A SIM swap attack happens when an attacker convinces your phone carrier to move your number to a SIM card they control, intercepting every SMS to your accounts — including password-reset codes and SMS-based 2FA. The chain from a hijacked number to a drained crypto wallet runs through email, exchange login, and withdrawal, and can complete in hours.
What you'll learn
What SIM swap is and how big the problem is in 2026
The step-by-step attack mechanics from data-broker lookup to drained wallet
Why crypto holders are the highest-payout targets
The port-out PIN and account-lock setup for each major US carrier
How to migrate from SMS 2FA to authenticator apps and hardware keys
Whether eSIM and a separate phone number actually help
The hour-by-hour recovery procedure if you think it is happening
What is a SIM swap attack, and how big is the problem in 2026?
A SIM swap attack is when someone convinces your phone carrier to port your phone number to a SIM they control. They then receive every SMS sent to your number. Password resets and SMS-based 2FA codes go to them. The FBI's IC3 logged 982 SIM swap complaints in 2024 with $25.98 million in reported losses (source: FBI IC3 2024 Annual Report). T-Mobile lost a $33 million arbitration award in March 2025 over a 2020 SIM swap that drained $38 million in Bitcoin from a single customer (source: Greenberg Glusker case summary). UK Cifas reported nearly 3,000 unauthorized SIM swaps in 2024, a 1,055% jump year over year (source: Cifas Fraudscape 2025 SIM swap report).
The headline numbers under-count significantly. Most victims report the downstream fraud (crypto stolen, bank account drained, email taken over) rather than the SIM swap itself. Industry estimates put the true rate at 10x to 50x the reported number. Australia's IDCARE logged a 240% increase in 2024, with 90% of cases occurring without any user engagement (source: IDCARE port-out and SIM swap newsletter). The trend in 2026 is clearly upward. Carriers' defenses got better in the US after the 2024 FCC rules, but the attack still works at scale because user adoption of port-out PINs and account locks is low.
The reason this guide focuses on crypto is the payout math. Bank-fraud SIM swap pays out slower than crypto. Banks have transaction holds, chargebacks, and fraud teams that can reverse transfers. Crypto withdrawals confirm on chain in minutes. Once confirmed, there is no chargeback. The attacker who SIM-swaps a bank account might net thousands. The attacker who SIM-swaps a crypto holder can net six or seven figures in hours.
2024-2026 SIM swap loss data
Source | Metric | Number |
|---|---|---|
FBI IC3 (US, 2024) | Reported complaints | 982 |
FBI IC3 (US, 2024) | Reported losses | $26 million |
FBI IC3 (US, 2021 spike) | Reported complaints | 1,611 |
FBI IC3 (US, 2021 spike) | Reported losses | $68 million |
Single settlement | T-Mobile crypto case | $33 million |
UK Cifas (2024) | Unauthorized SIM swaps reported | Nearly 3,000 (+1,055% YoY) |
AU IDCARE (2024) | Assistance requests | +240% YoY |
FCC (2024) | New rules | Mandatory account locks + instant alerts |
For the foundational 2FA + mobile-side context this guide builds on, see two-factor authentication for crypto and mobile wallet safety tips.
How does the attack actually work, step by step?
The attacker collects basic personal data about you. Data brokers, breach databases, social media. They then call your carrier and impersonate you. They claim you lost your phone or got a new device. They convince the support agent to activate a new SIM card with your number. The agent transfers the number. Your phone loses service. Their phone now receives your texts. The whole process can be done in under 30 minutes.
The mechanism is social engineering plus weak carrier identity check. The attacker does not need to break any technical system. They just need a support agent who follows the documented process and accepts the impersonation. The information they need (name, address, sometimes last four of Social Security number) is sold by data brokers for a few dollars per record. Past breaches at major US carriers, retailers, and exchanges have spilled enough personal data into the criminal market that almost any US adult is reachable. For how to respond when your personal data turns up in a breach feed, see data breach response for crypto holders.
Insider risk at carriers is the harder version of the same attack. Some confirmed cases involve carrier employees who accept payment to perform the SIM swap directly, no impersonation required. The T-Mobile $33 million case turned on this pattern, where an employee allegedly took payment to move a customer's number. The carrier defenses described later in this guide help against social engineering. They help less against insider compromise. Hardware-key 2FA on the downstream accounts is what closes that residual risk.
5-step attack walkthrough
Attacker collects your phone number, full name, address, and other identifiers from data brokers or breach data
Attacker calls your carrier or visits a store, impersonating you
Attacker convinces the agent (or pays an insider) to activate a new SIM with your number
Your phone loses signal. The attacker's phone starts receiving your texts and calls
Attacker requests password resets on your email, exchange, and bank accounts, intercepting the SMS codes
For the prevention practices on the data-broker side, see physical security for crypto. The OPSEC layer that makes the discovery step harder.
