Over the past 48 hours, a low-fidelity report surfaced: Iran is exploiting mobile network flaws to track US military assets in the Middle East. The mechanism? SS7 – a decades-old signaling protocol that telecom carriers trust implicitly. The same protocol underpins SMS-based two-factor authentication for your exchange account, your wallet recovery, your validator node's emergency key reset.
Same flaw. Different target. A state actor weaponizes cellular trust assumptions to geolocate a fleet. A script kiddie weaponizes them to drain a hot wallet. The infrastructure doesn't care about the payload.
Context: The Protocol That Never Dies
SS7 (Signaling System No. 7) was designed in the 1970s. Its core assumption: every carrier on the network is a trusted peer. There is no authentication layer for signaling messages. A carrier in one country can send a legitimate-looking query to another carrier's database, asking for the current location of a subscriber or for the ability to forward that subscriber's calls and texts.
This trust model is a feature for global roaming. It is a crippling vulnerability for security.
When a mobile phone attaches to a network, its IMSI (International Mobile Subscriber Identity) is broadcast. An attacker with access to an SS7 gateway can send a 'Provide Subscriber Location' request and get back the cell tower coordinates where the phone is currently registered. They can also send a 'Insert Subscriber Data' message to forward all incoming SMS to their own number.
Iran's reported use case: locate US military personnel carrying personal phones in the Gulf region. The military uses encrypted comms for operational chatter, but soldiers carry personal devices for morale, apps, banking. Those devices ping commercial towers. The towers answer to SS7.

In crypto, the attack surface is identical. The SIM swap that cost one CEO $24 million in 2018 started with a bribe to a carrier employee – but the technical bypass is pure SS7. Forward the target's SMS to a burner phone. Reset password on Coinbase. Dump wallet keys. Move funds.
The Iran story confirms that this is not just petty crime. It's a state-level reconnaissance capability. And if a state can track a carrier battle group, they can certainly track a DeFi founder with a mobile wallet.
Core: Code Does Not Run on a Vacuum
Let's dissect the technical chain for a crypto asset.
- SMS-Based 2FA: Most exchanges still allow SMS as a second factor. The security model assumes that the SMS channel is private. It is not. SS7 allows any carrier with a signaling connection to intercept that SMS. The text with the six-digit code is forwarded to the attacker's device before it reaches the user. The attacker now has the token. One more step – email password recovery often uses SMS – and the account is gone.
- Phone Number as Identity: Many decentralized identity solutions still rely on phone number verification for sybil resistance. Airdrop eligibility, governance voting, attestation. If an attacker can spoof a phone number via SS7 (call forwarding), they can claim airdrops meant for real users or manipulate vote counts. The protocol sees the correct phone number on-chain – but the off-chain verification layer is compromised.
- Validator Node Emergency Keys: Some proof-of-stake networks allow operators to register a phone number for emergency key reset if a validator goes offline. The operator loses access, calls the support line, receives an SMS with a recovery code. If the attacker has forwarded that number's SMS, they recover the validator keys. They can double-sign, get slashed maliciously, or simply ransom the validator.
Based on my 2020 audit of a major staking protocol, I found that the emergency key recovery path used a single SMS to a known phone number. I flagged it as a single point of failure. The response: 'We have a human verification step where support calls the number back.' The human step relies on the attacker not having forwarded calls. SS7 allows forwarding without user notification.
Data point: According to the FCC, SIM swap complaints increased 400% from 2015 to 2020. But those are reported numbers. The actual number of SS7-based intercepts without a SIM swap – where the SIM stays in the victim's phone but SMS is read by an attacker – is unknown. Carriers rarely disclose SS7 breaches because the protocol itself is the vulnerability.
Now overlay the Iran attack pattern. They didn't need to hack US soldiers' phones. They didn't plant malware. They queried the global signaling network for location data of phones that happened to be within range of US military facilities. The phones were personal devices, not tactical radios. But the correlation was sufficient to track unit movements.
The same query can request SMS delivery. If an attacker knows your phone number (public on Etherscan for many founders), they can intercept the SMS sent by your hardware wallet supplier for the initial setup seed phrase. Rare? Yes. Possible? Absolutely.
Consider the threat escalation. State actors have the resources to map out every phone number associated with a crypto project – team members, community managers, investors. They can then passively monitor location data and actively intercept authentication messages. This is not about stealing a few ETH. This is about strategic intelligence on a project's operational security before a market event.
Contrarian: The Blind Spot in Every Audit
I have read hundreds of smart contract audit reports. Not one mentions the telecom stack. Auditors check for reentrancy, oracle manipulation, integer overflow. They never check if the protocol's off-chain emergency path trusts a phone number.
Why? Because auditors assume the telecom layer is a neutral, reliable infrastructure. It is not.
The Iran report exposes the gap between cryptographic perfection and operational reality. You can have a formally verified smart contract with no bugs. But if the admin multisig's co-signer receives their authentication code via SMS, the entire scheme collapses with a single SS7 query.
The counterintuitive insight: The most secure protocols are those that assume total compromise of the telecom layer. They use hardware security modules, proof-of-personhood, or decentralized identity (DID) schemas that never touch the cellular network. They do not store phone numbers. They do not send SMS. They treat every text message as a potential attack vector.
But most protocols are not that paranoid. They are built on the assumption that telecom is safe. That assumption is a zero-day waiting to be exploited.
I call this the SS7 Blind Trust – a system vulnerability that no static analysis tool can detect because it is not in the code; it is in the environment where the code runs. The Iran attack is a textbook demonstration of how to exploit this blind trust. The US military knew about SS7 vulnerabilities for years. They still issued personal phones to personnel. The gap between knowledge and practice is where exploitation lives.
Takeaway: Verification Without Trust
The era of SMS-based security in crypto must end. Not gradually – immediately. The Iran attack is a signal that the threat level has escalated. State actors are now actively scanning the signaling network for targets. Your phone number is a public identifier on many blockchains through ENS or donation addresses. It only takes one query.
The forward path is three-fold:
- Hardware key recovery – Not SMS. Use seeds that can only be imported via QR code or NFC from a physically secured device.
- Decentralized identity (DID) with zero-knowledge proofs – Prove you control a wallet without revealing your phone number or email. Use ZK-based authentication for account recovery.
- Protocol-level SS7 awareness – If a protocol must use phone numbers, it should implement rate-limiting on sensitive actions based on SIM change detection, require multi-channel confirmation (e.g., email + phone + in-app push), and never rely on a single SMS for privilege escalation.
"Building on chaos, then locking the door." The SS7 chaos is the telecom infrastructure we inherited. We cannot fix it. But we can build our protocols to assume it is hostile.
"Logic is the only law that doesn't lie." The logic says: if your protocol trusts an unprotected channel, the channel will be exploited.
"Silicon ghosts in the machine, verified." The ghosts are not in the smart contract. They are in the cell towers.
Expect a shift: within 12 months, every major DeFi protocol will migrate off SMS-based recovery. The ones that don't will become case studies in the next major SIM swap wave. The Iran report is not a geopolitical curiosity. It is a technical audit of a threat model that applies to every crypto project in existence.
Your code is clean. Your telecom is the leak. Seal it.
