Cybercrime in Japan’s Retail Brokerage: Phishing and Market Manipulation Uncovered

Blog Market Abuse 12 Feb 2026

Conor Jones

Welcome to the next instalment in Data Intellect’s Market Misconduct Case Files series.

This week, we look at cybercrime activity within Japan’s retail brokerage sector, where a coordinated campaign compromised thousands of investor accounts and triggered hundreds of millions of dollars in unauthorised trades. Japan’s Financial Services Agency (FSA) issued urgent warnings, disclosed sector‑wide incident figures, and pressed firms toward customer remediation, while industry groups moved to tighten authentication controls. The episode is now regarded as one of Japan’s most significant financial‑sector cyber incidents, with implications for market integrity and the country’s household‑investing push.

The Alleged Wrongdoing

According to the FSA, this surge in cybercrime was largely due to phishing campaigns using fake websites mimicking legitimate securities firms. Once investors were lured, the hackers:

  • Captured login IDs and passwords to access trading accounts;
  • Sold existing holdings in the victims’ accounts; and
  • Bought low‑priced illiquid foreign equities; in many early reports these were Chinese small‑cap stocks.

In addition to phishing, some investors were exposed to malware infections that siphoned credentials silently until fraudulent transactions occurred.

It is alleged that the trades executed via hijacked accounts were used to inflate prices in thinly‑traded names, creating exit liquidity for positions established elsewhere: market manipulation enabled by cyber intrusion.

The FSA’s initial briefings highlighted purchases of Chinese stocks, but subsequent advisories removed the country reference, focusing instead on the small‑cap/illiquid profile. This matters for surveillance patterning across venues and jurisdictions.

How It Unfolded

February–March 2025 — the spike begins.

Multiple online brokers reported compromised accounts. By March, investors were finding unrecognised trades, including large purchases of low‑priced foreign stocks and forced sales of domestic holdings. Attempted unauthorised logins surged month‑on‑month (from double‑digits in Jan/Feb) into the thousands by March.

April 2025 — first FSA snapshot.

In an urgent warning, the FSA reported a sharp increase in unauthorised access/trading via online services. As of 16 April, 12 securities firms had reported fraudulent activity, with ~$350m in fraudulent sales and ~$315m in purchases.

Mid‑ to late April — containment kicks in.

To blunt the manipulation emerging from hijacked retail accounts, several brokers applied symbol‑level throttles, stopping buy orders in selected Chinese, U.S. and domestic small‑caps; in parallel, the Japan Exchange Group (JPX) intensified surveillance of unauthorised transactions, tightening the market’s first line of defence.

Japan’s government signalled expectations for victim compensation, with the Finance Minister calling for “good‑faith” engagement with clients, reinforcing the FSA’s investor‑protection stance.

The Japan Securities Dealers Association (JSDA) urged members to upgrade systems and mandate multi‑factor authentication (MFA) to raise the baseline of account protection, complementing the FSA’s warnings.

End‑April / Early May update — the denominator grows.

By end‑April, totals had escalated to ~¥305bn in unauthorised trades (≈$2.0bn), with 3,505 illicit transactions and 6,380 cases of unauthorised access logged for Jan–Apr (figures cited by the Minister of State for Financial Services and reported by major outlets).

November 2025 — potential suspects.

Two suspects were arrested in relation to a series of cases in which accounts at online securities firms were hijacked and used to manipulate stocks. According to the arrest warrant, they fraudulently accessed 10 securities accounts on 17 March 2025, less than 1% of the 6,380 cases logged between January and April.

It’s likely that there is a lot more that will hit the public domain in relation to this, as investigations are clearly ongoing. We will come back to this in a later instalment.

Data Intellect's View and Takeaways

  • Credential compromise can be weaponised to generate coordinated buying pressure in illiquid names, turning cyber intrusion directly into market manipulation. The FSA’s warnings and data reinforce that phishing/malware are market‑conduct threats once coupled with real‑time trading access.
  • The FSA publicly set the expectation that brokerages cover customer losses, while JSDA pushed toward mandatory MFA. Firms that lag on MFA/session security face conduct risk and supervisory pressure.
  • With 6,380 unauthorised accesses and 3,505 illicit trades across Jan–Apr, the case argues for standardised, cross‑industry action: shared threat indicators, rapid phishing‑site takedown, and behavioural analytics tuned to sell‑then‑buy‑foreign patterns.
  • Broker SOC/Surveillance should be able to halt buy‑side activity in selected symbols within minutes when compromise is suspected. During the crisis, several Japanese brokers temporarily restricted buy orders in certain overseas and domestic small‑caps, signalling the operational feasibility of symbol‑level brakes. Bake that “kill‑switch” into incident playbooks.
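
The sell‑then‑buy‑foreign behavioural check and the symbol‑level brake from the takeaways above, sketched as an added example (not Data Intellect's or any broker's code). The order records, symbol names and all thresholds are constructed assumptions, chosen only to make the logic visible.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample order log (not real data): time, account, side, symbol,
# foreign listing?, price, average daily volume (ADV) in shares.
ORDERS = [
    ("2025-03-17T09:01", "A1", "SELL", "DOM1", False, 2500.0, 4_000_000),
    ("2025-03-17T09:03", "A1", "SELL", "DOM2", False, 1800.0, 2_500_000),
    ("2025-03-17T09:06", "A1", "BUY", "FRN9", True, 0.42, 90_000),
    ("2025-03-17T09:10", "A2", "SELL", "DOM3", False, 3100.0, 5_000_000),
    ("2025-03-17T09:12", "A2", "BUY", "FRN9", True, 0.45, 90_000),
    ("2025-03-17T09:20", "A3", "SELL", "DOM1", False, 2490.0, 4_000_000),
    ("2025-03-17T09:45", "A3", "BUY", "USBIG", True, 180.0, 30_000_000),
    ("2025-03-17T10:00", "A4", "BUY", "FRN9", True, 0.47, 90_000),
]

WINDOW = timedelta(minutes=30)  # assumed: max gap between a sell and the buy
MAX_PRICE = 5.0                 # assumed "low-priced" cut-off
MAX_ADV = 500_000               # assumed "illiquid" cut-off, shares per day
MIN_ACCOUNTS = 2                # assumed: flagged accounts needed per symbol

def flag_sell_then_buy(orders):
    """Return {account: symbol} where a sell is followed, within WINDOW,
    by a buy of a low-priced, illiquid foreign symbol."""
    last_sell, hits = {}, {}
    for ts, acct, side, sym, foreign, price, adv in sorted(orders):
        t = datetime.fromisoformat(ts)
        if side == "SELL":
            last_sell[acct] = t
        elif (side == "BUY" and foreign and price <= MAX_PRICE and adv <= MAX_ADV
              and acct in last_sell and t - last_sell[acct] <= WINDOW):
            hits[acct] = sym
    return hits

def symbols_to_throttle(hits):
    """Symbols bought by MIN_ACCOUNTS or more flagged accounts: candidates
    for a buy-side halt, pending analyst review."""
    by_symbol = defaultdict(set)
    for acct, sym in hits.items():
        by_symbol[sym].add(acct)
    return sorted(s for s, accts in by_symbol.items() if len(accts) >= MIN_ACCOUNTS)

if __name__ == "__main__":
    hits = flag_sell_then_buy(ORDERS)
    print(hits, symbols_to_throttle(hits))
```

Account A3 (liquidation followed by a liquid large‑cap purchase) and A4 (a buy with no preceding sell) are left unflagged, which is the point of combining the sequence with the price and liquidity filters rather than alerting on either alone.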
