The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Hackers seize control of SEC’s X account to promote crypto

By Joseph Menn Washington Post

The Securities and Exchange Commission said Tuesday an “unknown party” had hacked its official account on the social media platform X to promote bitcoin, the latest of multiple hacks used to push cryptocurrencies.

The account @SECGov posted on the platform, formerly known as Twitter, that the agency had approved bitcoin exchange-traded funds for listing on national exchanges.

The posting occurred shortly after 4 p.m. and attracted millions of views before the SEC wrested control back and declared that the earlier statement was false. By that time, the initial post had been reported by some media outlets.

SEC Chair Gary Gensler later posted on X that the agency’s “account was compromised, and an unauthorized tweet was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.”

His post followed an SEC statement that the hacker had taken control for a brief period.

“The SEC will work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct,” said spokeswoman Stephanie Allen.

Bitcoin backers have repeatedly asked the SEC for permission to list such funds, a change that would give investors a more regulated way to participate in the crypto markets.

The false post briefly drove a spike in bitcoin prices, so that anyone with knowledge of the scam could have reaped a major profit.

The hijack was also notable because the account was not only a source for official news but one branded by X with a silver check mark, meaning that it had been verified as an important government account.

It is unclear whether such accounts include special security arrangements, but it would be surprising if the SEC account did not include at least a minimal form of two-factor authentication.

Nonetheless, X’s own account for safety matters posted late Tuesday that the SEC account did not have two-factor “at the time the account was compromised.” It also said the company believed that the phone number associated with the account had been wrested away by the hacker.

For years it has been notoriously easy for hackers to take over existing phone numbers through attacks such as SIM-swapping, in which the attacker persuades or bribes a carrier to move the victim's number onto a device the attacker controls. Because one-time codes sent by text message then arrive on the attacker's device, that can lead to the compromise of email and financial accounts, even those protected by SMS-based two-factor authentication. The Federal Trade Commission last month urged carriers to do a better job confirming the identities of people asking to move their numbers to a new device.

The SEC did not respond Wednesday to a request for comment on the claim.

Allison Nixon, an expert on SIM-swapping, said that X had failed to establish defenses that could stop someone from using a stolen number to alter two-factor requirements. Other companies have such mitigations, she said.
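The weakness Nixon describes, a phone number that by itself can authorize changes to an account's two-factor settings, is easy to see in an account-recovery policy. The following is an added illustration written for this page, not code from X or from the article; the account fields, the 72-hour cooldown after a carrier-reported SIM change, and the factor names are assumptions. It places a vulnerable policy, where an SMS code alone resets 2FA, beside a hardened one that never lets a phone-based factor alter 2FA and distrusts SMS entirely for a period after the number has just been moved.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Constructed illustration of a SIM-swapped number being used to alter 2FA.
# Names and thresholds are assumptions for the example, not any platform's rules.
STRONG_FACTORS = {"totp", "security_key"}   # possession factors not tied to the phone number
SIM_CHANGE_COOLDOWN = timedelta(hours=72)    # assumed: distrust SMS this long after a SIM/port change


@dataclass
class Account:
    phone: str
    enrolled: set             # factors enrolled on the account, e.g. {"sms", "totp"}
    recovery_codes: set       # unused one-time recovery codes
    sim_changed_at: datetime  # last carrier-reported SIM/number change (assumed signal)


@dataclass
class Request:
    verified: set                  # factors the caller just passed, e.g. {"sms"}
    recovery_code: Optional[str]   # recovery code presented, if any
    now: datetime


def weak_policy(acct: Account, req: Request) -> Tuple[bool, str]:
    """Vulnerable: an SMS code to the account's number is enough to reset 2FA.
    Whoever controls the number (the SIM-swapper) therefore controls the account."""
    if "sms" in acct.enrolled and "sms" in req.verified:
        return True, "sms code accepted; 2FA reset allowed"
    return False, "no verified factor"


def hardened_policy(acct: Account, req: Request) -> Tuple[bool, str]:
    """Hardened: a phone number alone can never change 2FA settings."""
    verified = set(req.verified)
    note = ""
    # 1. Ignore SMS altogether while the number was recently moved to a new SIM/carrier.
    if "sms" in verified and req.now - acct.sim_changed_at < SIM_CHANGE_COOLDOWN:
        verified.discard("sms")
        note = "sms ignored: number changed within cooldown; "
    # 2. Only an enrolled non-phone factor authorizes a 2FA change ...
    if verified & acct.enrolled & STRONG_FACTORS:
        return True, note + "strong factor verified; 2FA change allowed"
    # ... or an unused recovery code, which is consumed on use.
    if req.recovery_code is not None and req.recovery_code in acct.recovery_codes:
        acct.recovery_codes.discard(req.recovery_code)
        return True, note + "recovery code consumed; 2FA change allowed"
    # 3. SMS on its own, even outside the cooldown, is never sufficient for this action.
    return False, note + "phone-based factor insufficient to alter 2FA; need TOTP/key or recovery code"


def sim_swap_scenario() -> dict:
    """Attacker ported the victim's number two hours ago and can receive SMS codes, nothing else."""
    now = datetime(2024, 1, 9, 16, 0)
    acct = Account(phone="+15555550100", enrolled={"sms", "totp"},
                   recovery_codes={"ABCD-1234"}, sim_changed_at=now - timedelta(hours=2))
    attacker = Request(verified={"sms"}, recovery_code=None, now=now)
    owner = Request(verified={"totp"}, recovery_code=None, now=now)
    attacker_later = Request(verified={"sms"}, recovery_code=None, now=now + timedelta(days=4))
    return {
        "weak_attacker": weak_policy(acct, attacker)[0],                  # True: number alone wins
        "hardened_attacker": hardened_policy(acct, attacker)[0],          # False: blocked
        "hardened_owner": hardened_policy(acct, owner)[0],                # True: TOTP still works
        "hardened_attacker_after_cooldown": hardened_policy(acct, attacker_later)[0],  # False
    }


def recovery_code_scenario() -> Tuple[bool, bool]:
    """SMS-only account: the owner recovers with a one-time code; a replayed code is refused."""
    acct = Account(phone="+15555550199", enrolled={"sms"}, recovery_codes={"WXYZ-9876"},
                   sim_changed_at=datetime(2023, 6, 1))
    req = Request(verified=set(), recovery_code="WXYZ-9876", now=datetime(2024, 1, 9, 16, 0))
    first = hardened_policy(acct, req)[0]
    second = hardened_policy(acct, req)[0]   # same code again: already consumed
    return first, second


if __name__ == "__main__":
    for name, allowed in sim_swap_scenario().items():
        print(f"{name}: {'ALLOWED' if allowed else 'denied'}")
    print("recovery code first/replay:", recovery_code_scenario())
```

The point of the hardened policy is that the phone number is demoted from a root of trust to, at most, a login convenience: changing which factors protect the account requires proof that does not travel with the number, and any recent carrier-side change to the number suppresses SMS entirely for a cooling-off period so the victim has time to notice.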

Poor security at X has included years of takeovers of high-profile accounts and multiple whistleblower complaints, including by the company’s former head of security Peiter Zatko.

The hack follows takeovers over the past few weeks of smaller government accounts and of some accounts with gold checks, which X gives to private organizations.

Since those accounts are also likely to have two-factor authentication, some security experts say the spate of hijacks suggests a broad vulnerability or new technique is in play. X did not respond to an email seeking comment.