The FCC’s proposed robocall rule, published May 26 under CG Docket Nos. 17-59 and 02-278, asks whether originating voice service providers must collect and retain customer names, physical addresses, government-issued identification numbers, alternate telephone numbers, and supporting authentication information before providing services.
The agency is proposing a four-year retention period once the customer relationship ends, a forfeiture of $2,500 per call for KYC violations, and comments close on June 25.
The FCC frames the proposal around the problem that illegal robocalls cost Americans billions of dollars in fraud and wasted time, and the FCC argues that originating carriers are best positioned to stop illegal calls before they enter the network.
For crypto holders, the proposal brings a second-order security consequence that the agency’s robocall framework leaves unnoticed.
Phone numbers are already central to exchange onboarding, email and crypto account recovery, two-factor authentication via SMS, fintech apps, and customer support verification.
The more identity information telecom providers bundle with phone accounts, the more valuable these accounts become to attackers, and the more damaging a carrier breach or successful impersonation attempt becomes for anyone who owns assets that move instantly and irreversibly.
The phone number as a safety liability
The DOJ’s September 2025 civil forfeiture against more than $5 million worth of Bitcoin illustrates how the phone layer is already converting to crypto loss.
Prosecutors described SIM swap attacks as an account takeover method in which attackers gain control of a victim’s phone number, intercept authentication codes and use them to authenticate themselves as a victim through email, exchange and fintech accounts.
Five US victims lost Bitcoin through that streak. The FBI’s IC3 recorded 1,611 SIM swap complaints in 2021 alone, with adjusted losses of more than $68 million, compared to 320 complaints and approximately $12 million in losses in the previous three years combined.
The FCC proposal would increase the value of the telephone bill at the midpoint.
The SEC’s own X Account has shown that phone number compromises can extend beyond individual wallets.
In January 2024, an unauthorized party gained control of the phone number associated with the SEC’s X account through an apparent SIM swap, reset the account password, and posted a false announcement claiming approval of a spot Bitcoin ETF before the SEC corrected it.
Expanded carrier-side KYC records create richer imitation material for anyone attempting the same attack against higher-value targets.
What the FCC is building
Carriers would collect names, physical addresses, government-issued ID numbers, alternate phone numbers and possibly copies of government-issued ID.
For high-volume customers, the FCC also asks about intended use of the service and IP addresses. That data bundle would remain in the carrier’s systems for up to 4 years after a customer’s cancellation date.
The FCC itself asks in the proposal what privacy risks could arise from the extensive collection of personally identifiable information and whether existing industry protections would be sufficient, or whether the agency would have to mandate increased security measures, a recognition that the data collected creates its own exposure.
A carrier record that links a phone number to a physical address, a government identification number, an alternate contact, and a service history becomes a target for attackers looking to social engineer a carrier’s support desk, submit a fraudulent port request, or compare telecom data with exchange KYC records.
Bitcoin security researcher Jameson Lopp has argued that a KYC-free phone service could serve as a personal security measure for people suspected of holding large Bitcoin positions, because linking phone accounts to identity traces increases exposure to extortion, swatting, and wrench attacks.
Lopp’s public repository of physical attacks against crypto holders describes itself as a known but incomplete list of real-world “meatspace” attacks, supporting the point that physical attacks is a documented risk category.
Two outcomes for crypto holders
The FCC proposal leaves open whether the KYC requirements apply only to high-volume commercial originators or extend to new and renewing residential customers and prepaid SIM cards sold through third-party vendors.
The proposal explicitly asks about prepaid and postpaid treatments and whether requirements should differ per customer type.
The bear case for crypto holders is that identity collection on new and renewing customers, prepaid SIM cards, and re-verification requirements would effectively end pseudonymous phone access in the US.
Carrier databases would bundle phone numbers with physical addresses, government ID numbers and four years of service history.
For anyone operating under a threat model that includes SIM swapping, targeted extortion, or physical attacks, the phone layer would become both more closely tied to identity and more dangerous to lose control of.
A carrier breach or vendor compromise at that scale would produce addressable target lists, such as phone numbers matched against identities, addresses, and service history, a data asset that has no previous equivalent at the carrier scale.
If the FCC limits KYC to high-volume commercial originators and leaves retail and prepaid customers out of reach, the FCC is addressing the robocall problem at the network layer where it originates, and the retail phone account is left out of the comprehensive data collection.
| Final control result | Who is covered | Privacy impact | Risk of crypto holders | Article read |
|---|---|---|---|---|
| Narrow rule | High volume commercial makers | Limited expansion of the PII collection for retail | Lower SIM swap and doxxing overflow for regular users | Robocall enforcement tool with limited crypto impact |
| Basic case | New and innovative customers, with some exceptions to the customer type | More identity information linked to phone accounts | Higher value for transport data and recovery abuse | Privacy rule becomes a crypto security issue |
| Broad rule | Retail users, prepaid SIM cards, postpaid accounts and re-verification | Practical pseudonymous telephone access is shrinking | Larger honeypot for SIM swaps, extortion, swatting and physical targeting | Telecom KYC is becoming a new crypto attack surface |
| Breach scenario | Carrier, supplier or KYC provider compromised | Identity, phone, address and service history data exposed | Addressable target lists for attackers | Anti-robocall solution creates systemic holder risk |
This outcome reduces carrier-side honeypot risk for individual crypto holders, while still giving the FCC the enforcement reach it seeks against the fraudsters causing the robocall problem.
Whether these tools also expand the attack surface for crypto holders depends on the scope of the final rule: a rule that covers regular phone customers presents a different threat model than one limited to commercial creators.