The Securities and Exchange Commission (SEC) has disclosed that the unauthorized January 9th post on its X account claiming approval of spot Bitcoin exchange-traded funds (ETFs) was the result of a "SIM swap" attack.
In a SIM swap, an attacker gets the mobile carrier to move the victim's phone number onto a SIM card the attacker controls, without the owner's consent, so that calls and SMS messages sent to that number, including password-reset codes, are delivered to the attacker instead of the owner.
Importantly, the SEC clarified that the attack took place on the telecommunications carrier's side and did not involve a compromise of the SEC's own systems.
The deceptive post announcing the approval of the first-ever spot Bitcoin ETF in the United States caused a stir in the cryptocurrency industry.
The SEC acted swiftly to debunk the post, attributing it to an attacker who had taken control of the mobile phone number associated with the account.
Once in control of the number, the attacker used it to reset the account password, took over the @SECGov account and published the false announcement of spot Bitcoin ETF approval.
It was also disclosed that multi-factor authentication (MFA), which had previously been enabled on the account, had been disabled in July 2023, leaving the account protected only by its password and the phone number in the months leading up to the incident.
The SEC provided insight into the situation, stating that “While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account.”
MFA was only re-enabled after the account was compromised on January 9th, and it is now active for all SEC social media accounts that offer it.
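The account-takeover path described above (phone number re-routed by the carrier, SMS reset code captured, password changed, login with no second factor) is simulated below. This is an added example written for this article, not code from the SEC, X or any carrier: the Carrier, Device and SocialAccount classes, the phone number and the handle are constructed for the simulation. The TOTP function follows RFC 6238 over the standard library and stands in for an authenticator app; it is the part of the model that a SIM swap cannot reach, which is why the same attack succeeds when MFA is off and fails when it is on.

```python
import hashlib
import hmac
import secrets
import struct
import time


class Device:
    """A handset (SIM) with an SMS inbox. Constructed for this example."""
    def __init__(self, name):
        self.name = name
        self.inbox = []


class Carrier:
    """Routes each phone number to whichever SIM currently holds it."""
    def __init__(self):
        self.routing = {}

    def assign(self, number, device):
        # A SIM swap is exactly this call being made for the attacker's SIM.
        self.routing[number] = device

    def deliver_sms(self, number, text):
        self.routing[number].inbox.append(text)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30 s step)."""
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class SocialAccount:
    """Minimal account model: password, SMS-based reset, optional TOTP."""
    def __init__(self, handle, phone, password, carrier, totp_secret=None):
        self.handle = handle
        self.phone = phone
        self.carrier = carrier
        self.totp_secret = totp_secret  # None means MFA disabled
        self.pending_reset = None
        self._set_password(password)

    def _set_password(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _check_password(self, password):
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(self.pw_hash, candidate)

    def request_sms_reset(self):
        # The service only knows the number; the carrier decides who receives it.
        self.pending_reset = f"{secrets.randbelow(10 ** 6):06d}"
        self.carrier.deliver_sms(self.phone, f"Your reset code is {self.pending_reset}")

    def complete_sms_reset(self, code, new_password):
        if self.pending_reset is None or not hmac.compare_digest(self.pending_reset, code):
            return False
        self.pending_reset = None
        self._set_password(new_password)
        return True

    def login(self, password, totp_code=None, now=None):
        if not self._check_password(password):
            return False
        if self.totp_secret is None:
            return True  # no second factor: possession of the number was enough
        return totp_code is not None and hmac.compare_digest(totp(self.totp_secret, now), totp_code)


def simulate_sim_swap(mfa_enabled):
    """Run the takeover with MFA on or off and report what the attacker achieved."""
    carrier = Carrier()
    staff_phone, attacker_phone = Device("staff-phone"), Device("attacker-phone")
    number = "+15550100"  # constructed number
    carrier.assign(number, staff_phone)
    secret = secrets.token_bytes(20) if mfa_enabled else None
    acct = SocialAccount("@example", number, "correct horse battery staple", carrier, secret)

    carrier.assign(number, attacker_phone)  # the SIM swap
    acct.request_sms_reset()                 # attacker triggers "forgot password"
    code = attacker_phone.inbox[-1].split()[-1]
    reset_ok = acct.complete_sms_reset(code, "attacker-chosen")
    return {
        "staff_got_sms": bool(staff_phone.inbox),
        "reset_succeeded": reset_ok,
        "attacker_logged_in": acct.login("attacker-chosen"),  # no authenticator code
    }


if __name__ == "__main__":
    print("MFA disabled:", simulate_sim_swap(mfa_enabled=False))
    print("MFA enabled: ", simulate_sim_swap(mfa_enabled=True))
```

In both runs the reset itself succeeds, because the reset code goes wherever the carrier routes the number; the only thing that stops the attacker logging in is a factor that is not delivered over the phone network. Note that SMS-delivered MFA would not help here either, since the swapped SIM would receive that code as well.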
The timing of this incident was crucial as it coincided with heightened anticipation on Wall Street for the SEC’s approval of the first spot Bitcoin ETF.
This breach underscored concerns about the security of the SEC’s social media accounts.
Upon discovering the unauthorized post, the SEC’s staff promptly took action by deleting the post, unlinking external posts, and notifying the public through the official @garygensler X.com account.
The SEC collaborated with X.com to terminate unauthorized access between 4:40 pm and 5:30 pm Eastern Standard Time on the same day.
The SEC is currently working with law enforcement and federal oversight bodies, including the SEC's Office of Inspector General, the Federal Bureau of Investigation, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, to investigate the incident.