British man arrested over hack-to-trade scheme using email password resets


A British man faces extradition to the US after hacking Office 365 email accounts of executives in order to gain inside information for stock trades.

The US Department of Justice said London-based Robert Westbrook began his hack-to-trade scheme in 2019 and ran it for at least a year until 2020. By using the information collected, he made $3.75 million, according to the US Securities and Exchange Commission (SEC). He has been arrested in the UK.

According to court filings, Westbrook accessed Office 365 email accounts of corporate executives, with an eye to viewing future earnings announcements, using that information to buy shares that he then sold on for profit after the companies' results were public.

The SEC said Westbrook targeted five public companies, accessing 14 earnings announcements before they were publicly released and using the information to purchase securities.

The companies haven't been named, but one was based in Florida, another in Arkansas, and three in California. Four are listed on the NYSE and one on the NASDAQ. Targets included chief financial officers, an associate controller, and a director of marketing.

"Westbrook gained unauthorized access into the Hacked Companies’ computer systems to obtain pre-release corporate earnings information—including draft earnings releases, press releases, and scripts—and then used that information to trade in the securities of the Hacked Companies in advance of their public earnings announcements," according to an SEC filing.

"Prior to these public earnings announcements, Westbrook established large and risky options positions in the Hacked Companies’ securities, and often sold out of those positions shortly after the public earnings announcements."

How the hack worked

Westbrook is accused of targeting five executives using a similar set of techniques, namely resetting their Microsoft Office 365 accounts by guessing the answers to their reset authentication questions, thereby gaining access to their email.

To help him answer those questions, Westbrook allegedly used a genealogy website, which he subscribed to using a VPN and Bitcoin to cover his tracks. Most of the targeted companies used the same system for password resets; it hasn't been named.

According to the DoJ, Westbrook is accused in some cases of using auto-forwarding tools to send emails from the hacked email accounts to his own. In one instance, he allegedly set emails to forward if they featured attachments or came from an accounting firm.

In one case, according to a court document, Westbrook is accused of accessing the Office 365 email of a company's director of finance, using auto forwarding to see quarterly earnings before they were public.

Two days before the results were announced — which included a decline in sales — Westbrook is accused of buying options that took advantage of that knowledge, making $322,781 when he sold two days later. Additionally, Westbrook is accused of reading a CFO's emails for more than a year, using the information gleaned for trading.

Despite the insider information, the court filing says Westbrook actually made a loss on four of the 14 trades following the earnings announcements.
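The mailbox auto-forwarding described above leaves a trace that defenders can search for. As an added example (not from the court filings or the original article), this Python script flags inbox-rule and mailbox changes that send mail outside the organisation; the record layout follows Exchange Online audit-log field names, while the sample records, addresses and internal-domain list are constructed assumptions.

```python
# Constructed records shaped like Exchange Online unified audit log entries
# (Operation / UserId / Parameters). All addresses are placeholders.
SAMPLE_AUDIT_LOG = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "HasAttachment", "Value": "True"},
        {"Name": "ForwardTo", "Value": "drop@mail.example.net"}]},
    {"Operation": "New-InboxRule", "UserId": "controller@example.com", "Parameters": [
        {"Name": "From", "Value": "partner@accounting.example.org"},
        {"Name": "RedirectTo", "Value": "drop@mail.example.net"}]},
    {"Operation": "Set-InboxRule", "UserId": "director@example.com", "Parameters": [
        {"Name": "ForwardTo", "Value": "assistant@example.com"}]},
    {"Operation": "Set-Mailbox", "UserId": "finance@example.com", "Parameters": [
        {"Name": "ForwardingSmtpAddress", "Value": "smtp:Archive@Example.NET"}]},
    {"Operation": "MailItemsAccessed", "UserId": "cfo@example.com", "Parameters": []},
]

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's accepted domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
CONDITION_PARAMS = ("HasAttachment", "From", "FromAddressContainsWords", "SubjectContainsWords")

def external_targets(value):
    """Return the addresses in a forwarding parameter that leave the tenant."""
    found = []
    for addr in value.lower().replace("smtp:", "").split(";"):
        addr = addr.strip()
        if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            found.append(addr)
    return found

def find_external_forwarding(records):
    """Flag rule or mailbox changes that send mail to an outside address."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = sorted(t for n in FORWARD_PARAMS if n in params
                         for t in external_targets(params[n]))
        if targets:
            findings.append({"user": rec["UserId"], "operation": rec["Operation"],
                             "targets": targets,
                             "conditions": {k: params[k] for k in CONDITION_PARAMS if k in params}})
    return findings

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_AUDIT_LOG):
        print(finding)
```

The `conditions` field in each finding surfaces narrowly scoped rules, such as those matching only attachments or a single sender, which are easy to overlook in a mailbox review.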

"The SEC is engaged in ongoing efforts to protect markets and investors from the consequences of cyber fraud," said Jorge G. Tenreiro, Acting Chief of the SEC’s Crypto Assets and Cyber Unit, in a statement.

"As this case demonstrates, even though Westbrook took multiple steps to conceal his identity – including using anonymous email accounts, VPN services, and utilizing bitcoin – the Commission’s advanced data analytics, crypto asset tracing, and technology can uncover fraud even in cases involving sophisticated international hacking."

If Westbrook is extradited and found guilty, he faces a maximum penalty of 20 years in prison and a fine of $5 million for securities fraud, while the hacking aspect means he faces an additional 20 years in prison and a fine of either $250,000 or twice the gain or loss from the offense, whichever is larger.

Individual computer fraud counts carry up to five years in prison as well. Westbrook also faces a civil complaint from the SEC.