SIM Swap Attack: How Hackers Hijack Your Phone Number

Your phone number is quietly the master key to your money. Your bank, your email, your crypto exchange all trust it to prove you are you, usually by texting a code. A SIM swap attack takes that key and hands it to a stranger, often in the time it takes you to notice the bars on your screen have dropped to "No Service." By the time you reconnect, an attacker can have reset your passwords and emptied your accounts. For crypto holders the damage is worse — once coins leave a wallet, no one can claw them back.

This guide explains what a SIM swap attack is, how it works step by step, why it has become the favorite tool for stealing cryptocurrency, and the few changes that actually stop it.

What a SIM Swap Attack Is and Why It Works

A SIM swap attack is account takeover fraud that targets a weak spot in two-factor authentication: the text message. Your SIM, short for subscriber identity module, is the small chip that ties your mobile number to your phone. In a SIM swap, the attacker never touches your device. Instead they convince your mobile carrier to move your number onto a new SIM card they hold. The moment that swap completes, every call and text meant for you, including security codes, arrives on their phone instead.

This is the part people misunderstand. It is not a phone hack and it is not a broken encryption algorithm. It is a customer-service hack. The weakness being exploited is the human at the carrier, and the false assumption that controlling a phone number proves identity. Strip away the jargon and a SIM swap is just someone persuading a company to give away your number, then using it to walk through the front door of everything that number protects. Security researchers file SIM swap scams under identity theft for good reason. The attacker is not only after your money; for a while they own your whole digital identity, all of it routed through one ordinary mobile phone account you assumed was yours alone.

How a SIM Swap Attack Works, Step by Step

Almost every case follows the same three moves, and none of them require advanced hacking. They require patience and a convincing story.

Step 1: Harvesting your personal information

First the attacker builds a profile of you. They pull personal information from old data breach dumps sold on the dark web, from phishing emails that trick you into typing your details, and from your own social media. A birthday here, a pet's name there, the last four digits of a card from a leaked database, and they have enough personal details to sound like you on a phone call. The more you have posted publicly, the cheaper this step is. Most of this personal data is not freshly stolen at all. It leaked years ago in some forgotten breach, and the attacker is simply reassembling scattered pieces into a convincing whole.

Step 2: Impersonating you to the carrier

Next they impersonate you to your mobile provider. Sometimes that is a phone call with a rehearsed story about a lost or broken phone. Sometimes it is a walk-in to a retail store with a fake ID. In the worst cases the attacker simply bribes or recruits a carrier employee, which turns the whole defense into a single dishonest insider. This is social engineering, not code, and it works because support staff are trained to be helpful and to clear the queue.

Step 3: The swap and the takeover

Once the carrier activates the new SIM — the defining moment of the whole attack — your real phone drops to no service. Now the attacker controls the number. They go to your email or your exchange, click "forgot password," and let the reset code arrive as a text message they can read. They intercept that SMS, reset the password, and gain access. With your email taken over, they cascade into every other account tied to it. The full account takeover can happen in minutes — long before most people realize why their phone went dark.

Why SIM Swaps Are a Crypto Theft Machine

Plenty of attacks can drain a bank account, but banks can reverse fraudulent transfers. Crypto is different, and that difference is exactly why a SIM swap is so devastating in this corner of finance.

SMS 2FA is the single point of failure

Most exchanges still let users protect an account with a code sent by text. That feels safe until you realize the entire defense rests on one assumption: that only you receive your texts. A SIM swap breaks that assumption completely. One intercepted code resets the login, and SMS two-factor authentication, the thing meant to be your safety net, becomes the open door. The attacker does not need your password if they can reset it through your number. Worse, the same trick defeats the password itself, because many exchanges let you recover a forgotten one by text. The SMS code is not a second lock at all; it is the only lock, and the SIM swap holds the key. Even institutions get caught: in 2024 the SEC's own X account was hijacked through a SIM swap and used to post a fake Bitcoin ETF approval that briefly jolted the market.
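A way to audit that single point of failure on your own accounts, as an added example that is not part of the original article: list each account's recovery paths, then compute everything that falls once the phone number is in someone else's hands, including the cascade through email. The inventory, account names and factor names below are constructed for illustration.

```python
# Added example: audit which accounts fall if the phone number is taken over.
# ACCOUNTS is a constructed sample inventory; every name in it is hypothetical.
# Each account lists its recovery/login paths; a path is the set of factors
# that is sufficient on its own. Naming another account (e.g. "email") as a
# factor means "control of that account's inbox".
ACCOUNTS = {
    "email":    [{"sms"}],                      # reset by text code alone
    "exchange": [{"email", "sms"}],             # reset link plus SMS code
    "bank":     [{"email"}, {"password", "totp"}],
    "social":   [{"email"}],
    "cloud":    [{"password", "hardware_key"}],
}


def reachable_accounts(accounts, controlled):
    """Return the accounts recoverable from the `controlled` factors, in
    takeover order, following the cascade from one account to the next."""
    held = set(controlled)
    taken = []
    progress = True
    while progress:                  # repeat until a full pass adds nothing
        progress = False
        for name, paths in accounts.items():
            if name not in held and any(path <= held for path in paths):
                held.add(name)       # this account now works as a factor too
                taken.append(name)
                progress = True
    return taken


def replace_factor(accounts, old, new):
    """Return a copy of the inventory with factor `old` swapped for `new`
    in every path, e.g. SMS codes replaced by an authenticator app."""
    return {
        name: [{new if f == old else f for f in path} for path in paths]
        for name, paths in accounts.items()
    }


if __name__ == "__main__":
    print("number stolen, SMS in use:", reachable_accounts(ACCOUNTS, {"sms"}))
    hardened = replace_factor(ACCOUNTS, "sms", "totp")
    print("number stolen, SMS removed:", reachable_accounts(hardened, {"sms"}))
```

Fill the inventory with your real accounts and rerun it after every change to a recovery setting; the goal is an empty list for the phone number.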

Irreversible by design

A bank can freeze a wire and reverse a charge. A blockchain cannot. Once an attacker moves your coins to a wallet they control, the transfer is final, with no chargeback and no support line to call. That irreversibility is a feature of crypto — but it turns a SIM swap from a scare into a permanent loss, which is why attackers specifically hunt known crypto holders. The dollar figures show how much is at stake.

| Case | Year | Amount | How it happened |
|---|---|---|---|
| Michael Terpin v. AT&T | 2018 | $24 million | Number ported, crypto accounts drained |
| FTX bankruptcy-day heist | 2022 | about $400 million | SIM swap during the exchange's collapse |
| Washington DC bitcoin theft | 2024 | 4,100 BTC, about $263 million | Social engineering plus SIM swaps, 9 convictions |
| T-Mobile arbitration victim | 2020 | $33 million awarded | Carrier security failure, repeated swaps |
| SEC X account hijack | 2024 | market-moving fake post | SIM swap of the agency's account |

How Common Are SIM Swap Attacks, Really?

The honest answer is a paradox. By raw count these attacks are rare, but per victim they are catastrophic, and the official numbers badly undercount the crypto losses.

Look at the reported totals first. The FBI's Internet Crime Complaint Center logged 982 SIM swap complaints in 2024, with roughly $26 million in losses, down from a peak near $72.6 million in 2022. Microsoft has noted that less than 0.3% of identity attacks use SIM swapping at all, dwarfed by ordinary phishing. On those numbers alone, you might shrug.

| Year | Reported SIM swap losses (FBI IC3) |
|---|---|
| 2022 | $72.6 million |
| 2023 | $48.8 million |
| 2024 | $26.0 million (982 complaints) |

Then look closer. The same year that official SIM swap losses sat around $26 million, a single Washington DC case moved roughly $263 million in bitcoin, and the FTX heist took about $400 million. Neither lands in the SIM swap column, because investigators file them under broader fraud or theft categories. The takeaway is not that the attack is harmless. It is that it is uncommon, surgical, and aimed at people with real money, especially crypto, where one success pays for a thousand failures. Averaged out, each reported SIM swap scam in 2024 cost its victim around $26,000, and those are only the cases small enough to be filed as SIM swaps in the first place. The headline crypto thefts, the ones in the tens or hundreds of millions, sit in entirely different ledgers.

Warning Signs of a SIM Swap Attack

You usually get one warning that a SIM swap is in progress, and the clock starts the moment it lands. Minutes matter here, not hours.

The big one is dead simple: your phone loses service for no reason. Full battery, no carrier outage, everyone around you has bars, and yours are just gone. In a city center, that is not a glitch. Treat it as the alarm it probably is. The other tells show up on whatever device still works. You get locked out of an account you used yesterday. A password-reset text lands that you never asked for. Your carrier emails to "confirm" a new SIM you did not request. Spot any of these on your other mobile devices and assume someone is trying to take control of your mobile number right now. Whatever you do next, do it fast, because the attacker already is.

How to Prevent SIM Swapping and Protect Yourself

You cannot stop a determined criminal from social-engineering a call center, but you can make your number worthless to them.

Get money off SMS

One move matters more than all the rest. Stop using text messages as your second factor for anything that holds value. Move every exchange, bank, and email login to an authenticator app, or better still, a hardware security key an attacker would have to steal in person. This is not fringe paranoia anymore. Late in 2024 the FBI and CISA told the public to drop SMS codes outright, and the newest federal identity rules from NIST no longer count SMS as good enough for sensitive accounts. If a service only offers texts, park your serious money somewhere that supports an app or a key. The reason it works is simple. An authenticator code lives only on your device. A hardware key cannot be copied or sweet-talked out of you over the phone. Neither one rides along when your number gets stolen, so the swap ends up grabbing a number that unlocks nothing.

Lock the carrier and your footprint

Then harden the number itself. Add a SIM PIN or a number-transfer lock with your carrier so no swap can happen without it. Many providers now offer this for free, such as Verizon's SIM Protection, which blocks changes until you turn it off. Use a strong, unique password and a password manager so a single data breach does not unlock everything. And stop advertising your crypto holdings, because public bragging is how attackers pick their targets in the first place. Quiet wallets get robbed far less often than loud ones.

What to Do If You Are Hit by a SIM Swap

Speed decides how bad a SIM swap fraud gets, so work in order. First, call your carrier from another phone to report the SIM hijacking and reclaim your number. Next, from a device that is still trusted, reset the passwords on your email and your exchange accounts and rip SMS two-factor authentication off every one of them. If you hold crypto, freeze withdrawals on your exchange and move funds if you still can. Then document everything and file reports with the FBI's Internet Crime Complaint Center and the FTC. None of this undoes a finished theft, but it can stop an attack that is still in progress and cut off the account takeover before it spreads.

A SIM Swap Attack Targets the Weakest Link

A SIM swap attack does not beat your security; it walks around it, through a phone company that was never built to guard your savings. Your number was never meant to be an identity document, yet we have wired it into everything that matters. For anything holding money, the safe assumption is simple: treat SMS two-factor authentication as already broken, and move to an app or a hardware key today rather than after you lose service some random afternoon. The fix is boring, total, and takes about ten minutes. So here is the only question that counts: if your phone went dark right now, how much could a stranger reach before you got it back?

Any questions?

Your number jumps to their SIM card and your phone goes dark. Now every call and text meant for you, security codes included, lands on their device. They hit "forgot password" on your email, your bank, your exchange, and walk straight in. Start to finish, it can take minutes.

Usually your phone just dies on the network while everyone next to you still has signal. Other red flags: password-reset texts you never asked for, a carrier alert about a new SIM, or getting locked out of an account out of nowhere. Any one of them is worth reacting to immediately.

Mostly, yes. Swap SMS two-factor authentication for an authenticator app or a hardware key, add a SIM PIN or number-transfer lock at your carrier, use unique passwords, and stop posting about your crypto. You cannot fix the call center, but you can make your number worthless to steal.

Rare in number, brutal in impact. The FBI counted 982 complaints in 2024, about $26 million in losses, a sliver of total fraud. But the giant crypto heists get logged under other labels, so the real damage runs far past those headline numbers.

Yes, and that is exactly what makes it nasty. The attacker never touches your handset. The whole swap happens inside the carrier, so your number moves to their SIM while your phone just loses signal, and everything tied to that number quietly opens up for them.

No. For anything holding crypto, SMS is the weakest option on the menu. One SIM swap intercepts the codes, and the transfers that follow cannot be reversed. Use an authenticator app or a hardware key, and never let a text message stand between a thief and your wallet.
