SIM Swap Attacks: The Full Kill Chain
How attackers take over your phone number, bypass 2FA, and drain your accounts. The complete attack chain from reconnaissance to execution, and the specific steps to make yourself immune.
The Attack Chain
A SIM swap starts with reconnaissance. The attacker gathers your personal information: full name, date of birth, address, last 4 digits of your SSN, and your phone number. Most of this is available from data breaches (check haveibeenpwned.com), social media profiles, or public records. Armed with this information, the attacker calls your mobile carrier and social engineers the support representative into transferring your phone number to a SIM card they control. Alternatively, they may bribe or coerce a carrier employee; insider-assisted SIM swaps are increasingly common. Once they have your number, they receive all your SMS messages and phone calls.
Why Crypto Users Are Prime Targets
Crypto users are targeted because: many exchanges still use SMS-based two-factor authentication, crypto transactions are irreversible once confirmed, and crypto users often publicly display their involvement through social media (tweeting about gains, displaying NFT profile pictures, discussing holdings in Discord/Telegram). An attacker who SIM swaps a crypto user can reset exchange passwords via SMS, bypass SMS 2FA, and withdraw funds to their own wallet. The victim may not realize what's happening until their phone loses signal. The entire attack, from SIM swap to fund withdrawal, can be completed in under 30 minutes.
Minute-by-Minute: A Typical SIM Swap
Minute 0: Attacker calls carrier, ports your number.
Minute 2: Your phone loses signal. The SIM is now active on the attacker's device.
Minute 3: Attacker initiates password reset on your exchange account using your email (which they may have already compromised, or which sends a reset code via SMS).
Minute 5: Attacker logs into your exchange with the new password, bypasses SMS 2FA with the intercepted code.
Minute 8: Attacker initiates withdrawal of all liquid assets to an external wallet.
Minute 10-30: Depending on the exchange's withdrawal processing time and any security holds, funds arrive in the attacker's wallet.
Minute 30+: The attacker begins laundering through mixers, bridges, or peer-to-peer swaps.
By the time you notice your phone isn't working and call your carrier, the funds are already moving through the laundering pipeline.
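The timeline above, seen from the defender's side (an added example, not part of the original article): a Python detection rule an exchange could run over account events to flag an SMS password reset, an SMS-2FA login from a new device, and a withdrawal to a new address, all inside 30 minutes. The event names, fields, and sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # the article's "under 30 minutes" end-to-end figure

# Constructed sample events (not real logs): (timestamp, user, kind, metadata)
EVENTS = [
    ("2024-05-01T10:03:00", "alice", "password_reset", {"channel": "sms"}),
    ("2024-05-01T10:05:00", "alice", "login", {"mfa": "sms", "new_device": True}),
    ("2024-05-01T10:08:00", "alice", "withdrawal", {"new_address": True}),
    ("2024-05-01T09:00:00", "bob", "login", {"mfa": "totp", "new_device": False}),
    ("2024-05-01T09:10:00", "bob", "withdrawal", {"new_address": False}),
    # carol: same steps, but spread over hours, so outside the window
    ("2024-05-01T08:00:00", "carol", "password_reset", {"channel": "sms"}),
    ("2024-05-01T11:30:00", "carol", "login", {"mfa": "sms", "new_device": True}),
    ("2024-05-01T11:32:00", "carol", "withdrawal", {"new_address": True}),
]

def find_takeover_chains(events, window=WINDOW):
    """Return (user, reset_time, withdrawal_time) for every chain of
    SMS reset -> SMS-2FA login on a new device -> withdrawal to a new
    address that completes within `window` of the reset."""
    by_user = {}
    for ts, user, kind, meta in sorted(events, key=lambda e: e[0]):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), kind, meta))
    hits = []
    for user, evs in by_user.items():
        reset_at, login_seen = None, False
        for ts, kind, meta in evs:
            if reset_at and ts - reset_at > window:
                reset_at, login_seen = None, False  # chain expired
            if kind == "password_reset" and meta.get("channel") == "sms":
                reset_at, login_seen = ts, False    # chain starts (or restarts)
            elif kind == "login" and reset_at:
                if meta.get("mfa") == "sms" and meta.get("new_device"):
                    login_seen = True
            elif kind == "withdrawal" and login_seen and meta.get("new_address"):
                hits.append((user, reset_at, ts))   # hold and review this withdrawal
                reset_at, login_seen = None, False
    return hits

if __name__ == "__main__":
    for user, start, end in find_takeover_chains(EVENTS):
        print(f"ALERT {user}: reset {start:%H:%M} -> withdrawal {end:%H:%M}")
```

A match is a reason to hold the withdrawal for manual review rather than proof of fraud; a legitimate user can reset a password and move funds from a new phone on the same day.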
How to Make Yourself Immune
First: call your carrier and set a PORT FREEZE and account PIN. A port freeze prevents your number from being transferred to another carrier without physically visiting a store with ID. An account PIN means support agents cannot make changes without the PIN.
Second: remove SMS 2FA from every crypto exchange and replace it with an authenticator app (Google Authenticator, Authy) or, better, a hardware security key (YubiKey). SMS 2FA is the vulnerability, so remove it.
Third: remove your phone number from exchange account recovery options entirely if possible.
Fourth: use a separate, unlisted phone number for any remaining SMS-based services, not the number you share publicly.
Fifth: self-custody significant holdings on a hardware wallet. Even if an exchange account is compromised, a hardware wallet cannot be drained via a SIM swap.
If It Happens To You
If your phone suddenly loses signal and won't reconnect: call your carrier immediately from another phone. Tell them you suspect a SIM swap and to freeze the account. If you can't reach them by phone, go to a physical store with government ID. Simultaneously, log into your crypto exchanges from a computer and change passwords, disable SMS 2FA, and check for pending or recent withdrawals. If funds have already been withdrawn, contact the exchange's emergency fraud line with the transaction details. File a police report and an FCC complaint (fcc.gov/consumers/guides/filing-informal-complaint). SIM swapping is a federal crime. Document everything with timestamps for law enforcement and potential legal action against the carrier.