Eiro Group SIM-Swap Cash-Out: Tracing a $96,200 Account Takeover to a 72% Recovery
T.B. did nothing careless. An attacker convinced her mobile carrier to port her number, used the SMS codes to reset her exchange logins, and emptied her holdings overnight. The cash-out ran through an Eiro Group-linked operation. We traced it and recovered 72% — strong, because the laundering route ran through accounts we could reach.
- Operator: Eiro Group
- Method: SIM-swap account takeover; the attacker hijacked the victim’s phone number, reset exchange access, and cashed out through an Eiro Group-linked receiving operation.
- Reported loss: $96,200 (USD) in BTC and ETH
- Case opened: June 2026
- Funds recovered: 72%
- Subject: T.B., a dental-practice owner in Tampa, FL
- Case officer: Steven Storch Investigations
Initial Contact
T.B. woke to no mobile signal and a string of security emails. Her number had been ported to a device she did not control, and within hours her exchange accounts were drained of BTC and ETH.
She contacted us that morning. SIM-swap cases are time-critical: the attacker’s advantage ends the moment the victim regains control and the stolen funds hit a chokepoint we can act on.
Point of Compromise
The takeover did not start on the blockchain — it started at the carrier. Once the number was ported, SMS two-factor codes flowed to the attacker, who reset passwords and withdrawal settings and moved the assets out.
The withdrawals were consolidated and routed toward an Eiro Group-linked cash-out channel. That channel’s reliance on identifiable exchange accounts is what made a strong recovery possible.
EXHIBIT A · CLIENT STATEMENT
“I had two-factor authentication on everything. What I did not know was that text-message codes are not safe against a SIM-swap. By the time my phone came back, the accounts were empty.”
Investigation Log
- 01 Lock down and document
  We guided T.B. to restore the number, lock every account, and replace SMS codes with an authenticator app, while preserving carrier and exchange records.
- 02 Withdrawal tracing
  We traced the outbound BTC and ETH from her own exchange accounts through consolidation to the cash-out channel’s deposit addresses.
- 03 Exchange freezes
  Because the cash-out funnelled through real exchange accounts, we filed evidence-backed freeze requests fast, while balances were still present.
- 04 Carrier and law-enforcement filings
  A formal carrier complaint over the unauthorised port, plus IC3 and local law-enforcement reports documenting the takeover.
- 05 Recovery
  Two exchanges froze and released the traceable funds. A smaller off-ramped portion was lost, but the bulk was reachable.
Disposition
Indicators on File
- Sudden loss of mobile signal with no explanation — a possible number port.
- Reliance on SMS text codes for two-factor authentication on crypto accounts.
- Security emails about password or withdrawal-setting changes you did not make.
- Account access and withdrawals from an unfamiliar device or location.
- Carrier “upgrade” or “port” notices you never requested.
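The indicators above can be correlated in account event logs rather than checked one at a time. The following is an added example, not part of the original case file: it flags accounts where an SMS-based password reset from an unfamiliar device is followed, within a time window, by a withdrawal or withdrawal-setting change, and notes a preceding port notice when one is visible. The event schema, event names, account ids and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, event kind, device id).
# The schema and event names are hypothetical, not from any real exchange or carrier.
EVENTS = [
    ("2026-06-03T02:10", "acct-a", "carrier_port_notice", "-"),
    ("2026-06-03T02:41", "acct-a", "password_reset_sms", "dev-new-1"),
    ("2026-06-03T02:44", "acct-a", "withdrawal_setting_change", "dev-new-1"),
    ("2026-06-03T02:52", "acct-a", "withdrawal", "dev-new-1"),
    ("2026-06-03T09:00", "acct-b", "password_reset_sms", "dev-b-1"),
    ("2026-06-03T09:05", "acct-b", "withdrawal", "dev-b-1"),
    ("2026-06-03T11:00", "acct-c", "password_reset_sms", "dev-new-2"),
    ("2026-06-03T11:20", "acct-c", "withdrawal", "dev-new-2"),
]
KNOWN_DEVICES = {"acct-a": {"dev-a-1"}, "acct-b": {"dev-b-1"}, "acct-c": {"dev-c-1"}}
SENSITIVE = {"withdrawal_setting_change", "withdrawal"}

def sim_swap_alerts(events, known_devices, window=timedelta(hours=24)):
    """Return {account: [matched indicators]} for the takeover sequence."""
    alerts, state = {}, {}
    for ts, acct, kind, device in sorted(events):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        s = state.setdefault(acct, {})
        new_device = device != "-" and device not in known_devices.get(acct, set())
        if kind == "carrier_port_notice":
            s["port"] = t
        elif kind == "password_reset_sms" and new_device:
            s["reset"] = t
        elif kind in SENSITIVE and new_device:
            reset = s.get("reset")
            if reset is None or t - reset > window:
                continue  # no recent SMS reset from an unfamiliar device
            hits = alerts.setdefault(acct, ["sms_reset_new_device"])
            if kind not in hits:
                hits.append(kind)
            port = s.get("port")
            # A port notice shortly before the reset strengthens the match,
            # but the carrier side is often not visible, so it is optional.
            if port and port <= reset and reset - port <= window and "recent_port" not in hits:
                hits.insert(0, "recent_port")
    return alerts

if __name__ == "__main__":
    for acct, hits in sim_swap_alerts(EVENTS, KNOWN_DEVICES).items():
        print(acct, "->", ", ".join(hits))
```
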
Think you are looking at the same playbook?
If any of these patterns match what happened to you, the first 72 hours matter most. Bring us the wallet addresses, the platform name, and every message you still have.