How to Prevent SIM Swap Attacks — The Anti-Loss Protocol for Protecting Your Crypto from Phone Number Hijacking

Published on 2026-05-30

The 5-Minute Phone Call That Can Wipe Out Your Crypto

You wake up to find your phone has no signal. Strange, but maybe it is a network outage. You wait an hour. Two hours. Then you check your email and see a flood of password reset confirmations from Coinbase, Kraken, and your email provider. By the time you call your mobile carrier, the attacker has already: reset your email password, bypassed your SMS-based two-factor authentication, logged into every crypto exchange account you own, and withdrawn everything.

This is a SIM swap attack — and it is one of the simplest, most devastating attacks in crypto. It does not require malware, phishing links, or technical sophistication. The attacker only needs your name, your phone number, and a convincing voice. In 2025 alone, SIM swap attacks drained over $100 million from crypto exchange accounts, with individual victims losing between $5,000 and $7.2 million.

The worst part? Most of these attacks are entirely preventable. The Anti-Loss Protocol for SIM swap prevention takes under 30 minutes to implement and eliminates the attack vector almost completely. Here is exactly how to protect yourself.

How a SIM Swap Attack Works

A SIM swap (also called SIM jacking, SIM splitting, or port-out scam) is when an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they have your phone number, they can intercept every SMS and voice call sent to it — including two-factor authentication codes, password reset links, and account verification messages.

The attack chain looks like this:

Information gathering: The attacker collects your name, phone number, address, date of birth, and the last four digits of your Social Security Number. This data comes from data breaches, social media, data broker websites, or social engineering posts.
The call (or visit): The attacker calls your mobile carrier — or visits a store in person — pretending to be you. They claim they lost their phone and need a new SIM card activated. Using the collected personal information, they pass the carrier's identity verification.
The swap: The carrier deactivates your SIM and activates the attacker's SIM with your phone number. Your phone loses signal immediately.
Account takeover: With your phone number, the attacker resets your email password (most email accounts use SMS for recovery). From the email, they reset passwords on every exchange, trading platform, or service that uses SMS 2FA. SMS verification codes now go directly to the attacker's phone.
The drain: Funds are withdrawn from exchange accounts, often converted to privacy coins or transferred through mixing services. The entire process can happen in under 20 minutes.

Some attackers also bribe or socially engineer mobile carrier employees directly. In 2024, several T-Mobile and AT&T employees were arrested for accepting bribes of $500-$2,000 to perform unauthorized SIM swaps. This means even strong customer-facing security can be bypassed by insider threats.

Who Is Most at Risk?

Anyone with a mobile phone number linked to crypto accounts is at risk. But certain profiles are disproportionately targeted:

High-net-worth crypto holders: Attackers scan blockchain for large wallets, then cross-reference with leaked data to find phone numbers. If you have ever used your real name on a crypto forum, Discord, or Twitter/X, you are a potential target.
Exchange users with SMS 2FA: If your Coinbase, Kraken, Binance, or Gemini account uses SMS for two-factor authentication, a SIM swap gives the attacker full access.
Public figures and influencers: Crypto influencers, project founders, and KOLs are targeted because their holdings are visible on-chain and their personal information is easier to find.
Anyone who has posted their phone number online: Even a single public post containing your phone number can be scraped and used for targeting.

SIM Swap Attack Vectors Compared

Attack Vector	How It Works	Difficulty	Frequency	Prevention
Customer service social engineering	Attacker calls carrier, pretends to be you, passes identity checks with leaked personal data	Low (scripted call)	Very High	Carrier PIN/port freeze + authenticator app 2FA
In-store impersonation	Attacker visits carrier store with fake ID or social engineering	Medium	High	Carrier PIN + account security flag
Insider bribery	Carrier employee performs unauthorized swap for payment	Low (for attacker)	Medium	Use authenticator/hardware key 2FA so SMS interception is useless
Port-out scam	Attacker transfers your number to a different carrier entirely	Low-Medium	Medium	Number lock/port freeze with both current and target carriers
Pretexting with leaked data	Attacker uses data breach info (SSN, DOB, address) to pass verification	Low	Very High	Remove personal data from data brokers; use carrier PIN
Email compromise first	Attacker hacks email first, then uses email to request SIM change	Medium	High	Secure email with hardware key; separate email for crypto

The Anti-Loss Protocol: 10 Steps to Prevent SIM Swap Attacks

Step 1: Remove SMS as Your 2FA Method — Immediately

This is the single most important step. If your crypto exchange accounts use SMS for two-factor authentication, switch to an authenticator app or hardware security key today. SMS 2FA is better than no 2FA, but it is fundamentally vulnerable to SIM swaps. Once you remove SMS as a 2FA method, a SIM swap gives the attacker nothing — they can intercept your phone number, but they cannot generate your TOTP codes or access your hardware key.

