How does an attacker gain access to a phone number without having the phone? Like physically stealing the sim card or something else?

As others have mentioned, SIM Swap attacks are very common where the attacker impersonates the victim and convinces the mobile operator to transfer the victim’s phone number (known as MSISDN in telecom parlance) to the attacker’s SIM. If you Google SIM Swap, you will find many instances of it.

From that moment onwards, all the 2nd factor SMS OTP go to the attacker.

There are APIs that are provided by mobile operators via aggregators such as Telesign, Prove, Vonage, Twilio etc. that can be used to check if a SIM Swap has happened recently on that phone number. That API is used by fintech companies and others e.g. when they want to check if a fund transfer is to be allowed or flagged up.

Sim swap via pretending to be a clueless customer who lost their physical phone, banking on lax checks at customer service.

The attacker just needs to convince/compromise a single carrier employee to get a new SIM for your number.

bribe, coerce, and social engineer a phone company employee into transferring the victims phone number to you, or a technical attack to get the system to send the sms messages to a device you control, without ever touching the victim.