The United States Securities and Exchange Commission (SEC) claims that it was a victim of “SIM swapping” when its account on the social media platform X, formerly known as Twitter, was hacked earlier this month, prior to the approval of multiple spot Bitcoin exchange-traded funds (ETFs).
“SIM swapping” is a technique internet fraudsters use to seize control of telephone lines. In this way, attackers gain control of a telephone number by having it reassigned to a new device.
SEC had Multifactor Authentication Enabled
The SEC claims to have had multifactor authentication enabled six months before the hack, but X Support disabled it at the request of an SEC staff member due to issues accessing the account. The hack led to the false X post on January 9 stating that spot Bitcoin exchange-traded funds (ETFs) had been approved.
Multifactor authentication is an additional layer of protection. The security measure was not restored until after the January 9 attack.
Approval on January 10
The following day, January 10, the SEC formally authorized a number of spot Bitcoin ETF applications, the majority of which started trading on January 11.
The regulator approved the 19b-4 applications from prominent entities like VanEck (HODL), Valkyrie (BRRR), Grayscale Investments ($GBTC), WisdomTree (BTCW), Invesco Galaxy (BTCO), BlackRock Inc. (IBIT), Fidelity Investments (FBTC), Bitwise (BITB), Hashdex (DEFI), ARK 21shares (ARKB), and Franklin Templeton (EZBC).
SEC Cell Phone Hacked
Two days after the incident, the SEC determined, in consultation with the regulator’s telecom carrier, that the unauthorized party obtained control of the agency’s cell phone number associated with the X account in an apparent ‘SIM swap’ attack.
“Once in control of the phone number, the unauthorized party reset the password for the @SECGov account,” an SEC spokeswoman explained.
An investigation has also been opened into how the unauthorized party got the carrier to change the SIM for the account and how the attacker knew which phone number was associated with the agency’s X account.