SIM Swap Attack

How It Works

The attacker calls your mobile carrier and impersonates you, claiming they lost their phone or need a new SIM card. Using personal information gathered from data breaches, social media, or social engineering, they convince the carrier representative to port your number to their device. In some cases, corrupt carrier employees are bribed directly. Once the swap is complete, all calls and texts to your number go to the attacker's phone.

With your phone number, the attacker intercepts SMS-based 2FA codes. They initiate password resets on your email, then use email access to reset exchange passwords. The entire chain — phone number to email to exchange — can be compromised in under an hour. Victims often don't realize anything is wrong until their phone loses service, by which time their exchange accounts have been emptied.

The solution is straightforward: remove SMS from your security stack entirely. Use hardware security keys or TOTP apps for 2FA. Set a PIN or passphrase on your mobile carrier account to prevent unauthorized changes. Better yet, move your bitcoin to self-custody where no exchange account can be compromised in the first place. Your hardware wallet doesn't care about your phone number.

Key Points

• Attackers social-engineer or bribe mobile carrier employees to transfer your phone number
• SMS-based 2FA becomes an attack vector rather than a protection when your SIM is swapped
• Remove SMS 2FA from all Bitcoin-related accounts and replace with hardware keys or TOTP
• Set a carrier account PIN to make unauthorized SIM swaps harder
• Self-custody eliminates exchange account compromise as a theft vector entirely