An Alabama man has been sentenced to 14 months for hacking the SEC’s X account
# Incident Report: SEC Account Takeover via SIM Swapping
## Executive Summary
In January 2024, an individual named Eric Council Jr. participated in a conspiracy that resulted in the unauthorized access and control of the U.S. Securities and Exchange Commission (SEC) X (formerly Twitter) account. The primary attack vector was a sophisticated SIM swap attack executed against an SEC victim, allowing co-conspirators to obtain 2FA codes and seize control. The impact was the posting of a false announcement regarding Bitcoin ETF approval, causing significant, temporary volatility in the cryptocurrency market. The perpetrator was sentenced to 14 months in prison following a guilty plea.
## Incident Details
- Discovery Date: January 2024 (Implied shortly after posts were made)
- Incident Date: January 2024
- Affected Organization: U.S. Securities and Exchange Commission (SEC)
- Sector: Government/Financial Regulation
- Geography: United States (Perpetrator based in Alabama)
## Timeline of Events
### Initial Access
- **Date/Time:** January 2024
- **Vector:** SIM Swap Attack facilitated by insider-obtained PII.
- **Details:** Co-conspirators obtained the Personally Identifiable Information (PII) of the victim associated with the targeted account credentials. Eric Council Jr. used this PII to create a fake identity card and execute a SIM swap against the victim's mobile carrier, porting the victim's phone number to a SIM card controlled by the fraudster.
### Lateral Movement
- This phase consisted of using the hijacked phone number to intercept Two-Factor Authentication (2FA) codes, which allowed the co-conspirators to successfully access the SEC's X account.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Unauthorized control and posting activity on the official SEC X account. Specifically, co-conspirators posted a false announcement claiming regulatory approval for Bitcoin (BTC) Exchange Traded Funds (ETFs). This caused an immediate, significant spike in Bitcoin price, followed by a sharp decline. Council received payment in BTC for his role.
### Detection & Response
- **How it was discovered:** The malicious posts made via the SEC account, which were later retracted or identified as false.
- **Response actions taken:** The incident led to a criminal investigation. Eric Council Jr. pleaded guilty in February 2024 to conspiracy to commit aggravated identity theft and access device fraud. He subsequently received a 14-month prison sentence.
## Attack Methodology
- **Initial Access:** SIM Swap attack executed against a target victim to intercept mobile communication/2FA codes.
- **Persistence:** Not explicitly detailed, but implied use of captured credentials/2FA to maintain temporary control over the X account.
- **Privilege Escalation:** Not applicable in the network sense (this was an account takeover), but the attackers escalated from control of a hijacked phone number to control of a high-privilege, official social media account.
- **Defense Evasion:** Utilizing legitimate carrier infrastructure manipulation (SIM swapping) to bypass standard 2FA controls.
- **Credential Access:** Acquiring pre-existing PII from unspecified co-conspirators to facilitate the SIM swap deception.
- **Discovery:** Not applicable (the attack relied on social engineering and fraud against the mobile carrier, not on network reconnaissance).
- **Lateral Movement:** Movement from the victim's phone line to the SEC's X account control.
- **Collection:** The primary objective was account takeover for manipulation, not large-scale data collection, though PII was used to facilitate the initial step.
- **Exfiltration:** Financial gain leveraged through market manipulation resulting from the false announcement.
- **Impact:** Market manipulation and damage to the SEC's public trust/reputation.
## Impact Assessment
- **Financial:** Significant, temporary volatility in the Bitcoin market (price increased by over $1000/BTC, then dropped more than $2000/BTC). Council received payment in BTC.
- **Data Breach:** The core breach involved PII used to execute the SIM swap against an unnamed victim. The SEC account itself was compromised for publication purposes.
- **Operational:** Disruption to the official communication channel of the SEC and regulatory uncertainty.
- **Reputational:** Significant reputational damage to the SEC due to the highly visible and impactful false posting.
## Indicators of Compromise
*While the article does not list specific IoCs, the core elements suggest the following behavioral/network indicators were present:*
- **Network indicators:** Suspicious authentication attempts or account activity originating from a newly provisioned or otherwise anomalous mobile number or SIM associated with the SIM swap.
- **File indicators:** N/A (Incident focused on account access, not malware deployment).
- **Behavioral indicators:** Unauthorized user posting from the SEC X account; high-volume trading activity following the false ETF announcement.
## Response Actions
- **Containment measures:** Revocation or resetting of compromised X account credentials; rapid communication clarifying the announcement was false.
- **Eradication steps:** Investigation leading to the identification and prosecution of Eric Council Jr. and co-conspirators.
- **Recovery actions:** Re-securing the SEC X account, likely involving review and strengthening of associated 2FA protocols.
## Lessons Learned
- **Key takeaways:** SMS-based 2FA ties the second factor to a phone number rather than to a device, so a well-executed SIM swap at the carrier defeats it even for high-value targets. The PII used in SIM swap schemes is often sourced from breaches or insider theft.
- **What could have been done better:** The SEC's security posture did not ensure that the account was protected by more robust authentication methods (e.g., hardware security keys or authenticator apps) that are unaffected by SIM swapping.
## Recommendations
- **Prevention measures for similar incidents:** Mandate FIDO2/hardware-based security keys or application-based authenticators (e.g., TOTP apps) for all high-value or executive social media accounts, and deprecate SMS-based 2FA for them entirely.
- **Policy Review:** Review and tighten controls on access to the PII that enabled the initial SIM swap pretext.