Case File · GEI-2026-0418 · SIM-swap account takeover

A Ported Number, a Drained Exchange: Tracing a SIM-Swap Takeover

A single unauthorised carrier port handed an attacker every code that stood between a Tampa business owner and her exchange balance. By the time her phone went dark, BTC and USDT were already moving. This is how the file was worked.

Vector: SIM-swap / carrier port-out
Instrument: Exchange account + linked hot wallet
Reported loss: $118,700 (BTC, USDT)
File opened: 18 April 2026
Funds recovered: 47%
Claimant: Small-business owner, Tampa, FL
About this case file. This is an illustrative, dramatized composite based on patterns GEInvestigator works in the field. Names of firms, platforms, and people are fictional and any resemblance to a real entity is coincidental. Figures and outcomes are representative; recovery is never guaranteed and depends on the facts of each case.

Intake: How the subject made contact

Her phone dropped to “SOS only” on a Tuesday afternoon — no local outage, no warning. Within minutes an attacker had completed an unauthorised port of her mobile number to a new SIM, social-engineered through the carrier’s support line using personal details harvested earlier.

With the number in hand, every SMS one-time code now landed on the attacker’s device. The exchange password reset, the email recovery code, the withdrawal confirmation — all of it routed away from her before she understood her phone had stopped working.

Point of compromise: Where control was lost

The attacker reset the exchange password, disabled login alerts, and authorised withdrawals to a staging wallet. From there the funds split: one tranche to a custodial deposit address, a second peeled toward a mixer within the first hour.

By the time she reached the carrier from a borrowed phone and had the number restored, ninety-two minutes had passed and the balance was gone. The takeover never touched her seed phrase — it didn’t need to.

“I did everything right except one thing I never knew was a weakness — my phone number. In ninety minutes it was all gone.”
Field interview · Case GEI-2026-0418

Evidence chain: How the recovery was built

EX-01

Secured the carrier record

Pulled the port-out timestamp and requesting device from the carrier under the claimant’s fraud affidavit, fixing the takeover to a precise 92-minute window.

EX-02

Reconstructed the withdrawal ledger

Mapped the exchange withdrawals to two destination clusters — one custodial deposit address, one peel toward a mixer.

EX-03

Filed the exchange freeze

Submitted the trace and affidavit to the receiving exchange’s compliance desk; the custodial leg was frozen before it could cash out.

EX-04

Preserved the law-enforcement chain

Packaged the port-out evidence for the police report and FCC complaint so the recovered share could be released cleanly.

EX-05

Settled the recoverable share

The frozen custodial balance was returned to the claimant after KYC matching; the mixer leg was documented as traced-but-unrecoverable.

Disposition: What came back

47%
Funds returned to claimant

Of $118,700 reported, $55,800 was returned from the frozen exchange leg. The portion peeled into a mixer within the first hour could be traced but not recovered — an honest ceiling we set expectations around from day one.

Indicators: Fraud signals on this file

  • Your phone suddenly loses signal or shows “SOS only” with no outage in your area.
  • Password-reset texts you didn’t request, for the exchange or the email behind it.
  • An account holding real value protected only by SMS two-factor authentication.
  • Security-alert emails that arrive and are then deleted from your own inbox.
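
A defender-side check for the sequence in this file, added here as an example and not part of the original case file: it flags a password reset, alerts being disabled and withdrawals that fall inside the window after a number change. Event names, the record layout, timestamps and the per-withdrawal amounts are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: event names, layout, times and the split of the
# withdrawal amounts are illustrative assumptions, not case records.
PORT_OUT = datetime(2026, 4, 14, 14, 0)   # carrier port-out time (constructed)
WINDOW = timedelta(minutes=92)            # takeover window stated in the file

EVENTS = [  # (timestamp, event type, destination, USD value)
    ("2026-04-14T09:12", "login", None, 0),
    ("2026-04-14T14:06", "password_reset", None, 0),
    ("2026-04-14T14:09", "alerts_disabled", None, 0),
    ("2026-04-14T14:15", "withdrawal", "staging-wallet", 70000),
    ("2026-04-14T14:31", "withdrawal", "staging-wallet", 48700),
    ("2026-04-14T16:40", "login", None, 0),
]

# Order of account actions described under "Point of compromise".
CHAIN = ("password_reset", "alerts_disabled", "withdrawal")


def review_window(events, port_out, window):
    """Return (hits, full_chain, usd_at_risk) for the post-port-out window.

    hits        sensitive events inside [port_out, port_out + window]
    full_chain  True if reset -> alerts off -> withdrawal occur in that order
    usd_at_risk total value of withdrawals inside the window
    """
    end = port_out + window
    hits = []
    for ts, kind, dest, usd in events:
        when = datetime.fromisoformat(ts)
        if port_out <= when <= end and kind in CHAIN:
            hits.append((when, kind, dest, usd))
    hits.sort(key=lambda h: h[0])

    # Subsequence test: each step must appear after the previous one.
    kinds = iter(h[1] for h in hits)
    full_chain = all(step in kinds for step in CHAIN)
    usd_at_risk = sum(h[3] for h in hits if h[1] == "withdrawal")
    return hits, full_chain, usd_at_risk


if __name__ == "__main__":
    hits, full_chain, usd = review_window(EVENTS, PORT_OUT, WINDOW)
    for when, kind, dest, amount in hits:
        print(when.isoformat(), kind, dest or "-", amount)
    print("hold withdrawals for review:", full_chain, "| USD at risk:", usd)
```

An exchange or wallet operator could run the same comparison against a SIM-change or number-change signal and hold withdrawals when the full chain appears.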
