Securities Trading Accounts Compromised; Further Attacks Expected


Starting in early 2025, a wave of illicit access to brokerage accounts produced thousands of unauthorized trades, dealing a serious blow to the value of many accounts. An IT journalist examines how it went down and why it blew up so quickly.

Market Manipulation Benefits Criminals

In March 2025, stories appeared in the news and social media of brokerage account holders discovering that their shares had been sold and replaced with unfamiliar ones, in an assumed hack. Japan’s Financial Services Agency says that it is aware of a total of 7,139 illegal financial transactions as of June, and that total proceeds from the illegal sale of securities reached ¥571 billion. This amount includes unauthorized sales of shares held in brokerage accounts—a serious state of affairs that has cost some investors most of their retirement savings.

Japanese brokerage accounts used to be considered safe. Even if someone managed to gain access to the account and sell the shares, he or she would still need to open a bank account in the name of the victim to withdraw the proceeds. There is no point in hacking someone’s brokerage account if you can’t access your ill-gotten gains.

The latest strategy gets around this. Using phishing (a technique where users are directed to fake websites indistinguishable from their legitimate counterparts) and malware (tools used to steal information from the victim’s computer), attackers obtained the login IDs, passwords, and PINs necessary to access brokerage accounts and trade securities.

How Hackers Attacked Brokerage Accounts

After logging into the victim’s account, the hackers sold the securities in it, receiving proceeds from the sale. Rather than withdrawing that money, however, the criminals used it to buy up large quantities of specific stocks, pushing up the price of those stocks. It appears that the hackers, having already invested in the same stocks themselves, then sold off their own portfolios to make a profit.

These attacks tend to target illiquid stocks that are only traded in small volumes. Trades of one such stock had averaged just tens of thousands of shares per day, but skyrocketed to 4.46 million and 3.31 million shares per day on March 26 and 27, causing price volatility. In the absence of any obvious bull case, the surge in value is believed to be the result of illegal manipulation.
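The pattern described above (holdings sold, proceeds concentrated in one thinly traded stock whose volume has surged) can be expressed as a monitoring rule. The following is an added example, not code from the article or from any brokerage; the accounts, tickers, trades and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real trades); tickers and accounts are hypothetical.
AVG_DAILY_VOLUME = {"ILLQ": 40_000, "BLUE": 9_000_000, "MEGA": 15_000_000}
DAY_VOLUME = {"ILLQ": 4_460_000, "BLUE": 9_400_000, "MEGA": 14_100_000}
TRADES = [  # (sequence, account, side, ticker, shares, price in yen)
    (1, "A-100", "SELL", "BLUE", 500, 3_000),
    (2, "A-100", "SELL", "MEGA", 300, 2_000),
    (3, "A-100", "BUY", "ILLQ", 20_000, 100),
    (4, "B-200", "SELL", "BLUE", 100, 3_000),
    (5, "B-200", "BUY", "MEGA", 150, 2_000),
    (6, "C-300", "BUY", "ILLQ", 1_000, 100),
]

def surging_tickers(avg, day, multiple=20):
    """Tickers whose volume today is at least `multiple` times their average."""
    return {t for t, v in day.items() if avg.get(t) and v >= multiple * avg[t]}

def flag_accounts(trades, avg, day, multiple=20, concentration=0.9):
    """Flag accounts that sold holdings and then put most of the proceeds
    into a single surging ticker. Both thresholds are assumptions."""
    hot = surging_tickers(avg, day, multiple)
    proceeds = defaultdict(float)                   # account -> value sold
    buys = defaultdict(lambda: defaultdict(float))  # account -> ticker -> value
    for _, acct, side, ticker, shares, price in sorted(trades):
        value = shares * price
        if side == "SELL":
            proceeds[acct] += value
        elif proceeds[acct] > 0:  # only count buys made after a sale
            buys[acct][ticker] += value
    flagged = {}
    for acct, by_ticker in buys.items():
        ticker, spent = max(by_ticker.items(), key=lambda kv: kv[1])
        total = sum(by_ticker.values())
        if (ticker in hot and spent / total >= concentration
                and spent >= concentration * proceeds[acct]):
            flagged[acct] = ticker
    return flagged

if __name__ == "__main__":
    print(flag_accounts(TRADES, AVG_DAILY_VOLUME, DAY_VOLUME))
```

Account C-300 buys the same surging stock without a preceding liquidation and is not flagged, which mirrors the article's point that ordinary investors also trade these stocks.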

Vulnerabilities Exploited

It was the deregulation of the Japanese finance industry (the “Financial Big Bang”) that heralded the launch of online share trading in the country. Operators rushed to join the online brokerage industry, with SoftBank (the predecessor of the SoftBank Group) and Sumitomo Bank (the predecessor of Sumitomo Mitsui Banking) founding their own brokerages in 1998 and 1999, respectively, through mergers with US corporations. While the industry experienced its share of hiccups, 25 years went by without any significant unlawful transactions of the type we are seeing now. So why the sudden increase?

The rise in cybercrime is as big an issue in Japan as it is elsewhere. According to the Japan Consumer Credit Association, a record ¥55.5 billion of credit card fraud was committed in 2024. The National Police Agency says that in 2024, wire fraud that targeted online banking resulted in the transfer of ¥8.69 billion, and that a similar level of fraud was seen the year before as well.

Hackers tend to target vulnerabilities. Brokerages (unlike their counterparts in the credit card and banking industries, which have worked to beef up security) operate with relatively low levels of security, and this is possibly the reason that they were targeted. One study found over 100,000 stolen credit card account records on the dark web. It is easy to see how the emergence of this latest technique, which targets brokerage accounts, has increased the value of stolen account information that had previously been ignored by criminals.

As is evident from the fact that multiple brokerages were hacked at the same time, this case was not one of hackers exploiting a vulnerability in a specific system. At the same time, it is doubtful that the brokerages ever dreamed that attackers would use phishing and malware to steal the account details of so many customers.

Warnings Having an Impact

While the latest scam started with Japan’s most popular brokerages—SBI Securities and Rakuten Securities—it later moved on to other operators, both large and small. Measures by brokerages to issue warnings and require additional login authentication saw the total volume of fraudulent transactions decrease from a peak of 2,932 in April to 2,329 in May and then 783 in June.

Because of the seriousness of the attacks, there is an increasing movement in the industry to compensate victims for losses. The NISA (Nippon Individual Savings Account) system had only just been overhauled in 2024. At a time when the public is increasingly turning from passive savings to more active investment, the securities industry appears to have placed priority on reassuring investors. There were also delays in rolling out additional authentication to some brokerage apps. The fact that securities companies were forced to admit certain failings was another reason that they took the extraordinary step of compensating for losses in these cases, something that, strictly speaking, is not required under the regulations.

Increasing Sophistication

One wonders who is responsible for these attacks. The fact that the hackers initially targeted Chinese stocks made some suspect involvement by overseas criminal groups based in China and elsewhere. However, unlike wire fraud, whose victims are limited to account holders in a closed environment, the securities market is home to a great many investors. Some of them would have profited unexpectedly when the stocks they happened to invest in suddenly skyrocketed in value. The brokerages therefore take the position that it is not possible to determine who intentionally ramped the share price for profit.

Developments in other industries also played a role. It takes significant linguistic ability for someone who is not a native speaker of Japanese to write the language naturally, something that in the past had long been the greatest defense against infiltration by overseas hackers. However, generative AI and other new tools have made it possible to create fake emails and websites whose sophistication amazes even major securities brokerages.

The unique nature of the brokerage industry was a factor, too. Demand from customers for simple login and ordering processes remains strong. Securities companies face a dilemma in that while higher hurdles, like two-factor authentication, improve security, they also make trading less convenient.

These companies’ call centers are currently overrun by account holders struggling with tougher security requirements. The issue of illicit transactions is not over. Users of trading sites now need to take a similar attitude if they are to protect their assets.

(Originally published in Japanese. Banner photo © Pixta.)
