Back in February I was the victim of a hacking attempt from a known hacker who targets public cryptocurrency holders. The past few days have been difficult, spending countless sleepless hours vigilantly changing passwords and getting my accounts and life locked down. It’s been a miserable experience, and one that I would not wish on my worst enemy (although I don’t have enemies).

Here’s what happened. I glanced down at my phone and noticed that it had no service. Strange, but not uncommon. I immediately started receiving emails about change password requests – email accounts, crypto exchanges etc. Warning. A hacker had called my phone carrier, convinced them (or paid them?) that they were me and swapped my sim into their own phone. This should be impossible, but clearly we cannot trust the phone companies to protect us. At that point, they had access to my phone number, texts and calls. This would allow them access to my 2 factor authorization if I was using SMS Authentication (I was not).

Presumably they had hacked me in advance, or gotten all of the information they needed to pretend to be me and to prepare to immediately start attempting to access my accounts. Scary.

They first thing they did was to hack my email provider and change the mx records on my main email account so that they would receive my emails instead of me. This way, they could start sending password resets and I would not know about it. Luckily I saw the first few come through before he deleted them. They would also, theoretically, have access to the texts coming for 2FA to confirm my identity. As of now, this did not work. Why?

Because I have all of my 2FA on a separate, offline device. This is the SINGLE thing that largely saved me from the most damage. Even with my logins and passwords, they were unable to access my 2FA (thus far, as I do not feel like I am in the clear). This gave me enough time to contact my banks, credit cards, crypto exchanges etc. and have my accounts locked. Key point – never use SMS verification as a part of your 2FA – they are counting on this vulnerability in a SIM-Swap attack. 2FA is a double edged sword – it offers protection when used correctly (on a separate device), but allows easy access to everything if it is simply a text message to your phone – because the hacker will be receiving your texts and calls.

Below is a definitive guide to SIM-Swapping. It is thorough, terrifying, but necessary. Read it, read it again, read it again. Slowly go through all of the steps to protect yourself. It will take time.

The SIM Swapping Bible: What To Do When SIM-Swapping Happens To You

The silver lining of this experience is that it has forced me to reevaluate everything with regards to cyber security in general. Let’s just say that the hackers lit a serious fire under my ass.

The article above is very detailed and tells you everything you need. Here are a few ideas that you can do RIGHT NOW to help avoid this problem.

  1. Call your phone company and tell them to put a sim lock on your phone. Ask what advanced options they offer for protecting your account. Push hard. Request that they never change anything on your account without you walking into a specific store location, near your home and showing ID. Be relentless, threaten to take your business elsewhere. There’s always another security precaution they can take on your behalf.
  2. Leave your phone company altogether if you are in the United States. They cannot really protect you. Join Efani.
  3. Make sure you have a separate email account and password (preferably encrypted email like protonmail) for every exchange. Have 2FA using an authenticator (google authenticator, authy, although AUTHY CAN BE HACKED etc) on a separate, offline device. NOT ON YOUR PRESENT PHONE. The minute they swap your sim card, everything on your present phone becomes a liability.
  4. Get a Yubi key or another hardware 2FA device. Then nobody can access your accounts unless they are physically sitting at your computer. Get a separate one for each computer you use, and another that you have to put in for withdrawals.
  5. Put 2FA on EVERYTHING. Facebook. Instagram. Twitter. Bank Accounts. EVERYTHING. Do NOT use SMS Authentication – do it on your separate device with an authenticator.
  6. If you trade on your mobile, consider getting a separate phone altogether who’s number you never share just for trading. This one is supposed to be awesome. You can use GoogleFi sim cards to constantly change numbers if you are really serious.
  7. If you do not have a separate phone, you can get a google phone number and use that everywhere that requires a phone number. That way if you are hacked the 2FA codes go to your secret google number. This number MUST REMAIN SECRET.
  8. Start changing passwords now – this is something you should do often. Make them unique – never use the same password for ANYTHING.
  9. Generally get away from using Gmail, Yahoo mail etc. Easy to hack. I cannot stress enough – encrypted email services with 2FA on a separate device.
  10. STOP USING CHROME! It’s a piece of shit browser made by a company that is mining your data for profit. The vulnerabilities are astounding.Use Firefox, Brave or another secure option.
  11. Get a virus program for your computer, like Bitdefender. This has nothing to do with a sim swap, but it can still save your ass from viruses and phishing. Malware on your computer is an advanced way of getting the information the hacker needs before the sim swap. Remember, they knew exactly where to go the second they had control of my phone. This is a layer of protection, but not even enough.
  12. Stop sharing everything online. I am extremely guilty of this, and for me it is very hard to put the cat back in the bag since I have been a public figure in the music world for decades. Look for anywhere your phone number, address and email address are available and delete them.
  13. REMOVE YOUR PHONE NUMBER FROM CRYPTO EXCHANGES.    Even if you set up 2FA with an authenticator, they usually have your phone number stored from your first authentication. BAD. Once your 2FA is set on an authenticator, go back and DELETE YOUR NUMBERSecure your Telegram – instructions are in the article, but Telegram is tied to your phone number. Bad.

Get your crypto off of exchanges and into cold storage. So simple, yet most do not do it.

This is really JUST THE BEGINNING. I know it’s annoying, frustrating, it “won’t happen to you” and none of this is “really necessary,” but I highly suggest going through the article above and doing as many of the things possible. It’s your life – don’t let someone else steal it