Ukrainian hacker admits hacks of MarketWired, PRN, and Business Wire press releases for securities fraud scheme
A Ukrainian hacker today admitted his role in an international scheme to hack into three business newswires, steal yet-to-be published press releases containing non-public financial information, and use the information to make trades that allegedly generated approximately $30 million in illegal profits, U.S. Attorney Paul J. Fishman announced.
Vadym Iermolovych, 28, of Kiev, Ukraine, pleaded guilty before U.S. District Judge Madeline Cox Arleo to a three-count information charging him with conspiracy to commit wire fraud, conspiracy to commit computer hacking, and aggravated identity theft.
Iermolovych was arrested on Nov. 12, 2014 in connection with other charges related to computer hacking and credit card fraud. Today’s guilty plea marks the first conviction of one of the hackers responsible for breaching the networks of Marketwired L.P. (Marketwired), PR Newswire Association LLC (PRN), and Business Wire (collectively, the “Victim Newswires”), and stealing press releases containing confidential nonpublic financial information relating to hundreds of companies traded on the NASDAQ and NYSE.
According to documents filed in this case and statements made in court:
At today’s plea hearing, Iermolovych admitted that he was personally involved in the hacks into the Victim Newswires. He admitted to hacking into PRN’s network between January 2013 and March 2013. He also admitted that he obtained a set of user credentials of PRN employees stolen from a computer hack into a social networking website and then used at least one of those credentials to ultimately gain access into PRN’s computer network. Iermolovych also admitted that he sold press releases stolen from the network intrusion into Marketwired, and purchased access into Business Wire’s network, all in furtherance of a larger conspiracy to profit from the stolen draft press releases.
Five other members of the conspiracy – two computer hackers and three securities traders – were charged by federal indictment brought by the District of New Jersey (DNJ). The related 23-count DNJ indictment charged Ivan Turchynov, 28, Oleksandr Ieremenko, 24, and Pavel Dubovoy, 33, all of Ukraine, Arkadiy Dubovoy, 51, and Igor Dubovoy, 29, of Alpharetta, Georgia. Arkadiy Dubovoy and Igor Dubovoy both pleaded guilty to the wire fraud conspiracy charged in Count One of the DNJ indictment on Feb. 18, 2016 and Jan. 20, 2016, respectively.
The Eastern District of New York (EDNY), in a related indictment, charged four securities traders: Vitaly Korchevsky, 50, of Glen Mills, Pennsylvania, Vladislav Khalupsky, 45, of Brooklyn, New York and Odessa, Ukraine, Leonid Momotok, 48, of Suwanee, Georgia, and Alexander Garkusha, 48, of Cummings and Alpharetta, Georgia. Garkusha pleaded guilty to the wire fraud conspiracy charged in Count One of the EDNY indictment on Dec. 21, 2015.
As alleged in the indictments, between February 2010 and August 2015, computer hackers based in Ukraine, gained unauthorized access into the computer networks of Marketwired L.P. (Marketwired), PR Newswire Association LLC (PRN), and Business Wire. They used a series of targeted cyber-attacks, including “phishing” attacks and SQL injection attacks, to gain access to the computer networks. The hackers moved through the computer networks and stole press releases about upcoming announcements by public companies concerning earnings, gross margins, revenues, and other confidential and material information.
The hackers shared the stolen releases with the traders using overseas computer servers that they controlled. In a series of emails, the hackers even shared “instructions” on how to access and use the overseas server where they shared the stolen releases with the traders, and the access credentials and instructions were distributed amongst the traders. In an email, which was sent by one of the traders, the instructions for accessing the overseas server suggested that users conceal their Internet Protocol address when accessing the server as a precaution to avoid detection. The traders created “shopping lists” or “wish lists” for the hackers listing desired upcoming press releases for publicly traded companies from Marketwired and PRN. Trading data obtained over the course of the investigation showed that, after the shopping list was sent, the traders and others traded ahead of several of the press releases listed on it.
The traders generally traded ahead of the public distribution of the stolen releases, and their trading activities shadowed the hackers’ capabilities to exfiltrate stolen press releases. In order to execute their trades before the releases were made public, the traders sometimes had to execute trades in extremely short windows of time between when the hackers illegally accessed and shared the releases and when the press releases were disseminated to the public by the newswires, usually shortly after the close of the markets. Frequently, all of this activity occurred on the same day. Thus, the trading data often showed a flurry of trading activity around a stolen press release just prior to its public release.
The traders traded on stolen press releases containing material nonpublic information about the following publicly traded companies that included, among hundreds of others: Align Technology Inc., Caterpillar Inc., Hewlett Packard, Home Depot, Panera Bread Co., and Verisign Inc.
The traders paid the hackers for access to the overseas servers based, in part, on a percentage of the money the traders made from their illegal trading activities. The hackers and traders used foreign shell companies to share in the illegal trading profits.
The conspiracy to commit wire fraud charge is punishable by a potential penalty of 20 years in prison and a $250,000 fine, or twice the gross gain or loss from the offense. The conspiracy to commit fraud and related activity in connection with computers carries a potential penalty of five years in prison and a $250,000 fine, or twice the gross gain or loss from the offense. The aggravated identity theft charge carries a mandatory penalty of two years in prison consecutive to any sentence received in connection with the other two counts. Iermolovych’s sentencing is scheduled for Aug. 22, 2016.
U.S. Attorney Fishman credited the special agents of the U.S. Secret Service, Criminal Investigations Division, under the direction of Director Joseph P. Clancy, and special agents from the Newark Field Office, under the direction of Acting Special Agent in Charge Jeffrey Wood, with the ongoing investigation leading to today’s plea.
The government is represented by Assistant U.S. Attorneys Andrew S. Pak and Daniel Shapiro of the Economic Crimes Unit, Computer Hacking & Intellectual Property Section, David M. Eskew, Deputy Chief of the General Crimes Unit, Assistant U.S. Attorney Svetlana M. Eisenberg of the General Crimes Unit, and Assistant U.S. Attorney Sarah Devlin of the Asset Forfeiture and Money Laundering Unit.
Defense counsel: K. Anthony Thomas, Esq.
SOURCE: U.S. Attorney’s Office, District of New Jersey