How a SIM swap attack led to the SEC’s X account hack

The U.S. Securities and Exchange Commission (SEC), the federal agency that regulates the stock market, has revealed that its official X account was hacked by an unauthorized party who used a SIM swap attack to gain access to the account. The hacker posted a false announcement that the SEC had approved bitcoin exchange-traded funds (ETFs), causing a brief surge in the price of the cryptocurrency.

A SIM swap attack is a type of cyberattack that involves taking over a victim’s phone number by convincing a telecom provider to transfer the number to a new device controlled by the attacker. This allows the attacker to bypass security measures that rely on phone-based verification, such as text messages or calls.

SIM swap attacks have become increasingly common in recent years, as hackers target high-profile individuals and organizations that have valuable digital assets or sensitive information. Some of the victims of SIM swap attacks include Twitter CEO Jack Dorsey, actress Jessica Alba, and cryptocurrency exchange Coinbase.


How did the SEC’s X account get hacked?

According to a statement released by the SEC on January 22, 2024, the agency had disabled multi-factor authentication (MFA) for its X account in July 2023, due to some issues with accessing the account. MFA is a security feature that requires users to provide more than one piece of evidence to prove their identity, such as a password and a code sent to their phone.

The SEC said that it had re-enabled MFA for its X account after it was compromised on January 9, 2024. The agency also said that it had determined that the hacker had obtained control of the SEC’s phone number associated with the account in an apparent SIM swap attack. The hacker then used the phone number to reset the password for the X account and posted the fake announcement.
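The chain the statement describes (a phone-only password reset with MFA switched off) can be expressed as a policy check that a defender runs over an account's login and recovery settings. This is an added example, not code from the article, the SEC or X; the factor names, the policy model and the three sample policies are constructed assumptions, and the check also covers the broader case where MFA is on but still accepts SMS.

```python
from dataclasses import dataclass

# Channels an attacker controls once a carrier moves the victim's number to their SIM.
PHONE_CONTROLLED = frozenset({"sms_code", "voice_call"})


@dataclass
class AccountPolicy:
    name: str
    mfa_enabled: bool
    mfa_factors: frozenset   # any one of these satisfies the MFA prompt at login
    recovery_paths: tuple    # each entry: set of factors that together reset the password


def sim_swap_exposure(policy: AccountPolicy) -> dict:
    """Decide whether control of the phone number alone yields the account.

    Step 1: can the password be reset using only phone-delivered factors?
    Step 2: with the new password, does the login step still stop the attacker?
    """
    reset_path = next((p for p in policy.recovery_paths if p <= PHONE_CONTROLLED), None)
    if reset_path is None:
        return {"name": policy.name, "exposed": False, "reason": "no phone-only reset path"}
    if not policy.mfa_enabled:
        return {"name": policy.name, "exposed": True,
                "reason": f"reset via {sorted(reset_path)}; MFA disabled"}
    if policy.mfa_factors & PHONE_CONTROLLED:
        return {"name": policy.name, "exposed": True,
                "reason": f"reset via {sorted(reset_path)}; MFA accepts SMS/voice"}
    return {"name": policy.name, "exposed": False,
            "reason": "password reset possible but MFA needs a non-phone factor"}


# Constructed policies: the first mirrors the configuration the article describes
# (MFA off, phone number attached to the account); the other two are hypothetical.
POLICIES = (
    AccountPolicy("MFA disabled, SMS reset", False, frozenset(), ({"sms_code"},)),
    AccountPolicy("MFA on but SMS accepted", True, frozenset({"sms_code", "totp_app"}),
                  ({"sms_code"},)),
    AccountPolicy("hardened", True, frozenset({"totp_app", "security_key"}),
                  ({"email_link", "totp_app"},)),
)


def audit(policies=POLICIES) -> list:
    """Run the exposure check over every policy and return the findings."""
    return [sim_swap_exposure(p) for p in policies]


if __name__ == "__main__":
    for r in audit():
        print(f"{'EXPOSED' if r['exposed'] else 'ok     '} {r['name']}: {r['reason']}")
```

The second policy is the caveat worth noticing: re-enabling MFA does not close the gap if SMS remains an accepted factor, because the attacker who can reset the password also receives the code.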

The SEC said that it had contacted X’s support staff immediately after discovering the hack and asked them to delete the tweet and restore the account. The agency also said that it had notified the Department of Justice, the Federal Bureau of Investigation, the Department of Homeland Security, and the SEC’s Inspector General about the incident and was cooperating with them in the investigation.

What was the impact of the hack?

The hack of the SEC’s X account had a significant impact on the cryptocurrency market, as many investors and traders reacted to the false announcement that the SEC had approved bitcoin ETFs. Bitcoin ETFs are investment products that track the price of bitcoin and allow investors to buy and sell bitcoin without having to deal with the technical aspects of owning and storing the cryptocurrency.

The approval of bitcoin ETFs by the SEC has been a long-awaited and highly anticipated event in the crypto industry, as it would provide more legitimacy and liquidity to the market. However, the SEC has repeatedly rejected or delayed the applications for bitcoin ETFs, citing concerns over market manipulation, fraud, and lack of regulation.

The fake tweet posted by the hacker claimed that the SEC had approved three bitcoin ETFs: the VanEck Bitcoin Trust, the Bitwise Bitcoin ETF Trust, and the Valkyrie Bitcoin Fund. The tweet also included a link to a fake SEC website that mimicked the official one.

The tweet was posted at 4:32 p.m. ET on January 9, 2024, and was deleted within minutes. However, in that short span of time, the price of bitcoin jumped from around $42,000 to over $44,000, according to data from CoinMarketCap. The price then quickly dropped back to its previous level after the tweet was exposed as a hoax.

The SEC said that it was not aware of any investors who had suffered losses as a result of the hack, but advised the public to be cautious and verify the sources of information before making any investment decisions.

What are the implications of the hack?

The hack of the SEC’s X account has raised serious questions about the agency’s cybersecurity practices and its ability to protect the integrity of the financial markets. The SEC is responsible for enforcing the federal securities laws and regulating the securities industry, and it holds publicly traded companies to high standards of disclosure and accountability.

The fact that the SEC had disabled MFA for its X account, which has over 1.6 million followers and could potentially influence the market, has drawn criticism from lawmakers and experts. Senator Mark Warner, the chairman of the Senate Intelligence Committee, said that he was “stunned” by the SEC’s admission and called for a hearing on the matter. He also said that he would introduce legislation to require federal agencies to use MFA for their social media accounts.

Cybersecurity experts have also expressed their concern over the SEC’s vulnerability to SIM swap attacks, which are relatively easy to execute and hard to prevent. They have urged the SEC to review its security policies and procedures and to educate its staff and the public on how to protect themselves from such attacks.

The hack of the SEC’s X account has also highlighted the need for more regulation and oversight of the cryptocurrency market, which is still largely unregulated and prone to volatility and manipulation. The SEC has been trying to establish a clear and consistent framework for regulating crypto assets and products, but has faced challenges and resistance from the industry and some lawmakers.

The SEC has said that it remains committed to fostering innovation and protecting investors in the crypto space, and that it will continue to evaluate the applications for bitcoin ETFs based on its existing rules and standards. The agency has also said that it will take appropriate actions against the hacker and anyone who may have aided or benefited from the hack.
