- SEC says hacker that compromised its X account used a “SIM swap” attack.
- The unauthorised access had seen the hacker publish a fake spot Bitcoin ETFs approval announcement.
- Investigations into the breach are ongoing, but SEC says its 2FA feature had been disabled at the time of the compromise.
The US Securities and Exchange Commission (SEC) has confirmed that the hack on the agency’s X account, and the resulting “fake approval” of spot Bitcoin ETFs, happened after an apparent “SIM swap.”
According to the SEC, the attacker used a cell phone number linked to the agency’s X account. The unauthorised entity accessed the phone number via a telecom carrier the SEC uses, and not from the regulator’s system.
However, the SEC notes that at the time of the hack, two factor authentication (2FA) for the social media account was disabled. In a press release, the SEC said 2FA for its X account had been disabled since July 2023.
“While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account. Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9. MFA currently is enabled for all SEC social media accounts that offer it,” the SEC said in an update published on Monday.
Multi-agency investigation ongoing
The unauthorised access to SEC’s X account on January 9, 2024 drew widespread criticism and condemnation, with calls for investigation as observers pointed to potential market manipulation. The false approval saw Bitcoin’s price swing sharply – rising to highs of $49k before paring all gains within minutes.
While the SEC officially approved the spot Bitcoin ETFs on January 10 and trading commenced on January 11, an investigation involving various regulatory and law enforcement agencies is ongoing.
In its latest press update on the incident, the SEC and its staff continue to cooperate with the FBI, Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Commodity Futures Trading Commission (CFTC), the Department of Justice (DoJ), and the SEC’s own Division of Enforcement.