Alabama Man Arrested in SEC Twitter Account Compromise
Eric Council Jr. allegedly performed a SIM swapping attack to pave the way for the SEC Twitter account compromise, leading to a Bitcoin price spike.
Remember back in January when someone compromised the U.S. SEC’s Twitter account and sent a tweet that caused a Bitcoin price spike? A 25-year-old man from Alabama has now been arrested for his alleged part in taking control of the account.
The man, Eric Council Jr., who was arrested Thursday, didn’t work alone - he performed a SIM swapping attack to take over the phone number associated with the account, paving the way for unnamed co-conspirators to send out the fake tweet.
Council also apparently had some time to mull over the repercussions of his actions, using his personal computer to search for things like: “SECGOV hack,” “How can I know for sure if I am being investigated by the FBI,” “What are some signs that the FBI is after you,” and more.
When the compromise initially happened, the SEC had pointed to SIM swapping, where phone numbers are transferred to other devices without authorization. This scam allows attackers to receive voice or SMS communications linked to a number - opening the door for them to reset account passwords or bypass two-factor authentication (if targets use texts as an authentication form).
But the indictment tied to the arrest gives us some more color about exactly how the compromise happened.
The Hack:
- Council allegedly traveled to an AT&T store with fake documentation, purporting to be the actual person who had access to the SEC Twitter account. Council claimed to be an FBI employee who broke his phone, and said he needed a new SIM card.
- He was able to obtain a new SIM card, taking over the victim’s cellphone number.
- Because the SEC’s social media account was linked to that number, Council was able to receive two-factor security reset codes associated with the account.
- Council then sent this code to the unnamed co-conspirators, who used the access to send a fake tweet that bitcoin Exchange Traded Funds had been approved.
- After the compromise, Council used his personal computer to search for various terms, including “SECGOV hack,” “telegram sim swap,” “How can I know for sure if I am being investigated by the FBI,” “What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them,” “What are some signs that the FBI is after you,” and “federal identity theft statute.”
The Big Picture:
Many other high-profile accounts have been compromised through SIM swapping over the years, even former Twitter CEO Jack Dorsey’s account in 2019. The SEC Twitter account hack put both SIM swapping and Twitter account protections - including the usage of multi-factor authentication (MFA) - into the spotlight, as the SEC acknowledged that MFA had been disabled six months before the account was compromised.
Council has been charged with conspiracy to commit aggravated identity theft and access device fraud. If convicted, he could face up to five years in prison.