The crypto community was rocked on October 5, 2023, when on-chain investigator ZachXBT revealed that a single attacker had stolen 234 ETH worth $385,000 from four Friend.tech users through SIM swap attacks. With Ethereum trading at $1,611 and Bitcoin at $27,415, the stakes of poor account security have never been higher. Whether you are a seasoned DeFi user or just getting started with cryptocurrency, understanding how SIM swap attacks work and how to defend against them is essential knowledge that could save you thousands of dollars.
The Basics
A SIM swap attack, also known as SIM hijacking or a port-out scam, occurs when a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control, either by porting the number to another carrier or by having a new SIM activated on your existing account. Once the attacker holds your phone number, every SMS message and phone call meant for you arrives at their device. That lets them pass SMS-based two-factor authentication on any account linked to the number, and, more importantly, complete the SMS-based password resets and account-recovery flows that many services offer, so the attacker often does not need your password at all. This includes email accounts, social media profiles, cryptocurrency exchanges, and wallet recovery systems. The Friend.tech attacks demonstrated exactly how this works in practice: the attacker gained control of victims' phone numbers, then used SMS-based authentication to access their Friend.tech accounts, sell their social tokens, and drain their ETH wallets. One victim reported losing 22 ETH, approximately $35,400 at the time, in a matter of minutes.
Why It Matters
SIM swap attacks are particularly dangerous for cryptocurrency users because crypto transactions are irreversible. Unlike traditional banking where you can dispute a fraudulent charge, once ETH or Bitcoin is transferred out of your wallet, there is no customer service number to call and no chargeback process to initiate. The scale of the problem is staggering: ZachXBT has documented approximately $13.3 million stolen through 54 SIM swap attacks targeting the crypto community, with victims including high-profile organizations like Aptos Network, PleasrDAO, and Metis DAO. The Friend.tech model of linking social media identities to crypto wallets creates an especially dangerous combination because attackers can discover phone numbers through doxxed social media accounts and then execute targeted SIM swaps. If your real name is associated with your crypto activity, you are at elevated risk.
Getting Started Guide
The most important step you can take today is to move away from SMS-based two-factor authentication on all your crypto-related accounts. Here is a practical guide to securing your accounts:
Step 1: Enable authenticator app 2FA. Download Google Authenticator, Authy, or Microsoft Authenticator on your phone. For each crypto exchange and wallet service you use, enable 2FA using the authenticator app option instead of SMS, and then remove your phone number as a fallback or recovery method where the service allows it, since a fallback SMS option leaves the SIM swap path open. An authenticator app computes each code from a secret seed stored on the device and the current time; nothing is sent over the phone network, so taking over your number yields nothing. That seed is now what must be protected: treat the QR code or backup string shown at enrollment like a password. Authy is often recommended because it offers encrypted cloud backups of your 2FA tokens, protecting you if you lose your device, but note that Authy accounts are themselves keyed to a phone number. If you use it, set a strong backup password and turn off the "Allow Multi-Device" setting, so that someone who swaps your SIM cannot enroll a new phone into your Authy account.
Step 2: Use a hardware security key. Purchase a YubiKey or Google Titan key and register it as a FIDO2/WebAuthn (or U2F) second factor on all services that support it, including Google, Twitter, GitHub, and major exchanges like Coinbase and Binance. Hardware keys resist phishing and SIM swap attacks because the authentication response is a signature generated on the device and bound to the website's origin: a code entered on a look-alike site does not verify for the real one, and there is no code to intercept in transit. Buy two keys and register both, keeping one somewhere safe, so a lost key does not lock you out, and, as in Step 1, remove SMS as a fallback method once the keys are enrolled, because the account is only as strong as its weakest accepted factor.
