The United States Securities and Exchange Commission (SEC) acknowledged falling victim to a “SIM swap” attack, leading to a false announcement regarding the approval of spot Bitcoin exchange-traded funds (ETFs) on Jan. 9.
Confirming the incident on Jan. 22, an SEC spokesperson revealed that an unauthorized party successfully executed a “SIM swap” attack, gaining control of the SEC cell phone number associated with the account. Subsequently, the attacker reset the password for the @SECGov account, enabling them to post misleading information.
SIM swapping is a technique in which an attacker takes control of a victim's telephone number by having the carrier reassign it to a device the attacker controls. Because the number then receives the victim's SMS codes and password-reset messages, this incident highlights how effective such attacks are at compromising high-profile accounts that rely on a phone number for authentication or recovery.
Investigations Point to SIM Swap Attack
The SEC has initiated a thorough investigation into the matter, collaborating with law enforcement to determine how the unauthorized party convinced the carrier to change the SIM for the account. Additionally, the SEC is examining how the attacker knew which phone number was linked to the SEC’s X account.
It was disclosed that six months before the attack, a staff member removed multi-factor authentication as an additional layer of protection due to difficulties accessing the account. Remarkably, this security measure was not reinstated until after the Jan. 9 attack occurred.
Limited Impact on SEC Systems
Despite the breach, the SEC assured that there is no evidence suggesting the unauthorized party gained access to other SEC systems, data, or social media accounts.
Following the incident, the SEC officially approved several spot Bitcoin ETF applications on Jan. 10, with most of them commencing trading on Jan. 11. The regulatory body is now working to address the aftermath of the SIM swap attack and reinforce its security measures.