SEC Admits Multi-Factor Security Disabled Before Fake Bitcoin Post

A hacker was able to take control of a phone number associated with the US Security and Exchange Commission’s (SEC) official account on X, formerly Twitter, in order to make a premature announcement earlier this month that caused the price of cryptocurencies to skyrocket, the agency said.

The 9 January post on X said the SEC had approved the first spot Bitcoin exchange traded funds (ETFs), causing the price of Bitcoin to skyrocket to $48,000 (£38,000) before the post was removed.

The agency officially confirmed the approval of Bitcoin spot ETFs a day later, but as of Tuesday Bitcoin’s price remained in the doldrums at around $38,000, its lowest value so far this year.

Bitcoin surged in value during the fourth quarter of 2023 from around $26,000 to around $42,000 at the end of December as investors anticipated the approval of ETFs, which allow a broader range of investors to buy products linked to Bitcoin’s price without directly investing in the token.

SIM swap

Previously only Bitcoin futures ETFs had been approved by the regulator.

The SEC said late on Monday the phone number associated with its X account had been transferred to a different phone using a SIM swap hack, in which a telecoms carrier is tricked into transferring a number to a device under the hacker’s control.

The hacker can then create a new password and authenticate the process via a message sent to the phone number.

The SEC said it is still investigating how the trick was carried out and how the attacker discovered the number was associated with the account.

MFA disabled

It said multi-factor authentication (MFA), which requires an additional layer of security, such as a dedicated app, had been disabled for six months at the time of the hack at the SEC’s request.

“While MFA had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” the SEC said in a post on X.

“Once access was re-established, MFA remained disabled until staff re-enabled it after the account was compromised on January 9.”

MFA is currently enabled for all SEC social media accounts that offer it, the agency said.