Ravie Lakshmanan
Robert Westbrook, a 39-year-old London resident, has been charged with a massive hack-to-trade fraud scheme that allegedly brought him nearly $3.75 million in illegal profits. The U.S. Department of Justice (DoJ) arrested Westbrook last week, and he is expected to face extradition to the U.S. on multiple charges, including securities fraud, wire fraud, and computer fraud.
The indictment alleges that between January 2019 and May 2020, Westbrook gained unauthorized access to Microsoft 365 accounts belonging to corporate executives at U.S.-based companies. By accessing these accounts, he obtained insider information, including details about upcoming earnings announcements.
On at least five occasions, Westbrook used this confidential data to buy and sell securities for profit. According to court documents, he set up auto-forwarding rules on the executives’ accounts, which automatically sent sensitive information to email addresses controlled by him. This allowed Westbrook to use the insider knowledge to execute profitable trades.
The Securities and Exchange Commission (SEC) also identified that Westbrook reset the passwords of corporate executives’ accounts at five public companies, obtaining non-public information ahead of at least 14 earnings announcements. Despite his efforts to conceal his identity—using anonymous email accounts, VPNs, and even Bitcoin—authorities were able to track his activities through advanced analytics, crypto asset tracing, and other technologies.
Jorge G. Tenreiro, acting chief of the SEC’s Crypto Assets and Cyber Unit, commented, “Even though Westbrook took multiple steps to conceal his identity, our technology can uncover fraud, even in sophisticated international hacking cases.”
Westbrook faces severe penalties if convicted. The charge of securities fraud could result in a maximum sentence of 20 years in prison and a fine of up to $5 million. The wire fraud charges could add another 20-year sentence, with a fine of $250,000 or double the amount of the offense’s gain or loss. Each of the five counts of computer fraud carries a potential five-year prison sentence and a fine of either $250,000 or twice the gain or loss.
This case highlights the growing threat of cyber-based fraud and the importance of robust security measures for protecting sensitive financial information.