Naked Security Naked Security

What are 150,000 stolen press releases worth? About 20 years in prison

What's a press release worth? Rather a lot if you steal them before they go public and help people trade on the secrets you've uncovered...

Press releases. A dime a dozen, right? What could be more worthless? Unless you break into the systems where they’re being staged for release, steal them before they go public, and then help people trade on the secrets you’ve uncovered.

Then, you can make millions. Until, like Vadym Iermolovych and his nine aliases, you get caught.

After that, you plead guilty to aggravated identity theft, and conspiracy to commit wire fraud and computer hacking. Then, you wait until August for your potentially stiff sentence: up to 20 years for wire fraud and a mandatory two years on top for conviction on those identity theft charges.

According to US Attorney Paul J. Fishman, Iermolovych and his fellow Ukrainian computer hackers spent five years hacking into the leading business newswires Marketwired, PRN, and Business Wire.

They scoured not-yet-published releases for earnings, gross margins, revenues, and other confidential information. Trades based on this stolen data allegedly generated some $30 million in illegal profits.

In the government’s recounting, Iermolovych admitted personally hacking into PRN’s network, gaining access via PRN employee user credentials stolen from a hack into a social networking website.

He also admitted selling stolen releases and purchasing illegal access into Business Wire’s network as part of a larger conspiracy to profit from these secrets.

In connection with this case, the federal District of New Jersey (DNJ) also indicted two additional hackers and three traders: Ivan Turchynov, Oleksandr Ieremenko, and Pavel Dubovoy of Ukraine, and Arkadiy Dubovoy and Igor Dubovoy of Alpharetta, Georgia (US). Two more conspirators, Arkadiy Dubovoy and Igor Dubovoy, pleaded guilty earlier this year.

Across the river in New York, the feds charged four more traders: Vitaly Korchevsky, Vladislav Khalupsky, Leonid Momotok and Alexander Garkusha – who also pleaded guilty to wire fraud in this case last December.

The government offered a detailed description of how hackers gained access through targeted phishing, malware, and SQL injection attacks; and shared stolen releases with traders via overseas computer servers, complete with guidance on concealment…

The traders created “shopping lists” or “wish lists” for the hackers listing desired upcoming press releases for publicly traded companies… [T]heir trading activities shadowed the hackers’ capabilities to exfiltrate stolen press releases… trading data often showed a flurry of trading activity around a stolen press release just prior to its public release.

Firms whose stock prices were manipulated included Caterpillar, HP, Home Depot, Panera Bread Co., and Verisign. The traders’ and hackers’ compensation scheme allegedly called for payments to reflect a percentage of profits, transferred via foreign shell companies.

Iermolovych and his cronies evidently stole more than 150,000 press releases during their five-year crime wave. But they missed one: the one that details his guilty plea.