The cryptocurrency world has been anticipating the approval of Bitcoin ETFs by the Securities and Exchange Commission (SEC), something that finally happened just before the deadline on Wednesday. A group of hackers touched off premature celebration on Tuesday when they gained control of the SEC’s X account, using the unauthorized access to post a fake approval message.
X’s corporate safety team indicated that the hackers had gained access to a phone number tied to the SEC’s account through a “third party,” pointing to a likely SIM swap. The SEC reportedly also did not have two-factor authentication enabled at the time of the attack.
Hacked X account takes advantage of hotly anticipated crypto news
The crypto world has been abuzz with talk of a Bitcoin ETF, or SEC approval for certain investment companies to offer “spot bitcoin” exchange-traded funds. These are liquid funds that tie their value to the price of bitcoin by holding large amounts of it, providing investors a means to profit from crypto without actually holding any of it. The SEC had set January 10 as a deadline to reach a decision regarding the applications of 11 firms that sought to offer bitcoin ETFs; it ended up approving all of them, though waiting until the last minute to do so opened the door for hackers to have some fun first.
The fun only lasted for about 15 minutes. At a little after 4:00 PM on Tuesday, just after the markets had closed for the day in New York, the SEC X account posted what looked like authentic approval of bitcoin ETFs. The news spread like wildfire, sparking mass celebration from crypto exchanges. They would end up having to wait a day for the real party, however. Gary Gensler, chair of the SEC, was quick to post from his personal X account that the notification was bogus and that a hack had taken place.
Though there was only about 15 minutes of exposure, it was enough time for Reuters and several other media outlets to publish stories covering the apparent Bitcoin ETF approval. The price of bitcoin spiked immediately, rising by about $3,000 before the fake post was debunked, but it ultimately fell about 3.15% after the air had cleared. The price rose 0.3% the following day when the real announcement was made.
While it is possible the hacker was after a quick profit, the timing of the attack and the brief window point more to an odd prank than anything else. That is an unusual use of a breach of the SEC’s X account, which could have been turned to much more lucrative (and financially damaging) schemes.
According to Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems: “Given this was solely on the social media platform along with a raft of highly respected security firms, I suspect it will be rapidly forgotten in the broader scheme of things. It does however reinforce the importance of security for public and private sector organizations, regardless of size and stature.”
X quick to disavow Bitcoin ETF incident
The SEC has reiterated that it will not break major market-impacting announcements like the Bitcoin ETF approval via its X account, and has said that the FBI has been contacted about the incident and is investigating. For its part, X’s security team was almost excessively forthcoming about what happened, seeming to be in a hurry to ensure that blame was placed directly on the SEC for not properly securing its account. This may be due to X’s ongoing FTC order requiring it to address privacy and security issues, something that has already cost the company hundreds of millions of dollars in prior violations.
The Bitcoin ETF debacle is also far from the first time a high-profile X account has been captured and used to make a fraudulent announcement regarding crypto, and prior incidents have been more directly the fault of the company’s internal security. The biggest incident took place in 2020, when Elon Musk, Jeff Bezos and Barack Obama were among the public figures hit by a crypto scam. That incident turned out to stem from a security lapse that allowed attackers to social engineer their way into an administrative panel that essentially enabled them to take over any account on the platform.
X has also been struggling with a wave of crypto-related hacking that now dates back to late 2023. Earlier in the week, the X accounts of both Netgear and Hyundai were hacked and used to promote crypto scams. Leading security firm Mandiant also had its platform account hijacked for a similar scheme last week, even though it says that it had 2FA enabled.
The exact details of the Bitcoin ETF attack have yet to be released by any of the involved parties, but given what is known, a SIM swap is a very reasonable assumption. SIM swapping has been on the rise as a criminal technique of late, with three of the most prominent for-profit hacking groups in the news making it part of their toolkit: Lapsus$, Octo Tempest and Scattered Spider.
Darren James, a Senior Product Manager at Specops Software, notes that the SEC’s own new rules will likely prompt more detailed reporting in the near future: “Ironically, the SEC’s new breach reporting requirements should help us better understand what exactly took place from a forensic standpoint. It is difficult to say if the SEC X/Twitter account fell prey to stolen credentials, phishing, social engineering, etc. But, what is clear is that leaders need to be diligent in keeping tight controls on their data.”
Darren Guccione, CEO and Co-Founder at Keeper Security, points out that this is a reminder that many organizations are continuing to lag behind in implementing MFA requirements: “Not all 2FA and MFA options are created equal, but some form of MFA is better than going without. MFA can protect against a variety of cyber-attack vectors including phishing, brute force and credential stuffing attacks. Traditional 2FA methods such as SMS are weaker than other methods like an authenticator app or hardware key. In fact, the National Institute of Standards and Technology (NIST) removed the use of SMS authentication from its recommended authentication methods list due to the potential vulnerabilities. A password manager can store MFA codes and autofill them, which provides a seamless experience for users by eliminating the second step, and protects against social engineering or SIM swapping attacks that can compromise codes sent via the weaker MFA methods such as email or SMS.”