WhySoGeek.

SIM Swap Attacks on Crypto: Ditch SMS 2FA in 2026

A SIM swap can hijack your phone number and every SMS code tied to it. Here is how the attack drains crypto accounts and how passkeys shut it down.

Sam Carter · 8 min read
Photo: theKeyport / flickr (BY-NC-ND 2.0)

Your phone number feels like it belongs to you. It does not. It belongs to your carrier, and a convincing enough phone call can move it to a stranger's SIM in minutes. For anyone with crypto protected by text-message codes, that is not an inconvenience; it is the whole security model collapsing at once.

Quick answer

A SIM swap is when an attacker convinces your mobile carrier to port your number to their SIM, so they receive every SMS meant for you, including your two-factor codes. They then reset passwords and pass SMS-based verification to drain accounts. The fix is to stop relying on SMS for security: use a passkey or hardware security key where supported, an authenticator app where not, and lock down your carrier account with a PIN. Keep high-value crypto in self-custody so no account reset can reach it.

Key takeaways

  • A SIM swap hijacks your phone number, handing the attacker every SMS code sent to it.
  • SMS is the weakest 2FA and the primary reason SIM swaps are so damaging.
  • Passkeys and hardware keys are phishing-resistant; they will not release credentials to a fake site.
  • Authenticator app codes beat SMS but can still be phished if you type them into a fake page.
  • Self-custody removes the account-reset attack surface entirely for the funds you hold yourself.

How a SIM swap drains an account

The attack is social engineering, not hacking. The scammer gathers enough personal detail about you, then calls your carrier posing as you and reports a lost or upgraded phone. The rep moves your number to the attacker's SIM. Your own phone goes dead, and every call and text now flows to them.

From there the chain is fast:

  • They trigger a password reset on your email, delivered by SMS.
  • With your email controlled, they reset your exchange and other accounts.
  • Any account protected only by an SMS code is now theirs, and they cash out.

The losses are real and large; the FBI's complaint center tracked tens of millions of dollars in SIM-swap losses in a single year, and crypto is a favorite target because the theft is fast and hard to reverse.

[Image: A smartphone with a SIM card and a padlock symbol representing account security]

Why SMS is the weak link

SMS was never designed for security. It can be intercepted through carrier exploits, and, crucially, it is tied to a phone number that a carrier can reassign. That makes it the softest of the common second factors.

Ranking the options by how well they resist attack:

| 2FA method | Resistance to SIM swap | Resistance to phishing |
|---|---|---|
| SMS code | None; the whole target | Low |
| Authenticator app (TOTP) | Strong; not tied to the number | Medium; a code can be phished |
| Passkey / FIDO2 hardware key | Strong; nothing to intercept | High; bound to the real domain |

The jump from SMS to an authenticator app already defeats the SIM swap, because those codes live on your device, not on your phone number. The further jump to passkeys or hardware keys also defeats the phishing that can still trick you into typing a TOTP code into a fake site.

Passkeys and hardware keys, briefly

A passkey or FIDO2 hardware key is phishing-resistant by design. The credential is cryptographically bound to the real website's domain, so even if you click a convincing fake login link, the key simply refuses to authenticate to the wrong domain. There is no code for you to read out, mistype, or hand to an attacker.

Adoption is real and accelerating. Major platforms support passkeys, and at least one major crypto exchange made passkeys mandatory, reporting a large jump in authentications when it did. The realistic 2026 setup for most people is passkeys where supported, an authenticator app everywhere else, and a hardware key on the highest-value accounts.

For a full account hardening routine beyond 2FA, our secure crypto exchange account checklist covers withdrawal allowlists, device hygiene, and more.

Lock down the carrier itself

Better 2FA protects your logins, but you should also make the SIM swap harder in the first place. Carriers offer account-level protections that many people never enable:

  • Set a carrier PIN or passcode required before any SIM or number change.
  • Add a port-out or number-lock feature if your carrier supports it.
  • Minimize the personal data attackers can use to impersonate you; the less they know, the harder the pretext call.

These steps do not replace strong 2FA, but they raise the bar on the pretext-call step the whole attack depends on.

What to do right now

Prioritize the accounts that touch your money:

  • Remove SMS as your 2FA on email, exchanges, and password managers wherever an alternative exists.
  • Enable passkeys on every service that supports them, starting with your primary email.
  • Add a hardware security key to your highest-value accounts, and register a backup key.
  • Use an authenticator app for services that still lack passkeys, never falling back to SMS.
  • Set a carrier PIN and port-out lock to make the SIM swap itself harder.
  • Keep long-term crypto in self-custody, since a hardware wallet cannot be reached by resetting an online account; see our cold wallet versus hot wallet guide.

Frequently asked questions

If SMS 2FA is risky, is having it worse than nothing?

SMS 2FA is still better than a password alone, but it is the weakest option and the direct target of SIM swaps. Replace it with an authenticator app or passkey on any account that matters, and keep SMS only where nothing else is offered.

Do passkeys stop SIM swaps completely?

Passkeys are not tied to your phone number, so a SIM swap cannot intercept them, and they resist phishing because they are bound to the real domain. For accounts fully protected by passkeys or hardware keys, the SIM-swap path is closed.

How does self-custody help against this attack?

A SIM swap works by resetting online accounts. Crypto you hold in your own hardware wallet has no account to reset and no support line to socially engineer, so it is out of reach of the attack entirely, as long as your seed phrase stays private.

What is the single most important step?

Get SMS off your primary email account and replace it with a passkey or authenticator app. Email is the master key that attackers use to reset everything else, so protecting it phishing-resistantly closes the most damaging path.

This article is for general information and is not financial advice.

#crypto #security #2fa
