Darknet Diaries - 123: Newswires
Episode Date: September 6, 2022

Investing in the stock market can be very profitable. Especially if you can see into the future. This is a story of how a group of traders and hackers got together to figure out a way to see ...into the future and make a lot of money from that.

Sponsors

Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.

Support for this show comes from Juniper Networks. Juniper Networks is dedicated to simplifying network operations and driving superior experiences for end users. Visit juniper.net/darknet to learn more about how Juniper's Zero Trust Data Center provides uncompromising visibility across all your data center environments. Visit juniper.net/darknet to learn more.
Transcript
the stock market.
This is where you can go buy part of a company
and hope the value of that company goes up
so your part is worth more.
But it's a big risk.
Predicting the future is hard.
Even the most educated and well-researched people
who spend their whole life focusing on finance
get it wrong a large part of the time.
Some think they have it all figured out, though.
Like Gordon Gekko in the 1987 film Wall Street.
Here's a clip from the film.
Public's out there throwing darts at a board, sport.
I don't throw darts at a board.
I bet on sure things.
Read Sun Tzu, The Art of War.
Every battle is won before it's ever fought.
Think about it.
You're not as smart as I thought you were, buddy boy.
You wonder why fund managers can't beat the S&P 500?
Because they're sheep.
And sheep get slaughtered.
So what was Gordon Gekko's secret
so that his stock bets were a sure thing?
Well, he was investing using insider information,
information that wasn't yet
available to the public. Knowing what a company is about to do or announce gave him a big edge
that made him a lot of money.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless. And it's not a fair fight. But I realized I don't need to be fighting this
alone anymore. Now I use the help of Delete.me. Delete.me is a subscription service that finds
and removes personal information from hundreds of data brokers websites and continuously works
to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is
no longer theirs to sell.
I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for Darknet Diaries listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries
and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries.
Use code darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher.
And he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find
links to their webcasts to get some world-class training. That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
Insider trading is an age-old concept. It's been going on for years, and it's the bugbear of the market: traders using financial data or corporate secrets obtained by deceptive or illegal means. Yeah, that gives them
a distinct unfair advantage over other traders. But that's exactly the problem. It's not a fair
way to trade, and it undermines the entire stock market system, as Gordon Gekko famously said in
the film Wall Street. The most valuable commodity I know of is information. Wouldn't you agree?
What stock market traders aim to do is predict the future. If they can buy a stock that goes
up in value, they will make money, sometimes a lot of money. But that's the hard part,
predicting the future. So forecasts of a company's profits, sales, overheads, analysts,
reports, or market shares,
these could all be indicators of what may happen in the future.
So they're all very important to traders.
And typically, a company will put these numbers together, then publish them publicly for everyone to see.
But sometimes when a company publishes a report, it makes their stock change wildly. So what if you could see what these internal
reports look like before they got published to the public? If you're a stock trader and you've
got some privileged inside information that your fellow traders don't have, well, that puts you
significantly ahead of the game. Think about it. If you knew that company has far exceeded its quarterly growth,
that would likely translate to a rise in the stock price as soon as that information became public.
So if you knew this before everyone else, could you use that to your advantage? Well, hell yeah,
you could. You could buy that stock and wait for the announcement and watch your net worth rise,
then sell it to make a good profit. If you had this sort of advanced information,
it would almost surely mean you could make a fortune in the stock market.
And it works the other way too.
If you know a stock is going to go down,
you can short sell that stock to make a profit if it goes down.
And that works very well.
But if you had access to early information like this
and used it to make a profit, well, that's illegal. Because
trading based on inside information is illegal. If you get insider information, you shouldn't be
able to profit from it. This makes the market fair for everyone. But this doesn't stop people
from trying it. I bet a lot of people would love to get insider information on how a company is performing before the public
knows. But the problem is, how do you get that insider information in the first place? The obvious
answer is an employee inside the company. They might have this information and use it to make
some sort of trade or tell a friend to make a trade. It's non-public information like the company
is about to merge or they've made insane growths or profits, whatever it might be.
The point is they trade on the back of that information,
putting them ahead of the game.
So the insider could try to profit off of what they know.
Or sometimes they could just tell a friend or family member
about something going on in the company
and they take that information and invest in the stock.
A family member could make a bunch of money from a casual thing said during Thanksgiving dinner or something.
Now, an international airport doesn't sound like a great place for an important business meeting.
There are a lot of people and a lot of noise, but I bet there is a lot of business done in airports.
Back in early 2011, Atlanta Airport was the scene of one of these meetings.
Although, to be honest, what we're discussing wasn't exactly legal.
So maybe the airport wasn't the best place to have a meeting like this.
Hartsfield-Jackson Atlanta International Airport is the busiest airport in the world.
It's huge.
I think it has like 100 million people fly through it every year,
which is like 300,000 people a day. Crazy numbers. But the meeting going on there that day in early
2011 was a carefully timed on-the-hop business meeting arranged by a guy named Arkady Dubovoy.
Now, Arkady was a stockbroker from Ukraine. He's part of a big family who was into stocks, big business deals and real estate,
and he basically had a lot of money.
Arkady moved to the U.S. somewhere in the 1990s and was living in the state of Georgia,
according to research by investigative journalist Isobel Koshiw,
who dug deep into the story for The Verge.
Arkady owned an ice cream factory in the city of Odessa in Ukraine,
but he had settled in a home in Alpharetta, Georgia, which is just 34 miles away from the Atlanta airport.
His business partner was Alexander Garkusha.
He was born in Russia, but had lived in the U.S. most of his life and holds a U.S. citizenship.
Now, the two of them, Arkady and Alexander, set up a design and building company in 1997 called APD Developers, Inc.
They registered it in the state of Georgia with the two of them as directors.
They mainly built family homes, and according to records available online,
they were generating revenue of over $1 million a year.
So they were doing okay as real estate developers.
The guy they had arranged to meet at the airport was Vitaly Korchevsky.
He was a hedge fund manager for
Wall Street, and a good one. Vitaly spent most of his time focusing on the stock market and had been
doing that for years and years, so he was pretty experienced when it comes to the stock market.
Vitaly worked for Morgan Stanley as a portfolio manager and at one point was given the title of
vice president. Transport yourself inside an investment bank for a second. After you're an
analyst, you then become an associate. And the next rung up the ladder from that is vice president. And
there are two more after that, senior vice president and managing director. Vitaly was
one of Morgan Stanley's vice presidents. So it's safe to say Vitaly knew what he was doing when it
came to stock investments and trading and managing stock portfolios. He would be in the position to know
how the market would react to certain kinds of information. Vitaly had used his experience to
set up his own hedge fund called NTS Capital Fund LP, based in the city of Glen Mills, where he
lived in Pennsylvania. On his 2012 SEC filing paperwork, it was described as a pooled investment
fund and a hedge fund that would accept minimum investments from outside investors of $500 million, which is quite a big minimum.
Now, Vitaly had a second life outside of his corporate banking on Wall Street.
He was a Slavic evangelist Baptist pastor.
He had his own church in Brookhaven, Pennsylvania, called the Slavic Evangelical
Baptist Church. And he had a congregation loyal to his church, and he was the pastor. He was also
the chairman of the Association of the Slavic Baptist Churches USA, and had been since 2003.
Vitaly, it seemed, was a busy, multifaceted guy that many looked up to for advice and support, both financially and spiritually.
So now you understand more about Arkady, Alexander, and Vitaly, which were the three guys that were
meeting in this Atlanta airport. Vitaly was passing through, waiting for a connecting flight,
so his time was a little limited. Somewhere in amongst the monster airport, its two huge
terminals and five concourses, the three of them sat down for
a chat. Now, it was Pavel, Arkady's brother back in Ukraine, who actually arranged this meeting.
He made the introductions and made it happen. And you can think of Pavel as a kind of middleman in
all this. He's going to pop up a lot in this story. So Arkady sits down with Vitaly and says
that he has a foolproof way to get his hands on top-level insider financial information on big U.S. companies before anyone else knows about it.
He was talking about having access to the kind of information that would enable an experienced stock trader to make big trades on that company's stock for insane profits and pretty much never lose money.
It could be done multiple times
with multiple different companies
keeping it all under the radar and untrackable.
It was an insider trading scheme
that he was touting to Vitaly,
but it was insider trading with a difference.
The insider wasn't a disgruntled employee
or a senior executive spilling secrets
to make some money on the side.
No, Arkady had something far bigger than that. Arkady had a solid, reliable stream of information
coming to him, which was insider information on dozens of U.S. companies. He was claiming he had
access to their financial reports well before the public could see them.
Vitaly was paying attention.
He knew exactly what to do with early access to financial reports like this.
And he understood that this could mean he could make a lot of money.
Here's one more clip from the movie Wall Street.
I don't know where you get your information, son, but I don't like it.
The main thing about money, bud, makes you do things you don't want to do.
But how was Arkady able to get all this information ahead of the public?
Well, Arkady's secret was hacking.
He had a guy who was in his 20s from Ukraine called Ivan Turchynov. Now,
he lived in Kiev, Ukraine's capital, the largest city, and specifically in a posh area of town.
There's an area there called Koncha Zaspa. It's smart, expensive, and in an area that you'll find
top politicians along with some former presidents living. The homes there go on sale between three
and five million dollars, with a river and woodlands on one side, and huge gated properties
with tens of acres of land on all sides. I mean, this is an elite area of Ukraine, and this is
where Ivan, the hacker of this story, lived, according to The Verge. He seemed to have a lot
of cash and liked to show it off. Clocks were his particular favorite, gold clocks
to be more exact, and he had scores of them. He also had a standard luxury car and a busy social
life and nightlife, and he loved to flaunt his wealth and show it all off. So when you combine
Arkady's wealth and business sense with Vitaly's stock market knowledge and Ivan's hacking skills
and all of them aren't afraid to do illegal things
to make more money, then you start to get quite a spicy recipe. Now, Ivan, the hacker, had been
working with Arkady to try to find something that they could do to make more money. They were both
seeing that when a company publishes a financial report, it makes that company's stock swing
around. So they wondered if there was a way to get those reports ahead of everyone else. And that's when they started looking into the world of news wires.
So this is how news wires work. All companies that are trading publicly on the stock exchange
are required by the Securities and Exchange Commission, the SEC, to publicize their financial statements
regularly. These are reports that pop up every few months,
and the reports tell investors how the company is performing,
what their cash flow is, their revenue, their debts.
And they usually include some income statements and cash flow statements
and finance and profitability ratios.
Boring stuff to most of us, but to the right people,
these little bits of information will translate into millions of dollars
in profits or losses in the
stock market. These companies all need a way of publicizing these reports. I mean, they have to
do it by law. They need to tell their investors how they're doing. And they need a way to tell
everyone at the same time. No favorites allowed here. Everyone needs to be able to access it at
the same time or else the company can get in trouble for providing insider information. Sure, they can stick this item on their company website somewhere or do a
mass email shot, and some of them do just that. But many major U.S. companies use the services of
newswires. Newswire agencies specialize in distributing financial reports and other news
that a company needs to relay to its shareholders.
And they have networks in place already that can get a press release out to the world at a push of
a button. For companies, this is a quick and convenient way to just make the whole process
easier. This kind of financial information for big corporate companies can have big impacts on
their investors and their stock prices. So it's common that they put it together in a press release
and send it to a newswire who will then publish it publicly when it's time.
And a lot of these reports get published just after the market closes on a particular day
because they know this information could then just flow out overnight and hit the stock market floor
in the morning. Tried and tested, this is the usual flow of how these things work. Now, the top three financial Newswire distributors in 2010
were BusinessWire, PR Newswire, and MarketWire.
These companies have been around for a while, too.
BusinessWire was founded in 1961,
and they've got their headquarters in San Francisco.
PR Newswire was founded in 1954, and it's headquartered in Chicago.
Now, that one was originally run entirely by Herbert Muschel
out of his New York City home,
and that was before computers and the internet
and the ability to send out information electronically.
Instead, he used teleprinters to get information out to news outlets in New York.
But now we are all digital and networked,
so these news wires all compete with each other
to try to get the big companies business.
It's all very competitive, and it means each of them has to have a good selection of companies as clients.
So when they get a press release, they upload it to their servers where it sits under wraps
until the agreed upon time and date when it should be released to the public,
and then it gets published. It's all very straightforward. But are you seeing the problem yet? Financial
reports for major businesses all sent to the same three places and staged on a server until it's
the right time to publish them? Yeah, I think you know where this is going. In February 2010,
Ivan, the hacker in Ukraine, set his sights on MarketWire. He knew somewhere in MarketWire
they must be storing these press releases
before they're being published publicly,
and he wanted to find where they were.
He scanned the website looking for a vulnerability
and found the website was vulnerable
to SQL injection attacks.
So this is where when you fill out
any kind of text box or form on a website,
the data you typed in may get sent to the SQL database, which is where all the information is stored on the
website. So like maybe it's a search field, and maybe you're on the site searching for press
releases for some company. Okay, so when you hit search, whatever you typed in, that could be sent
to the database directly to search it for any hits. I mean, the site has to know that you're looking for something
and has to ask the database if that something you're looking for is there, right?
But what if instead of typing in some company name to search for,
instead you just put in all kinds of funky characters
that screws up the search and tells the database
to do something else altogether,
like just give me everything in the database,
not just what I searched for.
This is the kind of behavior Ivan was trying
to get the MarketWire website to do.
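As an added illustration of the search-box problem described above (example code, not from the episode or any newswire's systems): the same press-release search written with the search term pasted into the SQL text, and again with a bound parameter. The table layout, the sample releases and the hostile input are constructed for the demo; the point is that the parameterized form keeps the embargo filter intact.

```python
# Added example, not code from the episode or from any newswire.
# A newswire archive stand-in: public and still-embargoed releases share one table,
# and the website's search is only supposed to return the published ones.
import sqlite3

# Constructed hostile search term: a tautology plus a SQL comment that truncates the rest
# of the query, so the "published = 1" condition never gets evaluated.
HOSTILE_INPUT = "' OR 1=1 --"


def make_db():
    """Build an in-memory archive with constructed sample releases."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE releases (id INTEGER PRIMARY KEY, company TEXT, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO releases (company, title, published) VALUES (?, ?, ?)",
        [
            ("Acme Corp", "Acme Corp opens new plant", 1),   # constructed, already public
            ("Acme Corp", "Acme Corp Q3 results", 0),        # constructed, embargoed
            ("Globex", "Globex announces merger", 0),        # constructed, embargoed
        ],
    )
    return conn


def search_vulnerable(conn, company):
    """Search as the episode describes it going wrong: the input becomes part of the SQL.

    Whatever the visitor typed is spliced into the statement text, so a crafted value
    can change the query's meaning and bypass the published filter.
    """
    sql = "SELECT title FROM releases WHERE company = '" + company + "' AND published = 1"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, company):
    """Same search with a placeholder: the input is bound as data, never parsed as SQL."""
    sql = "SELECT title FROM releases WHERE company = ? AND published = 1"
    return [row[0] for row in conn.execute(sql, (company,))]


if __name__ == "__main__":
    db = make_db()
    print("normal search, hardened:", search_hardened(db, "Acme Corp"))
    print("hostile search, hardened:", search_hardened(db, HOSTILE_INPUT))
    print("hostile search, vulnerable:", search_vulnerable(db, HOSTILE_INPUT))
```

Running it shows the hardened search returning nothing for the hostile term while the concatenated version hands back every row, embargoed releases included.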
Ivan relentlessly attacked MarketWire's website,
trying many different inputs
to try to get something valuable back from the database
that he could use.
He spent months on this,
submitting hundreds and hundreds of form fields,
all trying to do SQL injection.
Over time, he got it working.
And I'm not exactly sure what steps he took here, but over the course of five months
and 390 SQL injections later,
he found a way into where the unreleased press releases
were stored and he scooped up 900 of them.
Then in July 2010, he added PR Newswire to his target list.
This website used the PHP language to render the page,
and he was able to exploit this PHP code that was on the website
to gain access to their servers and went to look around.
He left a PHP script there that would give him backdoor access
to this place so he could just go back in whenever he pleased and look around in PR Newswire's
network. And of course, as he looked around there, he found exactly where the unreleased
press releases were stored in this network. Ivan knew of the other news agency too, Businesswire.
Of course, he wanted to find a way into this one too, but he was having a hard time with it.
We do know that BusinessWire employees received a rash of phishing emails during this time.
Maybe that was Ivan trying to trick an employee to install some malware or steal their credentials.
It does seem like Ivan eventually got a user database to the site somehow,
which gave him usernames and hashed passwords.
And from there, he had to run the hashes through a cracking tool to try to get the password.
And eventually he was able to brute force his way into BusinessWire this way.
And once inside, he started grabbing dozens of non-public press releases. So Ivan had successfully broken into all three of the leading newswire
agencies and siphoned off copies of press releases before they were published publicly.
He then sent them directly to Arkady and Alexander, and he's just emailing them over
bulk attachments like 70, 80, 90 press releases at a time. And bear in mind, this all had to be
done in a very short time frame.
The press releases were often uploaded to these news wires
just a few hours before they were due to go public.
So in that time window is when this scheme had to work.
The hackers needed to steal the press release and then pass it to the traders,
and then the traders had to look through these press releases
to see if there was anything valuable in there,
and then decide if they needed to make trades and move themselves into the right positions. I imagine
it was a frantic sort of operation, a lot to do in a short time. And then Ivan is sending them
dozens of press releases at a time. So they're having to make sense of a lot of information fast
because at any minute that's going to be public and the market may move and they may miss their chance.
Then you have to plan your exit.
How long do you wait for the market to adjust before you hop out?
A few hours, maybe?
There's a lot going on for these guys to do, and it's no wonder that they wanted to bring Vitaly into the fold to take a portion of this work and make some money for them, too.
They simply couldn't do it all on their own.
Ivan, the hacker, was feeling this process was getting
tedious. Having to go in, grab press releases, download them, and email them to the other guys,
that's a lot of steps that he was doing over and over and over throughout the day.
So Ivan came up with a better way. He set up a dedicated web server. Every time he accessed
new press releases and grabbed them, he'd upload them to his server,
and he had it locked down with a username and password. And he gave these credentials to the
traders who were involved in the scheme. Now, the traders could log in and just pick off the
press releases that they liked the best, and it made the process a little bit more automated and
easier for the traders to parse the information and easier for Ivan, too. These traders weren't
necessarily computer savvy
with this sort of thing,
so Ivan had to make a little how-to video demo
that showed them how to access
the press releases on the server.
And Pavel, which is Arkady's brother,
was who took the video and shared it with the traders.
And he also used this video as a way
to persuade other traders to join the fold.
Now, Ivan also shared tips too
on how to use a proxy and a VPN
to hide the IP addresses so people would cover their tracks properly. In November 2010, Pavel
shared this demo video with Arkady, who used it in negotiations with Vitaly. It was that
demonstration that tipped the balance for Vitaly, seeing for himself in black and white the information that would be available to him if he joined.
He knew exactly what he could do with that information,
and that was just too attractive for him to turn down.
Vitaly Korchevsky, hedge fund manager and Baptist pastor, was in.
I feel like I've been talking for a while,
so I'm going to take a little break here and get a drink of water,
but I'll be back in a minute to tell you the rest of the story.
This episode is sponsored by NetSuite.
What does the future hold for business?
You don't know?
Well, me neither.
But what I do know is that you don't have to be months ahead of your competitors
to be more successful.
Just a few days or even a few hours can work wonders.
So until someone brings you a crystal ball, NetSuite can give you an advantage.
More than 38,000 businesses have future-proofed their business with NetSuite by Oracle.
It's a cloud ERP service and one that I'd be using if I needed the help.
NetSuite brings accounting, financial management, inventory, and HR into one fluid platform.
When you're closing the books in days, not weeks, you're spending less time looking backwards and more time on what's next. Speaking of opportunity, download the CFO's guide to AI and machine learning at netsuite.com slash darknet. The guide is free to you at netsuite.com slash darknet, netsuite.com slash darknet.
While Arkady was busy expanding this little scheme of his, the SEC was really
revving up. At the start of 2010, they were creating new
divisions and departments. One of the units was called the Market Abuse Unit, and it would focus
on cases of insider trading. The SEC is a law enforcement agency which looks for signs of
market manipulation. With headquarters in Washington, D.C., they have between 3,000 and 4,000
staff across the board. And they have to work real hard to unravel some of these illegal trading schemes
and gather the evidence that they need to take them down. The SEC is out there looking for people
doing schemes exactly like what Arkady was doing. But it's really hard with all the money that gets
transferred every day in and out of the stock market. But the SEC has a secret weapon called Artemis,
which stands for Advanced Relational Trading Enforcement Metrics Investigation System.
What a mouthful that is.
So this is like an enormous database system that holds trade records from across the sector,
and it uses mathematical algorithms and advanced analytics
to analyze and rank the trades depending on what the SEC is looking for.
It's a powerful tool and is capable of spotting trading patterns
that the human eye or brain just can't do.
In the past, the SEC was kind of a reactive force when it came to insider trading.
They'd be informed of an incident or suspicions and then start their investigation.
Sometimes when there was significant news about securities involving a company,
they would investigate if suspicions were raised looking for trading activity
that might have taken place on the back of it.
But while criminals are using technology to hack into places in order to do insider trading,
the SEC is also using advanced technology to try to detect those illegal trades.
Their tools give them the ability to parse and examine every single trade
to try to find indicators of suspicious behavior.
And their tool was seeing something suspicious with these trades.
In January 2011, Ivan lost his backdoor access into PR Newswire.
The Newswire didn't know they had been hacked into.
No, no. They just changed their infrastructure. And in that process, they removed the system
where his backdoor was implanted on. So access denied for him. It was going to take him a while
to find another way in. But in the meantime, he was just focusing on stealing press releases from
MarketWire instead, ensuring the steady flow of releases still got to traders.
Because if the traders didn't get the information, then he wasn't going to get paid.
Ivan gave the traders his bank account details, which were accounts in Estonia and Macau.
And this is where he wanted his cut of the profits paid into.
Now, as far as I can work out, Ivan was raking in somewhere between 40 and 50% of the profits
from the trades made using
information in the press releases he stole, which I guess is fair. Without this insider information
that he's producing, the traders would have nothing to work with. So his role was crucial
in this whole scheme. By July, he got back inside PR Newswire. And again, he installed some code on their servers so he could just hop back in whenever he needed.
Great.
But that was also the month that this group started to inadvertently leave breadcrumbs behind them.
Crumbs that would eventually be noticed and followed.
At some point, one of these brokerage accounts they used to trade with became on the U.S. authorities'
watch list. My guess is that it was the SEC that identified a trading account that looked suspicious and decided to keep an eye on it. Well, for some reason, it was Ivan, the hacker, that logged into that
brokerage account to check on things. Investigators took note of his IP address for later, and it was
later that they saw this same IP log into MarketWire and PR Newswire
to download press releases.
This would prove to be a crucial link
that would connect the hacker with the traders.
By this point, the scheme was running very well,
and this group was making a lot of money.
Take the Dendreon Corp stock for an example. So this is a big biotech
and pharmaceutical company based out of Seattle. And on August 3rd, 2011, PR Newswire uploaded a
press release for Dendreon onto their server at 3:34 p.m. At 4:01 p.m., less than a half hour later
and one minute after the stock market shut down for the day, the press release was made public as Dendreon wanted.
But four minutes before it went public, at 3:56, Pastor Vitaly suddenly purchased 1,100 put options of Dendreon Corp.
As soon as the press release became public, the stock price rose, and the following day, Vitaly sold all 1,100 options and made a clear profit of more than $2.3 million.
Yes, million.
In less than 24 hours.
Across this period, there were more than four direct contacts between Vitaly and Arkady,
which lends us to believe that these trades were conducted using insider information.
In the middle of October, they were at it again.
This time, the target company was Caterpillar Inc.
You know this
company. They're massive. They make construction and mining equipment, big turbine engines,
and natural gas engines, and they've been doing it for almost 100 years. And they make boots,
too. So Caterpillar used PR Newswire when they had a press release ready to go out to the public.
They'd send it along with the date and time for it to be released, and PR Newswire would upload
it onto the server so it was all ready to go.
And that's exactly what they did on October 21st, 2011.
The release said that the company's profit after tax
for its third quarter was up 27% compared to 2010.
That's great news for the company and its investors,
and it was supposed to go public
three days after it was uploaded.
But not long after it was uploaded, the traders began to pounce.
Suddenly, shares of Caterpillar were bought in multiple brokerage accounts worth $5.9 million.
That was about 3,800 shares in the company.
And if you dig a little deeper, you find that they purchased them through EDGX,
using a brokerage account registered to Arkady.
When the press release went public on October 24th, as planned,
the price of the stock in Caterpillar Inc. shot up
exactly as the traders thought it would.
On that very same date, the traders sold their shares
and made a profit of more than $648,000.
The group didn't stop there.
On January 25th, 2012,
Caterpillar gave another press release to Newswire,
and this one said the company's profits were up 36% from the year before.
And just like what happened three months earlier,
after this press release was uploaded to PR Newswire,
the traders appeared and began to move Caterpillar stock.
This time they purchased around 600 shares, which was about $8.3 million,
and the brokerage account they used was an account that was registered to Arkady.
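The Dendreon and Caterpillar timelines above share one shape: a trade placed after a release was staged on the newswire's server but before its scheduled public distribution, repeated by the same accounts across many releases. That shape is something a newswire's own monitoring, or a regulator's trade surveillance, can check for directly. Below is an added example written for this page (not code from the episode, the newswires or the SEC) that joins release staging and publication timestamps with trade timestamps, flags trades inside the embargo window, and then keeps only accounts that do it on more than one release. The sample releases and trades are constructed from the narrative above; the exact Caterpillar and Align timestamps, the account IDs and the US Eastern timezone are placeholders.

```python
"""Flag brokerage trades placed inside a press release's embargo window.

Added illustration for this page, not code from the episode, the newswires or the SEC.
Timestamps are naive datetimes assumed to be US Eastern; account IDs and the exact
Caterpillar/Align timestamps are constructed placeholders based on the episode's narrative.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Release:
    ticker: str
    staged: datetime      # when the newswire stored the release on its server
    published: datetime   # scheduled public distribution time


@dataclass(frozen=True)
class Trade:
    account: str
    ticker: str
    placed: datetime
    side: str             # e.g. "BUY", "SELL", "BUY_PUT"
    quantity: int


def embargo_trades(releases, trades):
    """Return (trade, release) pairs where the trade was placed on the release's ticker
    after the release was staged but before it was made public."""
    by_ticker = defaultdict(list)
    for r in releases:
        by_ticker[r.ticker].append(r)
    hits = []
    for t in trades:
        for r in by_ticker.get(t.ticker, ()):
            if r.staged <= t.placed < r.published:
                hits.append((t, r))
    return hits


def minutes_before_public(trade, release):
    """How far ahead of public distribution the trade was placed, in minutes."""
    return (release.published - trade.placed).total_seconds() / 60


def repeat_offenders(hits, min_releases=2):
    """Accounts that hit the embargo window of at least min_releases distinct releases.
    One early trade can be luck or a resting order; doing it release after release is
    the pattern the episode describes, so the threshold counts distinct releases, not trades."""
    seen = defaultdict(set)
    for t, r in hits:
        seen[t.account].add((r.ticker, r.published))
    return {acct: len(rels) for acct, rels in seen.items() if len(rels) >= min_releases}


# Constructed sample data. Dendreon times follow the episode; the others are assumed.
SAMPLE_RELEASES = [
    Release("DNDN", datetime(2011, 8, 3, 15, 34), datetime(2011, 8, 3, 16, 1)),
    Release("CAT", datetime(2011, 10, 21, 9, 0), datetime(2011, 10, 24, 7, 30)),
    Release("CAT", datetime(2012, 1, 25, 9, 0), datetime(2012, 1, 26, 7, 30)),
    Release("ALGN", datetime(2013, 10, 16, 1, 0), datetime(2013, 10, 16, 16, 0)),
]

SAMPLE_TRADES = [
    Trade("acct-A", "DNDN", datetime(2011, 8, 3, 15, 56), "BUY_PUT", 1100),   # inside window
    Trade("acct-A", "DNDN", datetime(2011, 8, 4, 9, 45), "SELL_PUT", 1100),   # after publication
    Trade("acct-B", "CAT", datetime(2011, 10, 21, 14, 5), "BUY", 3800),       # inside window
    Trade("acct-B", "CAT", datetime(2012, 1, 25, 11, 30), "BUY", 600),        # inside window
    Trade("acct-A", "ALGN", datetime(2013, 10, 16, 9, 40), "BUY", 91000),     # inside window
    Trade("acct-C", "DNDN", datetime(2011, 8, 3, 14, 0), "BUY", 200),         # before staging
    Trade("acct-C", "CAT", datetime(2011, 10, 25, 10, 0), "BUY", 50),         # between releases
]


if __name__ == "__main__":
    found = embargo_trades(SAMPLE_RELEASES, SAMPLE_TRADES)
    for t, r in found:
        print(f"{t.account} {t.side} {t.quantity} {t.ticker} "
              f"{minutes_before_public(t, r):.0f} min before release went public")
    print("repeat offenders:", repeat_offenders(found))
```

The two-stage filter matters in practice: a single trade inside the window is weak evidence on its own, since orders queued before the embargo or placed on public news can land there by chance, but the same account doing it on two, six, or hundreds of different releases is the signal that the spreadsheets and shopping lists described later in the episode would produce.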
While all this was going on, away from prying eyes,
there was some serious unrest going on in the front of house of these news wires.
In the very same month that Arkady was making these insider trades on Caterpillar
for millions of dollars, MarketWired filed a $25 million lawsuit against PR Newswire. They were
blaming their rival for poaching their staff. The concern was that they were trying to get their
hands on confidential information and trade secrets from inside the company. A senior staff member at
MarketWire, their chief technology officer, had left and started working for PR Newswire,
and a couple of the staff followed and joined him. So everything was not
rosy between these two newswires. But while they were battling it out in court, they didn't know
at the very same time Ivan was rummaging around in their servers stealing extremely sensitive
information. Forget about staff breaching confidentiality, they should have been focusing
on securing their networks better. I don't think anything actually came of this lawsuit, and the
two companies just ended up being disgruntled at each other. It was just a weird time for them to be focused on this,
which might be a reason why they didn't spot intruders lurking about in their servers.
So this scheme was becoming a pretty well-oiled machine of securities fraud. Two distinct skill
sets coming together to make millions of dollars, hack into companies and steal press releases, and then make trades based on that information. With each new press release,
it was a potential big payday for them. And with so many press releases, it was just rinse and
repeat and reap the rewards. Ivan didn't know who Arkady was hiring to do the trades. At least,
I don't think he knew. And I'm fairly certain the traders didn't know who the hackers were either.
And there was this layer in between.
Middlemen, if you will, there to act as a messenger and go between.
Like Pavel, which is Arkady's brother.
They were the firebreak that stopped prying eyes or investigative hands
from finding direct links between the hacker group and the trading group.
At least, they were supposed to be.
By the time 2012 rolled around,
Ivan had been sailing along in a real comfy position.
Now, Ivan is a bit flashy with his gold clocks,
nice cars, and big house, as I mentioned before.
And earlier that year, he was in a club in Kiev and decided to brag to some of his friends about this amazing scam that he's been pulling off
for years. But this was a mistake. Don't get drunk and tell people about your very profitable
hacking scheme. One of these friends of his was Oleksandr Ermenko. He was in his 20s,
similar age to Ivan, and they worked together
in the past. So Olek
thinks this gig sounded pretty cool
and wanted to get in. But instead
of asking nicely to be let in,
he decided to double-cross Ivan.
Or maybe he asked Ivan nicely,
but Ivan said, no, I don't know.
Now, according to The Verge,
it sounds like Olek called his
friend Vadim,
and together they figured out what this whole scheme was, and they wanted in.
They hacked into one of the news wires themselves and cut Ivan's access off.
They just chucked him out and sat in there themselves.
So this news wire was completely unaware that they've been hacked twice now by competing hackers,
with one hacker being locked out and a new set of hackers being put in his place. Ivan had a big problem. He lost access to a big source of these very valuable press releases, and worse, his own friends were sitting there
instead. He tells his middlemen, who deal directly with the traders, what happened. And safe to say
that no one on that side was pleased to hear this. So a new deal got
made. Olek and Vadim's little takeover stunt worked, and they both got brought into the fold.
The traders were happy again. The more hackers means the more press releases and the more chances
to make money. Ivan, though, was not so happy about this change. Now he had to split his share with these other two
compared to just having it all for himself.
He wasn't the sole hacker anymore,
and that means a big hit on his profits.
While Ivan's distracted by his friends hustling in on this scam,
he didn't notice some attention starting to come his way from the U.S. authorities,
and it was a sign of what was to come.
Now, newswires are the same as any
other company. They take their network security seriously and regularly do audits and checks to
make sure that their systems are secure. And sometimes they find something. Maybe permissions
were too relaxed on some system, or things weren't locked down like they should. But whatever security
they had in place, it wasn't enough to stop this crew or detect them once they got in.
But in March of 2012, the FBI told PR Newswire that they've been breached.
And this is how they first heard their systems were compromised.
The FBI somehow saw this was happening before PR Newswire even knew it was going on.
According to The Verge, PR Newswire then called in a security firm called Strauss Friedberg
to investigate what was going on in their networks.
And during that examination, they found Ivan's back door.
And they saw how he was stealing press releases.
The tech guys obviously removed it and cut Ivan's access off.
And after some panicked emails to Ivan's middlemen,
it was Olek who managed to get code back into the systems and restore their access into PR Newswire so they could continue.
But unbeknownst to them, the authorities were now on to Ivan and they had him firmly in their sights.
Working in tandem with the US, Ukrainian intelligence services put surveillance on
Ivan. What triggered them initially to find him exactly? I don't know.
But by watching Ivan, they found out pretty quick who his friends were. And eight months later,
with the help of the FBI and the U.S. Secret Service, nine properties in Kiev were raided.
Both Ivan's and Olek's laptops were seized in the raids. These were the laptops the two hackers
were using to access the Newswire systems.
There were hundreds of stolen press releases on them and reams of online chat logs, which gave
the feds clear insight into the whole operation. A big success, you would think. But then it all
went silent, like eerily quiet. Nothing happened at all for a while. There was evidence that they
had identified culprits, but nothing
went any further. You see, Ukraine has laws in place that prohibit extraditing their own citizens
to another country. Under the Constitution of Ukraine, citizens are guaranteed care and
protection. So Ivan and Olek were, at least for the moment, safe from U.S. authorities.
And they knew it. So they did what all money-hungry hackers do.
They carry on with the scheme.
Hackers know the value of information. Yeah, there's different motives for when people hack
stuff and different targets, but really, most of it is about information. Who has it, who wants it, and how much can it be sold for? Financial, business, or personal, data is ridiculously sellable, and the more value it is
to the buyer, the more profit it will be to sell. The longer the scam was running, the more confident
everybody got. But the hackers were not traders.
They didn't follow the stock markets.
They didn't know which press releases were necessarily more valuable or useful than the others.
In 2012, a group of traders involved in the scam had expanded.
A new guy was brought on the team. His name was Leonid Momotek.
Leonid was a stock trader friend of Arkady's and worked in construction for his day job,
and they went to church together.
He was 46 years old and lived in Suwannee, which is in Georgia in the U.S., a pretty city about 30 miles away from Atlanta.
Arkady introduced him to the scam, and he opened up a set of brokerage accounts with TD Ameritrade, and he started trading on the stolen press release information.
The traders eventually got into a groove.
They knew which companies used which Newswire agencies
and when upcoming press releases were going to be released.
So they started requesting which press releases they wanted early access to.
It was like an order system.
On October 8, 2013, Pavel sent his brother Arkady a spreadsheet of 18 companies
due to announce press releases.
Arkady sent it to his business partner Alexander. Across the rest of October, Vitaly, Arkady,
and Leonid all made large trades on six of these companies right before the releases were published.
Now, the traders were sending the hackers their shopping list of press releases.
In October 2013, a company called Align Technologies sent their press release to MarketWired.
I guess MarketWired changed their name from MarketWire to MarketWired, just to be confusing.
But for Align Tech stock, in that 15-hour window between when the press release was uploaded to when it was made public,
Arkady had purchased 91,000 shares.
Two hours after Arkady's trades, Vitaly pops up and buys 95,000 shares.
And after that press release went live to the public, the pair unloaded their positions
and made about $1.4 million in profits. This scheme was on fire and seemed to be doing better
than ever. The traders were making enormous profits on this insider information, and the
hackers were happily getting paid a percentage cut for every trade.
Everyone was happy.
Now Arkady had been in on this from day one, and he decided he'd kinda like to expand
this a little more and make more money.
Money is attractive, right?
And so I think he was taken in by the allure of all the cash and spending and watching
his offshore bank account grow.
So early to mid-2013, he brings
in another trader to join his group. This guy is named Vlad, a trader who used to work on
Wall Street and whom Pavel knew. Once Pavel made the connections, he introduced Arkady to Vlad.
Vlad had his own trading company in the UK, but he lived in Brooklyn, New York and traded on Wall
Street a lot. He also had a home in Odessa in Ukraine.
Vlad really liked this plan and was on board.
And the deal was done.
Vlad came in on the same plan that Vitaly was in on.
Arkady opened up a brokerage account and funded it.
And Vlad and Vitaly just did their trades.
Vlad got a percentage cut just as Vitaly did,
and Vlad was just another trader in this scheme.
But I'm not sure if Arkady told the hackers about this new trader.
I mean, if the hackers knew there was a new trader here
bringing in all kinds of extra money,
they'd know that they should be getting a cut from those profits.
So it's possible Arkady didn't tell them.
I'm not sure.
But for a person who isn't afraid to break a bunch of laws to make more money,
I wouldn't put it past him that he was keeping some secrets from his own team. Arkady was ready to bring on even more people,
but of course it's hard to find people you trust. So he turned to his son, Igor. Igor helped to move
the press releases around and get them to Vitaly and Vlad. And I don't think Vitaly or Vlad knew each other either.
In fact, they may have never even met each other during this whole scheme.
Soon though, that would turn completely on its head. The morning of Tuesday, August 15th, 2015,
started as a quiet day for Vitaly. He was at home in his Glen Hills, Pennsylvania house
when he heard a knock on the door. And when he opened it,
he was greeted by a team of FBI agents with a warrant for his arrest. Vitaly was handcuffed,
hands behind his back, and led out to the waiting police vehicles. And just about 900 miles away
in Georgia, at the exact same time, two more FBI teams were knocking on other doors. Arkady and his son
were arrested. And that same morning,
Alexander and Leonid were also arrested in their homes. Vadim, one of the hackers,
had already been arrested on completely separate charges of credit card fraud. Vadim was picked up
while he was on holiday in Mexico, like a year earlier, and he had been handed straight over to
the U.S. authorities when he got arrested. Within hours, New Jersey U.S. attorney Paul Fishman
was leading a press conference explaining the day's events.
Here's a clip from that.
This morning, we're here to announce criminal and civil charges
in a broad-ranging, cutting-edge international scheme
at the intersection of hacking and securities fraud.
For more than five years, hackers largely operating in Ukraine repeatedly penetrated
the networks and servers of MarketWired, PR Newswire, and BusinessWire.
Over that five-year period, using a variety of hacking techniques and tactics, including
brute force attacks, SQL injection attacks, and phishing, those hackers stole well over 100,000 confidential
news releases before they were distributed. Two indictments charging a total of nine individuals.
We allege that the conspirators stole more than 100,000 news releases, traded ahead of more than
800 releases, and made more than $30 million. In addition, the SEC has filed a civil complaint
charging those individuals and a host of others
with similar trading conduct.
We also collectively, among all of us,
have seized 17 bank and brokerage accounts so far,
which we believe contain more than $6.5 million.
We've also collectively seized 15 properties,
including a houseboat, a shopping center,
and an apartment complex.
The New Jersey indictment charged Vitaly, Vlad, Alexander, and Leonid with five charges
of conspiracy to commit wire fraud, securities fraud, and money laundering conspiracy.
The New York indictment charged Arkady with 23 more charges of wire and securities fraud,
aggravated identity theft, and money laundering.
Not only did they charge Arkady with all that, but they also charged his son Igor and his brother Pavel with more charges.
And Ivan and Olek, the hackers involved, also were charged with the same 23 charges.
Along with the criminal charges in the two indictments,
the SEC also filed a civil complaint against Arkady, Pavel, and Igor Dubovoy,
Ivan and Olek, Vlad and Vitaly, and Leonid and Alexander.
And that complaint also charged another 23 individuals and companies who had been trading on this stolen information.
It sounds like those in on the scheme couldn't keep quiet and were telling others to do some trades too.
Mary Jo White, the SEC chair, explained more at the press conference.
While the SEC has uncovered and
successfully litigated hacking and trading schemes in the past, today's international case is
unprecedented in terms of the scope of the hacking at issue, the number of traders involved, the
number of securities unlawfully traded, and the amount of the profits generated.
A total of seven people were arrested that were involved with this scheme,
and pretty quickly people started admitting to guilty pleas.
Alexander, Arkady, his son Igor, and Leonid all pled guilty,
but Vitaly and Vlad both stuck with saying they weren't guilty.
These two traders were trying to say that they had no idea
the information they got was stolen or insider information, which means they brought this whole case to trial. Which is great news for me, because as a journalist, I can now see all the information in this case, the evidence, the testimony.
It all went into the public domain over this four-week trial.
Vitaly had almost 80 members of his church congregation support him during his first court hearing.
They couldn't believe their pastor could be involved
in something as shady and dishonest as this.
But this was no match for the SEC, Secret Service,
and FBI on the prosecution side.
They came with piles of evidence
showing exactly what Vitaly traded
and when and how they tied him to Arkady.
Prosecutors claim that Vitaly made over
$15 million from insider trading he conducted. They even had logs and evidence collected from
the raids in Ukraine off of Ivan and Olek's laptops, and they showed how the group changed
IP addresses, used VPNs, multiple computers, burner phones, and offshore accounts to conduct
this scheme. It was pretty clear that Vlad and Vitaly knew exactly what they were involved with.
Some of the most damning evidence came against the pair from Arkady and his son Igor.
They had been arrested in the raids in 2015,
and both pled guilty to the charges against them,
but they started producing evidence against Vitaly and Vlad too,
which looks to me like they may have done that to look like they're cooperating and
maybe reduce jail time. The court found Vitaly and Vlad guilty of all charges. Vitaly had to
serve five years in prison along with an order to pay $14 million in forfeiture and a $250,000 fine.
Vlad was jailed for four years. A year later in 2019, Leonid was sentenced by a New York judge
to three years of supervised release and was ordered to pay $1.3 million and do 100 hours
of community service. A month later, Alexander was sentenced to time served. Alexander gave
evidence against Vitaly and Vlad during the trial, which the judge found especially compelling,
according to a news report. Alexander cooperated with authorities after he was arrested
and aided their investigation into the scheme and how it all worked.
Vadim was the only hacker to be caught by U.S. authorities in the scheme.
He was arrested for credit card fraud through hacking,
but the feds soon linked him to Olek.
Vadim pleaded guilty in May 2016 and took a plea deal.
He admitted personally to hacking all three of the newswires
and stealing employee credentials. He also admitted to selling the information he stole.
A year later, he was sentenced to two and a half years in prison with a three-year supervised
release to follow. He was ordered to pay restitution of just over $3 million. Arkady and his son Igor,
from what I can see, they're still awaiting sentencing. After their guilty pleas, everything just got delayed because of COVID.
The authorities said that there were a total of 32 people involved with this scheme in some way or another.
Seven got caught and were found guilty that we know of, but three key players remain in the wind.
The hackers Ivan and Olek and Arkady's brother, Pavel, all three are
suspected to be in Ukraine, which is sort of protected from the long arm of the U.S. authorities.
But the U.S. Secret Service has put a $1 million reward for the capture of Olek.
Supposedly after this, Olek went on to hack into the SEC itself and then sold that information he
stole to someone else, potentially using it to make
money on the stock market too. Ivan and Pavel are also on the U.S. Secret Service list of most
wanted fugitives, but there is no reward listed for them. In the end, this scheme seemed to make
everyone a profit of over $30 million, which is quite an epic run. And I find this whole scheme
somewhat surprising. I just never thought about using
hacking to steal financial information to then use to make money on the stock market.
It's pretty clever and inventive, if you ask me. It's also fascinating to see how the SEC
has tools now to detect when people are making huge profits very quickly and are able to do it
again and again. The average trader doesn't make profits like that. So for the SEC to spot anomalies in real time, that's going to cut down on the ability for anyone else to do this
in the future. But in the end, I think this crew was driven by greed. $1 million wasn't good enough.
$5 million wasn't good enough. $10 million wasn't good enough. And of course, one newswire agency
wasn't good enough. Neither were two. They wanted all three. And then they kept expanding their team
and making their trades more frequent. And at some point, you simply can't hide all these
tracks and wash all your accounts and phones fast enough. And if it feels like you're able to do all
this and get away with it, then yeah, I can see you might get lazy and cut corners on how everything
is done. So in the end, I think it was greed that brought this whole thing crashing down.

dot darknetdiaries.com and pick up a new shirt. This show is made by me, The Shadow,
Jack Recider.
This episode was written
by Fiona Guy.
Sound design by me?
Oh yeah, that's right.
I added the music
for this episode.
Editing help this episode
by The Devious Damien.
Our mixing is done
by Proximity Sound
and our theme music
is done by the wicked fast
Breakmaster Cylinder.
A hacker went into a bar
and he said,
give me your strongest link.
This is Darknet Diaries.