How to Avoid SIM Swaps in Crypto
SIM swaps occur when a hacker hijacks a phone number, thereby gaining access to accounts that depend on a phone number for authentication and account recovery. You can avoid SIM swaps by opting for authenticator applications over SIM-based authentication where applicable, and avoiding depending on your phone number as your sign-in and recovery method.
Key Takeaways
-
Cases of SIM swaps leading to significant financial losses are on the rise in the crypto space.
-
SIM swap hacks in the crypto space have led to significant effects for affected users and even the larger cryptocurrency community. A notable instance is Vitalik Buterin’s Twitter (X) account hack.
-
In SIM swap hacks, the hacker gains access to the victim's SIM card and re-routes messages going to the SIM to their own device. This allows them to gain access to the victims’ internet profiles and applications including crypto wallets.
-
In this article, we explain how this works and some precautionary measures that can be taken to reduce the risks of falling prey to SIM swap hacks.
The American Federal Bureau of Investigation (FBI) released a statement on February 8, 2022, detailing the recorded losses from SIM Swap hacks in the US in the year 2021. An estimated $68 million was lost in reported SIM swap hacks in the US alone. SIM swapping has been around for a while with cases recorded as early as 2017 according to Chainsec. However, this has escalated since then, as the $68 million loss in 2021 alone represents an over 400% increase in recorded losses when compared to three years earlier (2018-2020), where losses totaled $12 million.
In the crypto space, some of the most popular and ‘lucrative’ hacks of 2023 have been traced down to cases of SIM swap. So, what are SIM swap hacks?
What Are Sim Swap Hacks and How Do They Affect Cryptocurrency Investors?
SIM swap hacks are known as port-out scams, SIM splitting scams, or SIM hijacking scams. These hacks happen when a foul player routes connections to a victim’s SIM card to another SIM card which they are in control of. This redirects messages, calls, and every relevant communication meant for the victim to the hacker, including 2FA SMS notifications. On some platforms, the phone number alone is sufficient to reset an account’s password, regardless of 2FA measures implemented.
While this may seem like a simple breach in electronic communication, the hackers use this access in several ways which are highly debilitating to their victims and other people connected to them.
Stealing Cryptocurrencies and Other Assets
In the crypto space, a successful breach of an investor's SIM card can allow the hacker to gain access to user accounts on centralized exchanges and other financial accounts that are protected by 2FA SMS verification or other account recovery methods that use the victim’s phone number. Once the hacker gains access to these accounts, they can siphon available funds from their victims’ accounts,
Hijacking Social Media Profiles
Apart from gaining access to user accounts with direct financial relevance, SIM swap hackers can also intercept the user’s social profiles using the same strategy and initiate harmful communications with their connections. For popular or influential personalities, this puts their audience at risk as well. In some cases the hackers share phishing links through these accounts to target unsuspecting followers.
These links usually promise a giveaway, leading users to platforms that request for users to connect their wallets and sign a transaction. This allows the hacker to interact with the user’s wallet and drain the victims’ wallets.
How Do SIM Swap Attacks Work?
SIM swapping is a social engineering-based hacking technique, just like most hacking strategies. After all, it is significantly an easier way for a hacker to socially engineer their way into users’ accounts, when compared to traditional hacking strategies like brute-force attacks, where hackers try to crack a password by trying as many character combinations as possible.
For a successful SIM swap attack, the hacker simply needs to convince the telecommunications service provider that they own the victim's SIM card and wish to port the SIM’s communication to another SIM card that is provided by them. The service provider only requests some personal information from the hacker to execute the SIM swap. If the hacker is able to provide the requested personal information of the victim, the service provider proceeds to port the number as requested. Popular information asked before performing the swap includes the client’s maiden name, work history, birth information, and family data.
Hackers can obtain this information through social media, stolen files, and data extraction techniques that utilize malicious mail or applications that install malware on the victim’s device and scan for data from the clipboard and other means. This is why some SIM swapping cases in the crypto space are connected to decentralized applications where users share their personal information as seen in friend.tech – a social finance (SoFi) platform on the Base network.
Once the hacker swaps the SIM successfully, they exploit vulnerable user accounts. Vulnerable accounts in this case include any user profile protected by security methods based on the SIM card. This could be SIM-based 2-factor authentication, or accounts where the link to reset user passwords is sent to the user’s SIM card. Considering that many emails are protected by SIM card-based security methods, the hacker could also gains access to the user’s email and expands their reach.
