SEC says hacked news releases were used to make illegal trades

An international network of hackers gained access to computer systems of business-newswire services to pull inside information from pending merger announcements, netting more than $100 million in illicit profits, according to federal indictments and a civil complaint unveiled Tuesday morning.

The indictments, filed in U.S. District Court in Newark, N.J., and U.S. District Court in Brooklyn, N.Y., said the hacking network downloaded more than 150,000 press releases. A network of traders in the U.S. made the illegal trades, paying the hackers for the information with either a flat rate or a percentage of the profits, the indictments said.

Among the victimized news wires were Business Wire, Marketwired LP and PR Newswire Assn. LLC, according to the indictments.

The indictments and a companion case filed by the Securities and Exchange Commission were unveiled Tuesday by SEC Chairwoman Mary Jo White, Homeland Security Secretary Jeh Johnson, Paul J. Fishman, U.S. attorney for New Jersey, and other top federal law enforcement officials.

Fisher said the indictment described “a cutting-edge, international scheme at the intersection of hacking and securities fraud.”

Officials said the case illustrates the increasing sophistication of criminal networks, both in their ability to hack sophisticated computer security systems as well as their acumen in using intricate trading strategies to conceal the scheme and who was behind it.

Using accounts at mainstream brokerages, the defendants traded in options (buying the right to buy or sell a security at a future time and a set price), short sales (borrowing shares and selling them to profit from a stock’s decline), and other types of sophisticated trades to fool securities regulators, officials said.

The indictments describe an elaborate array of hacking techniques, including phishing to fool unsuspecting employees at the wire service companies into allowing access to the system, so-called “brute force” attacks to decrypt data, and other ploys to gain access to the press releases.

White said the case also served as “a stark reminder to companies that your computer systems are vulnerable targets,” and urged stepped-up vigilance.

SIGN UP for the free California Inc. business newsletter >>

Federal authorities filed criminal charges against nine individuals, five of whom were known as the “trader defendants,” including three from Ukraine and others living in Georgia, Pennsylvania and Brooklyn. The SEC, meanwhile, filed civil charges against a wider network that included the five who were indicted and hackers, traders and small securities firms in Moscow, Paris, Cyprus and Malta.

The case, one of the most sweeping involving hacking and insider trading, points up the vulnerability of the financial services industry in the digital age.

Authorities said the network stole the press releases from the servers of the newswire companies shortly before the information was to be released. The network then traded ahead of more than 800 stolen press releases, generating millions of dollars in illegal profits, according to the U.S. attorney’s office.

Earlier Tuesday, the government seized 17 bank and brokerage accounts containing more than $6.5 million in alleged criminal proceeds.

ALSO:

Columbia House — 12 albums for a penny! — files for bankruptcy

Google, coming to grips with its giant size, forms a parent company: Alphabet

For high-risk start-ups like Uber, big ambitions don’t make losses any less unsettling