17-04-2025
Japanese online brokerage accounts hacked in growing scandal
A wave of unauthorized trading has hit online brokerage accounts in Japan, raising concerns that criminal groups may be using the hijacked accounts to manipulate stock prices.
The breach came to light in late March, when Rakuten Securities disclosed a series of account takeovers. Nomura Securities, SBI Securities and other firms have since confirmed similar incidents. According to the companies, the attackers used phishing schemes — creating websites posing as legitimate sites to steal user IDs and passwords — to impersonate customers and execute trades without their knowledge.
Initial reports indicate the attackers targeted mostly foreign stocks. Rakuten Securities temporarily suspended buy orders for select Chinese equities in response. But the impact has since spread to domestic stocks, with trading halted for some names amid suspicious activity.
Investigators believe the perpetrators bought up large volumes of low-priced, volatile stocks to artificially inflate their prices and then cashed out at a profit. If confirmed, such conduct could constitute market manipulation under the Financial Instruments and Exchange Act.
Brokerages are urging customers to stay vigilant as authorities step up monitoring.
'A significant number of stock prices have been tampered with — we can't ignore this,' said a source at the Securities and Exchange Surveillance Commission (SESC).
The source said more than 100 stocks may have seen irregular price movements. 'I don't recall seeing account takeovers on this scale before,' the person added.
Account hijacking may also fall under Japan's law prohibiting unauthorized access to computer systems. The SESC official emphasized the need to quickly identify those behind the attacks but acknowledged that 'it's difficult to do so through our investigation alone.' Cooperation with law enforcement 'may be necessary,' the person said. Police are currently gathering information.
To guard against further breaches, investors are being urged to stay cautious.
'Don't click on links in emails or SMS messages without thinking,' said a spokesperson from cybersecurity firm Trend Micro. 'Using official apps from each brokerage is also an effective way to protect yourself.'
Many Japanese investors are expressing confusion and frustration after discovering their brokerage accounts were hijacked.
One 36-year-old man, a company employee who had used Rakuten Securities for over a decade, lost about ¥2.1 million ($14,700) in the scheme. Although he reported the incident to police, his case wasn't accepted, leaving him wondering where to turn.
'I have no idea where to bring this,' he said. 'The criminals are doing whatever they want.'
The man had been carefully managing around ¥12 million in Japanese equities, setting the portfolio aside for marriage and retirement. He checked prices nearly every day.
But on the morning of March 20, he noticed something was off. All of his holdings had been sold just before the market closed the previous afternoon, and the proceeds were used to buy 200,000 shares of an unfamiliar Hong Kong-based AI company.
He immediately dumped the newly purchased stock, but by then, the damage was done — he was down over ¥2 million.
Rakuten has warned users about fake websites used in phishing attacks, but the man insists he never entered his password on any suspicious page.
When he contacted the police, he was told the brokerage — not the customer — is considered the legal victim in such cases, meaning he couldn't file a criminal complaint. He also learned it was unlikely the case would be pursued by law enforcement.
A Rakuten Securities spokesperson told reporters the company would continue to cooperate with police and assess each case individually.
Similar cases have been reported at other firms. A 35-year-old man using SBI Securities said his account was hijacked and used to purchase roughly ¥9.6 million in Chinese stocks without his knowledge.
Transaction logs revealed that someone had logged into his account from a region he doesn't live in. But SBI Securities told him he would not be eligible for compensation as long as the correct username and password had been used.
'That means even if their security system is flawed, they take no responsibility,' the man said. 'I can't accept that.'
Translated by The Japan Times
