SIM swap victims now have two cases, not one.
What it is: An attacker convinces (or pays) your carrier to move your phone number to their device. SMS 2FA codes flow to them. Your exchange password resets. Your crypto leaves the building in minutes.
The on-chain case: Every withdrawal, every bridge, every mixer hop is permanent on the blockchain. A forensic trace identifies the off-ramp exchange and KYC account where the funds landed — the evidence package the FBI's IC3 and any subsequent prosecutor will need.
The civil case (the new part): In October 2024 the Ninth Circuit, in Terpin v. AT&T Mobility, LLC, reversed the district court's ruling for AT&T on Michael Terpin's CPNI claim and let him pursue the theory that the carrier's SIM swap disclosed his customer proprietary network information in violation of Section 222 of the Communications Act. The damages action itself comes from the Act's remedy provisions (47 U.S.C. §§ 206 and 207), which let a customer sue a carrier for a violation. SIM swap victims with U.S. carriers now have a real path to recovery against the carrier, not just the thief.
The combined evidence: The carrier's port-out timestamp lined up against the on-chain withdrawal timestamp is the single most damning exhibit a SIM swap attorney can put in front of a jury or a settlement negotiator. Building both halves of that exhibit is what this article is about.
In This Article
- Why SIM swap crypto cases are different from other thefts
- How a 2026 SIM swap actually works
- The on-chain forensic trace after a SIM swap
- The civil case against the carrier
- What evidence wins both cases
- Working with a SIM swap attorney
- AI voice cloning made SIM swaps easier in 2026
- What to do in the first 24 hours
- Frequently asked questions
Why SIM Swap Crypto Cases Are Different From Other Thefts
Most crypto theft cases are forensically lonely. A wallet drainer phishes you, a romance scammer sweet-talks you, a fake support agent walks you through giving up your seed phrase — in every one of those, the only counterparty with U.S.-jurisdiction assets and a deep pocket is the thief themselves. If the thief is offshore (and they almost always are), the practical recovery path is narrow: trace the funds, hope they touch a regulated exchange, hope a federal agency is willing to subpoena, hope the bank balance still exists.
SIM swap is different because the victim has a second defendant: the U.S. mobile carrier whose authentication failure made the entire attack possible. AT&T, T-Mobile, and Verizon are publicly traded companies with U.S. jurisdiction, large legal budgets, and existing settlement programs for these claims. They are also subject to a federal statute — Section 222 of the Communications Act — that imposes specific duties on how they handle the account information used in port-outs. When the duty is breached and the breach is the proximate cause of a measurable financial loss, that is a civil case. The on-chain forensic trace establishes the loss with precision the carrier cannot dispute.
This is why SIM swap is the one crypto-theft archetype where the victim should be thinking about two investigations from day one: the on-chain forensic case that follows the money, and the civil-litigation case that pursues the carrier. The two run in parallel, the evidence overlaps, and the timeline (carrier port-out vs. wallet drain, lined up to the second) is what makes both of them stand up.
How a 2026 SIM Swap Actually Works
The SIM swap of 2026 is a faster, cleaner version of the attack that was first widely publicized around 2018. Three things have changed.
1. eSIM provisioning collapsed the timeline
In 2018 a SIM swap typically required either an in-person visit to a carrier retail store with a fake ID or social engineering of a phone-channel customer service rep into shipping a physical SIM card. Either path took hours and left a paper trail that was easy to subpoena later. The eSIM era changed both. An eSIM is a software profile downloaded to a device through the carrier's app or chat. From the moment the attacker has account credentials and can pass whatever authentication the carrier still requires, the time from port request to working SIM on the attacker's device is often under five minutes. There is no shipping, no store visit, no inventory log to subpoena later. The forensic record is whatever the carrier chose to keep about its own internal port-protection workflow — and that record, more often than not, is what the civil case will turn on.
2. Voice cloning broke voiceprint authentication
Several large carriers introduced voiceprint or voice-based authentication options in the late 2010s as a way to harden the call-center channel. Consumer-grade AI voice cloning, available through any of a dozen public services in 2026, made those checks worthless. Thirty seconds of a target's voice (from a podcast appearance, a YouTube video, a public Twitter Space, or a recorded voicemail) is enough to clone their voice well enough to pass any voiceprint check that does not actively probe for synthesis artifacts. If you have ever spoken in public at all, your voice is a usable authentication bypass for a motivated attacker.
3. T-Mobile and AT&T data breaches handed attackers the answer key
The T-Mobile breaches of 2021 and 2023 exposed account data — including phone numbers, plan details, and in some cases authentication data — for tens of millions of customers. The AT&T breach disclosed in mid-2024 exposed call and text metadata for nearly all wireless customers covering a several-month window in 2022. None of those breaches alone is enough to execute a SIM swap, but each one provides the answers to the knowledge-based questions that carriers use as fallback authentication. An attacker working from a breached dataset starts the call already knowing the victim's phone, plan, billing zip, and recent activity — the questions a customer service rep is trained to ask are no longer secrets.
The actual attack sequence
What runs against the typical 2026 victim looks like this:
- Target identification. Often from on-chain reconnaissance — a wallet known to hold meaningful balance, linked through OSINT or a previous data leak to a real-world identity and phone number.
- Carrier reconnaissance. The attacker looks up which carrier the target uses, what plan, what authentication options are likely on the account. Breached datasets are the most common source. Number-portability lookups via NPAC or third-party services confirm carrier of record.
- The port request. Submitted through whichever channel has the weakest authentication for that carrier — typically the in-app eSIM transfer flow, the chat channel, or a retail store with a complicit or social-engineered employee.
- Authentication bypass. Either with knowledge-based answers from a breach, a cloned voice, a fake ID image, an SS7 intercept of an authentication code, or an internal bribe to a carrier employee. Federal indictments since 2022 have repeatedly named carrier employees as paid co-conspirators — the bribery price for a single port-out has been reported in court filings as low as a few hundred dollars.
- The drain. Once the SIM transfers, the victim's phone loses service and the attacker's device receives all SMS. Within minutes the attacker initiates password resets on the victim's email account, the exchange, and any other account that allows SMS recovery. Two-factor codes flow to the attacker's device. Funds are pushed off the exchange, usually to a fresh wallet, usually as USDT, because it is liquid on every chain the attacker might bridge to and cheap to move.
- Laundering. Bridge to a different chain (Tron, BSC), through a mixer if available on that chain, sometimes through a chain of wallet hops, ultimately landing at a deposit address on a second exchange — preferably one with weak KYC or weak law enforcement cooperation.
The whole sequence, from port request to first laundering hop, is routinely under thirty minutes. Some published cases have completed in under ten.
The FBI's IC3 has logged well over a thousand SIM swap complaints a year since it began breaking the category out (1,611 complaints and about $68 million in reported losses in 2021, over two thousand complaints and roughly $72 million in 2022). The 2024 IC3 report flagged SIM swap as a continuing high-impact vector, and industry trackers have cited cryptocurrency-specific SIM swap losses in the same year in the high tens of millions. These numbers undercount the real total: many victims never file with IC3, and many of those who do underreport because they cannot prove the dollar value at the moment of theft. The on-chain trace establishes that dollar value.
The On-Chain Forensic Trace After a SIM Swap
The on-chain side of a SIM swap case has a structure that is unusual in two ways. First, the breach point (the exchange) is almost always a regulated, U.S.-jurisdiction custodian — Coinbase, Kraken, Gemini, or one of the smaller domestic platforms — because that is where SMS-2FA password resets actually work. Second, the first move off the exchange is almost always to a freshly funded wallet that the attacker controls, not to a known cluster — SIM swap operators tend to use clean wallets per victim because they understand that the dollar amounts will draw federal attention. That combination — clean U.S. exchange on the input side, clean wallet on the output side — produces a forensic trail that looks different from a wallet-drainer case (which usually starts at a self-custody wallet) or a romance-scam case (which usually starts at a CEX deposit the victim made themselves).
Identifying which exchange the attacker drained from
This is rarely in doubt by the time we are engaged because the victim already knows. The exchange notified them of the password change or the withdrawal, or the victim logged in (from a different device) and saw the empty balance. What we add at this stage is the precise timestamp of every relevant action: password reset request, withdrawal initiation, withdrawal confirmation, and the on-chain transaction hash for each outgoing transfer. Those timestamps are critical because they have to line up against the carrier's port-out timestamp to within a few minutes for the negligence claim to be airtight.
The withdrawal path
The attacker's outbound transactions almost always have the same shape. We see, in roughly this order:
- An on-platform conversion of all balances to either USDT (more common) or BTC (less common, used when the attacker is comfortable with Bitcoin's slower settlement). USDT wins on liquidity and on the cheap, fast path onto Tron. It is not the safer choice for the attacker on the freeze axis: Tether can and regularly does freeze USDT at law enforcement request on both Ethereum and Tron, which nobody can do with BTC. That is why the funds do not sit still after the withdrawal, and why a same-hour freeze request to Tether, routed through the exchange's fraud team or law enforcement, is one of the few moves that can actually stop the money rather than merely trace it.
- A withdrawal from the exchange to a fresh, never-used wallet. The wallet is almost always a single-use address: its only prior history is a small top-up of the chain's native token for gas, sent from an unrelated source minutes before the drain. That top-up is itself a signature worth documenting, because it shows the wallet was prepared for this victim.
- A bridge transaction within minutes. The most common bridge in 2025-2026 SIM swap cases has been ERC-20 USDT to TRC-20 USDT via one of the major bridges, because Tron's transaction fees are negligible and TRC-20 USDT is what the offshore off-ramps the funds are headed for hold in depth. The chain-jump does not take the funds out of the issuer's reach: TRC-20 USDT is freezable by Tether just as ERC-20 USDT is.
- One to three intermediate hops on the destination chain.
- A deposit at a second exchange — almost always one with either weak KYC or weak U.S. cooperation. Common destinations have included offshore platforms with limited subpoena response.
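The withdrawal path above, traced forward in code. This is an added example, not the original article's or any vendor's tooling: it walks a constructed single-chain ledger from the exchange withdrawal, follows every same-asset outflow (including splits), ignores dust and transfers that predate the drain, stops at addresses an attribution dataset has labeled, and reports the fresh-wallet signature on the first hop. All hashes, addresses, amounts and the LABELS map are placeholders invented for the example.

```python
"""Walk a SIM-swap drain forward from the exchange withdrawal, following every split, until a labeled deposit address."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Tx:
    tx_hash: str
    ts: datetime      # block timestamp, UTC
    sender: str
    receiver: str
    asset: str        # "USDT", or the chain's native gas token "ETH"
    amount: float


def utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed, hypothetical single-chain ledger; hashes and addresses are placeholders, not real identifiers.
LEDGER = [
    Tx("old1", utc("2026-03-10 09:00:00"), "0xHOP1",    "0xUNRELATED", "USDT", 5000.0),    # predates the drain; must not be followed
    Tx("gas1", utc("2026-03-14 22:12:47"), "0xGASSRC",  "0xFRESH1",    "ETH",  0.02),      # gas top-up minutes before the drain
    Tx("wd1",  utc("2026-03-14 22:19:47"), "0xEXCHHOT", "0xFRESH1",    "USDT", 250000.0),  # the exchange withdrawal
    Tx("h1",   utc("2026-03-14 22:24:10"), "0xFRESH1",  "0xHOP1",      "USDT", 249990.0),
    Tx("h2",   utc("2026-03-14 22:31:02"), "0xHOP1",    "0xHOP2",      "USDT", 120000.0),  # split into two legs
    Tx("h3",   utc("2026-03-14 22:31:02"), "0xHOP1",    "0xHOP3",      "USDT", 129980.0),
    Tx("dust", utc("2026-03-14 22:32:00"), "0xHOP1",    "0xHOP9",      "USDT", 0.5),       # dust, below threshold
    Tx("d1",   utc("2026-03-14 22:40:31"), "0xHOP2",    "0xDEPA",      "USDT", 120000.0),
    Tx("d2",   utc("2026-03-14 22:45:09"), "0xHOP3",    "0xDEPB",      "USDT", 129980.0),
]

# Address labels as an attribution dataset would supply them (assumed, illustrative).
LABELS = {
    "0xEXCHHOT": "VictimExchange hot wallet",
    "0xDEPA": "OffRampExchange deposit address",
    "0xDEPB": "OffRampExchange deposit address",
}


def fresh_wallet_report(ledger, address, at):
    """What did `address` do before `at`? A single native-token top-up minutes earlier is the single-use-wallet signature."""
    prior = sorted((t for t in ledger if t.ts < at and address in (t.sender, t.receiver)), key=lambda t: t.ts)
    gas_only = bool(prior) and all(t.asset == "ETH" and t.receiver == address for t in prior)
    first = round((at - prior[0].ts).total_seconds() / 60, 1) if prior else None
    return {"prior_tx_count": len(prior), "gas_only": gas_only, "first_funded_minutes_before": first}


def trace_forward(ledger, start_hash, labels, max_hops=6, min_amount=1.0):
    """Breadth-first walk of same-asset outflows from each receiving address, after the inbound transfer's time."""
    start = next(t for t in ledger if t.tx_hash == start_hash)
    queue = deque([(start, [start.tx_hash])])
    visited = {start.tx_hash}
    endpoints = []

    def endpoint(tx, path, label):
        return {"address": tx.receiver, "label": label, "amount": tx.amount, "path": path,
                "minutes_from_start": round((tx.ts - start.ts).total_seconds() / 60, 1)}

    while queue:
        tx, path = queue.popleft()
        if tx.receiver in labels:                      # landed somewhere attributable: stop here
            endpoints.append(endpoint(tx, path, labels[tx.receiver]))
            continue
        if len(path) - 1 >= max_hops:
            endpoints.append(endpoint(tx, path, "UNRESOLVED: hop limit reached"))
            continue
        outs = [o for o in ledger if o.sender == tx.receiver and o.asset == tx.asset
                and o.ts >= tx.ts and o.amount >= min_amount and o.tx_hash not in visited]
        if not outs:                                   # funds are parked; revisit later
            endpoints.append(endpoint(tx, path, "DORMANT: no outflow yet"))
        for o in sorted(outs, key=lambda t: t.ts):
            visited.add(o.tx_hash)
            queue.append((o, path + [o.tx_hash]))
    return endpoints


if __name__ == "__main__":
    print(fresh_wallet_report(LEDGER, "0xFRESH1", utc("2026-03-14 22:19:47")))
    for e in trace_forward(LEDGER, "wd1", LABELS):
        print(e)
```

The walk follows only same-asset transfers, so a swap into another token or a bridge crossing ends a leg at the contract's address; a bridge leg is a separate correlation problem. The time filter (outflows at or after the inbound transfer) is what keeps an intermediary's unrelated earlier history out of the exhibit.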
Tracing through mixers and bridges
The honest answer is that mixers and bridges add work but rarely defeat the trace. Cross-chain bridges leave correlatable on-chain footprints: the deposit on the source chain and the release on the destination chain land within a minute or two of each other, carry the same amount minus the bridge fee, and on most lock-and-mint bridges share a message identifier or nonce that the bridge contracts emit on both sides. Tools like the Chainalysis Reactor cross-chain tracer, TRM Labs' bridge tracking, and several open-source cross-chain mappers have made this routine work. Mixers are harder (Tornado Cash output cannot be deterministically linked back to its input), but most SIM swap attackers do not use Tornado Cash because the volume is too small to provide privacy and the mixer is itself a regulatory red flag at the off-ramp. Operators tend to rely on hops and chain-jumps for obfuscation, not true mixing, and hops are traceable.
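The correlation described above, as an added example rather than any of the named tools' logic: it pairs constructed source-chain deposits with destination-chain releases using the three signals named here, a release after the deposit within a short window, an amount smaller by no more than a plausible fee, and a matching message nonce where the bridge emits one, treating the nonce as dispositive when present. All events, hashes, amounts and nonces are invented for the example.

```python
"""Pair bridge deposits on the source chain with releases on the destination chain by time, amount and (when emitted) nonce."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class BridgeEvent:
    chain: str
    tx_hash: str
    ts: datetime           # block timestamp, UTC
    amount: float          # USDT
    nonce: Optional[int]   # bridge message id if the contract emits one, else None


def utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed, hypothetical events; hashes are placeholders. Source = Ethereum deposits into the
# bridge contract, destination = Tron releases out of it.
SRC_DEPOSITS = [
    BridgeEvent("ethereum", "srcA", utc("2026-03-14 22:24:10"), 249990.0, 8812),   # the victim's funds
    BridgeEvent("ethereum", "srcB", utc("2026-03-14 22:24:40"), 50000.0, 8813),    # unrelated user, same minute
    BridgeEvent("ethereum", "srcC", utc("2026-03-14 22:25:05"), 1000.0, 8814),     # small transfer hit by a flat fee
    BridgeEvent("ethereum", "srcD", utc("2026-03-14 22:26:30"), 7000.0, 8815),     # not yet released on the other side
]
DST_RELEASES = [
    BridgeEvent("tron", "dstA",     utc("2026-03-14 22:24:52"), 249890.0, 8812),
    BridgeEvent("tron", "dstB",     utc("2026-03-14 22:25:30"), 49980.0, 8813),
    BridgeEvent("tron", "dstC",     utc("2026-03-14 22:25:40"), 990.0, 8814),
    BridgeEvent("tron", "dstDecoy", utc("2026-03-14 22:26:00"), 249890.0, None),   # right amount, no nonce
    BridgeEvent("tron", "dstLate",  utc("2026-03-15 00:30:00"), 249990.0, None),   # right amount, far outside window
]


def match_bridge_legs(src_events, dst_events, window=timedelta(minutes=10), max_fee_bps=50.0):
    """For each source deposit pick the destination release that follows it within `window` and is no larger
    than the deposit. A matching nonce is dispositive; otherwise the amount must be within `max_fee_bps`
    of the deposit, and the earliest such release wins."""
    matches, unmatched, used = [], [], set()
    for s in sorted(src_events, key=lambda e: e.ts):
        candidates = []
        for d in dst_events:
            if d.tx_hash in used or d.amount > s.amount:
                continue
            lag = d.ts - s.ts
            if lag < timedelta(0) or lag > window:
                continue
            fee_bps = round((s.amount - d.amount) / s.amount * 10_000, 1)
            nonce_ok = s.nonce is not None and d.nonce == s.nonce
            if not nonce_ok and fee_bps > max_fee_bps:
                continue
            candidates.append((0 if nonce_ok else 1, lag, d, fee_bps, nonce_ok))
        if not candidates:
            unmatched.append(s.tx_hash)
            continue
        _, lag, d, fee_bps, nonce_ok = min(candidates, key=lambda c: (c[0], c[1]))
        used.add(d.tx_hash)
        matches.append({"src": s.tx_hash, "dst": d.tx_hash, "lag_seconds": int(lag.total_seconds()),
                        "fee_bps": fee_bps, "nonce_confirmed": nonce_ok,
                        "confidence": "high" if nonce_ok else "medium (time and amount only)"})
    return matches, unmatched


if __name__ == "__main__":
    found, missing = match_bridge_legs(SRC_DEPOSITS, DST_RELEASES)
    for m in found:
        print(m)
    print("unmatched deposits:", missing)
```

Two design points carry over to real casework: a nonce match is allowed to override the fee tolerance, because a flat bridge fee on a small deposit looks like a wildly out-of-band percentage (srcC above), and a release is consumed once it is matched, so a decoy with the right amount cannot be claimed twice. A deposit with no release inside the window stays unmatched rather than being forced onto the nearest candidate; that is the honest state of the evidence until the release appears.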
Building the criminal-complaint evidence package
The deliverable is a forensic report — the same kind we describe in blockchain forensic evidence in federal civil litigation — structured for a federal agent who will read it once. It contains the source-of-funds analysis, the chain of transactions from the exchange withdrawal to the off-ramp deposit, the timestamps cross-referenced to the carrier port-out timeline, the destination exchange's name and (if identifiable) the deposit address controlled by the attacker. The package is what gets attached to the IC3 complaint, the FBI field-office referral, and any subsequent Rule 45 subpoena to the off-ramp exchange. Our companion piece on subpoenaing crypto exchanges walks through how that subpoena process actually runs.
The Civil Case Against the Carrier
This is the section that has shifted the most in the last two years and is, in our view, the section where most SIM swap victims still leave money on the table. The civil case against the carrier is a real cause of action with real precedent and real settlements behind it. It is also the case that the on-chain forensic record is uniquely positioned to support.
The statutory hook: Section 222 of the Communications Act
Section 222 of the Communications Act of 1934, codified at 47 U.S.C. § 222, requires telecommunications carriers to protect Customer Proprietary Network Information: information about the quantity, technical configuration, type, destination, location, and amount of use of a customer's service, together with the related billing information, that the carrier holds by virtue of providing the service. The implementing regulations at 47 CFR Part 64, Subpart U impose specific authentication and notification requirements on carriers before they disclose CPNI or make changes to a customer's account. A port-out that hands a phone number to someone other than the account holder, executed without the authentication the regulations require, is on its face a Section 222 violation.
For a long time the contested question was whether a SIM swap victim could actually sue the carrier under it. Section 222 itself says nothing about remedies; the damages action comes from the Act's general remedy provisions (47 U.S.C. §§ 206 and 207), and carriers argued, with some success in the district courts, that a SIM swap was not the kind of CPNI disclosure those provisions reach and that the stolen cryptocurrency was not a recoverable consequence of one. Several district courts dismissed Section 222 claims on that basis.
The 9th Circuit reversal that changed the landscape
In October 2024 the Ninth Circuit decided Terpin v. AT&T Mobility, LLC, reversing in part the district court's judgment for AT&T on crypto investor Michael Terpin's claims over a 2018 SIM swap that cost him approximately $24 million in cryptocurrency. The panel held that Terpin's Section 222 claim, that AT&T disclosed his CPNI by handing control of his number to the attackers, could go forward, and remanded it for further proceedings. The opinion is publicly accessible on the Ninth Circuit's website and on CourtListener; readers should pull the actual decision rather than relying on summaries, including this one.
The practical effect of Terpin is to give SIM swap plaintiffs a federal statute they can sue under, in addition to whatever state-law negligence and consumer protection claims they were already pleading. The CPNI claim now anchors most well-pleaded SIM swap complaints, and the Ninth Circuit's reasoning has been cited in subsequent district court rulings allowing similar claims to proceed against T-Mobile and Verizon. Two years on, the practical bar to bringing one of these suits is much lower than it was in 2022.
Negligence and the carrier's own port-protection protocols
Section 222 is the statutory floor. The negligence theory is in some ways the more powerful argument because it turns on the carrier's own published procedures. Every major U.S. carrier publicly markets a "port protection" or "number lock" feature that customers can enable to prevent unauthorized port-outs. Internal procedure manuals (which become discoverable in litigation) typically require multiple authentication steps before any port-out is approved. When a port-out is executed without those steps, the carrier has breached its own duty of care — not some hypothetical duty invented by plaintiff's counsel, but the duty the carrier wrote down for itself and trained its employees on. Internal training materials, port-protection enrollment records, and call-center procedure documents are the spine of the negligence theory. They get subpoenaed; they get produced; they appear at trial.
State consumer protection statutes (California's Unfair Competition Law, New York's General Business Law § 349, Florida's FDUTPA, and analogous statutes in most other states) often add a third claim with statutory damages and fee-shifting. In states with strong UCL or analogous statutes, the consumer-protection claim is sometimes the most attractive vehicle for a settlement.
What the forensic report contributes to the civil case
This is the underexplained piece of the puzzle, and it is the reason a SIM swap victim should hire a forensic investigator early even if their attorney has not yet asked for one. Three things the on-chain trace does for the civil case:
- It establishes damages with precision the carrier cannot dispute. The exchange's records show what was withdrawn, at what dollar value, at what second. The on-chain transaction and its block timestamp confirm the transfer on a public ledger, to within the chain's block interval. The carrier's defense team cannot credibly argue uncertainty about the loss amount when the loss is documented on the exchange's ledger and on a public one.
- It anchors the proximate-cause argument. The carrier's port-out timestamp plus the on-chain withdrawal timestamp, lined up next to each other on a single exhibit, makes the causal chain undeniable. The minutes between port-out and drain are the carrier's own log proving that the breach of duty was the cause of the loss. Defense lawyers find that exhibit very hard to argue around.
- It preserves the parallel criminal-recovery option. A civil settlement against the carrier does not preclude continued forensic work toward identifying the actual thief. In some cases the carrier settlement and the criminal restitution stack — the victim recovers from the carrier and, separately, eventually receives a share of any recovery the federal case produces. For more on the broader civil-recovery framework, see our piece on can you sue a crypto scammer.
The single most powerful exhibit in a SIM swap negligence case is a two-column timeline. Left column: every entry from the carrier's port-out log, by timestamp. Right column: every on-chain transaction from the exchange withdrawal forward, by timestamp. When the port-out completes at 22:15:22 and the exchange withdrawal initiates at 22:19:47, the proximate-cause argument is no longer rhetorical: it is arithmetic. One discipline makes the exhibit survive cross-examination: every entry is converted to UTC and annotated with its source and original zone, because carrier logs usually carry the carrier's local time, exchange logs are usually UTC, and block timestamps are Unix epochs. A one-hour daylight-saving mistake is enough to reverse the order of the port-out and the drain on paper.
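The two-column exhibit described above, built in code. This is an added example, not the article's or any firm's tooling: it takes carrier entries carrying an explicit local offset, exchange entries in UTC, and block timestamps as Unix epochs, puts them on one UTC axis, and reports each event's offset from the port-out. All events, the "-05:00" carrier zone, the address and the epochs are constructed for illustration. It deliberately refuses a timestamp with no zone information, because a carrier export in bare local time has to have its zone (and daylight-saving status) resolved before it can go on the exhibit.

```python
"""Normalize carrier, exchange and on-chain timestamps onto one UTC axis and build the port-out vs. drain timeline."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Union


@dataclass(frozen=True)
class Event:
    event_id: str
    source: str                   # "carrier", "victim", "exchange", "chain"
    raw_ts: Union[str, int]       # exactly as it appears in the source record
    description: str


def to_utc(raw) -> datetime:
    """Accept ISO 8601 with an explicit offset or 'Z', or a Unix epoch; refuse anything zone-less."""
    if isinstance(raw, (int, float)):
        return datetime.fromtimestamp(raw, tz=timezone.utc)
    text = raw.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"          # fromisoformat accepts a bare 'Z' only from Python 3.11
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        raise ValueError(f"zone-less timestamp {raw!r}: resolve the source's local zone before adding it")
    return dt.astimezone(timezone.utc)


# Constructed, hypothetical records for one incident (not real logs). Carrier and victim records carry
# the carrier's local offset; exchange records are UTC; chain records are block timestamps (Unix epoch).
EVENTS = [
    Event("port_request",  "carrier",  "2026-03-14T17:11:05-05:00", "Port-out request received via chat channel"),
    Event("port_complete", "carrier",  "2026-03-14T17:15:22-05:00", "Port-out completed; number active on new eSIM"),
    Event("service_loss",  "victim",   "2026-03-14T17:16:40-05:00", "Victim's handset shows 'No service' (screenshot)"),
    Event("pw_reset",      "exchange", "2026-03-14T22:17:30Z",      "Exchange password reset requested (SMS code)"),
    Event("withdrawal",    "exchange", "2026-03-14T22:19:47Z",      "Withdrawal initiated: 250,000 USDT to 0xFRESH1"),
    Event("wd_onchain",    "chain",    1773526871,                  "Withdrawal tx confirmed on-chain (block timestamp)"),
    Event("bridge_dep",    "chain",    1773527050,                  "Bridge deposit ERC-20 USDT -> TRC-20 USDT"),
]


def build_timeline(events, anchor_id):
    """Rows sorted on the UTC axis, each with seconds elapsed since the anchor event (the port-out)."""
    rows = [{"event_id": e.event_id, "source": e.source, "utc": to_utc(e.raw_ts),
             "original": e.raw_ts, "description": e.description} for e in events]
    anchor = next(r["utc"] for r in rows if r["event_id"] == anchor_id)
    for r in rows:
        r["delta_s"] = int((r["utc"] - anchor).total_seconds())
    return sorted(rows, key=lambda r: r["utc"])


def render_two_column(rows):
    """Carrier and victim events in the left column, exchange and chain events in the right, one line each."""
    lines = []
    for r in rows:
        stamp = r["utc"].strftime("%Y-%m-%d %H:%M:%S UTC")
        cell = f"{stamp}  {r['description']}  (T{r['delta_s']:+d}s, source record: {r['original']})"
        left, right = (cell, "") if r["source"] in ("carrier", "victim") else ("", cell)
        lines.append(f"{left:<110}| {right}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_two_column(build_timeline(EVENTS, "port_complete")))
```

Each row keeps the source record's original value next to the UTC conversion, so opposing counsel can check the arithmetic line by line. The 265-second gap between the port-out completing and the withdrawal being initiated is the number the exhibit exists to show.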
What Evidence Wins Both Cases
The criminal complaint and the civil suit are different proceedings with different burdens of proof, but they share most of the same evidence. A complete file looks like this:
| Evidence | Purpose |
|---|---|
| Carrier port-out log | Establishes the exact timestamp of the unauthorized port and, ideally, the channel (in-store, chat, voice) and the agent ID who processed it. Subpoenaed from the carrier; sometimes produced voluntarily after a written demand. |
| Carrier authentication record | Documents what authentication was — or was not — performed before the port. Establishes the negligence claim. Internal procedure manuals get subpoenaed alongside. |
| Port-protection enrollment | If the victim had number lock or port protection enabled (and almost every plaintiff with a meaningful balance does), the enrollment record proves the carrier ignored its own protective feature. |
| Phone-service-loss timestamp | Screenshots from the victim's device, call logs from the family member they called from a borrowed phone, the timestamp the carrier's own systems show service ending. Anchors the timeline on the victim's side. |
| Exchange password-reset email | The reset notification from the exchange, with timestamp. Often the first written record of the breach from the breached account's side. |
| Exchange withdrawal records | Direct from the exchange — balance at moment of breach, withdrawal initiated, withdrawal completed, destination address. The dollar value at the moment of withdrawal is the damages number. |
| On-chain forensic report | The full trace from the exchange withdrawal address through every subsequent hop to the off-ramp deposit. Cross-references every on-chain timestamp to the carrier-side timeline. |
| FBI IC3 complaint number | Filed within days. Serves as the formal federal record of the loss and is required for many state-level victim-of-crime resources. Often referenced in the civil pleading. |
| State AG and FCC complaints | The FCC complaint creates a CPNI-specific paper trail at the agency that regulates the carrier. State AG complaints in active SIM-swap-enforcement states create a parallel pressure point. |
| Communication logs | Every call to the carrier's fraud department, every chat transcript, every email. These document what the victim did to mitigate and rebut any contributory-negligence defense. |
The forensic investigator builds the on-chain half of this file. The attorney builds the carrier-records half through subpoena. The two halves are stitched together at the timestamp level — that joined exhibit is the case.
Working With a SIM Swap Attorney
SIM swap litigation is a specialty practice now. A handful of firms have built sustained books of business handling these cases, including Greenberg Glusker (which represented Terpin), the Dilendorf Law Firm (a New York crypto-focused boutique), Silver Miller (Florida), Stark & Stark, and several others with growing dockets. The pattern with the strongest specialists is that they already understand the carrier-side discovery playbook, already have the procedural manuals from prior cases, and already know which carrier defense lawyers will negotiate at what threshold. Their starting position is meaningfully ahead of a generalist's.
The forensic investigator and the attorney divide the work like this in a well-coordinated case:
- Attorney: Drafts and serves the demand letter, drafts and files the complaint, handles the preservation letter and the discovery requests to the carrier, manages the relationship with the breached exchange's legal team, negotiates settlement.
- Forensic investigator: Builds the on-chain trace, produces the timestamped exhibit lining up the port-out against the drain, drafts the technical portion of the complaint, prepares the report that will go to IC3 and any subsequent federal subpoena, and stands ready to testify if the case goes to trial.
- Joint: The combined timeline exhibit. The damages calculation. The proximate-cause argument. The expert-disclosure for any contested technical fact.
The fee structure varies by firm. Some take SIM swap cases on contingency (30-40% is typical, sometimes higher when the case requires expert witness fees the firm fronts). Others bill hourly with a contingency cap. The forensic investigator bills separately, usually flat-fee for the trace and hourly for any expert-witness work. Our piece on what a crypto expert witness costs walks through the forensic-side fee dynamics in more detail.
One practical note: the statutes of limitations start running from the breach or from its discovery, depending on the claim and the state. Section 222 claims are often said to fall under the catchall federal four-year period in 28 U.S.C. § 1658, but 47 U.S.C. § 415 sets two-year periods for damages claims against carriers, and counsel should plan around the shorter period until they have confirmed which one applies. Most state-law tort claims have limitations periods of two or three years. Engaging counsel within the first ninety days is the standard advice. Engaging the forensic investigator should happen even sooner.
AI Voice Cloning Made SIM Swaps Easier in 2026
The threat-model shift that defines SIM swap in 2026 is the maturation of consumer voice cloning. Two years ago, cloning a voice well enough to fool a human listener took a few hundred dollars of compute and several minutes of source audio. Today the same quality is available for free, with thirty seconds of source audio, through any of a dozen public services. The implications for SIM swap are direct.
- Voiceprint authentication is bypassable. Carriers that introduced voice authentication in the late 2010s as a hardening measure now have to assume that any successfully matched voice could be a synthesis. Active liveness checks (asking the caller to read random text in real time, probing for spectral artifacts of TTS systems) raise the attacker's cost, but they are an arms race the synthesis side is winning. The durable fix is to stop treating a voice match as an authentication factor for port-outs and SIM changes at all and to require a possession factor instead: approval from the device already on the account, an account PIN the caller must supply, or an in-app confirmation. Those stronger checks are not yet universal.
- Knowledge-based questions are bypassable. A breached dataset answers most of the standard "what is your billing zip" / "what was the last call you made" questions. The combination — voice that matches plus answers that match — convinces a customer service representative that they are talking to the account holder.
- Phishing-to-port pipelines have shortened. The traditional pattern of (phish credentials) → (use credentials in carrier app) was already fast. With voice cloning added to the toolkit, even carriers that require a voice callback before approving a port can be defeated by an attacker who has captured any recording of the victim — a podcast appearance, a YouTube video, a public speech, a voicemail greeting.
For a meaningful crypto holder in 2026, the practical defense is a layered one: SMS-based 2FA disabled wherever possible in favor of authenticator apps and hardware keys; port protection (number lock) and an account PIN enabled on the carrier account; the phone number removed as a recovery method from every financial account and from the email account those accounts recover through; and, if some service insists on SMS recovery, a separate number (on a different carrier, or a locked eSIM) that is used for nothing else and is not publicly linked to you. Our knowledge-base piece on MFA for crypto accounts covers the full hardening stack, and our SIM swap protection page covers the carrier-side configuration. None of this fixes the problem after a SIM swap has happened, which is what the rest of this article is for, but it materially reduces the probability of being the next victim.
What to Do in the First 24 Hours
Speed matters in two specific ways. First, the exchange you were drained from may still have a window to flag the destination address or freeze related accounts on its platform. That window closes fast. Second, the carrier's internal logs may be retained on a rolling window — the longer you wait, the more risk that critical port-out records have rolled out of immediate retention and have to be pulled from archive.
- Get your number back. Walk into a carrier retail store with photo ID and have the eSIM reissued to your device. Insist on enabling port protection on the way out the door.
- Lock the email, then the exchange. The attacker's first reset is usually the email account, and every exchange reset flows through it, so recover the email account first: change its password, remove the phone number as a recovery option, switch 2FA to an authenticator app or hardware key, and sign out every other session. Then, from the recovered phone, log in to the exchange and disable all withdrawals, change all 2FA to an authenticator app or hardware key, change the email associated with the account if the attacker altered it, and contact the exchange's fraud team in writing requesting a hold on the destination address and an issuer freeze request if the funds left as USDT.
- Document the timeline. Write down, by timestamp, every event you can reconstruct: when service died, what you did when you noticed, every notification you received. Save every email and SMS that survives.
- File with IC3. The FBI's Internet Crime Complaint Center is the federal record of the loss. File within the first 24 hours if you can. Include the exchange, the destination wallet (if you know it), and the dollar value.
- File with the FCC. A CPNI complaint to the FCC creates a regulatory paper trail against the carrier. The FCC's consumer complaint center handles these.
- Send a litigation-hold letter to the carrier. Even before counsel is engaged, a written demand to preserve all records relating to your account and the port-out event prevents the carrier from claiming records were lost in routine retention cycling. A SIM swap attorney can send this same day.
- Engage a forensic investigator. Sooner is better. The on-chain trace gets harder (not impossible, but harder) as the funds sit longer and the attacker has more time to chain-jump.
- Engage counsel. A specialist firm. The civil case is real, the statute of limitations is finite, and the carrier's defense team is paid by the hour to make this slow.
Hit by a SIM swap? Build the dual case.
We produce the on-chain forensic report and the timestamped exhibit that lines up the carrier port-out against the wallet drain. That exhibit is what your SIM swap attorney needs. Free initial case review — tell us the carrier, the exchange, and the date.
Frequently Asked Questions
SIM swap is one of several high-impact crypto-theft archetypes where the forensic record and the legal record have to be built in parallel. For the broader civil-recovery framework, see can you sue a crypto scammer and blockchain forensic evidence in federal civil litigation. For the parallel exchange-takeover archetype where the breach starts at the exchange and not the carrier, see Coinbase account hacked. For the wallet-drain archetype where the breach starts at a malicious approval, see my MetaMask was drained. For the subpoena mechanics that turn an on-chain trace into an actual KYC identity, see subpoenaing crypto exchanges. For the broader category of post-incident legal moves, see our knowledge-base hub on legal actions after crypto theft.