A Midnight Carrier Port-Out That Emptied an Exchange Account by Morning
A Birmingham pharmacist woke to a dead phone and an exchange account showing a zero balance. An attacker had ported her number, intercepted her reset codes, and withdrawn her holdings. Because she acted within hours, most of it was still recoverable.
- Vector: SIM-Swap Account Takeover
- Instrument: BTC + ETH (withdrawn from exchange)
- Reported loss: £88,500
- Case opened: March 2026
- Funds recovered: 68% (£60,200)
- Claimant: Pharmacist, Birmingham UK
Illustrative case study. The scenario is a dramatized composite of real recovery casework; the broker and client names are fictional. Figures show typical outcomes, not a guarantee of results.
01 How the takeover happened
The claimant did everything most people are told to do. Her exchange account used a password manager and SMS two-factor authentication. The weak link was the SMS itself. An attacker, using personal details likely bought from a prior data breach, contacted her mobile carrier and convinced them to port her number to a new SIM.
Once the number moved, every SMS code went to the attacker. They triggered a password reset on her email, then on her exchange, intercepting each one-time code. Within ninety minutes they had full control of an account holding roughly £88,500 in BTC and ETH.
02 Where the funds went
The attacker initiated two withdrawals — one in BTC, one in ETH — to fresh external wallets, then immediately began moving the BTC toward a swap service to convert it into a privacy coin. Speed was their whole strategy: get the assets off the exchange and through a converter before anyone noticed.
The claimant noticed her phone had no signal at around 6 a.m., realised what had happened by 7, and contacted us the same morning. That timing is the single most important fact in this case. The ETH withdrawal had confirmed but had not yet moved further; the BTC was mid-conversion.
I always thought a SIM swap was something that happened to crypto influencers, not to a pharmacist who just wanted a retirement pot. The clock was the only thing on my side.
03 How we recovered most of it
- 01 Locked the account first. We walked her through the exchange’s emergency account-freeze and got her carrier to reverse the port and restore the number under a port-freeze PIN.
- 02 Flagged the destination wallets. We identified both withdrawal addresses and the swap service the BTC was heading into, and submitted them to the exchange’s security team with timestamps while the funds were still in transit.
- 03 Caught the ETH before it laddered. The ETH had landed in a single external wallet and had not been split. The exchange, acting on our flagged report and her police crime reference, coordinated with the receiving platform to freeze it.
- 04 Chased the converting BTC. Part of the BTC had already cleared the swap into a privacy coin and was lost. The remainder, still queued, was held at the swap service after an abuse report.
- 05 Reconstructed for the bank and insurer. We packaged the full timeline for her crime report and an identity-theft insurance claim covering the unrecovered portion.
£60,200 of £88,500 returned — the un-laddered ETH and the queued BTC. The portion already converted to a privacy coin could not be recovered. Same-morning action made the difference.
04 Threat indicators
- A phone that suddenly loses all signal for no reason — the first sign of a port-out.
- SMS used as the only second factor on a high-value account.
- Password-reset and login emails you did not request, arriving in a burst.
- A carrier account with no port-freeze PIN or port-out protection enabled.
- Withdrawals to brand-new external addresses immediately followed by a swap to a privacy coin.
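The account-side indicators in this list (SMS as the only second factor, a password reset, withdrawals to brand-new external addresses) can be correlated into a withdrawal-hold rule. The sketch below is an added example, not part of the original case study or any exchange's actual logic; the event fields, address labels and the 24-hour hold window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events for one account (not real data).
EVENTS = [
    {"ts": "2026-03-10T01:05:00", "type": "password_reset", "channel": "sms"},
    {"ts": "2026-03-10T01:20:00", "type": "login", "new_device": True},
    {"ts": "2026-03-10T01:40:00", "type": "withdrawal", "asset": "BTC", "address": "addr-new-1"},
    {"ts": "2026-03-10T01:48:00", "type": "withdrawal", "asset": "ETH", "address": "addr-new-2"},
]
KNOWN_ADDRESSES = {"addr-old-1"}   # addresses this account has withdrawn to before
SECOND_FACTORS = {"sms"}           # second factors enrolled on the account
HOLD_WINDOW = timedelta(hours=24)  # assumed cooling-off period after a reset


def withdrawals_to_hold(events, known_addresses, second_factors, window=HOLD_WINDOW):
    """Return (asset, address, reasons) for withdrawals that should be held for review."""
    sms_only = set(second_factors) == {"sms"}
    known = set(known_addresses)
    last_reset = None
    held = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "password_reset":
            last_reset = ts
        elif ev["type"] == "withdrawal":
            reasons = []
            if ev["address"] not in known:
                reasons.append("new_address")
            if last_reset is not None and ts - last_reset <= window:
                reasons.append("recent_reset")
            if sms_only:
                reasons.append("sms_only_2fa")  # raises priority; not a trigger alone
            # Hold only when a never-seen address coincides with a recent reset.
            if "new_address" in reasons and "recent_reset" in reasons:
                held.append((ev["asset"], ev["address"], reasons))
            else:
                known.add(ev["address"])  # released withdrawals become known
    return held


if __name__ == "__main__":
    for asset, address, reasons in withdrawals_to_hold(EVENTS, KNOWN_ADDRESSES, SECOND_FACTORS):
        print(f"HOLD {asset} -> {address}: {', '.join(reasons)}")
```

A withdrawal to a previously used address, or to a new address with no recent reset, passes through unheld under this rule.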
Account taken over in the last 48 hours?
Speed decides these cases. If your funds were withdrawn recently, contact us now — assets still sitting on or near an exchange can often be frozen before they are converted.