Stealing advanced information from news wires focused on issuing press releases may seem like a low security situation, but think again.
An alliance of U.S.-based stock traders and Ukraine-based hackers made as much as $100 million in illegal profits over five years after stealing confidential corporate press releases and they are now facing charges, U.S. officials said.
Charges ended up filed against nine people in the insider-trading case that marks the first time officials filed criminal charges for a securities fraud scheme involving hacked inside information, prosecutors said. The information came from press releases from distributors Business Wire, Marketwired and PR Newswire.
“This is the story of a traditional securities fraud scheme with a twist — one that employed a contemporary approach to a conventional crime,” said FBI Assistant Director-in-Charge Diego Rodriguez.
Prosecutors said Ukraine-based hackers improperly accessed press releases before the distributors planned to release them to the public. The traders gave the hackers “shopping lists” of releases, prosecutors said.
The hackers created a “video tutorial” to help traders see the stolen releases, and received a portion of the profits from trades based on the information in them, prosecutors said.
“Companies need to be aware of the risks their supply chain presents to the business,” said Tim Erlin, director of IT security and risk strategy at Tripwire. “This is a case where sensitive information was transferred to a third party, and while the sensitivity was time limited, the data was clearly at risk.”
“Data becomes a target when it has value. Many would wonder why hackers would want access to this type of information, but many forget that hacking is a business, a big business,” said Ken Westin, senior security analyst at Tripwire. “PR is not the only target, as law firms and manufacturing are also sources of information that can be of value to those with knowledge of the markets and willing to take the necessary risks.”
“This creates a dangerous scenario where zero-value assets that are protected by minimal security come under attack from hackers who have the know-how to convert the asset into significant monetary gain,” said John Gunn, vice president at VASCO Data Security. “These hacker mash-ups will become more frequent as enabling technologies make criminal collaboration easier.”
Nine people ended up indicted by grand juries in Brooklyn, NY, and in Newark, NJ, on charges they made $30 million in illegal profits starting around February 2010.
Five ended up arrested on Tuesday, and international arrest warrants went out for the other four.
A related U.S. Securities and Exchange Commission civil lawsuit charged 17 people and 15 corporate entities, and said thefts of inside information resulted in more than $100 million in illegal profit.
The SEC said the network included traders in New York, Cyprus, France, Malta and Russia. It is seeking civil penalties, and has already obtained court-ordered asset freezes.
Law enforcement officials have warned companies for years about securing their computer networks against hackers, whose victims over the past two years have included leading retailers and U.S. government personnel.
“This case illustrates how cyber criminals and those who commit securities fraud are evolving and becoming more sophisticated,” U.S. Attorney Paul Fishman in New Jersey said at the news conference. “The hackers were relentless and they were patient.”
The breaches could put more pressure on the business, founded decades ago before the ubiquity of the Internet and which depend on clients trusting them with sensitive information. In recent years, major U.S. companies including Google, Microsoft, Wal-Mart and Tesla have started to publish important information on their own websites or social media platforms, reducing their dependence on the wires.
Authorities said the scheme involved trades on such companies as Acme Packet Inc, Align Technology Inc, Caterpillar Inc, Dealertrack Technologies Inc, Dendreon Corp, Edwards Lifesciences Corp, Hewlett-Packard Co, Home Depot Inc and Panera Bread Co.
The indictment in Brooklyn charged four traders: Vitaly Korchevsky, 50, a former hedge fund manager from Pennsylvania; Vladislav Khalupsky, 45, of Brooklyn and Odessa, Ukraine; and Leonid Momotok, 47, and Alexander Garkusha, 47, of the U.S. state of Georgia. The charges included securities fraud, wire fraud and money laundering conspiracy.
Korchevsky appeared without a lawyer in Philadelphia federal court. He ended up released on a $100,000 bond and told to surrender his passport.
A prosecutor told the court Korchevsky was a flight risk with $5 million at his disposal and he had traveled abroad 42 times since 2010. Korchevsky’s wife told the judge that 99 percent of her husband’s travel was in his role as a pastor. Later, prosecutors asked another judge to revoke the first judge’s release of Korchevsky.
A separate indictment made public in New Jersey charged Ivan Turchynov, 27, and Oleksandr Ieremenko, 24, two purported hackers who live in Ukraine; Pavel Dubovoy, 32, a trader from Ukraine; and Arkadiy Dubovoy, 51, and his son Igor Dubovoy, 28, traders from Georgia.
Arkadiy and Igor Dubovoy appeared in Atlanta federal court, and will appear there again on Thursday, including over whether they should defend themselves in New Jersey.