Why are crypto holders the top targets?
Crypto holders sit at the end of a chain that pays out faster and bigger than any other target. Phone number compromise leads to email password reset. Email reset leads to exchange password reset. Exchange password reset leads to 2FA reset (if 2FA is SMS-based). 2FA reset leads to withdrawal. The whole chain can be done in hours. Once the withdrawal confirms on chain, there is no chargeback.
From Blofin's support data, the SIM swap cases that reach us almost always arrived through the same path. Phone number ported. Email password reset via SMS recovery. Exchange password reset via email recovery. Exchange 2FA reset via SMS. Withdrawal request through the exchange. The chain takes hours. The user usually realizes hours or a day later when they cannot sign back in. By that time the funds are gone. Speed of detection is the only thing that changes the outcome.
The pattern matters because every link in the chain is a potential break point. Email account with hardware-key 2FA breaks the chain at link 2. Exchange account with authenticator-app 2FA (and an authenticator that is not recoverable via SMS) breaks the chain at link 4. Withdrawal address whitelist with 24-hour grace period breaks the chain at link 5. The attacker only needs one path through. The defender needs every link to hold. The password-discipline layer that sits underneath all of this is covered in password management for crypto.
The downstream chain
Link | What attacker does | What breaks the chain |
|---|---|---|
1. Port number | Convince carrier to activate new SIM | Port-out PIN + account lock + instant alert |
2. Email reset | Use SMS recovery to reset email password | Hardware-key 2FA on email; no SMS recovery option |
3. Exchange reset | Use email reset to reset exchange password | Email already protected per link 2 |
4. Exchange 2FA reset | Use SMS or email to reset 2FA on exchange | Authenticator-app 2FA without SMS fallback |
5. Withdrawal | Initiate withdrawal to attacker address | Withdrawal address whitelist + 24-hour grace |
What carrier-side defenses can you turn on right now?
Set a port-out PIN with your carrier. Enable an account lock if your carrier offers one. In the US, all four major carriers offer some form of port-out protection in 2026 under the 2024 FCC rules. The names differ. The protection differs in detail. The pattern is the same: a separate PIN or lock that an attacker has to know or disable before your number can move to another SIM. Adoption is still low, which is why this attack still works at scale.
The FCC mandate from 2024 (still in force in 2026) requires wireless providers to use secure authentication methods before transferring a phone number, to offer customers an account lock to block SIM changes, and to notify customers right away when a SIM change or port-out request is made (source: FCC compliance announcement for the SIM swapping and port-out fraud rules). The "instant alert" rule is the most useful from a recovery standpoint. If you get an SMS or email saying your SIM is being changed and you did not request it, you have seconds to call the carrier and stop it. Most carriers send the alert to the phone number being ported, which is useless because the attacker now controls it; the better implementations also send to the account email or to a separate alert number.
US carrier port-out lock setup (early 2026)
Carrier | Feature name | Where to enable |
|---|---|---|
AT&T | Wireless Account Lock | myAT&T app; blocks port-out and sensitive account changes |
Verizon | Number Lock + SIM Protection | My Verizon app; separate controls for port-out and SIM change |
T-Mobile | Port Out Protection + SIM Protection | T-Mobile app or website; per-line add-on |
Google Fi | Number Lock | Fi website; covers external ports and internal SIM changes |
Xfinity Mobile | Number Lock | Xfinity app |
Mint Mobile | Number Lock | App or website; requires one-time password during legitimate port |
Visible | Line Lock | Visible app or website |
The setup takes 5-10 minutes per carrier. The procedure is roughly: open the carrier's official app, find "Account Settings" or "Privacy," enable the lock, generate a port-out PIN, store the PIN somewhere safe (password manager works), and confirm the lock is active. Disable the lock only when you actually want to switch carriers. Re-enable immediately after.
How should you handle 2FA after SIM swap awareness?
Move every account that supports it from SMS-based 2FA to an authenticator app or a hardware security key. Google Authenticator, Authy, and the FIDO2-based YubiKey are the standard options. SMS 2FA is convenient. It is also the single biggest weakness in the SIM swap chain. Once SMS is out of the loop, the attacker has a port without a payout.
