The Department of Justice announced Eric Council Jr. was sentenced to 14 months in prison for the hack.
# Incident Report: SEC X Account Compromise via SIM Swap
## Executive Summary
An individual, Eric Council Jr., was sentenced for his role in hacking the official X account of the U.S. Securities and Exchange Commission (SEC) in January 2024. The attackers used a SIM swap attack to gain control of an authorized user's phone number, reset the account password, and post a false announcement regarding Bitcoin ETFs, causing significant temporary volatility in the cryptocurrency market. The response involved legal action leading to a conviction and sentencing.
## Incident Details
- Discovery Date: January 9, 2024 (Inferred from attack date)
- Incident Date: January 9, 2024
- Affected Organization: U.S. Securities and Exchange Commission (SEC)
- Sector: Government/Financial Regulation
- Geography: United States
## Timeline of Events
### Initial Access
- Date/Time: On or about January 9, 2024
- Vector: SIM Swap Attack followed by Account Takeover (ATO)
- Details: Council and co-conspirators executed a SIM swap attack against the cellphone account of an individual credentialed to access the SEC's X account. This allowed them to take control of the victim's phone number.
### Lateral Movement
- Details: Using control of the phone number, the attackers reset the password for the official @SECGov X account, thereby achieving account control.
### Data Exfiltration/Impact
- Date/Time: January 9, 2024
- Details: The attackers posted an unauthorized tweet falsely announcing the SEC's approval of Bitcoin Exchange Traded Funds (ETFs). This caused the price of Bitcoin to spike temporarily before dropping when the announcement was retracted.
### Detection & Response
- Detection: The unauthorized post was eventually identified as false by the SEC or X platform safety measures.
- Response Actions: The DOJ initiated legal proceedings against the responsible parties, culminating in the sentencing of Eric Council Jr. to 14 months in prison in May 2025.
## Attack Methodology
- Initial Access: SIM Swap attack targeting a user associated with the SEC X account.
- Persistence: Not explicitly detailed, but access was maintained long enough to post the fraudulent announcement.
- Privilege Escalation: Achieved by using the compromised phone number to reset the X account password.
- Defense Evasion: Reliance on SMS-based two-factor authentication (2FA) for the account, a factor that SIM swapping defeats because the attacker receives the victim's text messages.
- Credential Access: Achieved indirectly; control of the phone number allowed the attackers to complete a password reset rather than steal the existing credentials.
- Discovery: Not explicitly detailed; presumed to be reconnaissance to identify an individual credentialed to access the SEC's X account as a target for social engineering and SIM swapping.
- Lateral Movement: Pivot from control of the victim's phone number to control of the cloud-hosted X account via the password-reset flow.
- Collection: Not applicable (Goal was immediate manipulation, not deep data theft).
- Exfiltration: N/A (The impact was public dissemination of false information).
- Impact: Financial market manipulation (Bitcoin price volatility).
## Impact Assessment
- Financial: Significant temporary market volatility in the Bitcoin cryptocurrency sector resulting from the false announcement.
- Data Breach: No direct breach of SEC internal data was reported; the impact was unauthorized public communication.
- Operational: Temporary operational disruption to the SEC's crisis communications protocol and social media integrity.
- Reputational: Damage to the SEC's reputation regarding the security of its official communications channels.
## Indicators of Compromise
- Network indicators: (None specified)
- File indicators: (None specified)
- Behavioral indicators: Unauthorized posting on @SECGov X account, activity following SIM swap success.
## Response Actions
- Containment measures: Retraction/removal of the fraudulent tweet shortly after posting.
- Eradication steps: Identification and legal charging of perpetrators.
- Recovery actions: Implementation of enhanced security protocols for the SEC's social media accounts (implied).
## Lessons Learned
- Key takeaways: SMS-based second factors (and SMS-based password recovery) are highly susceptible to social engineering attacks such as SIM swapping, because the carrier, not the account holder, decides which device receives the messages.
- What could have been done better: Stronger multi-factor authentication methods, such as hardware keys or authenticator apps, should be enforced for high-privilege accounts like those managing official government social media channels.
## Recommendations
- Prevention measures for similar incidents:
  - Immediately transition away from phone number/SMS-based multi-factor authentication for all critical accounts.
  - Mandate the use of application-based or hardware token MFA for social media management tools.
  - Review controls governing access to and recovery of official agency communication platforms.
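A way to turn these recommendations into a repeatable control check, as an added example that is not part of the original report and does not describe any SEC system: the script below audits a constructed inventory of official social-media accounts and flags any whose second factor or, critically for this incident, whose password-recovery path depends on a phone number. The factor names (`sms`, `totp`, `fido2`, and so on), the `AccountRecord` fields and the sample handles are assumptions made for illustration.

```python
"""Policy check for official social-media accounts: flag any account whose
second factor or password-recovery path depends on a phone number.

Added example; the inventory records and field names are constructed for
illustration and are not from the incident report or any real system.
"""
from dataclasses import dataclass

# Factors a SIM swap cannot intercept: hardware keys and authenticator apps.
PHISHING_RESISTANT = {"fido2", "hardware_key"}
APP_BASED = {"totp", "push"}
# Factors delivered to a phone number, which a SIM swap redirects to the attacker.
PHONE_BOUND = {"sms", "voice"}


@dataclass
class AccountRecord:
    handle: str
    platform: str
    mfa_factors: set          # second factors enabled for login, e.g. {"totp", "sms"}
    recovery_channels: set    # channels that can complete a password reset
    high_privilege: bool = True


def assess(account: AccountRecord) -> list[str]:
    """Return policy findings for one account (an empty list means compliant)."""
    findings = []
    if not account.mfa_factors:
        findings.append("no second factor configured")
    elif account.mfa_factors <= PHONE_BOUND:
        findings.append("only phone-bound second factors (SMS/voice)")
    elif account.mfa_factors & PHONE_BOUND:
        # Whoever controls the number can choose the weakest enabled method.
        findings.append("phone-bound factor still enabled alongside stronger ones")
    if account.high_privilege and not (
        account.mfa_factors & (PHISHING_RESISTANT | APP_BASED)
    ):
        findings.append("high-privilege account lacks app-based or hardware MFA")
    # The pivot used in this incident was a password reset via the phone
    # number, so a strong login factor alone is not enough: recovery must
    # not be satisfiable by the phone number either.
    if account.recovery_channels & PHONE_BOUND:
        findings.append("password recovery possible via phone number")
    if not account.recovery_channels:
        findings.append("no recovery channel recorded; verify out of band")
    return findings


def audit(inventory) -> dict[str, list[str]]:
    """Map each non-compliant handle to its findings; compliant accounts are omitted."""
    results = {}
    for account in inventory:
        findings = assess(account)
        if findings:
            results[account.handle] = findings
    return results


# Constructed sample inventory (not real account configurations).
SAMPLE_INVENTORY = [
    AccountRecord("@agency_main", "x", {"sms"}, {"sms", "email"}),
    AccountRecord("@agency_press", "x", {"totp", "sms"}, {"email"}),
    AccountRecord("@agency_alerts", "x", {"fido2"}, {"recovery_codes"}),
]

if __name__ == "__main__":
    for handle, findings in audit(SAMPLE_INVENTORY).items():
        print(handle)
        for finding in findings:
            print("  -", finding)
```

Run against the sample inventory, `@agency_main` is flagged three times (phone-only second factor, no strong factor on a high-privilege account, phone-based recovery), `@agency_press` once for leaving SMS enabled next to an authenticator app, and `@agency_alerts` not at all. The separate recovery-channel check is the point worth keeping in any real inventory: an account can pass an "MFA enabled" audit and still be taken over through a reset flow that only needs the phone number.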