JACK: The stock market; this is where you can go buy part of a company and hope the value of that company goes up so your part is worth more, but it’s a big risk. Predicting the future is hard. Even the most educated and well-researched people who spend their whole life focusing on finance get it wrong a large part of the time. Some think they have it all figured out though, like Gordon Gekko in the 1987 film Wall Street. Here’s a clip from the film.

GORDON: The public is out there throwing darts at a board, sport. I don’t throw darts at a board. I bet on sure things. Read Sun Tzu, The Art of War. ‘Every battle is won before it’s ever fought.’ Think about it. You’re not as smart as I thought you were, buddy boy. You ever wonder why fund managers can’t beat the S&P 500? ’Cause they’re sheep, and sheep get slaughtered.

JACK: So what was Gordon Gekko’s secret so that his stock bets were a sure thing? Well, he was investing using insider information, information that wasn’t yet available to the public. Knowing what a company is about to do or announce gave him a big edge that made him a lot of money.

(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: Insider trading is an age-old concept. It’s been going on for years, and it’s the bugbear of the stock market. This is people getting their hands on the kind of information that trades can be based on to make more money, but it’s information they shouldn’t have. This is financial data or corporate secrets obtained by deceptive or illegal means. Yeah, that gives them a distinct, unfair advantage over other traders, but that’s exactly the problem; it’s not a fair way to trade and it undermines the entire stock market system. As Gordon Gekko famously said in the film Wall Street…

GORDON: The most valuable commodity I know of is information. Wouldn’t you agree?

JACK: What stock market traders aim to do is predict the future. If they can buy a stock that goes up in value, they will make money, sometimes a lot of money, but that’s the hard part, predicting the future. So, forecasts of a company’s profits, sales, overheads, analyst reports, or market shares, these could all be indicators of what may happen in the future. So, they’re all very important to traders. Typically, a company will put these numbers together, then publish them publicly for everyone to see. But sometimes when a company publishes a report, it makes their stock change wildly. [MUSIC] So, what if you could see what these internal reports look like before they got published to the public? If you’re a stock trader and you’ve got some privileged inside information that your fellow traders don’t have, well, that puts you significantly ahead of the game. Think about it; if you knew that company has far exceeded its quarterly growth, that would likely translate to a rise in the stock price as soon as that information became public. So, if you knew this before everyone else, could you use that to your advantage? Well, hell yeah you could.

You could buy that stock and wait for the announcement and watch your net worth rise, then sell it to make a good profit. If you had this sort of advanced information, it would almost surely mean you could make a fortune in the stock market. It works the other way, too. If you know a stock is gonna go down, you can short-sell that stock to make a profit if it goes down, and that works very well. But if you had access to early information like this and used it to make a profit, well, that’s illegal because trading based on inside information is illegal. If you get insider information, you shouldn’t be able to profit from it. This makes the market fair for everyone. But this doesn’t stop people from trying it. I bet a lot of people would love to get insider information on how a company is performing before the public knows. But the problem is, how do you get that insider information in the first place? The obvious answer is an employee inside the company. They might have this information and use it to make some sort of trade or tell a friend to make a trade.

It’s non-public information like the company is about to merge, or they’ve made insane growths or profits, whatever it might be. The point is, they trade on the back of that information, putting them ahead of the game. So, the insider could try to profit off of what they know, or sometimes they could just tell a friend or family member about something going on in the company, and they take that information and invest in the stock. A family member could make a bunch of money from a casual thing said during Thanksgiving dinner or something. Now, an international airport doesn’t sound like a great place for an important business meeting. There are a lot of people and a lot of noise, but I bet there is a lot of business done in airports. Back in early 2011, Atlanta Airport was the scene of one of these meetings, although to be honest, what we’re discussing [MUSIC] wasn’t exactly legal, so maybe the airport wasn’t the best place to have a meeting like this. Hartsfield-Jackson Atlanta International Airport is the busiest airport in the world. It’s huge. I think it has 100 million people fly through it every year, which is like 300,000 people a day. Crazy numbers.

