growing threat to crypto community
In the crypto sphere, SIM swap scams are on the rise, leading to significant losses. Uncover the concerning trend and take steps to protect your assets.
On Sept. 9, scammers took over the social media account of Ethereum (ETH) co-founder and CEO Vitalik Buterin. They then used it to post a fake NFT giveaway, directing unwitting users to click a phishing link that drained nearly $700,000 from their wallets.
Days after the incident, Buterin confirmed that he had been the victim of a SIM swap, speculating that bad actors had social-engineered his mobile service provider to take over his phone number.
Buterin is one of the highest-profile victims of this attack that is becoming more prevalent in the crypto space. In August, noted blockchain analyst ZachXBT shared data showing that since May, the crypto community had lost more than $13 million from 54 SIM swap scams.
What is a SIM swap, and why has it become such a popular avenue for scamming crypto holders? And what can you do to protect yourself from such attacks?
What is a SIM swap?
A SIM swap is a form of identity theft that involves an attacker taking control of your mobile phone number and assigning it to a new SIM card they control.
Usually, the attackers exploit two-factor authentication (2FA) and two-step verification weaknesses, particularly when they involve a user receiving text messages or calls. It allows them to steal sensitive data, including passwords, financial resources, and even cryptocurrencies.
SIM swaps can be executed remotely, with the attacker contacting your mobile service provider or visiting one of their physical stores, pretending to be you.
They may have previously acquired information about you through a different hack or, more insidiously, might have an accomplice within the company who can facilitate the transfer.
Once the attacker persuades customer support to transfer your number to a new SIM card, they gain control over it and, consequently, all calls or text messages sent to that number.
Moreover, they can access all apps on the phone, including social media and financial apps. And in case yours is an influential social media account, the attackers will most probably use it to post malicious links to fake tokens or NFT airdrops in the hopes of duping a few unwary followers.
SIM swap attacks often capitalize on public knowledge or, as in the case of Vitalik Buterin, information manipulated through social engineering.
Some experts note that, compared to exploiting smart contracts or hacking exchanges, SIM swapping is a more accessible entry point for cyber attackers since it doesn’t necessitate advanced technical proficiency.
Recent cases of SIM swap scams in crypto
In 2021, the Federal Bureau of Investigation (FBI) was inundated with more than 1,600 grievances relating to SIM swapping, cumulatively amounting to losses exceeding $68 million.
According to the agency, the number of complaints was four times as high as those received between 2017 and 2019, a period marked by crypto’s growing mainstream popularity.
A case in point was when Coinbase publicly acknowledged that between March and May 2021, a 2FA breach led to the theft of crypto assets from no fewer than 6,000 customers.
Several leading figures in the crypto community have also fallen victim to SIM swapping recently. Let’s take a look at some of the cases:
Vitalik Buterin account hack
Bad actors took control of Vitalik Buterin’s X account on Sept. 9 to post a malicious link promising a free commemorative NFT from software giant Consensys.
Users who fell for the ruse clicked the link and connected their wallets in anticipation of getting the Consensys NFT but instead had their accounts drained.
Blockchain detective ZachXBT revealed that the scammers managed to siphon approximately $691,000 worth of crypto assets from hapless victims.
One victim, BokkyPooBah, lost two NFTs, CryptoPunk #3983 and CryptoPunk #1751, valued at $249,000 and $94,251, respectively.
Buterin later relayed his experience on Farcaster, a decentralized social media platform, on Sept. 12. He described how the hacker exploited T-Mobile, his telecom service provider, to control his phone number, enabling them to reset his X password and bypass the need for 2FA.
“Yes, it was a SIM swap, meaning that someone socially engineered T-Mobile itself to take over my phone number.”
Vitalik Buterin, Ethereum co-founder and CEO
The Ethereum CEO has since regained control of his account and urged fellow users to consider removing their phone numbers from their social media accounts to bolster security.
