Full Report
Eric Council Jr. sentenced for 2024 SIM swap that led to fake Bitcoin ETF tweet from SEC’s X account, briefly impacting crypto markets.
Analysis Summary
This incident involves an individual sentenced for a SIM swap attack that was leveraged to compromise the U.S. Securities and Exchange Commission (SEC)'s X (formerly Twitter) account, resulting in a false announcement about a Bitcoin Exchange-Traded Fund (ETF).
# Incident Report: SEC X Account Hijack via SIM Swap
## Executive Summary
In 2024, Eric Council Jr. executed a SIM swap attack to compromise a mobile number associated with the SEC's official X account, enabling him to post a fraudulent tweet announcing an approved Bitcoin ETF. This exploit caused momentary, significant volatility in the cryptocurrency markets. Council Jr. was subsequently sentenced for the SIM swap hack that facilitated the hoax.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the incident occurred in **2024**.
- **Incident Date:** **2024** (The sentencing occurred in May 2025).
- **Affected Organization:** U.S. Securities and Exchange Commission (SEC).
- **Sector:** Financial Regulation / Government.
- **Geography:** United States (implied by SEC involvement).
## Timeline of Events
### Initial Access
- **Date/Time:** **2024**
- **Vector:** SIM Swap Attack.
- **Details:** The attacker manipulated a mobile carrier into transferring a phone number associated with the SEC's X account to a SIM card under the attacker's control.
### Lateral Movement
- The source material only details the compromise of the account used to post the tweet. No details on complex lateral movement within the SEC's internal networks are provided.
### Data Exfiltration/Impact
- **Impact:** The attacker gained control of the SEC's X account and posted a fraudulent tweet announcing the approval of a Bitcoin ETF. This caused brief, significant volatility in the cryptocurrency markets.
### Detection & Response
- **How it was discovered:** The tweet was recognized as fraudulent, leading to its removal and subsequent clarification by the SEC (though specific detection methods are not detailed).
- **Response actions taken:** The perpetrator, Eric Council Jr., faced legal action and was ultimately sentenced for the underlying SIM swap activities.
## Attack Methodology
- **Initial Access:** **SIM Swap.** Attacker convinced a mobile carrier to port the victim's phone number to a SIM card controlled by the attacker.
- **Persistence:** Control of the phone number likely provided the means to bypass Multi-Factor Authentication (MFA) tied to that number, allowing continued access to the SEC's X account.
- **Privilege Escalation:** N/A (The focus is on access control via phone number compromise).
- **Defense Evasion:** Abusing a trusted telecommunications channel (the ported phone number) to bypass standard account security measures.
- **Credential Access:** Likely involved accessing or resetting credentials for the X account via SMS-based MFA.
- **Discovery:** N/A (No internal reconnaissance detailed).
- **Lateral Movement:** N/A.
- **Collection:** N/A (Focus was on publishing a statement, not data theft).
- **Exfiltration:** N/A.
- **Impact:** Information manipulation and market disruption.
## Impact Assessment
- **Financial:** Brief, significant **volatility in the crypto markets**.
- **Data Breach:** No specific corporate data breach detailed; the impact was reputational and market-related.
- **Operational:** Brief operational disruption due to the need to retract and clarify the false announcement.
- **Reputational:** Harm to the credibility of the SEC's official communication channels.
## Indicators of Compromise
- **Network indicators - defanged:** Not provided in the source material.
- **File indicators:** Not provided in the source material.
- **Behavioral indicators:** Unauthorized posting from the official SEC X account. SIM swap attempts on related phone numbers.
## Response Actions
- **Containment measures:** Removal of the fraudulent tweet from the X platform.
- **Eradication steps:** Legal sentencing of the perpetrator (Eric Council Jr.) for the SIM swap crime.
- **Recovery actions:** Issuing official statements to clarify the false nature of the announcement and restore market confidence.
## Lessons Learned
- **Key takeaways:** Reliance on SMS-based Multi-Factor Authentication (MFA) creates a critical vulnerability exploitable via social engineering against telecommunication providers (SIM swapping).
- **What could have been done better:** The SEC (and its social media management provider) should have used stronger, phishing-resistant MFA methods (e.g., hardware tokens or application-based TOTP) for highly sensitive accounts, independent of the associated mobile phone number.
## Recommendations
- **Prevention measures for similar incidents:** Immediately migrate high-sensitivity accounts away from SMS-based MFA. Implement stronger change management protocols for managing third-party access and critical system credentials.
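As an added example (not from the report, the SEC, or its provider), a Python audit that applies the recommendation above to an account inventory: it flags every login or recovery path that runs through a phone number, because a phone-bound recovery channel undoes even a strong primary factor. The inventory, factor names and sensitivity scale are constructed.

```python
# Added example: audit an account inventory for MFA and recovery paths that
# depend on a phone number, the exposure exploited in the SIM swap above.
from dataclasses import dataclass, field

# TOTP and push apps are not bound to the carrier but remain phishable;
# only FIDO2/WebAuthn and hardware keys are phishing-resistant.
PHONE_BOUND = {"sms", "voice"}
PHISHING_RESISTANT = {"fido2", "hardware_key"}

@dataclass
class Account:
    name: str
    sensitivity: int                                # 1 (low) .. 3 (high)
    mfa: list = field(default_factory=list)         # enabled second factors
    recovery: list = field(default_factory=list)    # account-recovery channels

def assess(acct):
    """Findings for one account; its weakest login or recovery path decides."""
    findings = []
    if not acct.mfa:
        findings.append("no MFA enabled")
    weak_mfa = PHONE_BOUND & set(acct.mfa)
    if weak_mfa:
        findings.append(f"phone-bound MFA: {sorted(weak_mfa)}")
    weak_rec = PHONE_BOUND & set(acct.recovery)
    if weak_rec:
        findings.append(f"phone-bound recovery bypasses MFA: {sorted(weak_rec)}")
    if acct.sensitivity == 3 and acct.mfa and not PHISHING_RESISTANT & set(acct.mfa):
        findings.append("high-sensitivity account lacks a phishing-resistant factor")
    return findings

def audit(accounts):
    """Map account name -> findings, highest sensitivity first; clean accounts omitted."""
    report = {}
    for a in sorted(accounts, key=lambda a: -a.sensitivity):
        f = assess(a)
        if f:
            report[a.name] = f
    return report

# Constructed inventory: the first record mirrors the incident pattern, a
# high-value social media account whose safeguards all run through a phone number.
INVENTORY = [
    Account("official-x-account", 3, mfa=["sms"], recovery=["sms", "email"]),
    Account("press-mailbox", 2, mfa=["totp"], recovery=["sms"]),
    Account("admin-console", 3, mfa=["fido2"], recovery=["backup_codes"]),
    Account("intern-wiki", 1, mfa=[], recovery=["email"]),
]
```

Calling `audit(INVENTORY)` reports the X account three times over, flags the mailbox solely for its SMS recovery path even though its login uses TOTP, and leaves the FIDO2-protected console clean.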