SIM-Swap on KuCoin at 3AM: How We Saved $175,000 in 20 Hours
At 2:47 AM, an attacker ported our client's SIM card and attempted to access a KuCoin account with $175,000 inside. KuCoin locked the account — rightfully. But now the legitimate owner was locked out too. The attacker had the phone number. The clock was running. Here's exactly how we won.
At 2:47 AM our client received a carrier text: his SIM card had been successfully ported to a new device. He opened KuCoin. Account locked. $175,000 inside. He called us at 3:15. Over the next 20 hours we filed a Security Emergency Request with KuCoin, assembled a full proof-of-ownership package, guided the client through SIM recovery with his carrier, and escorted the exchange verification process in real time. By 6:30 PM the account was restored. The attacker had withdrawn nothing.
2:47 AM. The phone screen lights up in the dark.
A text from the carrier: "Your SIM card has been successfully ported to a new device."
He wasn't fully asleep. Or maybe the alert woke him. Either way, he knew immediately. You don't get that message at 3 AM unless something went very wrong. He opened KuCoin. Account locked.
$175,000 sitting inside. An attacker somewhere — holding his phone number, intercepting his SMS codes, probably already trying to figure out how to pass verification. And he had no idea how much time he had.
"It's 2:47 AM. I get a text from my carrier: 'Your SIM card has been successfully ported to a new device.' I wasn't fully awake, but I knew exactly what it meant. I opened KuCoin — account locked. $175,000 sitting there. First thing I did was call KarCrypto."
He called us at 3:15. That decision saved $175,000.
What a SIM-Swap Attack Is — and Why It's More Dangerous Than Phishing
A SIM-swap attack is when an attacker convinces your carrier to port your phone number to a new SIM they control. Once that happens, every call and text meant for you — including two-factor authentication codes — goes to them instead.
This is fundamentally different from phishing. The victim doesn't click anything. The victim doesn't enter a password anywhere. The attack happens entirely at the carrier level — through social engineering (convincing a rep the phone was "lost"), through a bought insider, or through vulnerabilities in number porting systems. You can do everything right and still be attacked.
Why SIM-swap is more dangerous than standard account hacking:
- SMS 2FA is the weakest link. Most exchange accounts rely on SMS codes as the second factor. After a successful SIM-swap, the attacker has access to all of them — every bank, every exchange, every account tied to that number.
- Speed of attack. From the moment the port completes to the first login attempt can be minutes. The victim has almost no time to react.
- It's targeted. SIM-swap is expensive to execute. Attackers don't do it at random. If it happened to you, someone knew you had a crypto account with a significant balance. That means a data leak somewhere in your history.
- Scale. The FBI recorded over 1,000 SIM-swap complaints in the US in 2023 alone, with losses exceeding $48 million. The actual number is significantly higher — most victims never report.
Unlike phishing, where the victim makes an error of judgment, SIM-swap victims are attacked through infrastructure they don't control and can't defend in the moment.
How KuCoin Responded — and Why That Was the Opening We Needed
When the attacker attempted to log in from a new device in an unfamiliar country, KuCoin's automated security system triggered. The account was locked. No access. No withdrawals.
That was the right call. But it created a race condition.
The lock protected the funds. But it also locked out the legitimate owner. The attacker had the phone number. If he could find another way to pass identity verification — or if we took too long — the window would close. We had to restore the real owner's access before the attacker found a workaround.
"KuCoin locking the account was actually the right move. But now I couldn't get in either. The attacker had my phone number. I had no idea how much time I had."
This is the exact window where professional emergency response matters. Not "we'll look at this tomorrow." Not "file a standard ticket and wait." Right now. In the middle of the night.
Timeline — 20 Hours
Client receives carrier notification. Opens KuCoin — account locked. $175,000 inside.
We take the case immediately. Log all details: attack time, amount, account status, carrier.
We guide the client through emergency SIM lock with his carrier while simultaneously building the evidence package for KuCoin Security. Historical IPs, login history, device fingerprints — all documented.
KuCoin Security Team receives our complete package: SIM-swap incident report, ownership proof, notarized identity documents, transaction history, and carrier confirmation of the SIM lock.
Security Team confirms receipt and opens an enhanced verification process. They request additional confirmation. We respond within minutes.
Account returned to the legitimate owner. Password reset. SMS 2FA replaced with hardware key. $175,000 intact. The attacker withdrew nothing.
From first call to full account control: 20 hours.
What We Did — Step by Step
Step 1: Security Emergency Request — not a standard ticket
Most users file a standard support ticket when something goes wrong. Standard support is processed by frontline agents following scripts. They can ask for documents, but they cannot authorize restoration of a locked account after a security incident. That decision sits with the Security Team — a different team with a different escalation path.
A properly filed Security Emergency Request bypasses the ticket queue. It routes directly to security specialists who operate 24/7 precisely for active attack scenarios. The difference in response time is not hours — it's days versus hours.
But the request has to be correct from the first submission. A vague "my account was hacked please help" goes nowhere fast. A structured incident report with attached evidence gets prioritized immediately.
Step 2: The ownership evidence package
When an exchange receives two competing claims on the same account — the legitimate owner and an attacker who now holds the phone number — it makes its decision based on the weight of evidence. Our job was to make that decision obvious.
What went into the evidence package:
- Complete history of login IP addresses — the attacker logged in from a new IP in a different country. Against the client's consistent geographic login history, this contrast was stark.
