A Crypto SIM Swap attack is a fraudulent process in which your phone number is transferred from your SIM card to a new SIM card that the scammers hold and then use to access SMS messages sent to your number. This gives them access to your crypto wallet’s Two-Factor Authentication (2FA) codes sent to your phone, allowing them to reset the wallet’s password, gain access to your crypto assets, and transfer the crypto into their possession.
What is the Connection Between a SIM Swap and an Attack on Your Crypto Wallet?
Nowadays, we use our mobile phones as more than a way to communicate with the rest of the world by voice or text. We have the world on our phone: e-mails, our banking app. We even store personal information we need to remember in the notes app. Your phone is not just a source of information and a communication tool; it is also where your 2FA codes arrive. Swapping the SIM card makes it easy for the hacker to gain access to those codes, allowing them to reset the password for every single one of your financial services and your crypto wallet in particular, making it easy to empty your funds into any external wallet they possess. And once your crypto has been drained from your wallet, it cannot be retrieved.
How Can a Hacker Swap Your Phone’s SIM Card?
SIM Swapping requires relatively few technical skills, just a criminal mind. Hackers bribe telecom customer representatives to facilitate the actual swapping of SIM details. Here are the steps:
1) They identify their target. A data breach may have leaked their target’s phone number, or they may have acquired it from one of the many sites that buy data to sell it to telemarketers (and hackers). Social engineering can give them the phone number and the personal details they need to impersonate you.
2) They call the telecom provider’s customer service and then:
If they have a customer representative on their payroll, he helps them swap their target’s SIM details with the ones of their own SIM. If they do not, they collect enough personal information to go through a typical security check, which allows them to convince the representative the target wants to replace his SIM.
3) They now control their target’s mobile number and can receive/reply to all the text messages sent to that number. This is important as most sites require Multi-Factor Authentication to let you access your data or to replace information you may have forgotten, e.g. your password.
What is Multi-Factor Authentication (MFA)?
Multi-factor authentication is a system that combines something the user knows (e.g., a password) with something that is sent to a device the user owns. The second could be an SMS message to the stored phone number, a code or a link sent to the registered e-mail address, or a code retrieved from an authenticator app. It is the most widely used security mechanism, usually referred to as two-factor authentication (2FA), because only two mechanisms are used (typically user ID and password, and a code sent via SMS message or e-mail).
Following a SIM Swap, the hacker receives the victim’s SMS messages and has probably hacked into the victim’s e-mail account as well. They can then access anything stored online, because they can use the ‘forgotten password’ process to change the password the victim has set up.
2FA with an SMS message does not protect the victim because the hacker may have already accessed the person’s e-mail (using the forgotten password facility). A code generated by an authenticator app is the safest 2FA because the app stays with the actual phone and not with the SIM.
How Do We Go from A SIM Swap to Your Crypto Wallet Being Threatened?
A SIM swap is the beginning. In virtual terms, it is like losing the key to the box that contains the key and the combination of your safe. The hacker has already swapped your SIM. Now, the new SIM will receive the SMS with the 2FA code; therefore, the password to your wallet can be changed. The SIM Swap has become a Crypto SIM Swap attack.
Cryptocurrency Wallets or Exchanges
These are platforms where users can store, send, receive, and trade their digital assets. After a SIM Swap, a hacker can intercept 2FA codes and reset passwords for these accounts, which allows them to transfer the funds to their own wallets or sell them on the market.
Access To Online Files or Folders.
One 2FA code allows hackers to reset the passwords of cloud storage services like Dropbox, Google Drive, etc., and gives them access to additional information that might help them hack other accounts that might be protected by more than just a 2FA code. The hacker who stole $24M from Michael Terpin found the access codes in a file stored in Terpin’s Dropbox folder.
E-Mail Accounts.
Another thing that is accessible through a SIM swap is a victim’s email account. Access to the email address means they have control of both elements of 2FA. They can reset the password and receive the SMS code or the code sent to the email address used to access that website. They also have access to attachments, which could be a source of more personal information that can help them achieve their goal of accessing your crypto wallet.
How Can You Tell You Are a Victim of a SIM Swap Attack?
There are signs that your SIM has been swapped. They can be detected before you notice strange social media activities or bank transactions you do not recognize.
1) You cannot send or receive SMS because your SIM card has been deactivated.
2) You have no signal or your phone is constantly searching for a signal.
These are the immediate signs that something is very wrong. It is not a given you are facing a crypto SIM Swap attack, but if you cannot access your account or if passwords in your keychain don’t work anymore, then your crypto wallet may be at risk.
