FREEDOMPROTOCOL

SIM Swap Attacks: The Complete Protection Guide for Crypto Holders

February 11, 2026 (8 min read)

In 2025, SIM swap attacks drained over $68 million from crypto holders. The attack is brutally effective: an attacker convinces your carrier to transfer your phone number to their SIM card. Once they have your number, they receive your SMS verification codes, reset your passwords, and drain your accounts.

The average SIM swap takes 15 minutes. The average victim doesn't realize it happened until their phone goes dead — by which time their exchange accounts are already empty.

How a SIM Swap Works

  1. Reconnaissance — The attacker gathers your personal info: full name, address, phone number, carrier, and the last four digits of your SSN. Most of this is available from data breaches or social media.
  2. Social engineering — They call your carrier, impersonate you, and request a SIM transfer. Alternatively, they bribe a carrier employee (going rate: $500-1,000).
  3. Number transfer — Your phone loses service. Their phone now receives your calls and texts.
  4. Account takeover — They trigger password resets on your email, exchanges, and wallets. SMS 2FA codes go to their device.
  5. Drain — They access your exchange accounts and withdraw everything. Total elapsed time: under an hour.

Why Crypto Holders Are Targeted

  • Public identification — If you've ever discussed crypto publicly, you're on a list
  • High-value accounts — Exchange accounts often hold five to seven figures
  • Irreversible transactions — Once crypto is sent, it's gone
  • SMS 2FA dependency — Many exchanges still default to SMS-based two-factor authentication
  • Data broker exposure — Your phone number is connected to your identity across hundreds of services

The Protection Protocol

Step 1: Eliminate SMS 2FA Everywhere

This is the single most important action you can take.

Replace SMS 2FA with:

  • Hardware security keys (YubiKey 5) — Best option. Physical device that can't be remotely compromised
  • Authenticator apps (Authy, Google Authenticator) — Good option. Tied to your device, not your phone number
  • Never use SMS 2FA for any exchange, email, or financial account

Check every account that currently uses your phone number for 2FA and switch it today.

Step 2: Lock Your SIM

Contact your carrier and request:

  • SIM lock / SIM PIN — Requires a PIN to make any changes to your account
  • Port freeze — Prevents your number from being transferred to another carrier
  • Account PIN — A separate PIN required for any account modifications
  • Note on account — "Do not process any SIM changes without in-store ID verification"

Carrier-specific instructions:

  • T-Mobile — Enable "Account Takeover Protection" in your account settings
  • AT&T — Set up "Extra Security" passcode via the myAT&T app
  • Verizon — Enable "Number Lock" in the My Verizon app
  • For international carriers — Call customer service and request maximum port protection

Step 3: Separate Your Identity From Your Number

Your phone number should not be linked to your financial identity.

  • Use a separate number for exchanges — Get a VoIP number (Google Voice) or a dedicated SIM for financial accounts
  • Don't share your primary number publicly — Use a separate number for social media, forums, and public profiles
  • Register financial accounts with a non-SIM number — Google Voice numbers can't be SIM-swapped (but can be compromised through Google account access)

Step 4: Secure Your Email Chain

Your email is the skeleton key. If an attacker gets your email, they can reset everything.

  • Use [ProtonMail](https://go.getproton.me/aff_c?offer_id=7&aff_id=16789) for all crypto-related accounts — End-to-end encrypted, not linked to phone number recovery
  • Enable hardware key 2FA on your email — YubiKey, not SMS
  • Don't use your primary email for crypto — Create a dedicated, private email address that you never share publicly
  • Disable phone number recovery on your email account
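To see why the email chain matters, the following added example (not part of the original article) models which accounts fall once an attacker holds only your SMS codes. The inventory, account names, and factor labels are constructed for illustration; each account lists its login or reset paths, and a path succeeds only when every factor in it is held.

```python
# Constructed inventory (hypothetical accounts, not real data).
# Each path is a set of factors that must ALL be held to get in.
# "sms" = a code sent to the phone number; an account name used as a
# factor means "control of that inbox" (a reset link sent there).
INVENTORY = {
    "personal-email": [{"password"}, {"sms"}],           # phone recovery enabled
    "crypto-email":   [{"password", "hardware-key"}],    # phone recovery disabled
    "exchange-a":     [{"password", "sms"}, {"personal-email", "sms"}],
    "exchange-b":     [{"password", "totp"}, {"crypto-email", "hardware-key"}],
    "bank":           [{"password", "sms"}, {"personal-email"}],
}

def accounts_exposed(inventory, attacker_holds):
    """Return {account: factors used} for every account the attacker can reach.

    A captured account becomes a factor for accounts that reset through it,
    so the loop repeats until no further account falls.
    """
    held = set(attacker_holds)
    exposed = {}
    changed = True
    while changed:
        changed = False
        for name, paths in inventory.items():
            if name in exposed:
                continue
            for path in paths:
                if path <= held:              # attacker holds every factor
                    exposed[name] = sorted(path)
                    held.add(name)
                    changed = True
                    break
    return exposed

def after_sim_swap(inventory):
    # A SIM swap hands the attacker exactly one factor: SMS to your number.
    return accounts_exposed(inventory, {"sms"})

if __name__ == "__main__":
    for account, path in after_sim_swap(INVENTORY).items():
        print(f"{account}: reachable via {' + '.join(path)}")
```

Removing the `{"sms"}` recovery path from the email entry and rerunning shows the effect of disabling phone number recovery on everything downstream of that inbox.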

Step 5: Monitor for Attacks

Early detection is critical. Set up:

  • Carrier alerts — Enable text/email notifications for any account changes
  • Exchange notifications — Real-time alerts for logins, withdrawals, and 2FA changes
  • Google Alerts — Set an alert for your name + "SIM swap" or your phone number
  • Credit monitoring — SIM swap attackers often target bank accounts too
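The alerts above are most useful when read together. This added example (not from the original article) correlates a carrier change with account events that follow within an hour, matching the attack timeline described earlier. The notification records, source names, and event names are constructed and hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample notifications; source and event names are hypothetical.
EVENTS = [
    ("2026-02-03 09:12", "exchange-a", "login"),
    ("2026-02-10 14:02", "carrier", "sim_change"),
    ("2026-02-10 14:09", "email", "password_reset"),
    ("2026-02-10 14:15", "exchange-a", "2fa_change"),
    ("2026-02-10 14:31", "exchange-a", "withdrawal"),
    ("2026-02-12 08:00", "exchange-a", "login"),
]

CARRIER_CHANGES = {"sim_change", "port_out"}
TAKEOVER_SIGNALS = {"password_reset", "2fa_change", "withdrawal"}
WINDOW = timedelta(hours=1)  # the "under an hour" timeline from the article

def parse(events):
    """Turn (timestamp, source, event) strings into a time-ordered list."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), src, ev)
                  for ts, src, ev in events)

def correlate(events, window=WINDOW):
    """Pair each carrier change with takeover signals inside the window."""
    timeline = parse(events)
    incidents = []
    for i, (t0, src, ev) in enumerate(timeline):
        if src != "carrier" or ev not in CARRIER_CHANGES:
            continue
        followups = [
            {"minutes_after": int((t - t0).total_seconds() // 60),
             "source": s, "event": e}
            for t, s, e in timeline[i + 1:]
            if t - t0 <= window and e in TAKEOVER_SIGNALS
        ]
        if any(f["event"] == "withdrawal" for f in followups):
            severity = "critical"
        elif followups:
            severity = "high"
        else:
            severity = "review"  # a carrier change you did not request
        incidents.append({"carrier_event": ev, "at": t0,
                          "severity": severity, "followups": followups})
    return incidents

if __name__ == "__main__":
    for incident in correlate(EVENTS):
        print(incident["severity"], incident["at"], incident["followups"])
```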

If You're Under Attack Right Now

If your phone suddenly loses service and you suspect a SIM swap:

  1. Immediately call your carrier from another phone — Report fraud and request emergency number freeze
  2. Log in to your exchange accounts from a computer — Change passwords and disable withdrawals if possible
  3. Contact your exchange support — Request emergency account freeze. Most major exchanges have emergency procedures.
  4. Secure your email — Change password and add hardware key 2FA immediately
  5. File a police report — Required for any recovery process
  6. Document everything — Timestamps, screenshots, and transaction IDs for potential recovery

The Audit Checklist

Run through this checklist right now:

  • [ ] All exchange accounts use hardware key or authenticator app 2FA (not SMS)
  • [ ] SIM PIN/lock enabled on your carrier account
  • [ ] Port freeze enabled
  • [ ] Crypto email address is separate from personal email
  • [ ] Email accounts use hardware key 2FA
  • [ ] Phone number recovery is disabled on email accounts
  • [ ] No financial account uses SMS as the primary 2FA method
  • [ ] Carrier has "in-store ID only" note for SIM changes

Bottom Line

Your phone number is not a security tool — it's a liability. Every account that depends on SMS verification is one social engineering call away from compromise.

The fix takes about an hour: buy a YubiKey, switch every account to hardware or app-based 2FA, lock your SIM, and separate your crypto identity from your phone number.

An hour of work today protects everything you've built. The protocol protects. Follow it.


Disclosure: This article contains affiliate links. We may earn a commission at no extra cost to you. We only recommend tools we've personally tested and trust.