On October 5, 2023, the cryptocurrency community faced yet another wave of social engineering attacks as on-chain investigator ZachXBT revealed that a single scammer had stolen 234 ETH, worth approximately $385,000, from four different Friend.tech users through SIM swap attacks. The incidents, which unfolded over a 24-hour period, underscore the persistent vulnerability of crypto accounts that rely on SMS-based two-factor authentication. With Ethereum trading at $1,611 and the broader market capitalization exceeding $1 trillion, the attacks demonstrate that even as the crypto ecosystem matures, basic security hygiene remains a critical gap for many participants.
The Threat Landscape
SIM swapping has emerged as one of the most devastating attack vectors in the cryptocurrency space. The technique involves a scammer tricking a mobile carrier into transferring a victim’s phone number to a SIM card controlled by the attacker. Once the attacker gains control of the phone number, they can bypass SMS-based two-factor authentication and gain access to email accounts, social media profiles, and cryptocurrency wallets. According to data compiled by ZachXBT, approximately $13.3 million has been stolen through 54 documented SIM swap attacks targeting the crypto community. Previous high-profile victims include Aptos Network, PleasrDAO, and Metis DAO. The Friend.tech attacks represent a troubling escalation, as the decentralized social platform’s model of linking user wallets to social media accounts creates a particularly lucrative target for SIM swappers.
Core Principles
At the heart of effective crypto security lies the principle of layered defense. The Friend.tech incidents reveal a fundamental flaw in relying solely on SMS for account recovery and authentication. The core principles that should guide every crypto user include separating identity from phone numbers, using hardware-based authentication methods, and minimizing the amount of personal information linked to crypto accounts. One victim, known on X as @darengb, lost 22 ETH after being SIM swapped. He warned that users whose Twitter accounts are linked to their real names are particularly vulnerable because their phone numbers can be easily discovered through public records. The attacker in the Friend.tech cases reportedly executed the SIM swap by visiting an Apple Store and transferring the victim’s number to an iPhone SE, illustrating how low-tech the initial social engineering component of these attacks can be.
Tooling and Setup
Protecting against SIM swap attacks requires a deliberate shift away from SMS-based authentication toward more robust alternatives. Hardware security keys such as YubiKey or Google Titan provide phishing-resistant two-factor authentication that cannot be intercepted through phone number porting. Authenticator apps like Google Authenticator, Authy, or Microsoft Authenticator generate time-based one-time passwords that operate independently of the cellular network. For crypto wallet security specifically, hardware wallets like Ledger or Trezor keep private keys offline and isolated from internet-connected devices. Users should also set up a separate email address exclusively for cryptocurrency accounts, enable passcode protection with their mobile carrier to prevent unauthorized SIM changes, and consider using a dedicated phone number through a service like Google Voice that is not tied to a physical SIM card.
Ongoing Vigilance
Security is not a one-time setup but a continuous practice. Users should regularly audit which accounts are connected to their phone numbers and email addresses. Monitor wallet activity using on-chain tools and set up alerts for any unauthorized transactions. Be wary of phishing attempts that may try to extract additional information after an initial SIM swap, as attackers often use access to one account as a stepping stone to compromise others. The Friend.tech attackers were able to sell victims’ keys and drain their wallets because the platform’s design links social identity to wallet control, creating a cascading effect where a single compromised phone number leads to total asset loss. ZachXBT has consistently warned the community to never use SMS 2FA and instead opt for authenticator apps or security keys.
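One way to run the audit described above, as an added Python example that is not from the original article: it models each account's login and recovery paths and computes which accounts fall once the phone number is in someone else's hands. The inventory and account names are constructed for illustration.

```python
# Constructed inventory (hypothetical account names). Each account lists its
# takeover paths: a path is the set of factors that together allow a login or reset.
INVENTORY = {
    "email":         [{"phone"}, {"email_password", "security_key"}],
    "social":        [{"email"}, {"social_password", "totp_app"}],
    "social_wallet": [{"social"}],            # wallet control follows the social login
    "exchange":      [{"exchange_password", "security_key"}],
    "cold_storage":  [{"hardware_wallet"}],
}


def blast_radius(inventory, compromised):
    """List (account, path_used) for every account that falls once the
    `compromised` factors are held by someone else, in the order they fall."""
    held = set(compromised)
    fallen = []
    progress = True
    while progress:                            # iterate to a fixed point
        progress = False
        for account, paths in inventory.items():
            if account in held:
                continue
            for path in paths:
                if path <= held:               # every factor on this path is held
                    held.add(account)
                    fallen.append((account, sorted(path)))
                    progress = True
                    break
    return fallen


def without_factor(inventory, factor):
    """Copy of the inventory with every path that relies on `factor` removed,
    i.e. the state after that factor is unlinked from all accounts."""
    return {account: [p for p in paths if factor not in p]
            for account, paths in inventory.items()}


if __name__ == "__main__":
    for account, path in blast_radius(INVENTORY, {"phone"}):
        print(f"{account:14} falls via {' + '.join(path)}")
    hardened = without_factor(INVENTORY, "phone")
    print("after unlinking phone:", blast_radius(hardened, {"phone"}))
```

In the sample inventory only the email account accepts the phone number directly, yet the social account and its wallet fall with it; removing that one SMS recovery path empties the list.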
Final Takeaway
The Friend.tech SIM swap attacks of October 2023 serve as a wake-up call for the entire crypto community. As the ecosystem grows and platforms like Friend.tech create new models for social token trading, the attack surface expands correspondingly. Every user should conduct an immediate security audit of their authentication methods, migrate away from SMS-based 2FA, and implement hardware-based security wherever possible. The $385,000 stolen in a single day represents not just individual losses but a systemic vulnerability that the industry must address through better default security configurations and user education. With Bitcoin hovering around $27,400 and the market showing signs of renewed activity, the stakes of poor security practices have never been higher.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research and consult with security professionals before implementing security measures.
234 ETH stolen from 4 people in 24 hours and the attack was just SIM swapping. ZachXBT does more for crypto security than most audit firms combined. the man works overtime
one guy on twitter does more incident response than entire security teams at these platforms. wild
234 ETH is $385K from 4 people. imagine being a scammer and your entire business model is stealing phone numbers
SMS-based 2FA should be classified as a vulnerability, not a security feature. every major exchange and social platform still supports it though, which tells you everything about their priorities
^[agree] hardware keys or gtfo. friend.tech specifically had zero reason to rely on SMS for anything crypto related
friend.tech literally had a crypto native userbase and still relied on phone verification. no excuse for that in 2023
Ingrid is right. SMS should be treated as a vulnerability. T-Mobile had their own SIM swap issues too. the carrier is part of the attack chain
234 ETH from 4 victims means the average haul was about $96k per person. these were not small accounts
imagine losing $96K because someone called your phone company and pretended to be you. the bar for SIM swapping is disturbingly low
Friend.tech had no excuse for SMS-only auth in 2023. they were building onchain social and couldn't implement wallet-based login