
How to Protect Your Crypto Wallet From SIM Swap and Phishing Attacks: A Complete Beginner’s Guide

If you own cryptocurrency, the events of September 2023 should serve as a wake-up call. From the compromise of Ordinals Wallet’s Twitter account to the hacking of Vitalik Buterin’s personal account — resulting in over $650,000 in stolen assets — social engineering attacks are becoming the most common way criminals target crypto holders. The good news is that you can dramatically reduce your risk with a few straightforward steps. This guide walks you through everything you need to know.

The Basics

A SIM swap attack occurs when a criminal convinces your mobile phone carrier to transfer your phone number to a SIM card they control. Once they have your phone number, they can receive your SMS messages and phone calls, which means they can defeat SMS-based two-factor authentication on any account that relies on it. This includes email accounts, social media profiles, and potentially cryptocurrency exchange accounts.

Phishing attacks are related but distinct. In a phishing attack, criminals create fake websites, emails, or messages that look identical to legitimate services. When you enter your credentials or connect your wallet to these fake sites, the attackers capture your information and can drain your funds. The September 7 attack on Ordinals Wallet, where criminals posted a link to the fake website ordinalswallet[.]to, is a textbook example.

Both attack vectors rely on the same fundamental weakness: human trust. Attackers exploit the trust you place in familiar brands, project teams, and communication channels. Understanding this is the first step toward protecting yourself.

Why It Matters

The scale of crypto theft through social engineering is staggering. During just one week in September 2023, the crypto ecosystem lost approximately $42.5 million across 10 security incidents. While some of these were protocol-level hacks like the $41 million Stake.com breach, many involved social engineering elements — compromised social media accounts, phishing links, and SIM swap attacks.

For individual users, the impact can be devastating. Unlike traditional banking, cryptocurrency transactions are irreversible. Once funds are sent to an attacker’s wallet, there is no customer service department that can reverse the transaction. This makes prevention not just important but essential.

The threat is growing because crypto adoption is growing. As more people enter the space, the pool of potential victims expands, and attackers invest more resources in developing sophisticated social engineering techniques. The PinkDrainer phishing gang, linked to the Ordinals Wallet attack, represents a professionalized criminal operation with specialized tools and infrastructure.

Getting Started Guide

Step 1: Upgrade Your Two-Factor Authentication

The single most important step you can take is to stop using SMS-based two-factor authentication for any account connected to your cryptocurrency holdings. Instead, use an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator) or, ideally, a hardware security key like a YubiKey.

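Authenticator apps generate time-based codes that do not depend on your phone number, making them immune to SIM swap attacks. Hardware security keys are even more secure, as they require physical possession of the key device to authenticate. A code from an authenticator app can still be typed into a fake website, whereas a FIDO2 hardware key checks the address of the site it is talking to and will not answer a look-alike domain. Most major cryptocurrency exchanges support both authenticator apps and hardware keys.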

Step 2: Secure Your Phone Carrier Account

Most major mobile carriers offer additional security settings that can prevent unauthorized SIM transfers. Contact your carrier and ask about enabling a port-out PIN or account-level security freeze. This adds a layer of protection that makes it significantly harder for an attacker to execute a SIM swap, even if they have some of your personal information.

Step 3: Use a Hardware Wallet

For any cryptocurrency holdings beyond what you need for immediate trading, use a hardware wallet such as a Ledger or Trezor device. Hardware wallets store your private keys offline, where they cannot be accessed by phishing sites or compromised computers. Even if an attacker gains access to your email, social media, and exchange account, they cannot access funds stored on a properly secured hardware wallet.

Step 4: Verify Before You Click

Before clicking any link in a social media post, Telegram message, or email, verify it through an independent source. If a project announces an airdrop or promotion on Twitter, check the project’s official website directly by typing the URL into your browser. Never connect your wallet to a website you reached through a link in a message — always navigate directly.
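A small link check in the spirit of this step, added here as an example and not taken from any wallet or browser tool: it compares the host a link really leads to against domains you have verified yourself. The name examplewallet.com and all sample links are constructed; the patterns covered are the same-name-different-ending trick described earlier, misspellings, and a brand name placed in front of someone else's domain.

```python
from urllib.parse import urlsplit

# Assumption: domains you verified yourself by typing them in (constructed name).
OFFICIAL = {"examplewallet.com"}

def _distance(a, b):
    """Levenshtein edit distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, official=OFFICIAL):
    """Return 'official', 'lookalike' or 'unknown' for the host a link leads to."""
    url = url.strip().replace("[.]", ".")   # accept defanged links
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    if parts.username:   # "https://brand.com@other.host/" really opens other.host
        return "lookalike"
    if any(host == d or host.endswith("." + d) for d in official):
        return "official"
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"   # punycode can imitate letters; treated as suspicious
    for d in official:
        brand = d.split(".")[0]
        for label in labels:
            plain = label.replace("-", "")
            # Brand reused on another domain, or a one/two-character misspelling.
            if brand in plain or (len(brand) > 5 and _distance(plain, brand) <= 2):
                return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for link in ("https://examplewallet.com/app", "examplewallet[.]to/claim",
                 "https://examp1ewallet.com", "https://news.example.org/"):
        print(f"{link:35} {classify_link(link)}")
```

An "unknown" result is not a clean bill of health; it only means the host does not imitate a domain on your list.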

Step 5: Limit What You Share Online

Attackers use publicly available information to craft convincing social engineering attacks. The more you share about your crypto holdings, the accounts you use, and your personal details, the easier it is for an attacker to target you. Consider limiting the personal information you share on social media, and be cautious about discussing specific holdings or wallet addresses publicly.

Common Pitfalls

The most dangerous mistake is assuming that you are not a target. Many crypto users believe that only large holders or project teams are targeted by social engineering attacks. In reality, attackers cast wide nets, and even modest holdings can make you a target, especially if your security practices are weak.

Another common pitfall is relying on a single security measure. Two-factor authentication is important, but it is not sufficient on its own. A layered approach — combining hardware wallets, authenticator apps, carrier-level protections, and cautious online behavior — provides much stronger defense than any single measure.

Finally, many users make the mistake of treating all communication channels as equally trustworthy. An official-looking Telegram message or Twitter post can be generated by anyone who has compromised the account. Always verify important information through multiple channels before taking action.

Next Steps

After implementing the basic protections described above, consider taking additional steps to further harden your security posture. Research dedicated cryptocurrency security tools such as browser extensions that detect known phishing sites. Set up a separate email address exclusively for cryptocurrency-related accounts, so that a compromise of your personal email does not affect your crypto holdings. Consider using a dedicated device or browser profile for accessing cryptocurrency services, reducing the risk of malware or phishing affecting your financial activities.

The cryptocurrency ecosystem offers tremendous opportunities, but it also requires users to take personal responsibility for their security. By following the steps in this guide, you can significantly reduce your risk of falling victim to SIM swap and phishing attacks — and enjoy greater peace of mind as you participate in the crypto economy.

Disclaimer: This article is for educational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals regarding the protection of your digital assets.


7 thoughts on “How to Protect Your Crypto Wallet From SIM Swap and Phishing Attacks: A Complete Beginner’s Guide”

  1. vitalik getting hacked for 650k while literally building the most secure blockchain is peak irony. nobody is safe from social engineering

  2. Switched to a YubiKey after the Ordinals Wallet thing. Takes 5 minutes to set up and makes SIM swaps irrelevant. No excuse not to.

  3. Good guide overall but I wish people would stop saying hardware wallets are enough. They protect keys, not you from signing a malicious transaction.
