DOJ and SEC Announce Charges Connected to Hack of SEC’s EDGAR System


Posted on January 22, 2019, by Peter Baldwin and James G. Lundy in Cybersecurity, DOJ, SEC. Comments Off on DOJ and SEC Announce Charges Connected to Hack of SEC’s EDGAR System

Last week, the Department of Justice (“DOJ”) and the Securities & Exchange Commission (“SEC”) announced charges connected to a large-scale, international conspiracy to hack into the SEC’s Electronic Data Gathering, Analysis and Retrieval (“EDGAR”) system and profit by trading on stolen material, non-public information. The conduct underlying these cases was one of the principal reasons that the SEC created its Division of Enforcement “Cyber Unit” to target cyber-related securities fraud violations.

In a 16-count indictment unsealed in the United States District Court for the District of New Jersey, two Ukrainian citizens, Artem Radchenko and Oleksander Ieremenko, were charged with securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud, and computer fraud. The SEC’s complaint charged nine defendants – Ieremenko, six traders in California, Ukraine, and Russian, and two entities – with antifraud violations of the federal securities laws.

The charging documents allege that Ieremenko and Radchenko hacked into the EDGAR system and stole thousands of files, including annual and quarterly earnings reports containing non-public financial information. The defendants gained access to the SEC’s networks by using a series of targeted cyberattacks, including directory traversal attacks, phishing attacks, and infecting computers with malware. The defendants extracted thousands of filings from the EDGAR system to a server they controlled in Lithuania. The defendants then profited by selling access to the stolen, confidential information and by trading on the stolen information prior to its distribution to the public. In total, the defendants and their co-conspirators are alleged to have traded before at least 157 separate earnings releases, and they generated over $4 million in illegal proceeds.

Some of the individuals charged in these cases were previously charged in connection with a similar scheme to hack into the computer systems of multiple newswire organizations and steal press releases containing financial information that had not yet been released to the public. Several of the same methods used to hack the newswire organizations were also employed to hack the EDGAR system.

The criminal and civil charges in these cases are a reminder that both DOJ and the SEC have prioritized combatting cybercrime and, in particular, network intrusions. They also serve as a stark reminder that any organization, even a U.S. government agency, can be targeted and victimized by cybercriminals. Companies and firms would be wise to examine the techniques used by the defendants in these cases and ensure that their own cyber defenses are sufficient to protect against and thwart similar attacks. For additional guidance, companies and firms can look to SEC guidance and actions issued since the creation of the SEC’s Cyber Unit.





Comments are closed.



From the Blog:

CFTC Divisions Publish Inaugural Exam Priorities

In an effort to increase awareness and attention by regulated entities, the CFTC’s divisions of Market Oversight (DMO), Swap Dealer & Intermediary Oversight (DSIO), and Clearing...

Good Disclosure of Bad Internal Controls Is Not Enough

On January 29, the SEC announced settled charges with four public companies for failing to maintain adequate internal control over financial reporting (ICFR). According...

Alert: FINRA’s 529 Plan Share Class Initiative to Self-Report

On January 28, 2019, FINRA released its Regulatory Notice 19-04 announcing its 529 plan self-reporting initiative. This initiative is part of FINRA efforts to...