US charges hacker for breaching brokerage accounts, securities fraud

The U.S. Department of Justice (DoJ) has charged Idris Dayo Mustapha for a range of cybercrime activities that took place between 2011 and 2018, resulting in financial losses estimated to over $5,000,000.

Many of the victimized entities were U.S.-based financial institutions and brokerage firms that suffered direct system compromise from Mustapha and his co-conspirators, who performed unauthorized transactions using other peoples’ brokerage accounts.

The charged individual even had the audacity of flying from London to New York in 2015 to open a Bank of America account to be used for conducting unauthorized trading.

“The defendant was part of a nefarious group that caused millions of dollars in losses to victims by engaging in a litany of cybercrimes, including widespread hacking, fraud, taking control of victims’ securities brokerage accounts, and trading in the name of the victims,” stated U.S. Attorney Breon Peace.

Scheme overview

Starting in 2011, Mustapha and at least one Lithuanian co-conspirator engaged in various schemes to obtain unauthorized access to U.S.-based email servers that supported bank account and brokerage account access to customers.

By doing so, the hackers stole email account credentials (usernames and passwords) and then used them to log in to bank and brokerage platforms.

By accessing the email accounts, the threat actor was able to steal personal information and get acquainted with their communications and regular activities.

Next, Mustapha conducted social engineering against financial institution employees, requesting wire transfers to overseas bank accounts under his control.

In the case of the brokerage accounts, Mustapha accessed them directly and transferred amounts or the entire online securities to other firms and new accounts.

To bypass the imposed blocks that some of the firms placed as an anti-fraud measure, the aggressor fraudulently used the victims’ accounts to place unauthorized trades that benefited stocks under his control.

For this purpose, he frequently liquidated existing stock positions held by the stolen brokerage accounts, engaged in market price manipulation, and more.

Mustapha was eventually arrested in the United Kingdom in August 2021 after having caused a total amount of financial damages that surpassed $5,000,000.

He now faces ten counts, including wire fraud, aggravated identity theft, securities fraud, computer intrusion, access device fraud, etc. The minimum sentence for the above is two years and can go up to 20 years of prison time.

Currently, Mustapha is still in the United Kingdom, and the United States is seeking his extradition to be trialed in the District Court for the Eastern District of New York.