A 39-year-old U.K. resident has been arrested and charged with operating a hack-to-trade fraud, which generated millions of dollars by hacking Microsoft Office 365 email accounts. The alleged hacker, Robert Westbrook, a London resident, was arrested in the U.K. “with a view towards extradition to the United States” where he faces charges of securities fraud, wire fraud and five counts of computer fraud.
The Charges Against The London-Based Office 365 Hacker
According to a statement published by Philip R. Sellinger, through the U.S. Attorney’s Office, District of New Jersey, Westbrook is alleged to have gained unauthorized access to Microsoft Office 365 email accounts on at least five occasions between January 2019 and May 2020. These accounts are said to have belonged to corporate executives which gave the hacker access to confidential information regarding not yet public earnings announcements. This information was then used, the indictment said, to “execute profitable securities transactions on the NYSE and NASDAQ exchanges.”
In other words, the hacker is said to have purchased securities using confidential earnings information that were then quickly sold after the earnings data was made public. According to the New Jersey Attorney’s Office, Westbrook is thought to have made substantial profits, more than $3 million in total.
How The Hacker Compromised Office 365 Email Account
Although full details of how the alleged hacker managed to compromise the Microsoft Office 365 accounts of the five executives haven’t been made public at this point, there are plenty of clues that this was most likely a targeted phishing or spoofing attack against them in the first place. The first clue is that Westbrook reset the passwords of the senior-level executives’ accounts, according to a statement published by the U.S. Securities and Exchange Commission. “Westbrook took multiple steps to conceal his identity,” Jorge G. Tenreiro, acting chief of the SEC’s Crypto Assets and Cyber Unit, said, “including using anonymous email accounts, VPN services, and utilizing bitcoin.”
The New Jersey Attorney’s Office also said that, on several occasions, the hacker “implemented auto-forwarding rules designed to automatically forward content from the corporate executives’ compromised email accounts to email accounts controlled by Westbrook.”
Office 365 Email Hacker Faces $5 Million Fine And 20 Years In Prison
If successfully extradited from the U.K. and found guilty of the charges of securities fraud, Westbrook faces a maximum penalty of up to 20 years of jail time and a fine of $5 million. The wire fraud charge also carries a 20-year prison term, with a fine of up to $250,000. The lesser computer fraud charges bring a potential five-year prison term and fines of $250,000. Both of the $250,000 fines could be substantially higher as the charges allow for the fine to be twice the profit made from the offense, estimated at $3 million.
However, it is important to remember that the charges and allegations in the indictment are just that, accusations, at this moment in time. The defendant is presumed innocent unless and until proven guilty in a court of law.
I have reached out to Microsoft for a statement.