I. U.S. v. Willner: The First “Cyber Boiler Room”

On November 8, 2017, federal prosecutors in the Eastern District of New York indicted Joseph P. Willner—a securities trader from Pennsylvania—for securities fraud, money laundering, and associated conspiracy charges related to his alleged operation of a fraudulent cyber trading scheme. [1] The scheme, described by the FBI as “a 21st century cyber boiler room,” cost the targeted brokerage firms more than $2 million, according to the indictment. [2] Prosecutors alleged that between September 2014 and May 2017, Willner offered stock of publicly traded companies at artificially high, above-market prices while his co-conspirators concurrently hacked into the online securities brokerage accounts of targeted brokerage firms and used the accounts of unsuspecting victims to purchase the overpriced stock. [3] By then repurchasing the stocks from the hacked accounts at a lower price, Willner was able to quickly capitalize on the margin, resulting in more than $700,000 in profits. [4] Willner now faces up to twenty years in prison. [5]

II. Willner is One Piece of a Larger Puzzle

A. Predecessor Cases to Willner

This cyber-enabled financial fraud prosecution should not be viewed in a vacuum. Indeed, this particular prosecution emerges from a backdrop of increasingly concentrated efforts by federal authorities to combat rapidly evolving and innovative cyber fraud schemes. To fully understand the context of DOJ’s and the SEC’s heightened focus, we should look to the U.S. v. Korchevsky et al., U.S. v. Turchynov et al., and SEC v. Dubovoy, et al., a series of cyber-enabled financial crimes cases involving high profile prosecutions and enforcement actions that underscored federal authorities’ pivot toward this emerging area of complex financial crimes. [6] Korchevsky, Turchynov, and Dubovoy involved a hacking and insider trading scheme that Andrew Ceresney, the then-Director of the SEC’s Division of Enforcement, called “one of the most intricate and sophisticated trading rings that we have ever seen.” [7] The scheme spanned more than five years, during which conspirators allegedly hacked into newswire services to steal hundreds of corporate earnings announcements prior to public release. [8] The hackers allegedly transmitted the stolen data to traders across the globe, who then used the information to place illicit trades before the information was released to the public. [9] Authorities allege that this scheme generated approximately $100 million in illicit profits. [10]

Since Korchevsky and its related cases, federal authorities have prosecuted a number of cyber-enabled financial crimes across the country. In October 2016, federal prosecutors in the Southern District of New York charged three Chinese traders with insider trading, conspiracy, wire fraud, and computer intrusion for their fraudulent cyber trading scheme, which involved hacking two large U.S. law firms and trading on information stolen from them. [11] In August 2017, Daniel Rivas—a technology consultant working in a global investment bank’s Research and Capital Markets Technology Group—was charged with conspiracy, wire fraud, and multiple counts of securities fraud for his alleged involvement in a scheme in which Rivas accessed and transmitted sensitive information to financial advisers and friends in Miami, New Jersey, and California so that they could trade on this confidential information ahead of the market. [12]

B. Hack of the SEC and Creation of SEC Cyber Unit

This line of cyber-enabled financial crimes is not limited to private institutions and their databases. On September 20, 2017, the SEC announced that its computer system, EDGAR—which receives 1.7 million corporate and securities filings a year—had been hacked, potentially providing “the basis for illicit gain through trading.” [13] Following this cyber intrusion, the SEC announced the creation of a Cyber Unit on September 25, 2017. The SEC’s Cyber Unit has been tasked with “targeting cyber-related misconduct” including market manipulation schemes, hacking to obtain material nonpublic information, intrusions into retail brokerage accounts, and other cyber-related threats. [14] Its resources include staff from across the SEC Enforcement Division with “substantial expertise in the detection and pursuit of fraudulent conduct in an increasingly technological and data-driven landscape.” [15] Its sole mission will be to investigate and bring cases involving cyber-enabled financial fraud.

III. On the Horizon: A Wave of Cyber-Enabled Financial Fraud Cases

In the past two years, public interest surrounding cyber-enabled financial crimes has steadily increased. The public curiosity surrounding these alluring, intricate schemes runs parallel to federal authorities’ heightened interest. The SEC’s formation of a unit dedicated entirely to fighting cyber-enabled financial crimes illustrates the agency’s intent to pursue this new breed of financial fraud. Because the SEC has dedicated additional resources, personnel, and funding to this initiative, we believe that the SEC is expecting a fruitful return on its investment. In fact, on December 4, 2017, the SEC announced the Cyber Unit’s first filing of charges against Dominic Lacroix, an alleged recidivist Quebec securities law violator who operated a fast-moving initial coin offering fraud scheme that generated at least $15 million in sales of securities over the internet since August 2017. [16] This type of action is a sign of what is to come as federal authorities continue to focus their resources on cyber-enabled financial crime. But, because of the complex nature of these cases, it may take several years for the pursuit of some of these sophisticated schemes to unfold publicly. Any lull in media coverage of these cases should not be misinterpreted as calm on the war front. Cyber criminals continue to grow bolder, smarter, and more creative in perpetrating their illegal schemes.

As federal authorities aggressively tackle the threat of cyber-enabled financial crimes with full force, securities firms, broker-dealers, financial advisory firms, and public companies—and their regulatory and compliance personnel—must take note and revisit their internal controls, for the threat is not posed solely by cybercriminals. Victims of these crimes also may find themselves the targets of cyber-related enforcement actions. For example, the SEC can employ the “Safeguards Rule” against regulated financial institutions for failing to adopt policies and procedures reasonably designed to protect customer data. [17] For public companies, the SEC may bring action against companies for failing to timely disclose information about a material cybersecurity failure. Going forward, firms must stay up to date on cybersecurity rules and threats and implement policies and controls in response to these growing risks.