SEC SIM Swapper Sentenced to 14 Months for Account Hijacking
An Alabama man has been sentenced to 14 months in prison following his involvement in the hacking of a social media account belonging to the Securities and Exchange Commission (SEC), where he posted misleading information regarding Bitcoin.
Eric Council Jr., a 26-year-old resident of Huntsville, pleaded guilty earlier this year to conspiracy to commit aggravated identity theft and access device fraud in connection with the incident, which occurred in January 2024.
Court documents reveal that Council created a fraudulent identification card using personally identifiable information (PII) acquired from associates. He then executed a SIM swap attack, a method in which mobile carriers are deceived into transferring a victim’s phone number to a SIM card under the control of the hacker. This gives the fraudster access to two-factor authentication (2FA) codes, enabling entry into sensitive accounts, including social media and cryptocurrency platforms.
After gaining access to the SEC’s account on X (formerly Twitter), Council’s co-conspirators posted a statement purporting to be from the SEC chairman, falsely claiming the agency had approved Bitcoin Exchange Traded Funds (ETFs). Council received compensation in Bitcoin from his associates, who likely exploited this misinformation to benefit from a spike in Bitcoin’s market price, which surged by over $1,000 before plummeting by more than $2,000 once the SEC issued a correction, according to the Justice Department.
“Schemes of this nature threaten the health and integrity of our market system,” declared Jeanine Pirro, US attorney for the District of Columbia. She further emphasized that such SIM swap schemes jeopardize the financial security of ordinary citizens, financial institutions, and governmental bodies, cautioning perpetrators not to assume they will evade capture.
Notably, the SEC’s account reportedly lacked 2FA protection at the time of the breach, which made the co-conspirators’ actions even easier. The incident occurred amid a wave of account takeovers on X, which had also affected other notable organizations.
The SEC, tasked with protecting investors against corporate misconduct, faced significant backlash, particularly as it had recently implemented stringent cybersecurity reporting and transparency regulations for publicly listed companies.