The three tiers of 2FA differ in how much SIM swap protection they offer. SMS 2FA is the weakest. The whole point of the SIM swap is to intercept these codes. Authenticator-app TOTP generates codes on your device, not via your carrier. SMS swap does not affect this. The trade-off is that you need to back up the authenticator's recovery codes somewhere safe, because losing your phone with the authenticator on it locks you out. Hardware security key (FIDO2) is the strongest. A YubiKey or similar device requires physical presence to authenticate, and the FIDO2 / WebAuthn protocol is explicitly designed to be phishing-resistant by binding credentials to the registered origin (source: FIDO Alliance User Authentication Specifications). Even an attacker with full account access cannot use the second factor without the physical key. For the broader hardware-security context that sits alongside hardware-key 2FA, see Blofin's hardware wallet guide.
For balances above a few thousand dollars, the hardware key is worth the $50. For everything else, the authenticator app is enough. The mistake to avoid is keeping SMS 2FA "as a backup" on the same account. Most exchanges fall back to whichever 2FA method you registered, so leaving SMS active undoes the protection. Remove SMS entirely from any account where another factor is set up. Hardware-key 2FA also closes the door on signature-phishing attacks that bypass SMS and TOTP codes; see crypto phishing attacks for the broader attack landscape that hardware keys defend against.
2FA tier comparison for SIM swap protection
Tier | What it uses | SIM swap risk | Cost | When it makes sense |
|---|---|---|---|---|
SMS 2FA | Text message codes | High. Designed to be defeated | Free | Avoid where possible |
Authenticator app TOTP | App-generated codes on your device | Low. Codes generated locally | Free | Most users; balances under five figures |
Hardware key (FIDO2) | Physical USB or NFC key | Near zero. Requires physical key | ~$50 per key | High-value accounts; recommend two keys per account |
For the broader 2FA picture, see the two-factor authentication guide referenced earlier in this article.
Do eSIM and a separate phone number help?
Yes to both. eSIM removes the physical-SIM transfer step. An attacker would have to either trick the carrier into activating a new eSIM profile (still possible but with one more check step) or compromise your eSIM profile itself, which is harder than swapping a physical SIM. A separate phone number for crypto accounts that you never share publicly removes the data-broker discovery step. The attacker needs your number to start the attack. If they cannot find it, they cannot start.
eSIM advantages stack with port-out PINs. Physical SIM swap requires the attacker to either get a new physical SIM card sent to them or have an insider activate one in-store. eSIM activation is done over the air, but requires a profile transfer that some carriers gate behind in-person check or device-trust checks. The bar is higher. The protection is not absolute. Carrier-employee compromise still bypasses both. But the combination of eSIM plus port-out PIN plus authenticator-app 2FA plus a separate phone number for sensitive accounts is the practical ceiling of consumer-grade defense.
The separate-number strategy works through identifier isolation. The number you use for crypto exchange logins, email recovery, and bank 2FA should be different from the number on your business card, your LinkedIn profile, and your public social media. The attacker who searches data brokers for your number finds the public one. The crypto-tied number stays invisible. Options include Google Voice (free, Google-account dependency), a second SIM line on a dedicated device, or a privacy-focused mobile service such as Efani, which advertises an 11-layer authentication protocol and a 14-day cooling-off period on port-out requests as its core SIM swap defense (source: Efani secure mobile service). The trade-off is that you have to remember which number is on which account, and account-recovery flows that send alerts to the wrong number get confusing.
eSIM vs physical SIM at a glance
Property | Physical SIM | eSIM |
|---|---|---|
Transfer mechanism | Physical card swap | Over-the-air profile activation |
Carrier-side check | Often phone call only | Often phone call + device check |
Insider-compromise vector | Activate a physical SIM card | Activate an eSIM profile |
In-store transfer required | No (some cases) | Some carriers require for eSIM changes |
Defense layer added | Baseline | Adds one check step |
What should you do during and right after a suspected SIM swap?
Time matters more than anything else. The moment your phone loses signal in an unexpected way, treat it as a possible attack. Call the carrier from a different phone immediately. Demand a port-out reversal and account freeze. Then change passwords on every linked account, starting with email and then exchange. Move funds from any exchange account that supports withdrawal-on-hold features. If real funds are at risk, file with FBI IC3 within the first 24 hours.
The pattern of recovery cases we see splits clean into two outcomes. Users who notice within an hour and can get the carrier to reverse the port have a real chance at saving funds, especially if the exchange has not yet processed the withdrawal. Users who notice the next morning almost never recover funds, but can recover accounts. The difference between the two is whether the user had a port-out PIN that bought time, and whether their crypto accounts used authenticator-app 2FA instead of SMS.
