Yahoo Finance SEC blames ‘SIM swap’ attack for disastrous X hack ahead of Bitcoin ETF approval
The Securities and Exchange Commission provided an update on Monday to a hacking incident from earlier this month that sent ripples through the crypto industry ahead of the agency's anticipated approval of Bitcoin ETFs.
In a statement shared with Fortune, an SEC spokesperson said the agency was the victim of a "SIM swap" attack—a technique in which cybercriminals convince mobile carriers to transfer phone numbers to a new account.
While Monday's explanation provides additional context as to how a hacker gained unauthorized control of a key government office's social media account, the SEC said it's still working with law enforcement agencies to determine who carried out the attack.
The hack
On Jan. 9, crypto industry onlookers monitored SEC accounts for any notice of the agency's decision on Bitcoin ETFs, a financial vehicle that would allow investors to trade the popular cryptocurrency as shares on major exchanges. After years of rejecting applications for Bitcoin ETFs, the SEC was poised to approve the applications of a dozen-odd firms, including BlackRock.
While analysts predicted the decision would come on Jan. 10, the SEC's official X (formerly Twitter) account made a surprising announcement just after markets closed on Jan. 9: The agency had approved every application. Many on the social media platform were celebrating.
Still, something seemed off. There were no new filings to support the decisions, and the SEC did not post any updated news on its website. Soon after, Chair Gary Gensler posted on his own account that the SEC's account had been "compromised" and that the agency had not yet approved the listing or trading of any of the ETFs.
As speculation swirled, SEC staff clarified that someone had gained unauthorized access to the agency's X account, and officials were working with law enforcement officials to find the culprit.
Criticism poured in from all sides, with gleeful crypto advocates pointing to past SEC guidance on cybersecurity practices, and lawmakers from both parties calling for an investigation into what happened.
‘Issues accessing the account’
The SEC is still investigating how the hacker was able to persuade the carrier to change the SIM for its account, and how they knew which phone number was associated with the account.
SIM swaps are often carried out through social engineering: A cybercriminal calls a cell phone provider such as T-Mobile and convinces an agent to transfer over the control of a phone number to a new SIM card. With control of the phone number, the attacker can reset passwords and take over the victim's accounts.
The attacks are common in crypto, with Vitalik Buterin—the cofounder of Ethereum—losing access to his X account in an incident in September, with a hacker posting a malicious link to Buterin's page and stealing over $691,000 from unsuspecting victims.
One protection against SIM swaps is multifactor authentication, which provides an additional layer of defense. According to the SEC spokesperson, the agency's X account had multifactor authentication enabled but removed it in July because of "issues accessing the account," adding that the feature since has been enabled on every SEC social account where available.
Under Elon Musk's ownership, X has faced criticism over cybersecurity, including for removing SMS-based multifactor authentication for nonsubscribers in February. Still, cybersecurity experts have long warned that SMS-based multifactor authentication is weaker than other forms because it is vulnerable to SIM swapping and urged users to rely instead on authentication apps or physical security keys.
The SEC did not have any multifactor authentication enabled. The spokesperson said that the hacker reset the password once in control of the number, although did not specify the exact mechanics.
The spokesperson said the agency is coordinating with different law enforcement and federal oversight agencies, including the SEC's Office of Inspector General, the FBI, the Department of Homeland Security, and the Department of Justice.
The spokesperson said there's no evidence that the hacker gained access to SEC systems, data, devices, or other social platforms.
This story was originally featured on Fortune.com
