The FBI has arrested a 25-year-old man from Athens, Alabama, named Eric Council Jr. in connection with a cyberattack that compromised the Securities and Exchange Commission’s (SEC) official social media account on X (formerly Twitter). This incident led to a significant disruption in the cryptocurrency market, particularly affecting Bitcoin’s value.
Council was charged with conspiracy to commit aggravated identity theft and access device fraud, according to federal authorities. The charges stem from an incident on January 9, 2024, during which Council and his accomplices allegedly hacked into the SEC’s X account and posted a fraudulent announcement claiming that the SEC had approved the first-ever Bitcoin exchange-traded funds (ETFs) in the U.S.
The Justice Department noted that the Council gained control of the SEC’s account through an unauthorized Subscriber Identity Module (SIM) swap. This method involves tricking a mobile service provider into transferring a victim’s phone number to a SIM card controlled by the hacker, allowing access to sensitive accounts linked to that number.
The unauthorized tweet caused Bitcoin’s value to surge by over $1,000 within minutes, only to fall back sharply after the SEC quickly denied the announcement. SEC Chair Gary Gensler confirmed that their account had been compromised shortly after the false news spread. The incident raised alarms not only due to its immediate financial implications but also because it highlighted vulnerabilities in social media security protocols.
According to the indictment, Council used a fraudulent identification document created with the victim’s name and his own photo to impersonate an SEC employee. He then conducted a SIM swap at an AT&T store in Huntsville, Alabama, claiming to be an FBI employee needing a new SIM card due to a broken phone. Following this, he purchased a new iPhone and used it to receive two-factor authentication codes necessary for accessing the SEC’s X account.
The FBI’s investigation revealed that Council had searched online for terms related to hacking and potential investigations against him, indicating awareness of the legal risks involved. If convicted, Council faces a maximum sentence of five years in prison. The indictment also suggests that other individuals were involved in this scheme, although their identities remain undisclosed at this time.
