SEC Settles with Three in Edgar Hack
The Commission settled with three of the individuals charged in the Edgar hacking case. Defendants Sungjin Cho and Ivan Olefir, along with his firm Capyield Systems, Ltd., settled charges by the agency based on hacking into its computer system to steal material nonpublic information. SEC v. Ieremenko, Civil Action No. 2:19-cv-00505 (D.N.Y. Filed Jan. 15, 2019).
Each of the settling defendants consented to the entry of a permanent injunction based on Securities Act Section 17(a) and Exchange Act Section 10(b). The individual defendants also agreed to conduct based injunctions which limit their ability to trade U.S. listed securities and derivatives. Defendant Cho also agreed to pay a penalty of $175,000 while Defendant Oledfir and his firm will pay, on a joint and several basis, a penalty of $250,000.
The original complaint name nine as defendants: Oleksandr Ieremenko of Kiev, Ukrane; Spirit Trade, Ltd., Hong Kong; Sungjin Cho, Los Angeles; David Kwon, Los Angeles; Igor Sabodakha, Kiev, Ukraine; Victoria Vorochek, Luhans’ka Oblast, Ukraine; Ivan Olefir, Luhans’ka Oblast, Ukraine; Capylield Systems, Ltd., Belize City, Belize; and Andrey Sarafanov, Moskva, Russian Federation.
The scheme was launched by international hacker Ieremenko and others in the spring of 2016. See also See SEC v. Dubovoy, Civil Action No 2:150cv006076 (D. N.J.)(charging Mr. Leremenko and others in a hacking scheme). Common hacking techniques were used to search for access to material nonpublic information in EDGAR. The focus was to access test filings – those made by issuers which are not intended to become public. Rather, they are often made prior to the actual filing to ensure that format and other matters are correct. The test filings, accordingly, often contain information which is material and non-public.
To breach EDGAR the hackers sent a series of malicious emails to sec.gov email addresses. The “emails were spoofed to appear as if they were being sent by SEC security personnel . . .[they] contained malware-infected documents . . .” The efforts successfully infected several SEC computer workstations.
To infect the workstations Mr. Ieremenko used a Romanian IP address he had employed during the newswire hacks. He also used the same web browser – a point evidenced by the fact that both intrusions involved an identical user agent string. Stated differently, the hacker left his signature.
Hacker Ieremenko first successfully accessed a test file on EDGAR on May 3, 3016. He began manually exfiltrating electronic copies of test filings. Obtaining this information was the initial focus of the scheme.
The next day Mr. Ieremenko began using “deceptive hacking techniques” at 1:09 PM ET to access and exfiltrate a test filing for Issuer 1 from EDGAR. The test filing contained negative, material nonpublic information about the NYSE listed firm’s financial results. That information was apparently passed to one or more individuals at Spirit Trade. Between 2:57 PM and 3:59 PM ET that firm, controlled by a person who is a veteran of the newswire scheme, sold short 5,500 shares of Issuer I stock. Shortly after the trades were placed the market closed. Issuer 1 released the financial information and the stock price declined. The next morning Spirit Trade closed its position, yielding profits of $9,185 in gross profits. The pattern was repeated several times during May 2016, generating $496,740 in gross illegal trading profits tied to the filings of seventeen issuers.
Beginning in mid-May 2016 Mr. Ieremenko, or others, expanded the scheme. Specifically, an “Exfiltration Machine” was deployed – a server with a program. That server was able to automatically exfiltrate test files, a process initially done manually. This permitted Mr. Ieremenko “to obtain hacked test filings on a greater scale . . . more traders began to monetize the information” – that is, trade on inside information. From at least May 2016 through at least October 20, 2016 Mr. Ieremenko worked with traders located in the United States, Ukraine, and Russia to monetize the information. Virtually all of the traders had participated in the newswire phase of the scheme. During this period one group traded about 369 times using test filings exfiltrated from EDGAR.
In October 2016 SEC IT personnel patched the EDGAR software “in response to a detected attack on the system. . .” Defendant Ieremenko could no longer access the system. Nevertheless, efforts to further compromise EDGAR continued until early the next year. Later Mr. Ieremenko boasted that he had successfully hacked specific newswire companies and “sec.gov.” The SEC’s complaint alleges violations of Securities Act section 17(a) and Exchange Act section 10(b).
Video Program: OCIE Inspections and Exams: A Bad Day? You Need a Team! A video program on meeting the challenges and issues presented by these exams, Wednesday, Nov. 11, 2020; more information and registration (here).