Question 1

My phone went dead and now my accounts are gone. What is happening and what do I do first?

Accepted Answer

What is almost certainly happening is a SIM swap attack: a criminal social-engineered your wireless carrier (or paid an insider at the carrier) to transfer your phone number to a SIM card the criminal controls. Once the criminal owns your number, they own every account that uses SMS as a recovery factor or as a second factor of authentication: email, banking, brokerage, crypto exchanges, payment apps, and frequently the corporate single-sign-on you use at work. The first three actions matter enormously and are time-sensitive. First, call your carrier from a different phone immediately, identify yourself in person at a retail store if possible, and demand the line be returned to your control with a port-freeze and a porting PIN added to the account. Second, from any device you still control, change passwords on email first, then financial accounts, then crypto exchanges, and rotate every recovery email and recovery phone number to a new account the criminal does not know about. Third, file an FBI IC3 complaint and a complaint with the Federal Communications Commission and your state public utilities commission against the carrier. Then call us. The forensic window for recovering attribution evidence on the carrier-side compromise is short.

Question 2

How is a SIM swap attack recovery investigation different from a carrier complaint?

Accepted Answer

A carrier complaint is a customer-service ticket filed against the company that let the swap happen. A SIM swap attack recovery engagement produces the documented forensic record that turns that complaint into a viable claim and supports every other recovery pathway. We acquire the carrier's account-history records (CPNI, port logs, account-change logs), reconstruct the timeline of unauthorized account changes, identify the channel through which the swap was authorized (in-store insider, call-center social engineering, online portal compromise, account-takeover via stolen carrier credentials), correlate the swap timing with the downstream account takeovers (email, banking, brokerage, crypto), and produce a chain-of-custody package that supports civil litigation against the carrier under FCC Section 222 / 47 U.S.C. 222 and state-law negligence theories, FCC and state PUC formal complaints, IC3 and FBI Cyber Division referral, cyber insurance claims, and where crypto was stolen, evidence-package coordination with licensed asset-recovery partners.

Question 3

Can you actually help me recover stolen crypto from a SIM swap?

Accepted Answer

We help with the forensic and coordination side, not the direct recovery. Cryptocurrency stolen via SIM swap is typically moved through exchanges, mixers, and chain-hops within hours or days of the takeover. Recovery requires blockchain tracing (which we coordinate with specialist partners; we do not perform on-chain tracing in-house), exchange-level legal demands (which require licensed counsel or law-enforcement subpoena), and frequently international cooperation. What we deliver is the forensic case file: timeline of the SIM swap, account-takeover artifacts on every wallet and exchange account that was compromised, carrier-side evidence supporting civil action against the wireless provider, and IC3 and FBI Cyber Division referral package. We then coordinate the introduction to a licensed asset-recovery partner where one is appropriate. We do not promise crypto recovery and we do not take fees contingent on recovery; that structure is reserved for licensed asset-recovery counsel and we are not that.

Question 4

What about my email account, my banking, my work accounts? How bad is this and how long does cleanup take?

Accepted Answer

How bad it is depends on how long the criminal had control of your number before you noticed. A swap that lasted ninety minutes typically results in two or three primary account takeovers (most commonly the email account that anchors everything else, plus one or two financial accounts). A swap that lasted twelve hours typically results in cascading compromise across twenty or more accounts as the criminal works systematically through every service that uses SMS-based password reset. Cleanup is not a one-day job. We typically scope a SIM swap recovery as a 12 to 25 hour forensic engagement, structured across roughly two to four weeks: account-takeover triage in the first 48 hours, full timeline reconstruction in the first week, identity-hardening in the second week (rotating every recovery factor away from SMS, deploying hardware security keys on every account that supports them, locking carrier-side port-freezes and porting PINs in place), and the FCC/PUC carrier-grievance package and civil-action support documentation in the third week. The case range is typically $6,600 to $13,750 with a $5,500 starter retainer.

Question 5

Should I sue my wireless carrier for the SIM swap?

