US prosecutors have recommended a two-year prison sentence for Eric Council Jr., the individual behind the January 2024 hack of the Securities and Exchange Commission’s official X account. The breach led to a false announcement claiming the SEC had approved Bitcoin ETFs, which briefly caused a sharp price spike and widespread confusion across the crypto industry.
The market was volatile following the incident, and Bitcoin’s price skyrocketed to more than $1000 above after the deceptive post was posted until it was deleted. Council, a 25-year-old from Athens, Alabama, also pleaded guilty this year to charges of conspiracy to commit aggravated identity theft and access device fraud.
Council used SIM swap to access SEC account
Based on federal filings, it is clear that Council performed a SIM swap attack to hijack the SEC’s official social media account. By giving a fraudulent ID to a telecommunication firm, he was able to get them to move the number of a federal employee to a SIM card that he controlled. This step enabled him to request a password reset code and get access to the SEC’s X account.
He then forwarded the credentials to co-conspirators so they could publish the fake Bit coin ETF approval announcement. The message confused the investors since anticipations for an actual decision on spot Bitcoin ETFs were high. The following day, the SEC formally approved the ETFs in an official release; however, it was too late, as the damage from the fraudulent release had already happened.
Prosecutors emphasize severity of the crime
According to the prosecution, Council’s actions were part of a larger fraud scheme involving forged identification and collaboration with others in the US and abroad. He is reported to have made $50,000 from the hack. Investigators also found that he had searched online about how to determine whether the FBI was investigating him.
Federal officials stressed that the severity and sophistication of the scheme justified the recommended two-year sentence. Council’s sentencing is scheduled for May 16 in Washington, D.C.
Hack highlights cybersecurity gaps at SEC
The breach also exposed significant weaknesses in the SEC’s digital infrastructure. During the hack, multi-factor authentication was disabled on the agency’s X account due to internal access issues. This vulnerability allowed Council and his group to take over the account easily.
After the incident, the SEC said that multi-factor authentication had been reactivated on all official social media handles and called on the public to use its website for confirmed updates.