Nine individuals spanning the United States and Ukraine were charged on Tuesday for making $30 million by hacking into business newswire services, reading corporate press releases prior to their release and then selling that information to get ahead on Wall Street.
Federal law enforcement said their take down was the largest scheme of its kind to ever prosecute individuals. The U.S. Securities and Exchange Commission believe the scope of the attack extends beyond the nine, bringing civil charges against an additional 23 people believed to be involved in the profit-driven hacking.
Criminal charges the nine hackers face was released in two indictments that were unsealed in New Jersey and New York City.
The cybercriminals devised a group consisting of two individuals who were described as Ukrainian computer hackers, six stock traders (5 of which were US-based), alongside one U.S. real estate developer. All nine hackers charged face offenses including securities fraud, computer fraud and conspiracy to commit money laundering.
According to prosecutors, back in 2010 the hackers gained initial access to news releases that were issued by PR agencies including Marketwired, PR Newswire and Business Wire, all US-based firms. The news releases hackers stole contained business earnings among a swath of information regarding several other companies.
The six traders on their hacking team would then use the information to make trades prior to the news becoming public, exploiting a time gap that could range anywhere from a few hours to a three days, prosecutors said.
“This is the story of a traditional securities fraud scheme with a twist one that employed a contemporary approach to a conventional crime,” said Diego Rodriguez, head of the Federal Bureau of Investigation’s (FBI) New York Office.
Of the nine, five individuals were arrested Tuesday while warrants for the other four Ukrainians were just issued.
Continuing on, hackers would then cash out based on how much the traders made, prosecutors claimed. The group was also alleged to have created several how-to videos on gaining unauthorized access to press releases stored on websites and servers.
One of the firms affected, Business Wire said the company has hired an outside cybersecurity firm to test the security of their systems. Marketwired and PR Newswire on the other hand have not yet responded to the alleged breach, the Guardian reported.
According to the indictment, the group made more than $600,000 by trading the stock of Peoria, Illinois-based Caterpillar Inc. in 2011 using a release they had stolen that reported the company’s third-quarter profits had climbed 27%.
Again, the group made another $1.4 million trading the stock of Align Technology, the San Jose, California-based company by stealing a copy of a press release prior to its publication, where the report stated annual revenue was up more than 20%.
The hackers allegedly had access to some 150,000 press releases during their three year span, which included corporate deals, earnings and information that could help predict stock market moves.
Information stolen was then forwarded to US associates, who allegedly used the data to make purchases and sales on dozens of companies including Panera Bread Co., Oracle Corp., Boeing Co., Caterpillar Inc., and Hewlett-Packard Co. The money obtained was then transferred to an offshore Estonian bank account. The hackers are said to have cashed out on more than $30 million during their three year run.