Hack-to-Trade: The Robert Westbrook Case

Blog Market Abuse 16 Dec 2025

Conor Jones

Welcome to the next instalment in Data Intellect’s Market Misconduct Case Files series.

This week, we turn to a striking example of cyber-enabled insider trading: the alleged hack-to-trade operation carried out by Robert B. Westbrook, the UK citizen accused of hacking senior executives’ email accounts at multiple U.S. public companies to obtain material non-public information (MNPI). According to charges filed by the SEC in September last year, Westbrook took advantage of the illicitly-obtained MNPI to trade ahead of company earnings announcements, generating approximately $3.75 million in illicit profits.

The Alleged Wrongdoing

The SEC claims that Westbrook executed a sophisticated hacking scheme targeting Microsoft Office 365 environments used by senior executives at at least five U.S. public companies. Rather than relying on a single point of compromise, Westbrook combined credential harvesting, password-reset manipulation, MFA-bypass techniques, and inbox-rule persistence.

The conduct is alleged to have occurred between January 2019 and August 2020, during which Westbrook assembled an extensive toolkit to breach corporate accounts and conceal his identity:

  • VPN services purchased with Bitcoin: Westbrook allegedly used crypto-funded VPN subscriptions to mask his location. Forensic evidence has linked VPN log-ins to email forwarding events taking place within seconds of each other, with the same VPN IP also used to access anonymous email accounts receiving stolen MNPI.
  • Use of online directory and genealogy services: subscriptions to these services provided Westbrook with personal and family information that could be used to guess security questions for targeted executives, enabling Westbrook to reset the passwords for their email accounts.
  • CAPTCHA-solving services: four of the five target companies required CAPTCHA verification for password resets, and these tools supposedly helped Westbrook bypass those controls.
  • Acquisition of hacking resources online: Westbrook purchased multiple technical hacker manuals, a vulnerability scanner, and was in communication with online platforms known for distributing hacking software.


Using this toolkit, the SEC alleges that he:

  • Gained unauthorised access to executive email accounts by triggering password resets and successfully completing the reset process.
  • Created forwarding rules to anonymous accounts hosted by overseas providers less accessible to law enforcement.
  • Collected sensitive financial documents and traded ahead of at least 14 earnings announcements.
  • Generated $3.75 million in profit using the stolen MNPI by purchasing stocks and short-dated options ahead of key announcements, and then unwinding his positions immediately after the market reacted to the MNPI.

Case History

The SEC uncovered the scheme using advanced data analytics, crypto-asset tracing, and forensic cybersecurity techniques, ultimately identifying that Westbrook had accessed confidential earnings data belonging to multiple U.S. public companies. The investigators had to prove that the trading pattern was not coincidental, but instead directly tied to the hacked data. This required extensive analytics across the affected issuers’ earnings cycles, market data, and brokerage activity. Blockchain analysis was also needed to link pseudonymous activity back to identifiable entities, as some of the operational infrastructure was paid for or routed through cryptocurrency services. After tracing the digital intrusion activity and connecting it to trading patterns, U.S. authorities coordinated with UK law enforcement, leading to Westbrook’s arrest in London late last year and a demand for his extradition.

On 27 September 2024, the SEC filed its civil complaint in the U.S. District Court for the District of New Jersey. In parallel, the U.S. Attorney’s Office brought criminal charges, including securities fraud, wire fraud, and five counts of computer fraud. The potential penalties Westbrook faces are considerable:

  • Securities fraud: up to 20 years’ imprisonment and fines up to $5 million
  • Wire fraud: up to 20 years and substantial fines
  • Computer fraud: up to 5 years per count, with additional penalties linked to financial gain or loss

Following his arrest, Westbrook has attempted to contest extradition and hearings appear to be ongoing.  It seems likely, therefore, that this case will not reach its final conclusion for some time yet – potentially well into 2026 or 2027.  One to keep an eye on.

Data Intellect's view and takeaways

  • This is a fascinating example of cyber-enabled insider trading, rather than a traditional tip-based form of misconduct. It shows how hackers can weaponise easily-accessible digital tools to obtain MNPI “at scale”. In this instance, auto-forwarding rules configured on executive email accounts would have created a steady, automated supply of sensitive corporate information. Sprinkle in some AI, and the whole end-to-end process of insider trading could be automated using this approach.
  • Could internal surveillance teams at brokers have caught this? In short, it is too early to know. If the case ever goes to court it is likely that further details will then emerge as to the style of trades that Westbrook made and via what channels. Was his activity split, for example, across multiple brokerages? It seems very likely, given how much effort he went to in order to conceal his online identity. Certainly surveillance teams at brokers would not have visibility into whether their customers are sitting on hacked corporate emails and could not have pieced the whole picture together in the way that a regulatory body can. Investigators have subpoena power, cross-market visibility, access to breach notifications, and intelligence sharing with other agencies. Internal surveillance teams might catch unusual earnings-timed options bets, but only regulators can reliably correlate trading with cyber intrusion activity.
  • Sophisticated concealment still leaves traces visible to the SEC. The SEC’s crypto-tracing and behavioural-analytics capabilities now sit at the heart of cyber-enabled market-abuse investigations. The SEC’s Crypto Assets and Cyber Unit, rebranded in February 2025 as the Cyber and Emerging Technologies Unit (CETU), combines cyber-forensics capabilities and cross-market tools to investigate cyber-related misconduct, particularly frauds impacting retail investors.
  • The use of options trading for deliberate risk/reward optimisation serves as a reminder of the need for cross-product surveillance.  The use of options suggests Westbrook understood leverage and sought to maximise returns from the MNPI. By using short-dated options instead of stock, Westbrook could exploit the precise timing of the earnings information while minimising upfront cost and maximising the payoff.  Surveillance programmes seeking to identify this type of illicit activity need to analyse derivatives trading activity in relation to price movements in the underlying or related securities.
  • Email security and robust Identity and Access Management (IAM) frameworks are frontline controls. Robust multi-factor authentication, continuous monitoring of inbox rules, and governance around password reset portals are essential. Weak authentication processes and reliance on knowledge-based security questions increase vulnerability. The case also highlights that senior executives should avoid placing sensitive personal details, such as those pertaining to their family history, on publicly-accessible platforms, as this information can be weaponised to bypass identity checks or aid in targeted social-engineering attacks.
  • Finally, as AI-enabled tooling becomes ever more easy to obtain and combine, systematic insider trading and market abuse have the potential to become an endemic problem in the markets.
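As an added defender-side illustration (not code from the original post or from Data Intellect), the script below applies the "continuous monitoring of inbox rules" takeaway to a few constructed audit records: it flags rules that forward or redirect mail to external domains, and notes when such a rule also deletes the local copy or appears within minutes of a password reset on the same account. The record shape and field names are assumptions loosely modelled on Microsoft 365 audit exports, not a guaranteed schema.

```python
"""Flag inbox rules that forward mail outside the organisation.

Record shape (CreationTime / Operation / UserId / Parameters) is an
assumption loosely modelled on Microsoft 365 unified audit log exports.
"""
import json
from datetime import datetime, timedelta

# Constructed sample records: a password reset followed seconds later by an
# external auto-forward that hides its tracks, a benign move-to-folder rule,
# and an internal redirect that should not be flagged.
SAMPLE_LOG = """
{"CreationTime":"2019-06-03T08:14:02","Operation":"Reset user password.","UserId":"cfo@example-corp.com","Parameters":[]}
{"CreationTime":"2019-06-03T08:14:40","Operation":"New-InboxRule","UserId":"cfo@example-corp.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop.box@mail.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2019-06-03T09:00:00","Operation":"New-InboxRule","UserId":"ceo@example-corp.com","Parameters":[{"Name":"Name","Value":"Board"},{"Name":"MoveToFolder","Value":"Board"}]}
{"CreationTime":"2019-06-04T10:20:00","Operation":"Set-InboxRule","UserId":"coo@example-corp.com","Parameters":[{"Name":"Name","Value":"Cover"},{"Name":"RedirectTo","Value":"assistant@example-corp.com"}]}
"""

FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RULE_OPS = ("New-InboxRule", "Set-InboxRule")
RESET_WINDOW = timedelta(minutes=10)  # how close a reset must be to a new rule


def parse_records(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address, internal_domains):
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def find_suspicious_rules(records, internal_domains):
    """Return (user, rule name, reasons) for rules that leak mail externally."""
    resets = [(r["UserId"], datetime.fromisoformat(r["CreationTime"]))
              for r in records if r["Operation"] == "Reset user password."]
    findings = []
    for r in records:
        if r["Operation"] not in RULE_OPS:
            continue
        p = params(r)
        targets = [p[k] for k in FORWARD_KEYS
                   if k in p and is_external(p[k], internal_domains)]
        if not targets:
            continue
        reasons = ["forwards externally to " + ", ".join(targets)]
        if p.get("DeleteMessage", "False") == "True":
            reasons.append("deletes the forwarded copy")  # hides the leak
        when = datetime.fromisoformat(r["CreationTime"])
        if any(u == r["UserId"] and abs(when - t) <= RESET_WINDOW for u, t in resets):
            reasons.append("created within minutes of a password reset")
        findings.append((r["UserId"], p.get("Name", "?"), reasons))
    return findings


if __name__ == "__main__":
    for user, name, reasons in find_suspicious_rules(parse_records(SAMPLE_LOG), {"example-corp.com"}):
        print(f"{user}: rule {name!r}: " + "; ".join(reasons))
```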
