CryptoCISO

Case Study: Recovering From a SIM-Swap That Emptied an Exchange Account

Written by

in

A client woke to find his phone with no signal and his exchange account emptied. An attacker had SIM-swapped his number, intercepted the SMS reset codes, disabled his real two-factor protection and withdrawn his crypto.

What we found. The root cause was SMS-based two-factor authentication. Once the attacker controlled the phone number, every SMS code — including the withdrawal confirmations — went to them.

What we did. We built a minute-by-minute timeline of the takeover, traced the withdrawals through intermediary wallets, and followed two of them to deposit addresses at centralized exchanges. Because we moved quickly, one of those freeze requests reached the exchange while the funds were still on the platform.

The outcome. One exchange froze the linked deposit pending investigation. We then helped the client rebuild his security from the ground up: hardware-key two-factor, removal of all SMS recovery, and a clean separation between his phone number and his financial accounts.

The takeaway. SMS two-factor is the single weakest link in most account-takeover cases. Move every account that matters to a hardware key or authenticator app, and never let a phone number be the master key to your money.

Client and identifying details have been anonymized to protect confidentiality. CryptoCISO does not guarantee recovery; outcomes depend on the specific facts of each case.