Alabama man arrested for role in SEC Twitter account hijacking

Eric Council Jr. was charged with aggravated identity theft and access device fraud in connection with the January 2024 incident.
In this photo illustration, a visual representation of the digital cryptocurrency Bitcoin is displayed in front of Securities and Exchange Commission (SEC) logo on January 10, 2024 in Paris, France. (Photo illustration by Chesnot/Getty Images)

A 25-year-old Alabama man has been arrested and charged with hacking into the Securities and Exchange Commission’s Twitter/X account earlier this year and making fake regulatory posts that artificially inflated the price of Bitcoin by more than $1,000 per unit.

Eric Council Jr., a resident of Athens, Ala., was arrested Thursday morning and charged with aggravated identity theft and access device fraud in connection with the January 2024 incident.

According to the Department of Justice, the FBI and the SEC Inspector General, Council and other unnamed parties used SIM-swapping to steal the identity of a third-party individual with access to the SEC’s main account. The attackers maintained control of the account for only a short time, but before the SEC and Twitter/X could restore the agency’s access, they published a post imitating Chair Gary Gensler announcing that the listing of Bitcoin on registered national securities exchanges had been approved.

While the SEC did indeed eventually approve the listing, the premature posting caused considerable market disruption, sending the price up by $1,000 per bitcoin before falling by $2,000 per bitcoin when the announcement was revealed to be fake.  

An internal investigation by the SEC earlier this year had already determined that the breach occurred through a SIM-swapping attack via a telecommunications carrier, and confirmed that the agency’s Twitter/X account did not have multifactor authentication in place. SIM-swapping attacks use social engineering and other methods to induce carriers to re-assign a cell phone number to another device controlled by the attacker.

“These SIM swapping schemes, where fraudsters trick service providers into giving them control of unsuspecting victims’ phones, can result in devastating financial losses to victims and leaks of sensitive personal and private information,” said U.S. Attorney Matthew Graves. “Here, the conspirators allegedly used their illegal access to a phone to manipulate financial markets. Through indictments like this, we will hold accountable those who commit these serious crimes.”

According to authorities, Council Jr., who went by the online handles “Ronin,” “Easymunny,” and “AGiantSchnauzer,” was provided a fake identification card template and other personal information for the individual controlling the number attached to the SEC’s account.

According to the indictment, Council was tipped off by other co-conspirators that an individual, identified only as “C.L” had a phone number with access to the SEC’s Twitter account. They then used an encrypted messaging service to send Council personal information, an identification card template and a photo of “C.L” to create a false identity. The co-conspirators also relayed that “C.L” had a cell phone account with telecommunications carrier AT&T.

Council, who had his own identification card printer, printed out the fake ID and used it at an AT&T store on Jan. 9, 2024, posing as an “FBI agent who broke his phone and needed a new SIM card.” After obtaining a replacement card, he visited another cell phone provider store and used it to re-assign C.L’s cell phone number to his device, giving him control over the individual’s phone, its data and access codes for the SEC’s Twitter/X account.

He then passed those codes along to his co-conspirators, who posted the fake tweet. He was paid an unspecified fee in bitcoin and later returned the phone.

Authorities claim Council Jr. later conducted a series of incriminating internet searches for “SECGOV hack,” “telegram sim swap,” “how can I know for sure if I am being investigated by the FBI,” and “What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them.”

The short takeover of the account and the financial impact of the fake post caused outrage in Congress and among identity experts, who expressed disbelief that a high-profile social media account for an agency with market-moving regulatory powers was hijacked so easily and did not use multifactor authentication.

A Scoop News Group review of federal rules and regulations around agency social media use found that while many agencies strongly encouraged or internally required their accounts to have multifactor authentication and other protections in place, there are no standard or mandatory rules requiring them to do so.

The Office of Management and Budget, which has the authority to implement cybersecurity policy across the federal government, repeatedly declined to answer questions from CyberScoop in the wake of the hack about whether federal agencies were required to use multifactor authentication for social media accounts.

Grant Schneider, who served as federal chief information security officer in OMB before leaving government in 2020, told CyberScoop that much of the authority OMB and other agencies have over civilian federal cybersecurity policy derives from the Federal Information Security Management Act, a law originally passed in 2002 and updated in 2014. 

Because that law is focused on “federal information and federal information systems,” when an agency is using a social media platform that is not housing or processing federal data, “I’m not convinced that OMB or [the Cybersecurity and Infrastructure Security Agency], at least under FISMA, has the authority to direct how agencies secure those accounts,” Schneider said. 

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
