An international hacking ring armed with tens of thousands of corporate secrets pocketed more than $100 million from illicit trades, targeting a core vulnerability of the financial system in one of the digital age's most sprawling insider-trading schemes, federal investigators said Tuesday.
Since 2010, more than 30 hackers and traders across the U.S., Ukraine, Russia and other countries coordinated to steal and profit from more than 150,000 press releases, which were scheduled to be delivered to investors from corporate wire services Business Wire, PR Newswire and Marketwired.
With advance details on financial performance and corporate mergers from dozens of companies — including Bank of America, Boeing, Ford Motor, Home Depot, defense contractor Northrop Grumman and Smith & Wesson — the team made rapid and lucrative trades from shared brokerage accounts, funneling the money through shell companies and offshore bank accounts in Estonia and Macau.
Unlike the recent high-profile hacks of health insurers and government agencies, the sophisticated hacks targeted not just people's identities, but corporate intelligence, and some hackers and traders were even aided by former broker-dealers registered with the Securities and Exchange Commission.
By breaking into the wire services, some of Wall Street's most vital and unnoticed information hubs, investigators said the hackers and traders were able to defraud investors on a massive scale while leaving no public trace, a worrying development for the increasingly intricate networks that keep the financial world online.
The “brazen scheme ... was unprecedented in terms of the scope of the hacking, the number of traders involved, the number of securities unlawfully traded and the amount of profits generated,” SEC Chair Mary Jo White said Tuesday at a Newark news conference alongside Secretary of Homeland Security Jeh Johnson. “The traders were market-savvy, using equities and options … to maximize their profits.”
The years-long subterfuge highlights the hidden danger of modern finance and the broader Web, in which any one compromised link in the larger chain can quietly endanger the system for years. The hackers, experts said, didn't have to breach many individual companies or vacuum up a large amount of files to succeed. Instead, they hit data-rich clearinghouses knowing exactly what they wanted, ensuring an efficient attack.
"With these financial schemes, it didn’t used to be this tailored. It used to be more smash-and-grab, where they'd go in, siphon off whatever they can and sell it on the underground," said Jen Weedon, manager of threat intelligence at FireEye, a cyber-security firm. "Now cyber-criminals are looking more and more like these organized nation-state groups: They have a supply chain, they have a division of labor and they have customers with requirements that they're going off and executing on."
The scheme was detailed in a sweeping lawsuit filed by the SEC, which announced civil charges against 32 defendants. Federal prosecutors in Brooklyn and New Jersey also filed criminal charges. Federal agents on Tuesday began arresting suspects Tuesday, with nine facing criminal charges for their role in grabbing $30 million in profits.
Authorities said they have also seized a house boat, an apartment complex, a shopping center and a dozen other properties, as well as more than a dozen brokerage accounts holding $6.5 million.
Two Ukrainian hackers, Oleksandr Ieremenko, 23, and Ivan Turchynov, 27, were said to have spearheaded the scheme, by cracking into the newswires and then listing the information on secret outposts accessed by traders in the U.S., Russia, Ukraine, Malta, Cyprus and France.
The hackers, who breached the wires and swiped employee credentials through a series of attacks, shared the stolen intelligence with a black-market network of traders, who would then pay the hackers a cut of their ill-gotten profits, indictments show.
Speaking in Russian, Turchynov said in an online chat in 2011 that rogue traders who made money from the hacked information would need to share a cut of their "seasonal" profits, according to the indictment. He added, "If you get really high with time you pay a fixed amount of dough a month."
The hackers, who called the early-accessed filings "fresh stuff," masked their movements through proxy servers and stolen employee identities, and recruited traders with videos showcasing how swiftly they could steal corporate data before its release. Traders kept "shopping lists" of the releases they wanted from select public companies, many of whom were large Fortune 500 conglomerates with heavy interest in market trading.
The ability to see a stock's near-future generated windfalls at warp speed; in one instance, traders made half a million dollars in 36 minutes. In a 2013 scheme, the traders bought more than $8 million in shares of Align Technology after stolen documents showed that the medical-device maker's revenues had recently soared. One day later, when the news went public, the traders cashed out for a profit of more than $1.4 million.
The hackers tapped an armament of brute-force, injection and "spear-phishing" attacks, bulldozing through security systems, implanting malicious code or persuading employees to click on booby-trapped links.
SEC investigators unraveled the scheme with the help of "enhanced trading surveillance" technology, White said, which can comb through millions of financial trades, track suspicious behavior and otherwise sniff out threats to "the integrity of our markets."
The charged traders included Vitaly Korchevsky, 49, an investment advisor who ran once managed mutual funds for Morgan Stanley; Arkadiy Dubovoy, 50, and Igor Dubovoy, 28, a father-and-son team living in Alpharetta, Georgia; and a relative, Pavel Dubovoy, 32, in Ukraine.
The traders were helped by four co-conspirators in Alpharetta and Suwanee, Georgia; Glenn Mills, Pennsylvania; and Brooklyn, two of whom were formerly broker-dealers registered with the SEC. The indictments and complaints did not list attorneys for those charged.
In 2013, investigators said, the team explored even newer ways of defrauding trades, including tricking sellers by rapidly buying and cancelling trades, which one called a "special daytrading strategy."
These hackers aren't alone in setting their sights on hyper-profitable market-moving events. In December, FireEye told the Federal Bureau of Investigation that another hacker group, called FIN4, had targeted the computer networks of more than 100 health care, law and pharmaceutical firms, hoping to grab insider intelligence on "impending market catalysts" that could help the group rake in cash from lucrative trades.
The case also echoes a decade-old scheme masterminded by two employees of Estonian financial-services firm Lohmus Haavel & Viisemann, whose theft of Business Wire releases netted them nearly $8 million in illicit profits before their arrest. The firm agreed to a civil settlement and $14 million in fines.
The wire services said they were cooperating closely with federal investigators, and Business Wire, a subsidiary of Warren Buffett's investment empire Berkshire Hathaway, said it had hired a cybersecurity team to test its systems and ensure its "network is fully operational and secure.”
Company chief executive Cathy Baron Tamraz said in a statement that Business Wire leads multiple security audits every year. But "despite extreme vigilance and commitment," Tamraz said, "recent events illustrate that no one is immune to the highly sophisticated illegal cyber-intrusions that are plaguing every aspect of our society."