If you own cryptocurrency, one of the most dangerous threats you face is not a sophisticated smart contract exploit or a blockchain vulnerability — it is a simple phone call. SIM swap attacks have drained millions of dollars from crypto holders, and the recent wave of attacks targeting Friend.tech users, which resulted in approximately $385,000 in stolen Ethereum, is a stark reminder that this threat is not going away. This guide walks you through everything you need to know about SIM swap attacks and, more importantly, how to protect yourself.
The Basics
A SIM swap attack happens when someone tricks your mobile carrier into transferring your phone number to a SIM card they control. Once they have your phone number, they can receive your text messages, including two-factor authentication codes. With those codes, they can reset passwords and access your cryptocurrency exchange accounts, email, and any other service linked to your phone number.
The attack works because mobile carriers use relatively weak identity verification procedures. An attacker who has collected some basic personal information about you — your name, address, date of birth, maybe the last four digits of your Social Security number — can often convince a customer service representative to process a SIM port request. This information is frequently available from data breaches, social media profiles, or publicly accessible records.
Once the SIM is swapped, your phone will suddenly lose service. You might think it is just a temporary network issue. Meanwhile, the attacker is rapidly accessing your accounts, changing passwords, and draining your cryptocurrency wallets. The entire process can take less than 30 minutes from start to finish.
Why It Matters
SIM swap attacks are particularly devastating in the cryptocurrency world because crypto transactions are irreversible. Unlike credit card fraud, where you can dispute charges and often recover your money, stolen cryptocurrency is gone permanently. There is no customer service hotline to call, no fraud department to investigate, and no insurance fund to reimburse you.
The scale of the problem is enormous. In 2023 alone, SIM swap attacks have cost cryptocurrency holders tens of millions of dollars. The FBI has issued multiple warnings about the threat, and high-profile cases involving celebrities, executives, and ordinary investors continue to make headlines. With Bitcoin trading around $27,983 and Ethereum at $1,733, even a modest crypto portfolio represents a tempting target for attackers.
The Friend.tech attacks in October 2023 illustrate how quickly this threat evolves. Attackers specifically targeted users of the new decentralized social platform because they knew these users held cryptocurrency. The attacks were targeted and efficient, suggesting a level of sophistication that is only increasing over time.
Getting Started Guide
Step 1: Remove SMS as a two-factor authentication method. This is the single most important step you can take. Go through every cryptocurrency exchange, wallet service, and email account you use and replace SMS-based 2FA with an authenticator app. Google Authenticator, Authy, and Microsoft Authenticator are all solid choices. Authy has the added benefit of encrypted cloud backups, so you will not lose access if you lose your phone.
Step 2: Enable a SIM port lock with your mobile carrier. Call your mobile carrier and request that a SIM port lock or port freeze be placed on your account. This adds an extra verification step before anyone can transfer your number to a new device. Each major carrier handles this differently — ask specifically for a port-out PIN or port freeze.
Step 3: Strengthen your mobile carrier account security. Add a strong, unique password and enable 2FA on your mobile carrier account itself. If an attacker can access your carrier account online, they may be able to process a SIM swap through the web portal without ever calling customer service.
Step 4: Move significant holdings to a hardware wallet. Hardware wallets like Ledger, Trezor, and Coldcard store your private keys offline, making them immune to any attack that relies on compromising your phone number or online accounts. For holdings exceeding what you need for daily transactions, a hardware wallet is essential.
Step 5: Audit your digital footprint. Review what personal information is publicly available about you online. Remove or restrict access to your phone number, email address, and any details that could be used to verify your identity with a mobile carrier. Be cautious about discussing your cryptocurrency holdings on social media.
Common Pitfalls
The biggest mistake people make is assuming that SMS-based 2FA is sufficient protection. While it is better than no 2FA at all, SMS was never designed as a secure authentication mechanism. Text messages are transmitted in plain text and can be intercepted through various methods beyond SIM swapping, including SS7 protocol exploits.
Another common error is reusing passwords across multiple services. If an attacker gains access to one account through a data breach, they will try the same credentials on every major exchange and wallet service. Use a password manager to generate and store unique passwords for each service.
Finally, many people fail to secure the email account associated with their crypto exchange accounts. If an attacker can access your email, they can often reset passwords and bypass other security measures through the account recovery process. Your email account should have the strongest security settings available, ideally protected by a hardware security key.
Next Steps
After implementing the basic protections outlined above, consider advancing to hardware security keys (FIDO2/WebAuthn) for your most critical accounts. Devices like the YubiKey provide the strongest form of two-factor authentication available, and major exchanges including Coinbase, Binance, and Kraken support them.
Consider setting up a dedicated email address exclusively for cryptocurrency-related accounts. This reduces the risk that a compromise of your primary email will expose your exchange accounts. Use a strong, unique password and protect it with a hardware security key.
Stay informed about new security threats by following reputable cryptocurrency security researchers and publications. The threat landscape evolves constantly, and the protections that are adequate today may need to be updated tomorrow. Your cryptocurrency security is only as strong as its weakest link — make sure that link is not your phone number.
Disclaimer: This article is for educational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals for your specific situation.
the friend.tech drain was wild. people linking their phone numbers to wallets with zero hardware key backup in 2023 is crazy to me
linking phone numbers to wallets in 2023 was negligent. friend.tech built on a foundation of SMS verification and paid the price
switched to a yubikey after almost getting sim swapped last year. took 20 minutes to set up and now I sleep fine
good guide but should emphasize: never use SMS for 2FA on any exchange. hardware keys or authenticator apps only
authenticator apps are fine but even better: remove SMS as a recovery option entirely. most people leave it as a backup and that's the attack vector
T-Mobile got social engineered on me in 2022. lost 2 ETH because the attacker reset my exchange password via SMS. switch carriers if yours has weak verification
T-Mobile is notorious for this. their store employees can be social engineered with barely any verification. carriers need to be held liable for these losses
carriers will never accept liability voluntarily. needs legislation. the $385K friend.tech drain alone should have triggered action