Washington, D.C. – In a landmark case highlighting the growing cybersecurity threats to financial institutions and digital platforms, Eric Council Jr., a 25-year-old Alabama resident, has pleaded guilty to conducting a SIM-swapping attack that led to the hijacking of the U.S. Securities and Exchange Commission’s (SEC) official X (formerly Twitter) account in January 2024. His cyber intrusion enabled the posting of a fraudulent Bitcoin ETF approval announcement, momentarily influencing the cryptocurrency market before the hoax was exposed.
The Anatomy of the Attack: How Council Gained Access
SIM-Swapping: A Gateway to High-Profile Accounts
SIM-swapping, a well-documented form of social engineering, involves fraudulently transferring a victim’s phone number to a SIM card controlled by the attacker. This enables cybercriminals to bypass multi-factor authentication (MFA) mechanisms, gaining unauthorized access to digital accounts linked to the phone number.
In Council’s case, he targeted an individual responsible for managing the SEC’s social media accounts. By leveraging a fraudulent identification card, which he fabricated using an identification card printer, he impersonated the victim and successfully seized control of their cellular number.
Once in possession of the phone number, Council executed a password reset on the SEC’s X account, granting himself full control. He then transferred account access to co-conspirators, who compensated him with $50,000 in Bitcoin for his role in facilitating the breach.
The Fake Announcement & Market Manipulation
Shortly after gaining control over the SEC’s official X account, Council and his accomplices published a fabricated post falsely announcing the approval of Bitcoin Exchange-Traded Funds (ETFs). The now-infamous post read:
“Today the SEC grants approval to Bitcoin ETFs for listing on registered national security exchanges. The approved Bitcoin ETFs will be subject to ongoing surveillance and compliance measures to ensure continued investor protection.”
Given the SEC’s authoritative stance on cryptocurrency regulations, the deceptive announcement immediately triggered a spike in Bitcoin’s value, driving prices up by $1,000 in a matter of minutes. However, the celebration was short-lived, as SEC Chair Gary Gensler quickly disavowed the post, confirming that the agency’s account had been compromised. This revelation prompted a swift $2,000 drop in Bitcoin’s price, causing losses for traders who acted on the fraudulent information.
The SEC officially confirmed that a SIM-swapping attack was responsible for the breach, raising urgent concerns over the security of high-profile institutional accounts and the vulnerabilities of SMS-based authentication measures.
The Investigation: Council’s Digital Footprint Led to His Downfall
Following the incident, the FBI launched an extensive investigation, ultimately linking Council to the cyberattack. Forensic analysis of his personal computer revealed that he had conducted multiple searches relating to FBI investigations, including:
- “What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them?”
- “How can I know for sure if I am being investigated by the FBI?”
These searches, along with evidence of his fraudulent ID card creation activities, provided authorities with sufficient grounds to arrest and charge him.
Legal Consequences: Maximum Five-Year Sentence Looms
After initially pleading not guilty, Council reversed course and pleaded guilty to charges of conspiracy to commit aggravated identity theft and access device fraud. Under federal sentencing guidelines, he faces a maximum penalty of five years in prison.
His sentencing hearing is scheduled for May 16, 2025, where the court will determine his final punishment. Given the severity of the financial impact and the national security implications, legal experts anticipate a harsh sentence to serve as a deterrent to future cybercriminals.
How a SIM-Swap Exploit Works: Technical Breakdown
1. Target Identification & Reconnaissance
- Attackers use OSINT (Open-Source Intelligence) techniques, social media scraping, and dark web data leaks to gather personal information.
- They look for phone numbers, email addresses, dates of birth, and security question answers from past breaches.
2. Gaining Personal Information for Social Engineering
- Cybercriminals phish victims or buy leaked credentials to obtain date of birth, address, and account PINs.
- If needed, they impersonate financial institutions or service providers to trick victims into revealing additional details.
3. Executing the SIM Swap with the Carrier
- The attacker calls the victim’s mobile provider, claiming their phone was lost or stolen.
- They use stolen personal details to verify their identity and convince customer support to transfer the phone number to a new SIM.
- Once the swap is completed, the victim loses service, while the attacker receives their calls and messages.
4. Account Takeover & Exploitation
- The attacker resets passwords for high-value accounts (email, crypto exchanges, financial services).
- They intercept SMS-based two-factor authentication codes, bypassing security measures.
- They take full control of accounts, locking out the original user and executing fraud or financial theft.
Mitigations: How to Prevent SIM-Swapping Attacks
1. Strengthen Mobile Carrier Security
✅ Set a unique PIN or passphrase with your carrier for SIM changes.
✅ Enable port-freezing or no-SIM-swap policies if your provider offers them.
✅ Link security alerts to an alternate email or authentication app.
2. Avoid SMS-Based Multi-Factor Authentication (MFA)
✅ Use app-based authenticators (Google Authenticator, Authy, Microsoft Authenticator).
✅ Prefer security keys (YubiKey, Titan Key) for high-risk accounts.
3. Monitor & Lock Personal Data
✅ Freeze your credit to prevent identity theft.
✅ Enable real-time SMS/email alerts for suspicious logins or account changes.
4. Be Aware of Phishing & Social Engineering
✅ Never share personal details over the phone unless you initiated the call.
✅ Ignore suspicious SMS links or emails claiming “account security alerts.”
✅ Regularly review security settings for sensitive accounts.
A Wake-Up Call for Cybersecurity & Financial Markets
The Council case underscores several critical cybersecurity vulnerabilities, particularly within financial institutions and regulatory bodies. It also serves as a warning that social engineering exploits, when combined with weak authentication protocols, can lead to high-impact financial fraud and market manipulation.
While individuals must take steps to protect themselves, mobile carriers, financial regulators, and social media platforms must enhance their security frameworks to reduce the risk of SIM-swapping attacks. The cryptocurrency and financial trading sectors, in particular, remain prime targets for cybercriminals seeking to exploit market movements for illicit gain.
With the SEC breach demonstrating the real-world consequences of inadequate security measures, organizations must move beyond SMS-based authentication and adopt stronger, more resilient security strategies. As cybercriminals evolve, so must the defensive measures protecting high-value targets.
The sentencing of Eric Council Jr. on May 16, 2025, will be a defining moment for law enforcement’s stance on cyber fraud—one that could shape the future of digital security policies across regulatory agencies, financial institutions, and telecommunications providers.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.
