A British man has been charged in New York with unauthorized computer intrusion, securities fraud, wire fraud and other crimes, causing more than $5m of losses.
According to a 10-count complaint made public yesterday, Idris Dayo Mustapha, 32, a UK citizen, and others used phishing and other means to obtain user credentials from January 2011 to March 2018.
The complaint revealed that Mustapha gained access to US-based computers, including email servers and computers belonging to US financial institutions, to steal money from online bank accounts and securities brokerage accounts.
Mustapha was arrested in the UK in August 2021, and the US is seeking his extradition to the Eastern District of New York.
Breon Peace, United States Attorney for the Eastern District of New York, and Michael J. Driscoll, assistant director-in-charge of FBI's New York Field Office, announced the charges:
“As alleged in the complaint, the defendant was part of a nefarious group that caused millions of dollars in losses to victims by engaging in a litany of cybercrimes, including widespread hacking, fraud, taking control of victims’ securities brokerage accounts, and trading in the name of the victims,” stated United States Attorney Peace. “Protecting residents of the Eastern District and financial institutions from cyber-criminals is a priority of this Office," he added.
The complaint said that once financial institutions began to block those unauthorized transfers, Mustapha and his co-conspirators accessed other victims’ brokerage accounts and placed unauthorized stock trades within those accounts while simultaneously trading profitably in the same stocks from accounts they controlled.
If convicted, Mustapha faces up to 20 years in prison on each of various wire fraud, securities fraud and money laundering charges and a mandatory two-year sentence for aggravated identity theft.
Commenting on the story, Jake Moore, global cybersecurity advisor at ESET, said: “Digital bank robberies are extremely rare but impressively lucrative should they pay off. When banks are targeted it is often thought they won’t be successful but this highlights the persistence of cyber-criminals and what extents they will go to exploit any opportunity. Phishing is still the main attack vector and remains vulnerable on many levels. The human element within email manipulation clearly shows that we are still in a time where all staff need to be extra vigilant and cautious of every email.”