Insider trading can generate millionaire profits for criminals
Network security and ethical hacking experts from the International Institute of Cyber Security report that the U.S. Securities and Exchange Commission (SEC) has accused seven people and two organizations of integrating an international fraud scheme that achieved hack the SEC documentation system, stealing non-public corporate information in order to illegally generate profits through insider trading.
In addition, the U.S. Attorney General Office recently issued a criminal indictment against two Ukrainian individuals, accusing them of crimes such as electronic fraud, securities fraud, and computer fraud, among others.
The SEC accuses a Ukrainian man of performing hacking activities to implement a fraud scheme in order to steal and misuse insider information during the year 2016, in complicity with six individuals and two organizations in California, Ukraine and Russia.
The defendant, called Oleksandr Ieremenko, would have hacked the SEC’s electronic document system known as EDGAR, which processes about two million documents a year. The Commission claims that Ieremenko managed to bypass the system’s authentication controls. Artem Radchenko, another Ukrainian citizen, is also named in the indictment to collaborate with Ieremenko, also mentioning the participation of other accomplices not yet identified.
“The defendant allegedly organized sophisticated hacking campaigns to steal SEC confidential information, in a clear intrusion against market integrity and legitimate competition”, mentioned experts in network security. On the other hand, the U.S. Department of Justice (DOJ) issued a statement mentioning that “those who attack our financial markets to make gains illegitimately will be persecuted and prosecuted, regardless of their place of residence”.
EDGAR: The compromised system
Hackers would have accessed non-public “test files” that companies upload in this SEC system before they are publicly disclosed. Subsequently, the attackers sold this information to third parties, beginning in the mid-2016, as the Commission mentions.
“Some of these test files included reports on corporate earnings, as well as other data that were not yet publicly disclosed”, says the SEC complaint. “Stolen information would subsequently have been sold to third parties to perform profitable securities operations with prior knowledge of insider information”.
In the criminal complaint, the SEC describes how this hacking group operates:
- ‘Public Company 1’ uploads its second quarter earnings report to the EDGAR system on May 19, 2016, at 3:32 P.M.
- About five minutes later, hackers steal this information and load a copy to a server in Lithuania
- Between 3:42 P.M. and 3:59 P.M., one of the accomplices buys about $2.4M USD in ‘Public Company 1’ shares
- At 4:02 P.M., ‘Public Company 1’ publishes its second quarter earnings report and announces that, according to its expectations, it will generate record earnings in 2016
- The next day, the accomplices sell all the shares they acquired from ‘Public Company 1’, earning a profit of over $270k USD in less than 24 hours
Network security experts collaborating with the SEC discovered these intrusions and law enforcement agencies in the United States started the investigation process and denounced the perpetrators.