SEC Blames ETF Tweet on SIM Swapper

Reading Time: 2 minutes
  • The SEC has recently updated the public on a hacking incident preceding the anticipated approval of Bitcoin ETFs
  • Cybercriminals persuaded mobile carriers to transfer phone numbers through a SIM swap attack, enabling the attacker to falsely claim the Bitcoin ETF approval
  • The situation is ironic as the SEC, known for offering cybersecurity advice, fell victim to a breach despite advocating data protection and device security

The Securities and Exchange Commission (SEC) recently issued an update regarding the hacking incident that caused turmoil in the crypto industry just before the expected approval of Bitcoin ETFs. In a statement shared with Fortune, an SEC spokesperson disclosed that the agency fell victim to a “SIM swap” attack, a method in which cybercriminals persuade mobile carriers to transfer phone numbers to a new account, which allegedly allowed the miscreant to pretend that the Bitcoin ETF had been awarded. The suggestion is all the more galling given that the SEC is frequently offering advice to citizens to protect their data and secure their devices.

SEC Account Tweeted Bitcoin ETF Approval

The incident unfolded on January 9, as the crypto community eagerly awaited the SEC’s decision on Bitcoin ETFs. Despite predictions for the announcement on January 10, the official SEC X account unexpectedly declared approval for all applications just after the markets closed. However, suspicions arose as no supporting filings were found, and the SEC did not update its website with relevant news. Subsequently, SEC Chair Gary Gensler clarified on his personal account that the SEC’s account had been compromised, and no approval had been granted for the ETFs.

Criticism from various quarters ensued, with crypto enthusiasts highlighting previous SEC cybersecurity guidelines, and bipartisan lawmakers calling for an investigation into the incident.

Ease of Compromise Will Worry the Government

SIM swap attacks are nothing new in the US but they typically target individuals; that a government body was compromised in this way is highly alarming, and the SEC is actively investigating the techniques employed by the hacker to convince its carrier to perform a SIM swap and determine how they identified the phone number linked to the account.

SIM swaps often involve social engineering, where a cybercriminal persuades a cell phone provider to transfer control of a phone number to a new SIM card. Once in control of the phone number, the attacker can reset passwords and take over the victim’s accounts.

The spokesperson told Fortune that, despite having multifactor authentication enabled, the SEC’s X account removed this security feature in July due to “issues accessing the account”, clarifying that multifactor authentication has since been reinstated on all SEC social accounts where available. At the time this was known, interested onlookers were not slow in pointing the SEC to its own guidance on two-factor authentication.

The incident underscores the vulnerability of SMS-based multifactor authentication to SIM swapping, a risk that cybersecurity experts have long warned against. The SEC is collaborating with law enforcement agencies, including the SEC’s Office of Inspector General, the FBI, the Department of Homeland Security, and the Department of Justice. The spokesperson affirmed that there is no evidence indicating the hacker gained access to SEC systems, data, devices, or other social platforms.