A SIM swap does not require breaking any encryption or hacking a wallet directly. Instead, the attacker exploits the customer support process of a mobile carrier, using stolen personal details, a bribed insider, or a convincing phone call to trick a support agent into porting the victim's number onto a SIM the attacker controls. From that moment, the victim's phone silently goes dead while the attacker's device starts receiving every call and text meant for them.
The technique became a favored path into crypto holdings because so many exchanges and wallet services historically offered SMS as a password-reset or login-verification option. An attacker who controls the number can request a password reset on an exchange account, intercept the one-time code, and drain funds within minutes, often after first researching the target through leaked databases or phishing to learn which platforms they use. High-profile thefts, including a lawsuit against a major U.S. carrier over a $24 million crypto loss, pushed regulators to act: since 2024, U.S. carriers have been required to verify customers with stronger authentication before processing a SIM change or port-out request, offer an account-lock feature, and notify customers immediately when a change occurs.
Defenses that matter most for crypto users include:
- Replacing SMS-based 2FA with an authenticator app or hardware security key
- Setting a port-out PIN or account lock directly with the mobile carrier
- Avoiding linking a phone number to exchange account recovery wherever possible
Because carrier-side security still varies widely, treating a phone number as a weak link rather than a trusted identity factor remains the safest assumption.