How Can You Protect Yourself?
SIM Swapping is one of the fastest-growing forms of cyber fraud. In 2022, the FBI received 2,056 SIM-Swapping complaints, an increase of 27.6% from 2021, when they received 1,611 complaints. The actual figures are likely to be higher. The weak link is the telecoms industry's focus on convenience and cost over security. A hacker needs to be willing to deceive or bribe a telecom customer service rep. SIM Swapping is also the starting point for various types of fraud, not just Crypto SIM Swap attacks. So, how can you protect yourself?
Beware of Your Digital Footprint.
Social media, e-mails, and e-mail attachments provide a good deal of information about you and about your personal data. Avoid putting your birth date on your social profile. Be careful what you post. You need to go beyond the advice not to post things you wouldn’t want to read on the front page of a paper. You need to be careful not to post anything that could verify your identity. For instance, one of the standard security questions is your date of birth. If you want people to wish you a happy birthday, don’t put your complete date of birth on social media. Cyber fraud aside, identity theft is also very common, and it is used to commit fraud against your assets or other actions that will damage you. Social media is not the only component of your digital footprint. It is recommended that attachments be removed from your ‘sent’ e-mail folder after a while. Going back to Michael Terpin, the hacker who managed to steal $24M found his phone number in a PDF file containing a press release that was attached to an e-mail. It is fairly common to put your mobile number in your business e-mail signature. That is also risky.
Hackers can use social engineering to steal personal and financial information, and your digital footprint can show them the way.
Protect Your Accounts
One of the easiest levels of protection is to opt out of two-factor authentication by SMS or e-mail and choose an authenticator app instead; whatever happens, the app stays on your phone, so your passwords cannot be reset, and getting access to your accounts becomes more difficult.
Switch to a secure browser to reduce the amount of your data collected online.
Use a password manager with a strong master password to generate or store the passwords to access your accounts. Keep a hard copy of the master password in a safe place, or better, in a few safe places. Do not store it on a device.
Do not download pirated content. It often contains malware. A trojan horse is the best way for a hacker to collect your data and hack you.
Avoid public Wi-Fi. If that is your only possibility to access the internet, use a VPN as a secure way to browse.
How You Can Protect Your Digital Assets
There are some preventative measures you can take to protect your digital assets. Prevention is the best way to reduce the risk of a Crypto SIM Swap attack. There are things you can check before you open an account with a crypto exchange:
1) Crypto insurance coverage in case of theft
2) The option for two-factor authentication through an authenticator app rather than SMS or e-mails.
3) Account recovery accessibility
4) Customer service accessibility: If you realize your SIM has been swapped, you do not want to waste time on a chatbot or be put on hold forever. Speed is essential to protect your assets.
5) Cold Storage Reserves
Cold storage wallets are a way of storing cryptocurrency keys offline. In this way, it is almost impossible for hackers to access your wallets. Consumer sentiment is important, but it is not always a guarantee. It is important to note that PlasBit holds 100% of users’ cryptocurrencies offline in cold storage. All customer assets are responsibly backed by PlasBit and accessible at customer convenience. All sensitive account information is encrypted at system and data levels using Secure Sockets Layer (SSL) technology.
What Can You Do Once You Realize You Are a Victim?
Hackers can work very fast. The moment you realize you cannot use your phone, you have precious little time to act. The easiest thing to do is access your crypto exchange account and change user-id and password. Do not leave the new password in any keychain, but keep a hard copy of it somewhere safe and not connected to the internet. Better if it is not electronic.
Prevention is better than a cure, as discussed above. However, if you were just thinking of adopting the measures described above, including transferring your digital assets to a PlasBit crypto wallet, there is very little else you can do. If you can access your account, the hackers have not reached it yet.
Once you have checked that your digital assets are safe, you can alert your bank and your credit card provider that you may have been hacked and that they need to verify any unusual transaction. It is better if you order new cards.
Last but not least, check all your other accounts. Hackers may impersonate you to reach your contact list and steal from them.
How Much Can You Lose If You Are a Victim?
In 2022, the losses from the complaints received by the FBI amounted to $71.6 Million, a 5.3% increase from the $68 Million in losses estimated in 2021. However, these figures do not tell the story of the SIM Swap attacks that hackers used as a starting point to gain access to the victims’ crypto wallets. The examples below can give you an idea of what happens.
