The Justice Department unsealed an indictment on Tuesday of a U.K. national accused of hacking into several brokerage firms and accounts, causing more than $5 million in losses.
The criminal complaint charges Idris Dayo Mustapha with a hacking campaign that spanned from 2011 and 2018 and involved attacks targeting email servers and computers belonging to U.S. financial institutions.
DOJ officials accused the 32-year-old — who was arrested in the United Kingdom in August 2021 — of hacking into victims’ securities brokerage accounts and either stealing money directly or placing unauthorized stock trades.
Breon Peace, U.S. attorney for the Eastern District of New York, said Mustapha was part of a larger group that “caused millions of dollars in losses to victims by engaging in a litany of cybercrimes, including widespread hacking, fraud, taking control of victims’ securities brokerage accounts, and trading in the name of the victims.”
The financial institutions are not named in the indictment. DOJ officials said Mustapha and his co-conspirators found a way to gain access to brokerage account login information before stealing money from the accounts.
At first, Mustapha and his co-conspirators allegedly began transferring money directly from victim accounts into their own accounts, but the financial institutions eventually began blocking the transfers.
The group then pivoted to accessing the victim accounts and making stock trades to help disguise their intentions. Mustapha eventually flew from the UK to New York to open an account at a U.S. financial institution in New Jersey.
The indictment includes messages Mustapha sent to other members of the group explicitly ordering them to make trades instead of simply transferring the funds to their accounts.
“Better to go trade up and down and not direct fraud wire,” he wrote in one message on April 16, 2016.
The group eventually transferred $104,000 from a brokerage account used to conduct the unauthorized trading to Mustapha’s U.S. bank account.
In another scam, the group allegedly used personal information to contact financial institutions through emails or phone calls and managed to wire funds from accounts to their own overseas accounts.
They successfully stole $50,000 from one victim in 2013 but failed in an attempt to transfer $225,000 from another account.
Mustapha is facing charges related to computer intrusion, securities fraud, money laundering, bank fraud and wire fraud. If convicted, he is facing up to 20 years in prison for each of the money laundering and wire and securities fraud charges as well as a mandatory two-year sentence for the charge of aggravated identity theft.
“Taking over victims’ email accounts and then stealing millions of dollars are just some of the crimes we allege Mustapha committed over the course of many years,” added the FBI’s Michael Driscoll.
U.S. officials are seeking his extradition from the U.K. In 2016, the SEC sued Mustapha for his hacking campaign and received an injunction to freeze some of the stolen assets.
“In one case, Mustapha allegedly hacked into a brokerage account and rapidly purchased shares at increasing prices and then profited by selling his own shares of the stock in his brokerage account. According to the complaint, Mustapha’s scheme made at least $68,000 in profits and caused losses in the victims’ accounts of at least $289,000,” the SEC said at the time.