Breaking: SEC Falls Victim to Sophisticated SIM-Swap Hack
Before the U.S. Securities and Exchange Commission’s (SEC) official announcement of the approval of a Bitcoin ETF, hackers hijacked the SEC’s official X/Twitter account and disseminated information regarding the ETF’s approval. Subsequently, the price of Bitcoin surged, only to plummet after the revelation that the news was fabricated and subsequently deleted.
Although there is no evidence to suggest that the hijacking of the SEC’s account was a deliberate attempt to manipulate the market, the significant volatility in the Bitcoin futures market could potentially inflict substantial losses on investors.
The SEC revealed that the breach of its X/Twitter account was due to the failure to enable multi-factor authentication combined with a SIM swap attack.
Today, the SEC released the findings of its investigation into the account hijacking, indicating that the operators of the SEC’s account had ceased using X’s multi-factor authentication feature as of July 2023, thereafter relying primarily on mobile phone verification.
A hacker managed to gain control of the phone number associated with the account through a SIM swap attack, thereby gaining the ability to post any information on the SEC’s account.
In a statement, the SEC disclosed that the hacker obtained control of the number through the carrier’s system, but did not disclose the identity of the carrier. It is noteworthy that several U.S. carriers, including T-Mobile, have previously been targeted by SIM swap attacks against cryptocurrency investors, suggesting that this issue has not yet been resolved.
A SIM swap attack involves the attacker convincing the carrier to transfer the victim’s phone number to a new SIM card, often due to lax security checks by the carrier, thereby granting the attacker control over the phone number.
Law enforcement agencies are currently assisting the SEC in investigating how the hacker was able to hijack the phone number through the carrier, while the SEC has reactivated the multi-factor authentication feature on its X/Twitter account.