The Securities and Exchange Commission charged nine defendants in connection with a scheme to hack into the agency's EDGAR corporate filing system to steal non-public information and use it for illegal trading.
A Ukrainian hacker, six individual traders in California, Ukraine and Russia, and two entities were charged in the scheme that netted at least $4.1 million in illegal profits, the SEC said Tuesday.
According to the SEC complaint, Oleksandr Ieremenko gained access to EDGAR in 2016, extracting files containing non-public earnings results. The information was passed to individuals who used it to "trade in the narrow window between when the files were extracted from SEC systems and when the companies released the information to the public," an SEC news release said. In total, the traders traded before at least 157 earnings releases from May to October 2016.
Mr. Ieremenko allegedly circumvented EDGAR controls that require user authentication and then obtained non-public "test files," which issuers may submit in advance of making their official filings to help make sure EDGAR will process the filings as intended, according to the SEC.
"The trader defendants charged today are alleged to have taken multiple steps to conceal their fraud, including using an offshore entity and nominee accounts to place trades," said Steven Peikin, co-director of the SEC's enforcement division, in a news release. "Our staff's sophisticated analysis of the defendants' trading exposed the common element behind their success, providing overwhelming evidence that each of them traded based on information hacked from EDGAR."
Coupled with parallel criminal charges from the U.S. attorney's office in New Jersey, the SEC charged each of the defendants with violating the federal securities anti-fraud laws and related SEC anti-fraud rules, and seeks a final judgment ordering the defendants to pay penalties, return their ill-gotten gains with prejudgment interest and enjoin them from committing future violations of the anti-fraud laws, according to the news release.
In September 2017, SEC Chairman Jay Clayton first said in a statement that the EDGAR system had been hacked the previous year.
"This action illustrates that the SEC faces many of the same cybersecurity threats that confront exchange-listed companies, other SEC-registered entities and market participants of all types," said Mr. Clayton in a statement following the announcement Tuesday. "These threats to our marketplace are significant and ongoing, and often involve threats from actors outside our borders. No system can be entirely safe from a cyber intrusion."