SEC Admits Multi-Factor Security Disabled Before Fake Bitcoin Post

A hacker was able to take control of a phone number associated with the US Security and Exchange Commission’s (SEC) official account on X, formerly Twitter, in order to make a premature announcement earlier this month that caused the price of cryptocurencies to skyrocket, the agency said.

The 9 January post on X said the SEC had approved the first spot Bitcoin exchange traded funds (ETFs), causing the price of Bitcoin to skyrocket to $48,000 (£38,000) before the post was removed.

The agency officially confirmed the approval of Bitcoin spot ETFs a day later, but as of Tuesday Bitcoin’s price remained in the doldrums at around $38,000, its lowest value so far this year.

Bitcoin surged in value during the fourth quarter of 2023 from around $26,000 to around $42,000 at the end of December as investors anticipated the approval of ETFs, which allow a broader range of investors to buy products linked to Bitcoin’s price without directly investing in the token.

SEC chair Gary Gensler. Image credit: SEC

SIM swap

Previously only Bitcoin futures ETFs had been approved by the regulator.

The SEC said late on Monday the phone number associated with its X account had been transferred to a different phone using a SIM swap hack, in which a telecoms carrier is tricked into transferring a number to a device under the hacker’s control.

The hacker can then create a new password and authenticate the process via a message sent to the phone number.

The SEC said it is still investigating how the trick was carried out and how the attacker discovered the number was associated with the account.

Image credit: Pexels

MFA disabled

It said multi-factor authentication (MFA), which requires an additional layer of security, such as a dedicated app, had been disabled for six months at the time of the hack at the SEC’s request.

“While MFA had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” the SEC said in a post on X.

“Once access was re-established, MFA remained disabled until staff re-enabled it after the account was compromised on January 9.”

MFA is currently enabled for all SEC social media accounts that offer it, the agency said.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago