Federal prosecutors have charged a person for an alleged “hack-to-trade” scheme that earned him hundreds of thousands of dollars by breaking into the Office365 accounts of executives at publicly traded corporations and obtaining quarterly financial reports before they were released publicly.
The motion, taken by the office of the US Attorney for the district of Recent Jersey, accuses UK national Robert B. Westbrook of earning roughly $3.75 million in 2019 and 2020 from stock trades that capitalized on the illicitly obtained information. After accessing it, prosecutors said, he executed stock trades. The advance notice allowed him to act and profit on the data before most of the people could. The US Securities and Exchange Commission filed a separate civil suit against Westbrook searching for an order that he pay civil penalties and return all ill-gotten gains.
Buy low, sell high
“The SEC is engaged in ongoing efforts to guard markets and investors from the implications of cyber fraud,” Jorge G. Tenreiro, acting chief of the SEC’s Crypto Assets and Cyber Unit, said in a statement. “As this case demonstrates, regardless that Westbrook took multiple steps to hide his identity—including using anonymous email accounts, VPN services, and utilizing bitcoin—the Commission’s advanced data analytics, crypto asset tracing, and technology can uncover fraud even in cases involving sophisticated international hacking.”
A federal indictment filed in US District Court for the District of Recent Jersey said that Westbrook broke into the e-mail accounts of executives from five publicly traded corporations within the US. He pulled off the breaches by abusing the password reset mechanism Microsoft offered for Office365 accounts. In some cases, Westbrook allegedly went on to create forwarding rules that routinely sent all incoming emails to an email address he controlled.
Prosecutors alleged in a single such incident:
On or about January 26, 2019, WESTBROOK gained unauthorized access to the Office365 email account of Company-1 ‘s Director of Finance and Accounting (“Individual-!”) through an unauthorized password reset. In the course of the intrusion, an auto-forwarding rule was implemented, which was designed to routinely forward content from lndividual-1 ‘s compromised email account to an email account controlled by WESTBROOK. On the time of the intrusion, the compromised email account of Individual-I contained non-public details about Company-1 ‘s quarterly earnings, which indicated that Company-1 ‘s sales were down.
Once an individual gains unauthorized access to an email account, it’s possible to hide the breach by disabling or deleting password reset alerts and burying password reset rules deep inside account settings.
Prosecutors didn’t say how the defendant managed to abuse the reset feature. Typically such mechanisms require control of a cellphone or registered email account belonging to the account holder. In 2019 and 2020 many online services would also allow users to reset passwords by answering security questions. The practice continues to be in use today but has been slowly falling out of favor because the risks have come to be more widely understood.
By obtaining material information, Westbrook was in a position to predict how an organization’s stock would perform once it became public. When results were prone to drive down stock prices, he would place “put” options, which give the purchaser the suitable to sell shares at a particular price inside a specified span of time. The practice allowed Westbrook to profit when shares fell after financial results became public. When positive results were prone to send stock prices higher, Westbrook allegedly bought shares while they were still low and later sold them for a better price.
The prosecutors charged Westbrook with one count each of securities fraud and wire fraud and five counts of computer fraud. The securities fraud count carries a maximum penalty of as much as 20 years’ prison time and $5 million in fines The wire fraud count carries a maximum penalty of as much as 20 years in prison and a nice of either $250,000 or twice the gain or loss from the offense, whichever is best. Each computer fraud count carries a maximum five years in prison and a maximum nice of either $250,000 or twice the gain or loss from the offense, whichever is best.
The US Attorney’s office within the District of Recent Jersey didn’t say if Westbrook has made an initial appearance in court or if he has entered a plea.