Is a $30 Million BCH SIM Swap Hack Possible in a Non-custodial Wallet?

Peculiar $30 Million BCH SIM SWAP Hack

There has been a rumor floating around of an alleged SIM swap hack incident where a Chinese whale purportedly lost around $30 Million worth of BCH. The rumor stems from a now-deleted Reddit post of the supposed victim asking miners for help to recover access to his BCH. The victims added that he still has his private key and will be rewarding miners who will be able to help him. This SIM swap hack incident is nothing new, there have been several victims of SIM hacks in the past resulting in multimillion losses but this recent one is quite unique as the victim clearly states that he has still access to his private keys meaning he was hacked from a non-custodial wallet.

SIM swap hack

To understand the incident clearly, I will explain what is a SIM swap hack and how it is executed. Basically, a SIM swap hack is a situation where a hacker was able to gain access to private and secure information intended for the victim. They do this by convincing mobile service providers to activate your phone number on another device. It seems that convincing mobile carriers to authorize such changes is not that hard to do, so long as the hacker can present information that would prove that they are what they say they are, customer representatives are more than willing to make the changes.

Why hackers are interested in SMS messages

Now some of you might be asking why would hackers go through all the trouble of a SIM swap hack if they have all the necessary information they need to get access in a victim’s secure network. The simple answer to this is the fact that SMS has become the second layer of security of choice by many applications when users enable second-factor authentication 2FA. This takes on the form of One-time Passwords (OTPs). A successful SIM SWAP would mean that the second layer of protection has been compromised leaving all applications that use this unprotected.

SMS 2FA

Despite previous incidents of SIM swapping hacks, SMS is still one of the primary choices of many applications such as digital wallets, bank apps, centralized cryptocurrency exchanges and many more. In reality, SMS 2FA gives users a false sense of security as they rely too much on a third party for their security. In this case, SMS 2FA is only secure if the users are the only ones that have access to it. Since the SMS 2FA goes through the carrier’s network it is always at risk from internal and external risks, from bad actors within the network to hackers that utilize vulnerabilities in the SMS protocol such as the SIMJacker vulnerability.

Securing our SIM

The only way to secure our SIM is by not allowing hackers to get sensitive information online. Hence extra care should be taken when dealing with unfamiliar sites that require you to undergo KYC or upload personal information. One should always double-check the URL link to ensure that it is the site you intend to enter or log in. It is highly recommended to activate anti-phishing features if the option is open. In addition, be aware that hackers utilize several social engineering techniques to get sensitive information. Remember, customer representatives will almost never contact you first nor ask for more information than necessary.

Non-custodial wallets or accounts

Non-custodial wallets allow each user to create their own private keys (PK) using offline cryptographic wallet tools. While the tools are created by other developers only the user who generated the keys are able to access them. The only way for other people can have access to the private key is if the owner shares it with them. Most of the time users secure their PK by writing them down on a piece of paper and physically storing them in a secure location such as vaults or safety deposit boxes. Some store them in specialized USB keys that have enhanced security features and others use hardware wallets.

Non-custodial wallet SIM swap hack

The person who allegedly had his BCH stolen claims to have been a victim of a SIM swap hack but also claims he still has the private keys of the wallet that has been hacked. This has left some of the people in the crypto community scratching their heads as it seems to suggest that he had his non-custodial wallet compromised via a SIM swap. The hack would have made total sense if the wallet came from a centralized exchange or a custody wallet service provider since most of them use SMS 2FA to secure their wallets. But since the victim has access to his private keys we can only conclude it was indeed a non-custodial wallet.

Non-custodial wallets and trading still the best in security

There has never been any incident where non-custodial wallets were ever involved in any type of security flaw or weakness in the past. If the alleged SIM swap hack were true, the hack would be a result of the owner’s oversight for not securing his private keys well enough or inviting trouble by having it accessible using online or through his SIM. Wallets that are custodial in nature will never reach the same level of security as non-custodial wallets. I believe that the highest and most optimal security can only be achieved by giving users absolute and total control of their own assets which is the case in non-custodial wallets.

SIM Swap Hack Possible in a Non-custodial Wallet?

Given the right conditions, this is possible but is highly unlikely. The wallet owner of the non-custodial wallet would have ignored all reminders to keep the private keys offline and safe from the prying eyes of hackers and would have acted extremely irresponsible for having it accessible in an insecure network like the SMS. The rumor that circulated is likely to be just that, a rumor, but has opened up some interesting questions on the possibility of a non-custodial wallet to be hacked using this attack vector.

Blockchain/crypto enthusiast from the Philippines.