SEC Points to "SIM Swap" Attack in Bitcoin ETF Approval Hoax
The Securities and Exchange Commission (SEC) has revealed that the unauthorized post about approving spot Bitcoin exchange-traded funds (ETFs) on January 9 is related to a "SIM swap" attack.
This tactic involves transferring a mobile phone number to a different device without the owner's consent. The US securities watchdog clarified that the attack occurred via a telecommunication network rather than through its internal systems. It emphasized that its core systems were never compromised.
The misleading post, which declared the green light for the first spot Bitcoin ETF in the US, caused a frenzy in the cryptocurrency sector. However, the SEC was quick to dismiss the post, attributing it to a hacker who had gained control of the mobile phone number linked to the account.
Missing Two-Factor Authentication
After the intruder had compromised the regulator's account, the password to the account was reset, and a false announcement about the approval of spot Bitcoin ETFs was made. Notably, a previously enabled multi-factor authentication process had been disabled in July 2023. This raises questions about the vulnerability of the account leading up to the incident.
The SEC mentioned: "While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff's request, in July 2023 due to issues accessing the account."
"Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9. MFA currently is enabled for all SEC social media accounts that offer it."
The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.
— U.S. Securities and Exchange Commission (@SECGov) January 9, 2024
SEC's Social Media Safety Concerns
The timing of the incident was particularly significant as Wall Street eagerly awaited the SEC's authorization of the first-ever spot Bitcoin ETF. This breach raised a concern about the security of the SEC's social media account.
Upon discovery, the SEC's staff swiftly responded by deleting the unauthorized post, un-linking external posts, and alerting the public through the official @garygensler X.com account. The SEC engaged with X.com to terminate the unauthorized access between 4:40 pm and 5:30 pm Eastern Standard Time on the same day.
Currently, the SEC is collaborating with various law enforcement and federal oversight entities, including the SEC's Office of Inspector General, the Federal Bureau of Investigation, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, to conclude the investigations.
This article was written by Jared Kirui at www.financemagnates.com.