An international web of hackers and traders made $100 million on Wall Street by stealing a look at corporate press releases before they went out and then trading on that information ahead of the pack, federal authorities charged Tuesday.
Authorities said it was the biggest scheme of its kind ever prosecuted, and one that demonstrated yet another way in which the financial world is vulnerable to cybercrime.
In an insider-trading scandal with a 21st-century twist, the hackers pulled it off by breaking into the computers of some of the biggest business newswire services, which put out earnings announcements and other press releases for a multitude of corporations. Nine people in the U.S. and Ukraine were indicted on federal criminal charges, including securities fraud, computer fraud and conspiracy. And the Securities and Exchange Commission brought civil charges against the nine plus 23 other people and companies in the U.S. and Europe.
The case "illustrates the risks posed for our global markets by today's sophisticated hackers," SEC chief Mary Jo White said. "Today's international case is unprecedented in terms of the scope of the hacking at issue, the number of traders involved, the number of securities unlawfully traded and the amount of profits generated."
The nine indicted include two people described as Ukrainian computer hackers and six stock traders. Prosecutors said the defendants made $30 million from their part of the scheme. Authorities said that beginning in 2010 and continuing as recently as May, the hackers gained access to more than 150,000 press releases that were about to be issued by Marketwired of Toronto; PR Newswire in New York; and Business Wire of San Francisco. The press releases contained earnings figures and other corporate information.
A strong earnings report or other positive news can cause a company's stock to rise, while disappointing news can make it fall. The conspirators typically used the advance information to buy stock options, which are essentially a bet on the direction a stock will move, authorities said.
In 2013, for example, the hackers got an early peek at a press release from Panera Bread Co. announcing that it was lowering its earnings projections. The hacking ring bet correctly the stock would fall when the news came out, and turned a profit of about $1 million the very next day, according to the indictment. The hackers were routinely paid a cut of the profits, prosecutors alleged.
"This is the story of a traditional securities fraud scheme with a twist — one that employed a contemporary approach to a conventional crime," said Diego Rodriguez, head of the FBI's New York office. Five defendants were arrested in the U.S. on Tuesday, and warrants were issued for four others in Ukraine.
Among those charged were Pavel, Igor and Arkadiy Dubovoy. Authorities said they are related but didn't say how. Arkadiy and Igor were arrested at their homes in Alpharetta, Georgia. Pavel was believed to be in Ukraine. It wasn't immediately known whether the defendants had attorneys. Paul Fishman, U.S. attorney for New Jersey, said the case exemplified the "intersection of hacking and securities fraud" and called the defendants "relentless and patient."
At various times, the indictment alleges, the hackers were locked out of the news services' computer systems. According to Fishman, they eventually managed to get back in, often by simple "phishing," or sending bogus emails with links that, if clicked on, can lead a hacker to a computer user's login and password. The case shows how hackers are expanding their efforts beyond typical moneymaking information such as credit card and Social Security numbers.
It's also another example of how companies are often at the mercy of those they do business with. Many major hackings have been pulled off by penetrating third-party companies that have access to sensitive information. "The lesson in this is your information is only as secure as the people you share it with," said Matthew L. Schwartz, a former federal prosecutor in New York. "If you share that information with a news service, a PR firm or even a law firm, then you need to make sure that it's secure."
Business Wire said it has hired a cybersecurity firm to test its systems and make sure they are protected. PR Newswire said it is cooperating with the investigation, and added: "We take security very seriously and are dedicated to protecting our information and systems." Marketwire did not immediately respond to a request for comment. The hacker group made more than $600,000 by trading the stock of Caterpillar Inc. in 2011 after getting an advance look at a news release that said the heavy-equipment maker's profits were up 27 percent, according to the indictment.
Similarly, the group made more than $1.4 million trading stock in Silicon Valley's Align Technology in 2013 ahead of a press release that said revenue had climbed more than 20 percent, the indictment said. The most serious charges in the indictment, wire fraud and securities fraud, carry up to 20 years in prison. The SEC lawsuit named 17 individuals and 15 companies in the U.S. and abroad, in such places as Russia, France, Malta and Cyprus. The agency is seeking unspecified fines and restitution against the 32 defendants.
110 Reykjavik, Iceland