Accepted Answer

Talk to a plaintiffs attorney who handles telecommunications-fraud cases before answering that question. There is a body of case law (T-Mobile, AT&T, Verizon have all been sued repeatedly for SIM swap negligence) and the legal theories include FCC Section 222 / 47 U.S.C. 222 customer proprietary network information violations, state-law negligence and gross negligence, breach of contract against the carrier's customer agreement, and where the swap was facilitated by a corrupt insider, agency-theory claims that hold the carrier responsible for the insider's conduct. Whether a suit is viable in your case depends on the specific facts: how the swap was authorized, what the carrier knew or should have known, whether port-freeze or PIN protections were in place and bypassed, and the size of the loss relative to the cost of litigation. Our forensic report is the foundation of any such case. We do not provide legal advice and we do not represent clients in litigation; we produce the evidence and refer to plaintiffs counsel where appropriate.

Question 6

How much does a SIM swap attack recovery cost?

Accepted Answer

Typical engagements run 12 to 25 hours of forensic work, which at our hourly rate of $550 produces a case range of approximately $6,600 to $13,750. A starter retainer of $5,500 covers the initial intake, immediate identity-hardening triage, account-takeover timeline reconstruction, and the first round of carrier-grievance and IC3 filings. Where scope is well-bounded (single SIM swap event, no cascading account compromise beyond the obvious, complete evidence preserved), a fixed-fee engagement is available. Where the case expands (multi-month criminal persistence, multi-jurisdictional crypto theft, corporate single-sign-on compromise that bridges into a workplace cybersecurity incident), the engagement converts to hourly with milestone caps. Sliding-scale pricing is on the table on the first call for individuals who lost retirement, payroll, or operating funds and cannot fund a full engagement at headline rates.

Question 7

Can you actually identify the people behind the SIM swap?

Accepted Answer

Sometimes, and the attribution evidence on SIM swap cases is meaningfully better than on most other fraud verticals because the carrier-side records are subpoena-able and the criminal's downstream account activity (email logins, exchange logins, IP and device fingerprint logs) is often well-preserved on the platforms they touched. Mid-tier SIM swap operations operate inside the United States and reuse cashout infrastructure (specific exchanges, specific mule accounts, specific OTC desks) that creates attribution patterns. Identification of a specific named individual usually requires law-enforcement subpoena power; we produce the evidentiary package that the FBI Cyber Division, the Secret Service Electronic Crimes Task Force, and state attorneys general use to open or extend cases. Several high-profile SIM swap prosecutions in the last five years (REACT Task Force cases, the 2024 prosecution of the SIM-swap ring that targeted crypto holders in Florida and California) followed exactly this evidentiary pattern.

Question 8

How do I prevent this from happening again after the cleanup?

Accepted Answer

SIM swap protection is structural, not behavioral. The single highest-leverage change is moving every account that supports it off SMS-based authentication and onto either a hardware security key (YubiKey, Google Titan) or an app-based authenticator (Google Authenticator, Authy, 1Password) with the recovery factors rotated to a new email address that the criminal does not know about and that itself has hardware-key authentication. The second is locking the carrier account: port-freeze enabled, porting PIN set to a value not derivable from public information, account-PIN rotation, in-store-only authentication for any future account changes, and where supported, eSIM-only operation that prevents physical-SIM transfer entirely. The third is reducing the public attack surface: removing personal information from data brokers, scrubbing the phone number from social media and professional profiles, and reducing the number of services that have your number on file. We deliver this hardening as part of every SIM swap recovery engagement and it is the deliverable that prevents the second swap, which is otherwise statistically likely within twelve months of the first.

SIM Swap Attack Recovery
Telecom forensics. Identity hardening. Carrier accountability.

What this is

Who this is for

How the engagement works

What we will not do

SIM swap protection is structural, not behavioral

Related Witness services

A confidential, structured engagement.

Confidential Consultation

Scoped Engagement

Investigation and Findings

Quinnlan Varcoe

Frequently asked about SIM swap attack recovery

Schedule a confidential consultation

SIM Swap Attack RecoveryTelecom forensics. Identity hardening. Carrier accountability.