Recommended 2FA methods (ranked by security):

FIDO2 hardware security key (YubiKey, Titan): Phishing-resistant, physical device required. The gold standard. Supported by Coinbase, Kraken, Binance, Gemini, and most major exchanges.
Authenticator app (Google Authenticator, Authy, 2FAS): Generates time-based one-time passwords (TOTP) locally on your device. Not vulnerable to SIM swaps. Authy offers encrypted cloud backup; 2FAS is open-source.
Passkeys (WebAuthn): Emerging standard using biometric or device-based authentication. Supported by an increasing number of platforms.

Step 2: Set a Carrier PIN or Port-Freeze

Every major mobile carrier offers a security PIN or port-freeze feature. This adds a mandatory verification step before any SIM change or number port can occur. Even if the attacker has all your personal information, they cannot complete the swap without the PIN.

T-Mobile: Set a Port Validation PIN via the T-Mobile app or by calling 611. This PIN is required for any SIM change or number port.
AT&T: Enable Extra Security in your AT&T account settings. This adds a passcode requirement for all account changes, including SIM swaps.
Verizon: Set up a Number Lock through the My Verizon app. This prevents unauthorized port-outs.
Other carriers: Call customer service and ask for port freeze, SIM swap protection, or account PIN. If they do not offer it, consider switching to a carrier that does.

Important: Do not use your birthday, address, or any easily guessable number as your carrier PIN. Use a random 6-8 digit number stored in your password manager.

Step 3: Use a Separate Phone Number for Crypto

Do not use your primary phone number for crypto exchange accounts. Instead, get a dedicated secondary number (via Google Voice, a prepaid SIM, or a VoIP service) that is used exclusively for crypto-related accounts. This number should never be posted online, never be linked to your real identity, and never be used for social media or other services.

If your primary number is ever SIM-swapped, the attacker gains nothing because your crypto accounts are tied to a completely different number. This is the Anti-Loss Protocol's core principle: separation of concerns.

Step 4: Secure Your Email Account

Your email is the master key to your digital life. If an attacker controls your email, they can reset passwords on every connected service — even without a SIM swap. Secure your email with:

Hardware security key (FIDO2) as primary 2FA — Gmail, Outlook, and ProtonMail all support FIDO2 keys.
Recovery email that is also secured with hardware key 2FA.
Remove phone number recovery from your email account if possible. If your email provider allows recovery only via another email address or security key, disable SMS recovery entirely.
Use a dedicated email address for crypto accounts that you do not use for anything else. This email should never be shared publicly.

Step 5: Remove Your Phone Number from Data Broker Sites

Data broker sites like Whitepages, Spokeo, BeenVerified, and PeopleFinder aggregate your personal information — including your phone number, address, and date of birth — and sell it to anyone. Attackers use these sites to gather the information needed to pass carrier identity verification.

Action items:

Opt out of every major data broker site manually (each has an opt-out process, though it is deliberately cumbersome).
Use a service like DeleteMe, Kanary, or Optery to automate ongoing removal.
Search your phone number on Google and request removal of any results that display personal information.

Step 6: Enable Account Alerts on All Exchanges

Configure every crypto exchange account to send you real-time notifications for:

Login attempts (especially from new devices or IP addresses)
Password changes
2FA method changes (if someone tries to switch from authenticator to SMS, you need to know immediately)
Withdrawal requests
API key creation

These alerts should go to your secure email AND to a push notification on your phone. If you receive an alert for an action you did not initiate, you have a window of minutes to freeze the account before funds are withdrawn.

Step 7: Use Withdrawal Whitelists

Most major exchanges offer a withdrawal address whitelist feature. Once enabled, funds can only be withdrawn to pre-approved wallet addresses. Even if an attacker gains full access to your account, they cannot withdraw to their own address — they would need to add a new address, which typically triggers a 24-48 hour security hold and sends notifications to your email and phone.

Add your personal hardware wallet addresses to the whitelist. Do not whitelist exchange addresses (attackers can create accounts on other exchanges). The 24-48 hour hold on new addresses gives you time to detect and respond to unauthorized access.

Step 8: Consider a Dedicated Mobile Carrier for Crypto

Some security-conscious crypto holders maintain a separate mobile plan (even a cheap prepaid plan) exclusively for any accounts that require a phone number. This number is never used for personal calls, never posted online, and never linked to social media. The cost is $10-$30/month — trivial compared to the protection it provides.

