SEC Says SIM Swap Enabled Hacker to Access X Account,

WASHINGTON – The U.S. Securities and Exchange Commission (SEC) revealed on Monday that a SIM swap attack led to the breach of its official  X (Formerly Twitter) account earlier this month.

On Jan. 9, an unauthorized party gained access to the @SECGov X handle and posted a fabricated message stating that the agency had approved the first spot bitcoin exchange-traded fund (ETF). The fake news briefly sent bitcoin prices surging to nearly $48,000 before falling below $46,000 when the SEC clarified no approval had been given.

The SEC said an investigation found that two days after the incident, the hacker obtained control of the SEC phone number linked to the X account in an apparent SIM swap attack. The agency’s telecommunications provider enabled the SIM swap, which allows a phone number to be moved to a new device without the owner’s consent.

With control of the phone number, the hacker reset the account password and bypassed two-factor authentication – which was disabled in July at the SEC’s request due to login issues.

SEC Chair Gary Gensler has faced criticism for the security lapse. Billionaire Elon Musk, who frequently spars with regulators, mocked the agency over the hack. The breach also highlighted Twitter’s ongoing vulnerabilities after recent upheaval at the company.

While the hacker did not access any non-public SEC systems or data, the unauthorized bitcoin post temporarily moved crypto markets and cast a shadow over an agency already grappling with technological change.

The SEC did not identify the perpetrator but said multiple law enforcement entities are investigating how the individual executed the SIM swap and knew which phone number to target.