The United States Securities and Exchange Commission has confirmed it fell victim to a “SIM swap” attack, leading to the false X post on Jan. 9 stating that spot Bitcoin (BTC) exchange-traded funds (ETFs) had been approved.
“Two days after the incident, in consultation with the SEC’s telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack,” an SEC spokesperson said on Jan. 22.
“Once in control of the phone number, the unauthorized party reset the password for the @SECGov account,” the SEC spokesperson added.
The SEC said law enforcement is investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the SEC’s X account.
The SEC also revealed that six months prior to the attack, a staff member removed multifactor authentication, an additional layer of protection, due to issues accessing the account. The security measure was not restored until after the Jan. 9 attack.
The SEC said it hadn’t found any evidence suggesting the unauthorized party gained access to other SEC systems, data or social media accounts.
SIM swapping is a technique in which attackers gain control of a telephone number by having it reassigned to a new device.
The SEC officially approved several spot Bitcoin ETF applications the following day, Jan. 10, most of which began trading on Jan. 11.