SIM Swap Attacks: How Hackers Hijack Crypto Accounts via SMS
Why this matters
Most major exchanges still default to SMS two-factor authentication at signup, and many holders never change it. A SIM swap transfers your phone number to an attacker's device, routing every authentication code directly to them. Locking your carrier account and replacing SMS 2FA with an authenticator app are the two specific changes that close this exposure.
SIM swap attacks are one of the most direct paths from a stolen phone number to a drained crypto account. An attacker persuades a mobile carrier to transfer your phone number to a SIM card they control, and from that point every text message you receive, including one-time passwords from exchanges, goes to them instead of you.
How attackers carry out a SIM swap
The process starts with information gathering. Before contacting a carrier, attackers compile personal details about the target: full name, date of birth, home address, and sometimes the last four digits of a Social Security number. This data is available through data broker sites, previous breach databases, and social media profiles that many holders keep publicly visible. Phishing emails are often used alongside this research; for a deeper look at how those campaigns work, see how crypto phishing scams operate.
With that profile in hand, the attacker calls the carrier's support line and poses as the account holder. In some cases, carrier employees are bribed directly. The goal is to get the carrier to activate a new SIM card with the victim's number. Once the swap goes through, all incoming calls and texts route to the attacker's device. The victim's phone loses service, which is often the first sign that something is wrong.
The scale of the problem is growing. The UK's fraud prevention service Cifas recorded a 1,055% increase in unauthorized SIM swaps between 2023 and 2024, rising from 289 cases to nearly 3,000 (Cifas, 2024). These numbers cover only reported fraud; actual cases are higher.
Why SMS-based 2FA on exchanges is the critical gap
Most major cryptocurrency exchanges still default to SMS-based two-factor authentication when users sign up. The logic is that sending a code to your phone adds a layer of verification. But when an attacker controls your phone number, that code goes directly to them. SMS 2FA, in that moment, becomes the mechanism of the attack rather than a protection.
Crypto is a primary target because transactions are irreversible and pseudonymous. Exchange withdrawals cannot be recalled after authorization. The FBI's Internet Crime Complaint Center tracked nearly $26 million in reported SIM swap losses in the United States in 2024 (FBI IC3, 2024), a figure that captures only a fraction of actual incidents since many victims do not report.
Legal consequences for carriers are starting to follow. In March 2025, a U.S. arbitration panel ordered T-Mobile to pay $33 million after a customer's crypto holdings were drained following a successful SIM swap, with the panel finding the carrier failed to verify the transfer request adequately. The case established a precedent for carrier liability in SIM swap losses.
If you are unsure whether your exchange accounts still use SMS 2FA, see why 2FA alone is not enough to protect your crypto for a breakdown of which authentication methods hold up and which do not.
What to change in your setup
Three specific changes address the main exposure points.
Lock your carrier account. Call your mobile carrier and request a SIM lock, port freeze, or number lock. This prevents your phone number from being transferred to a new SIM or carrier without additional verification, such as a PIN or an in-store visit. All major U.S. carriers offer this. Under FCC rules updated in 2024, carriers are also required to notify you when a SIM change or port-out request is made, so confirm those alerts are active on your account.
Replace SMS 2FA on every account that touches your crypto. That means exchange accounts, email, and password managers. Replace SMS codes with an authenticator app such as Authy or Google Authenticator, or a hardware security key. A code generated on a local device cannot be intercepted by someone who controls your phone number.
Remove your phone number from account recovery options. Many exchanges and email providers allow a phone number as a backup recovery path. Remove it and replace it with a backup code stored securely offline.
A carrier lock combined with app-based 2FA closes the most common SIM swap path. To see which parts of your full setup carry gaps in authentication, check your setup in the Asset Alert app.