U.S. authorities have charged “a suspected Ukrainian computer hacker and several traders” with attempting to cash in on “market-moving corporate earnings news” stolen from Securities and Exchange Commission systems, Reuters reported on Tuesday.
There are 10 defendants charged, two of whom are facing criminal charges, Reuters wrote. The incident in question relates to a 2016 breach of the SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) database, its corporate filings system. Reuters wrote:
Authorities said the scheme resulted in $4.14 million of illegal trading profit, and cheated ordinary investors.
... Authorities said Oleksandr Ieremenko, 26, and Artem Radchenko, 27, both of Kiev, used a Lithuanian server to hack into Edgar and obtain thousands of “test filings,” including 157 earnings announcements, and shared their findings with traders.
The Department of Justice said conspirators sent fake emails to SEC employees that appeared to be from other employees, enabling Ieremenko and Radchenko to steal filings through phishing attacks and by installing malware on SEC computers.
The Ukrainian men in the case, Ieremenko and Radchenko, are facing 16 indictments including computer fraud, wire fraud, and conspiracy. The SEC is also filing related civil charges against “six individuals and two companies in the United States, Russia and Ukraine,” claiming that they shared in the benefits of the scheme and in some cases shared their ill-gotten gains with Ieremenko, Reuters added.
As the Washington Post noted, publicly traded companies use EDGAR to make public filings—often hours before the potentially market-shifting information contained therein is made officially public. That seems to have made it an attractive target. According to the Wall Street Journal, prosecutors say a key flaw in EDGAR allowed the hackers to bypass a login screen and gain direct access to “test filings,” “documents serving to check that companies have access to the system.” Most of these are blank, but some companies submitted reports containing actual, valuable data to the test filing system, the Journal wrote. In other cases, they allegedly used phishing techniques, including posing as SEC security staff to infect SEC systems and further probe the network.
In court filings, the Post wrote, prosecutors described one way that the defendants allegedly profited from their breach of the system:
In one case, an unnamed company submitted a document to the SEC at 3:32 p.m. that included unreleased quarterly financial results, according to the criminal complaint. About six minutes later, the release was stolen from Edgar. Between 3:42 p.m. and 3:59 p.m. that day, the hackers bought about 121,000 shares of the company’s stock, worth about $2.4 million. The company released the financial statement to the public at 4:02 p.m. announcing “record earnings.” The hackers sold the stock the next day after pocketing more than $270,000 in profit, according to the complaint.
In another incident flagged by the Journal, prosecutors said Ieremenko’s group obtained a test filing from a Nasdaq-listed company just eight minutes after it was uploaded, then netted $307,000 by betting against its stock after it closed 12 percent down for the day.
According to the Journal, prosecutors are also preparing charges against Ieremenko and accomplices for alleged involvement in a 2010-2015 scheme to steal corporate press releases. Ieremenko appears prominently in SEC court documents from 2015 as one of the alleged hackers central to that scheme, meaning that the alleged EDGAR intrusion happened after he had already attracted the agency’s ire.
The SEC faced harsh criticism for first noticing the breach in 2016 but only publicly disclosing it in 2017, when they realized stolen information had been used in trades. As the Post noted, there has “long been disagreement within the SEC and by legal scholars” about whether it has the legal authority to pursue cases like this, as the hackers were unconnected to all companies involved. They could argue that the crime was not insider trading, and thus falls outside the SEC’s jurisdiction.
“Publicly traded companies know that, if they were hacked, litigation would be flying and the SEC could be investigating,” Stanford University professor and former SEC commissioner Joseph Grundfest told the Journal. “But when the SEC is hacked, nothing bad happens to anyone at the commission, and all the fingers instead point to the hackers.”
John Reed Stark, a former SEC enforcement agent who teaches cybersecurity law at Duke University, told the Post the SEC “must have felt an extraordinary amount of pressure to bring this case” and “I think they are spot-on.”