Federal grand juries in New Jersey and New York have indicted a total of nine individuals for allegedly violating the anti-fraud provision of the Securities Exchange Act (the “Exchange Act”) and committing wire fraud, computer fraud, identity theft and money-laundering offenses.1 The prosecutions are the first by the US Department of Justice (the “DOJ”) alleging that cyber criminals hacked computers and obtained material, nonpublic information in order to commit securities fraud.
The August 2015 indictments occurred in conjunction with the filing of civil charges against 32 individuals and entities by the US Securities and Exchange Commission (the “SEC”).2 The SEC enforcement action, which was filed in federal court in New Jersey, alleges that the nine indicted individuals and 23 other individuals and companies violated the anti-fraud provisions of the Exchange Act and Securities Act. The civil action seeks $100 million in damages, which is the amount the SEC estimates the 32 defendants realized from their insider trading scheme. The indictments and enforcement action focus on three victims of the defendants’ alleged hacking activities: newswire services that held and disseminated press releases for publicly traded companies.3
According to the indictments, the defendants primarily operated in two groups: “Hackers” and “Traders.” The Hackers compromised computer networks belonging to the three newswires and stole unpublished press releases containing material information about public companies. The Hackers then shared these press releases with the Traders, who would effect trades in the securities of public companies prior to the publication of the press releases. The Traders profited from the resulting price changes and paid the Hackers a percentage of the insider trading profits.
The hacking operation allegedly occurred from February 2010 until May 2015 and involved the theft of more than 150,000 press releases. The defendants executed trades using more than 800 of these press releases and realized more than $100 million in illicit profits, according to the government. They also allegedly disseminated the stolen press releases electronically to third parties to facilitate further insider trading.
The Hackers are alleged to have used a variety of attack tools to compromise the newswires’ servers. In some instances, they sent phishing emails to newswire employees that contained links to malicious software that would permit the Hackers to compromise a computer if an employee clicked on the email link. In other instances, the Hackers used what is known as an SQL injection to compromise the newswires’ networks. In an SQL injection attack, the hacker enters malicious code into an entry field of a website (e.g., the login screen), and the website’s database executes that code as part of its own query. In the case of the newswires, the Hackers allegedly used the SQL injection attack to extract the usernames and passwords from the newswires’ websites and use that information to access the newswires’ websites remotely and download press releases.
Once the Hackers infiltrated the newswires’ networks and downloaded the unpublished press releases, it is alleged that they used a sophisticated system to disseminate the data quickly to the Traders and other parties. This system consisted of a computer server that was controlled by the Hackers and accessible over the Internet. The Hackers sent videos to the Traders instructing them how to log into the server and download the stolen press releases. Although the Hackers allegedly engaged in large-scale collection, at least some of their activities were focused: the Traders sent the Hackers “shopping lists” of companies whose press releases they wanted to receive.
In describing their activities to others, one of the Hackers stated that in exchange for access to the stolen press releases through “the more or less convenient web interface,” the Traders paid a percentage of their monthly or “seasonal” profits to the Hackers, and if they got “really high with time [, they paid] a fixed amount of dough a month.” The civil action alleges that over time, the Traders expanded their activities to include trade “layering” or “spoofing” that would permit them to move the price of securities artificially, even in the absence of insider information from the stolen press releases.
On at least two occasions, one of the newswires detected the Hackers’ activity and terminated their unauthorized access. It is unclear from the indictment if the newswire reported the incidents to law enforcement, but the Hackers were undaunted. According to the indictment, they merely shifted their focus to the other two newswires, while attempting to re-infiltrate the network that had terminated their unauthorized access.
The alleged actions of the Hackers and Traders, and the government’s criminal and civil actions against them, illustrate long-term trends in cybercrime and the efforts to combat it.
The first trend is that cybercriminals are constantly seeking new ways to steal and profit from others’ information. As a result, cyberattacks are increasing in sophistication, variety, impact and scale. US cybersecurity czar Michael Daniel recently noted that cyberattacks are taking up a “greater and greater percentage of the president’s daily briefings.”4
The second trend is that the law enforcement community is seeking broader cooperation among government and private sector entities to meet the challenges posed by evolving cyber threats. US Attorney General Loretta Lynch stressed the need for companies to work “collaboratively [with the DOJ] to identify and notify victims, minimize the impact of an intrusion and help prevent similar attacks in the future.”5 The pending cases in New Jersey and New York reflect this trend of greater cooperation between the DOJ and other regulators in investigations.
According to press releases, the DOJ and the SEC worked with the US Department of Homeland Security, the US Secret Service, the FBI, FINRA, the UK Financial Conduct Authority and the Danish Financial Supervisory Authority to conduct their investigation, which resulted in parallel civil and criminal proceedings.6 A recent report from the National Institute of Standards and Technology indicates that further coordination of this kind is not only likely, but imperative to combating cybersecurity threats.7
Given the current trends and dedication of substantial DOJ and SEC resources to cybersecurity and securities fraud investigations, it would appear that more prosecutions of this kind are likely to happen in the foreseeable future.