Why Not Insider Trade on Every Company?

The tale of some Ukrainian hackers re-enchanted the financial world for me.

So one way to insider trade is, you work at a bank, and you advise on mergers, and before a merger happens you meet a guy and write the name of the target on a napkin, and the guy reads the napkin, and then he eats it, and then he buys stock in the target, and he makes money, and then you meet in a parking lot and he hands you a bag of cash representing your cut of his profits. 1 There are a lot of variations, many involving golf, but that's the basic structure. You get your news one piece at a time, from a place where you work, and then you pass it on to someone who doesn't work there to cover your tracks. 

That is pretty laborious. If you are an insider at a company, you can only really insider trade in your company, and the companies it is thinking of buying. If you work at a bank or law firm or financial printer, you have more opportunities, but you are still somewhat constrained. 2 This seems to drive a lot of the demand for leverage in insider trading: It's risky, and you only get a handful of opportunities, so you have to make sure that they pay off big. So instead of buying stock in the merger target for a 20 percent return, you buy short-dated out-of-the-money call options on the target and make a 1,000 percent return. And then you get caught, because the Securities and Exchange Commission knows to look at the options.

Today's big hacker insider trading charges are utterly amazing. Here are the news release and criminal complaint from New Jersey federal prosecutors, the Brooklyn federal criminal complaint, and the SEC news release and civil complaint. The gist is that some guys in Ukraine allegedly hacked into the servers of the big newswire companies (Marketwired, PR Newswire and Business Wire) and stole press releases, and then gave them to some other people to trade on. That right there: That is the way to do it! Why limit yourself to the inside information of one company, or even to the clients of one bank or law firm? If you can see the newswires before they're published, you have all the inside information. "The defendants allegedly stole approximately 150,000 confidential press releases from the servers of the newswire companies," say prosecutors. "These hackers and traders are charged with reaping more than $100 million in illicit profits," says the SEC. One hundred fifty thousand press releases! One hundred million dollars! Imagine how long it would take to get that much inside information on the golf course.

But that's just, like, good insider trading. Don't get me wrong, I appreciate good insider trading, and this was some very good insider trading. But what I really love about this case is how it re-enchants the financial world. There I was, thinking that the financial system more or less made sense, that it could be explained by the voluntary acts of rational actors, that most market participants were basically honest hardworking people and their algorithms, and that criminality was a relatively minor exception. Like everyone, I was aware of various conspiracy theories about shadowy forces controlling the market, but I did not give them much credence. Occam and Hayek and the rest all provided reasons to doubt a massive overarching conspiracy.

And then today I learned that a shadowy foreign syndicate had access to basically every piece of corporate news before it was made public! (Allegedly! But, you know, according to the U.S. government.) And that it ran, like, a parallel criminal financial system with it. The hackers didn't trade. Instead, they allegedly sold the information to traders, in exchange for a cut of the profits. They ran this like a business. They provided customer support: The hackers allegedly set up servers for their customers to access their information, and "created a video tutorial on how to access and use one of the servers they used to share the Stolen Releases." 3  They responded to customer feedback: The traders would send a "shopping list of desired upcoming press releases for publicly traded companies," and the hackers would then go get those press releases. 4  They got paid through wire transfers to offshore bank accounts of shell companies. 5  Their fees were performance-based, and the performance was audited:

At times, the hacker defendants received a flat fee and, at other times, a percentage of the profits obtained from trading on the material nonpublic information stolen by the hacker defendants. The hacker defendants ensured they were receiving the agreed-upon percentage by monitoring the trader defendants' trading, either through reports from the traders or direct access to the accounts used to make unlawful trades. 6

It's all very ... professional. Or I mean, some of it is sort of professional. I enjoyed this story about two of the accused traders:

On or about that same date, defendant PAVEL DUBOVOY sent an email in Russian to an email address associated with defendant ARKADIY DUBOVOY itemizing sums of money received and spent between on or about January 27, 2012 and on or about February 3, 2012. The email specifically listed a $95,000 payment to Shell Company #2 next to the word "guys" written in parentheses. 7

You gotta itemize your expenses. But you can itemize your payments to your criminal conspirators as just "guys."

The size and professionalization of the business, though, shouldn't be confused with sophistication. There are some signs that these guys actually weren't all that sophisticated. For one thing, the traders seem to have gotten caught in the usual way. "The investigation began when prosecutors in Brooklyn and the FBI received a referral from the SEC about a pattern of suspicious trading by some of the defendants," reports Bloomberg, and the suspicious trading seems to have involved, you guessed it, trading in options just before the press releases came out. 8 I understand that they only had the press releases for a short time before they were public, but still, they could get all the press releases they wanted. Why buy tons of options, tip off the SEC and kill the golden goose?

Also pleasingly unsophisticated: Prosecutors claim that one of the trader defendants received, and shared with his co-conspirators, an e-mail pitch for a "special daytrading strategy" involving spoofing. 9  Why would that be appealing? We've talked before about how spoofing seems like a dumb and risky way to commit fraud. But, you know, it works, some of the time, so it's got that going for it. If you want to commit securities fraud, sure, go ahead, spoof. Unless you have perfect foreknowledge of the financial results of hundreds of companies! Then maybe stick to insider trading. 10  The fact that these traders even considered spoofing -- and there's no suggestion that their consideration got very far -- suggests that they were not seasoned market pros who knew how incredibly good they had it. They were just, you know, guys. 

The other place where the hackers may not have been that sophisticated was in the actual hacking. The hackers "gained unauthorized access to press releases on the networks of Marketwired using a series of SQL Injection Attacks." 11  They gained access to Business Wire after "the login credentials of approximately fifteen Business Wire employees had been 'bruted.'" 12  I do not myself claim to be a sophisticated computer hacker. But here's how prosecutors describe bruting:

"Brute Force Attacks" or "bruting" referred to decrypting data by running programs that systematically checked all possible passwords until the correct password was revealed. 13

So I mean ... that's pretty easy? Slow and boring, but easy? Like, I could probably write a program to do that? I might have a tougher time developing an SQL injection attack, but conveniently in five seconds of Googling I found this "SQL Injection Tutorial for Beginners," which seems quite helpful, even for beginners. The idea seems to be that many websites are linked up to Structured Query Language databases, and that some of those websites have such lax security that they let web users access the underlying databases. So you go to a press-release website, use it to access the associated press-release database, and search for the press releases that aren't yet on the website. "This vulnerability can be found when user input is incorrectly filtered for string literal escape characters embedded in SQL statements," says my tutorial.
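Here, as an added illustration that is not from the column or the court filings, is what the tutorial's "incorrectly filtered string literal escape characters" looks like in working code. It uses Python's built-in sqlite3 module against a constructed four-row press-release table (the tickers and titles are made up; the newswires' real systems and queries are unknown and not assumed here). One search function builds the query by pasting the user's text into the SQL; the other binds it as a parameter.

```python
import sqlite3

# Constructed sample data (not from the complaints): a newswire's
# press-release table.  published = 0 means the client has uploaded the
# release but it is still under embargo, i.e. exactly what a trader wants.
RELEASES = [
    (1, "AAAA", "AAAA reports Q2 results", 1),
    (2, "BBBB", "BBBB announces CEO change", 1),
    (3, "AAAA", "AAAA to be acquired by BBBB", 0),   # embargoed
    (4, "CCCC", "CCCC misses Q2 estimates", 0),      # embargoed
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE releases (id INTEGER PRIMARY KEY, ticker TEXT, "
        "title TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO releases VALUES (?, ?, ?, ?)", RELEASES)
    conn.commit()
    return conn


def search_vulnerable(conn, ticker):
    """Public search box the way the tutorial describes it: the user's text
    is spliced straight into the SQL, so a quote character closes the
    string literal and whatever follows becomes part of the query."""
    sql = (
        "SELECT id, ticker, title FROM releases "
        "WHERE published = 1 AND ticker = '" + ticker + "'"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn, ticker):
    """Same query with a bound parameter: the driver passes the user's text
    to the database as data, so it cannot change the shape of the statement."""
    sql = (
        "SELECT id, ticker, title FROM releases "
        "WHERE published = 1 AND ticker = ?"
    )
    return conn.execute(sql, (ticker,)).fetchall()


# Attacker's search term.  Inside the vulnerable query it produces
#   ... WHERE published = 1 AND ticker = '' OR published = 0 --'
# AND binds tighter than OR, so the OR branch selects every embargoed row,
# and "--" turns the dangling closing quote into a comment.
PAYLOAD = "' OR published = 0 --"


def demo():
    """Return (honest result, what the injection leaks, what the
    parameterized query returns for the same input)."""
    conn = make_db()
    honest = search_vulnerable(conn, "AAAA")
    leaked = search_vulnerable(conn, PAYLOAD)
    blocked = search_safe(conn, PAYLOAD)
    return honest, leaked, blocked


if __name__ == "__main__":
    honest, leaked, blocked = demo()
    print("honest search for AAAA:   ", honest)
    print("injected, concatenated SQL:", leaked)
    print("injected, bound parameter: ", blocked)
```

Running the file prints the three result sets: the honest search returns the one public AAAA release, the injected search against the concatenated query returns both embargoed releases and nothing else, and the same input against the parameterized query returns nothing, because no ticker is literally named `' OR published = 0 --`. The fix is not really "filtering" quote characters out of the input; it is keeping data and query apart by binding parameters, ideally alongside a database account for the public site that is not allowed to read embargoed rows in the first place.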

These are solvable problems! 14  Don't paste what a web user types into an SQL query; hand it to the database as a parameter instead. Make your employees use two-factor authentication to log into the press-release database, and lock an account after a handful of bad guesses, so that "bruting" fifteen logins is not an option. Why didn't that happen? I don't know. Part of it is just, like, this started in 2010, maybe people didn't fully understand the problems back then. I'm pretty sure they're getting better now. 15  

But I feel like part of it has to be that the people in charge of those databases, like me until today, had a disenchanted view of the financial world. These systems didn't hold the nuclear launch codes. They held press releases -- documents that, by definition, would be released publicly within a few days at most. Speed, convenience and reliability were what mattered, not top-notch security. How important could it be to keep press releases secure? What were the odds that a crack team of criminals would be downloading tens of thousands of press releases before they became public, in order to sell them to further teams of criminals who would trade on them? It just sounds so crazy. You'd have to be paranoid to even think of it. But -- allegedly! -- it's exactly what happened.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

  1. This description is a composite, though the napkins come from this case and the bags of cash from this one (among others).

  2. There is a theory of insider trading where you work at a hedge fund and spend all day soliciting corporate insiders at many companies for tips, which frankly also seems laborious. But even where the hedge funders are charged, they're accused of having one or two or a handful of tipsters; it's still pretty limited.

  3. Paragraph 66 of the District of New Jersey complaint.

  4. That's from paragraph 73 of the New Jersey complaint. It is not clear how perfectly the hackers filled the shopping list, though "the Trader Defendants and their co-conspirators traded ahead of several of the press releases referred to in the list."

  5. See, e.g., paragraphs 103-109 of the New Jersey complaint.

  6. Paragraph 81 of the SEC complaint. Paragraph 82 goes on:

    For example, on July 20, 2011, the Dubovoy Group provided the hacker defendants account information and login credentials to one of the trading accounts in the name of Arkadiy Dubovoy. This allowed the hacker defendants to monitor the trading in this account to determine the compensation owed for certain trades.

  7. Paragraph 108 of the New Jersey complaint.

  8. E.g. paragraph 42 of the Brooklyn complaint:

    For example, on August 3, 2011, the DNDN press release was uploaded on PR Newswire at approximately 3:34 PM and issued to the public less than thirty minutes later at approximately 4:01 PM. Within this twenty-seven minute window, beginning at approximately 3:56 PM, the defendant VITALY KORCHEVSKY bought 1,100 put options of DNDN. The next day, KORCHEVSKY sold all 1,100 put options for a profit of more than $2.3 million.

  9. Paragraph 110 of the New Jersey complaint:

    During the course of the scheme described herein, the Trader Defendants also explored additional opportunities to commit securities fraud. For example, on or about January 19, 2013, defendant PAVEL DUBOVOY received an email from another individual, which email was subsequently shared with defendant ARKADIY DUBOVOY and CC-2. The email described a "proprietary trading business" that involved a "special daytrading strategy[.]" The email further stated that the "strategy ... never los[t] money in the twelve months of 2012[.]" The email offered a description of the "trading strategy," and referred to an attached video showing the "strategy" in action. The email and video essentially described a fraudulent securities trading practice known as "layering" or "spoofing," pursuant to which traders placed non-bona fide orders to buy or sell securities and then quickly canceled those orders before they were executed in order to trick others to execute against them. If successful, traders engaged in such schemes could artificially move the price of securities up or down and profit from the artificial price movements through trades they placed in other accounts they controlled. 

  10. All of this paragraph is extra super not legal advice. 

  11. Paragraph 40 of the New Jersey complaint.

  12. Paragraph 58 of the New Jersey complaint.

  13. Paragraph 23 of the New Jersey complaint.

  14. To be fair, the hackers allegedly used other hacking techniques, including phishing and malware installations, that may (or may not) have been more sophisticated.

  15. From Bloomberg:

    Business Wire said Tuesday in an e-mailed statement that it has been cooperating with the Justice Department and has hired a cybersecurity firm to “conduct additional forensic testing of its systems, and to provide assurance that Business Wire’s network is fully operational and secure.”

To contact the author on this story:
Matt Levine at mlevine51@bloomberg.net

To contact the editor on this story:
Zara Kessler at zkessler@bloomberg.net
