32 hackers and traders charged with $100m in “insider trading” using stolen press releases

Share price image courtesy of Shutterstock

What a difference half an hour can make!

When a publicly-traded company announces to the world that it isn’t going to meet its earnings forecast, its share price usually goes off the boil a bit, as investors sell off shares.

That’s why strict rules apply to people who have advance knowledge of such announcements – such as the staff at the company involved, its financial advisors, and its public relations team.

With insider information like this, selling the company’s shares short (effectively, predicting that they’ll go down instead of up) becomes as good as a certainty, so what’s known as “insider trading” is illegal, at least in the USA.

Of course, newswire services often have early knowledge of investment-related announcements, which are typically prepared some time in advance, checked, edited, approved, uploaded ready for release, and finally made live to the world.

So, to a cybercrook, who isn’t intending to comply with the law anyway, this makes the not-yet-published data stored by PR newswire services into an intriguing target.

According to allegations in criminal charges laid yesterday by the US Securities and Exchange Commission (SEC), that’s exactly the “business model” used by a multinational team of hacker-investors.

The SEC claims that:

[O]ver a five-year period, Ivan Turchynov and Oleksandr Ieremenko spearheaded the scheme, using advanced techniques to hack into two or more newswire services and steal hundreds of corporate earnings announcements before the newswires released them publicly. The SEC further charges that Turchynov and Ieremenko created a secret web-based location to transmit the stolen data to traders in Russia, Ukraine, Malta, Cyprus, France, and three U.S. states, Georgia, New York, and Pennsylvania. The traders are alleged to have used this nonpublic information in a short window of opportunity to place illicit trades in stocks, options, and other securities, sometimes purportedly funneling a portion of their illegal profits to the hackers.

In one example alleged in the charge sheet, just 36 minutes of advance warning about an “earnings downgrade” was enough for the defendants to place sure-fire short-selling trades that netted more than $500,000 in the first 10 minutes after the announcement went public.

And that was just one success of many, if the SEC’s claims are true: the charges allege that the crooks made more than $100,000,000 over five years by following this hack-steal-trade-profit process.

The charges even say that the ringleaders made a video advertising their hacking abilities in order to attract crooked traders into their scheme.

As we have come to expect in cases like this, the multinational nature of the investigation required a multinational effort by law enforcement.

The SEC’s press release formally thanks not only a number of investigative divisions inside the SEC, but also the US Attorney’s Offices for the District of New Jersey and the Eastern District of New York; the FBI; the Department of Homeland Security; the US Secret Service; the Financial Industry Regulatory Authority; the UK Financial Conduct Authority; and the Danish Financial Supervisory Authority.

Quite a list!

What to do?

There’s a warning in this for all of us.

Even data that we intend to make public soon may be of immense value to crooks who get hold of it before time and use it for nefarious purposes.

Of course, if you have a web publishing system, it’s almost certainly connected to the outside world, precisely so that you can publish information for public consumption.

So you need to make sure that it isn’t too accessible from the outside.

You may want to consider some or all of the following:

* Use two-factor authentication so that stolen or leaked passwords aren’t enough on their own to give crooks access.

* Patch early, patch often: keep your operating system, web server and content management system up-to-date. Don’t be low-hanging fruit for crooks exploiting security holes that you could already have closed.

* Use anti-virus software, even (or perhaps especially!) on your servers – including Linux servers, which are often left unprotected. Crooks may install malware to give themselves ongoing remote access even after you’ve responded by installing patches or changing passwords.

* Consider security tools such as a Web Application Firewall (WAF) to harden your web services. Crooks often used automated probes to search for likely security weaknesses they can then figure out how to exploit.

Leave a Reply