Sprint Corp. v. FCC (2025): Carrier Liability for SIM Swaps

January 15, 2026 | By: Max Dilendorf, Esq.

Max Dilendorf, Esq.

Introduction

SIM-swap attacks remain one of the most common methods by which criminals steal cryptocurrency.

By fraudulently transferring a victim’s phone number to a SIM card under the attacker’s control, bad actors gain access to SMS-based authentication, password resets, and account recovery mechanisms used by many cryptocurrency wallets and exchanges.

Once control of the phone number is lost, unauthorized transfers of digital assets often follow quickly.

In 2025, the U.S. Court of Appeals for the District of Columbia Circuit issued a recent and important decision in Sprint Corp. v. FCC, affirming significant penalties against wireless carriers for failing to adequately protect Customer Proprietary Network Information (CPNI).

While the case addressed misuse of customer location information, the court’s analysis is directly relevant to SIM-swap cases—particularly those in which carrier failures enable downstream harms such as theft of cryptocurrency from self-custody wallets and centralized exchanges.

The Statutory Duty to Protect CPNI

Section 222 of the Communications Act imposes an affirmative duty on telecommunications carriers to safeguard customer information. The D.C. Circuit reaffirmed that this obligation is broad and mandatory:

“The Communications Act requires telecommunications carriers to ‘protect the confidentiality’ of customer proprietary network information.” Sprint Corp. v FCC, 151 F.4th 347, 353 (DC Cir. 2025)

Congress imposed this duty because telecommunications data is inherently sensitive. In Sprint, the court emphasized that customer location information reveals deeply personal details about subscribers’ lives:

“Over time, this information becomes an exhaustive history of a customer’s whereabouts and ‘provides an intimate window into [that] person’s life.’” Id. at 352

SIM-swap attacks depend on similarly sensitive forms of CPNI, including account authentication data, subscriber verification credentials, and control over phone numbers.

The statutory framework analyzed in Sprint applies with equal force to these categories of information.

“Reasonable Measures” Require Meaningful Safeguards

A central issue in the 2025 decision was whether Sprint and T-Mobile implemented “reasonable measures” to protect CPNI, as required by FCC regulations.

The court upheld the FCC’s conclusion that they did not.

The governing regulation requires carriers to take active steps to prevent unauthorized access:

“Carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.” Id. at 353.

In practice, Sprint and T-Mobile relied heavily on contractual promises from third parties rather than implementing independent verification or monitoring systems.

The FCC found this approach insufficient, concluding that the carriers:

“Unreasonably relied on ‘the honor system.’” d. at 357.

This reasoning closely parallels SIM-swap cases, where carriers may rely on weak identity verification procedures, easily compromised knowledge-based authentication, or inadequate review of high-risk account changes.

Under Sprint, such practices can fall short of the reasonableness standard imposed by federal law.

Failure to Detect Unauthorized Access

The court also emphasized that reasonable safeguards must include the ability to identify illegitimate access attempts.

Sprint and T-Mobile lacked mechanisms to reliably separate lawful from unlawful requests:

“Nor did either carrier have an effective mechanism for distinguishing between a legitimate request for customer location information and an illegitimate one.” Id. at 357.

In the SIM-swap context, this principle is critical. If a carrier cannot distinguish between a legitimate subscriber request and a fraudulent SIM change initiated by an impostor, that failure may itself constitute a violation of the carrier’s duty to protect CPNI.

Notice of Risk Heightens the Duty to Act

The 2025 decision also makes clear that once carriers are aware of abuse, their obligations increase.

Continuing operations without meaningful changes after known vulnerabilities are exposed can constitute additional violations:

“Even after highly publicized incidents put [the carriers] on notice that [their] safeguards… were inadequate, the Carriers continued to sell access… without implementing reasonable measures.” Id. at 358.

Wireless carriers have now been on notice for years about the risks of SIM-swap fraud.

Public reporting, regulatory enforcement, arbitration decisions, and litigation have repeatedly identified the same weaknesses.

Under Sprint, failure to address known risks supports findings of unreasonable conduct.

Each Breakdown May Constitute a Separate Violation

The court also upheld the FCC’s determination that each distinct failure to protect CPNI may be treated as an independent violation:

“Each unique relationship… represented a distinct failure to reasonably protect CPNI.” Id. at 358.

Applied to SIM swaps, this reasoning supports the position that individual unauthorized SIM transfers—particularly where systemic deficiencies persist—may independently give rise to liability.

Implications for SIM-Swap-Enabled Crypto Theft

Although Sprint Corp. v. FCC arose in the context of an FCC enforcement action, its reasoning has broader implications for private claims and arbitrations involving SIM swaps and cryptocurrency theft. The decision confirms that:

Carriers owe a statutory duty to protect sensitive customer data
Safeguards must be operational, verifiable, and reasonable
Known risks require timely corrective action
Failure to protect CPNI can cause foreseeable and substantial harm

As the FCC concluded, inadequate safeguards:

“Caused substantial harm by making it possible for malicious persons” to exploit customer data. Id. at 358.

In SIM-swap cases, that harm frequently manifests as stolen cryptocurrency from both self-custody wallets and centralized exchanges.

Conclusion

The D.C. Circuit’s 2025 decision in Sprint Corp. v. FCC provides timely and authoritative guidance on the scope of wireless carriers’ obligations to protect CPNI.

Its reasoning is directly relevant to SIM-swap cases, where inadequate authentication procedures and weak safeguards enable unauthorized access to phone numbers and, ultimately, digital asset theft.

Dilendorf Law Firm has represented clients in more than 130 arbitrations, including SIM-swap cases against T-Mobile, Verizon, AT&T, and other carriers, involving failures to protect customer CPNI that resulted in the theft of cryptocurrency.

If you were a victim of a SIM swap and funds were stolen from self-custody wallets such as MetaMask, Phantom, Coinbase Wallet, or other non-custodial wallets, or from centralized exchanges such as Coinbase, Binance, Crypto.com, or Uphold, you may have legal claims worth evaluating.

Victims are encouraged to contact Dilendorf Law Firm for a consultation.

Clients holding significant amounts of cryptocurrency should also consider proactive asset-protection and custody planning.

Depending on individual circumstances, this may include the use of domestic or offshore asset protection trusts, which can provide an additional layer of protection against cyber threats and unauthorized access.

Dilendorf Law Firm assists clients in designing and implementing these structures, informed by extensive firsthand experience with the consequences of SIM swaps, cyberattacks, and crypto theft.

In addition, for many investors, crypto custody with a secure and insured institutional custodian is paramount, as reliance solely on personal devices and phone-based authentication can expose digital assets to avoidable risk.

This article is provided for your convenience and does not constitute legal advice. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.