SIM-safe account recovery: stop SIM swaps turning a leaked number into a crypto takeover

A leaked phone number itself won’t steal crypto, but it often enables account takeovers by weakening recovery paths. Most SIM-swap losses follow a recovery chain: number compromise → email reset via SMS → exchange account takeover → withdrawals. The article outlines a SIM-safe recovery strategy that treats the phone number as already compromised and makes it insufficient for account recovery.

Key steps:

1) Remove SMS from email recovery: prefer passkeys, hardware security keys, and offline recovery codes.
2) Use phishing-resistant MFA for high-value accounts: passkeys and security keys first, TOTP apps only as fallback.
3) Harden carrier-level controls: add carrier PINs, enable port-out protection or number locks, require in-person verification when possible.
4) Ensure exchanges don’t rely on phone-based recovery: enable withdrawal allowlists, withdrawal delays, and require security keys.
5) Prepare a leaked-number response plan: freeze carrier changes, reset email from a clean device, revoke sessions and rotate API keys.
6) Reduce device and app attack surface: keep OS updated, use strong SIM PINs, limit app permissions and use an isolated crypto admin environment.

Common mistakes include keeping SMS on email recovery, using a single security key without backups, storing recovery codes in the protected inbox, and weak carrier verification. The recommended checklist summarizes controls across email, exchanges, carrier and devices. The aim is to break the recovery chain so a leaked number cannot be used alone to regain access or withdraw funds.
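The recovery chain described above can be audited mechanically. The following Python sketch is an added example, not part of the original article: it models each account's login and recovery routes and computes what someone holding only SMS control of the number can reach. The account names, factor labels and both inventories are constructed assumptions.

```python
# Constructed inventories: account names and factor labels are illustrative only.
# "paths": each set is one login/recovery route; every factor in it is required.
# "holds": what access to the account yields (e.g. codes stored in the inbox).
WEAK = {
    "email": {
        "paths": [{"password", "security_key"}, {"sms"}],  # SMS reset still enabled
        "holds": {"exchange_recovery_codes"},              # codes kept in the inbox
    },
    "exchange": {
        "paths": [{"password", "totp"}, {"access:email", "sms"}],
        "holds": {"withdrawals"},
    },
}
HARDENED = {
    "email": {
        "paths": [{"passkey"}, {"security_key"}, {"offline_recovery_codes"}],
        "holds": set(),
    },
    "exchange": {
        "paths": [{"password", "security_key"}],
        "holds": {"withdrawals"},
    },
}


def takeover_chain(accounts, attacker_has=("sms",)):
    """Fixed-point search: return (chain, held) reachable from the starting factors."""
    held, chain, done = set(attacker_has), [], set()
    progressed = True
    while progressed:
        progressed = False
        for name, acct in accounts.items():
            if name in done:
                continue
            # First route whose required factors are all already held.
            route = next((p for p in acct["paths"] if p <= held), None)
            if route is not None:
                chain.append((name, sorted(route)))
                held |= {f"access:{name}"} | acct["holds"]
                done.add(name)
                progressed = True
    return chain, held


if __name__ == "__main__":
    for label, inv in (("weak", WEAK), ("hardened", HARDENED)):
        chain, held = takeover_chain(inv)
        print(label, "-> withdrawals reachable:", "withdrawals" in held)
        for name, route in chain:
            print(f"  {name} falls via {route}")
```

Any inventory where `withdrawals` ends up in the held set still has a route that the phone number alone can open, and the returned chain shows which recovery route to remove first.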
Neutral
This article is a security best-practices guide rather than market-moving news. It reduces systemic risk for individual holders by describing steps to prevent SIM-swap takeovers, which can indirectly lower the frequency and severity of account-level losses. For traders, the direct market impact is limited: it does not change fundamentals, liquidity, or on-chain activity in an immediate, measurable way. In the short term, adoption of these controls may slightly reduce panic selling after individual breaches and marginally lower exploit-driven sell pressure. In the long term, widespread uptake of passkeys and hardware security keys could reduce successful custodial takeovers and therefore reduce a category of sudden sell-offs tied to account compromises — a modest stabilizing effect. Historical parallels: after major custodial abuses or large phishing waves, improved security practices and platform hardening reduced repeat incidents over months, lowering episodic volatility caused by hacks. Overall, the piece is neutral for market direction but constructive for risk management and market stability.