The FBI has apprehended Eric Council Jr., a 25-year-old man from Athens, Alabama, accused of orchestrating a sophisticated hack on the U.S. Securities and Exchange Commission's (SEC) X account earlier this year. According to U.S. prosecutors, this attack was allegedly part of a broader conspiracy to manipulate Bitcoin prices.
On January 9, 2024, the SEC's X account was compromised to issue a fraudulent announcement claiming approval of Bitcoin ETFs for listing on stock exchanges. This misinformation led to a temporary $1,000 surge in Bitcoin prices, followed by a sharp $2,000 decline after SEC Chair Gary Gensler clarified that the account had been hacked.
The Department of Justice revealed that Council and his accomplices executed a SIM-swap attack to seize control of the phone number linked to the SEC's X account manager.
SIM swapping involves deceiving a wireless carrier into transferring a victim's phone number to a device controlled by the attacker. This enables access to text messages, phone calls, and crucial security codes for multi-factor authentication.
The SEC confirmed that the attackers did not breach the agency's internal systems or other social media platforms; the compromise occurred due to manipulation of the mobile carrier's number porting procedures. Once in control, the attackers reset the X account password to disseminate the fake news.
Eric Council Jr. has been indicted on charges of conspiracy to commit aggravated identity theft and access device fraud, with potential penalties of up to five years in prison.
This incident has reignited criticism of the cybersecurity measures of the SEC, the primary U.S. market regulator, and raised alarms about the security infrastructure of X, particularly after its acquisition by Elon Musk in October 2022.