The U.S. Securities and Exchange Commission (SEC) recently admitted that a hacker successfully infiltrated one of its cell phones to gain access to its X account and post false information about the approval of spot bitcoin exchange-traded funds (ETFs). The agency revealed that it had deactivated its multi-factor authentication as early as July 2023, leaving the account vulnerable to attack.
The hacker employed a technique known as a “SIM swap” attack, which involves taking control of a cell phone associated with the target account. By doing so, the hacker was able to send a tweet on January 9 claiming that the SEC had approved spot bitcoin ETFs, a day before the agency actually made the announcement.
In a statement, an SEC spokesperson clarified that the unauthorized access occurred through the telecom carrier and not the SEC’s own systems. The agency’s staff has not found any evidence suggesting that the hacker gained access to SEC systems, data, devices, or other social media accounts. The spokesperson did not disclose the identity of the telecom carrier involved.
The SEC also revealed that it had disabled its multi-factor authentication on the account in July 2023 due to difficulties accessing the account. However, this security measure has since been reinstated.
This security breach is particularly embarrassing for the SEC, as the agency is known for advising investors to prioritize security and maintain multi-factor authentication on their financial accounts. The false tweet from the @SECGov account, which suggested that the agency had approved the eagerly-awaited ETFs, caused market movements before it was quickly determined to be a hack.
The spokesperson explained that once the hacker gained control of the phone number, they reset the password for the @SECGov account. Law enforcement agencies, including the Federal Bureau of Investigation, Department of Homeland Security, Commodity Futures Trading Commission, and the Department of Justice, are currently investigating how the unauthorized party convinced the telecom carrier to change the SIM associated with the account and how they knew which phone number was linked to the account.
Following the hack, the SEC promptly moved to approve bitcoin ETFs. X, formerly known as Twitter, issued a statement two weeks ago, asserting that the compromise was not a result of any breach in its systems but rather due to an unidentified individual gaining control over a phone number associated with the @SECGov account through a third party.
SIM swap attacks have been prevalent in the cryptocurrency industry for years, with attackers targeting victims’ phone numbers to steal their digital assets. Last year, Friend.Tech users fell victim to such attacks, resulting in the loss of their ether holdings.
The SEC continues to investigate the incident in collaboration with law enforcement and oversight agencies. The agency’s security lapse serves as a reminder of the importance of robust security measures, including multi-factor authentication, to protect against cyber threats in the cryptocurrency space.
Read More: SEC Comments on Hack of Its X Account and Resulting Fake Bitcoin ETF Approval Announcement