RegTech Intelligence

Hack-to-trade schemes, dark web tip-offs and poor controls raise insider dealing concerns

Rachel Wolcott, Regulatory Intelligence

Hack-to-trade schemes and confidential information dealing on the dark web, combined with regulatory warnings about firms’ management of material non-public information (MNPI), are raising further concerns about markets’ ability to keep a lid on insider dealing and other forms of manipulation.

The number of cases brought against individuals using stolen data or MNPI to trade, or offering it for sale on the dark web or in encrypted messaging apps, has grown worldwide. A 2020 report from France’s Autorité des Marchés Financiers (AMF) counted about 14 such incidents. Since then, regulators and law enforcement agencies have pursued several insider dealing cases with a cyber or dark web connection.

The biggest, perhaps, has involved the fraud charges brought by the U.S. Securities and Exchange Commission (SEC) against five Russian nationals for engaging in an $82 million multi-year scheme to profit from stolen corporate earnings announcements.

Information was obtained by hacking into the systems of two U.S.-based filing agent companies before the announcements were made public.

Financial information providers have been at the centre of many of the hack-to-trade schemes in the past five years. Hackers have compromised BusinessWire, MarketWire PRN, the SEC’s EDGAR system and Nasdaq’s “Directors Desk”, among others, and successfully extracted MNPI.

“All of our customers think a lot about protecting their high-value data. There are a lot of these high-value databases around and while banks are good at cyber security, it gets dicey when data is moved to outsourced providers,” said Max Heinemeyer, vice president of cyber innovation at Darktrace in Amsterdam.

Good regulation should encourage financial services, their suppliers, and companies generally to fund cyber-security programmes and skills development to help meet the cyber threat. Firms should avail themselves of the best practice resources published by the public sector, such as the UK National Cyber Security Centre (NCSC), Heinemeyer said.

Inside job

Firms underestimate the insider dealing threat posed by hackers and fail to realise just how successful criminals can be at recruiting insiders to leak data to sell on the dark web, cyber-security experts said.

“It’s an underestimated threat that people don’t realise. Honestly … we’ve seen a spate of ransomware attacks where, if you don’t pay, people actually dump the information on the internet; for some people that’s a treasure chest of information. Every company has information that is of value. It only takes a criminal mind to make money out of it,” said Christiaan Beek, lead scientist and senior principal engineer at Trellix in the Netherlands.

Disgruntled employees can be tempted to leak data for money or in some cases simply because they disagree with their employers’ ethos or business strategy.

“If you combine that with the cryptocurrency exchanges where you can actually launder that money without being traced, that could be interesting for some people. We have seen posts in underground forums where ransomware groups are offering, ‘hey, if you provide us access to your company and they pay for the ransomware, you get a certain percentage guaranteed in your bank account’,” Beek said.

Companies and financial institutions should monitor IT staff carefully and make them part of their cyber-risk assessment, Beek said.

At least three recent insider dealing cases involved IT staff or consultants stealing confidential information from their employers or other sources, according to the AMF report. That tally included the 2019 conviction of an Australian IT consultant who hacked confidential information from a financial information provider and then traded on 70 different occasions in 52 different stocks.

“The IT people in your company have the keys to the kingdom. Is that also part of your risk assessment? Are you checking what they have access to? It’s those questions that I think are normal for risk assessment to ask. And then I’m not sure, to be honest, if everybody’s aware of that,” Beek said.

IT and financial expertise characterise Russian case

Some of the five Russian nationals charged by the SEC in the hack-to-trade scheme were IT professionals. The defendants allegedly shared a portion of their profits by funnelling them through a Russian information technology company which one of them had founded and at which two others served as directors. One of the five defendants had ties to the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU); yet another was a hacker known to U.S. intelligence and law enforcement and was already wanted on hacking charges.

The Russian case is white collar crime which involved hacking and also had an element of state-actor sponsorship. Cyber-security specialists are increasingly raising the alarm about joint ventures between state-sponsored hackers and criminal cyber-crime networks. This particular case, however, does not appear to be state-sponsored. It would, however, be tough to pull off without the state turning a blind eye. These individuals might be called upon to do hacking jobs for the state in return, Heinemeyer said.

Cyber criminals usually want to make fast money churning out ransomware attacks, but this case is one of high skill on the hacking side — the hacks went undetected for years — as well as some sophistication on the financial side, Heinemeyer said.

“Turn on the computer” to make money

Between 2018 and 2020, the defendants used 20 different brokerage accounts located in Denmark, the United Kingdom, Cyprus and Portugal to generate profits of at least $82 million, using the stolen information to make trades before more than 500 corporate earnings announcements. They used short selling and contracts-for-difference (CFDs) if a stock was likely to decrease, based on the MNPI, and bought shares if the price was likely to rise, the SEC complaint said.

“In a June 2020 text message exchange, Yermakov [defendant] remarked to Kliushin [defendant], in Russian, that they needed to go to work to make money to buy an apartment. Kliushin responded that there was no need to do that, because they just had to ‘turn on the computer’ to make money, an apparent reference to defendants’ illicit hacking and trading activities,” the SEC complaint said.

The fraudulent activity was only detected once the U.S. filing agents discovered the hacks and alerted the authorities. The SEC was then able to see the fraudulent trading activity and track the defendants.

“Statistical analysis shows that there is a less than one-in-one-trillion chance that the trader defendants’ choice to trade so frequently on earnings events tied to the EDGAR filings of the servicers’ public company clients would occur at random,” the SEC complaint said.

Dark web insider information market

U.S. authorities have brought a few cases against individuals attempting to buy and sell inside information on the dark web. The U.S. Department of Justice and the U.S. Attorney’s Office for the Southern District of New York in 2021 charged a dark web user, Apostolos Trovias, who went by the name “The Bull”, with securities fraud and money laundering stemming from his scheme to solicit and sell stock trading tips and pre-release earnings and deal information regarding public companies.

The SEC secured a conviction against a former SpaceX engineer in 2021 who sought to buy and sell insider information on the dark web and used stolen personal information purchased in dark web marketplaces to open fraudulent accounts to trade.

Dark web trade in MNPI is rife with scammers and thieves, with lots of law enforcement trying to catch them, Heinemeyer said. The quality of the information in these forums is questionable, and any serious trade potentially happens inside encrypted Telegram and Signal groups, he said.

“These are not hot-shot threat actors,” he said.

SEC warns on MNPI

Separately, the SEC warned investment advisers of common deficiencies related to their firms’ ethics codes or the handling of MNPI. A Division of Examinations risk alert published in April said recent examinations have found several areas of deficiencies in ethics codes, and in compliance safeguards surrounding insider trading and the potential misuse of MNPI.

This article was originally published by Thomson Reuters Accelus Regulatory Intelligence on 13 June 2022
