SIM Swap Attacks: Two minutes of reading for better operational security

SIM swaps are still crushing the cryptocurrency industry. Victim after victim can be found on Twitter just by searching “sim swap.” From experience investigating SIM swap cases, most victims share the same vulnerability: the attacker uses SMS 2FA to take over accounts.

What I have also learned is that attackers are very tactical and patient when choosing their victims. They use your online footprint against you. They know your time zone, they know your schedule, and they know the right time to execute the SIM swap.

Even if you are security-conscious and have taken the necessary steps, you can still be compromised by insider threats, social engineering and fake IDs used inside telecommunication stores. This is why it is critical to do a personal security check of your accounts to see how they hold up. Below are best practices gained from investigating cases targeting attackers that stole funds from digital currency users.

Operational Security (OPSEC) Review:

Avoid advertising long-distance travel on social media. This gives attackers a time frame in which to execute the SIM swap.

Review all of the photos on your phone and delete all screenshots of recovery keys or phrases. Print any screenshots you need, store the printouts in a safe place, and delete the screenshots from your phone.

Password-protect all of the personal notes on your phone. Make sure this password is different from the ones for your email and other accounts.

Do NOT post screenshots on social media that identify your mobile carrier. Make it a little harder on the attackers.

Use a non-SMS authenticator app such as Authy or Google Authenticator. Write down your authenticator backup codes in case your phone is compromised or lost. Bottom line: if a company is compatible with an authentication app, then use it.

Consider using an external security key such as a YubiKey or Titan for email and other services that support it. I understand through personal experience that external keys for email access can be very inconvenient, but they are often necessary. If you are high profile and have an online footprint for days, then you should seriously consider using an external security key.

Use external hardware wallet services to store funds not being used to trade or make everyday purchases.

Regularly search all of your email addresses on haveibeenpwned for password compromise.

Do not use the same passwords for cryptocurrency accounts and emails.

Bookmark your regularly visited links to fight phishing attacks.

Install an antivirus tool on your computer to fight against malware attempting to steal your personal information.

Purchase a VPN for your phone and computer. Use it anytime you connect to public Wi-Fi or travel internationally. If you can hotspot from your phone, this is always better than public Wi-Fi.

Do not use your personal phone number for any of your accounts if possible. Use Google Voice or an app such as Burner. Make sure VoIP numbers are not associated with SMS 2FA recovery for any accounts. VoIP is no good if you use it for SMS 2FA.

If you regularly discuss sensitive items associated with your company or personal financial information, consider using secure methods that auto-erase the information after a specified period of time.

If you must HODL on an exchange:

Enable an authentication app.

Require 2FA for every transaction made from your wallet.

Enable the whitelisting requirement for all withdrawals.

These steps will ensure that if you are the victim of a SIM swap, you will have 24–48 hours to fight back before the attackers steal your funds.

Secure your accounts today! Tomorrow is too late!

Consider hiring CyChain to review your online footprint to be better prepared in the event an attack happens.

CyChain is a Digital Currency Risk and Advisory firm. You can contact us here: or directly at