SIM swap — also called SIM-card hijacking or port-out fraud — is when an attacker convinces a mobile carrier to transfer the target's phone number to a SIM card the attacker controls. Once successful, every SMS and voice call sent to that number reaches the attacker. The original SIM goes dead. For any account secured by SMS 2FA, this is equivalent to handing over the second factor.

How it actually works

The attacker collects enough personal information about the target (name, billing address, last four of SSN, sometimes recent payment amounts) to pass the carrier's "verify your identity" check. They call the carrier, claim a lost or damaged phone, and request a SIM swap to a new physical SIM the attacker possesses. With T-Mobile, AT&T, or Verizon, the process can take fifteen minutes if the social engineering is competent.

Personal-information collection is the rate-limiting step. The 2017 Equifax breach, the 2020 LinkedIn dump, and the 2022 T-Mobile data leak all provided the kind of identifying information that fuels SIM-swap attacks today. The attack scales with the size of the leaked dataset; SIM swaps have been a steady five-to-six-figure monthly loss category in the US since 2018.

The crypto context

SIM swap is specifically dangerous for crypto holders because it bypasses SMS 2FA on every centralized exchange that still allows it. The 2020 lawsuit against AT&T (filed by Michael Terpin, who lost $24 million in crypto to a SIM-swap attack) raised the public awareness; the 2023 SEC Twitter compromise (a SIM-swap-enabled attack on the SEC's own X account that briefly tanked Bitcoin price) confirmed the attack vector is still active against high-value targets.

The FBI's IC3 reported 1,611 SIM-swap complaints in 2023 with $68 million in losses; the real number is likely higher because many SIM-swap victims don't report. Cryptocurrency was the asset class in the majority of high-value cases.

What actually defends

Three layers, ranked by effectiveness:

First, drop SMS 2FA on every exchange account. Replace with TOTP (Google Authenticator, Authy) at minimum, hardware key (YubiKey) or Passkey ideally. This breaks the attack entirely for SIM-swap-vulnerable accounts.

Second, set carrier-side port-out protections. T-Mobile NOPort, AT&T Number Lock, Verizon Number Lock — all available, all underused. They add a passcode or PIN that must be presented before a port-out can be processed; the attacker now needs the passcode in addition to the rest of the social-engineering input.

Third, use a separate phone number for high-value account recovery. A second SIM (or Google Voice number) used only for crypto accounts and never publicly associated with you. This raises the bar significantly because the attacker has to discover which number controls which account first.

What to do in the first hour after a SIM swap

If your phone suddenly loses signal in a context where it shouldn't (no airplane mode, normal cell coverage, your phone restarts and the SIM no longer registers), assume SIM swap. From any other device:

  1. Lock down every CEX account immediately — change passwords, disable SMS 2FA, set withdrawal whitelists.
  2. Lock down email accounts (Gmail, Outlook) — change passwords, revoke active sessions.
  3. Call the carrier from a different phone — get the SIM swap reversed, set port-out protections.
  4. File an IC3 complaint at ic3.gov — this matters for insurance claims and any subsequent civil action.

Further reading: 2FA, The 2FA truth, Passkey.