Short answer
"Cracked" overstates it. SMS 2FA isn't broken cryptographically — the 6-digit code itself remains secret to the user receiving it. The attack is on the SIM card: SIM-swap attacks convince the mobile carrier to transfer your phone number to a SIM the attacker controls, after which the SMS codes go to them. The FBI's IC3 reported 1,611 SIM-swap complaints in 2023 with $68 million in crypto-related losses; the actual number is likely 5-10× higher because most cases go unreported.
How SIM-swap works
The attacker collects PII about you — name, address, last 4 of SSN, recent payment amounts — from a data breach or social engineering. They call the carrier (T-Mobile, AT&T, Verizon), claim a lost phone, and request a SIM swap to a new card. With enough PII, the carrier accepts.
Within minutes, your phone loses signal. The attacker's SIM now receives all SMS and voice calls intended for your number. They go to your bank, exchange, or email service, request a password reset via SMS, receive the code on their SIM, and take over the account.
Why this is a crypto problem specifically
Crypto exchanges that use SMS 2FA are vulnerable in a way banks aren't because:
- The withdrawal address can be a new, attacker-controlled wallet — funds gone immediately
- The transactions are irreversible — no chargeback, no fraud reversal
- The dollar amounts per attack are higher — average crypto SIM-swap loss in 2024 was $43K
Banks reverse fraudulent transactions; crypto exchanges return funds only at their discretion (rare).
The defenses, ranked
1. Drop SMS 2FA entirely. Replace it with TOTP (Google Authenticator, Authy), a passkey, or a hardware security key (YubiKey). This eliminates the entire attack vector. Every major US exchange supports at least TOTP.
2. Carrier-side port-out protection. T-Mobile NOPort, AT&T Number Lock, Verizon Number Lock — all available, all underused. They add a passcode or PIN required before any SIM swap. The 2023 attack volume would drop sharply if these were universally enabled.
3. Separate phone for crypto. A secondary phone number, used only for crypto exchange accounts, with no public association to you. Google Voice works but Coinbase doesn't accept VoIP numbers; use a second cellular line from US Mobile, Visible, or similar.
What's actually happening on US carriers in 2026
T-Mobile had a major 2023 breach exposing millions of customer records to potential SIM-swap targeting. AT&T had a 2024 incident. Verizon's record is cleaner but not perfect. The carriers say they've improved port-out verification; the FBI says SIM-swap incidents continue at record levels.
Bottom line: don't trust the carrier to protect your phone number. Use 2FA methods that don't rely on the phone number at all.