
Carriers would hold names, addresses, and ID numbers for four years. That data bundle creates a richer target for SIM-swap attackers who already stole $68 million in a single year.
The FCC proposed a rule on May 26 that asks whether phone companies should collect names, addresses, government ID numbers, alternate phone numbers, and verification records before giving a customer a phone line. The agency also wants carriers to keep that data for four years after a customer cancels. Comments close June 25.
The FCC's stated goal is stopping illegal robocalls, which it says cost Americans billions in fraud. The logic is that the company originating the call is best positioned to block it before it enters the network.
For anyone holding crypto, the proposal creates a second-order security problem the FCC's framework does not address.
Phone numbers already sit at the center of exchange onboarding, email recovery, SMS two-factor authentication, and customer-support verification for fintech apps and crypto wallets. The more identity data carriers bundle with a phone account, the more valuable that account becomes to an attacker. A carrier breach or successful SIM swap becomes more damaging when the target holds assets that move instantly and irreversibly.
The DOJ's September 2025 civil forfeiture action against over $5 million in Bitcoin shows how the phone layer already converts into crypto loss. Prosecutors described SIM-swap attacks as a takeover method in which attackers gain control of a victim's phone number, intercept authentication codes, and use them to authenticate across email, exchange, and fintech accounts. Five US victims lost Bitcoin through that sequence. The FBI's IC3 recorded 1,611 SIM-swap complaints in 2021 alone, with adjusted losses exceeding $68 million, up from 320 complaints and roughly $12 million in losses across the preceding three years combined.
The FCC proposal would raise the value of the phone account at the center of that attack chain.
The takeover of the SEC's own X account demonstrated that phone-number compromise can reach beyond individual wallets. In January 2024, an unauthorized party gained control of the phone number associated with the account in an apparent SIM swap, reset the password, and posted a false announcement claiming approval of a spot Bitcoin ETF. The SEC corrected it later.
Expanded carrier-side KYC records create richer impersonation material for anyone attempting the same attack against higher-value targets. Carriers would collect names, physical addresses, government-issued ID numbers, alternate phone numbers, and potentially copies of government-issued identification. For high-volume customers, the FCC also asks about the intended use of service and IP addresses. That data bundle would stay in the carrier's systems for four years after cancellation.
The FCC itself asks in the proposal what privacy risks may arise from expanded PII collection and whether existing industry protections would suffice, or whether the agency would need to mandate heightened security measures. That question acknowledges that the collected data creates its own exposure.
A carrier record that links a phone number to a physical address, a government ID number, an alternate contact, and a service history becomes a target for attackers who want to social-engineer the carrier's support desk, file a fraudulent port request, or cross-reference telecom data against exchange KYC records.
Bitcoin security researcher Jameson Lopp has argued that a KYC-free phone service can serve as a personal security measure for people suspected of holding large Bitcoin positions, because linking phone accounts to identity trails raises exposure to extortion, swatting, and physical attacks. Lopp maintains a public repository of physical attacks against crypto holders, supporting the point that physical targeting is a documented risk category.
The FCC proposal leaves open whether KYC requirements apply only to high-volume commercial originators or extend to new and renewing retail customers and prepaid SIM cards sold through third-party vendors. The proposal explicitly asks about prepaid and postpaid treatment and whether requirements should differ across customer types.
The bear case for crypto holders is that identity collection across new and renewing customers, prepaid SIM cards, and re-verification requirements would effectively end pseudonymous phone access in the US. Carrier databases would bundle phone numbers with physical addresses, government ID numbers, and four years of service history. For anyone operating under a threat model that includes SIM swapping, targeted extortion, or physical attack, the phone layer would become both more tightly identity-linked and more dangerous to lose control of. A carrier breach or vendor compromise at that scale would produce addressable target lists: phone numbers cross-referenced against identities, addresses, and service histories. That data asset has no prior equivalent at carrier scale.
If the FCC limits expanded KYC to high-volume commercial originators and leaves retail and prepaid customers outside the scope, the rule addresses the robocall problem at the network layer where it originates, and the retail phone account stays outside the expanded data collection. That outcome reduces the carrier-side honeypot risk for individual crypto holders while still giving the FCC the enforcement reach it is seeking against the fraud originators driving robocalls.
Whether that enforcement reach also expands the attack surface for crypto holders turns on the final rule's scope. A rule covering ordinary phone customers produces a different threat model than one confined to commercial originators.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.