Cybersecurity

Hackers broke into an SEC database and made millions from inside information, says DOJ

Key Points
  • Federal prosecutors unveil charges against seven individuals Tuesday in an international stock-trading scheme that involved hacking into the SEC's corporate filing database.
  • The operation, taking place from May to at least October 2016, nets $4.1 million for fraudsters from the U.S., Russia and Ukraine, prosecutors say.
Jay Clayton, chairman of U.S. Securities and Exchange Commission (SEC), speaks during an SEC open meeting in Washington, D.C., U.S., on Wednesday, April 18, 2018.
Yuri Gripas | Bloomberg | Getty Images

Federal prosecutors unveiled charges in an international stock-trading scheme that involved hacking into the Securities and Exchange Commission's EDGAR corporate filing system.

The scheme allegedly netted $4.1 million for fraudsters from the U.S., Russia and Ukraine. Using 157 corporate earnings announcements, the group was able to execute trades on material nonpublic information. Most of those filings were "test filings," which corporations upload to the SEC's website.

The charges were announced Tuesday by Craig Carpenito, U.S. Attorney for the District of New Jersey, alongside the SEC, the Federal Bureau of Investigation and the U.S. Secret Service, which investigates financial crimes.

SEC sues traders for hacking Edgar system in 2016
VIDEO0:2900:29
SEC sues traders for hacking Edgar system in 2016

The scheme involves seven individuals and operated from May to at least October 2016. Prosecutors said the traders were part of the same group that previously hacked into newswire services.

Carpenito, in a press conference Tuesday, said the thefts included thousands of valuable, private business documents. "After hacking into the EDGAR system they stole drafts of [these] reports before the information was disseminated to the general public," he said.

Those documents included quarterly earnings, mergers and acquisitions plans and other sensitive news, and the criminals were able to view it before it was released as a public filing, thus affecting the individual companies' stock prices. The alleged hackers executed trades on the reports and also sold them to other illicit traders. One inside trader made $270,000 in a single day, according to Carpenito.

Risk factor
VIDEO2:0702:07
Risk factor

The hackers used malicious software sent via email to SEC employees. Then, after planting the software on the SEC computers, they sent the information they were able to gather from the EDGAR system to servers in Lithuania, where they either used it or distributed the data to other criminals, Carpenito said. The EDGAR service operates in New Jersey, which is why the Justice Department office in Newark was involved in the case.

Stephanie Avakian, co-head of the SEC's Division of Enforcement, said the same criminals also stole advance press releases sent to three newswire services, though she didn't name the newswires. The hackers used multiple broker accounts to collect the illicit gains, she said.

Two Ukrainians were charged by the Justice Department with hacking the database — Oleksandr Ieremenko and Artem Radchenko. Seven further individuals and entities were also named in a civil suit by the SEC for trading on the illicit information: Sungjin Cho, David Kwon, Igor Sabodakha, Victoria Vorochek, Ivan Olefir, Andrey Sarafanov, Capyield Systems, Ltd. (owned by Olefir) and Spirit Trade Ltd.

Consolidated Audit Trail fears

Also at the time, the incident sparked fears over the SEC's Consolidated Audit Trail database, known as CAT. The CAT was meant to record every trade and order — either stock or option — made in the U.S., with the goal of providing enough data to analyze for detecting market manipulations and other malicious behavior.

Full implementation of the CAT has been plagued by delays, with equities reporting now scheduled to begin in November. The New York Stock Exchange has asked the SEC to consider limiting the amount of data collected by the CAT, which would include data on around 58 billion daily trades, as well as the personal details of individuals making the trades, including their Social Security numbers and dates of birth.

In September 2017, SEC chairman Jay Clayton announced the EDGAR database had been hacked in a lengthy statement. The commission said the database was penetrated in 2016 but the incident wasn't detected until August 2017.

"Cybersecurity is critical to the operations of our markets, and the risks are significant and, in many cases, systemic," Clayton said at the time. "We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery."

SEC sues traders for hacking Edgar system in 2016
VIDEO0:2900:29
SEC sues traders for hacking Edgar system in 2016