The X Safety Team’s preliminary investigation suggests that a “SIM swap” attack was behind the false announcement that the Securities and Exchange Commission (SEC) had approved a spot Bitcoin ETF.
According to the X Safety Team, the SEC’s main X account lacked two-factor authentication (2FA), which allowed the attacker to take it over and post in the SEC’s name.
The missing 2FA has drawn fresh scrutiny of the SEC’s security practices, since the breach produced a false announcement that a spot Bitcoin ETF had been approved.
A Jan. 10 post on X’s safety page revealed that the hacker executed a SIM swap attack, gaining control of the phone number linked to the SEC’s account.
“Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party,” wrote the X safety team.
“We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.”
In a SIM swap attack, a form of identity theft, the attacker takes over the victim’s phone number, typically by persuading the carrier to port it to a SIM the attacker controls, and then uses it to receive the SMS codes that guard the victim’s accounts, including crypto wallets. In this case the attacker likely obtained the number by convincing a third-party telecom provider to transfer the phone number associated with the SEC’s X account.
Even without knowing the SEC’s X account password, an attacker holding that phone number could request a password reset and receive the reset code by SMS; all that is needed to start the reset is an identifier for the account, such as its username or the associated email address.
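To make the security point concrete, the following added example (not code from the article, X, or the SEC) implements HOTP/TOTP per RFC 4226 and RFC 6238 and runs a toy account-recovery flow against a simulated carrier. The carrier, account and reset flow are simplified assumptions for illustration, not X’s real recovery process; the phone number, handle and secrets are constructed. It shows why SMS-based recovery is only as strong as the carrier’s porting controls: once the number is ported, the attacker passes the SMS step, and only an authenticator-app factor, whose secret never leaves the owner’s device, stops the reset.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side (clock drift)."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), code):
            return True
    return False


class Carrier:
    """Toy telecom (assumption): tracks which party currently holds each number's SIM."""

    def __init__(self) -> None:
        self.holder: dict[str, str] = {}

    def activate(self, number: str, party: str) -> None:
        self.holder[number] = party

    def port_number(self, number: str, new_party: str) -> None:
        """The SIM swap itself: the carrier moves the number to a SIM the attacker controls."""
        self.holder[number] = new_party

    def deliver_sms(self, number: str, text: str) -> tuple[str, str]:
        """Returns (party that actually receives the message, message text)."""
        return self.holder[number], text


class Account:
    def __init__(self, handle: str, phone: str, totp_secret: bytes | None = None) -> None:
        self.handle = handle
        self.phone = phone
        self.totp_secret = totp_secret  # None means no authenticator-app 2FA enrolled


def attempt_reset(account: Account, carrier: Carrier, requester: str, now: int,
                  requester_totp_secret: bytes | None = None) -> bool:
    """Model of an SMS-first password-reset flow (assumption, not X's real flow).
    Returns True if `requester` ends up able to set a new password."""
    sms_code = f"{secrets.randbelow(10 ** 6):06d}"
    recipient, delivered = carrier.deliver_sms(account.phone, sms_code)
    presented = delivered if recipient == requester else ""  # only the SIM holder sees it
    if not hmac.compare_digest(presented, sms_code):
        return False
    if account.totp_secret is None:
        return True  # no 2FA on the account: holding the number is enough
    if requester_totp_secret is None:
        return False  # requester has no authenticator secret, so cannot produce a code
    return verify_totp(account.totp_secret, totp(requester_totp_secret, now), now)


NUMBER = "+15550100"        # constructed sample number
NOW = 1_700_000_000         # fixed clock so runs are reproducible


def owner_recovery(with_totp: bool) -> bool:
    """Baseline: the rightful owner, still holding the SIM, recovers the account."""
    carrier = Carrier()
    carrier.activate(NUMBER, "legit-owner")
    secret = secrets.token_bytes(20) if with_totp else None
    acct = Account("@example", NUMBER, secret)
    return attempt_reset(acct, carrier, "legit-owner", NOW, requester_totp_secret=secret)


def sim_swap_scenario(with_totp: bool) -> bool:
    """The attack: number is ported to the attacker, who then requests a reset."""
    carrier = Carrier()
    carrier.activate(NUMBER, "legit-owner")
    secret = secrets.token_bytes(20) if with_totp else None
    acct = Account("@example", NUMBER, secret)
    carrier.port_number(NUMBER, "attacker")  # social-engineered at the carrier
    return attempt_reset(acct, carrier, "attacker", NOW)


if __name__ == "__main__":
    print("owner, SMS only:        ", owner_recovery(False))   # True
    print("attacker, SMS only:     ", sim_swap_scenario(False))  # True: account lost
    print("attacker, SMS + TOTP:   ", sim_swap_scenario(True))   # False: reset blocked
```

The `hotp` and `totp` functions reproduce the RFC test vectors (secret `12345678901234567890`, counter 0 gives `755224`; time 59 gives `287082`), so they can be checked against any authenticator app. The design point is the last branch of `attempt_reset`: a carrier can be talked into porting a number, but it cannot hand over a TOTP seed it never had.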
Blockchain sleuth ZachXBT humorously rephrased SEC Chair Gary Gensler’s social media security advice in response to the X safety post.
Following the hack, Senators J.D. Vance and Thom Tillis sent a letter to SEC Chair Gary Gensler expressing concern and seeking an explanation within four days.
“These developments raise serious concerns regarding the Commission’s internal cybersecurity procedures and are antithetical to the Commission’s tripartite mission to protect investors,” the letter said.
Several members of Congress also demanded an official investigation into the incident, with Senator Bill Hagerty emphasizing the need for transparency.
“Just like the SEC would demand accountability from a public company if they made such a colossal market-moving mistake, Congress needs answers on what just happened. This is unacceptable.”
Senator Cynthia Lummis likewise called for transparency regarding the “fraudulent announcements.”
Elon Musk, responding to a CNBC segment that hinted X’s internal systems had been compromised, disputed the claim on X, joking that “LFGDogeToTheMoon” was the SEC’s password.