SEC SIM Swapper Gets 14 Months for X Account Hijack

An Alabama man has been handed 14 months behind bars after hacking an SEC social media account to post fake news about Bitcoin.
Eric Council Jr., 26, of Huntsville, pleaded guilty to conspiracy to commit aggravated identity theft and access device fraud back in February, after the incident took place in January 2024.
According to court documents, he created a fake identity card using personally identifiable information (PII) of the victim obtained from co-conspirators.
He then used this to perform a SIM swap attack – whereby mobile phone carriers are tricked into porting a victim’s number to a SIM card controlled by a fraudster. Once the number is ported, the fraudster is able to receive two-factor authentication (2FA) codes in order to access social media, crypto and other sensitive accounts.
With access to the SEC’s account on X (formerly Twitter), Council’s co-conspirators then posted in the name of the SEC chairman, falsely announcing the regulatory approval of Bitcoin (BTC) Exchange Traded Funds (ETFs).
Council received payment in BTC from co-conspirators for his role, while they may have benefitted from a surge in the price of the virtual currency following the announcement. The price increased by more than $1000 per BTC, before diving more than $2000 per BTC after the announcement was corrected by the SEC, the Justice Department (DoJ) said.
“Schemes of this nature threaten the health and integrity of our market system,” said Jeanine Pirro, US attorney for the District of Columbia.
“SIM swap schemes threaten the financial security of average citizens, financial institutions, and government agencies. Don’t fool yourself into thinking you can’t be caught. You will be caught, prosecuted, and will pay the price for the damage your actions create.”
At the time, the SEC account reportedly didn’t even have 2FA enabled, making the job of the co-conspirators even easier. The hijack came amid a rash of account takeovers at X, including those of Mandiant, Hyundai and Certik.
The agency, which is designed to protect investors from corporate misconduct, was heavily criticized at the time, especially as it had just brought in strict new cybersecurity reporting and transparency rules for listed firms.