The threat actor suspected of hacking the X (formerly Twitter) account of the US Securities and Exchange Commission (SEC) has been arrested by the FBI.
On 10 January 2024, the SEC’s X account was taken over by threat actors who used it to announce the approval of spot bitcoin ETFs, causing the price of bitcoin to jump US$1,000.
Both the SEC and its chair, Gary Gensler, took to the platform to clarify that the account had been hijacked and that posts relating to crypto were not written and posted by the SEC. As a result, bitcoin dropped by US$2,000.
“The @SECGov twitter account was compromised, and an unauthorized tweet was posted,” said Gensler.
“The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.”
Although the SEC did approve spot bitcoin ETFs the day after, it called on its inspector general to launch an investigation into the breach.
Now, the Department of Justice (DOJ) has announced that 25-year-old Eric Council jnr from Alabama has been arrested on suspicion of being involved in the breach.
“The conspirators gained control of the SEC’s X account through an unauthorised Subscriber Identity Module (SIM) swap, allegedly carried out by Council,” said the DOJ, confirming earlier suspicions of how the attack was carried out.
“A SIM swap refers to the process of fraudulently inducing a cell phone carrier to reassign a cell phone number from the legitimate subscriber or user’s SIM card to a SIM card controlled by a criminal actor.
“As part of the scheme, Council and the co-conspirators allegedly created a fraudulent identification document in the victim’s name, which Council used to impersonate the victim; took over the victim’s cellular telephone account; and accessed the online social media account linked to the victim’s cellular phone number for the purpose of accessing the SEC’s X account and generating the fraudulent post in the name of SEC chairman Gensler.”
Council was indicted on 10 October in the District of Columbia by a federal grand jury and, if convicted, faces up to five years in prison for one count of conspiracy to commit aggravated identity theft and access device fraud.