Cybercriminals are Manipulating Markets in $700+ Million Illicit Trading Spree
Regulators, Governments and Investors Struggle to Cope
Cybercriminals are hijacking online brokerage accounts in Japan and using them to drive up penny stocks around the world. The wave of fraudulent trading is now over $700 million since it started in February and shows no signs of cresting. Based on what has been reported, the scams typically use the hacked accounts to buy thinly traded stocks both domestically and overseas. This classic pump and dump scheme allows anyone who has built up a position earlier to cash out at inflated values. In response to this attack, some Japanese brokerage firms have stopped processing buy orders for certain Chinese, US and Japanese stocks. So far eight of the country’s biggest brokers including Rakuten Securities Inc. and SBI Securities Co. have reported unauthorized trading on their platforms. The breaches have exposed Japan as a potential weak point in efforts to safeguard global markets from hackers. They also threaten to undermine the Japanese government’s push to get more people to invest for their retirement, particularly since some victims say they are baffled as to how their accounts were broken into and the brokerage firms have largely refrained from covering the losses.
An example of passing the blame
In one report a 41-year-old part-time worker, who did not want to be named because of privacy concerns, said her Rakuten Securities account was hacked and used to buy Chinese stocks in a transaction that cost her ¥639,777, or about 12% of her brokerage account. When she noticed, she contacted Rakuten and was told to file a police report. However, her local police would not accept a criminal complaint because they said she wasn’t the victim — Rakuten Securities was. She said that Rakuten then told her that it wasn’t at fault and therefore could not help her.
Usually, the local police do not have the resources to go after cybercriminals, and companies expect subscribers or users to keep their accounts safe and secured to some degree. This illustrates a loophole that allows everyone to pass the blame. Asked what is being done to help her, the 41-year-old said, “The police told me that in most fraud cases, the victims often end up having to just quietly accept the loss.”
The government weighs in
Japan’s government has told brokerage houses to engage in discussions with clients about compensation for losses, Finance Minister Katsunobu Kato said on April 22, but what actually will be done has yet to be seen and it is unknown if anyone will be compensated for losses. The Japan Securities Dealers Association, the umbrella group for the country’s securities firms, is also pushing its members to upgrade their systems to make multi-factor authentication mandatory. The group’s chairman, Toshio Morita, criticized the failure to provide compensation for victims, while acknowledging that it was up to each firm to set their own policy.
Security experts have weighed in
According to Japan’s Financial Services Agency, cases of fraudulent trading jumped to 736 in the first half of April from 33 in February, but the agency has not reported how much the victims lost. This puts the government’s strategy of getting more people to invest at risk. An expansion of a tax exemption program for small investments spurred a 20% rise in Nippon Individual Savings Accounts as of the end of 2024 versus the previous year, according to the FSA. That momentum has slowed down and the government might not reach its target of having 34 million users in five years, according to Yusuke Maeyama, a researcher at NLI Research Institute.
Nobuhiro Tsuji, a cybersecurity expert at SB Technology, has indicated that the criminals behind the scams are likely using techniques called adversary-in-the-middle and infostealers to gain access to the accounts, according to . The first method leverages both fake and legitimate websites to steal cookies, the small text files stored in web browsers that hold session data. The attack typically begins by luring the user to a fake site via a phishing email or malicious ad. This fake site then redirects the user to the legitimate site, where their login credentials are intercepted. Infostealers are a type of malware specifically designed to steal sensitive information such as IDs and passwords. Hidden in emails, malicious ads, or fraudulent websites, these programs can infect a user’s device and silently exfiltrate all stored personal data — often without the user ever realizing they’ve been compromised. According to Macnica Security Research Center, there have been at least 105,000 cases of leaked credentials in Japan recently.
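An added example, not from the article or any broker's systems: one server-side check against the cookie theft described above, flagging sessions whose cookie is presented by a client other than the one that logged in and listing any buy orders placed that way. The log format, field names and sample lines are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample events (not real broker logs). Fields, space separated:
# time, session id, account, source IP, user agent, action, ticker.
SAMPLE_LOG = """\
2025-04-10T09:00:01 s-1001 acct-17 198.51.100.7 Firefox/125 login -
2025-04-10T09:00:40 s-1001 acct-17 198.51.100.7 Firefox/125 view -
2025-04-10T09:02:13 s-1001 acct-17 203.0.113.50 Chrome/123 view -
2025-04-10T09:02:30 s-1001 acct-17 203.0.113.50 Chrome/123 buy TICKER-A
2025-04-10T09:05:00 s-2002 acct-42 192.0.2.10 Safari/17 login -
2025-04-10T09:06:00 s-2002 acct-42 192.0.2.10 Safari/17 buy TICKER-B
"""


@dataclass(frozen=True)
class Finding:
    session: str
    account: str
    bound_client: tuple   # (ip, user agent) that performed the login
    replay_client: tuple  # first different client seen using the same cookie
    orders: tuple         # (time, ticker) buy orders placed by a mismatched client


def find_replayed_sessions(log_text):
    """Flag sessions whose cookie is used by a client other than the one it was issued to."""
    bound = {}  # session id -> client fingerprint recorded at login
    hits = {}   # session id -> details of the mismatch
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip malformed lines
        ts, sid, acct, ip, ua, action, symbol = fields
        client = (ip, ua)
        if action == "login":
            bound[sid] = client
            continue
        issued_to = bound.get(sid)
        if issued_to is None or client == issued_to:
            continue  # no login on record for this session, or same client
        hit = hits.setdefault(sid, {"account": acct, "bound": issued_to,
                                    "replay": client, "orders": []})
        if action == "buy":
            hit["orders"].append((ts, symbol))
    return [Finding(sid, h["account"], h["bound"], h["replay"], tuple(h["orders"]))
            for sid, h in hits.items()]
```

Legitimate users also change networks, so a mismatch is better treated as a trigger for re-authentication before an order is accepted than as proof of compromise. The check does not see an adversary-in-the-middle proxy that both performs the login and keeps using the session from the same host.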
Conclusion
A key takeaway from this news is to enable multi-factor authentication on all accounts, especially those related to finance, banking and securities trading. The other aspect is how the attackers gained access in the first place. It is very possible that spear phishing campaigns are actively being used to target the Japanese populace, since hackers know that people there are being guided to invest more. Being vigilant and aware of what is being clicked on and acted upon is more important now than ever. Security training, endpoint protection, and email filtering are all great options to educate and protect in this case. Another issue is that many individuals in Japan only want to use a computer browser instead of a mobile app to access their banking accounts. Using the platform’s mobile app would be another way to lower the attack footprint.
In summary:
Enable multi-factor authentication if offered by the broker.
Use direct links or bookmarks to access your brokerage company's site and never follow provided links or links found elsewhere.
Avoid clicking links in unsolicited emails or text messages.
Create strong, unique passwords and don't reuse them across accounts.
Use a password manager, but not a browser password manager.
Keep your software and security solutions up to date.
Never access financial accounts on public Wi-Fi or shared devices.
Report suspicious activity immediately to your brokerage company and police.