Alabama man arrested for role in SEC Twitter account hijacking
By djohnson
A 25-year-old Alabama man has been arrested and charged with hacking into the Securities and Exchange Commission’s Twitter/X account earlier this year and making fake regulatory posts that artificially inflated the price of Bitcoin by more than $1,000 per unit.
Eric Council Jr., a resident of Athens, Ala., was arrested Thursday morning and charged with aggravated identity theft and access device fraud in connection with the January 2024 incident.
According to the Department of Justice, the FBI and the SEC Inspector General, Council and other unnamed parties used SIM-swapping to steal the identity of a third-party individual with access to the SEC’s main account. The attackers maintained control of the account only briefly, but before the SEC and Twitter/X could restore the agency’s access, they published a post imitating Chair Gary Gensler announcing that the listing of Bitcoin on registered national securities exchanges had been approved.
While the SEC did eventually approve the listing, the premature post caused considerable market disruption, sending the price up by $1,000 per bitcoin before it fell by $2,000 per bitcoin when the announcement was revealed to be fake.
An internal investigation by the SEC earlier this year had already determined that the breach occurred through a SIM-swapping attack via a telecommunications carrier, and confirmed that the agency’s Twitter/X account did not have multifactor authentication in place. SIM-swapping attacks use social engineering and other methods to induce carriers to re-assign a cell phone number to another device controlled by the attacker.
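The two control failures described above, an account whose login or recovery path rides on a phone number and an account with no multifactor authentication, can be checked mechanically against an inventory of shared accounts. The following Python is an added example, not code from CyberScoop, the SEC or any platform; the `AccountAuth` fields, factor names and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass

# Factors delivered to the phone number: a successful SIM swap hands these to the attacker.
PHONE_BOUND = frozenset({"sms", "voice_call"})
# Factors that do not depend on the carrier keeping the number with its owner.
STRONG = frozenset({"totp_app", "fido2_key", "passkey"})

REMEDIATION = {
    "NO_MFA": "Enable MFA with an authenticator app or FIDO2 key.",
    "MFA_PHONE_ONLY": "Add an app or hardware factor and remove SMS/voice as a login factor.",
    "RECOVERY_PHONE_ONLY": "Move password recovery to email plus backup codes; drop the phone channel.",
}


@dataclass
class AccountAuth:
    """Constructed description of how one shared account logs in and recovers (hypothetical schema)."""
    name: str
    mfa_enabled: bool
    second_factors: frozenset = frozenset()    # factors accepted at login when MFA is on
    recovery_channels: frozenset = frozenset()  # channels that can reset the password


def assess(acct: AccountAuth) -> list[str]:
    """Return findings that let a SIM swap of the linked number stand in for real authentication."""
    findings = []
    if not acct.mfa_enabled:
        findings.append("NO_MFA")
    elif acct.second_factors and acct.second_factors <= PHONE_BOUND:
        # MFA is switched on, but every accepted factor arrives via the phone number.
        findings.append("MFA_PHONE_ONLY")
    if acct.recovery_channels and acct.recovery_channels <= PHONE_BOUND:
        # A phone-only reset path bypasses the password entirely once the number is swapped.
        findings.append("RECOVERY_PHONE_ONLY")
    return findings


def sim_swap_sufficient(acct: AccountAuth) -> bool:
    """True when control of the phone number alone yields a working reset or login path."""
    f = assess(acct)
    return "RECOVERY_PHONE_ONLY" in f or "MFA_PHONE_ONLY" in f


def audit(inventory: list[AccountAuth]) -> dict[str, list[str]]:
    """Map each account name to its findings; accounts with no findings are omitted."""
    return {a.name: assess(a) for a in inventory if assess(a)}


# Constructed sample inventory: one account modelled on the failure mode in the article,
# one with phone-only MFA, one hardened with a FIDO2 key and non-phone recovery.
SAMPLE_INVENTORY = [
    AccountAuth("agency_main_x", mfa_enabled=False, recovery_channels=frozenset({"sms"})),
    AccountAuth("press_office_x", mfa_enabled=True,
                second_factors=frozenset({"sms"}), recovery_channels=frozenset({"email"})),
    AccountAuth("hardened_x", mfa_enabled=True,
                second_factors=frozenset({"fido2_key", "totp_app"}),
                recovery_channels=frozenset({"email", "backup_codes"})),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name)
        for code in findings:
            print(f"  {code}: {REMEDIATION[code]}")
```

The check treats SMS and voice as one class: neither survives a carrier reassigning the number, so an account where they are the only second factor or the only recovery channel is exposed even with "MFA enabled" ticked in the platform's settings.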
“These SIM swapping schemes, where fraudsters trick service providers into giving them control of unsuspecting victims’ phones, can result in devastating financial losses to victims and leaks of sensitive personal and private information,” said U.S. Attorney Matthew Graves. “Here, the conspirators allegedly used their illegal access to a phone to manipulate financial markets. Through indictments like this, we will hold accountable those who commit these serious crimes.”
According to authorities, Council Jr., who went by the online handles “Ronin,” “Easymunny,” and “AGiantSchnauzer,” was provided a fake identification card template and other personal information for the individual controlling the number attached to the SEC’s account. Council Jr. then created a fake ID and used it to obtain a replacement SIM card at a cell phone provider store, which gave him control over the individual’s phone, its data and the access codes for the SEC’s Twitter/X account.
He then passed those codes along to his co-conspirators, who posted the fake tweet. He was paid an unspecified fee in bitcoin and later returned the phone.
Authorities claim Council Jr. later conducted a series of incriminating internet searches for “SECGOV hack,” “telegram sim swap,” “how can I know for sure if I am being investigated by the FBI,” and “What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them.”
The short takeover of the account and the financial impact of the fake post caused outrage in Congress and among identity experts, who expressed disbelief that a high-profile social media account for an agency with market-moving regulatory powers was hijacked so easily and did not use multifactor authentication.
A Scoop News Group review of federal rules and regulations around agency social media use found that while many agencies strongly encouraged or internally required their accounts to have multifactor authentication and other protections in place, there are no standard or mandatory rules requiring them to do so.
The Office of Management and Budget, which has the authority to implement cybersecurity policy across the federal government, repeatedly declined to answer questions from CyberScoop in the wake of the hack about whether federal agencies were required to use multifactor authentication for social media accounts.
Grant Schneider, who served as federal chief information security officer in OMB before leaving government in 2020, told CyberScoop that much of the authority OMB and other agencies have over civilian federal cybersecurity policy derives from the Federal Information Security Management Act, a law originally passed in 2002 and updated in 2014.
Because that law is focused on “federal information and federal information systems,” when an agency is using a social media platform that is not housing or processing federal data, “I’m not convinced that OMB or [the Cybersecurity and Infrastructure Security Agency], at least under FISMA, has the authority to direct how agencies secure those accounts,” Schneider said.
The post Alabama man arrested for role in SEC Twitter account hijacking appeared first on CyberScoop.