Examples of SIM Swap attacks
Here are some known instances of SIM swap hacks that have impacted the crypto space in recent times.
Vitalik Buterin’s Twitter Account Hack
Even a crypto investor who isn’t interested in NFTs would rush to claim a free NFT offered by Ethereum Founder – Vitalik Buterin. This was the strategy SIM Swap hackers employed when they successfully gained access to the Ethereum Founder’s Twitter (X) account on September 9, 2023.
The link which directs to a malicious website promised investors a claim on a commemorative NFT issued in partnership with Consensys – the MetaMask wallet development team. To claim the NFT, users will need to connect their wallet to the platform. Connected wallets were drained of their valuable crypto assets including NFTs and other fungible tokens. Despite attempts to alert investors early enough, losses continued to rise. Crypto investigator ZachXBT reports over $690,000 in stolen assets, over 70% in NFTs.
Update: $691k drained (another 33% in drainer fee address) pic.twitter.com/AVIShqDlMU
— ZachXBT (@zachxbt) September 9, 2023
Sequel to the attack, Vitalik Buterin confirmed that the breach was due to a SIM swap attack on his T-Mobile account. The said malicious Tweet has since been deleted.
Friend.tech
Decentralized social media platform friend.tech has been the subject of repeated SIM swap attacks in the early weeks of October 2023. The platform operating on the Base Layer 2 network allows users to create accounts by connecting their Twitter profiles. Some of the earliest reported SIM swap hack cases connected to Friend.tech came at the end of September 2023.
got swim swapped for 20+ ETH (they drained my https://t.co/xb5o31p3Yy)... stay vigilant out there bros
— froggie.eth 🐸🦉 (@brypto_) September 30, 2023
set a PIN on your sim even if you don't think you need to
Affected users reported up to 20 ETH in losses. New cases continued to emerge, going into October. As tracked and reported by ZachXBT, the SIM swap hacker netted assets in the excess of $385,000 in stolen crypto assets.
The same scammer profited $385K (234 ETH) in the past 24 hours off SIM swapping four different FriendTech users. pic.twitter.com/03BoBEqGax
— ZachXBT (@zachxbt) October 4, 2023
Responding to the hack, friend.tech has implemented improved security fixes to protect the platform from more losses, like adding a 2FA password to friend.tech accounts as an additional layer of protection.
Michael Terpin
Aged just 15 at the time, Ellis Pinksy SIM swapped Michael Terpin and stole over $23 million worth of crypto assets. The event which occurred in 2018 would result in a slew of lawsuits from the renowned entrepreneur against everyone involved in the hack, including AT&T, Michael Terpin’s network provider. Terpin sued the network provider for $220 million: $20 million to cover the direct losses and $200 million for extra damages. While the service provider was able to win the court case and avoid paying these charges, Terpin went ahead with further lawsuits including one against Elvis Pinksy when he turned 18 in 2020.
Recorded history of the hack reports that the teenager was just a front to an even bigger social engineering hacking gang that used underage individuals and telecommunication company staff to gather key information about their target. According to the report, Pinksy had developed a Python application that scrapped social networks in search of contact details of telecommunication workers. Pinksy and his crew would proceed to contact the worker and attempt to bribe their way to receive handy information on targets. Terpin’s case was an example of the involvement of telecommunication workers in cases of SIM swap hacks.
How to Avoid SIM Swap Hacks
The growth in cybersecurity strategies is complemented by relative growth in cyber attack strategies by foul players who are dedicated to detecting shortcomings of set-ups and exploiting them. From known cases of SIM swap hacks, here are some things you can do to reduce your chances of falling prey to these hacks;
Use Authenticator Applications and Avoid SIM Card-Based Authentication
Most internet platforms now offer authentication as an extra security measure. This involves using unique codes to verify user requests such as logins and withdrawals. The unique codes are either sent to the user’s email, mobile number or obtained using Authentication applications like Google 2-Factor Authentication application and Authy. Most platforms allow users to choose their authentication method.
