Charges have been pressed against nine traders hailing from Ukraine, Russia and California for allegedly stealing US$4.1 million by hacking the Securities and Exchange Commission’s (SEC) corporate database in 2016.
The international insider trading scheme, comprising of Ukrainian hacker Oleksandr Ieremenko, six Californian, Ukrainian and Russian traders, and two others, was presented with civil charges by the SEC on Tuesday.
Alongside the SEC charges, the US attorney’s office for New Jersey also filed criminal charges against Ieremenko and Artem Radchenko – another accused hacker.
The US attorney for New Jersey, Craig Carpenito, said the criminal activity was a “sophisticated hacking and insider trading scheme to cheat the securities market and the investing public.”
According to the SEC, the traders accumulated an illegal profit of US$4.1 million by trading before information of 157 earnings releases were made public. The Commission believes the traders took advantage of non-public information that businesses had recorded with the American securities regulator.
In 2017, the SEC admitted to a “software vulnerability” and a resulting hack of its Edgar system, which stores the data of millions of companies and their earnings announcements. Although the issue was resolved almost immediately after being discovered, it is believed that the hackers exploited the exposure to make their profits.
Since stepping into the role of SEC chairman in 2017, Jay Clayton has made cybersecurity a number one priority within the agency, but believes it still faces the same threats of cyber-criminal activity as any other organisation in the market.
He said: “No system can be entirely safe from a cyber intrusion. These threats to our marketplace are significant and ongoing and often involve threats from actors outside our borders.”
The SEC reported that the hackers allegedly gained access to its corporate filings system through a phishing attack, which were in the form of emails to SEC employees that were supposedly from fellow members of staff. Through this method, the hackers were able to install malware onto the computers to facilitate the theft of information and provide access to earnings information before they were released.
Despite its own regulatory advice to institutions in that they should report a hack to authorities within a week of realisation, the SEC waited eight months to reveal the details of the 2016 security breach. It also revealed that the information of two individuals had been stolen, which included the theft of their names, social security numbers and dates of birth.
This is not Ieremenko’s first scuffle with the SEC; in 2015 he was charged alongside 42 others for allegedly netting more than US$100 million in illegal profits by hacking newswire services to access insider information before it was made public.
See the original article here: Cybersecuritynews.co.uk