SEC Admits Multi-Factor Security Disabled Before Fake Bitcoin Post

A hacker was able to take control of a phone number associated with the US Security and Exchange Commission’s (SEC) official account on X, formerly Twitter, in order to make a premature announcement earlier this month that caused the price of cryptocurencies to skyrocket, the agency said.

The 9 January post on X said the SEC had approved the first spot Bitcoin exchange traded funds (ETFs), causing the price of Bitcoin to skyrocket to $48,000 (£38,000) before the post was removed.

The agency officially confirmed the approval of Bitcoin spot ETFs a day later, but as of Tuesday Bitcoin’s price remained in the doldrums at around $38,000, its lowest value so far this year.

Bitcoin surged in value during the fourth quarter of 2023 from around $26,000 to around $42,000 at the end of December as investors anticipated the approval of ETFs, which allow a broader range of investors to buy products linked to Bitcoin’s price without directly investing in the token.

SEC chair Gary Gensler. Image credit: SEC

SIM swap

Previously only Bitcoin futures ETFs had been approved by the regulator.

The SEC said late on Monday the phone number associated with its X account had been transferred to a different phone using a SIM swap hack, in which a telecoms carrier is tricked into transferring a number to a device under the hacker’s control.

The hacker can then create a new password and authenticate the process via a message sent to the phone number.

The SEC said it is still investigating how the trick was carried out and how the attacker discovered the number was associated with the account.

Image credit: Pexels

MFA disabled

It said multi-factor authentication (MFA), which requires an additional layer of security, such as a dedicated app, had been disabled for six months at the time of the hack at the SEC’s request.

“While MFA had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” the SEC said in a post on X.

“Once access was re-established, MFA remained disabled until staff re-enabled it after the account was compromised on January 9.”

MFA is currently enabled for all SEC social media accounts that offer it, the agency said.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

54 mins ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

3 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

5 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

6 hours ago