Hour-by-hour recovery flow
Time | What to do |
|---|---|
0-15 minutes | Call the carrier from a different phone. Identify yourself with the port-out PIN or account lock. Demand an immediate reversal and account freeze |
15-60 minutes | Change email password through a backup recovery method that does not use SMS. Change exchange passwords starting with the largest-balance account |
1-3 hours | Initiate withdrawal holds on exchange accounts (most major exchanges have a 24-hour hold trigger for major account changes). Contact each exchange's emergency support line. Provide the suspected timeline |
3-24 hours | File with the FBI Internet Crime Complaint Center for the record (source: FBI IC3). File a police report locally. Document everything: timestamps, screenshots, support ticket numbers |
24-72 hours | Audit every account linked to the affected phone number. Remove SMS as a recovery option. Re-enable port-out PIN. Consider switching to an eSIM-only carrier |
The exchange-side hold is the most under-used recovery tool. Most major exchanges automatically hold withdrawals for 24 hours after a major account change (password reset, 2FA reset, withdrawal-address whitelist change). If your exchange account is one that has this protection, the hold buys you the window to recover. Blofin and most reputable exchanges have this feature; check your exchange's security settings. For the broader recovery procedure if funds were already moved, see how to recover a crypto wallet, and for the step-by-step incident response in the first hour, see compromised wallet emergency steps.
Frequently asked questions
How likely is a SIM swap, really?
Lower than crypto-Twitter alarm suggests, higher than zero. FBI IC3 logged about 1,000 confirmed SIM swap complaints in 2024 in the US. That under-counts significantly. The estimated true rate is 10x to 50x reported. Crypto holders with public profiles or large balances are over-represented in actual cases. If you are a public crypto holder, or your wallet on-chain shows large balances tied to identifying information, your personal risk is materially higher than the population average.
Can I prevent it completely?
Not completely. Carrier-insider risk and social-engineering at the carrier level cannot be 100% blocked from your side. The port-out PIN plus account lock plus FCC mandatory alert together get the practical risk close enough to zero for most users. The remaining risk is concentrated in carrier-employee compromise, which has happened and which produced the T-Mobile $33 million settlement.
Does using a Google Voice number protect me?
Partially. Google Voice numbers are not portable in the same way carrier numbers are, so the basic SIM swap attack does not apply. The trade-off is that Google Voice is a Google account dependency. If your Google account is compromised through other means (phishing, password reuse), the protection collapses. Combine Google Voice with hardware-key 2FA on the Google account and the residual risk is small.
What if my carrier does not offer a port-out PIN?
Switch carriers. In the US, all four major carriers and most MVNOs (Mint, Visible, Google Fi, Xfinity Mobile) offer some form of port-out lock or PIN in 2026 per FCC mandate. If yours does not, it is non-compliant. In other jurisdictions, the rules vary. Some EU carriers require in-store ID check by default, which is its own protection. Some emerging-market carriers offer minimal protection; in those cases the eSIM and separate-number strategies matter more.
If I get SIM-swapped, can I recover the funds?
Sometimes, if you act within hours. The path: contact the carrier within the first hour, reverse the port, freeze affected accounts (email, exchange) before withdrawals process. Some exchanges hold withdrawals for 24 hours after major account changes, which is the window. Once funds confirm on chain, recovery is nearly impossible barring law-enforcement coordination with the receiving exchange. File with FBI IC3 immediately for the record.
Is a hardware 2FA key better than authenticator apps?
For high-value targets, yes. A FIDO2-based YubiKey or similar hardware key adds a physical-presence requirement that an authenticator app does not. Phishing attacks that can intercept TOTP codes from authenticator apps cannot intercept hardware-key challenges in the same way. For balances above a few thousand dollars, the $50 hardware key is worth it. For smaller balances, an authenticator app is usually enough.
Does eSIM make SIM swap impossible?
No, but it makes the attack harder. The attacker has to convince the carrier to activate a new eSIM profile, which often requires more check than a physical SIM swap. Some carriers require the user to visit a store in person for eSIM changes. The protection is not absolute. The barrier is higher. Combined with port-out PINs and authenticator-app 2FA, the residual risk is small.
Researched and written by the Blofin Academy editorial team with AI-assisted drafting. Primary sources include the FBI IC3 2024 Annual Report, the FCC 2024 SIM swap and port-out fraud rules, the Greenberg Glusker arbitration summary on the T-Mobile $33 million crypto SIM swap award, the UK Cifas Fraudscape 2025 report, Australia's IDCARE port-out and SIM swap research, and the FIDO Alliance authentication specifications. All facts independently checked against cited sources current as of May 2026.
This article is educational and does not constitute financial, legal, or security-consulting advice. SIM swap defenses depend on choices the user makes about carrier setup, 2FA migration, and account hygiene. The 2026 threat landscape changes constantly; specific carrier features and FCC rules reflect early-2026 data. Refer to the official documentation of your carrier and exchanges for product-specific procedures. Blofin does not contact users first about account issues; any uninvited message claiming to be from Blofin support is a scam.