By Marcus “M.J.” Varela - cybersecurity specialist and DeFi strategist. Trust but Verify.
Give up an old phone number and it doesn’t disappear; it gets recycled. Mobile carriers routinely reassign inactive numbers, and attackers quietly buy or acquire those recycled numbers to reset accounts that still rely on SMS. In plain terms: if an old number is still tied to your email, exchange, or wallet app login, the next person holding that number can receive your verification codes. That’s a silent takeover waiting to happen.
Quick summary
- Number recycling enables stealth account resets months after you abandon a SIM.
- SMS-based authentication is fragile; use app-based codes or hardware security keys.
- Decouple your phone number from email, exchanges, and wallets, completely.
- Harden wallet recovery and test it; backups matter more than devices.
- Security is a system: devices, settings, habits, and recovery procedures working together.
How number recycling fuels “soft” SIM swaps
A classic SIM swap tricks your carrier into moving your current number to an attacker’s SIM. Number recycling is quieter. Carriers retire old numbers and reassign them. Attackers buy those reassigned numbers or set up alerts to capture them as soon as they become available. If your accounts still have that number as a recovery method, the new owner can request password resets or 2FA codes and walk straight in.
The flow is simple:
- Find a target account that lists a phone number for login or recovery.
- Acquire the recycled number tied to that account (or wait until it becomes available).
- Trigger password resets or login verifications via SMS.
- Pivot to email, exchange accounts, and messaging apps to deepen access.
This attack isn’t flashy, but it’s effective because it exploits standard account recovery paths that many people forget to update. In Crypto security & Wallets, that can mean access to exchange funds, cloud-stored 2FA backups, or smart contract wallets that support phone-based sign-in.
Why this matters for Crypto security & Wallets
Self-custodial wallets don’t depend on your phone number to sign transactions; the private key does. But the ecosystem around your key often does:
- Email: If your email can be recovered via SMS, everything downstream is at risk: exchanges, cloud backups, and developer tools.
- Exchanges and brokers: Many still allow SMS for login or as a fallback. That’s an open door if the number is recycled.
- Smart-contract wallets or Web3 accounts: Some support phone-based login or recovery. If the phone is part of your recovery quorum, a recycled number can break your security model.
- Messaging apps: Telegram/WhatsApp logins tied to your number can be hijacked, enabling social engineering of support or contacts.
In short, you rarely lose coins because the blockchain failed. You lose them because an account in the chain of access failed, often starting with a phone number.
Design your defenses: decouple, harden, and test
Security is a set of habits and design choices. For Crypto security & Wallets, focus on three moves: decouple phone numbers, harden authentication, and test recovery.
1) Decouple your phone number from critical accounts
- Remove your phone number from email, exchange, broker, and wallet-related accounts. Replace it with app-based 2FA (TOTP) or security keys.
- Audit old services: newsletters, fintech apps, domain registrars, cloud drives, password managers. Delete the number and disable SMS recovery.
- Avoid sharing a real phone number publicly or with support tickets. Use masked email aliases for low-trust sign-ups.
2) Harden authentication the right way
- Primary email: Use hardware security keys (FIDO2) for login and recovery. Add an app-based code as a secondary factor. Disable SMS fallback.
- Exchanges: Enable TOTP or security keys; disable SMS. Turn on withdrawal allowlisting and time locks. Set anti-phishing codes.
- Wallets: Prefer self-custody wallets that do not rely on phone numbers. For smart-contract wallets with social recovery, avoid phone-based guardians.
- Carrier protections: Add a port-out PIN and request a port freeze. These are not perfect, but they raise the bar.
- Messaging apps: Set a Telegram 2FA password; hide your number from non-contacts. On WhatsApp, enable two-step verification with a strong PIN.
3) Treat keys and backups like production systems
- Private key generation: Initialize hardware wallets yourself, offline. Verify firmware authenticity before setup. Never use pre-initialized devices.
- Seed storage: Write down your seed phrase on durable media. Store redundant copies in separate, secure locations. Consider a passphrase for vault funds.
- Recovery drills: Practice restoring from backup on a spare device to confirm you can recover under pressure. This is your “fire drill.”
- Operational hygiene: Always verify the address and amount on the device screen. Avoid blind signing; read what you approve.
Practical checklist you can do today
- Change your primary email to security keys + TOTP; remove SMS.
- On every exchange: disable SMS, enable withdrawal allowlisting, and set a 24-48 hour withdrawal delay.
- Scan your password manager for accounts still tied to a phone number; remove it.
- Add a carrier account PIN and request a port freeze.
- Review wallet setups: verify firmware, re-check seed backups, and test recovery on a spare device.
- Lock down Telegram/WhatsApp with 2FA passwords and hide your number from public view.
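The “scan your password manager” step above, and the audit in section 1, can be scripted against a CSV export. This is an added example, not tooling from the article’s author; it assumes a name,url,username,notes column layout and uses constructed sample rows, so adapt the column names to your own manager’s export.

```python
import csv
import io
import re

# Constructed sample export (not real accounts). Columns follow an assumed
# name,url,username,notes layout; adjust the column names for your manager.
SAMPLE_EXPORT = """name,url,username,notes
Primary Email,https://mail.example,alice@example.com,"2FA: TOTP; recovery phone +1 415 555 0100"
CoinExchange,https://exchange.example,alice@example.com,"login via SMS code; withdrawal allowlist off"
Hardware Wallet Vendor,https://vendor.example,alice,"order history only; TOTP enabled"
Newsletter,https://news.example,alice@example.com,"phone 415-555-0199 on file"
Messaging,https://chat.example,+14155550100,"Telegram 2FA password set"
"""

# A phone number: optional '+', then 10-15 digits with common separators.
PHONE_RE = re.compile(r"\+?\d(?:[\s().-]*\d){9,14}")
# Wording that indicates SMS is still part of login or recovery.
SMS_RE = re.compile(r"\b(?:sms|text message|recovery phone)\b", re.I)
# Account classes the article says to decouple first.
HIGH_VALUE = ("mail", "exchange", "broker", "wallet", "messag", "telegram", "whatsapp")

def priority(name: str, url: str) -> int:
    """0 = fix first (email, exchange, wallet, messaging), 1 = everything else."""
    text = f"{name} {url}".lower()
    return 0 if any(k in text for k in HIGH_VALUE) else 1

def audit(csv_text: str) -> list:
    """Return accounts that still carry a phone number or SMS recovery, highest
    risk first. Numbers are normalised to bare digits so the same number can be
    recognised across accounts."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        blob = f"{row.get('username', '')} {row.get('notes', '')}"
        phones = sorted({re.sub(r"\D", "", m) for m in PHONE_RE.findall(blob)})
        uses_sms = bool(SMS_RE.search(blob))
        if phones or uses_sms:
            findings.append({"name": row["name"], "priority": priority(row["name"], row["url"]),
                             "phones": phones, "sms": uses_sms})
    findings.sort(key=lambda f: (f["priority"], f["name"]))
    return findings

def shared_numbers(findings: list) -> dict:
    """Map each number to the accounts it unlocks: one recycled number listed
    under several accounts is a single point of failure, not several."""
    by_number = {}
    for f in findings:
        for p in f["phones"]:
            by_number.setdefault(p, []).append(f["name"])
    return by_number

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"[{'FIX FIRST' if f['priority'] == 0 else 'later'}] {f['name']}: phones={f['phones']} sms={f['sms']}")
```

Entries with no number and no SMS wording (the hardware wallet vendor row in the sample) are not reported, so the output is the list of accounts still to decouple.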
Advanced defenses for higher-stakes holdings
If the amounts justify it, raise resilience while accepting added complexity:
- Multisig: Use a 2-of-3 or 3-of-5 setup with hardware diversity (different vendors). This removes single-device failure risk.
- Air-gapped flows: Sign transactions offline, passing PSBTs via QR codes or an SD card, to reduce malware exposure on the host machine.
- Descriptor-based backups: Keep wallet descriptors or xpubs documented to make recovery predictable, not a puzzle.
- Separation of duties: Maintain a “spending” wallet for daily use and a “vault” wallet with stricter policies and delays.
FAQ
Is SMS ever acceptable for crypto accounts?
It’s better than nothing but far weaker than TOTP or hardware security keys. If SMS is the only option temporarily, treat that account as high risk and move to stronger factors as soon as possible.
If my self-custody wallet doesn’t use my phone number, am I safe?
You’re safer, but not invincible. Attackers target the surrounding stack: email, exchanges, messaging, and browser wallets. One weak link can still lead to loss.
What about VOIP numbers or “privacy” numbers?
They can still be recycled or reassigned by providers. Don’t rely on any phone number for recovery of critical accounts.
Do carrier locks and PINs stop SIM swaps?
They help, but they aren’t perfect. Treat them as speed bumps, not walls. Your real defense is removing the phone number from critical authentication flows.
How often should I test recovery?
At least twice a year or after any significant change (new device, firmware update, move to a new location). Document what worked and what didn’t.
Can a recycled number compromise my hardware wallet?
Not directly. But if it compromises your email or exchange, the attacker can try social engineering or drain custodial funds while you’re distracted. Keep layers strong.
The takeaway
Number recycling turns yesterday’s phone into today’s backdoor. In Crypto security & Wallets, the fix is straightforward: remove SMS from the equation, strengthen authentication with keys or TOTP, and make recovery boring and reliable through tested backups. Build habits you can verify, not assumptions you hope will hold.