Fraud Management & Cybercrime , Incident & Breach Response , Managed Detection & Response (MDR)

Regulator: US Brokerage Accounts Hacked by UK Citizen

SEC Says Fraud Scheme Put $9 Million at Risk
Regulator: US Brokerage Accounts Hacked by UK Citizen

The U.S. Securities and Exchange Commission has obtained an emergency court order to freeze the assets of a British citizen who it has accused of hacking into brokerage accounts in the United States and abroad to manipulate and fraudulently profit from stock price fluctuations that he engineered.

See Also: What Mega Breaches Can Teach about Best Practices

On June 22, the SEC filed a complaint in the U.S. District Court in the Southern District of New York, alleging that Idris Dayo Mustapha "hacked into numerous accounts of U.S. customers of broker-dealers in and outside the U.S." He's been accused of violating federal security laws' anti-fraud provisions. The SEC says it's seeking permanent injunctions; return of allegedly ill-gotten gains, with interest; as well as financial penalties.

Mustapha's scheme earned him profits of at least $68,000, according to the SEC's complaint, and led to at least $289,000 in losses for the owners of the brokerage accounts into which he allegedly hacked.

Judge Alison J. Nathan granted the SEC's request to freeze approximately $100,000 in Mustapha's assets and ordered him to not destroy evidence. The SEC, in its complaint, says it's still gathering evidence related to how Mustapha allegedly hacked into victims' accounts.

The SEC, which enforces U.S. securities laws and oversees the nation's stock and options exchanges, cannot file criminal charges, but it can file complaints and refer cases to federal or state prosecutors.

Profits and losses via Mustapha's alleged short-selling scheme of the listed stock symbols. (Source: SEC complaint against Idris Dayo Mustapha.)

Where is Mustapha?

Authorities do not appear to know Mustapha's whereabouts; the government says it plans to issue a summons for him to appear in court via the email address used to register his brokerage account, as well as by delivering a letter to his brokerage firm, which it hopes will communicate the summons to him.

Between February and May, according to the complaint, Mustapha hacked into accounts owned by five customers of an unnamed U.S. brokerage firm, as well as four customers of two unnamed foreign brokerage firms.

The SEC says in its court filings that the allegations against Mustapha are the result of an "expedited investigation" and that it's continuing to analyze other profits in Mustapha's U.S. brokerage account to see if they tie to fraudulent activity.

The agency says the alleged fraud could be even more wide-reaching. "Mustapha used sophisticated and deceptive means to orchestrate the account intrusions and unauthorized trading, which constitute securities fraud," the SEC says in its complaint. "The commission has been able to link Mustapha to the account intrusions specifically identified in the complaint, but there is a substantial risk that he may be continuing his scheme through other brokerage accounts that the commission has not yet identified."

Anatomy of a Short-Selling Scheme

Mustapha is accused of hacking into one of the victim's accounts to increase the price of the stock of Lawson Products, trading as "LAWS," and then begin selling short the stock in his own brokerage account, according to the SEC's complaint. Short selling, or shorting, refers to selling shares that an individual doesn't own - but has been loaned by a brokerage - on the belief that the value of the stock will fall. After selling these shares and having the amount credited to their account, the trader later "closes" by buying the shares. If the price has fallen, they make a profit, while if it's risen, they must pay the difference.

"[One] way in which an investor can make a profit through a short sale is to engage in a fraudulent scheme intended to depress the stock price and then purchase the stock at the depressed price. That is what Mustapha did here," the SEC's complaint says.

Mark Albers, an SEC forensic accountant, details in a declaration to the court how a related series of May 17 trades, which occurred during the following U.S. Eastern times, unfolded:

  • 1:33:26 p.m. to 1:34:49 p.m.: Victim account - without accountholder's authorization - purchased LAWS shares at prices that began at $18.99 per share, increasing to up to $19.49 per share, and accounted for about 12,779 shares of the approximately 13,779 LAWS shares traded at that time.
  • 1:34:46 p.m. to 1:34:47 p.m.: Mustapha's brokerage account sold short at least 4,200 shares of LAWS stock at $19.49 per share.
  • 1:39:10 p.m. to 1:40:00 p.m. The victim account sold 8,000 shares of LAWS at prices that decreased from $19.05 to $18.71.
  • 1:41:20 p.m. to 1:41:24 p.m.: The Mustapha account purchased LAWS stock for about $18.75 per share.

As a result of the trades - which accounted for 78 percent of all LAWS shares traded that day - Albers says Mustapha's account profited $11,688 from the short selling, while the victim's account lost $48,218.

Daily trading volume for LAWS stock. (Source: SEC complaint against Idris Dayo Mustapha.)

"Mustapha accessed the [victim's] account ... on May 17, 2016, with an IP address that was an 'anonymizer,' or an anonymous proxy tool, to mask his true originating IP address," according to the SEC's complaint. The complaint doesn't detail how the SEC traced the anonymizer to Mustafa, but it suggests that the agency may have subpoenaed or otherwise obtained related records from the unnamed anonymous proxy service.

The same computer MAC address was used to access both Mustapha's brokerage account as well as many of the victim accounts, Albers says.

$9 Million Put at Risk

The nine victims of Mustapha's alleged trades that the SEC has identified to date collectively lost at least $289,400 as a result of unauthorized trades, which also put $9 million of the account holders' capital at risk, Albers says.

Between March 11 and May 13, 11 transfers - totaling $109,000 - were made from a brokerage account registered in Mustapha's full name to a U.S. bank account registered in his full name, Albers adds, noting that they appeared to be fraudulently obtained profits. Subsequently, $12,000 was transferred, and in late May, an attempt to also transfer $25,000 was made.

The SEC's related investigation is ongoing.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.