The TLDR
Your phone number is a master key. It receives 2FA codes for your bank. It’s the recovery option for your email. It verifies your identity for your crypto exchange. SIM swapping is the attack that moves your phone number from your SIM card to the attacker’s — using nothing more than a phone call to your carrier and enough personal information to pass identity verification. Once they have your number, they have your 2FA codes, your password reset links, and a direct path to every account that trusts your phone number as proof of identity.
The Reality
The $24 Million Crypto Theft
In 2018, Michael Terpin, a cryptocurrency investor, lost $24 million when attackers SIM-swapped his T-Mobile phone number. The attack took minutes. The theft was irreversible because cryptocurrency transactions can’t be charged back.
The attackers called T-Mobile, impersonated Terpin, and convinced a store employee to transfer his number to a new SIM. Once they had his number, they received his 2FA codes, reset his email password, accessed his crypto exchange accounts, and transferred out $24 million in cryptocurrency.
Terpin sued T-Mobile and won a $75.8 million judgment. The money was never recovered.
How Common Is This?
The FBI IC3 reported over 2,000 SIM swapping complaints in 2022 with losses exceeding $72 million. The real number is higher — many victims don’t report.
The FCC adopted new rules in 2023 requiring carriers to implement stronger authentication before processing SIM swaps. These help but don’t eliminate the attack, because the weakest link is still a human customer service representative.
How It Works
The Social Engineering Playbook
Step 1 — Reconnaissance: The attacker gathers personal information about you. Name, address, last four digits of SSN, date of birth, account PIN (if they can find or guess it). Sources: data broker reports ($3–$15), social media, breach databases, and phishing.
Step 2 — The Call: The attacker calls your carrier’s customer support line. They claim to be you. “Hi, I got a new phone and I need to activate my SIM.” Or: “I lost my phone and I need my number transferred to a new SIM.”
Step 3 — Identity Verification: The customer service rep asks verification questions. Name? Address? Last four of SSN? Date of birth? The attacker has all of this from Step 1. If they don’t have your account PIN, they may claim they forgot it, or call back until they get a less vigilant representative.
Step 4 — The Swap: The rep transfers your phone number to the attacker’s SIM card. Your phone immediately loses service — no calls, no texts, no data.
Step 5 — Account Takeover: The attacker now receives your SMS 2FA codes. They:
- Reset your email password (via SMS recovery)
- Log into your email
- Use email access to reset passwords on banking, crypto, and social media accounts
- Change the recovery options on everything so you can’t get back in
Port-Out Scams
A variant: instead of a SIM swap within your carrier, the attacker ports your number to a different carrier entirely. They file a number porting request with a new carrier, using your account information and PIN (or the last four of your SSN if the carrier accepts that instead). This is harder to reverse because it involves inter-carrier processes.
Insider Threats
In several documented cases, carrier employees were bribed to perform SIM swaps. A DOJ indictment in 2021 charged a former T-Mobile employee with performing over 100 unauthorized SIM swaps in exchange for Bitcoin payments. The going rate was reportedly $300–$1,000 per swap.
The Authentication Chain
Why does a phone number compromise cascade so badly? Because the phone number sits at the foundation of the authentication chain:
Phone number → SMS 2FA codes → Email access → Password resets → Everything
Your email is the master account. With email access, you can reset the password on virtually any online service. And email recovery typically depends on… your phone number.
This is why SMS-based 2FA, while better than no 2FA, creates a single point of failure at the carrier level. Your bank’s security, your email’s security, and your crypto exchange’s security all ultimately depend on a phone call to a customer service representative who makes $15/hour.
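To make the cascade concrete, here is a small added example (not from the article) that models a set of accounts and their recovery paths as a graph and computes what an attacker who controls one factor can reach. The account names and recovery relationships are constructed for illustration; the hardened version assumes email recovery has been moved to a hardware key and the crypto exchange login is bound to that key, while the bank is left unchanged because it only offers SMS 2FA.

```python
from collections import deque

# Constructed example model, not taken from any real account setup.
# Each account maps to the factors that, on their own, get an attacker in:
# a password-reset link delivered there, or a 2FA code delivered there.
# "phone" is the carrier-controlled number that a SIM swap hands over.
WEAK_CHAIN = {
    "phone": [],
    "email": ["phone"],             # SMS code resets the email password
    "bank": ["email", "phone"],     # reset link to email, SMS 2FA
    "crypto": ["email", "phone"],   # same pattern
    "social": ["email"],            # reset link to email
}

# Same accounts after the changes the article recommends (assumed here):
# email recovery moved to a hardware key, crypto login bound to the key,
# bank unchanged because it only offers SMS 2FA.
HARDENED_CHAIN = {
    "phone": [],
    "hardware_key": [],
    "email": ["hardware_key"],
    "bank": ["email", "phone"],
    "crypto": ["hardware_key"],
    "social": ["email"],
}


def trusting_accounts(chain):
    """Invert the map: factor -> accounts that accept that factor as proof of identity."""
    inverted = {node: [] for node in chain}
    for account, factors in chain.items():
        for factor in factors:
            inverted.setdefault(factor, []).append(account)
    return inverted


def blast_radius(chain, compromised):
    """Every node an attacker reaches, transitively, after taking the `compromised` set.

    Breadth-first walk: controlling a factor yields every account that trusts it,
    and each captured account is itself a factor for whatever trusts it.
    """
    inverted = trusting_accounts(chain)
    reached = set(compromised)
    queue = deque(compromised)
    while queue:
        node = queue.popleft()
        for account in inverted.get(node, []):
            if account not in reached:
                reached.add(account)
                queue.append(account)
    return reached


def exposure_report(chain):
    """For each root factor (nothing recovers it), list the accounts it alone unlocks."""
    roots = [node for node, factors in chain.items() if not factors]
    return {root: sorted(blast_radius(chain, {root}) - {root}) for root in roots}


if __name__ == "__main__":
    for label, chain in (("weak", WEAK_CHAIN), ("hardened", HARDENED_CHAIN)):
        print(label)
        for root, accounts in exposure_report(chain).items():
            print(f"  losing {root!r} exposes: {accounts}")
```

In the weak graph, losing the phone number exposes every other account. In the hardened graph it exposes only the bank, which is exactly the service that still trusts SMS. Note that the hardware key now unlocks everything the phone used to: the exercise does not remove the root of trust, it moves it from whoever answers the carrier's support line to a device you physically hold.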
High-Profile Cases
Jack Dorsey (Twitter CEO)
In August 2019, Twitter CEO Jack Dorsey’s phone number was SIM-swapped. The attackers used his phone number to post tweets from his account via Twitter’s SMS-to-tweet feature. If the CEO of the platform isn’t immune, nobody is.
$400 Million FTX Theft
During FTX’s bankruptcy proceedings in 2022, approximately $400 million in cryptocurrency was stolen. While the full details are complex, SIM swapping was used as part of the attack chain to access accounts and authorization systems.
Teenager Rings
Some of the most prolific SIM swapping operations have been run by teenagers. The “Community” hacking group, whose members were as young as 17, stole over $100 million through SIM swapping attacks before being arrested. They targeted cryptocurrency holders specifically because crypto transactions are irreversible.
What You Can Do
Carrier PIN Setup
Every carrier offers an account PIN or passcode. Set one immediately:
- T-Mobile: Account → Security → Account PIN
- AT&T: Manage Account → Profile → Wireless Passcode
- Verizon: Account Security → Account PIN
Make this PIN different from any other PIN you use. If the attacker can guess your PIN, the protection is worthless.
SIM Lock / Number Lock
- T-Mobile: SIM Protection — prevents unauthorized SIM changes
- AT&T: Number Lock — locks your number to your current SIM
- Verizon: Number Lock — available in the My Verizon app
Enable these features. They add a layer of authentication before a SIM swap can be processed.
Move Away from SMS 2FA
The structural fix: stop using your phone number as an authentication factor.
- Switch to authenticator apps (Authy, Google Authenticator, Aegis) for 2FA on every account that supports it
- Use hardware security keys (YubiKey, Google Titan) for high-value accounts — email, banking, crypto
- Use passkeys where available — they don’t depend on phone numbers at all
- Remove your phone number as a recovery option from email and critical accounts where alternative recovery methods exist
If You’ve Been SIM-Swapped
If your phone suddenly loses service (no signal, no calls, no texts) and you have not changed phones or requested a SIM change yourself:
- Call your carrier immediately from another phone. Tell them you’ve been SIM-swapped and to reverse it.
- Change your email password first — this is the master account.
- Change passwords on banking and financial accounts — especially crypto exchanges.
- Enable 2FA on everything if it wasn’t already active — use an authenticator app, not SMS.
- Check for unauthorized transactions and report them to your bank.
- File a report with FBI IC3 and your local police.
- Place a fraud alert on your credit with all three bureaus.
Speed matters. The window between the SIM swap and the account takeover can be minutes.
Sources & Further Reading
- FCC SIM Swap Rules (2023) — federal rules requiring stronger carrier authentication
- FBI IC3: SIM Swapping Advisory — FBI guidance on SIM swap prevention and reporting
- FTC: SIM Swap Report — federal consumer protection guidance
- Brian Krebs: SIM Swapping Coverage — investigative journalism on SIM swap attacks
- CISA: Mobile Authentication Guidance — federal recommendations for mobile security
- Terpin v. T-Mobile — legal documentation of the $75.8M SIM swap judgment