Step 3: Secure your mobile carrier account. Contact your mobile carrier and request a port-out authorization PIN or passcode. This additional security measure requires anyone attempting to transfer your number to another carrier to provide a secret code that only you know. Major carriers including AT&T, Verizon, and T-Mobile all offer this feature, though they do not always advertise it prominently and the name varies (number transfer PIN, account passcode, port validation). Be aware that a port-out PIN covers only transfers to another carrier; a SIM swap performed inside your own carrier, where a representative activates a new SIM on your account, is a separate path. Ask for the account-level protections that block SIM changes as well (carriers have offered these under names such as SIM protection or account lock), set a unique account PIN that you never reuse elsewhere, and ask that no changes be made without it, including in retail stores.
Step 4: Separate your identity. Create a dedicated email address used exclusively for cryptocurrency accounts, not linked to your real name or primary social media profiles. Consider using a Google Voice number instead of your carrier number for crypto-related accounts, as Google Voice numbers cannot be SIM swapped through traditional carrier channels. This moves the risk rather than removing it: the Google account that owns the number becomes the target, so protect it with hardware keys (Step 2) and make sure your carrier number is not listed as its recovery phone. Note also that some services refuse VoIP numbers for verification, which is a further reason to prefer app or hardware-key 2FA over any phone number.
Step 5: Use a hardware wallet. Store the majority of your cryptocurrency in a hardware wallet like a Ledger or Trezor device. These wallets keep your private keys off any internet-connected machine and require physical confirmation of transactions on the device, so a compromised email, exchange login or phone cannot move those funds. Two caveats: the protection applies only to assets actually held by the hardware wallet, not to balances sitting in an exchange account or an app-managed hot wallet, and the device will sign whatever you approve, so read the destination address and amount on the device screen before confirming rather than trusting what the computer or phone displays.
Common Pitfalls
Many users make the mistake of thinking that having SMS 2FA enabled means their accounts are secure. In reality, SMS 2FA is the specific vulnerability that SIM swap attackers exploit. Another common error is using the same email address for crypto accounts and social media, which creates a chain of compromise: if an attacker gains access to your email through a SIM swap, they can reset passwords on every linked account. Users also frequently underestimate the social engineering sophistication of SIM swap attackers, who may research their targets extensively through social media, public records, and data broker databases before contacting the carrier. Finally, relying on a single hardware device for both your 2FA tokens and your daily phone usage means that if your phone is compromised or lost, you lose access to everything simultaneously.
Next Steps
After implementing the security measures outlined above, conduct a full audit of your digital footprint. Search for your phone number and email address online to see what information is publicly available. Review which of your accounts still use SMS 2FA and migrate them immediately. Consider subscribing to a credit monitoring service that alerts you to unauthorized inquiries, as SIM swap attackers sometimes use personal information obtained through credit bureaus. Stay informed about new security threats by following researchers like ZachXBT on social media. The crypto ecosystem rewards those who take security seriously and punishes those who do not. Taking these steps today could be the difference between keeping your assets safe and becoming the next victim in a growing wave of SIM swap attacks.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with security professionals for personalized guidance.
ZachXBT single-handedly doing what the FBI should be doing. Traced 4 SIM swaps in real time while carriers did nothing.
friend.tech users losing 234 ETH because of SMS 2FA is brutal. Hardware keys cost like 30 bucks, people, just get one.
friend.tech users losing 385k to SMS swaps. And people wonder why I refuse to use a phone number for anything crypto related.
30 bucks for a YubiKey vs 385k in stolen ETH. The math is pretty clear but people still rely on SMS like it's 2010.
yubi_or_die_ 30 bucks vs 385k is the clearest ROI calculation in crypto security history. And people still use SMS 2FA.
Had a coworker get SIM swapped last year. T-Mobile let someone port his number with barely any verification. Carriers need to be held accountable here.
Karen M. is right. Carriers need liability for unauthorized ports. Until it costs them money nothing changes.
EU has stronger carrier regulations and SIM swaps are way less common there. US telecom companies lobbied hard against accountability
^ Same thing happened with AT&T in 2022. The carrier security is a joke.
ZachXBT doing more for crypto security than most audit firms combined. Dude works for free, basically.