There once existed a time when a crew of skydiving surfers could throw on surprisingly well-crafted ex-president masks, stroll into a cash-heavy bank and rob the institution blind. There was a time when the weapon of choice for a bank robbery was a sawn-off shotgun and an ingenious disguise. There was a time when a handwritten note riddled with grammatical errors was handed over to a shaking bank teller, or power tools and explosives were used to bust open vault doors as a getaway driver idled at the curb waiting for the right moment to disappear in a fog of tire smoke. But that time has faded. That time is over. The ex-presidents are finished, and new, invisible and far more effective crews are moving in and taking over the very old and familiar business model of robbery.
Organized gangs of international hackers have replaced the old tools and techniques of the trade with skills and technology that yield results and efficiencies unimaginable to even the most prolific robbers and thieves of the past era. And by some experts’ accounts, these organizations are just getting started. This is not news though. It is well-known that hackers are so adept at navigating code and circumventing security systems that, with the assistance of only a laptop, an internet connection and likely some Red Bull, Adderall and a few late nights, they are able to access the most sensitive data on the most sensitive servers. Amongst many other companies, Adobe, Zappos and AshleyMadison.com have all been hacked. Even the United States Office of Personnel Management suffered the largest breach of government data in history this year. And now, increasingly, the financial securities industry needs to be worried.
This week, the Securities and Exchange Commission (SEC) announced in a press release that Ukraine-based Jaspen Capital Partners Limited and CEO Andriy Supranonok have agreed to pay $30 million to settle allegations that they made massive financial gains from trading on non-public corporate news releases that were hacked and stolen from newswire services. It appears now that the glory days of receiving stock tips while enjoying a 25-year-old scotch at a rooftop party in Manhattan have diminished in favor of those traders obtaining their tips from the murky labyrinth of the hacking world.
The SEC laid down charges last month against 34 defendants who allegedly took part in a scheme in which two hackers residing in Ukraine covertly hacked into U.S. and Canadian newswire services. According to the SEC’s complaint (filed in the U.S. District Court for the District of New Jersey), the hackers made out like bandits and gained access to more than 100,000 press releases for publicly traded companies before they were issued to the public. The releases contained quarterly earnings data and other important financial information for a given issuer. The SEC alleges that the hackers used a variety of deceptive tools to hack the newswire services, including using stolen username/password information of authorized users, deploying malicious code to erase any traces of the hacks, concealing the identity and location of the computers that were used to conduct the hacks, and employing backdoor access modules to computer systems.
The hackers then worked seamlessly with a global network of traders spanning France, Russia, Ukraine, Malta, Cyprus and the U.S., a network that also included Jaspen and Supranonok. Those diplomacy skills were likely assisted by huge financial gain, as the traders would pay the hackers for the stolen information either under a flat-fee arrangement or as a percentage of the profits that they gained from the illegal trading on the data. The network of traders placed trades on the stocks in the short window of time before the press release actually went public and collectively realized over $100 million in illegal profits.
The press release from the SEC states that Jaspen and Supranonok alone made approximately $25 million buying and selling financial instruments known as contracts-for-differences (CFDs) on the basis of the hacked data stolen from two newswire services between 2010 and 2014, and from a third newswire service in 2015. Without admitting any wrongdoing, Jaspen and Supranonok agreed to settle the SEC’s charges for $30 million (pending court approval).
The Tor network, DDoS attacks, DNS poisoning, black hats, packet sniffers, injection attacks — if any of these terms or concepts seems unfamiliar and foreign, it might be time to stop watching classic ‘90s bank robbery movies and start getting in the game. Old-school safe crackers are in declining demand, digital-age hackers are the rage, and your business needs to be prepared.