Hackers manipulate stocks in $920 million illicit trading spree

Criminals are targeting Japanese online trading accounts to drive up penny stocks.

Criminals are hijacking online brokerage accounts in Japan and using them to drive up penny stocks around the world.

The wave of fraudulent trading has reached 100 billion yen (S$920 million) since it started in February, and shows no signs of cresting. 

The scams typically use the hacked accounts to buy thinly traded stocks both domestically and overseas, allowing anyone who has built up a position earlier to cash out at inflated values.

In response, some Japanese securities firms have stopped processing buy orders for certain Chinese, US and Japanese stocks. 

Eight of Japan’s biggest brokers, including Rakuten Securities and SBI Securities, have reported unauthorised trading on their platforms.

The breaches have exposed Japan as a potential weak point in efforts to safeguard markets from hackers. They also threaten to undermine the government’s push to get more people to invest for their retirement. This is particularly so since some victims say they are baffled as to how their accounts were broken into, and the securities companies have so far largely refrained from covering the losses. 

One investor, a Tokyo resident in his mid-50s, said he lost around 50 million yen when his account was hacked and used to buy Japanese and Chinese individual stocks. He said an account notification suddenly popped up on his iPhone on the morning of April 16. Alarmed, he immediately called his brokerage but was told it could not freeze the account.

Even though he had only ever purchased index funds that tracked the S&P 500 index and had never bought individual shares, his account was used to buy stocks on margin. Faced with plummeting prices, he chose to sell the securities on April 17 and 18 to avoid further losses. Since the stocks were bought with leverage, the brokerage said it would liquidate his holdings in the S&P to cover the losses.

One of the stocks the investor said was purchased using his account was DesignOne Japan. On April 16, 5.8 million shares of the stock changed hands, compared with a daily average of 194,000 shares over the last six months. Bloomberg was unable to independently confirm details of the transactions in the investor’s account.

Japan’s government has told brokerages to engage in “good faith” discussions with clients about compensation for losses, Finance Minister Katsunobu Kato said on April 22. 

The Japan Securities Dealers Association, the umbrella group for the country’s securities firms, is also pushing its members to upgrade their systems to make multifactor authentication mandatory. The group’s chairman Toshio Morita criticised the failure to provide compensation for victims, while acknowledging it was up to each firm to set its own policy. 

The criminals behind the scams are likely using techniques called adversary-in-the-middle and infostealers to gain access to the accounts, according to Mr Nobuhiro Tsuji, a cyber-security expert at SB Technology. The first method leverages both fake and legitimate websites to steal cookies, the small text files stored in web browsers that hold session data.

The attack typically begins by luring users to a fake site via a phishing e-mail or malicious ad. The fake site then redirects users to the legitimate site, where their login credentials are intercepted. In some cases, the attackers create extremely elaborate interfaces – for example, one side of the browser shows the real site while the other displays the fake one – to deceive users.

In contrast, infostealers are a type of malware specifically designed to steal sensitive information such as IDs and passwords. Hidden in e-mails, malicious ads, or fraudulent websites, these programs can infect users’ devices and silently exfiltrate all stored personal data – often without users ever realising they have been compromised.

There have been at least 105,000 cases of leaked credentials in Japan, according to a study done by Macnica Security Research Centre. 

One weakness in Japan is the propensity for people to use browsers rather than mobile apps, which have better protection, according to Mr Yutaka Sejiyama, deputy director of Macnica. There has not been a similar surge in cases overseas. BLOOMBERG
