Security Experts:

Russian Charged in Brokerage Account Hacking Scheme

Hackers Allegedly Compromised, Liquidated Brokerage Accounts in $1 Million Trading Account Hacking, Securities Fraud Scheme

A Russian national living in New York has been charged with hacking into retail brokerage accounts and using his access to steal nearly a million dollars by executing sham trades.

According to the U.S. Attorney’s Office, Petr Murmylyuk, of Brooklyn, and others working with him compromised several accounts at Scottrade, E*Trade, Fidelity, Schwab, and other brokerage firms.

Once they had contro of the hacked accounts, they altered the phone numbers and email addresses associated with the accounts to prevent the owners from becoming wise to the breach. After that, the group used stolen identities to open additional accounts at various brokerage firms. From there, the compromised trading accounts were used to make unprofitable and illogical securities trades with the new accounts.

For example, in one scheme the criminals used victims’ accounts to sell options contracts to the profit accounts, and mere minutes afterward, purchased the same contracts for up to nine times the price. Another tactic was to use the profit accounts to make short sales of securities at prices well over market price and make irrational purchases through victim accounts.

Murmylyuk and a conspirator recruited foreign nationals visiting, studying, and living in the U.S. to open bank accounts in order to transfer the proceeds of the sham trades to them, where the stolen money could be later withdrawn. Fidelity, Scottrade, E*Trade, and Schwab have reported combined losses to date of approximately $1 million because of the scams.

If convicted, Murmylyuk faces a maximum potential penalty of five years in prison and a $250,000 fine.

In a related case, Daniyar Zhaxalyk, 25, who entered the United States from Kazakhstan on a student visa, pleaded guilty last week in Houston to one count of money laundering. Zhaxalyk admitted to laundering funds generated in a “sophisticated hack and dump” stock scam that caused more than $400,000 in losses. His actions were similar to those used by Murmylyuk.

At sentencing, Zhaxalyk will face a maximum penalty of 10 years in prison and a $250,000 fine.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.