Gutter Cat Gang
Another possible SIM swap attack targeting NFT collectors is the Gutter Cat Gang hack. The incident came to light on July 7, 2023, when Gutter Mitch, co-founder of the Gutter Cat Gang NFT collection, issued a warning, asking followers not to interact with any links posted on the project’s official X account since they had been compromised.
Once again, ZachXBT attributed the incident to a SIM swap attack. He criticized the project’s security practices, chiding the team for using SMS-based 2FA authentication on their social media accounts even when there was growing concern over SIM swap hacks.
The hackers used the compromised account to share phony links for limited edition Gutter Cat NFT sneaker airdrops, which resulted in the draining of users’ hot wallets upon clicking.
The scammers reportedly made the fake links look authentic by incorporating recent Gutter Cat Gang branding and images from a sneaker collaboration with sportswear manufacturer Puma and NBA star LaMelo Ball.
ZachXBT confirmed that in the attack, one Gutter Cat user lost a Bored Ape Yacht Club (BAYC) NFT valued at more than $65,000, while another lost several NFTs from various collections worth an eye-watering $700,000.
Bart Stephens
On Aug. 16, 2023, Blockchain Capital co-founder Bart Stephens lodged a legal complaint alleging a SIM swap hack that led to the theft of at least $6.3 million in various cryptocurrencies from his virtual wallets.
In the lawsuit, Stephens asserted that the hacker, only identified as Jane Doe, exploited personal information found online and on the dark web to manipulate security procedures with his mobile service provider, allowing them to alter his account passwords.
The hacker then secured Stephens’ mobile phone account, procured a new device, and transferred Blockchain Capital’s managing partner’s private number to a SIM on the new device.
According to Stephens, his attackers then transferred millions of dollars worth of Bitcoin (BTC), Ethereum, Uniswap (UNI), Compound (COMP), and Maker (MKR) from his hot wallet. They also tried to steal another $14 million in ETH and BTC from Stephens’ cold wallet, but a vigilant Blockchain Capital employee thwarted the attempt.
Stephens’ mobile service provider allegedly notified him of the SIM swap incident a day after the theft occurred. The hackers reportedly moved at least half of the stolen funds to a crypto tumbler, making tracing them more difficult.
Since filing the lawsuit, the Blockchain Capital co-founder has kept mum on the matter.
Bryan Pellegrino
LayerZero CEO Bryan Pellegrino was another victim of a SIM swap attack. However, in his case, Pellegrino acted quickly enough to avert any losses from occurring due to the hack.
According to him, the attacker probably retrieved his details from a badge he’d thrown in the trash upon leaving Collision 2023 in Toronto, Canada.
Pellegrino first realized something was amiss when he checked his email and saw notifications from X informing him of changes to his account password.
Upon learning it was a SIM swap, he used his company, LayerZero’s social media account, to warn users against engaging with any posts from his account. He also set about retrieving the account with the help of X staff, who also deleted all posts made by the hacker.
Cole
Well-known crypto enthusiast and NFT creator Cole (@ColeTherium) also lost his X account after a SIM swap attack on June 5, 2023.
His phone number was compromised during the breach, leading to the hacker controlling all posts and direct messages (DMs) from his X account.
Cole described the experience as a barrage of text messages leading to the disappearance of cell service and eventually a hostile takeover of his X account.
The attacker impersonated Cole convincingly enough to persuade the NFT artist’s cell service provider, AT&T, to transfer his phone number to their device, allowing them to bypass 2FA security measures and access Cole’s X account.
During the period of unauthorized access, the hacker initiated a scam involving a nonexistent IGLOO token, which they claimed was the official token for Cole’s former NFT project, Pudgy Penguins.
ZachXBT linked the attack on Cole to a group he alleged had hacked more than eight social media accounts belonging to prominent crypto community members, stealing nearly $1 million worth of digital assets over several weeks.
According to the blockchain investigator, the group was responsible for SIM swap attacks on crypto influencer Ben “Bitboy” Armstrong,” OpenAI CTO Mira Murati, media personality and crypto critic Peter Schiff, and popular DJ Steve Aoki, among others.
