A false post on the official X social media page of the US Securities and Exchange Commission that prematurely claimed it had approved new bitcoin investment products appeared after a hacker took control of the mobile phone number linked to the account, according to the regulator.
The widely shared post on January 9 saying that the SEC had given the green light to the first bitcoin exchange traded funds momentarily sent the cryptocurrency sector into a frenzy. It was quickly disavowed by the agency, which announced its bona fide approvals a day later.
The SEC on Monday said it determined that an unauthorised party had deployed an apparent “SIM swap”, which involves transferring a mobile phone number to a different device without the owner’s permission. The password for the SEC’s account on X was then changed.
The number transfer occurred via the telecommunications carrier rather than through the agency’s systems, the SEC said. The regulator added it had not found any evidence that the hacker gained access to its systems, devices, data or other social media accounts.
The agency also disclosed that X in July had disabled multi-factor authentication at the SEC’s request “due to issues accessing the account”. The procedure was reinstated after the page was breached and was enabled for all SEC social media accounts offering such authentication, the regulator said.
The mishap was an embarrassment for the agency after its chair Gary Gensler made cyber security a pillar of his agenda, adopting rules that require businesses be more vigilant about cyber risks.
While the hack was not serious by cyber standards, given that it did not affect the SEC’s own systems, analysts found the absence of two-factor authentication, first disclosed by X, to be an easily avoidable faux pas. “We encourage all users to enable this extra layer of security,” X said the day of the incident.
The fake post came as Wall Street eagerly awaited SEC authorisation of the first-ever spot bitcoin ETFs, which enable ordinary investors to hold the cryptocurrency in their brokerage accounts. Gensler has expressed scepticism over crypto, calling the markets the “wild west”.
Gensler has adopted a tough enforcement stance against crypto and argued that many digital tokens are securities that fall directly within the agency’s purview. The SEC already regulates ETFs.
The day of the hack, Gensler posted on his own X account 10 minutes after the fake post was published, saying the regulator’s account had been “compromised” and no ETF approvals had been granted.
The regulator on Monday said it was still co-ordinating with law enforcement as well as federal agencies including the FBI, the Department of Homeland Security, and the Commodity Futures Trading Commission. According to the SEC, the probe’s focus includes how the hacker had the telecoms carrier change the SIM and how they became aware of the account’s number.