Google Voice is a popular free alternative, but be aware that Google accounts can be socially engineered too. A prepaid SIM purchased with cash and registered with minimal personal information provides the strongest separation.

Step 9: Monitor for Signs of an Attempted SIM Swap

Early warning signs of an attempted or successful SIM swap:

Sudden loss of cellular service with no explanation (no network outage in your area).
Unexpected SIM changed notification from your carrier.
Texts or calls you did not make appearing in your logs.
Password reset emails you did not request.
Login notifications from exchanges or email providers you did not initiate.

If you experience any of these, act immediately: call your carrier from a different phone, freeze your exchange accounts, and change your email password from a trusted device.

Step 10: Have an Incident Response Plan

Despite all prevention, assume a breach could happen. Prepare:

Write down the phone numbers for fraud departments at every exchange you use. Store this offline (paper in a safe).
Know how to freeze your accounts quickly. Some exchanges (like Coinbase) offer a one-tap lock account feature in their mobile app.
Keep a hardware wallet with the bulk of your holdings disconnected from any exchange. Exchanges are for trading; long-term storage belongs in self-custody.
Document your account details (exchange names, account emails, approximate balances) in a secure, encrypted location that a trusted person can access in an emergency.

SIM Swap Prevention Checklist

Protection	Effectiveness	Time to Implement	Cost
Switch from SMS to authenticator app 2FA	Very High (eliminates SMS interception value)	15 minutes per account	Free
Add hardware security key (YubiKey)	Highest (phishing + SIM swap proof)	10 minutes per account	$25-$70 per key
Set carrier PIN / port-freeze	High (blocks most social engineering swaps)	5 minutes	Free
Use separate phone number for crypto	High (complete separation)	30 minutes	$0-$30/month
Secure email with hardware key	Very High (blocks email-based recovery)	20 minutes	$25-$70 (one-time)
Remove phone from data brokers	Medium (reduces attacker's info)	1-2 hours (or use service)	$0-$100/year
Enable exchange withdrawal whitelist	High (blocks unauthorized withdrawals)	10 minutes per exchange	Free
Set up account alerts on all exchanges	Medium (early warning)	10 minutes per exchange	Free
Dedicated prepaid SIM for crypto	High (complete identity separation)	30 minutes	$10-$30/month
Incident response plan documented	Medium (limits damage if breached)	1 hour	Free

What to Do If You Have Been SIM Swapped

If you suspect a SIM swap is in progress or has already happened:

Call your carrier immediately from another phone. Tell them you have been SIM-swapped and demand they reverse the swap and freeze your account.
Change your email password from a trusted device (not your phone). If you cannot access your email, contact your email provider's account recovery process.
Log into every exchange from a trusted device and change passwords, disable API keys, and enable withdrawal freezes. If you cannot log in, call the exchange's fraud/support line immediately.
Move remaining funds to a new wallet that was never associated with the compromised accounts. Use a hardware wallet.
File a report with the FBI's IC3 (ic3.gov) if you are in the US, or your local law enforcement. Also report to the FCC (for US carriers) and the FTC.
Document everything: Transaction hashes, account balances before and after, timestamps, and all communication with carriers and exchanges. This supports insurance claims and law enforcement investigations.

The Bigger Picture: Why SMS 2FA Is Failing

SMS-based two-factor authentication was designed in an era when phone numbers were considered a reliable identity anchor. That assumption no longer holds. Phone numbers are portable, transferable, and increasingly targeted. The telecommunications infrastructure was not designed with adversarial threat models in mind — it was designed for convenience.

The crypto industry is moving away from SMS 2FA, but adoption is uneven. Many exchanges still default to SMS during account setup, and many users never change the default. The Anti-Loss Protocol is clear: if your crypto security depends on your phone number, your crypto is not secure.

The transition to FIDO2 hardware keys and passkeys is the long-term solution. These standards are phishing-resistant, SIM-swap-proof, and increasingly supported across the crypto ecosystem. A $30 YubiKey protects your accounts more effectively than any SMS-based system ever could.

Bottom Line

SIM swap attacks are low-tech, high-impact, and entirely preventable. The Anti-Loss Protocol takes less than an hour to implement: switch to authenticator app or hardware key 2FA on every account, set a carrier PIN, use a separate phone number for crypto, secure your email, enable withdrawal whitelists, and have an incident response plan.

The cost of prevention is measured in minutes and a few dollars. The cost of a successful SIM swap is measured in everything you own. There is no rational reason to delay.

Before securing your phone number, verify which networks your assets use and which exchanges support hardware key 2FA at Crypto Network Guide — because comprehensive security means protecting every attack vector, not just the ones on-chain.