Anatomy of a Market Shock: How a SIM Swap Breached the SEC and Jolted Bitcoin

In January 2024, a sophisticated attack on the U.S. Securities and Exchange Commission’s X (formerly Twitter) account sent shockwaves through both the cryptocurrency market and the regulatory community. The culprit, Eric Council Jr., a 26-year-old from Alabama, was sentenced Friday to 14 months in prison following his guilty plea to conspiracy charges related to aggravated identity theft and access device fraud, according to the Justice Department.

This incident, as first reported by TechCrunch and detailed in court documents, underscored the security vulnerabilities plaguing even the most critical government infrastructure. On January 9, 2024, Council executed a SIM swap attack—an increasingly prevalent method—by using a forged identification at an AT&T store to obtain a SIM card linked to the SEC’s mobile number. This move allowed Council to intercept SMS-based two-factor authentication (2FA) codes required to reset the password for the SEC’s X account.

Once inside the account, Council relayed the reset information to his co-conspirators. Within minutes, a fraudulent post appeared—purportedly from SEC Chair Gary Gensler—announcing the long-anticipated approval of spot Bitcoin exchange-traded funds (ETFs). The message, though quickly identified as false, had an immediate and profound effect: The price of Bitcoin surged by more than $1,000 within minutes as traders reacted to the “news,” only to plunge by over $2,000 when the SEC regained control and debunked the announcement. CNBC reported the move triggered intense volatility in the already turbulent cryptocurrency markets, highlighting the risk posed by social media platforms as vectors for financial misinformation.

The Justice Department’s summary of the attack emphasized both the technical sophistication and the brazenness of Council’s actions. U.S. Attorney Jeanine Ferris Pirro and Matthew R. Galeotti, head of the DOJ’s Criminal Division, drew attention to the broader implications of the breach, stating that Council “intentionally exploited vulnerabilities in our financial system to manipulate markets and profit from chaos.” The Defiant noted that, beyond the prison sentence, Council was also ordered to forfeit $50,000.

The method of attack—SIM swapping—revolves around tricking mobile carriers into transferring a target’s phone number to a SIM card controlled by the attackers. This, in turn, grants access to SMS-based 2FA codes, making high-value accounts with weak authentication protocols prime targets. As reported by Law360 and Cryptobriefing, this breach came despite earlier cybersecurity assessments at the SEC that concluded, months before, that the agency’s defenses were “not effective” and required urgent improvement.

The SEC hack is now a cautionary tale for both regulators and the private sector. In an industry defined by rapid digital transformation, the incident exposes a glaring vulnerability: reliance on SMS-based two-factor authentication for critical systems. Security analysts and former regulators have called for accelerated adoption of hardware security keys and biometric solutions, citing the inevitability of future attacks if fundamental changes are not made.

For cryptocurrency exchanges and market participants, the event rekindles fears of manipulation and regulatory uncertainty. The fleeting, yet dramatic, price swings serve as a reminder of how market confidence and technical weaknesses intersect in the digital age. The case of Eric Council Jr. is less a singular aberration and more a harbinger of new risks facing both Wall Street and Washington. As detailed by TechCrunch and others, the hack’s legacy will be measured both by the reforms it spurs and the lingering scars it leaves on the public trust.