An Alabama man was arrested today by the FBI for his suspected role in hacking the SEC’s X account to make a fake announcement that Bitcoin ETFs were approved.
The Department of Justice said that 25-year-old Eric Council, of Alabama, and conspirators conducted a SIM-swap attack to take over the identity of the person in charge of SEC’s X account.
“The conspirators gained control of the SEC’s X account through an unauthorized Subscriber Identity Module (SIM) swap, allegedly carried out by Council. A SIM swap refers to the process of fraudulently inducing a cell phone carrier to reassign a cell phone number from the legitimate subscriber or user’s SIM card to a SIM card controlled by a criminal actor. As part of the scheme, Council and the co-conspirators allegedly created a fraudulent identification document in the victim’s name, which Council used to impersonate the victim; took over the victim’s cellular telephone account; and accessed the online social media account linked to the victim’s cellular phone number for the purpose of accessing the SEC’s X account and generating the fraudulent post in the name of SEC Chairman Gensler.”
The SEC’s X account was hacked on January 9th, 2024, to tweet that it had finally approved Bitcoin ETFs to be listed on stock exchanges.
“Today the SEC grants approval to Bitcoin ETFs for listing on registered national security exchanges. The approved Bitcoin ETFs will be subject to ongoing surveillance and compliance measures to ensure continued investor protection,” read the fake post on X.
This tweet included an image of SEC Chairperson Gary Gensler, with a quote praising the decision.
Bitcoin quickly jumped in price by $1,000 over the announcement, and then just as quickly plummetted by $2,000 after Gensler tweeted that the SEC account had been hacked and the announcement was fake.
The next day, the SEC confirmed the hack was possible through a SIM-swapping attack on the cell phone number associated with the person in charge of the X account.
In SIM swapping attacks, threat actors trick a victim’s wireless carrier into porting a customer’s phone number to a different mobile device under the attacker’s control. This allows hackers to retrieve all texts and phone calls linked to the phone number, including password reset links and one-time passcodes for multi-factor authentication (MFA).
According to the SEC, the hackers did not have access to the agency’s internal systems, data, devices, or other social media accounts, and the SIM swap occurred by tricking their mobile carrier into porting the number.
Once the threat actors controlled the number, they reset the password for the @SECGov X account to create the fake announcement.
Council was indicted on October 10th by a federal grand jury in the District of Columbia for his alleged role in the attack. The suspect is now charged with one count of conspiracy to commit aggravated identity theft and access device fraud, which faces a maximum penalty of five years in prison.
Sim swapping attacks have become a popular tool for threat actors to take over the phone numbers of targeted users, allowing them to receive one-time passcodes and breach accounts.
These attacks are commonly used to steal cryptocurrency from users whose accounts are generally protected through multi-factor authentication.
Most carriers have introduced ways to lock your number from being ported to another carrier without permission, and it is strongly advised that all users enable these protections if available.