SEC Twitter Hack: Man Sentenced to 14 Months in Prison for Role in Attack That Caused Bitcoin's Price to Soar
A shocking incident of cybercrime has come to light, as a 25-year-old man from Alabama has been sentenced to 14 months in federal prison for his role in the January 2024 hack of the US Securities and Exchange Commission's (SEC) Twitter account. Eric Council Jr., of Athens, Alabama, pleaded guilty to charges related to the attack that saw a fake announcement about Bitcoin posted to the SEC's 660,000+ followers.
The tweet in question was accompanied by a very corporate image picturing SEC chairman Gary Gensler endorsing the announcement, making it difficult for even the most cybersecurity-savvy Twitter users to suspect anything amiss. However, the announcement caused an immediate and dramatic spike in the value of Bitcoin before it slipped down again after Gensler confirmed on his personal account that the SEC's account had been compromised.
According to court documents, Council was part of an online gang specializing in SIM-swapping and hijacking social media accounts. His role was to impersonate the person who managed the SEC's Twitter account – a goal he achieved after creating a fake ID card bearing his face and their name. With this fake identity card, Council walked into an AT&T store in Huntsville, Alabama, and convinced a retail employee to hand over a SIM card for the victim's phone number.
He then raced to an Apple Store, bought an iPhone, plugged in the SIM, and intercepted the password for the SEC's Twitter account. The attack was possible because Twitter allowed users to reset their account password simply by knowing, and having access to, the associated cellphone number. Council not only knew the mobile phone number associated with the SEC's Twitter account but also held a SIM card for that number, so he received any messages sent to it.
According to prosecutors, Council received US $50,000 for his part in the plot. In June 2024, the FBI searched Council's apartment and found the fake ID card and a portable ID card printer. An examination of Council's laptop also revealed some incriminating internet searches. Council faced up to five years in prison; Judge Amy Berman Jackson sentenced him to 14 months and ordered him to forfeit US $50,000.
After completing his prison sentence, Council will have to submit to "three years of supervised release" under the condition that he does not use computers to access the dark web or commit further identity fraud. This case serves as a stark reminder of the need for increased cybersecurity measures and vigilance in online transactions.