The US Securities and Exchange Commission (SEC) disclosed that its social media account on platform X fell victim to a “SIM swapping” attack in connection with a false post regarding the approval of Bitcoin exchange-traded funds (ETFs) earlier this month.
This incident took place on January 9 and caused a temporary surge in Bitcoin’s price, which crashed after SEC Chair Gary Gensler announced on his personal X account that the SEC’s official account had been “compromised.”
In a statement released this week, the SEC revealed that six months prior to the attack, an additional layer of security known as multi-factor authentication (MFA) had been removed by staff and was only reinstated after the January 9 attack.
The day after the fraudulent post, the commission held a vote that ultimately approved all spot Bitcoin ETF applications.
SIM swapping involves attackers gaining control of a phone number by having the carrier reassign it to a new device. Once in control of the phone number, the unauthorized party reset the password for the @SECGov account, as detailed in the statement.
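The two facts the statement gives, that MFA had been switched off and that control of the phone number alone was enough to reset the password, describe an account-recovery flow whose only proof of identity is an SMS code. The model below is an added illustration, not X's or the SEC's actual logic: a hypothetical `Carrier` table decides which device a number rings (a SIM swap rewrites that entry), `password_reset` accepts whoever receives the SMS code, and a TOTP check is applied only when the account still has an authenticator secret. The account handle, phone number, and secret are constructed values; `totp` implements RFC 6238 with HMAC-SHA1 so the second factor is a real one rather than a stub.

```python
"""Model of an SMS-based account-recovery flow, showing why a SIM swap
defeats it when MFA is off and why a device-bound second factor stops it.
Hypothetical illustration; not the recovery logic of any real platform."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app would show."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


@dataclass
class Account:
    handle: str
    phone_number: str              # number the platform sends reset codes to
    totp_secret: Optional[bytes]   # None models "MFA removed by staff"


@dataclass
class Carrier:
    """Which party a phone number currently rings; a SIM swap rewrites this."""
    routing: Dict[str, str]        # phone number -> party holding the SIM

    def deliver_sms(self, number: str) -> str:
        return self.routing[number]

    def sim_swap(self, number: str, new_holder: str) -> None:
        # The carrier is talked into moving the number to a new device.
        self.routing[number] = new_holder


def password_reset(account: Account, carrier: Carrier, requester: str,
                   totp_code: Optional[str], now: int) -> str:
    """Returns the outcome of a reset attempt by `requester`."""
    # Step 1: the SMS one-time code goes wherever the carrier routes the number,
    # so whoever holds the SIM can always pass this check.
    receiver = carrier.deliver_sms(account.phone_number)
    if receiver != requester:
        return "denied: reset code went to someone else"
    # Step 2: a factor bound to a device, not to the number, if MFA is enabled.
    if account.totp_secret is not None:
        if totp_code != totp(account.totp_secret, now):
            return "denied: MFA code missing or wrong"
    return f"reset granted to {requester}"


# Constructed sample values for the scenarios below.
SECRET = b"12345678901234567890"   # RFC 6238 test secret, not a real key
NUMBER = "+1-555-0100"


def sim_swap_scenario(mfa_enabled: bool, now: int = 1_700_000_000) -> str:
    """Attacker obtains the number via SIM swap but has no authenticator."""
    account = Account("@agency", NUMBER, SECRET if mfa_enabled else None)
    carrier = Carrier({NUMBER: "staff"})
    carrier.sim_swap(NUMBER, "attacker")
    return password_reset(account, carrier, "attacker", None, now)


def owner_scenario(now: int = 1_700_000_000) -> str:
    """Legitimate holder with MFA on: SMS code plus current TOTP succeeds."""
    account = Account("@agency", NUMBER, SECRET)
    carrier = Carrier({NUMBER: "staff"})
    return password_reset(account, carrier, "staff", totp(SECRET, now), now)


if __name__ == "__main__":
    print("MFA off :", sim_swap_scenario(False))
    print("MFA on  :", sim_swap_scenario(True))
    print("Owner   :", owner_scenario())
```

The point the model makes is that the SMS step and the phone number are the same trust anchor, so removing the authenticator leaves a single factor that the carrier, not the account holder, ultimately controls. Reinstating MFA, as the statement says was done after January 9, puts a second anchor back that a SIM swap does not move.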
This new statement from the regulatory authority reaffirms crucial details previously shared by X Safety on the day following the incident.
Ongoing investigation by SEC and law enforcement agencies
According to the recent SEC statement, law enforcement agencies are actively investigating how the hackers managed to convince the SEC’s mobile carrier to facilitate the switch of the phone number. The specific carrier involved has not been disclosed by the agency.
This incident has raised questions from both lawmakers and leaders within the cryptocurrency industry regarding the SEC’s vulnerability to such an attack. This is especially concerning given the regulator’s strict cybersecurity requirements imposed on publicly traded companies.
Multiple agencies are currently conducting investigations into the incident, including the SEC’s Office of Inspector General and its Division of Enforcement, the Commodity Futures Trading Commission, the Federal Bureau of Investigation, the Department of Justice, and the Cybersecurity and Infrastructure Security Agency.
The SEC statement also mentioned that multi-factor authentication has been enabled for all SEC social media accounts that offer this additional layer of security.