NEWARK, N.J. (AP) — An international web of hackers and traders made $100 million on Wall Street by stealing a look at corporate press releases before they went out and then trading on that information ahead of the pack, federal authorities said Tuesday.
Authorities said it was the biggest scheme of its kind ever prosecuted, and one that demonstrated yet another way in which the financial world is vulnerable to cybercrime.
In an insider-trading scandal with a 21st-century twist, the hackers pulled it off by breaking into the computers of some of the biggest business newswire services, which put out earnings announcements and other press releases for a multitude of corporations.
Nine people in the U.S. and Ukraine were indicted on federal criminal charges, including securities fraud, computer fraud and conspiracy. And the Securities and Exchange Commission brought civil charges against the nine plus 23 other people and companies.
The case “illustrates the risks posed for our global markets by today’s sophisticated hackers,” SEC chief Mary Jo White said. “Today’s international case is unprecedented in terms of the scope of the hacking at issue, the number of traders involved, the number of securities unlawfully traded and the amount of profits generated.”
The nine indicted include two people described as Ukrainian computer hackers and six stock traders. Prosecutors said the defendants made $30 million from their part of the scheme.
At the same time, the SEC brought a lawsuit that details a sprawling network of hackers and traders stretching from the U.S. to Russia and Ukraine, France, Malta and Cyprus, all accused of using the stolen advance information to make money.
Authorities said that beginning in 2010 and continuing as recently as May, the hackers gained access to more than 150,000 press releases that were about to be issued by Marketwired of Toronto; PR Newswire in New York; and Business Wire of San Francisco. The press releases contained earnings figures and other corporate information.
The defendants then used roughly 800 of those news releases to make trades before the information came out, exploiting a time gap ranging from hours to three days, prosecutors said.
In one day in 2013, for example, the group traded more than 75,000 shares of Panera Bread Co. stock in a little over an hour and made $900,000, authorities said.
A strong earnings report or other positive news can cause a company’s stock to rise, while disappointing news can make it fall. The conspirators typically used the advance information to buy stock options, which are essentially a bet on the direction a stock will move, authorities said.
The hackers were paid based on how much profit the traders made, prosecutors alleged.
“This is the story of a traditional securities fraud scheme with a twist – one that employed a contemporary approach to a conventional crime,” said Diego Rodriguez, head of the FBI’s New York office.
Five defendants were arrested in the U.S. on Tuesday, and warrants were issued for four others in Ukraine.
Among those charged were Pavel, Igor and Arkadiy Dubovoy. Authorities said they are related but didn’t say how. Arkadiy and Igor were arrested at their homes in Alpharetta, Georgia. Pavel was believed to be in Ukraine.
It wasn’t immediately known when the defendants were to appear in court or whether they had attorneys.
Paul Fishman, U.S. attorney for New Jersey, said the case exemplified the “intersection of hacking and securities fraud” and called the defendants “relentless and patient.”
At various times, the indictment alleges, the hackers were locked out of the news services’ computer systems. According to Fishman, they eventually managed to get back in, often using simple “phishing,” or sending bogus emails with links that, if clicked on, can eventually lead a hacker to a computer user’s login and password.
The case shows how hackers are expanding their efforts beyond typical moneymaking information such as credit card and Social Security numbers.
It’s also another example of how companies are often at the mercy of those they do business with. Many major hackings have been pulled off through third-party companies that have access to sensitive information.
Business Wire said it has hired a cybersecurity firm to test its systems and make sure they are secure. Marketwired and PR Newswire did not immediately return emails seeking comment.
The hacker group made more than $600,000 by trading the stock of Caterpillar Inc. in 2011 after getting a peek at a news release that said the heavy-equipment maker’s profits were up 27 percent, according to the indictment.
Similarly, the group made more than $1.4 million trading stock in Silicon Valley’s Align Technology in 2013 ahead of a press release that said revenue had climbed more than 20 percent, the indictment said.
The most serious charges in the indictment, wire fraud and securities fraud, carry up to 20 years in prison.
The SEC lawsuit named 17 individuals and 15 companies in the U.S. and abroad. The agency is seeking unspecified fines and restitution against the 32 defendants.