Alabama man arrested for involvement in hijacking SEC Twitter account

A 25-year-old Alabama man was arrested and charged with hacking into the Securities and Exchange Commission’s Twitter/X account earlier this year and making fake regulatory posts that artificially increased the price of Bitcoin by more than $1,000 per unit.

Eric Council Jr., a resident of Athens, Alabama, was arrested Thursday morning and charged with aggravated identity theft and access device fraud in connection with the January 2024 incident.

According to the Justice Department, the FBI and the SEC Inspector General, Council and other unnamed parties used a SIM swap to steal the identity of a third party with access to the SEC’s main account. The attackers retained control of the account only for a short time, but before the SEC and Twitter/X could restore the agency’s access, they published a post impersonating Chairman Gary Gensler and announcing that the listing of Bitcoin on registered national securities exchanges had been approved.

Although the SEC did ultimately approve the listing, the early release caused significant market disruption: the price rose by $1,000 per Bitcoin before falling by $2,000 per Bitcoin when the announcement was revealed to be fake.

An internal SEC investigation earlier this year had already found that the breach was caused by a SIM swapping attack via a telecommunications provider and confirmed that the agency’s Twitter/X account did not have multifactor authentication. SIM swapping attacks use social engineering and other methods to trick network operators into assigning a mobile phone number to another device controlled by the attacker.

“These SIM swap schemes, in which fraudsters trick service providers into giving them control of unsuspecting victims’ phones, can result in devastating financial losses to victims and the loss of sensitive personal and private information,” said U.S. Attorney Matthew Graves. “Here, the conspirators allegedly used their illegal access to a telephone to manipulate financial markets. Through charges like these, we will hold accountable those who commit these serious crimes.”

According to authorities, Council Jr., who went by the pseudonyms “Ronin,” “Easymunny” and “AGiantSchnauzer” online, was provided a fake ID template and other personal information for the person whose phone number was linked to the SEC account.

According to the indictment, Council was advised by other co-conspirators that an individual identified only as “CL” had a phone number with access to the SEC’s Twitter account. They then used an encrypted messaging service to send Council personal information, an ID template and a photo of “CL” to create a false identity. The co-conspirators also stated that “CL” had a cell phone account with telecommunications provider AT&T.

Council, who had his own ID card printer, printed out the fake ID and used it at an AT&T store on January 9, 2024, posing as an “FBI agent who had broken his phone and needed a new SIM card.” After obtaining a replacement card, he visited another wireless carrier’s store and used it to reassign CL’s cell phone number to his device, giving him control of the person’s phone, their information, and access codes to the SEC’s Twitter/X account.

He then passed these codes on to his co-conspirators, who published the fake tweet. He received an unspecified fee in Bitcoin and later returned the phone.

Authorities allege Council Jr. later conducted a series of incriminating Internet searches for “SECGOV hack,” “Telegram sim swap,” “How do I know for sure if I’m under investigation by the FBI,” and “What are the signs that you are under investigation by law enforcement or the FBI, even if you have not been contacted by them.”

The short-term takeover of the account and the financial impact of the fake post sparked outrage in Congress and among identity experts, who expressed disbelief that a high-profile social media account owned by an agency with market-moving regulatory powers could be hijacked so easily and was not using multi-factor authentication.

A Scoop News Group review of federal rules and regulations surrounding government use of social media found that while many agencies strongly encourage or internally require that their accounts have multifactor authentication and other protections, there are no standard or binding rules that oblige them to do so.

The Office of Management and Budget, which is responsible for implementing cybersecurity policy across the federal government, repeatedly declined to answer questions from CyberScoop in the wake of the hack about whether federal agencies are required to use multifactor authentication for social media accounts.

Grant Schneider, who served as federal chief information security officer at OMB before leaving the administration in 2020, told CyberScoop that much of the authority OMB and other agencies have over federal civilian cybersecurity policy comes from the Federal Information Security Management Act, a law originally passed in 2002 and updated in 2014.

Because this law focuses on “federal information and federal information systems,” if an agency uses a social media platform that does not store or process federal data, “I am not convinced that OMB or [the Cybersecurity and Infrastructure Security Agency] has the authority, at least under FISMA, to control how agencies secure these accounts,” Schneider said.


Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where he covers cybersecurity, elections and the federal government. Previously, he has provided award-winning coverage of cybersecurity news in the public and private sectors for various publications since 2017. Derek holds a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.