FCC Robocall Rule Could Expose Crypto Accounts to SIM-Swap Attacks
On May 26, the FCC published a draft rule under CG Docket Nos. 17‑59 and 02‑278 that would compel voice service providers to collect a host of identifiers—names, physical addresses, government‑issued ID numbers, alternate phone numbers, and supporting verification records—before a line can be activated. The data would be retained for four years after service termination, and carriers would face a $2,500 base forfeiture for each call that breaches the new know-your-customer (KYC) requirements.
The agency justifies the move by citing the billions of dollars Americans lose to illegal robocalls. By making carriers the first line of defense, the FCC hopes to intercept fraudulent traffic before it reaches the wider network.
For cryptocurrency holders, the proposal raises a secondary concern the FCC does not address. Phone numbers already serve as the linchpin for exchange onboarding, email and account recovery, SMS‑based two‑factor authentication, fintech app verification, and customer‑support confirmation. If carriers now hold a richer set of identity data tied to a number, that number becomes a more valuable target for attackers.
SIM‑swap attacks—where a fraudster hijacks a victim’s number to intercept authentication codes—have become a common vector for crypto theft. In September 2025, the Department of Justice filed a civil forfeiture action against more than $5 million in Bitcoin that had been stolen through a SIM‑swap scheme, describing the method as an account‑takeover technique that lets attackers move from a phone number to email, exchange, and fintech accounts.
The FBI’s Internet Crime Complaint Center (IC3) recorded 1,611 SIM‑swap complaints in 2021 alone, with adjusted losses exceeding $68 million—up from 320 complaints and roughly $12 million in losses over the preceding three years. The spike underscores how a compromised phone number can lead to instant, irreversible crypto loss.
A high‑profile example came in January 2024 when an unauthorized party gained control of the phone number linked to the U.S. Securities and Exchange Commission’s X account. The attacker reset the account password and posted a false announcement claiming the SEC had approved a spot Bitcoin exchange‑traded fund. The SEC later corrected the misinformation.
The FCC’s proposal asks whether the expanded KYC requirements would apply only to high‑volume commercial originators or also to retail and prepaid customers. The outcome will shape how much personal data is tied to a phone number.
If the rule is limited to commercial originators, retail phone accounts would remain outside the expanded data collection, keeping the current level of anonymity for most consumers. However, if the rule covers all new and renewing customers—including prepaid SIM cards sold through third‑party vendors—then phone numbers would become tightly linked to physical addresses, government ID numbers, and four years of service history. Such a database would provide attackers with a rich set of impersonation material, increasing the risk of SIM‑swap, account‑recovery abuse, and even physical targeting.
Security researcher Jameson Lopp has argued that a KYC‑free phone service can serve as a personal security measure for individuals suspected of holding large Bitcoin positions. Linking a phone number to an identity trail, he says, raises exposure to extortion, swatting, and other “meatspace” attacks.
The FCC is still soliciting comments on the proposal, with the comment period closing on June 25. The agency has asked stakeholders to weigh the privacy risks of collecting more personally identifiable information and whether existing industry protections are sufficient.
Crypto holders should monitor the FCC’s final rule. A narrow rule that applies only to commercial originators would limit the immediate impact on most users, while a broader rule could transform the phone layer into a new attack surface for SIM‑swap and account‑recovery fraud. Until the FCC releases its final decision, the crypto community remains in a state of uncertainty regarding the future security of phone‑based authentication.