32 charged over what FBI calls 'largest known computer hacking fraud scheme'
Hackers and inside traders worked together to steal over $100m
An international group of stock traders and two Ukrainian computer hackers who allegedly worked together to make over $100m (£64m) in illegal insider trading profits have been charged with fraud.
The United States Securities and Exchange Commission (SEC) has charged 32 people for taking part in a scheme to profit from stolen information about corporate earnings. The FBI has described the criminal activity as "the largest known computer hacking and securities fraud scheme".
According to the prosecution, the hackers broke into newswire services to find the information required to commit fraud, stealing information from thousands of corporate press releases before they were released to the public and providing it to the insider trading ring. The traders then used the information to buy and sell shares and make millions in illegal profits.
"This international scheme is unprecedented in terms of the scope of the hacking, the number of traders, the number of securities traded and profits generated," said SEC chair Mary Jo White.
"These hackers and traders are charged with reaping more than $100m in illicit profits by stealing non-public information and trading based on that information. That deception ends today as we have exposed their fraudulent scheme and frozen their assets," she added.
Prosecutors allege the Ukrainian hackers were given "shopping lists" describing which corporations to target via services including Business Wire, Marketwired and PR Newswire by the insider traders.
It is thought the hackers accessed more than 150,000 stolen press releases over a five-year period, before sending the stolen data to traders in Russia, Ukraine, Malta, Cyprus, France, and three US states: Georgia; New York; and Pennsylvania. The hackers were then paid a portion of the profits generated by the illegal trading.
"This cyber hacking scheme is one of the most intricate and sophisticated trading rings that we have ever seen, spanning the globe and involving dozens of individuals and entities," said Andrew Ceresney, director of the SEC's Division of Enforcement.
"Our use of innovative analytical tools to find suspicious trading patterns and expose misconduct demonstrates that no trading scheme is beyond our ability to unwind," he added, demonstrating that big data analytics is becoming a useful tool in the fight against fraud.
Matt Middleton-Leal, regional director, UK and Ireland at enterprise security firm CyberArk warned that the incident demonstrates how third parties can be targeted as a "weak point" by cyber criminals looking to steal data.
"It's often said you're only as secure as your weakest link, and this is yet another example of how third parties can be used by attackers to infiltrate a target organisation for financial gain," he said.
"With high-profile corporate network takeovers becoming more commonplace, it's time for organisations to re-assess security programmes by adopting the mind-set that the attacker is already inside," Middleton-Leal continued.
"Ensuring that the privileged access granted to staff and third party contractors is tightly managed and monitored in real-time, with the option to detect and immediately terminate a suspicious session is vital to containing risk and limiting damage," he added.
Don Randall, former head of security at the Bank of England and senior consultant at Bivonas Law has argued that the financial services sector could do more to prevent cyber fraud