Full Report
Eric Council Jr., a 26-year-old from Athens, Alabama, has been sentenced to 14 months in federal prison. He played a key role in a cybercrime conspiracy targeting the U.S. Securities and Exchange Commission (SEC). Council and his co-conspirators illegally gained access to the SEC’s official account on X, formerly known as Twitter. They used the hacked SEC X account to post a fake announcement about Bitcoin. The false message claimed that the SEC had approved Bitcoin Exchange-Traded Funds (ETFs). This misleading post caused Bitcoin’s value to spike sharply. Soon after, the SEC regained control of its account and confirmed that the announcement was false. The cryptocurrency’s value then dropped by more than $2,000.

## A Planned SIM Swap to Hack the SEC X Account

According to court documents, Council was part of a coordinated scheme that began in January 2024. He and others engaged in SIM swapping—a method that involves fraudulently transferring someone’s phone number to another SIM card—in order to gain control of digital accounts.

On January 9, 2024, Council impersonated a victim at an AT&T store in Huntsville, Alabama, using a fake ID he printed himself. He tricked the store employee into issuing a replacement SIM card for the victim’s phone number, which was connected to the SEC’s official X account. Council then walked into a nearby Apple store, purchased a new iPhone, and used the stolen SIM card to activate the device. With control over the phone number, he received password reset codes for the @SECgov X account. He took a photo of the reset code and shared it with his co-conspirators before returning the phone for a cash refund.

Soon after, the group used the reset code to access the SEC’s X account. They posted a fake announcement claiming that the SEC had approved Bitcoin ETFs. This false information caused Bitcoin’s value to spike by more than $1,000.
Once the SEC regained control of the account and confirmed the post was fake, Bitcoin’s value dropped by over $2,000.

## Federal Officials Respond

Federal authorities described the cyberattack as a direct threat to financial markets and public trust. “Schemes of this nature threaten the health and integrity of our market system,” said U.S. Attorney Pirro. “SIM swap schemes threaten the financial security of average citizens, financial institutions, and government agencies. Don’t fool yourself into thinking you can’t be caught.”

Matthew R. Galeotti from the Justice Department added, “Council and his co-conspirators used sophisticated cyber means to compromise the SEC’s X account and posted a false announcement that distorted important financial markets.”

FBI Assistant Director in Charge Jensen described Council’s actions as “brazen” and said the sentencing proves that digital fraudsters will be found and held accountable. Amanda James, Special Agent in Charge at the SEC Office of Inspector General (OIG), emphasized the agency’s commitment to maintaining the integrity of SEC operations.

## Evidence of Further Plots

During a June 2024 FBI search of Council’s apartment in Athens, Alabama, investigators uncovered further evidence of planned SIM swap attacks. They found a fake ID card, a portable ID card printer, and a laptop containing templates for additional fake IDs. The laptop also revealed internet searches that included:

- “SECGOV hack”
- “telegram sim swap”
- “how can I know for sure if I am being investigated by the FBI”
- “federal identity theft statute”
- “how long does it take to delete telegram account”

These searches pointed to Council’s growing concern over potential law enforcement scrutiny, as well as his continued intent to engage in criminal activity.
Authorities revealed that Council had attempted additional SIM swaps in June 2024 and went by online aliases such as “Ronin” and “Agiantschnauzer.” He was arrested on October 17, 2024, and admitted to receiving approximately $50,000 for carrying out SIM swapping tasks.

Council pleaded guilty on February 10, 2025, to conspiracy to commit aggravated identity theft. Along with the prison sentence, Judge Amy Berman Jackson of the District Court ordered him to forfeit the $50,000 he earned and imposed a three-year supervised release term. As a condition of his release, Council is banned from using computers to access the dark web or to commit any further identity-related crimes.

## What Is SIM Swapping?

A SIM card, or Subscriber Identity Module, is a small chip that connects a phone to a mobile network. SIM swapping is a type of identity theft where a criminal convinces a mobile carrier to transfer a victim’s phone number to a SIM card under their control. Once successful, the attacker can receive text messages and calls meant for the victim, including two-factor authentication codes for social media or financial accounts.

This form of attack allows hackers to bypass security systems and gain access to sensitive information and digital platforms. In Council’s case, SIM swapping enabled unauthorized access to a government social media account, which was then used to manipulate financial markets.

## A Coordinated Federal Effort

The case was jointly investigated by several federal agencies, including:

- FBI Washington Field Office’s Criminal and Cyber Division
- SEC Office of Inspector General
- U.S. Attorney’s Office for the District of Columbia
- Computer Crime and Intellectual Property Section (CCIPS)
- Justice Department’s Fraud Section Market Integrity and Major Frauds Unit

The FBI’s Birmingham Field Office also provided key support during the investigation.

## Lawmakers Confirm One-Day Cyber Pause in Separate Case

In a separate development, Rep. Don Bacon of Nebraska addressed concerns about a pause in U.S. offensive cyber operations against Russia. During a House Armed Services Committee hearing, Bacon clarified that the halt lasted only one day. “I actually dug into this whole matter. It was a one-day pause, which is typical for negotiations,” said Bacon, who chairs the House subcommittee on cyber issues. He was referring to the Trump administration’s efforts to curb Russia’s military actions in Ukraine. “That’s just about as much as I can say,” he added.

While unrelated to the SEC hacking case, this update reflects the broader attention being paid to cyber operations and cybersecurity threats by both the government and lawmakers.
Analysis Summary
# Incident Report: SEC X Account Hijacking via SIM Swap
## Executive Summary
An individual successfully hijacked the U.S. Securities and Exchange Commission (SEC) official X (formerly Twitter) account using a SIM swapping attack to gain unauthorized access, post a fraudulent announcement regarding Bitcoin Exchange Traded Funds (ETFs), and manipulate financial markets. The attacker has since been identified, apprehended, and sentenced to prison time as a result of a coordinated federal investigation.
## Incident Details
- **Discovery Date:** [Not explicitly stated, but implied upon fraudulent post dissemination]
- **Incident Date:** January 9, 2024 (date of the SIM swap; the fraudulent post followed soon after)
- **Affected Organization:** U.S. Securities and Exchange Commission (SEC)
- **Sector:** Government/Financial Regulation
- **Geography:** United States (Washington D.C. area context for investigation offices)
## Timeline of Events
### Initial Access
- **Date/Time:** January 9, 2024
- **Vector:** SIM swapping attack targeting the mobile account for the phone number connected to the SEC's X account.
- **Details:** The attacker impersonated the victim at an AT&T store using a fake ID and tricked the store employee into issuing a replacement SIM card for the victim's phone number. This provided control over codes delivered to that number by SMS, including two-factor authentication (2FA) and password reset codes.
### Lateral Movement
- **Details:** The attacker used the compromised phone number to receive password reset codes for the @SECgov X account and shared a code with co-conspirators, who used it to take control of the account.
### Data Exfiltration/Impact
- **Details:** The attacker posted a false announcement on the SEC's official X account claiming SEC approval for Bitcoin ETFs. The primary impact was the immediate manipulation of financial markets, causing rapid asset price fluctuations.
### Detection & Response
- **Details:** The incident was detected when market participants reacted to the false announcement. A joint federal investigation involving the FBI, SEC OIG, U.S. Attorney’s Office, and CCIPS was launched. The attacker was ultimately identified and prosecuted.
## Attack Methodology
- **Initial Access:** SIM Swapping (Social engineering/Account Takeover of mobile provider).
- **Persistence:** Gaining control of an authenticated platform (SEC X account).
- **Privilege Escalation:** Bypassing security measures (likely 2FA) via the SIM swap to access sensitive controls.
- **Defense Evasion:** [Not explicitly detailed, likely operating quickly post-compromise.]
- **Credential Access:** Not explicitly stated, but inferred ability to intercept verification codes associated with a mobile number.
- **Discovery:** [Not applicable to the attacker prior to access.]
- **Lateral Movement:** Movement from the compromised phone number control to the target social media account control.
- **Collection:** [Not applicable; the goal was publication/manipulation, not large-scale data theft.]
- **Exfiltration:** Communication of false, market-moving information.
- **Impact:** Direct financial market manipulation.
## Impact Assessment
- **Financial:** Significant, immediate market volatility and disruption due to false official announcements.
- **Data Breach:** No large-scale data exfiltration detailed, but unauthorized control and publication from a high-profile, sensitive government account occurred.
- **Operational:** Disruption to the SEC's communication channel and necessary coordination among federal agencies to counter the false statement.
- **Reputational:** Damage to the SEC’s reputation for secure communications and public trust.
## Indicators of Compromise
* **Network indicators:** [None provided/defanged]
* **File indicators:** [None provided]
* **Behavioral indicators:** Unauthorized posting from the official SEC X account, specifically market-moving announcements that contradict official policy.
## Response Actions
- **Containment measures:** Coordination between federal agencies (FBI, SEC OIG, DOJ) to investigate and take down the unauthorized communication.
- **Eradication steps:** Identifying and arresting the perpetrator responsible for the SIM swap and account takeover.
- **Recovery actions:** Issuing clarifying statements to mitigate market chaos; prosecuting the offender (resulting in a prison sentence).
## Lessons Learned
- SIM swapping remains a critical threat vector, especially when used against accounts protected only by SMS-based 2FA.
- Government and high-profile entities using SMS 2FA for critical platform access are highly vulnerable to social engineering tactics targeting telecommunications providers.
## Recommendations
- Immediately transition all critical government and financial regulatory accounts away from SMS-based Two-Factor Authentication (2FA) to hardware security keys (e.g., FIDO2/WebAuthn) or authenticator apps.
- Enhance monitoring and anomaly detection around social media account activity for posts that deviate significantly from typical communication patterns, especially those involving regulated sectors like cryptocurrency.
- Review security protocols with mobile carriers (if applicable) or internal policies related to account recovery procedures linked to sensitive accounts.
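
The account-recovery review recommended above can be expressed as a policy check. The following is an added example, not part of the original report: it refuses SMS-delivered reset codes for high-value accounts and for numbers whose SIM was replaced recently. The field names, the 72-hour window and the sample requests are assumptions constructed for illustration; the SIM-change timestamp is assumed to come from a carrier-provided signal.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy value (hypothetical, not taken from the report).
SIM_CHANGE_COOLDOWN = timedelta(hours=72)

@dataclass
class ResetRequest:
    account: str
    channel: str                         # "sms", "totp" or "security_key"
    requested_at: datetime
    last_sim_change: Optional[datetime]  # None = carrier signal unavailable
    high_value: bool = False             # e.g. an official agency account

def evaluate_reset(req: ResetRequest) -> tuple[str, str]:
    """Return (decision, reason) for a password-reset request."""
    if req.channel != "sms":
        return "allow", "channel is not tied to the phone number"
    if req.high_value:
        return "deny", "SMS recovery disabled for high-value accounts"
    if req.last_sim_change is None:
        return "step_up", "no SIM-change signal; require another factor"
    age = req.requested_at - req.last_sim_change
    # A change recorded after the request (negative age) is also refused.
    if age < SIM_CHANGE_COOLDOWN:
        return "deny", f"SIM replaced {age} before the reset request"
    return "allow", "no SIM change inside the cooldown window"

# Constructed sample requests (not real data).
T0 = datetime(2024, 6, 1, 15, 0)
SAMPLES = [
    ResetRequest("agency_official", "sms", T0, T0 - timedelta(hours=1), True),
    ResetRequest("user_a", "sms", T0, T0 - timedelta(hours=1)),
    ResetRequest("user_b", "sms", T0, T0 - timedelta(days=200)),
    ResetRequest("user_c", "sms", T0, None),
    ResetRequest("agency_official", "security_key", T0,
                 T0 - timedelta(hours=1), True),
]

def decisions() -> list[str]:
    return [evaluate_reset(r)[0] for r in SAMPLES]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.account, r.channel, *evaluate_reset(r))
```
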