X logo

SEC X account hacked to hawk crypto-scams

We have seen several high-profile accounts that were taken over on X (formerly Twitter) only to be used for cryptocurrency related promotional activities, like expressing the approval of exchange-traded funds (ETFs).

The latest victim in this line-up is the Securities and Exchange Commission (SEC).

The unauthorized post (which was removed within 30 minutes) looked like this:

The tweet sent from the account whiel it was hijacked

The post says:

“Today the SEC grants approval to Bitcoin ETFs for listing on registered national security exchanges.

The approved Bitcoin ETFs will be subject to ongoing surveillance and compliance measures to ensure continued investor protection.”

The hack appears to have been designed to take advantage of anticipation around an imminent annoncement by US regulators about Bitcoin Exchange Traded Funds (ETFs). ETFs are financial products that allow investors to buy commodities like gold or Bitcoin as if they are shares. A spot Bitcoin ETF will buy the cryptocurrency directly, “on the spot”, at its current price, throughout the day. The approval would mark a key milestone for the cryptocurrency market in gaining acceptance to mainstream financial markets.

Even though the false tweet only had a short life-span it caused a $2,000 spike in Bitcoin exchanges rates. Someone knowing this was going to happen could have made a significant profit.

In a statement the SEC said:

“That unauthorized access has been terminated. The SEC will work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct.”

Based on a preliminary probe, X confirmed that the SEC account had been compromised and it found that it was not due to a breach of the social media platform’s systems.

According to X, an unidentified individual was able to obtain control over a phone number associated with the @SECGov account through a third party. This would suggest the compromise was the result of a SIM swapping attack, where an attacker takes control of a phone number by convincing a mobile carrier to transfer the victim’s phone number to a SIM card they own.

With this control they can intercept messages, two-factor authentication (2FA) codes, and eventually reset passwords of the account the number has control over. Although apparently the SEC did not have 2FA enabled for its X account!

Secure your X account

Although any form of 2FA is better than none, all forms of 2FA are not equally secure. SMS-based 2FA is vulnerable to SIM swapping and if you can avoid it, we suggest you do. X offers other options like an authentication app and a security key.

To change your 2FA factor in X click on More

The More button is beneath the Profile button on your X page

Select Settings and Support > Settings and Privacy > Security and Account access

Click Security > Two-factor authentication and put a checkmark in your preferred option.

You will be prompted to enter your X password and click Confirm. From there, follow the instructions in the prompts. Since not many people have security keys, I’ll continue with the Authentication app instructions.

  • Click Get started
  • Open your preferred authentication app and add the X account to the app. Usually this is as simple as scanning the QR code.
  • You’ll be prompted to enter the authentication code shown by the app.

You’re all set. Store the displayed backup code in a safe place in case you need it.

The prompt that says you're all set also displays your backup code

You’ll receive a confirmation mail at the address associated with the account.

And if you see tweets from an account about cryptocurrencies, NFTs, ETFs or other financial news that you would not expect from that account, keep a ten foot pole between you and what they are linking to.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.