Michael Terpin
Michael Terpin’s case is very significant, not just for the staggering value of his loss, $24 Million, but also for what happened later, thanks to how he reacted when he was a victim of an attack. It wasn’t the first time a hacker had swapped his SIM, but the previous time, they hacked into his contacts and impersonated him, asking his friends to send donations to a non-existent charity. The second time, the hacker, Ellis Pinsky (15 years old at the time), had masterminded a heist that emptied his wallets.
Michael Terpin was determined to recover what was stolen from him. He sued his telecom provider, AT&T, but the judge determined they were not liable. He found a way to infiltrate the hacker community and offered a reward to anybody who provided him with useful information. In the end, he successfully sued Nicholas Truglia, a member of the team Pinsky had put together. Later, when Pinsky turned 18, Terpin successfully sued him as well.
Once all the compensation has been paid, he will have recovered his loss, including his legal bills. It may have ended well for Michael Terpin, but his perseverance and his financial firepower were the key ingredients of his victory. Other victims may have his perseverance, but not his financial firepower.
Vitalik Buterin
Vitalik Buterin is the founder of Ethereum. He was a victim of a SIM Swap. His X account was hacked, and the hackers used his name to promote a malicious cryptocurrency scheme. The malicious link posted in Buterin’s account ultimately gave the hackers access to the victims’ digital wallets, resulting in over $891,000 stolen from the victims.
This case is evidence that anybody can be a victim of a SIM Swap. They did not touch Buterin’s crypto wallets, but they used his name and his X account to give credibility to a malicious link that allowed them to access other people’s digital wallets.
Bart Stephens
In May 2023, Bart Stephens, the co-founder of Blockchain Capital, lost $6.3 million worth of crypto when hackers drained his wallets containing Bitcoin, Ether, Maker, Compound, and Uniswap, among other tokens. The hackers also tried to steal from Stephens’ custodial cold wallet but failed because an employee at Blockchain Capital received an email alert of the withdrawal attempt.
That email alerted Stephens that he was under attack. The hackers funnelled the stolen cryptocurrencies through decentralised exchanges to make them more difficult to trace.
Stephen Defiore
Stephen Defiore was not a victim of a Crypto SIM Swap attack, but his is an interesting case. In Michael Terpin’s case, the judge decided AT&T was not liable, although the SIM Swap happened with the collusion of one of their customer service representatives. However, Stephen Defiore was charged with aiding attacks targeting 19 victims between August 2017 and November 2018. The telecom company Defiore worked for was not named in the case, making it all about him, not his employer. One of the victims, a New Orleans doctor, lost cryptocurrencies worth a staggering $100 Million.
The Community
The Community was the name given to six hackers who were caught and convicted for organizing SIM Swaps that led to getting hold of the victims’ cryptocurrency exchange accounts. They often bribed telecom customer service representatives to facilitate the swap. The Community masterminded hacks that cost the victims several millions in total. Four US-based members (Garret Endicott, Ricky Handshumacker, Colton Jurisic, and Rayad Gafar Abbas) received prison sentences and were ordered to pay restitution. Endicott’s and Jurisic’s restitution payments were over $7M and $9M, respectively.
Connor Freeman, 22 from Dublin, had already pleaded guilty and received a prison sentence in Ireland and was ordered to pay restitution. Another member of the Community, Ryan Stevenson, had pleaded guilty in a different court case, received a prison sentence and had to pay restitution.
Be Aware of The Vulnerability of Your Digital Assets.
You would not leave your front door wide open when there is nobody home, would you? It is a basic precaution against trespassing before you consider alarms, security cameras, etc. Protecting your digital assets is no different.
SIM card swapping is on the rise. It is relatively easy and requires organization more than technical skills. However, our phones have become more than a way to communicate with friends, families, and the rest of the world. They have become the leading tool for managing our lives. Some apps manage our bank accounts, credit cards, and even our home heating. Even if hackers do not steal from us, they can impersonate us and use messages allegedly coming from us to spread malware and ultimately gain access to other people’s accounts, as shown in Michael Terpin’s and Vitalik Buterin’s cases. Cryptocurrencies can be considered the digital equivalent of cash. You would not leave cash on the table and the door open, would you? So be aware of the vulnerability of your digital assets and protect them.
Court cases can take a long time, and their outcome is not guaranteed. Michael Terpin sued AT&T and lost; the case against Stephen Defiore, a telco customer representative, was successful. What happened to Bart Stephens shows that cold storage wallets are the best defence. PlasBit keeps all crypto wallets in cold storage and protects access keys.