
In the spring of 2012, a drunken 24-year-old named Ivan Turchinov was boasting to his hacker friends in a Kiev nightclub. He bragged that for many years he had been hacking into business news feeds and selling unpublished press releases, through Moscow intermediaries, to stock traders for a share of the profits.
One of the hackers in the club, Alexander Eremenko, had previously worked with Turchinov and decided he wanted a cut. Together with his friend Vadim Yermolovich, he broke into the Business Wire feed, stole Turchinov’s inside access to the site and forced the Moscow leader, known under the pseudonym eggPLC, to take them into the scheme. The hostile takeover meant that Turchinov had to share. Now there were three hackers in the game.
Traders drew up shopping lists of press releases
News feeds like Business Wire are clearinghouses for corporate information: they publish press releases, regulatory announcements and other market-moving information that is kept under strict embargo until publication. For at least five years, three American news feeds were hacked using various methods, from SQL injection and phishing emails to Trojans and illegitimate accounts. Traders on US stock exchanges drew up lists of the press releases they wanted and told the hackers the right moment to steal them. The hackers then uploaded the stolen press releases to foreign servers for the traders and received their 40% of the profits in various offshore bank accounts.
The Verge interviewed hackers and investigators, obtained chat logs and court documents, and traced the development of the case, which law enforcement agencies would later call one of the largest securities fraud cases in US history.
To obtain insider information, traders no longer need a person in the company
This story shows how the Internet has quietly revolutionized insider trading. To obtain insider information, traders no longer need a person in the company. Instead, they can turn to hackers who find security weaknesses. A large corporation or bank may have good internal security, but the organizations it works with, such as financial institutions, law firms, brokerage firms, small investment advisers or, in this case, news feeds, inevitably have vulnerabilities.
"There is always the human factor"
As one of the participants in the scheme put it, a company's level of security does not matter: "There is always a human factor: the only employee who clicks the link in a phishing email or sells his password."
“Almost every organization that collects useful financial data for traders has been broken at least once,” said Scott Borg, director of the US Cyber Consequences Unit, a non-profit research institute that advises the government. "All the economic analysis departments of the largest countries in the world were almost certainly hacked."
For the most part, says Borg, these hacks go unnoticed. As a rule, they are “complex and targeted,” and companies often avoid publicity to escape liability and reputational damage, or because they simply do not know what information was stolen.
Over the past eight years, the US Securities and Exchange Commission (SEC) has set up three new units to detect cybercrime and has pushed companies to strengthen their own security and report hacks quickly. The measures have had some success, as evidenced by the recent case of three Chinese hackers who broke into law firms, but this is a cat-and-mouse game. Even the SEC is not protected: in 2016 it was hacked. The SEC reported the breach only the following year, which prompted accusations of hypocrisy.
The international nature of trade in stolen information makes enforcement especially difficult. Shortly before Turchinov boasted to friends at the club, the US Secret Service, whose task is to protect the country's financial infrastructure, became interested in the Ukrainian hacker.
Court documents show that since the beginning of 2012, three news feeds (Business Wire, PR Newswire and Marketwired) had been endlessly patching holes and removing malware in an attempt to lock the hackers out. Askari Foy, a former cybersecurity expert at the SEC, explained that such companies usually report hacks to the FBI so that a criminal case can be opened, and give it access to their systems for examination.
“They traded high”
When authorities warned PR Newswire of a potential hack, the company hired Stroz Friedberg, a private cybersecurity firm, in March 2012 to investigate further. According to court documents, Turchinov's malware was detected and removed. On March 27, he sent a panicky message to his Moscow contacts, allegedly referring to PR Newswire's internal correspondence, to which he had access:
“When you return, write to me right away, there are several problems. The first and most important is a bummer with PR. They found the module and removed all our crap. They removed the temporary server. I have not yet switched to a new one, I'm waiting. It happened on the 13th [March]. The second problem: your guys were discovered. They traded on a large scale and there is a lot of talk about them, that they trade only at the right moment.”
But by May 30, 2012, thanks in large part to their new colleague Eremenko, the hackers had restored access to PR Newswire and were back in business.
The Secret Service decided to send a request for assistance to the Ukrainian intelligence services, according to Ukrainian agent Alexei Tkachenko and court documents. Their Ukrainian colleagues placed Turchinov under surveillance.
According to a man who was also contacted by Ukrainian agents, they noticed that Turchinov was in touch with a group of 10 other men aged 20-30, including his colleagues Eremenko and Yermolovich, who had a lot of cash and no significant source of income. Turchinov is said to have owned a house in Koncha Zaspa, the Kiev equivalent of Beverly Hills. On social networks he posted pictures of an extravagant collection of gold watches, a pistol and a luxury car, along with photos with friends in Kiev nightclubs.
In November 2012, Ukrainians, accompanied by agents of the United States Secret Service, who had already worked in tandem with the FBI, conducted raids on nine properties around Kiev connected with hackers. They confiscated Eremenko and Turchinov’s laptops, found hundreds of press releases and chat logs with a discussion of the scheme. A few months later, special agent of the United States Secret Service Alexander Parisella arrived in Ukraine to interrogate Turchinov, Eremenko and others, according to court documents.
But then things went quiet. Ukraine does not extradite its own citizens, so Special Agent Parisella could do nothing except try to get the hackers to talk about the press releases and the stolen payment card data that had been found.
None of the hackers was charged in Ukraine either. Ukrainian law enforcement officials said they did not receive the required request from the US, a fact confirmed by a US agent in court. It seems that the Ukrainian special services had a special relationship with Turchinov, the Americans' main suspect.
"Now you work for us or go to America"
“Then he paid the cops. Good, not paid. He gave them his collection of watches worth half a million. I gave my house, I gave Bentley. Then they said: ‘Well, now you work for us or you will go to America,’” said the man who was in close contact with Turchinov at that time.
After Special Agent Parisella's visit, Turchinov continued to steal press releases, but now under the supervision of intelligence officers, the head of the Ukrainian cyberpolice, Sergey Demidyuk, told The Verge. According to him, the special services began to work in parallel with the Moscow intermediaries, using Turchinov’s access and bringing in their own traders.
"It must be admitted that this is exactly what happened," said Demidyuk about how the Ukrainian special services allegedly profited from illegal transactions.
Ukrainian intelligence services did not respond to a request to comment on their participation in the scheme.

It is difficult to say how the scheme was run. At the court hearing, a witness referred to the “main” person, of whom only the first name, Valery, is known. Witnesses and documents also mention a certain Roman as an intermediary in contacts with traders. Judging by his Skype name and social contacts, he could be a Russian trader. No one was charged, although Roman traveled to the USA as recently as November 2017. According to several sources, the alleged leader of the gang is known on the Internet only under the screen name eggPLC.
Demidyuk and others who spoke on condition of anonymity believe that eggPLC is a Moscow stock trader originally from St. Petersburg who has been hiring hackers since at least 2008. On a number of underground forums where exploits are bought and sold, we found an eggPLC ad seeking hackers to help him access brokerage accounts. According to a person associated with the scheme, eggPLC then used the brokerage accounts to raise and lower stock prices while trading from his own accounts. This is a version of the old-school stock fraud known as pump and dump. The scheme was revived in the mid-2000s thanks to hackers.
eggPLC ran a full-fledged business on the dark web
According to Demidyuk and others who are aware of the details of the scheme, eggPLC hired Turchinov to break into the news feeds around 2009. Turchinov sent the stolen press releases to eggPLC and two other Moscow intermediaries, who passed them on to traders; the hackers received a 40% share of the profits, and the intermediaries 10%. His now-inactive ICQ numbers make it clear that eggPLC ran a full-fledged business on the dark web. He advertised one number as his personal number; the other was called eggPLC support.
In St. Petersburg, Moscow, Kiev and the United States, the stolen press releases attracted more and more traders, some of whom worked at investment companies and others independently. Friends told friends, and the circle of initiates grew.
Two of the traders, the brothers Pavel and Arkady Dubovoy, come from a well-known and rich Ukrainian Baptist family, several of whose members got rich by privatizing Ukrainian factories in the 1990s. Arkady, who owns an ice cream factory in Odessa, emigrated to the suburbs of Atlanta in the mid-1990s thanks to a law granting refugee status to persecuted religious minorities of the Soviet Union. Pavel studied for some time in the USA near Arkady. But along with a large number of relatives, they moved to Kiev when their cousin Alexander was elected to parliament in 2007.
Living in Ukraine in November 2010, Pavel Dubovoy, according to court documents, sent an email to Arkady's construction business partner with instructions on how to get access to the stolen press releases.
After the Christmas holidays, Arkady and his business partner Alexander Garkusha left their homes in Alpharetta, Georgia, for the Atlanta airport, where they met Vitaly Korchevsky, a Slavic Baptist pastor and Philadelphia trader.
As a former portfolio manager and vice president of Morgan Stanley, Korchevsky enjoyed a reputation as a good financial planning consultant among members of the new immigrant community, many of whom had come to America with poor English and a poor understanding of American life. Korchevsky was a prominent religious leader in the American Slavic Baptist community and was often invited to preach in the United States and the countries of the former Soviet Union.
“He loves himself and his ambitions”
In the early 2000s, Korchevsky finished working at Morgan Stanley in New York and returned to South Philadelphia, where he spent evenings traveling around the suburbs and visiting Slavic Baptists whom he hoped to attract to his small evangelical Christian meetings. Later, he organized a union of 28 Russian-speaking churches and spent a large part of his considerable income on creating his own church in Philadelphia. He also sponsored the emigration of many of his parishioners from the former Soviet Union, as he had done in the late 1980s. They often lived in his house until they found work and housing.
“He was very religious ... but when I met him, I saw a businessman in him. He is a man of ambition. This is a man who loves himself and his ambitions,” said the leader of Slavic Baptists, who had known Korchevsky for three decades. “He likes to be a leader ... and a person to whom people are equal.”

To discuss the scheme, Arkady Dubovoy and Garkusha met with Korchevsky at an airport restaurant during his stopover in Atlanta. At first the scheme was a hard sell. The financially literate pastor was not impressed. He said that these press releases were publicly available. After the meeting, Arkady decided that this was another bad idea of his younger brother's. The second meeting was marred by technical difficulties. Only on the third attempt did the group finally get proper access to the server in order to demonstrate it to Korchevsky, and the pastor acknowledged that the scheme worked.
Arkady began to open brokerage accounts. His English was so bad that he asked others, including his son Igor, to write letters on his behalf. He also stated in court that he did not understand stocks and had difficulty using a computer. He therefore allowed Korchevsky to trade from his accounts and paid him about 10% of the profits. At the same time, Korchevsky set up a Philadelphia fund and secretly traded from his own accounts, which is why the intermediary subsequently refused to cooperate with the group, citing unpaid commission.
He wanted to see who traded better: pastor Korchevsky or Khalupsky
Arkady also played a double game. His brother Pavel introduced him to another former Wall Street trader, Vladislav Khalupsky, who divided his time between Odessa and Brooklyn. Arkady opened accounts for Khalupsky to trade. Later he testified that he wanted to see who traded better: pastor Korchevsky or Khalupsky. Arkady also sent his son Igor to study trading at Khalupsky's company in Odessa.
The scheme continued to grow. Friends, relatives, colleagues and other parishioners were drawn into it: to everyone it seemed like a sure way to get rich. Two managers of Arkady's Ukrainian firms opened accounts, then two of his relatives in Odessa (the Dubovoy family is very large, but only five of its members were involved). A year later, Arkady's accountant and Leonid Momotok, a parishioner, got involved. The latter knew a little about stock trading and opened more trading accounts, including one in his brother's name. The less connected the people and accounts are, the more difficult the investigation is for regulators.
Easy Money
For people like Korchevsky, a registered US investment consultant with more than a decade of experience, the stolen press releases were easy money.
On 3 August 2011, at 15:34, a press release from Dendreon Pharmaceuticals was uploaded to the PR Newswire system; it was published less than 30 minutes later, at 16:01, immediately after the markets closed. The release announced that the company's new drug would miss its projected sales target. At 15:56, before the release was published and four minutes before the markets closed, Korchevsky bought 1,100 put options, contracts that give the right to sell shares at a set price within a set period. The next day, Dendreon shares fell by 67%, and Korchevsky sold his options at a profit of over $2.3 million. Telephone records show that Korchevsky called Arkady twice before the release and twice after the sale of the options.
There were also cases when the traders lost money. Despite a positive press release, on April 26, 2013, the stock price of the Internet company Verisign unexpectedly fell. Arkady's son, Igor Dubovoy, e-mailed Korchevsky: “Arkady asked me to sell all the shares. If you do not have internet, please let me know if this should be done or if you have a service for this.” Shortly thereafter, Igor closed the Dubovoys' positions at a loss of $114,038. Then Igor sent Korchevsky another letter: “I already sold everything and just saw your letter. I'm not sure that I made the deal as you planned.” Korchevsky answered Igor: "It's okay ... this is not the last day ... in any case, it is strange ... got the right numbers ... a mixed reaction."
In Ukraine, Pavel, who held a joint account with his brother Arkady, was responsible for paying commissions to the hackers. He paid through his British front company using account numbers provided by an unknown person, probably Roman, who was mentioned several times in court as the Dubovoys' contact person. In one of several letters to Arkady from February 2012, Pavel reported a payment of $95,000 to Turchinov’s Estonian account, marked “guys”. The payment was made under the guise of payment for construction equipment from the development company Arcadia. Construction is a typical occupation of Soviet Baptists, who are often denied access to public housing. The letter also indicated that $160,000 had been paid to Vlad, that is, Khalupsky, a Ukrainian-American trader and investment consultant. Pavel also sent lists of expected press releases to Arkady in Georgia and, through the Moscow intermediaries, to the hackers.
It is unclear how Pavel met Roman, who, according to testimony, introduced Pavel to the scheme and worked for the leader of the group. It is also not entirely clear how Pavel earned his living. His cousin, the politician Alexander, in an interview with
The Verge, called him a "technical specialist" and a "freelancer" who also worked in real estate, although he did not express confidence in his abilities as a trader.
Speaking by phone in March, Pavel denied any involvement in insider trading or in trading in general. “Honestly, I have very little in common with this case. My relatives are much more involved,” Pavel said of the press release scheme described in the US indictment. “I have nothing to do with it. I have never had brokerage accounts and have not conducted any transactions. I don’t even know how to do it ... I don’t know what is going on in this business ... I don’t know why [they pointed at me].”
Pavel subsequently rejected repeated requests for a meeting and did not answer specific questions about the hacking scheme.

Passengers of the first four rows got up and announced that they were agents of the US Secret Service
In November 2014, almost two years after Agent Parisella's visit to Kiev, the third hacker, 27-year-old Yermolovich, arrived at a luxury resort on the sunny coast of Cancun, Mexico, to take a break from the frosty Ukrainian winter. Shortly after midnight, as he was relaxing in the hotel restaurant, a group of Mexican law enforcement officers approached his table, according to an informed source. The police said he was not welcome in Mexico and that they would take him to the airport. According to them, the Ukrainian consulate had agreed to send him back to Ukraine. Meanwhile, the police searched his room upstairs, woke the hacker's wife and confiscated his laptop. When Yermolovich arrived at the airport in the dark, he was pushed into the rear of a commercial passenger plane and told that he would transfer in Dallas, Texas.
According to the source, when the plane landed in Dallas, the passengers in the first four rows stood up and announced that they were agents of the US Secret Service. Yermolovich would not be going to Ukraine. The Mexicans had handed him over to US law enforcement. No extradition procedure was carried out.
At first, Yermolovich was charged with selling payment data from more than 300 stolen corporate databases. The charge was based on information found on his laptop in Kiev during a search in 2012. Then law enforcement agencies found press releases on the laptop confiscated by the Mexican authorities. After he was transferred to the Hudson County Correctional Facility in New Jersey, the authorities gave Yermolovich a choice between two to three years in prison and 20 years, offering him a plea agreement.
Even with one of the hackers in custody, it was difficult to uncover the entire network. Yermolovich claimed that he did not know any of the traders and communicated online only with the Moscow leadership. Moreover, the traders accessed the press releases through a temporary offshore server, minimizing traces.
Experts say that proving this kind of insider trading often depends on what measures the trader has taken to avoid detection. According to Borg, director of the US Cyber Consequences Unit, even international cooperation will not help prove insider trading if a trader changes accounts. Traders can cover their tracks by opening brokerage accounts anonymously through cryptocurrencies or shell companies, which are then closed.
The Dubovoy family was not so careful
Since 2010, the SEC's Analysis and Detection Center has investigated signs of insider trading jointly with the Financial Industry Regulatory Authority (FINRA), a Wall Street regulator. Their algorithms are designed to detect stock price fluctuations ahead of major corporate announcements, which point to insider information among market participants, says Janet Austin, a professor at the University of New Brunswick and author of Insider Trading and Market Manipulation: Investigating and Prosecuting Across Borders. The SEC's Center for Risk and Quantitative Analytics then examines the party making the suspicious transactions to see whether it has a connection with the company, for example through a relative or a past employer. If no direct connection can be found, the data is stored in case the party comes into view again. But the sheer volume of transactions in the market makes detection difficult.
FINRA assisted the SEC in investigating the press releases. Both agencies declined to comment on this story. According to Austin, regulators, probably aware of the press release leak, pulled the logs of suspicious transactions and identified the persons involved.
The Dubovoys repeatedly used the same brokerage accounts, owning some of them directly or through close relatives with the same family name. Their involvement was also easily confirmed by the fact that they belonged to the same church community.
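The correlation described above can be sketched in code. This is an added example, not code from the article, the SEC or FINRA; it assumes the investigator has newswire upload and publication timestamps plus brokerage trade records, and the account ids, the issuers other than Dendreon and the `LINKED_GROUP` mapping are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Release:
    issuer: str
    uploaded: datetime    # draft received by the news feed (embargo starts)
    published: datetime   # embargo lifted, release is public


@dataclass(frozen=True)
class Trade:
    account: str
    issuer: str
    placed: datetime


def embargo_hits(releases, trades):
    """Pair each trade with a release for the same issuer that had been
    uploaded to the news feed but not yet published when the order was placed."""
    by_issuer = defaultdict(list)
    for rel in releases:
        by_issuer[rel.issuer].append(rel)
    return [
        (trade, rel)
        for trade in trades
        for rel in by_issuer.get(trade.issuer, ())
        if rel.uploaded <= trade.placed < rel.published
    ]


def repeat_entities(hits, entity_of, min_releases=2):
    """Count distinct embargoed releases traded on per entity. One hit can be
    luck; the same entity coming into view again is the signal."""
    seen = defaultdict(set)
    for trade, rel in hits:
        seen[entity_of(trade)].add((rel.issuer, rel.uploaded))
    return {e: len(r) for e, r in seen.items() if len(r) >= min_releases}


def ts(text):
    """Parse a timestamp in exchange-local time."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample data. Only the Dendreon times (15:34 upload, 16:01
# publication, 15:56 order) come from the article; everything else is invented.
RELEASES = [
    Release("Dendreon", ts("2011-08-03 15:34"), ts("2011-08-03 16:01")),
    Release("ISSUER-B", ts("2012-02-07 15:40"), ts("2012-02-07 16:05")),
    Release("ISSUER-C", ts("2012-05-01 08:00"), ts("2012-05-01 08:30")),
]
TRADES = [
    Trade("acct-1", "Dendreon", ts("2011-08-03 15:56")),  # inside the window
    Trade("acct-3", "Dendreon", ts("2011-08-03 10:15")),  # before upload
    Trade("acct-2", "ISSUER-B", ts("2012-02-07 15:50")),  # inside the window
    Trade("acct-1", "ISSUER-B", ts("2012-02-07 15:58")),  # inside the window
    Trade("acct-2", "ISSUER-C", ts("2012-05-01 08:10")),  # inside the window
    Trade("acct-4", "ISSUER-C", ts("2012-05-01 08:45")),  # after publication
]
# Hypothetical link data (shared family name, address or adviser) that joins
# accounts which look unrelated when examined one at a time.
LINKED_GROUP = {"acct-1": "group-A", "acct-2": "group-A",
                "acct-3": "group-B", "acct-4": "group-C"}

HITS = embargo_hits(RELEASES, TRADES)

if __name__ == "__main__":
    for trade, rel in HITS:
        lead = int((rel.published - trade.placed).total_seconds() // 60)
        print(f"{trade.account} traded {rel.issuer} {lead} min before publication")
    print("per account:", repeat_entities(HITS, lambda t: t.account))
    print("per linked group:",
          repeat_entities(HITS, lambda t: LINKED_GROUP[t.account]))
```

Grouping by linked entity rather than by account is what turns two accounts with two hits each into one group with three, the effect of reusing accounts held by relatives.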
In 2014, the intermediaries found that the Dubovoy family was trading with a much larger number of accounts than they had declared. According to court testimony, they began to threaten Pavel. In January 2015, Arkady went to Ukraine, where he met Valery, the “main guy.” Their intermediary and contact person Roman offered various payment options for the family to regain access: for example, $50,000 per day or $100,000 per week with a deposit of $300,000 (the amounts indicate how valuable stolen press releases had become).
Nothing came of it. As a result, the group found another way to access press releases through the husband of Arkady's cousin, Valery Pichnenko, who contacted the intermediary through his own channels. Pichnenko kept the press releases in an inconspicuous mail account, which Igor logged into in order to forward the messages to Vitaly.
But just as news feeds do not always inform customers about security problems, the intermediaries decided not to tell the traders that one of the hackers had been arrested.

In August 2015, nine months after the arrest of Yermolovich, FBI agents led Pastor Vitaly Korchevsky, his graying hair combed, out of his prestigious country house in Philadelphia. On the same day, Arkady, Igor, Garkusha and Momotok were arrested in their homes in Georgia.
Korchevsky was accused of receiving $17.5 million in illegal profits, Arkady $11 million and Igor $249 thousand. Momotok and Garkusha earned about $1.3 million and $125,000, respectively.
The news shook the American Slavic Baptist community and the parishioners of Korchevsky, many of whom refused to believe in his guilt. Because of the persecution of Baptists in the Soviet Union, many of them are suspicious of the authorities and the media, explained Elena Panich, a researcher of post-Soviet Baptists.
Supporters of Korchevsky argued that this was a plot by the US government aimed at persecuting the Christian leader. The defense stated, and the American prosecutors admitted in court, that neither press releases nor any evidence that he had been in contact with hackers were found on Korchevsky’s computers.
After the verdict was announced, Korchevsky addressed his community in Philadelphia, thanking it for its support. With the smile of an innocent man, he said that he intended to appeal the verdict: “The Lord clearly showed: there is not a single proof that I owned any information. They simply do not exist. Of course, they talked about the destroyed computer, although a 17-year-old PC was found in my house. But God knows, and before his face we can safely say: there was nothing like that. No computer or mobile phone has been destroyed.”
This is not the end of the drama in Pavel’s life. According to his cousin Alexander Dubovoy, in February he was shot three times and wounded during a meeting in a cafe, when Pavel tried to save an unknown woman from being beaten by a group of men. In a telephone interview from the hospital, Pavel said that the conflict with pastor Kunz over the co-built church was “settled”. He denied any involvement in the leak of press releases, but did not answer further detailed questions.
Answering the question, Alexander Dubovoy explained that the family did not consider the press release scheme contrary to their faith: “As far as I read and heard from relatives, and I know him well, they, and he, in particular, did not see theft in this.” Pavel was a tool or a link and did not know how the information would be used, Alexander said.
The FBI refused to give an official comment on the case and the alleged involvement of the Ukrainian special services.
The hacker Turchinov also avoided the consequences. According to the head of the Ukrainian cyber police, Demidyuk, in 2016 Turchinov hacked into the database of the tax service of Ukraine on the orders of another Ukrainian business group, stealing information and changing tax records in the customer's interests. When the police launched an investigation in January 2017, Turchinov fled through the war-torn eastern territories of Ukraine to Russia, a country out of reach of the American and Ukrainian authorities.
For Eremenko, the charges marked the beginning of a new stage in his hacking career. According to Demidyuk, when the American charges were announced in August 2015, some “not very good people” in the special services of Ukraine, together with the hacker Turchinov, used Eremenko’s ignorance of the Ukrainian law on extradition to blackmail him. Eremenko was told that if he paid, he would be safe from extradition, which in fact did not threaten him legally. Turchinov, acting as an intermediary, amused himself even more by doubling the amount of the blackmail. Eremenko paid. The partners parted ways when Eremenko discovered the deception.
Eremenko's hacking skills were subsequently put to use by Artemy Radchenko, a stylishly dressed, ambitious 23-year-old man with dubious connections. In October 2015, two months after Eremenko was charged in the United States, they created Benjamin Capital Group, a UK-registered investment bank that operated in Kiev. According to the head of Ukraine’s cyber police and a knowledgeable source, Benjamin Capital was set up under the guise of a legally clean trading and investment company. But Radchenko attracted investors willing to pay for Eremenko's proven hacking abilities in order to obtain insider information. They hired workers and rented servers and two floors of office space.
On corporate forums, employees complained about the management and about salary delays. In the winter of 2017, Eremenko realized that Radchenko had spent all the investors' money, as well as the profits from their work, on apartments abroad and luxury cars, Demidyuk said.
Radchenko continued to keep Eremenko in the company under the threat of violence. Before everything fell apart, Eremenko was obsessed with hacking into the EDGAR financial reporting system and achieved some success, according to Demidyuk and a source familiar with the case.
EDGAR is used by all companies trading on US stock exchanges to submit financial reports, which are then published on the Internet. When Eremenko finally decided to leave, Radchenko was furious.
Radchenko hired thugs
“Radchenko hired thugs to beat or, I don't know, even kill Eremenko. It was a vendetta. Because from what we know about Radchenko ... he is very aggressive,” said Demidyuk.
Besides not paying his employees, Radchenko made the fatal mistake of not paying his bodyguards. Large clients gradually left Benjamin Capital, and their place was taken by dubious individuals, including representatives of organized crime. Investors colluded with Radchenko’s bodyguards and beat him “well”, according to Demidyuk. Then they began to look for Eremenko. But instead of punishing him, some investors suggested that the hacker move to Russia, work for them and pay off Radchenko’s debt.
The SEC hacks, including that of the EDGAR financial reporting system, occurred from October 2016 to April 2017, Reuters reports, citing an unnamed source, although the SEC statements published in September mention only the 2016 hack. The SEC says the investigation is ongoing.
UPD. On August 26, Roman Vishnevsky, who is mentioned in the article, registered on Habr and made a statement about the unreliability of the information published in The Verge article: “My lawyers in New York have already written a letter demanding to remove me from the publication,” said Roman in a comment for Habrahabr.