Hackers Made Millions Through Insider Trading By Simply Stealing Press Releases 

Sometimes, the simplest plans are the smartest. And the most illegal.

That’s certainly the case with a group that includes six American stock traders and two Ukrainian hackers, along with 23 other defendants, who stand accused of running a very, very lucrative scheme for almost five years, according to the AP.

The scam was simple: Hack into the unpublished databases of services that issue press releases for companies. Gather information about forthcoming announcements from companies, usually sales or profit announcements that could easily precipitate a rise or fall in stock prices. Then use that intelligence to anticipate what stocks should be bought (or sold), before the data goes public. Finally, profit. It’s an absurdly straightforward crime, and one that has remained unnoticed for a remarkably long time.

The SEC’s announcement about the fraud charges has more details. For example, the two Ukrainian ringleaders of the scheme “recruited” stock traders, who hailed from the US, Russia, Ukraine, Malta, Cyprus, and France, using a sort of highlight reel that showed their skills at procuring the information. The SEC also says that the duo posed as employees at the press release services in question. The press release services include major companies like Business Wire, which publishes press releases for many, many technology companies, and PR Newswire, which is one of the most recognisable names in the business, as well as Marketwired. If you’ve worked in either media or the corporate world, odds are good you’ve dealt with one of these services before — and for the past five years, they have been infiltrated by this ring.

So, what types of releases was the group using to make trades? The AP gives us a few examples. In one case, a press release from Panera — yes, the salad-and-sammy place — was scheduled to announce bad news. “The hacking ring bet correctly the stock would fall when the news came out, and turned a profit of about $US1 million the very next day, according to the indictment,” writes David Porter. In another instance, Align Technology — the company that makes Invisalign — was set to announce good news about its revenue. Using that intel, Porter says the ring made more than $US1.4 million.

Then there’s this remarkable anecdote from the SEC’s announcement, which details an as-of-yet-unnamed company’s press release from 2013. The news was that its revenues were down further than expected, and that the company would “revise” its earnings and projects to reflect the downturn, the SEC explains. There were only 36 minutes between when the press release was submitted to the news service and the announcement. Yet within ten minutes of sending the news to the service, traders were able to make more than $US500,000 selling the flailing company’s stock.

Whoa. It’s certainly a clever scheme, and it’s also a terrifying one, not because of the speed with which the information was utilised, but rather because the security gap between the companies and their PR partners was that gaping wide. Let it be a reminder, even for all of us non-corporate entities: If you’re sharing personal information with any third party, you should probably assume it’s not private.