Like Cole’s case, most hacked accounts were used to promote fake tokens with phishing links attached. In Mira Murati’s case, the hacker used her account to advertise a bogus airdrop for an ERC-20 token called OPENAI. According to reports, the post was live for almost an hour and was viewed nearly 80,000 times before being removed.
Peter Schiff’s account was used to promote another fake token called GOLD, which the hacker breathily described as “tokenized gold.”
Signs of SIM swap attacks
Understanding the warning signs of SIM swapping can be vital in preventing potential damage from this cyber threat.
Loss of cell service
One such indicator is the sudden loss of all your mobile services. It could mean that an attacker has successfully executed a SIM swap, rendering your original SIM card useless.
Several victims, including Cole and Sign-In with Ethereum (SIWE) creator Brantly Millegan, have reported being bombarded with text messages before losing cell service.
In such a scenario, you will be unable to make calls or even text customer support.
Strange posts from your social accounts
Suspicious activity on your social media platforms is another telltale sign. If you start noticing posts, comments, or messages that you didn’t make, your account may have been compromised.
Inability to access your financial accounts
In addition, an inability to access your financial accounts is a major red flag. If you find that your usual login credentials for your credit card or bank account no longer work, it’s quite likely that you have fallen prey to a SIM swap attack.
Notifications from strange devices
There are other, subtler signs as well. An attacker might use your stolen phone number or SIM card on different devices. In more sinister cases, hackers can access all your mobile data, including files you’ve downloaded and applications you use, ranging from social networking apps to financial ones.
Responses from regulators
The US Congress and the Federal Communications Commission (FCC) have diligently explored effective strategies to counteract and prevent SIM swap scams for quite some time.
On July 11, the FCC announced a raft of measures, including creating the Privacy and Data Protection Task Force, intended to shield consumers from the escalating wave of SIM swap scams.
Among the proposed measures is an update to the FCC’s rules about personal network information and local number transferability. If enacted, the guidelines would compel mobile service providers to implement secure ways of verifying customer identity before allowing a phone number to be transferred to a new device or different provider.
Moreover, providers would be obligated to promptly notify customers whenever a SIM change or number transfer request occurs on their account.
According to the Commission, the new rules intend to form a consistent structure across the mobile industry while offering providers the leeway to implement the most innovative and suitable fraud prevention measures.
The proposal also opens the possibility for further adjustments, seeking public input on better aligning these rules with existing ones and exploring additional ways the Commission can streamline government initiatives to combat SIM swap and number porting frauds.
How to protect yourself from SIM swap hacks
As we wait to see how telcos will react to the FCC’s proposals, there are several steps you can take to avoid SIM swaps:
- Keep your mobile number and other crucial details, like passwords and PINs, to yourself. Don’t share these with anyone over the phone.
- Secure your SIM card with a SIM PIN. It will prompt you for a PIN whenever you restart your phone or use the SIM card on a new device.
- Be cautious about what information you share online. Cybercriminals are always hunting for valuable data to carry out SIM swap attacks, so don’t post about your financial holdings, including cryptocurrency, on social media or forums.
- Don’t secure your social and financial accounts with 2FA that uses SMS.
- Use 2FA apps like Authy, Google Authenticator, or Microsoft Authenticator.
- Don’t click on suspicious emails or links; they may be designed to steal your sensitive login information.
- Don’t share your bank or credit card details unless you know who’s asking for them.
- For an extra layer of protection, consider using a physical security key for your online accounts.
Additionally, it is rather difficult to identify social media accounts that have been hacked through SIM swaps. Apart from the account owners and blockchain security analysts warning the public not to interact with certain posts, one tell-tale sign is that most SIM swap scammers tend to limit who can reply to posts from accounts they have taken over, especially when they are sharing phishing links on those posts.
Scammers are constantly pushing the envelope when it comes to social engineering, and at times, even the most vigilant or well-informed among us can fall victim to their tricks. However, if you take the steps above, you should greatly reduce your chances of falling foul of a SIM swap scam.