- The U.S. Securities and Exchange Commission acknowledged a hacker managed to take over one of the agency’s cell phones to crack its X account and post about the spot bitcoin ETF.
- The regulator had deactivated its multi-factor authentication as far back as July 2023.

The U.S. Securities and Exchange Commission (SEC) confirmed that a hacker took over its X account through a “SIM swap” attack that seized control of a cell phone associated with the account. That allowed the outsider to falsely tweet on January 9 that the agency had approved spot bitcoin exchange-traded funds (ETFs), a day before the agency actually did so.

“Access to the phone number occurred via the telecom carrier, not via SEC systems,” a spokesperson for the agency said in a statement on Monday. “SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.” The SEC did not identify who the telecom carrier was.

The agency had also deactivated its multi-factor authentication on the account in July 2023 “due to issues accessing the account,” the spokesperson said. That protection has since been turned back on.

The embarrassing security lapse – from an agency well known for advising investors to ensure proper security and maintaining multi-factor authentication on their financial accounts – allowed a posting on X under the @SECGov account that led many to believe the agency had signed off on its eagerly-awaited approval for the ETFs. The false news moved the markets before it was quickly determined to be a hack.

“Once in control of the phone number, the unauthorized party reset the password for the @SECGov account,” the spokesperson said. “Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account.”

Shortly after the hack, the SEC moved in earnest to approve bitcoin ETFs.

X – formerly known as Twitter – shared a similar take on the SEC hack in a statement two weeks ago, saying “the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party.”

The SEC is still investigating alongside law enforcement and oversight agencies, including the Federal Bureau of Investigation, Department of Homeland Security, Commodity Futures Trading Commission and the Department of Justice.

SIM swap attacks have been common in crypto for years, with attackers gaining access to victims’ phone numbers, usually for the purpose of stealing their holdings. Friend.Tech users were targeted last year, for example, with attackers making away with users’ ether holdings.