SEC Admits Multi-Factor Security Disabled Before Fake Bitcoin Post

A hacker was able to take control of a phone number associated with the US Security and Exchange Commission’s (SEC) official account on X, formerly Twitter, in order to make a premature announcement earlier this month that caused the price of cryptocurencies to skyrocket, the agency said.

The 9 January post on X said the SEC had approved the first spot Bitcoin exchange traded funds (ETFs), causing the price of Bitcoin to skyrocket to $48,000 (£38,000) before the post was removed.

The agency officially confirmed the approval of Bitcoin spot ETFs a day later, but as of Tuesday Bitcoin’s price remained in the doldrums at around $38,000, its lowest value so far this year.

Bitcoin surged in value during the fourth quarter of 2023 from around $26,000 to around $42,000 at the end of December as investors anticipated the approval of ETFs, which allow a broader range of investors to buy products linked to Bitcoin’s price without directly investing in the token.

SEC chair Gary Gensler. Image credit: SEC

SIM swap

Previously only Bitcoin futures ETFs had been approved by the regulator.

The SEC said late on Monday the phone number associated with its X account had been transferred to a different phone using a SIM swap hack, in which a telecoms carrier is tricked into transferring a number to a device under the hacker’s control.

The hacker can then create a new password and authenticate the process via a message sent to the phone number.

The SEC said it is still investigating how the trick was carried out and how the attacker discovered the number was associated with the account.

Image credit: Pexels

MFA disabled

It said multi-factor authentication (MFA), which requires an additional layer of security, such as a dedicated app, had been disabled for six months at the time of the hack at the SEC’s request.

“While MFA had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” the SEC said in a post on X.

“Once access was re-established, MFA remained disabled until staff re-enabled it after the account was compromised on January 9.”

MFA is currently enabled for all SEC social media accounts that offer it, the agency said.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

UK CMA Seeks Feedback On Microsoft, Amazon AI Partnerships

British regulator invites feedback on major partnerships Microsoft and Amazon have struck with smaller AI…

5 hours ago

Google Fires More Staff Over Israel Protest

Another 20 staff have been fired by Google over Israel protest and their “completely unacceptable…

6 hours ago

Australian PM Hits Out At Elon Musk Over Knife Attack Video

Censorship row brewing down under, after the Australian Prime Minister calls Elon Musk an 'arrogant…

7 hours ago

US SEC Seeks $5.3 Billion Fine From Terra’s Do Kwon

Financial regulator asks New York judge to impose $5.3 billion in fines against Terraform Labs…

8 hours ago

Microsoft Launches Smallest AI Model, Phi-3-mini

Lightweight artificial intelligence model launched this week by Microsoft, offering more cost-effective option for Azure…

11 hours ago

US Senate Passes TikTok Ban Or Divestment Bill

ByteDance protest falls on deaf ears, as Senate passes TikTok ban or divest bill, with…

13 hours ago