Hacker Gains Access to SEC’s X Account, Tweets Fake Bitcoin ETF Approval
The U.S. Securities and Exchange Commission suffered an embarrassing security breach last week when the agency’s official X (formerly Twitter) account was hacked. The hacker sent global financial markets into turmoil by tweeting that the SEC had approved a Bitcoin exchange-traded fund (ETF).
The tweet, sent on January 19th at 11:44 AM ET, stated “The SEC has officially approved a bitcoin ETF and spot bitcoin trading in the US markets. Game over. We won.” This appeared to indicate a major policy shift by the SEC towards greater acceptance of cryptocurrencies.
However, the SEC quickly clarified that the tweet was fabricated. Chairman Gary Gensler released a video statement saying the agency did not yet have plans to approve a Bitcoin ETF. Nevertheless, the fake tweet had already sent prices of Bitcoin spiking nearly 20% to over $25,000. When the truth emerged, Bitcoin erased those gains entirely. Over $200 million worth of trades were liquidated in the wild price swing.
Hacker Exploited SIM Swap Attack, Deactivated MFA
According to the SEC, the X account hacker exploited a common but clever technique called SIM swapping. The hacker was somehow able to hijack the phone number associated with the account. This allowed them to reset the password and bypass multi-factor authentication protections.
It was revealed that the X account’s MFA had not been used since July 2023. Leaving MFA deactivated goes against security best practices for sensitive accounts, and seems to have made the hack significantly easier to execute.
Timeline of Main Events in SEC X Account Hack

| Date / Time | Event |
|---|---|
| January 19, 11:44 AM ET | Fake tweet sent claiming Bitcoin ETF approval |
| 12:15 PM | SEC clarifies tweet is false, begins investigating |
| January 22 | SEC reveals hack details, including SIM swap attack method |
“While this hack clearly embarrassed the agency, it also stressed how vital basic security measures like MFA are, even for accounts with only posting privileges,” said Jordan Mitchell, a cybersecurity expert at Mandiant.
Gensler Under Fire for Security Lapses
SEC Chairman Gary Gensler faced criticism from Congress over the security failures that enabled the hack. House lawmakers admonished Gensler for allowing MFA to remain inactive for so long, violating cybersecurity best practices.
“This hack was utterly preventable through common sense measures like keeping MFA on at all times. The lack of basic account hygiene by the SEC’s technology staff is very concerning,” said Rep. Tom Emmer (R-Minn.), who serves on the House Financial Services Committee.
Gensler stated that MFA was mistakenly disabled during an account transfer between social media staffers.
While Gensler apologized for the incident, lawmakers may call for accountability through hearings or investigations into this cybersecurity failure. There are also worries the hacker could attempt further intrusions into SEC systems.
What Happens Next?
The SEC continues working with law enforcement to track down the still-unidentified hacker behind the SIM swap attack and fake tweet. The FBI, Homeland Security, and U.S. Secret Service are all reportedly cooperating on the investigation.
Privacy experts have also raised concerns about the safety of private user data, including financial information, held by cell phone providers that could be exposed in SIM swap attacks. They advocate for telcos to increase identity verification requirements before porting a person’s phone number to a new device.
The SEC’s next moves around cryptocurrency regulation remain uncertain after this incident. Gensler has been viewed as skeptical of Bitcoin ETFs up to this point.
“While I don’t expect SEC policies to change overnight, this hack seemed to briefly reveal the crypto community’s greatest wish – a regulated Bitcoin ETF product. So the pressure is rising for Gensler to revisit his stance,” said Edward Robinson, a longtime fintech reporter for Bloomberg News.
For now, the SEC’s leadership has its hands full investigating the hack and reassuring the public that critical systems are secure. However, last week’s events gave significant exposure to the growing mainstream adoption of cryptocurrencies. Once the dust settles, talks of allowing Bitcoin ETFs in a limited capacity may advance more quickly than Gensler would prefer.
To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.