What is a SIM Swap?
Last reviewed by Moderation API
A SIM swap, sometimes called SIM hijacking or a port-out attack, is a fraud in which a criminal convinces a mobile carrier to transfer a victim's phone number onto a SIM card the attacker controls.
Once the number moves, every SMS-based two-factor code, password reset link, and account recovery call flows to the attacker instead of the victim. Within minutes the fraudster can pivot from the phone number into email, and from email into banking, brokerage, and cryptocurrency accounts. SIM swapping is the main reason security engineers at NIST, CISA, and major banks now discourage SMS 2FA for any high-value account.
How the attack works
Most SIM swaps are social engineering attacks against a carrier's retail stores or call centers. The attacker calls customer support armed with personal details scraped from data breaches, impersonates the victim, and claims the phone was lost or damaged. A sympathetic agent activates a new SIM and the victim's phone suddenly shows "No Service."
In more organized rings, attackers bribe insiders at T-Mobile, AT&T, or Verizon stores. Federal prosecutors have charged multiple former retail employees for accepting hundreds of dollars per swap. Once the number is on the attacker's SIM, they request a password reset on the victim's email, intercept the OTP code, and then use that email to reset passwords on exchanges like Coinbase, Binance, and Kraken.
Landmark cases and scale
- Michael Terpin v. AT&T: Crypto investor Michael Terpin sued AT&T after a 2018 SIM swap led to the theft of roughly $24 million in cryptocurrency, producing one of the first high-profile legal tests of carrier liability.
- Joel Ortiz: In 2019 Ortiz became the first person convicted in the United States for SIM-swap theft, pleading guilty after stealing more than $5 million in cryptocurrency from dozens of victims.
- Lapsus$: The extortion group responsible for breaches at Microsoft, Nvidia, Okta, and Uber in 2022 leaned heavily on SIM swaps to bypass MFA on corporate accounts, often targeting employees rather than their companies' perimeters directly.
- SEC X account (2024): The U.S. Securities and Exchange Commission confirmed that its official X account was taken over via a SIM swap and then used to post a false Bitcoin ETF approval announcement that briefly moved markets.
The FBI's Internet Crime Complaint Center has reported hundreds of millions of dollars in cumulative SIM-swap losses, with crypto holders accounting for a disproportionate share of both victims and dollar value.
Regulatory and carrier response
Enforcement has pushed carriers to harden the porting process. In 2023 the U.S. Federal Communications Commission adopted new rules under its SIM swap and port-out fraud rulemaking, requiring wireless carriers to use secure authentication before making SIM changes and to immediately notify customers of port-out requests. T-Mobile, AT&T, and Verizon have since expanded the use of number lock features and mandatory port-out PINs, and several carriers now block SIM changes during the hour following a password reset.
Defenses for individuals and platforms
The strongest individual defense is to move critical accounts off SMS 2FA entirely.
Authenticator apps like Google Authenticator or 1Password, and especially FIDO2 passkeys or hardware security keys such as YubiKeys, are not exposed to carrier compromise. Users should also enable their carrier's number-lock or port freeze, set a separate account PIN, and turn on Google Advanced Protection or Apple's Advanced Data Protection where available.
At the platform level, services can detect the telltale aftermath of a SIM swap. A new device login followed by a password reset, disabled 2FA, and an immediate withdrawal is a recognizable sequence, and gating those actions behind step-up verification is one of the few interventions that reliably interrupts the attack. Account protection systems can help surface these anomalous recovery patterns across many accounts at once, giving security teams a window to intervene before funds leave the platform.
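The recovery sequence described above can be expressed as a per-account rule over an event stream. The following is an added example, not code from the original page: the event names, the 24-hour window, and the decision labels are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed event names and look-back window; map to the platform's own telemetry.
CHAIN = ["password_reset", "mfa_disabled", "withdrawal"]
WINDOW = timedelta(hours=24)

def is_subsequence(pattern, seq):
    """True if pattern's items appear in seq in order (gaps allowed)."""
    it = iter(seq)
    return all(step in it for step in pattern)

def evaluate(events, window=WINDOW):
    """Gate sensitive actions that follow a new-device login.

    events: iterable of (iso_timestamp, account, action), in any order.
    Returns (account, action, decision) per sensitive action, where decision
    is "allow", "step_up" or "step_up_and_alert".
    """
    ordered = sorted((datetime.fromisoformat(ts), acct, act)
                     for ts, acct, act in events)
    recent = {}  # account -> (new-device login time, sensitive actions since)
    decisions = []
    for when, acct, act in ordered:
        if act == "new_device_login":
            recent[acct] = (when, [])
            continue
        if act not in CHAIN:
            continue
        login = recent.get(acct)
        if login is None or when - login[0] > window:
            recent.pop(acct, None)  # no fresh device in play: normal flow
            decisions.append((acct, act, "allow"))
            continue
        login[1].append(act)
        # Any sensitive action on a fresh device gets step-up (using a factor
        # not tied to the phone number); the full ordered chain ending in a
        # withdrawal also raises an alert for the security team.
        full = act == "withdrawal" and is_subsequence(CHAIN, login[1])
        decisions.append((acct, act, "step_up_and_alert" if full else "step_up"))
    return decisions

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    ("2024-05-01T09:00:00", "alice", "new_device_login"),
    ("2024-05-01T09:03:00", "alice", "password_reset"),
    ("2024-05-01T09:05:00", "alice", "mfa_disabled"),
    ("2024-05-01T09:06:00", "alice", "withdrawal"),
    ("2024-05-01T10:00:00", "bob", "withdrawal"),
    ("2024-04-01T08:00:00", "carol", "new_device_login"),
    ("2024-05-01T11:00:00", "carol", "password_reset"),
]
```

Calling `evaluate(SAMPLE_EVENTS)` gates all three of alice's actions and alerts on the withdrawal, while bob's withdrawal and carol's reset (a month after her new-device login) pass through unchanged.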
