The United States Securities and Exchange Commission has confirmed it fell victim to a “SIM swap” attack that led to the false X post stating that spot Bitcoin exchange-traded funds had been approved on Jan. 9.
“Two days after the incident, in consultation with the SEC’s telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack,” an SEC spokesperson said on Jan. 22.
“Once in control of the phone number, the unauthorized party reset the password for the @SECGov account,” the SEC spokesperson added.
The SEC said law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the SEC’s X account.
The SEC also revealed that six months prior to the attack, a staff member removed multi-factor authentication as an additional layer of protection due to issues accessing the account. The security measure was not restored until after the Jan. 9 attack.
The SEC says it hasn’t found any evidence suggesting the unauthorized party gained access to other SEC systems, data or social media accounts.
SIM swapping is a technique in which attackers gain control of a telephone number by having it reassigned to a new device.
The SEC officially approved several spot Bitcoin ETF applications the following day on Jan. 10, most of which began trading on Jan. 11.