SIM Swap Defense Crypto: A Practical Hardening Guide
If you hold any meaningful amount of crypto on an exchange or in a hot wallet linked to a phone number, planning your SIM swap defenses is not optional. It is the single most common path to a six-figure loss for retail holders, and the attackers know exactly which carriers, which support scripts, and which exchanges still let SMS reset an account. This page is the checklist we wish someone had handed us before we needed it.
We are going to assume you have already been targeted. That is the right mental model. Phone numbers leak from data breaches, NFT mint lists, Telegram groups, and KYC vendor hacks. Treat your number as already public and design from there.
What a SIM swap actually is
A SIM swap (also called a SIM hijack or port-out fraud) is when an attacker convinces your mobile carrier to move your phone number to a SIM card or eSIM they control. They then receive your SMS codes, password reset links, and any voice calls. The FBI’s Internet Crime Complaint Center reported $68 million in SIM-swap-related losses in 2021 alone, and noted the technique is heavily used against cryptocurrency holders (FBI IC3, Feb 2022).
The attacker does not need to be technical. Most swaps happen through:
- A bribed or socially-engineered carrier employee
- A weak port-out process at a third-party retail store
- A compromised online carrier portal using credentials from a prior breach
- An eSIM transfer initiated through the carrier app after account takeover
In November 2023 the FCC finalized rules requiring carriers to authenticate customers before any SIM change or port-out and to notify customers immediately when one is requested (FCC, 2023). Enforcement and implementation vary. Do not assume your carrier has it dialed in.
The layered defense, in priority order
1. Remove SMS from anything that touches money
This is the single biggest win. Go through every exchange, every email account, every password manager, and every wallet recovery method. Replace SMS 2FA with one of:
- A TOTP authenticator app (Aegis on Android, Raivo or 2FAS on iOS — avoid cloud-syncing the seeds to a weak account)
- A hardware security key (YubiKey 5 series or equivalent FIDO2 device)
CISA explicitly recommends phishing-resistant MFA — meaning FIDO2/WebAuthn — over any push or SMS option (CISA fact sheet). For the email account that controls your exchange logins, a hardware key is the standard. Anything less and you are gambling.
The SEC’s own X account was hijacked in January 2024 specifically because SMS-based authentication was still enabled and a number was ported (SEC, Jan 2024). If a federal regulator gets caught by this, your discount broker probably will too.
2. Lock the carrier account itself
Each major US carrier has a port-out PIN or account lock feature. Enable it. Specifically:
- Verizon: Number Lock and a separate Account PIN
- AT&T: Wireless Account Lock under MyAT&T
- T-Mobile: Account Takeover Protection plus a port-out PIN
- Google Fi: 2-Step Verification on the parent Google account, with hardware key
Do not use the same PIN as your voicemail, your bank, or your birth year. Write it in your password manager, not in Notes.
For the truly paranoid: move your “crypto number” to an eSIM-only MVNO that has no retail stores. No retail store means no walk-in social engineering vector. This is one of the harder steps for attackers to defeat, though it is not foolproof.
3. Compartmentalize numbers
Your public-facing number — the one on your LinkedIn, your business card, the one you gave exchanges a decade ago — is burned. Get a second number on a different carrier. Use it only for:
- Your primary email recovery (if you cannot use a hardware key alone)
- Bank account fraud alerts
- Nothing else, ever
Do not use this number in any Telegram group, Discord verification, NFT mint, airdrop registration, or KYC form. The moment it leaks, rotate it.
4. Get the funds off the phone-linked accounts
If you have already done steps 1–3, the next question is why anything is still sitting on an exchange at all. For long-term holdings, self-custody on a hardware wallet eliminates the SIM swap attack surface entirely — the attacker can take over your email and your number and still cannot move coins. Our hardware wallet shortlist walks through what we actually use.
If you are evaluating wallets specifically for the threat model where a phone is the weak point, see our notes on self-custody versus MPC tradeoffs. MPC wallets that use SMS as one of their factors are not what you want here.
5. Watch for the precursors
Most SIM swaps come with warning signs in the 24 hours before:
- Unexpected “your password was reset” emails (delete-and-ignore is wrong; act)
- A sudden loss of cell signal that does not return after a reboot
- Spam calls designed to make you ignore the legitimate carrier alert
- LinkedIn or Twitter password reset attempts you did not initiate
Set up a separate “alerts” email, monitored on a device that is not your phone. If you lose service unexpectedly, assume swap and move funds immediately from any phone-recoverable account.
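The warning signs above are individually easy to dismiss; what makes them a signal is that they cluster. As an added example (not from the original guide), the script below turns that into a simple correlation rule over an export of the separate "alerts" mailbox: any carrier SIM-change or port-out notice is flagged on its own, and password-reset or new-device notices from two or more distinct services inside a 24-hour window are flagged as a burst. The export format (one JSON object per line with `ts`, `from` and `subject`), the keyword patterns, and the sample notices are all assumptions constructed for the example; real providers word their mail differently, so the patterns are meant to be tuned.

```python
"""Correlate notices from a dedicated alerts mailbox into a SIM-swap precursor
signal. Added example for this guide; the mailbox export format (JSON lines
with ts/from/subject) and the subject keywords are assumptions."""
import json
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

WINDOW = timedelta(hours=24)

# Assumed wording of provider notices -> event class. Tune to your providers.
PATTERNS = {
    "password_reset": re.compile(r"password (was )?(reset|changed|change request)", re.I),
    "sim_change": re.compile(r"\b(sim|esim)\b.*(change|transfer|port)|port[- ]out", re.I),
    "new_device_login": re.compile(r"new (device|sign-in|login)", re.I),
}


def classify(subject: str) -> Optional[str]:
    """Map a subject line to an event class, or None if it is not security-relevant."""
    for label, rx in PATTERNS.items():
        if rx.search(subject):
            return label
    return None


def parse_events(lines) -> List[Dict]:
    """Parse JSON-lines mailbox export into sorted, classified events."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        label = classify(rec["subject"])
        if label is None:
            continue  # newsletters and the like are dropped here
        events.append({
            "ts": datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            "service": rec["from"].rsplit("@", 1)[-1].lower(),
            "kind": label,
        })
    return sorted(events, key=lambda e: e["ts"])


def precursor_findings(events: List[Dict]) -> List[str]:
    """Return human-readable findings; an empty list means nothing correlated."""
    findings = []
    # Rule 1: a carrier SIM/port notice is an alarm on its own.
    for e in events:
        if e["kind"] == "sim_change":
            findings.append(f"{e['ts'].isoformat()} carrier notice from {e['service']}: "
                            "confirm with the carrier from another phone or treat as a swap in progress")
    # Rule 2: resets / new-device logins across >= 2 distinct services within 24h.
    for i, first in enumerate(events):
        cluster = [e for e in events[i:]
                   if e["ts"] - first["ts"] <= WINDOW
                   and e["kind"] in ("password_reset", "new_device_login")]
        services = {e["service"] for e in cluster}
        if len(services) >= 2:
            findings.append(f"{first['ts'].isoformat()} {len(cluster)} reset/login notices "
                            f"across {sorted(services)} within 24h")
            break  # one finding per burst is enough
    return findings


# Constructed sample export (not real mail): one afternoon of notices.
SAMPLE = """
{"ts": "2024-03-05T14:02:00Z", "from": "no-reply@example-exchange.test", "subject": "Your password was reset"}
{"ts": "2024-03-05T14:20:00Z", "from": "newsletter@shop.test", "subject": "Spring sale starts now"}
{"ts": "2024-03-05T15:41:00Z", "from": "security@example-mail.test", "subject": "New sign-in from an unrecognised device"}
{"ts": "2024-03-05T16:05:00Z", "from": "alerts@example-carrier.test", "subject": "A SIM change was requested on your line"}
""".strip().splitlines()


def run_sample() -> List[str]:
    return precursor_findings(parse_events(SAMPLE))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run it against a real mailbox export and the useful output is not the script's verdict but the habit it enforces: the alerts mailbox is read on a device that is not the phone, and a burst of resets is treated as "move funds now", not as spam to clear later.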
What this does not protect against
SIM swap defense does not stop:
- Drainer signature phishing on a connected wallet
- A compromised laptop with a keylogger reading your seed phrase as you type it
- An exchange insider or a regulator-ordered account freeze
For the first two, see our seed phrase storage guide and our coverage of recent wallet drainer campaigns. SIM hardening is one slice. It happens to be the slice with the highest ratio of effort-to-loss-prevention for most retail holders.
A note on recovery if it has already happened
If you suspect an active SIM swap right now:
- Call the carrier from a different phone immediately. Ask for a fraud lock.
- From a clean device, change passwords starting with email, then exchanges, then password manager.
- Move funds from any account where SMS could have reset access.
- File reports with IC3 (ic3.gov), the FCC, and your local police. The reports matter for civil recovery against the carrier.
- Preserve evidence — screenshots of timestamps, transaction hashes, support tickets.
Civil suits against carriers for negligent SIM swap handling have resulted in settlements, but they are slow and expensive. Prevention is cheaper than litigation by several orders of magnitude.
Honest summary
SIM swapping is not a sophisticated attack — it is a process failure at large telecom companies that the industry has known about for almost a decade and still has not fully fixed. The good news is that you can route around the problem in an afternoon: kill SMS 2FA everywhere it touches money, hardware-key your email, lock your carrier account, and move long-term holdings to self-custody. None of those steps are glamorous, none of them are expensive, and any one of them done properly would have prevented the majority of high-profile retail losses we have seen reported over the last three years.