Office 365 hacked and manager emails used for insider trading

Some time ago, a Brit figured out how to gain access to the Office365 accounts of managers at various companies. He used this to obtain confidential information, which he misused for insider trading in stocks.

Quarterly reports in advance

US prosecutors have now brought charges against the man over an alleged “hack-to-trade” plan. The accused is said to have gained access to, among other things, quarterly reports by breaking into Office 365 accounts of executives of listed companies before they were made public, the US magazine reported Ars Technica citing the authorities.

He then used this inside information to make stock trades that earned him a profit of around $3.75 million between 2019 and 2020. The United States District Attorney’s Office of New Jersey has now filed criminal charges. And the US Securities and Exchange Commission (SEC) is also taking civil action against the man in order to skim off the ill-gotten gains.

According to the SEC, the defendant took various measures to conceal his identity, including using anonymous email accounts, VPN services and Bitcoin. Despite these precautions, the agency’s investigators managed to uncover the illegal activity using advanced data analysis and cryptocurrency tracing.

Five companies affected

The indictment describes how the man found a way to break into the email accounts of executives at five US companies using the password reset function of Microsoft’s Office 365. He is said to have set up automatic forwarding rules there to forward all incoming emails to an account he controls.

In this way, he received non-public information about companies’ quarterly results and was able to predict how their share prices would develop after publication. The defendant has now been charged with several counts of securities fraud, fraud and computer fraud.

The penalties could be drastic: Securities fraud and fraud could each be punishable by up to 20 years in prison and fines of up to $5 million. Each count of computer fraud could also carry a penalty of up to five years in prison and a fine of up to $250,000.