Insider trading can generate millionaire profits for criminals
Network security and ethical hacking experts
from the International Institute of Cyber Security report that the U.S. Securities and Exchange Commission
(SEC) has accused seven people and two organizations of integrating an
international fraud scheme that achieved hack the SEC documentation system,
stealing non-public corporate information in order to illegally generate profits
through insider trading.
In addition, the U.S. Attorney General Office
recently issued a criminal indictment against two Ukrainian individuals, accusing
them of crimes such as electronic fraud, securities fraud, and computer fraud,
among others.
The SEC accuses a Ukrainian man of performing
hacking activities to implement a fraud scheme in order to steal and misuse
insider information during the year 2016, in complicity with six individuals
and two organizations in California, Ukraine and Russia.
The defendant, called Oleksandr Ieremenko, would have hacked the SEC’s electronic
document system known as EDGAR, which processes about two million documents a
year. The Commission claims that Ieremenko managed to bypass the system’s
authentication controls. Artem Radchenko,
another Ukrainian citizen, is also named in the indictment to collaborate with
Ieremenko, also mentioning the participation of other accomplices not yet
identified.
“The defendant allegedly organized
sophisticated hacking campaigns to steal SEC confidential information, in a
clear intrusion against market integrity and legitimate competition”, mentioned
experts in network security. On the other hand, the U.S. Department of Justice (DOJ) issued a
statement mentioning that “those who attack our financial markets to make gains
illegitimately will be persecuted and prosecuted, regardless of their place of
residence”.
EDGAR: The compromised
system
Hackers would have accessed non-public
“test files” that companies upload in this SEC system before they are
publicly disclosed. Subsequently, the attackers sold this information to third
parties, beginning in the mid-2016, as the Commission mentions.
“Some of these test files included reports on
corporate earnings, as well as other data that were not yet publicly disclosed”,
says the SEC complaint. “Stolen information would subsequently have been sold
to third parties to perform profitable securities operations with prior knowledge
of insider information”.
In the criminal complaint, the SEC describes
how this hacking group operates:
- ‘Public
Company 1’ uploads its second quarter earnings report to the EDGAR system on
May 19, 2016, at 3:32 P.M. - About
five minutes later, hackers steal this information and load a copy to a server
in Lithuania - Between
3:42 P.M. and 3:59 P.M., one of the accomplices buys about $2.4M USD in ‘Public
Company 1’ shares - At
4:02 P.M., ‘Public Company 1’ publishes its second quarter earnings report and
announces that, according to its expectations, it will generate record earnings
in 2016 - The
next day, the accomplices sell all the shares they acquired from ‘Public
Company 1’, earning a profit of over $270k USD in less than 24 hours
Network security experts collaborating with the
SEC discovered these intrusions and law enforcement agencies in the United
States started the investigation process and denounced the perpetrators.
