The SEC revealed that it lost control of its X (formerly Twitter) account on January 9 and allowed a hacker to announce the agency’s approval of 11 bitcoin ETFs fully 24 hours before the agency was prepared to make the announcement.
The stunning hack had the potential to move the market for bitcoin in both the U.S. and globally, a cybersecurity infraction so significant that it could have easily landed a broker-dealer, investment bank or registered investment advisor in regulatory hot water. Mainstream media including CNN and MarketWatch announced the faux SEC approval, amplifying the damage.
SEC Chairman Gary Gensler said in a statement this morning that SEC staff “are coordinating with appropriate law enforcement and federal oversight entities, including the SEC’s Office of Inspector General, the Federal Bureau of Investigation, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, amongst others, in their investigations.”
The hack comes at a time when cybersecurity is the agency's top priority in examining advisor firms.
“The SEC takes its cybersecurity obligations seriously,” Gensler said. “Commission staff are still assessing the impacts of this incident on the agency, investors, and the marketplace but recognize that those impacts include concerns about the security of the SEC’s social media accounts. The staff also will continue to assess whether additional remedial measures are warranted.”
The hacker gained entry by accessing the phone number attached to the SEC’s official X account, Gensler said.
The “unauthorized party” wrote the X post “purporting to announce the Commission’s approval of spot bitcoin exchange-traded funds.” The scofflaw then made a second post just two minutes later that said “$BTC.”
Before the SEC could regain control of the account, the unauthorized party deleted its second post, but also liked two non-SEC posts, Gensler added.
While the agency is still assessing the scope of the incident, “there is currently no evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts,” Gensler said.
Once the SEC’s Office of Public Affairs became aware of the hack, a staffer posted on Gensler’s X account, “alerting the public that the @SECGov account had been compromised, an unauthorized post was made and the Commission had not approved the listing and trading of spot bitcoin exchange-traded products,” Gensler said.
SEC staff were able to gain entry to the SEC’s official X account, at which point they deleted the fake announcement and created a new post letting investors and the media know the SEC’s account had been hacked, he said.