The Securities and Exchange Commission (SEC) has
revealed that the unauthorized post on January 9 about the approval of spot
Bitcoin ETFs on January 9 was related to a “SIM swap” attack.
This tactic involves transferring a mobile phone
number to a different device without the owner’s consent. The US securities
watchdog clarified that the attack occurred via the telecommunications carrier
rather than through its internal systems, emphasizing that its core systems
were never compromised.
The misleading post, which declared the green light
for the first bitcoin exchange-traded funds (ETFs), caused a frenzy in the
cryptocurrency sector. However, the SEC was quick to dismiss the post,
attributing it to a hacker who had gained control of the mobile phone number
linked to the account.
After the intruder had compromised the regulator’s X
account, the password to the account was reset, and a false announcement about
the approval of spot Bitcoin ETFs was made. Notably, multi-factor
authentication (MFA), previously enabled, had been disabled in July 2023,
raising questions about the vulnerability of the account leading up to the
incident.
The SEC mentioned: “While multi-factor
authentication (MFA) had previously been enabled on the @SECGov X account, it
was disabled by X Support, at the staff’s request, in July 2023 due to issues
accessing the account.”
“Once access was reestablished, MFA remained
disabled until staff reenabled it after the account was compromised on January
9. MFA currently is enabled for all SEC social media accounts that offer
it.”
The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.
— U.S. Securities and Exchange Commission (@SECGov) January 9, 2024
SEC’s Social Media Safety Concerns
The timing of the incident was particularly
significant as Wall Street eagerly awaited SEC authorization of the first-ever
spot bitcoin ETFs. This breach raised a concern about the SEC’s social media
security.
Upon discovery, SEC staff swiftly responded by
deleting the unauthorized post, un-liking external posts, and alerting the
public through the official @garygensler X.com account. The SEC engaged with
X.com to terminate unauthorized access between 4:40 pm ET and 5:30 pm ET on the
same day.
The SEC is collaborating with various law
enforcement and federal oversight entities, including the SEC’s Office of
Inspector General, the Federal…
