SIM swap attacks have drained millions in Bitcoin from people who thought they were secure. Your phone number is the weakest link in your Bitcoin security chain — and attackers know it. Here is exactly what a SIM swap is, how it works, and the specific steps to make yourself immune.
What Is a SIM Swap Attack?
A SIM swap is when an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they have your number, every SMS-based two-factor authentication code goes to them — not you. They reset your exchange password, drain your account, and disappear in minutes.
The average SIM swap takes under 10 minutes to execute. Attackers often use social engineering (calling your carrier pretending to be you), bribing carrier employees, or exploiting weak identity verification at carrier stores.
Why Bitcoin Holders Are Prime Targets
Bitcoin is irreversible. There is no dispute process, no chargebacks, no "call your bank." This makes Bitcoin holders uniquely valuable targets compared to traditional bank account holders. An attacker who SIM swaps a Coinbase user can steal $500,000 in Bitcoin in the time it takes you to notice your phone lost service.
High-profile SIM swap cases include Michael Terpin, who lost $24 million in crypto in 2018, and Joel Ortiz, who stole $7.5 million from crypto investors via SIM swaps. Dozens of exchange accounts are compromised this way every month.
How a SIM Swap Attack Unfolds
Step 1 — Reconnaissance: Attackers find your name, phone number, email, and carrier from data breaches, social media, or dark web databases.
Step 2 — Social engineering: They call your carrier, claim to be you, say they got a new phone, and ask to transfer your number. Many carriers have terrible identity verification: a billing address and the last four digits of your SSN are often enough.
Step 3 — Takeover: Your phone shows "No Service." Their phone now receives your SMS messages.
Step 4 — Password reset: They go to your exchange, click "Forgot Password," receive the SMS code, and reset your password.
Step 5 — Drain: They withdraw everything and move the funds through mixers. Game over.
The Vulnerability Hierarchy
| Authentication Method | SIM Swap Vulnerable? | Security Level |
|---|---|---|
| SMS 2FA | Yes — codes go to attacker | Very weak |
| Email 2FA (if email uses SMS recovery) | Yes — indirect | Weak |
| TOTP (Google Authenticator, Authy) | No | Good |
| Hardware security key (YubiKey) | No | Excellent |
| Passkey (biometric) | No | Excellent |
| No 2FA | N/A | Terrible |
The core lesson: Never use SMS for 2FA on any account connected to Bitcoin.
Step-by-Step: SIM Swap Defense
1. Remove SMS 2FA From All Crypto Accounts
Log into every exchange and wallet service you use. Find the 2FA settings. Switch from SMS to an authenticator app (Google Authenticator, Aegis on Android) or hardware key. Do this today — it takes five minutes and eliminates the primary attack vector.
Exchanges supporting hardware keys: Coinbase (YubiKey), Kraken (YubiKey), Gemini (YubiKey). Use them if you have significant balances.
2. Add a SIM Lock / Port-Out PIN to Your Carrier Account
Every major US carrier allows you to add a port-out PIN or SIM lock that requires in-person ID verification to transfer your number:
- AT&T: Add "Extra Security" in myAT&T account settings
- T-Mobile: Enable "Account Takeover Protection" in your account
- Verizon: Add a port-out PIN via the My Verizon app or in-store
- Google Fi: Enable two-step verification with a security key
After setting this, call your carrier to confirm it is active. Some carriers have bugs where online settings do not propagate correctly.
3. Switch to a Non-SMS-Recoverable Email
Your email is only as secure as its recovery method. If your Gmail account can be recovered via SMS, a SIM swap also compromises your email.
Recommended: Create a dedicated email for crypto using ProtonMail with no SMS recovery. Use a hardware key or TOTP-only recovery. Never share this email address publicly.
4. Use a Dedicated Phone Number for Crypto (or No Phone Number)
Ideal: Do not associate any phone number with your exchange accounts at all. When forced to provide one, use a Google Voice number or a burner SIM that has no connection to your identity and is never used for anything else.
5. Consider a Privacy-First Carrier
Some MVNO carriers offer better protection:
- Efani: Security-focused carrier that claims to be "SIM swap-proof" with background checks on employees
- Google Fi: Requires 2-step verification to port out
- Silent Link: eSIM-only, designed for privacy
These cost more but add meaningful friction for attackers.
Exchange-Level Protections
Coinbase
- Disable SMS 2FA — use TOTP or YubiKey
- Enable withdrawal address whitelisting (24-48 hour delay for new addresses)
- Set up a vault account with time-delayed withdrawals
- Use a unique email not used anywhere else
Kraken
- Use YubiKey or TOTP
- Enable "Global Settings Lock" — requires email + 2FA to change any security settings
- Set withdrawal address whitelisting
Gemini
- Enable hardware key 2FA
- Withdrawal address whitelisting is available on all accounts
- Consider Gemini Custody for large balances
The Nuclear Option: Self-Custody
The ultimate SIM swap defense is removing Bitcoin from exchanges entirely. You cannot SIM swap a hardware wallet.
If you hold more than $10,000 in Bitcoin, it should be in self-custody:
- Coldcard Mk4 — air-gapped, never connects to the internet
- Ledger Flex — secure element, beginner-friendly
- Trezor Safe 5 — open source firmware
With self-custody, SIM swaps become irrelevant for your primary holdings. Only funds you actively trade need to stay on exchanges.
Signs You Are Being SIM Swapped Right Now
If you notice any of these, act immediately:
- Your phone suddenly shows "No Service" or "SOS Only"
- You receive texts about a number transfer you did not initiate
- You cannot make calls or receive SMS
- You get emails about password changes you did not make
Immediate response: Call your carrier from a different phone. Ask them to lock your account and reverse any unauthorized SIM transfer. Then change all exchange passwords from a secure device.
Advanced OPSEC: What High-Net-Worth Holders Do
For anyone holding a significant amount of Bitcoin (above $100,000), the security posture needs to be more aggressive:
Separate identities: Use a dedicated device (old phone or tablet) with a fresh Google account and a new phone number only for crypto. Never browse social media or general web on this device.
No exchange leakage: Do not mention on social media that you own Bitcoin, which exchanges you use, or how much you hold. Attackers trawl Twitter, Reddit, and Discord to identify targets.
Address privacy: Never post a Bitcoin receiving address publicly that can be linked to your identity. Chain analysis firms can estimate your holdings from your address.
Hardware key for everything: YubiKey on your exchange accounts, your email, your password manager, and your VPN.
Common Mistakes to Avoid
Using Authy with multi-device enabled: If Authy multi-device is on, an attacker with your phone number can clone your TOTP codes by registering a new device. Disable multi-device in Authy settings immediately.
Reusing email addresses: If you use the same email for crypto and everything else, a data breach on any service leaks your crypto email.
Storing seed phrases in cloud storage: iCloud, Google Drive, and Dropbox are not secure. Your seed phrase belongs on steel or paper, offline.
Weak carrier PIN: "1234" or your birthday defeats the purpose. Use a random 10-digit number and store it in your password manager.
The Bottom Line
SIM swap attacks are entirely preventable. The fixes are not complicated — remove SMS 2FA, add a carrier SIM lock, use TOTP or hardware keys, and move your Bitcoin to self-custody. An attacker who tries to SIM swap you should hit nothing but dead ends.
Your phone number was never meant to be an authentication factor. Treat it as the public identifier it is, and put your real security elsewhere.