The fake Twitter announcement of a spot Bitcoin ETF approval from the U.S. Securities and Exchange Commission (SEC) ahead of the real announcement was the result of a SIM swap attack, the regulator revealed Monday.
In a statement, the SEC provided details of how its @SECGov Twitter account was “compromised,” throwing the crypto market into turmoil as it posted a fake announcement that the long-awaited spot Bitcoin ETFs had been given the green light.
After consulting with its telecom carrier, the securities regulator “determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack,” the regulator revealed. “Once in control of the phone number, the unauthorized party reset the password for the @SECGov account.”
The regulator noted that it is “continuing to coordinate with several law enforcement and federal oversight entities,” in the ongoing investigation, which aims to discover how the unauthorized party was able to get the SEC’s phone carrier to change the SIM for the account, and how they knew which phone number was associated with the account.
The SEC further revealed that multi-factor authentication (MFA) on its Twitter account had been disabled at the request of its staff since July 2023, “due to issues accessing the account.” The regulator’s failure to enable MFA on its Twitter account contradicts SEC chair Gary Gensler’s own recommendations for guarding against identity theft and fraud, which he made in a tweet posted in October 2023.
The incident caused chaos in the cryptocurrency market as it waited on tenterhooks for news of whether the SEC would approve or reject multiple spot Bitcoin ETFs before a window to do so closed. Following a tweet from chair Gensler retracting the fake announcement, and a follow-up tweet from the SEC’s own account, Bitcoin’s price plunged.
The following day, the SEC issued the—real—approval of the rule change that enabled spot Bitcoin ETFs to begin trading.
The regulator’s social media blunder prompted Senators JD Vance (R-OH) and Thom Tillis (R-N.C.), who noted that the incident raised “serious concerns” over the regulator’s cybersecurity procedures, to demand an explanation from the SEC chair.
Edited by Stacy Elliott.