SMS Phishing & SIM Swapping Attacks: Million-Dollar Crypto Heist

Cybercriminals no longer need sophisticated zero-day exploits to steal millions—they just need your identity.

A recent case involving Tyler Robert Buchanan highlights how attackers combined SMS phishing (smishing), credential theft, and SIM swapping to compromise companies and drain virtual currency accounts.

The result?

👉 Over $1 million in stolen digital assets
👉 Dozens of compromised organizations
👉 Countless exposed identities and credentials

For security leaders, this attack chain underscores a critical shift: identity is now the primary attack surface.

In this article, you’ll learn:

• How SMS phishing and SIM swapping attacks work together
• The step-by-step attack lifecycle
• Real-world breach insights from this case
• Detection, prevention, and response strategies
• How to align defenses with modern security frameworks

---

What Are SMS Phishing and SIM Swapping Attacks?

SMS Phishing (Smishing)

Smishing is a social engineering attack where attackers send fraudulent text messages designed to trick users into:

• Clicking malicious links
• Entering credentials
• Sharing sensitive information

These messages often impersonate:

• IT departments
• HR systems
• Trusted vendors

---

SIM Swapping

SIM swapping is an account takeover technique where attackers:

1. Trick a mobile carrier
2. Transfer a victim’s phone number to a new SIM
3. Intercept calls and SMS messages

This allows attackers to bypass:

• SMS-based multi-factor authentication (MFA)
• Account recovery protections

---

How the Attack Worked: Step-by-Step Breakdown

1. Mass SMS Phishing Campaign

Attackers sent hundreds of messages to employees:

• Disguised as internal IT alerts
• Mimicking trusted service providers

---

2. Fake Login Portals

Victims were directed to:

• Cloned corporate login pages
• Credential harvesting sites

Captured data included:

• Usernames and passwords
• Personal and corporate information

---

3. Credential Aggregation

Stolen credentials were:

• Collected via phishing kits
• Shared through attacker-controlled channels (e.g., Telegram)

---

4. Corporate Network Intrusion

Using valid credentials, attackers:

• Accessed internal systems
• Extracted sensitive data:
  • Intellectual property
  • Employee records
  • Account access information

---

5. Target Identification

Attackers analyzed stolen data to identify:

• High-value individuals
• Cryptocurrency holders

---

6. SIM Swapping Execution

They then:

• Hijacked victims’ phone numbers
• Intercepted authentication codes

---

7. Account Takeover & Crypto Theft

With full access, attackers:

• Logged into crypto wallets
• Reset credentials
• Transferred digital assets

---

Why This Attack Is So Effective

1. Exploits Human Trust

Employees trust messages that appear internal.

---

2. Bypasses Traditional Security

• No malware required
• Uses legitimate credentials

---

3. Defeats Weak MFA

SMS-based MFA is vulnerable to SIM swapping.

---

4. Scales Easily

Smishing campaigns can target hundreds of users simultaneously.

---

Real-World Impact

According to investigators:

• At least $1 million in virtual currency stolen
• Multiple companies breached
• Sensitive corporate and personal data exposed

Devices linked to Tyler Robert Buchanan contained:

• Victim identities
• Cryptocurrency seed phrases
• Login credentials

This demonstrates a full-spectrum compromise:

👉 Corporate breach → Identity theft → Financial loss

---

Mapping to MITRE ATT&CK

This attack chain aligns with MITRE ATT&CK:

Tactic	Technique
Initial Access	Phishing (T1566)
Credential Access	Credential Harvesting
Persistence	Account Takeover
Defense Evasion	Valid Accounts
Impact	Financial Theft

---

Common Mistakes Organizations Make

❌ Relying on SMS-Based MFA

Easily bypassed via SIM swapping.

---

❌ Lack of Phishing Awareness Training

Employees remain the weakest link.

---

❌ Overprivileged Accounts

Compromised credentials grant excessive access.

---

❌ Poor Monitoring of Identity Activity

Unusual logins often go unnoticed.

---

Detection & Threat Hunting

Indicators of Compromise (IoCs)

• Multiple failed login attempts followed by success
• SIM change requests on employee accounts
• Logins from unusual locations or devices
• Sudden password reset activity

---

SOC Monitoring Strategies

• Correlate:
  • Authentication logs
  • Telecom activity
• Monitor:
  • Identity and access patterns
  • Privileged account usage

---

Mitigation & Defense Strategies

1. Replace SMS-Based MFA

Adopt:

• Authenticator apps
• Hardware security keys
• Phishing-resistant MFA (FIDO2)

---

2. Implement Zero Trust Architecture

• Continuous authentication
• Device and identity verification
• Least privilege access

---

3. Strengthen Phishing Defenses

• Secure email and SMS gateways
• User awareness training
• Simulated phishing exercises

---

4. Monitor Identity Behavior

Use:

• Identity Threat Detection & Response (ITDR)
• Behavioral analytics

---

5. Secure Telecom Channels

Work with carriers to:

• Enable SIM swap protections
• Require strong identity verification

---

6. Protect High-Value Accounts

• Enforce stricter controls for executives
• Monitor cryptocurrency-related activity

---

Compliance & Regulatory Relevance

NIST Guidelines

Aligned with NIST:

• IA-2: Multi-factor authentication
• AC-2: Account management
• SI-4: System monitoring

---

ISO 27001 Controls

• A.9.4.2 – Secure log-on procedures
• A.12.4.1 – Event logging
• A.16.1.1 – Incident management

---

Best Practices for Long-Term Security

• Eliminate reliance on SMS authentication
• Regularly audit identity access controls
• Segment sensitive data and systems
• Implement continuous monitoring
• Educate users on social engineering tactics

---

Expert Insight: Risk Analysis

Likelihood: High
Impact: Critical

Why?

• Human-centric attack vector
• Easy to execute at scale
• High financial payoff

Business Impact

• Financial losses
• Data breaches
• Regulatory penalties
• Reputational damage

---

FAQs

What is SMS phishing (smishing)?

A social engineering attack using text messages to steal credentials or sensitive data.

---

How does SIM swapping bypass MFA?

By transferring a victim’s phone number, attackers intercept authentication codes.

---

Why is SMS MFA insecure?

It relies on telecom infrastructure, which can be socially engineered.

---

Who is most at risk?

Employees, executives, and individuals with cryptocurrency holdings.

---

How can organizations prevent these attacks?

• Use phishing-resistant MFA
• Monitor identity activity
• Train employees regularly

---

Conclusion

This case is a powerful reminder:

👉 Cyberattacks are no longer just technical—they are psychological and identity-driven.

Organizations must:

• Rethink authentication strategies
• Strengthen identity security
• Move toward Zero Trust models

Next Step:
Assess your organization’s reliance on SMS-based authentication and transition to stronger, phishing-resistant methods today.