Cybercriminal Accumulated Millions by Breaching Executive Office365 Accounts, As Reported by Federal Authorities



### UK National Indicted in Multi-Million Dollar “Hack-to-Trade” Operation

In a noteworthy case that underscores the convergence of cybercrime and financial deceit, federal prosecutors have indicted a UK citizen, Robert B. Westbrook, for an alleged “hack-to-trade” operation. Westbrook is charged with unlawfully accessing the Office365 accounts of executives at publicly traded firms to acquire confidential financial data, which he then leveraged to execute profitable stock trades. The operation reportedly netted him around $3.75 million between 2019 and 2020.

The charges, initiated by the US Attorney’s Office for the District of New Jersey, encompass securities fraud, wire fraud, and computer fraud. Alongside the criminal allegations, the US Securities and Exchange Commission (SEC) has filed a civil lawsuit aimed at reclaiming Westbrook’s illicit earnings and imposing civil sanctions.

### The Operation: Hacking to Capitalize on Non-Public Information

Westbrook’s purported operation involved breaching the email accounts of executives at five publicly traded firms in the US. According to the federal indictment, he took advantage of the password reset functionality of Microsoft’s Office365 platform to gain unauthorized entry to these accounts. Once inside, he implemented auto-forwarding rules that redirected all incoming emails to an account he controlled, enabling him to track confidential conversations, including quarterly financial disclosures.

In one instance, Westbrook allegedly infiltrated the email account of a Director of Finance and Accounting at a firm, referred to as “Company-1,” in January 2019. The compromised account held non-public information that indicated a decline in the company’s sales. Equipped with this insider information, Westbrook managed to make informed stock trades before the news became public.

### Buy Low, Sell High: The Dynamics of the Fraud

With access to sensitive financial information, Westbrook could anticipate how a company’s stock would react once the data was disclosed. This insight permitted him to execute trades that profited from the expected market response.

For instance, when Westbrook predicted that a company’s stock would plummet due to dismal financial results, he purchased “put” options, which allow the holder to sell shares at a predetermined price within a specific timeframe. This tactic enabled him to profit when the stock value decreased after the adverse financial data was made public.

Conversely, when Westbrook predicted that a company’s stock would increase due to favorable financial performance, he acquired shares at a lower price prior to the announcement. After the stock price rose, he sold the shares for a profit.

### SEC’s Action: Advanced Analytics and Crypto Tracing

The SEC has been diligently working to safeguard markets and investors against cyber fraud, and this case reinforces the agency’s commitment to that endeavor. Jorge G. Tenreiro, acting chief of the SEC’s Crypto Assets and Cyber Unit, highlighted that despite Westbrook’s attempts to hide his identity—utilizing anonymous emails, VPN services, and cryptocurrency—the SEC’s advanced data analytics and tracing technology successfully uncovered the fraud.

“Despite Westbrook taking various precautions to hide his identity, the Commission’s advanced data analytics, crypto asset tracing, and technology can reveal fraud even in cases involving complex international hacking,” Tenreiro stated.

### Method of the Hack

The indictment does not provide specific information on how Westbrook managed to exploit the password reset feature of Office365. Typically, password resets necessitate access to a registered email account or control over a linked mobile phone number. Sometimes, users can reset passwords by answering security questions, a practice increasingly criticized for its susceptibility to exploitation.

Once Westbrook accessed the executives’ email accounts, he could mask his intrusion by disabling password reset notifications and burying forwarding rules deep within the account settings. This strategy allowed him to maintain access without raising alarms.
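The forwarding rules described above are created through mailbox operations that are recorded in the audit trail, which gives defenders a place to look. The Python below is an added example, not taken from the indictment or the original article. It scans constructed, simplified Microsoft 365 audit records for `New-InboxRule`, `Set-InboxRule` and `Set-Mailbox` operations that forward mail outside an assumed internal domain (`corp.example`); the record layout, addresses and IPs are illustrative.

```python
import json

# Exchange Online operations and parameters that can send a copy of mail elsewhere.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                  "ForwardingSmtpAddress"}

# Constructed sample records (one JSON object per line), simplified for illustration.
SAMPLE_LOG = """\
{"CreationTime":"2024-03-04T09:02:11","Operation":"New-InboxRule","UserId":"cfo@corp.example","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@mailbox.example"}]}
{"CreationTime":"2024-03-04T10:15:40","Operation":"Set-InboxRule","UserId":"hr@corp.example","ClientIP":"198.51.100.20","Parameters":[{"Name":"ForwardTo","Value":"assistant@corp.example"}]}
{"CreationTime":"2024-03-05T02:41:03","Operation":"Set-Mailbox","UserId":"fin.director@corp.example","ClientIP":"203.0.113.7","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:archive@webmail.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2024-03-05T02:44:19","Operation":"MailItemsAccessed","UserId":"fin.director@corp.example","ClientIP":"203.0.113.7","Parameters":[]}
"""

def external_targets(value, internal_domains):
    """Return addresses in a parameter value whose domain is not internal."""
    found = []
    for part in str(value).split(";"):          # several recipients may be listed
        addr = part.strip().strip('"').lower()
        if addr.startswith("smtp:"):
            addr = addr[5:]
        # Exact domain match only: subdomains must be listed explicitly.
        if "@" in addr and addr.rsplit("@", 1)[1] not in internal_domains:
            found.append(addr)
    return found

def find_external_forwarding(lines, internal_domains):
    """Return (time, mailbox owner, operation, external address) per finding."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue
        for param in rec.get("Parameters", []):
            if param.get("Name") not in FORWARD_PARAMS:
                continue
            for addr in external_targets(param.get("Value", ""), internal_domains):
                findings.append((rec["CreationTime"], rec["UserId"],
                                 rec["Operation"], addr))
    return findings

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_LOG.splitlines(), {"corp.example"}):
        print(finding)
```

Two of the four sample records are flagged: the inbox rule on the first mailbox and the mailbox-level forwarding on the third. The internal forward and the read-access event are ignored.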

### Legal Repercussions: A Long Journey Ahead

Westbrook faces a range of serious charges, each carrying severe penalties. The securities fraud charge alone could result in a maximum of 20 years in prison and a fine of up to $5 million. The wire fraud charge also has a maximum possible sentence of 20 years and a fine of either $250,000 or double the gain or loss from the offense, whichever is greater. Each of the five counts of computer fraud carries a maximum sentence of five years in prison and a fine of either $250,000 or twice the gain or loss from the offense.

As of now, it is uncertain whether Westbrook has made a preliminary court appearance or entered a plea. The US Attorney’s Office has not provided any further updates on his legal situation.

### Wider Implications: Cybersecurity and Insider Trading

This case serves as a stark reminder of the escalating threat posed by cybercrime within the financial sector. The capability to breach email accounts and access sensitive financial information significantly jeopardizes market integrity. It also underscores the necessity for robust cybersecurity measures, particularly for executives at publicly traded companies who