The alert came in at 7:42 PM on a Tuesday.

A founder — we'll call him Marcus — was finishing dinner when his phone showed "No Service." He tapped the screen a few times, assumed it was a temporary outage, and kept eating. By 8:15, his wife asked if their online banking felt slow. By 8:30, he was locked out of his email. By 9:14 PM, Coinbase had sent a withdrawal confirmation for $84,000 to an address he'd never seen.

What Marcus didn't know was that his carrier account had been called by someone pretending to be him forty minutes earlier — claiming his phone was lost and requesting a new SIM. The carrier agent followed protocol. The request looked legitimate. The number moved.

By the time Marcus figured out what had happened, the crypto was gone and a wire transfer had cleared his primary checking account. Ninety minutes. That's how long it took.

This attack chain is not theoretical. It runs every night.


How SIM swap works in 2025

A SIM swap — also called port-out fraud or SIM hijacking — is a social engineering attack against your mobile carrier. The attacker calls customer support, impersonates you with personal information scraped from breach dumps or LinkedIn, and requests that your phone number be transferred to a SIM in their possession. Once the transfer completes, your phone shows "No Service." Their phone receives every call and text meant for you — including the one-time passwords, password reset links, and account recovery codes that stand between an attacker and your financial life.

The attack has three components: reconnaissance, social engineering, and monetization. None of them requires sophisticated hacking. In 2024, IDCARE reported that 90% of SIM swap cases occurred without any victim interaction — meaning the victim didn't click a malicious link, answer a suspicious call, or make a mistake. The carrier call was the only front.[1]

Carrier authentication is the weak point. Identity verification at most carriers still relies on knowledge-based questions: last four of a Social Security number, billing ZIP code, answers to account security questions. This information is routinely available from breach databases that circulate on dark web markets. In 2024, more than 7 billion credentials appeared on dark web markets — providing fraudsters with everything they need to pass carrier verification at scale.[2]

SS7 — the signaling protocol that routes calls and SMS between carrier networks — has been known to be exploitable for over a decade. An attacker with access to an SS7 gateway can intercept SMS without performing a SIM swap at all, receiving OTP codes as they move through the network. The protocol was built on trust between carriers, and it shows. Fixing SS7 requires carrier-side infrastructure changes that have moved slowly. End users have no visibility into and no control over whether their carrier has implemented SS7 firewalls.

The economics are straightforward. A single successful SIM swap targeting a crypto holder can yield six or seven figures. The skill floor is low — the primary requirement is a convincing phone manner and access to someone's basic personal data. There are SIM swap-as-a-service offerings on underground forums that handle the carrier call for a percentage of the take. This is a mature, professionalized attack.

Source: In 2024, the FBI's IC3 report documented 982 SIM swap complaints with $25,983,946 in confirmed losses in the U.S. alone.[3] UK Cifas recorded a 1,055% surge in unauthorized SIM swaps — from 289 to approximately 3,000 cases — in the same period.[4]


Why affluent households are in the crosshairs

High-net-worth individuals are not targeted despite their wealth — they are targeted because of it.

A LinkedIn profile listing "Founder & CEO," investment holdings in cryptocurrency, and an active public speaking schedule is a lead sheet for a SIM swap operator. The research phase is automated. Breach databases are queried for the target's email, phone number, date of birth, and Social Security number. Doxxing-for-hire services can supplement this with home address, family member names, and known associates.

The attacker's calculus is simple: the time invested in targeting a crypto whale who holds seven figures on a centralized exchange returns multiples over targeting someone with a checking account and a Netflix account. Carrier agents are not trained to evaluate whether a call requesting a SIM change is part of a targeted attack. The verification process is designed to confirm identity, not to detect fraud.

The attack works best when the victim's digital footprint is visible. Public LinkedIn posts about funding rounds, conference appearances that list a cell number, press coverage of a business sale — all of this narrows the target and increases the attacker's confidence. The same social media presence that signals success also signals vulnerability.

Microsoft's 2024 Digital Defense Report found that SIM swapping accounted for less than one-third of one percent of identity attack volume — a tiny fraction — but the per-incident financial damage places it among the most destructive single-attack vectors in the consumer threat landscape.[5]


The gap consumer security doesn't close

Consumer security products are built around the assumption that the threat comes from malware and credential leaks. They address that assumption well. What they don't address is the carrier account — the layer where your phone number lives, where SIM changes are processed, and where the decision to transfer your number to someone else is made by a call center employee following a script.

Carrier-level PIN protection exists. T-Mobile, AT&T, and Verizon have all rolled out port-out PIN features in response to regulatory pressure. The problem is that most customers don't know these features exist, and the carriers don't prompt them to activate them. A feature that requires opt-in behavior from a user who doesn't know it exists provides the appearance of security without the substance.

SMS-based two-factor authentication remains the default at a significant number of financial institutions and cryptocurrency exchanges. NIST formally classified SMS one-time passcodes as a restricted authenticator in its 2025 revision of SP 800-63B — the first time NIST has created that designation.[6] Banks and exchanges that still send OTP codes via SMS are operating below the standard that their own regulator's guidance now describes as restricted.

The recovery flow is where the gap becomes visible. When a SIM swap occurs, the victim's phone goes dark. Their email may still be accessible — but only if the attacker hasn't yet moved from the phone number to the email account. The typical recovery process involves calling the carrier, proving identity, and waiting for the number to be restored. In the meantime, the attacker has a window that may be measured in minutes.

In March 2025, T-Mobile was ordered to pay $33 million in an arbitration proceeding tied to a SIM swap that resulted in cryptocurrency theft. The carrier-level security failure was the central finding.[7]

No one tests this flow until it's the only thing standing between them and zero.


What actually catches it

The attack chain has links. Break enough of them, and the economics stop working for the attacker.

A number-porting freeze at the carrier level is the most direct control. Most carriers offer this as an account-level feature — a PIN or verbal confirmation required before any number is ported or a SIM is reissued. It's not complicated to set up. Most people simply don't know to ask. When this lock is in place, a social engineering call to the carrier hits a wall that the attacker can't bypass without either bribing an insider or showing up at a retail location with forged identity documents.

Hardware token 2FA — FIDO2/WebAuthn-class authenticators like YubiKey — breaks the attack at the authentication layer. A hardware key is bound to a physical device, not to a phone number. Even if a SIM swap gives an attacker control of your phone number, they cannot produce the signed response to the login challenge, because the private key that signs it never leaves the hardware. This is the security standard that NIST's 2025 guidance points toward for high-assurance contexts.

Carrier account change monitoring catches the attack in the window between when the swap is requested and when it's executed. Some services expose a SIM swap signal — a data point indicating that a number has recently been moved to a new SIM. When this signal fires, any authentication attempt from that number should be paused, not failed silently. The window is real; it's just short.
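As an added illustration (not SafeHaven's code or any carrier's API), the sketch below gates an SMS one-time passcode on a SIM-change signal, so that a recent swap pauses the attempt with a stated reason instead of sending the code or failing silently. The signal fields, the 72-hour hold window, and the list of high-risk actions are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

class Decision(Enum):
    ALLOW_SMS = "allow_sms"
    HOLD = "hold_and_alert"              # paused with a visible reason, not a silent failure
    REQUIRE_HARDWARE_KEY = "require_hardware_key"

HOLD_WINDOW = timedelta(hours=72)        # assumption: tune to your own risk appetite
HIGH_RISK = {"password_reset", "withdrawal"}

@dataclass
class Attempt:
    user: str
    action: str
    has_hardware_key: bool
    signal_ok: bool                      # False if the SIM-change lookup failed
    last_sim_change: Optional[datetime]  # None = no change on record

def decide(a: Attempt, now: datetime) -> tuple[Decision, str]:
    # Gate an SMS OTP on the (hypothetical) SIM-change signal.
    if not a.signal_ok:                  # unknown is not the same as clean
        if a.action not in HIGH_RISK:
            return Decision.ALLOW_SMS, "signal unavailable, low-risk action"
        reason = "signal unavailable for high-risk action"
    elif a.last_sim_change and now - a.last_sim_change < HOLD_WINDOW:
        age = now - a.last_sim_change
        reason = f"SIM changed {int(age.total_seconds() // 60)} min ago"
    else:
        return Decision.ALLOW_SMS, "no recent SIM change"
    # The phone number is untrusted here, so never send the code to it.
    if a.has_hardware_key:
        return Decision.REQUIRE_HARDWARE_KEY, reason
    return Decision.HOLD, reason

NOW = datetime(2025, 3, 4, 21, 0, tzinfo=timezone.utc)  # constructed sample data below
SWAPPED = NOW - timedelta(minutes=45)
SAMPLES = [
    Attempt("marcus", "withdrawal", False, True, SWAPPED),
    Attempt("marcus", "password_reset", True, True, SWAPPED),
    Attempt("dana", "login", False, True, NOW - timedelta(days=400)),
    Attempt("lee", "withdrawal", False, False, None),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.user, s.action, *decide(s, NOW))
```

A failed signal lookup is treated like a recent swap for high-risk actions, so an outage at the signal provider does not quietly reopen the SMS path.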

The 90-second response window is worth naming specifically. Once a SIM swap is underway, the attacker's objective is to monetize before the victim realizes what happened. Cryptocurrency exchange APIs have withdrawal limits, but those limits often reset or can be increased via an authenticated session. Speed matters. A person who recognizes "No Service" as a potential incident — and knows who to call first — has a better outcome than one who spends the first twenty minutes resetting a router.


SafeHaven

SafeHaven is a managed security service for individuals and families. We don't sell software. We run the security program — monitoring carrier accounts, catching the exposures that don't announce themselves as incidents, and responding when something moves.

A SIM swap is not a software problem. It's not something a password manager or an antivirus subscription fixes. It requires someone who knows the attack chain, watches for the early signals, and acts before the window closes. That's what SafeHaven does — continuously, across the layers that consumer tools don't reach.

This attack chain is not theoretical. It runs every night against people who have no idea their phone is the keystone of their entire financial life.

Sources

  1. IDCARE 2024 — 90% of SIM swap cases occurred without victim interaction. idcare.org
  2. More than 7 billion credentials appeared on dark web markets in 2024. Credential dumps at this scale make carrier knowledge-based authentication trivially bypassable.
  3. FBI IC3 2024 Annual Report — 982 SIM swap complaints, $25,983,946 in losses. ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf
  4. UK Cifas Fraudscape 2025 — SIM swap cases grew from 289 to approximately 3,000, a 1,055% increase. cifas.org.uk
  5. Microsoft Digital Defense Report 2024 — SIM swapping represents less than one-third of one percent of identity attack volume, but per-incident damage places it among the most destructive consumer attack vectors. microsoft.com/security/blog
  6. NIST SP 800-63B Revision 4 (2025) — SMS one-time passcodes formally classified as "restricted" authenticator for the first time. csrc.nist.gov
  7. T-Mobile $33 million arbitration award, March 2025 — carrier-level security failure identified as proximate cause of cryptocurrency theft resulting from SIM swap.
