The
U.S.
Securities
and
Exchange
Commission
release
this
statement
in
response
to
the
hack
of
its
X
account
that
led
to
a
fake
announcement
being
issued
in
the
SEC’s
name
saying
the
regulator
had
a
approved
a
spot
bitcoin
exchange-traded
fund:
Based
on
current
information,
staff
understands
that,
shortly
after
4:00
pm
ET
on
Tuesday,
January
9,
2024,
an
unauthorized
party
gained
access
to
the
@SECGov
X.com
account
by
obtaining
control
over
the
phone
number
associated
with
the
account.
The
unauthorized
party
made
one
post
at
4:11
pm
ET
purporting
to
announce
the
Commission’s
approval
of
spot
bitcoin
exchange-traded
funds,
as
well
as
a
second
post
approximately
two
minutes
later
that
said
“$BTC.”
The
unauthorized
party
subsequently
deleted
the
second
post,
but
not
the
first.
Using
the
@SECGov
account,
the
unauthorized
party
also
liked
two
posts
by
non-SEC
accounts.
While
SEC
staff
is
still
assessing
the
scope
of
the
incident,
there
is
currently
no
evidence
that
the
unauthorized
party
gained
access
to
SEC
systems,
data,
devices,
or
other
social
media
accounts.
Upon
becoming
aware
of
the
incident,
staff
in
the
Office
of
Public
Affairs
posted
to
the
official
@garygensler
X.com
account
at
4:26
pm
ET,
alerting
the
public
that
the
@SECGov
account
had
been
compromised,
an
unauthorized
post
was
made,
and
the
Commission
had
not
approved
the
listing
and
trading
of
spot
bitcoin
exchange-traded
products.
Staff
deleted
the
first
unauthorized
post
on
the
@SECGov
account,
un-liked
the
two
liked
posts,
and,
at
4:42
pm
ET,
made
a
new
post
on
the
@SECGov
account
stating
that
the
account
had
been
compromised.
Staff
also
reached
out
to
X.com
for
assistance
in
terminating
the
unauthorized
access
to
the
@SECGov
account.
Based
on
information
currently
available,
staff
believe
that
the
unauthorized
access
to
the
account
was
terminated
between
4:40
pm
ET
and
5:30
pm
ET.
The
SEC
takes
its
cybersecurity
obligations
seriously.
Commission
staff
are
still
assessing
the
impacts
of
this
incident
on
the
agency,
investors,
and
the
marketplace
but
recognize
that
those
impacts
include
concerns
about
the
security
of
the
SEC’s
social
media
accounts.
The
staff
also
will
continue
to
assess
whether
additional
remedial
measures
are
warranted.
Staff
are
coordinating
with
appropriate
law
enforcement
and
federal
oversight
entities,
including
the
SEC’s
Office
of
Inspector
General,
the
Federal
Bureau
of
Investigation,
and
the
Department
of
Homeland
Security’s
Cybersecurity
and
Infrastructure
Security
Agency,
amongst
others,
in
their
investigations.
The
agency
will
provide
updates
on
the
incident
as
appropriate.
Importantly,
the
Commission
makes
its
actions
public
on
the
Commission’s
website,
http://www.sec.gov.
The
Commission
does
not
use
social
media
channels
to
make
its
actions
public;
social
media
posts
only
amplify
announcements
that
are
made
on
our
website.