How to Protect Your Crypto from SIM Swap Attacks
A SIM swap can start with one carrier support call and end with your email and exchange accounts exposed before you notice your phone has gone offline. The attacker doesn't need malware. They need your phone number moved to a SIM they control. To protect crypto from SIM swaps, remove SMS 2FA, use an authenticator app, separate short-term exchange balances from long-term holdings, and keep significant crypto in a self-custody hardware wallet.
A SIM swap is one of the most effective methods of crypto theft because it bypasses the security most people rely on: SMS two-factor authentication. Codes sent by SMS go to whoever controls the phone number, which is why crypto-related and exchange accounts should use authenticator apps rather than SMS. This guide explains exactly how the attack works, how to recognize it while it's happening, and how to protect yourself.
How a SIM Swap Attack Works
The attack is simpler than most people expect. No malware. No hacking. Just carrier support.
Step 1: Research. The attacker first gathers your personal data. Phone number, name, home address, and email address. Some of this stems from data breaches, including a documented breach at a major hardware wallet company that exposed the names, addresses, emails, and phone numbers of over 270,000 customers. The aftermath included SIM-swap attacks targeting those users. Other details come from social media or other online sources.
For crypto users, the greatest danger arises when a custodial exchange account relies on SMS-based access. Exchange wallets are online, custodial hot wallets: the exchange controls the keys, and you access funds through a service login.
That login is the weak point. If your exchange or email account uses SMS for password resets or two-factor authentication, your phone number becomes part of the recovery path. Once an attacker controls that number, text messages meant for you can arrive on their device instead.
Here's the practical version: your Bitcoin, ETH, or USDT on an exchange is protected by the exchange account. If that account can be reset through SMS, the wallet balance is only as strong as your carrier account. A SIM swap turns a phone-number problem into a crypto-account problem.
Signs You've Been SIM Swapped
The clearest warning sign is a phone that suddenly loses cellular service when you are not changing devices, changing carriers, or traveling through a dead zone. Treat that as urgent if the same phone number is tied to your email, exchange accounts, or password recovery.
The account-side signals matter just as much. Watch for password reset emails you did not request, exchange login notifications you do not recognize, or two-factor prompts that arrive when you are not signing in. If your email inbox shows security alerts from Coinbase, Binance, Kraken, Gemini, or another custodial platform, assume the account is under pressure until you prove otherwise.
Don't wait for a perfect explanation. If you suddenly lose cellular signal and see unexpected password-reset emails or security prompts, treat it like an active account takeover, especially with significant funds on an exchange. Check your crypto exchange accounts from a secure connection, review recent logins and withdrawal activity, and remove SMS recovery whenever the account lets you. If you still hold a large balance on an exchange, move the long-term portion to self-custody after you regain control of the account.
This section is deliberately account-focused. Carrier recovery procedures vary by provider, country, and account settings. The crypto move is the same everywhere: reduce the damage by removing SMS from the access path and keeping serious holdings away from custodial logins.
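The account-side signals above (a phone dropping to "No Service", unrequested password-reset emails, unfamiliar logins, 2FA prompts you did not trigger) can be correlated mechanically. The following is an added example, not code from this page or from Tangem: it runs a simple time-window correlation over a constructed list of security notifications, where the event names, the account labels and the 30-minute window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one notification per line: timestamp, account, event kind.
# The carrier_service_lost line is the user's own note of when the phone lost signal.
SAMPLE_EVENTS = """\
2024-05-03T14:02:00 phone carrier_service_lost
2024-05-03T14:09:30 exchange-main password_reset
2024-05-03T14:11:05 exchange-main new_device_login
2024-05-03T14:12:40 exchange-main withdrawal_2fa_prompt
2024-05-03T09:15:00 shop-site new_device_login
"""

# Account-side events the article lists as takeover indicators (assumed names).
HIGH_RISK = {"password_reset", "new_device_login", "withdrawal_2fa_prompt"}


def parse_events(text):
    """Parse 'timestamp account kind' lines into (datetime, account, kind), oldest first."""
    events = []
    for line in text.splitlines():
        ts, account, kind = line.split()
        events.append((datetime.fromisoformat(ts), account, kind))
    return sorted(events)


def takeover_candidates(events, window=timedelta(minutes=30)):
    """Return {account: [kinds]} for accounts whose high-risk alerts either cluster
    (two or more distinct kinds inside `window`) or fall within `window` of the
    phone losing service. Either pattern matches the article's 'treat as active
    account takeover' rule; a lone alert hours away from any outage does not."""
    outages = [ts for ts, _, kind in events if kind == "carrier_service_lost"]
    per_account = defaultdict(list)
    for ts, account, kind in events:
        if kind in HIGH_RISK:
            per_account[account].append((ts, kind))

    flagged = {}
    for account, alerts in per_account.items():
        kinds = {kind for _, kind in alerts}
        clustered = len(kinds) >= 2 and alerts[-1][0] - alerts[0][0] <= window
        near_outage = any(abs(ts - o) <= window for ts, _ in alerts for o in outages)
        if clustered or near_outage:
            flagged[account] = sorted(kinds)
    return flagged


if __name__ == "__main__":
    for account, kinds in takeover_candidates(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible takeover of {account}: {', '.join(kinds)}")
```

In the constructed sample only exchange-main is flagged; the single shop-site login five hours before the outage is left alone.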
How to Protect Your Crypto Exchange Accounts
Here's the honest issue: most people set up SMS 2FA because it's the default option exchanges offer. It feels like security. It isn't, especially for accounts holding significant crypto. Say you keep $5,000 on Coinbase. Replacing SMS with an authenticator app means a SIM-swapped attacker can still receive your texts, but can't generate the login code.
Remove SMS 2FA from every crypto account. Replace it with one of these:
Authenticator app (Google Authenticator or Authy). These apps generate time-based one-time codes locally on your phone. They have no connection to your SIM card. A SIM-swapped attacker receives your texts, but they can't generate codes from an authenticator app they don't have physical access to. Any exchange account or crypto-related account should use an authenticator app rather than SMS.
Hardware security key (such as YubiKey). Use one for high-value exchange accounts when the platform supports it. Coinbase supports YubiKey for account protection. A SIM-swapped attacker can steal texts, but they still cannot tap the physical key required for login, trading, or withdrawals.
Lock down the phone-number layer too. Set a carrier account PIN that is different from your phone unlock code, then ask your carrier for port protection, number lock, SIM lock, or a port freeze. The wording varies by provider. The goal is simple: make number transfers and SIM changes harder to approve remotely.
Use a dedicated email address for crypto exchanges. Don't reuse it for shopping, social media, or newsletters. Remove SMS recovery from that email, protect it with an authenticator app or hardware key, and store backup codes offline.
Strong passwords, updated devices, careful URL checks, and private recovery phrases still matter. They reduce hot-wallet risk but do not change who holds the exchange keys. That is why exchange hardening has a limit. It protects buying, selling, and short-term balances. It does not turn Coinbase, Binance, Kraken, Gemini, or similar platforms into self-custody. So split the job. Keep only the amount you need for near-term trading or spending on an exchange. Move long-term holdings to a wallet where the private key is under your control.
Why Hardware Wallets Are Immune to SIM Swap
Here's how SIM-swap exposure compares across storage methods:
| Asset Location | SIM Swap Risk | Why |
|---|---|---|
| Exchange account with SMS 2FA | Critical | SIM swap bypasses SMS 2FA directly. Password reset, account drained. |
| Exchange account with an authenticator app | Low | SIM swap can't generate authenticator-app codes. |
| Tangem hardware wallet (self-custody) | None | Access requires physical card possession. No phone authentication in the access path. |
Tangem sits in the "none" category because access requires the card. Tangem Cold Wallet stores your private keys in a Samsung S3D350A secure element chip, certified to EAL6+ under the Common Criteria. The private key is generated on-chip during setup and never leaves the card under any circumstances.
To sign a transaction, you tap the physical card to your phone. That's it. No SMS code. No email login. No cloud account. The card is the key.
Here's what that means in practice: an attacker could SIM-swap your phone number, take over your email, download the Tangem app, and open it on their own device. They still can't access your wallet. Without the physical card in hand, they have nothing. The attack path that empties exchange accounts doesn't exist for self-custody hardware wallets.
This is the fundamental difference between custodial and non-custodial storage. Custodial wallets, such as exchange accounts at Coinbase, Binance, and Kraken, keep the private keys with the exchange while you control only the account login. That account login can be reset via SMS. Non-custodial hardware wallets put the key literally in your hands and remove the phone-number-dependent recovery path entirely.
One caveat worth naming: if you lose all your Tangem backup cards and have no seed phrase, fund recovery is impossible. No entity, including Tangem, can recover the funds. This is the trade-off of true self-custody. The same architecture that makes remote attacks impossible also means there's no backdoor for recovery. Tangem recommends keeping cards in separate locations: one with you, one at home, one with a trusted person.
Tangem has distributed over 3 million devices since 2018, with zero successful hacks reported. The firmware is audited by Kudelski Security, Riscure, and Cure53. The app's source code is open source on GitHub. The security model can be checked, not just claimed.
Complete SIM Swap Protection Checklist
Work through these in order. The first group protects your exchange accounts today. The last item moves your most significant holdings out of the SIM-swap attack surface entirely.
- Remove SMS 2FA from all crypto exchange accounts
- Add an authenticator app (Google Authenticator or Authy) to all exchange accounts
- Add a hardware security key for high-value exchange accounts
- Set a carrier account PIN that is not your phone PIN
- Request port protection, SIM lock, number lock, or a port freeze from your carrier
- Create a dedicated crypto email address
- Remove SMS recovery from that dedicated crypto email
- Move significant crypto holdings from exchanges to a Tangem hardware wallet
The account items are free and take an afternoon. Tangem Cold Wallet setup time is listed as 1-3 minutes. Together, these steps reduce exchange-account risk and move long-term holdings out of phone-number-dependent access paths.
FAQ
No. If your crypto is in a self-custody hardware wallet like Tangem, a SIM swap cannot steal it. The attack only works against accounts secured by SMS-based authentication. Self-custody means the private key resides on a hardware chip in a physical card. There's no phone-number-protected account to reset and no email recovery path to exploit. An attacker who SIM-swaps your number gains nothing that can reach your wallet.
Both are significantly safer than SMS 2FA for crypto-related accounts. Vault guidance lists Google Authenticator and Authy as examples of authenticator apps to use instead of SMS, since SMS can be SIM-swapped. The practical difference is recovery. If you hold $5,000 on an exchange, either app is a major upgrade over SMS because the code isn't delivered to your phone number. Google Authenticator can keep codes local if cloud sync is off. Authy can be convenient if you lose a phone, but cloud backup means you should secure the Authy account itself carefully.
Change it before adding more money. Start with the exchange account that holds the largest balance, then work through the rest. Replace SMS with an authenticator app wherever the exchange supports it, save the backup codes offline, and ensure your email account also supports SMS-free recovery. If you keep 100 USDT on an exchange for quick trades, the risk is limited to that account balance. If you keep 1 BTC or a large ETH position there, the stakes are different. Move the long-term portion to self-custody once the account is secured.
It removes exchange-account risk for the funds you move. It does not protect funds that still sit on Coinbase, Binance, Kraken, Gemini, or other custodial platforms. Think of it as separating balances by purpose. Your exchange account can handle buying, selling, or short-term trading. Your Tangem wallet holds the crypto you don't want exposed through service logins, password resets, or SMS recovery. If the exchange account is compromised later, the attacker still cannot access assets that have already been moved to the card.
No. Tangem requires no account registration and no KYC for basic wallet usage. Tangem collects no personal data: no name, address, email, or phone number. Transactions connect directly to public blockchain nodes without passing through Tangem servers. There's no Tangem account to compromise and no personal data profile for an attacker to use as a starting point. That matters because SIM-swap attacks often begin with identity data. A breach that exposes 270,000 customer names, physical addresses, email addresses, and phone numbers gives attackers valuable information. Tangem's basic wallet usage does not create that kind of Tangem account profile.