SEC Blames Social Media Account Hack on ‘SIM Swap’ Attack in Fake Bitcoin ETF Post

Fredrik Vold
Last updated: | 1 min read
SEC Blames Social Media Account Hack on 'SIM Swap' Attack in Fake Bitcoin ETF Post
Source: Adobe / dennizn

The US Securities and Exchange Commission (SEC) has revealed that its social media account on X fell victim to a “SIM swapping” attack in relation to the false post about the approval of Bitcoin exchange-traded funds (ETFs) earlier this month.

The incident, which occurred on January 9, led to a temporary surge in the price of Bitcoin, followed by a price crash after SEC Chair Gary Gensler said on his personal X account that the SEC’s X account had been “compromised.”

In a statement published on Monday this week, the SEC said that six months before the attack, an additional layer of protection known as multi-factor authentication (MFA) had been removed by staff and was only reinstated after the January 9 attack.

The fraudulent post was followed by a vote by the commission the next day, which ultimately resulted in the approval of all spot Bitcoin ETF applications.

SIM swapping involves attackers gaining control of a phone number by having it reassigned to a new device.

Once in control of the phone number, the unauthorized party reset the password for the @SECGov account, the statement said.

The new statement from the regulator confirms key details shared by X Safety already the day after the incident.

Ongoing investigation by SEC and law enforcement agencies


According to the new SEC statement, law enforcement agencies are currently investigating how the hackers persuaded the SEC’s mobile carrier to facilitate the phone number switch.

The agency did not disclose the identity of the carrier involved.

Both lawmakers and leaders from the crypto industry have sought explanations for the SEC’s vulnerability to such an attack, especially given the regulator’s stringent cybersecurity requirements for publicly traded companies.

The incident is under investigation by various agencies, including the SEC’s Office of Inspector General and its Division of Enforcement, the Commodity Futures Trading Commission, the Federal Bureau of Investigation, the Department of Justice, and the Cybersecurity and Infrastructure Security Agency.

Multi-factor authentication is now enabled for all SEC social media accounts that offer it, the SEC statement added.