19 Hours to Beat a SIM-Swap: A Recovery That Came Down to Speed
He thought his phone had simply lost signal. In fact, an attacker had ported his number, intercepted his SMS codes, and emptied his exchange account overnight. We started the trace the next morning — and the clock is the only reason this story ended well.
The attack
Nobody touched his devices. The attacker socially-engineered his mobile carrier into porting the number to a SIM they controlled, then triggered a password reset on his exchange account. The reset code arrived by SMS — to them. Within an hour his Bitcoin and Ethereum were gone.
Why speed won
We timestamped the three withdrawals and mapped their destinations immediately. Two of the three paths consolidated and deposited to a regulated exchange within 19 hours — narrow enough for a freeze to land. We packaged the on-chain trace and routed a law-enforcement request to the carrier for the port logs.
The outcome
81% returned. The one hop that reached a no-KYC swap in the first hour was lost; everything that touched a compliant venue was frozen and released after identity confirmation. A day later and the answer would have been very different.
Protect yourself first
Move high-value accounts off SMS two-factor and onto an authenticator app or hardware key. If your phone suddenly shows “No Service” for no reason, treat it as an attack in progress and call your carrier from another line.
Think your loss might be traceable?
Send us the platform, the transactions, and the timeline. We’ll tell you honestly whether a recovery path exists — no upfront fees, no guarantees we can’t keep.