Naked Security

Hackers break into newswire services, trade on what they find

Some financially-motivated hackers go straight for the money. Others, however, take a more circuitous route, going after information that they can use for profit. That’s what criminals convicted this week did until they were caught in 2015, earning millions in ill-gotten gains in the process.
Former hedge fund manager Vitaly Korchevsky and securities trader Vladislav Khalupsky were convicted in federal court this week. They took part in a five-year fraud that saw them trade on the information in illegally-accessed press releases.
The pair worked with hackers to break into newswire services in New York and Toronto. The hackers would then access embargoed press releases and quarterly earnings releases before the public got to see them.

A sneak peek

These releases often generate significant movements in the companies’ stock price because they give the market a chance to measure their performance against its expectations. If a company has earned less than the market expects, shares can drop, and vice versa.
The companies writing these releases typically upload them to news services ahead of time so that they are ready to publish. The duo was part of a criminal enterprise that hacked into the news services to get the information ahead of everyone else and trade on it.
A collection of hackers based in Ukraine collaborated with traders in the US to execute the scam. The hackers gained access to the newswire press releases, stealing over 100,000 of them before they were publicly issued.
Hacking techniques included stealing the login credentials of legitimate users, and installing malware to secure further access and cover their tracks.
The hackers would forward the press releases to the traders. The traders would then action trades via multiple brokerage firms, using several entities and individuals’ names to try and obfuscate what they were doing.

Inside an international press release-stealing ring

Court documents filed in 2015 (and provided here courtesy of The Register) give some more detail on the scam. Between 2011 and 2014, a group of traders organized by Arkadiy Dubovoy, based in Alpharetta, Georgia, used this information to make more than 1,400 trades, leading to a profit of more than $31m.
The traders maximised their trading power by using options, which enabled them to use leverage and make more money. Another group of foreign trading entities, with close links to Dubovoy’s group, made 804 trades overall, for a total profit of $45.1m.
In one 2011 example, the traders purchased stock in the firm Caterpillar in the window between the company uploading its Q3 earnings to a news service and the public announcement. When the earnings were revealed, stock in the company rose $4.38. The Dubovoy group and the foreign trading entities pocketed $724,000 in profits.
The traders also profited $513,000 from stock in food manufacturer TreeHouse, $511,000 in network equipment company Brocade, $1.37m in VMware, and $1.09m in RadioShack, among others.
The hackers procuring these releases received either a flat fee or a cut of the profits, which they would evaluate by monitoring the traders’ accounts. The traders often told the hackers which press releases to get.
Khalupsky, who had split his time between New York and Ukraine, helped the Dubovoy group set up its offshore accounts, and helped wire money for them. Korchevsky worked with him, and made over 600 illegal trades, profiting around $17.5m. Sentences could amount to 20 years, according to the DoJ.

Milliseconds matter

Trading on information accessed before everyone else is known as ‘front running’, and it is a relative of insider trading. It’s something that the government and financial markets are understandably nervous about.
In 2016, hackers gained access to a test system that enabled companies to practice submitting corporate filings to the SEC’s EDGAR database. The SEC subsequently said that the hack “may have provided the basis for illicit gain through trading.”
While some criminals work with windows ranging from minutes to hours, those windows are getting narrower.
In 2013, gold futures rocketed in a 30-second window after the Federal Reserve announced that it wouldn’t rein back on its quantitative easing policy. Someone traded on that information for a huge profit exactly as the information dropped at 2 PM Eastern time.
Once released, information from the Federal Reserve takes 7 milliseconds to reach Chicago, where futures are traded. The trades happened before the news arrived there. Thanks to low-latency flash trading, this seemingly tiny time difference is significant, and it raised eyebrows at Chicago-based research firm Nanex. The company concluded that someone had access to the information beforehand and programmed their trades in advance.
Another potentially weak point is the lockup room system used to secure information before it is released at government agencies like the Department of Labor. These lockup rooms are closely guarded to ensure that information doesn’t leak ahead of time and give some people a front-running opportunity.
In 2012, after a five-year investigation, officials pulled the credentials of some news agencies and recommended that the Department replace the computer equipment in the lockup room. Quartz has a great story about vulnerabilities in the US systems for keeping financial data secret and then distributing it at the right time.
All of which goes to show that knowledge is power. And these days, when gaining access to it, every millisecond counts.
