A raft of US senators have demanded answers from the Securities and Exchange Commission (SEC) after a security incident led to false and market-moving information being published by the financial regulator.
At 4:11 pm ET on January 9, a post was published to the SEC’s X account announcing the approval of spot bitcoin ETFs, a type of financial product that would allow people to invest in the crypto asset through a regular brokerage. By 4:26 pm, SEC chair Gary Gensler had issued a retraction and said the agency’s account had been “compromised,” and that an “unauthorized tweet was posted.” The damage had already been done.
There has been speculation by media outlets, including Fox Business, that the SEC might be tasked with investigating itself over market manipulation infractions, as a regulator responsible for protecting US investors from precisely that threat. More likely, says a former SEC attorney who asked not to be named, given that bitcoin is classified as a commodity in the US, such an investigation would fall to the US Commodities and Futures Trading Commission (CFTC).
But even then, the issue of jurisdiction aside, unanswered questions remain about the practicability of any potential investigation, says Charley Cooper, former chief operating officer at the CFTC. “The idea of the commodities regulator investigating the securities regulator is unprecedented,” he says. “There is no manual for this.”
In a statement, the CFTC said it has “enforcement authority” with respect to any alleged manipulation of bitcoin, but declined to confirm whether it would investigate in this instance.
In the minutes after the fake post was published, the price of bitcoin jumped around 2.5 percent, but has since fallen to below 2.5 percent of its original price. In all, the incident led to a $40 billion swing in the combined value of bitcoin in circulation.
Most PopularThe Top New Features Coming to Apple’s iOS 18 and iPadOS 18By Julian Chokkattu CultureConfessions of a Hinge Power UserBy Jason Parham GearHow Do You Solve a Problem Like Polestar?By Carlton Reid SecurityWhat You Need to Know About Grok AI and Your PrivacyBy Kate O'Flaherty
GearX said an “unidentified individual” had used a phone number tied to the SEC’s account to seize control. The account “did not have two-factor authentication enabled” at the time of the hack, X said.
In a cosigned letter, Republican senators J. D. Vance and Thom Tillis demanded the SEC answer for the “widespread confusion” and damage to investors it had caused. The incident is “antithetical to the Commission’s tripart mission to protect investors, maintain a fair, orderly and efficient market, and facilitate capital formation,” the pair wrote. Senators Bill Hagerty and Cynthia Lummis, both Republicans, added their voices to the chorus with separate posts on X.
In their letter, Vance and Tillis set a deadline of January 23 for the SEC to elucidate its plans to investigate what happened, among other things.
In a statement, the SEC said it will “work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct,” but provided no further specifics.
In practice, an “alphabet soup of investigations” is likely to ensue, according to John Stark, who served for 18 years as an attorney at the SEC. Those investigations will likely involve separate inquiries conducted by the SEC itself, the US Department of Justice—which will focus on identifying the hacker—and potentially other regulatory bodies. The DOJ did not respond to a request for comment.
The SEC’s internal investigation, says Stark, will likely be conducted by the Office of the Inspector General, independent to the rest of the agency, and will focus instead on any “staff misconduct” that might have enabled the security breach. The findings of what is likely to be a “robust investigation” will be provided to Congress, he says, but not for a number of months.
In July, the SEC imposed new rules on companies that register with the agency, requiring them to disclose material cybersecurity incidents and their “nature, scope, and timing” within four business days. The SEC did not respond when asked whether it will make a preliminary disclosure of this kind.
In the aftermath of the security breach, Gensler—something of a cartoon villain in crypto circles due to his agency’s aggression toward the industry—has faced mockery and calls for his resignation among crypto personalities on X.
It is unlikely, though, says industry analyst Noelle Acheson, formerly of crypto brokerage Genesis, that Gensler will be forced to resign. “I can’t see him letting go of the job,” she says, “unless it’s pried from his grasp.”
“The Twitterverse has been calling for Gensler’s resignation forever. But this isn’t the kind of thing you resign for,” says Stark. “At worst, SEC staff will be found to be guilty of the same thing as a lot of companies: sloppiness with respect to cybersecurity.”
Though an organization like the SEC should be expected to uphold tight security stands, says Stark, who currently works as a cybersecurity consultant, it is impossible to prevent all breaches. “You can do everything you can to stop them,” he says. “But sooner or later, some person screws up.”