SIM Swap | Loss: $120,000 | SOL | November 10, 2025

SIM Swapped in 30 Minutes: How $120K in SOL Disappeared

The attacker called the carrier, transferred the phone number, reset the exchange password, and withdrew everything in under 30 minutes. The victim didn't know until their phone lost signal.

The Incident

At 2:14 PM on a Tuesday, the victim's phone lost cellular signal. They assumed it was a network issue and connected to Wi-Fi. Forty minutes later, they received an email notification that their exchange password had been changed. By the time they logged in through a password recovery flow, 2,400 SOL (approximately $120,000 at the time) had been withdrawn to an external wallet. The withdrawal was initiated at 2:22 PM, just 8 minutes after the phone lost signal. The attacker had ported the victim's phone number, intercepted the SMS verification code, reset the exchange password, and initiated the withdrawal in under 10 minutes.

Attack Vector: Carrier Social Engineering

The attacker had obtained the victim's full name, date of birth, last 4 digits of their SSN, and billing address from a 2023 data breach that included their mobile carrier account information. Armed with this data, the attacker called the carrier's customer support line, impersonated the victim, and requested a SIM transfer to a new device. The support representative verified identity using the stolen personal information and processed the transfer. The victim's phone immediately lost signal as the new SIM activated. The attacker then had full access to all SMS messages, including 2FA codes from the exchange.

On-Chain Trail

The 2,400 SOL was withdrawn to a freshly created Solana wallet. Within 15 minutes, it was bridged to Ethereum via Wormhole, converting SOL to wETH on Ethereum mainnet. The wETH was then swapped to USDC through a DEX aggregator (1inch), which split the trade across multiple liquidity pools to minimize slippage and reduce tracing clarity. The USDC was sent to a centralized exchange in a non-cooperative jurisdiction. Approximately $18,000 worth was frozen by that exchange before it could be withdrawn, after the victim's exchange flagged the stolen funds through their compliance channel. The remaining approximately $102,000 was withdrawn before the freeze took effect.

Outcome

Of the $120,000 stolen, approximately $18,000 was frozen on the destination exchange and is subject to an ongoing law enforcement request for return. The remaining $102,000 is considered lost. The victim filed a police report, an FCC complaint against the carrier, and a civil suit against the carrier for negligence in processing the unauthorized SIM transfer. The case is ongoing. The carrier has since implemented additional verification requirements for SIM transfers, though whether this was a direct result of this incident is unclear.

Prevention

Three changes would have prevented this entirely. First: replacing SMS 2FA with a hardware security key (YubiKey) or authenticator app. The attacker would have ported the number but could not bypass non-SMS 2FA. Second: setting a carrier account PIN and port freeze. The carrier representative could not have processed the transfer without the PIN. Third: self-custody of significant holdings on a hardware wallet. Even with full exchange account access, the attacker cannot withdraw from a hardware wallet. The victim had over $100K on a centralized exchange protected only by SMS 2FA, a configuration that is known to be vulnerable to SIM swaps.
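
An exchange-side check for the sequence seen in this incident, an SMS-verified password reset followed minutes later by a withdrawal to a never-used address, written as an added example (not code from this case study or from any exchange). The log format, event names, 24-hour hold window, and sample lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy value (not from the case study): how long withdrawals to a
# new address are held after an SMS-verified credential reset.
HOLD_WINDOW = timedelta(hours=24)

def parse(line):
    """Parse 'ISO-timestamp user event key=value ...' into a dict."""
    ts, user, event, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "user": user, "event": event}
    rec.update(item.split("=", 1) for item in kv)
    return rec

def flag_withdrawals(lines, window=HOLD_WINDOW):
    """Return (user, address, delay) for withdrawals to hold for review.

    Flagged: destination never used by the account before AND the withdrawal
    follows an SMS-verified password reset within `window`.
    """
    last_sms_reset = {}  # user -> time of latest SMS-verified reset
    known_addrs = {}     # user -> destinations of earlier allowed withdrawals
    flagged = []
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        user = rec["user"]
        if rec["event"] == "password_reset" and rec.get("method") == "sms":
            last_sms_reset[user] = rec["ts"]
        elif rec["event"] == "withdrawal":
            seen = known_addrs.setdefault(user, set())
            reset_at = last_sms_reset.get(user)
            recent = reset_at is not None and rec["ts"] - reset_at <= window
            if rec["to"] not in seen and recent:
                flagged.append((user, rec["to"], rec["ts"] - reset_at))
            else:
                seen.add(rec["to"])  # held withdrawals never become "known"
    return flagged

# Constructed sample log. Only the 14:22 withdrawal time and the 2,400 amount
# mirror the case study; every other value is made up.
SAMPLE_LOG = [
    "2025-01-07T09:00:00 alice withdrawal to=ADDR_OLD amount=5",
    "2025-01-07T14:18:00 alice password_reset method=sms",
    "2025-01-07T14:22:00 alice withdrawal to=ADDR_NEW amount=2400",
    "2025-01-07T14:30:00 alice withdrawal to=ADDR_OLD amount=1",
    "2025-01-07T15:00:00 bob password_reset method=totp",
    "2025-01-07T15:05:00 bob withdrawal to=ADDR_BOB amount=10",
]

if __name__ == "__main__":
    for user, addr, delay in flag_withdrawals(SAMPLE_LOG):
        print(f"HOLD {user} -> {addr} ({delay} after SMS reset)")
```

Only the withdrawal to the new address after the SMS reset is held; the withdrawal to a previously used address and the account that reset via TOTP pass through.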