According to CoinDesk, the U.S. Securities and Exchange Commission (SEC) confirmed that a hacker managed to take over one of the agency's cell phones through a 'SIM swap' attack, seizing control of the phone associated with its X account. This allowed the hacker to falsely tweet on January 9 that the SEC had approved spot bitcoin exchange-traded funds (ETFs), a day before the agency actually did so. The SEC stated that access to the phone number occurred via the telecom carrier, not through SEC systems, and that no evidence has been found of unauthorized access to SEC systems, data, devices, or other social media accounts.
The SEC had deactivated its multi-factor authentication on the account in July 2023 due to issues accessing the account, but it has since been turned back on. The security lapse allowed a posting on X under the @SECGov account, leading many to believe the agency had approved the ETFs, which briefly moved the markets before being determined as a hack. Law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how they knew which phone number was associated with the account. The SEC is still investigating the incident alongside law enforcement and oversight agencies, including the Federal Bureau of Investigation, Department of Homeland Security, Commodity Futures Trading Commission, and the Department of Justice. SIM swap attacks have been common in the crypto industry for years, with attackers typically targeting victims' phone numbers to steal their holdings.
