Hackers are hijacking Japanese trading accounts to pump penny stocks

Hackers are breaking into Japanese online brokerage accounts and using them to push up the prices of penny shares around the world, Japanese regulators and industry officials say. 

Police, brokers, and the Financial Services Agency (FSA) estimate that about ¥100 billion—roughly $710 million—has already been churned through these fraudulent trades, most of them in penny stocks.

The pattern is straightforward: thieves seize a client’s login, buy low-cap shares in Japan, the United States, or China, and lift the price high enough for earlier holders—often the hackers themselves—to cash out.

Worried that their platforms are being used as launchpads for the scams, several Japanese securities houses have halted new buy orders in certain small-cap names listed in China, the U.S. and at home.

Major brokers in Japan have confirmed the suspicious transactions from hackers

Eight of the country’s largest online brokers, among them Rakuten Securities Inc. and SBI Securities Co., have confirmed unauthorized transactions. The attackers’ success has turned Japan into a potential weak link in the defense of global markets, exposing holes in the nation’s cybersecurity practices just as the government is urging households to pour more retirement money into equities.

Victims say the experience is baffling and costly. Mai Mori, a 41-year-old part-time worker in Aichi Prefecture, discovered that her Rakuten retirement account had been used to buy Chinese shares worth ¥639,777—about twelve percent of her savings. She called Rakuten, which advised her to file a police report.

“The police told me that in most fraud cases, the victims often end up having to just quietly accept the loss,” Mori recalled. “Basically, there’s not much that can be done.”

Rakuten says it will “continue to examine each case individually and respond in good faith.” Rival SBI states that it is “listening to individual circumstances and responding promptly.” SMBC Nikko Securities Inc. adds that it reviews every complaint and “will consider individual responses.”

Not every victim is willing to go public. A Tokyo man in his mid-50s, who asked not to be named, says he lost about ¥50 million when his brokerage account was hijacked on the morning of April 16. An alert flashed on his iPhone, but when he rang the firm, he was told technicians could not freeze the account in time to stop the trades.

On April 22, Finance Minister Katsunobu Kato urged securities companies to hold “good-faith” talks with affected customers about reimbursing losses. So far, however, few investors have received compensation.

Cases of suspicious trading have been increasing in Japan

The scale of the problem is growing fast. According to the FSA, suspicious trading cases leapt to 736 in the first half of April from just 33 in February. Officials did not disclose the total amount stolen, but industry analysts warn that the surge threatens the government’s long-running campaign to shift household cash from bank deposits into investment accounts.

Cybersecurity specialists say the scammers probably rely on two techniques: “adversary-in-the-middle” attacks and infostealer malware.

In the first case, victims are lured to a phony webpage—often through a phishing email or a malicious online advertisement—that discreetly redirects them to the genuine brokerage site.

While the client types in a username and a one-time password, the attacker scoops up the session cookies and gains control of the account. Some fake sites display the real page alongside the counterfeit one, creating an illusion of authenticity.

A cultural preference for desktop browsers over mobile trading apps is another weakness, says Yutaka Sejiyama, deputy director at Macnica Security Research. Mobile apps tend to use stronger biometric checks and encrypted channels. “If people switched to apps, many of these thefts could have been stopped,” he argues.

By contrast, infostealers are small programs hidden in attachments, ads, or bogus links. Once inside a computer or phone, they sift through files and browsers for stored IDs and passwords and send the data to the attacker without the owner noticing.

Cryptopolitan Academy: Tired of market swings? Learn how DeFi can help you build steady passive income. Register Now