- 12 months of transaction history — patterns of behavior that are recognizable as a specific person's activity, not reproducible by someone with just a phone number
- Identity documents with notarized confirmation — matching the original KYC submission exactly
- Official carrier documentation confirming the SIM-swap incident and subsequent emergency SIM lock
- Timestamped chronology of the entire incident from the carrier notification to our submission
The attacker had the phone number. We had everything else — and that evidence gap was decisive.
Step 3: Parallel SIM recovery
While the KuCoin package was being prepared, we simultaneously walked the client through his carrier's emergency process for SIM lock and number recovery. This mattered for two reasons.
First, the attacker still held the number. Every minute they held it was a risk — not just for KuCoin, but for any other account tied to that number. Banks, email, other exchanges. The SIM needed to be locked immediately.
Second, carrier documentation confirming the SIM-swap was essential evidence for the KuCoin package. Getting this documentation quickly required knowing exactly what to request and how to phrase it.
Step 4: Real-time verification escort
Submitting the initial package was not the end of the work. KuCoin Security asked follow-up questions. Each one needed to be answered within minutes, not hours. Slow responses signal lower urgency and extend the timeline. We stayed available throughout the entire process.
By the time KuCoin's Security Team reached their decision point, every question they could have had was already answered. That's what compressed the timeline from what could have been three days to under 20 hours.
Account compromised right now?
24/7 emergency response. Every minute in a SIM-swap attack counts — contact us immediately.
The Result
At 6:30 PM — 20 hours after the attack began — KuCoin restored the account to its legitimate owner. Password reset and regenerated. SMS 2FA permanently disabled, replaced with a YubiKey hardware security key. The account carried an additional withdrawal restriction for the first 24 hours as a standard post-incident security measure.
"When they sent me new access credentials, the first thing I checked was the balance. All $175,000 still there. The attacker didn't make it."
The client immediately moved the funds to cold storage. We conducted an audit of all other accounts linked to the compromised phone number. Several required emergency 2FA changes.
What determined the outcome: he called us within 30 minutes of discovering the attack. That gave us a 20-hour window. Most cases with worse outcomes start with "I spent a few hours trying to handle it myself." Those hours are often the difference.
How to Protect Your Crypto Account from SIM-Swap
This attack is preventable. Not after the fact — before it. Most users don't take these steps until they've already been hit once.
Replace SMS 2FA with a hardware security key
A YubiKey or Google Titan Key is a physical device that cannot be intercepted by SIM porting. An attacker who acquires your phone number does not acquire your hardware key — because it's physically in your possession. This is the only 2FA method that is structurally immune to SIM-swap. Cost: $25–50. The math is obvious against $175,000.
If you're not ready to set up a hardware key today, switch at minimum to an authenticator app (Google Authenticator or Authy). It's meaningfully better than SMS, though not immune to device compromise.
Use a separate number exclusively for crypto
Keep a phone number — ideally a VoIP number or a SIM in a dedicated device — that is registered nowhere except your crypto exchanges. No social media. No marketplaces. No public services. It doesn't appear in any database an attacker could use to find and target it.
Set a SIM-lock PIN with your carrier
Most carriers allow you to set a PIN that must be provided before any SIM operation — porting the number, replacing the SIM, transferring to a new device. Call your carrier right now and set this up. Without the PIN, no employee can process a SIM operation, even under social engineering pressure.
Notify the exchange before any SIM change
If you're legitimately changing your phone number or SIM, notify KuCoin in advance. This allows the Security Team to flag the upcoming change as expected, significantly reducing the risk of your own legitimate new-device login triggering a protective lock.
What to Do in the First 15 Minutes if You're Under Attack
Emergency Checklist — SIM-Swap Attack
- Call your carrier immediately — demand an emergency SIM lock and freeze all operations on the number
- File a Security Emergency Request with the exchange — not a regular ticket, the emergency channel specifically
- Screenshot the carrier notification with timestamp — this is your primary piece of evidence
- Do not attempt repeated logins — multiple failed attempts can complicate the verification process
- Call specialists immediately — if significant funds are at stake, every minute of delay increases risk
- Check all accounts linked to the number — banks, email, other exchanges. All are at risk while the attacker holds the SIM
- Don't post publicly — attackers monitor victims' social media and adjust tactics in real time
The sooner you engage our emergency response service after discovering the attack, the better the odds of a full recovery. We operate 24/7 precisely because attacks don't wait for business hours.
If some funds were already withdrawn before the lock triggered, our exchange unfreeze process and on-chain tracing capabilities may still offer a recovery path. Every hour counts — stolen funds that haven't passed through a mixer are significantly easier to freeze.
Conclusion
SIM-swap is the rare crypto attack where the decisive factor isn't technical sophistication — it's speed. The attacker moved fast. We moved faster. That's the whole story.
Our client did one thing right in a moment of maximum stress: he called immediately, without wasting time on attempts he had no training to execute. Twenty hours later, every dollar was where it belonged.
If this is happening to you right now — stop reading and call. We'll take it from there.
Frequently Asked Questions
What should I do first in a SIM-swap attack on a crypto account?
How does KuCoin restore access to the legitimate owner?
Can the attacker withdraw funds while recovery is in progress?
How do I protect my KuCoin account from SIM-swap?
What if the attacker already withdrew some funds?
Under attack right now? Don't wait.
24/7 emergency response. We take active-attack cases immediately — every minute in a SIM-swap scenario matters. NDA signed before any case details are shared.