Full Program »
On the Feasibility of Automating Stock Market Manipulation
This work presents the first findings and analysis on the feasibility of using botnets to automate stock market manipulation. To this end, we collect and analyze our own data, spanning case files, security surveys of online brokerages, and dark web marketplace listings. We are the first to address the technical challenges faced by our modeled criminal, including how to adapt existing techniques for automation, the cost of hijacking brokerage accounts, avoiding detection, and more. We consolidate our findings into a working proof-of-concept, man-in-the-browser malware, Bot2Stock, capable of controlling victim email and brokerage accounts to commit fraud.
We evaluate our bots and protocol using agent-based market simulations, where we find that a 1.5% ratio of bots to benign traders yields a 2.8% return on investment (ROI) per attack. Given the short duration of each attack (<1 minute), achieving this ratio is trivial, requiring only 4 bots to target stocks like IBM. 1,000 bots, cumulatively gathered over 1 year with no single bot being controlled for more than a day, can turn $100,000 into $1,022,000, placing Bot2Stock on par with existing botnet scams. This projected profit margin is also consistent with real-world, human-driven scams uncovered by the U.S. Securities and Exchange Commission. Our dark web scraper observed 1,005 suitable stolen Charles Schwab accounts sold in a 3-month period on 1 marketplace, demonstrating the feasibility of gathering 1,000 bots over a yearlong campaign.