Due to the prevalence of SIM swap hacks, selecting mobile numbers as the medium for receiving authentication codes could expose the user to losses in case their SIM gets swapped. Emails could suffer the same fate as well. While Authentication applications have their own risks, using them for your account authentication means that your security is attached to your device and not your SIM card. This reduces the risk of running into losses from SIM swap hacks.
Use MFA (Multi-Factor Authentication) Where Supported
Beef up your profile security by using Multi-Factor Authentication (MFA), where users are required to enter additional information on top of their password. While this might not be available on every platform, endeavor to employ multiple verifications for key operations where possible.
This might make signing in a bit of a hassle, but it keeps your account safe in the event a hacker breaches the first security parameter. In addition to your password, consider adding one or more authentication processes including biometrics.
When setting up your authentication strategy, consider combining your password with an application-based authentication method and an inherence authentication method like fingerprint scans as well. As advised, consider avoiding SIM card-based authentication.
Avoid Using Your Phone Number as a Sign-in and Recovery Method
Many platforms allow users to create accounts by providing their phone numbers and a password. Even though emails have replaced mobile numbers for this purpose, platforms still retain this method as an option. Where this is the case, it is advised to opt for the email option.
Providing a mobile number attaches the account to your phone number and makes it an easy target for SIM swap hackers. Also, while choosing a recovery method for your account, avoid using your mobile number as the recovery method for the same reason.
Don’t Doxx Yourself
Doxxing is the act of making personal information public, usually by an unauthorized person. However, someone could also doxx themselves. This is as easy as claiming a previously anonymous profile. Users who doxx themselves reveal key information and proof of ownership of the accounts they are laying a claim on. Considering that SIM swaps are products of social engineering, any accessible personal information makes one more vulnerable to SIM swap hackers.
As a cryptocurrency investor, your wallet address has inherent privacy as transactions are not attached to a personal name, but when you finally doxx yourself and prove ownership of a known cryptocurrency address, smart contract, or project, this makes you a subject of hack attempts, this exceeds the premise of SIM swaps and extends to even more advanced attacks, mostly through social engineering, either directly or indirectly.
If possible, it is advised to maintain anonymity to a significant extent and avoid sharing personal details online, including your crypto wallet address. If you must doxx yourself, it is important to understand the risks and apply risk-management strategies to keep you safe.
What to Do if You Are the Victim of a SIM Swap Attack
Unfortunately, recommended prevention strategies only reduce the risks of getting hacked through SIM swaps and don’t totally get rid of them. SIM swap hack could happen to anyone, regardless of the measures taken, in case you suffer a SIM Swap attack, here are what you can do to salvage the situation;
First, confirm that your SIM has been swapped. The earliest sign of a SIM swap attack is that your SIM becomes unable to make calls, send messages, or receive any of the two. Quickly test out these two operations to strike out the chances of a network outage.
However, in a case where you are unable to detect the swap on time and are already being attacked, first, move to salvage your asset by moving your crypto assets from exchanges to your cold wallet and changing the authentication details of unaffected accounts. If possible, contact the affected platforms to halt operations on your account and track the movement of your funds. The recommended security infrastructure to use here is a cold wallet since the hackers might also gain access to your hot wallet.
Contact your service provider to disconnect your line, which might take some time. In the meantime, continue to salvage what assets you can while you wait for your provider to respond.
When this is done and the dust settles, it is important to analyze the situation and undertake precautionary measures to avoid a repeat. Also, explore means to recover stolen funds. Depending on the amount stolen, more extreme measures such as offering a bounty on the hacker and resorting to lawsuits like the case of Michael Terpin could also work.
Final Thoughts
The mobile SIM card is a gateway to unlimited personal information and this is why SIM swap hacks are troubling. We have discussed possible ways cryptocurrency investors can stay safe from threats and also manage a case of SIM swap hack.
Even if you’ve never been SIM swapped, it is still a good idea to protect your accounts based on the steps outlined above. Also, when you see a popular personality promoting a giveaway or an offer that sounds too good to be true, do your own research before connecting your cryptocurrency wallet to any linked platforms.
Finally, note that this article is for educational purposes only. Always do research on the impact of implementing any security measures to your accounts.
Joel is deeply interested in the technologies behind cryptocurrencies and blockchain networks. In his over 7 years of involvement in the space, he helps startups build a stronger internet presence through written content. Follow the author on Twitter @agboifesinachi
Or check it out in the app stores
