Coindesk Logo

SEC Shut Off Extra Security on X For About 6 Months, Letting Hacker Breeze In

SEC Shut Off Extra Security on X For About 6 Months, Letting Hacker Breeze In

SEC Shut Off Extra Security on X For About 6 Months, Letting Hacker Breeze In

The U.S. regulator confirmed it didn't take its own security advice through much of 2023, leaving it open for a costly social-media hack that's still under investigation.

The U.S. regulator confirmed it didn't take its own security advice through much of 2023, leaving it open for a costly social-media hack that's still under investigation.

The U.S. regulator confirmed it didn't take its own security advice through much of 2023, leaving it open for a costly social-media hack that's still under investigation.

AccessTimeIconJan 22, 2024, 9:00 PM
Updated Mar 8, 2024, 8:19 PM

Chair Gary Gensler's U.S. Securities and Exchange Commission confirmed its bitcoin ETF hack was a "SIM swap." (Jesse Hamilton/CoinDesk)

10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now
  • The U.S. Securities and Exchange Commission acknowledged a hacker managed to take over one of the agency's cell phones to crack its X account and post about the spot bitcoin ETF.
  • The regulator had deactivated its multi-factor authentication as far back as July 2023.

The U.S. Securities and Exchange Commission (SEC) confirmed that a hacker took over its X account through a "SIM swap" attack that seized control of a cell phone associated with the account. That allowed the outsider to falsely tweet on January 9 that the agency had approved spot bitcoin exchange-traded funds (ETFs), a day before the agency actually did so.

"Access to the phone number occurred via the telecom carrier, not via SEC systems," a spokesperson for the agency said in a statement on Monday. "SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts." The SEC did not identify who the telecom carrier was.

The agency had also deactivated its multi-factor authentication on the account in July 2023 "due to issues accessing the account," the spokesperson said. That protection has since been turned back on.

The embarrassing security lapse – from an agency well known for advising investors to ensure proper security and maintaining multi-factor authentication on their financial accounts – allowed a posting on X under the @SECGov account that led many to believe the agency had signed off on its eagerly-awaited approval for the ETFs. The false news moved the markets before it was quickly determined to be a hack.

"Once in control of the phone number, the unauthorized party reset the password for the @SECGov account," the spokesperson said. "Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account."

Shortly after the hack, the SEC moved in earnest to approve bitcoin ETFs.

X – formerly known as Twitter – shared a similar take on the SEC hack in a statement two weeks ago, saying "the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party."

The SEC is still investigating alongside law enforcement and oversight agencies, including the Federal Bureau of Investigation, Department of Homeland Security, Commodity Futures Trading Commission and the Department of Justice.

SIM swap attacks have been common in crypto for years, with attackers gaining access to victims' phone numbers, usually for the purpose of stealing their holdings. Friend.Tech users were targeted last year, for example, with attackers making away with users' ether holdings.

Edited by Nikhilesh De.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Jesse Hamilton is CoinDesk's deputy managing editor for global policy and regulation. He doesn't hold any crypto.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.