SEC Blames Social Media Account Hack on ‘SIM Swap’ Attack in Fake Bitcoin ETF Post
The US Securities and Exchange Commission (SEC) has revealed that its social media account on X fell victim to a “SIM swapping” attack in relation to the false post about the approval of Bitcoin exchange-traded funds (ETFs) earlier this month.
The incident, which occurred on January 9, led to a temporary surge in the price of Bitcoin, followed by a price crash after SEC Chair Gary Gensler said on his personal X account that the SEC’s X account had been “compromised.”
The @SECGov twitter account was compromised, and an unauthorized tweet was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.
— Gary Gensler (@GaryGensler) January 9, 2024
In a statement published on Monday this week, the SEC said that six months before the attack, an additional layer of protection known as multi-factor authentication (MFA) had been removed by staff and was only reinstated after the January 9 attack.
The fraudulent post was followed by a vote by the commission the next day, which ultimately resulted in the approval of all spot Bitcoin ETF applications.
SIM swapping involves attackers gaining control of a phone number by having it reassigned to a new device.
Once in control of the phone number, the unauthorized party reset the password for the @SECGov account, the statement said.
The new statement from the regulator confirms key details shared by X Safety already the day after the incident.
We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number…
— Safety (@Safety) January 10, 2024
Ongoing investigation by SEC and law enforcement agencies
According to the new SEC statement, law enforcement agencies are currently investigating how the hackers persuaded the SEC’s mobile carrier to facilitate the phone number switch.
The agency did not disclose the identity of the carrier involved.
Both lawmakers and leaders from the crypto industry have sought explanations for the SEC’s vulnerability to such an attack, especially given the regulator’s stringent cybersecurity requirements for publicly traded companies.
The incident is under investigation by various agencies, including the SEC’s Office of Inspector General and its Division of Enforcement, the Commodity Futures Trading Commission, the Federal Bureau of Investigation, the Department of Justice, and the Cybersecurity and Infrastructure Security Agency.
Multi-factor authentication is now enabled for all SEC social media accounts that offer it, the SEC statement added.
