The U.S. Securities and Exchange Commission (SEC) has confirmed that it fell victim to a "SIM swap" attack, resulting in a fake X post on January 9 claiming the approval of spot Bitcoin exchange-traded funds (ETFs).
An SEC spokesperson stated, "Two days after the incident, in consultation with the SEC's telecommunications carriers, the SEC determined that an unauthorized party gained control of the SEC mobile number associated with the account through an apparent 'SIM swap' attack." The SEC spokesperson added, "Once control of the phone number was obtained, the unauthorized party reset the password for the @SECGov account."
The SEC mentioned that law enforcement is investigating how the unauthorized party convinced a carrier to change the account's SIM card and how they knew which phone number was associated with the SEC's X account. Additionally, the SEC revealed that six months prior to the attack, a staff member removed multi-factor authentication as an extra layer of protection due to account access issues. Security measures were not reinstated until after the January 9 attack.
The SEC clarified that there is no evidence indicating that the unauthorized party gained access to other SEC systems, data, or social media accounts. SIM swapping involves an attacker taking control of a phone number by reassigning it to a new device. On January 10, the day after the attack, the SEC officially approved several spot Bitcoin ETF applications, and most of them commenced trading on January 11.