Adversaries Exploit Japanese Brokerage Accounts in $700M Stock Manipulation Spree
A new wave of cyberattacks is causing disruptions in Japan’s financial markets. Bad actors have compromised thousands of online brokerage accounts and used them to inflate the prices of low-volume stocks. The goal is to sell high, walk away richer, and leave everyday investors holding the bag.
Since February, more than $700 million in fraudulent trades have been linked to this scheme. The rapid rise in cases, from just 33 in February to 736 by mid-April, is straining trust in Japan’s financial system and slowing the country’s push to encourage a culture of long-term investing. Here’s a breakdown of what happened and effective mitigation strategies for organizations looking to protect themselves from similar threats.
How did the breach happen?
This isn’t a case of careless password reuse. The attackers behind this scheme are using more advanced techniques to break into accounts and stay undetected.
Adversary-in-the-Middle (AiTM) Attacks
Attackers lure users to a look-alike brokerage site that is really a reverse proxy: it forwards every request to the genuine brokerage and relays the response back, so the login, including any OTP or push approval, completes normally. In the middle, the proxy records the credentials and, more importantly, the session cookie the brokerage sets after login. Replaying that cookie puts the attacker inside an already-authenticated session, so no new login event, and no login alert, is generated.
This is the same attack pattern that phishing-as-a-service kits such as Darcula, Sneaky 2FA, and Rockstar 2FA package and sell for about $200, so it requires no custom tooling on the attacker's side.
Infostealer Malware
Delivered through phishing emails or malicious ads, infostealers quietly harvest what the browser has stored: saved passwords, session cookies, and autofill details. Once installed, they exfiltrate that data without alerting the victim, and a stolen cookie works exactly like one captured by an AiTM proxy: it is replayed to resume a session that has already passed MFA. Researchers have identified over 105,000 compromised credentials in Japan alone, indicating this tactic has been widely effective.
After gaining access, the adversaries executed a classic pump-and-dump operation. They used hijacked accounts to purchase low-volume domestic and international stocks, spiking demand and prices. Once inflated, the attackers sold their pre-held positions at a profit. Victims were left holding overpriced shares they never intended to buy. Some accounts were even used for margin trading, amplifying the financial damage.
What are effective mitigation strategies?
This spree of account takeovers was preventable. The financial services sector must adopt modern identity-first protections and raise the bar for account security.
Make phishing-resistant MFA mandatory
One-time passcodes (OTP), SMS codes, and push approvals are phishable: an AiTM proxy simply relays them to the real site in real time. Phishing-resistant factors such as device-bound passkeys (FIDO2/WebAuthn) close that path. The credential is scoped to the brokerage's own domain, and the signed assertion includes the origin the browser actually connected to, so an assertion produced on a look-alike domain fails verification at the real site; this is what verifier impersonation resistance means in practice. The private key never leaves the device, so there is nothing for a proxy to capture and nothing for a brute-force attack to guess. Brokerages should make such factors mandatory rather than optional. One caveat: this hardens the login step only. The session cookie issued after a successful login still needs protecting, through device binding and re-authentication for sensitive actions such as order placement, or an infostealer can sidestep the passkey entirely by stealing the cookie.
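To make the origin-binding argument concrete, here is an added example (not code from the original post or from Beyond Identity) of the relying-party checks a brokerage performs on a WebAuthn assertion, run against a legitimate login, an assertion relayed through an AiTM proxy, and a relayed assertion whose origin field the proxy tampered with. The relying-party id, domains, challenge bytes and device key are all constructed for the demo, and the real ECDSA/RSA device signature is stood in by HMAC-SHA256 over the same signed message layout (authenticatorData || SHA-256(clientDataJSON)).

```python
"""Minimal WebAuthn-style assertion verification showing why AiTM fails.

Added example; all identifiers below are constructed. The HMAC is a
stand-in for the device-bound private-key signature.
"""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "broker.example"                      # assumed relying-party id
EXPECTED_ORIGIN = "https://broker.example"    # assumed legitimate origin
DEVICE_KEY = secrets.token_bytes(32)          # stand-in for the device-bound key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_assertion(origin: str, challenge: bytes) -> dict:
    """What the browser + authenticator produce. The browser, not the user,
    fills in the origin it is actually talking to, and the authenticator
    embeds SHA-256(RP_ID) in authenticatorData."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": _b64url(challenge), "origin": origin},
        separators=(",", ":"),
    ).encode()
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + (1).to_bytes(4, "big")   # flags=UP, counter=1
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()  # stand-in signature
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party side: type, challenge, origin, rpIdHash, then signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if not hmac.compare_digest(_unb64url(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login() -> tuple[bool, str]:
    challenge = secrets.token_bytes(32)
    return verify_assertion(sign_assertion(EXPECTED_ORIGIN, challenge), challenge)


def aitm_relayed_login() -> tuple[bool, str]:
    """The proxy at broker-login.example (constructed) forwards the real
    challenge; the victim's browser signs with origin = the proxy's domain,
    so the relayed assertion fails at the real site."""
    challenge = secrets.token_bytes(32)
    return verify_assertion(sign_assertion("https://broker-login.example", challenge), challenge)


def tampered_relayed_login() -> tuple[bool, str]:
    """If the proxy rewrites the origin field, the signature no longer
    covers the clientDataJSON it forwards, so verification still fails."""
    challenge = secrets.token_bytes(32)
    a = sign_assertion("https://broker-login.example", challenge)
    cd = json.loads(a["clientDataJSON"])
    cd["origin"] = EXPECTED_ORIGIN
    a["clientDataJSON"] = json.dumps(cd, separators=(",", ":")).encode()
    return verify_assertion(a, challenge)


if __name__ == "__main__":
    print(legitimate_login(), aitm_relayed_login(), tampered_relayed_login())
```

In a real browser the relayed case never gets this far: a credential registered for broker.example cannot be exercised from broker-login.example at all, because that domain is not a valid relying party for it. The server-side checks are shown anyway so the two failure points, origin and signature, are visible.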
Adopt passwordless authentication
Removing the password removes the credential that AiTM kits and infostealers are built to harvest: there is no secret for a look-alike site to collect and no saved password for malware to lift from the browser. The user experience also improves, which can encourage use of brokerage accounts. What remains as a target is the authenticated session itself, which is why passwordless login should be paired with the session and device checks described below.
Adopt risk-based access controls
As this attack shows, a correctly entered password, or even a correctly entered OTP, only proves that someone holds those values; it does not prove that the account owner is the one making the request. Evaluating user and device posture in real time on every access request raises assurance that the request comes from an authorized user on a known, healthy device, and lets the brokerage deny or step up authentication when the signals do not match: a session cookie arriving from a device it was never issued to, a sudden change of network, or a trade order long after the last strong authentication. Secure-by-design IAM platforms make these checks continuous rather than a one-time event at login.
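The following is an added example (not code from the original post or from Beyond Identity) of a session-binding policy of the kind the preceding sections argue for: each request carries the session cookie plus device and network signals, and the policy denies and revokes when the cookie is replayed from a different device (the infostealer and AiTM case above), steps up when the network context or authentication freshness is off, and allows otherwise. All identifiers, thresholds and events are constructed; `device_id` stands for a device-bound identifier proven on each request (for example a key held in the device's TPM or Secure Enclave), not a User-Agent string, which an attacker can copy.

```python
"""Session-binding policy run over a constructed event stream (added example)."""
from dataclasses import dataclass, field

STEP_UP_MAX_AGE = 300          # seconds since last strong auth allowed for sensitive actions
SENSITIVE = {"place_order", "change_bank_account", "enable_margin"}


@dataclass
class Session:
    user: str
    device_id: str             # device-bound identifier recorded at issuance
    asn: int
    country: str
    last_strong_auth: int      # unix time of last passkey authentication
    revoked: bool = False


@dataclass
class Request:
    rid: int
    session_id: str
    ts: int
    action: str
    device_id: str
    asn: int
    country: str


@dataclass
class PolicyEngine:
    sessions: dict = field(default_factory=dict)

    def issue(self, sid, user, device_id, asn, country, ts):
        self.sessions[sid] = Session(user, device_id, asn, country, ts)

    def record_strong_auth(self, sid, ts):
        self.sessions[sid].last_strong_auth = ts

    def evaluate(self, req: Request) -> tuple[str, str]:
        s = self.sessions.get(req.session_id)
        if s is None or s.revoked:
            return "deny", "unknown or revoked session"
        # 1. Device binding: the cookie alone is not enough; the request must
        #    come from the device the session was issued to. A mismatch means
        #    the cookie was lifted (AiTM or infostealer), so kill the session.
        if req.device_id != s.device_id:
            s.revoked = True
            return "deny", "session replayed from a different device; session revoked"
        # 2. Network context: an ASN/country jump can be legitimate (travel,
        #    mobile hand-off), so demand a fresh passkey instead of denying.
        if (req.asn, req.country) != (s.asn, s.country):
            return "step_up", "network context changed since issuance"
        # 3. Sensitive actions need recent strong authentication regardless.
        if req.action in SENSITIVE and req.ts - s.last_strong_auth > STEP_UP_MAX_AGE:
            return "step_up", "sensitive action without recent strong auth"
        return "allow", "ok"


def run_replay_demo() -> list[tuple[int, str, str]]:
    """Constructed stream: the victim logs in at t=0 from their laptop; at
    t=60 an attacker replays the stolen cookie from a VPS in another ASN."""
    pe = PolicyEngine()
    pe.issue("sess-1", "alice", "dev-laptop-A", 2516, "JP", ts=0)
    events = [
        Request(1, "sess-1", 30, "view_portfolio", "dev-laptop-A", 2516, "JP"),
        Request(2, "sess-1", 45, "place_order", "dev-laptop-A", 2516, "JP"),
        Request(3, "sess-1", 60, "place_order", "dev-vps-Z", 14061, "NL"),    # stolen cookie
        Request(4, "sess-1", 70, "view_portfolio", "dev-laptop-A", 2516, "JP"),  # victim must re-login
    ]
    return [(r.rid, *pe.evaluate(r)) for r in events]


def run_step_up_demo() -> list[tuple[int, str, str]]:
    """Same device throughout: a network change and a stale strong auth both
    trigger step-up rather than denial, and a fresh passkey clears it."""
    pe = PolicyEngine()
    pe.issue("sess-2", "bob", "dev-phone-B", 2516, "JP", ts=0)
    out = []
    r1 = Request(1, "sess-2", 100, "view_portfolio", "dev-phone-B", 9605, "JP")  # switched to mobile carrier
    out.append((r1.rid, *pe.evaluate(r1)))
    pe.issue("sess-2", "bob", "dev-phone-B", 9605, "JP", ts=100)  # re-issued after passkey step-up
    r2 = Request(2, "sess-2", 500, "place_order", "dev-phone-B", 9605, "JP")     # 400 s since strong auth
    out.append((r2.rid, *pe.evaluate(r2)))
    pe.record_strong_auth("sess-2", 500)                          # passkey step-up completed
    r3 = Request(3, "sess-2", 501, "place_order", "dev-phone-B", 9605, "JP")
    out.append((r3.rid, *pe.evaluate(r3)))
    return out


if __name__ == "__main__":
    for row in run_replay_demo() + run_step_up_demo():
        print(row)
```

The ordering of the checks matters: device mismatch is evaluated first and is terminal, because a cookie presented from a device it was never issued to has no benign explanation, whereas a changed network only costs the legitimate user one passkey prompt.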
Conclusion
These weren’t isolated incidents. When adversaries manipulate public markets using compromised personal accounts, it creates systemic risk. This is a clear warning to every financial institution: if your identity infrastructure can’t stop unauthorized access, it won’t just cost your customers, it could move the markets.
Want to see how Beyond Identity helps financial platforms prevent account takeover at scale? Get a demo today.