But the meeting going on there that day in early 2011 was a carefully-timed on-the-hop business meeting arranged by a guy named Arkadiy Dubovoy. Now, Arkadiy was a stockbroker from Ukraine. He’s part of a big family who was into stock, big business deals, and real estate, and he basically had a lot of money. Arkadiy moved to the US somewhere in the 1990s and was living in the state of Georgia, according to research by investigative journalist Isobel Koshiw, who dug deep into the story for the Verge. Arkadiy owned an ice cream factory in the city of Odessa in Ukraine, but he had settled in a home in Alpharetta, Georgia, which is just thirty-four miles away from the Atlanta Airport. His business partner was Alexander Garkusha. He was born in Russia but had lived in the US most of his life and holds a US citizenship. Now, the two of them, Arkadiy and Alexander, set up a design and building company in 1997 called APD Developers Inc. They registered it in the state of Georgia with the two of them as directors.

They mainly built family homes, and according to records available online, they were generating revenue of over one million dollars a year. So, they were doing okay as real estate developers. The guy they had arranged to meet at the airport was Vitaly Korchevsky. He was a hedge fund manager from Wall Street, and a good one. Vitaly spent most of his time focusing on the stock market and had been doing that for years and years, so he was pretty experienced when it comes to the stock market. Vitaly worked for Morgan Stanley as a portfolio manager, and at one point was given the title of vice president. Transport yourself inside an investment bank for a second. After you’re an analyst, you then become an associate, and the next rung up the ladder from that is vice president. There are two more after that; senior vice president and managing director. Vitaly was one of Morgan Stanley’s vice presidents, so it’s safe to say Vitaly knew what he was doing when it came to stock investments and trading and managing stock portfolios.

He would be in the position to know how the market would react to certain kinds of information. Vitaly had used his experience to set up his own hedge fund called NTS Capital Fund LP based in the city of Glen Mills, where he lived in Pennsylvania. On his 2012 SEC filing paperwork, it was described as a pooled investment fund and a hedge fund that would accept minimum investments from outside investors of $500 million, which is quite a big minimum. Now, Vitaly had a second life outside of his corporate banking on Wall Street. He was a Slavic Evangelist Baptist pastor. He had his own church in Brookhaven, Pennsylvania called the Slavic Evangelical Baptist Church, and he had a congregation loyal to his church, and he was the pastor. He was also the chairman of the associate of the Slavic Baptist Churches USA and had been since 2003.

Vitaly, it seemed, was a busy, multifaceted guy that many looked up to for advice and support, both financially and spiritually. So now you understand more about Arkadiy, Alexander, and Vitaly, which were the three guys that were meeting in this Atlanta airport. [MUSIC] Vitaly was passing through, waiting for a connecting flight, so his time was a little limited. Somewhere in amongst the monster airport, its two huge terminals and five concourses, the three of them sat down for a chat. Now, it was Pavel, Arkadiy’s brother back in Ukraine, who actually arranged this meeting. He made the introductions and made it happen, and you can think of Pavel as a kind of middleman in all this. He’s gonna pop up a lot in this story. So, Arkadiy sits down with Vitaly and says that he has a foolproof way to get his hands on top-level insider financial information on big US companies before anyone else knows about it. He was talking about having access to the kind of information that would enable an experienced stock trader to make big trades on that company’s stock for insane profits and pretty much never lose money.

It could be done multiple times with multiple different companies, keeping it all under the radar and untrackable. It was an insider trading scheme that he was touting to Vitaly, but it was insider trading with a difference; the insider wasn’t a disgruntled employee or a senior executive spilling secrets to make some money on the side. No, Arkadiy had something far bigger than that. Arkadiy had a solid, reliable stream of information coming to him, which was insider information on dozens of US companies. He was claiming he had access to their financial reports well before the public could see them. Vitaly was paying attention. He knew exactly what to do with early access to financial reports like this, and he understood that this could mean he could make a lot of money. Here’s one more clip from the movie Wall Street.

LOU: [MUSIC] I don’t know where you get your information, son, but I don’t like it. The main thing about money, Bud; it makes you do things you don’t want to do.

JACK: But how was Arkadiy able to get all this information ahead of the public? Well, Arkadiy’s secret was hacking. [MUSIC] He had a guy who was in his twenties from Ukraine called Ivan Turchynov. Now, he lived in Kiev, Ukraine’s capital, the largest city, and specifically in a posh area of town. There’s an area there called Koncha-Zaspa. It’s smart, expensive, and in an area that you’ll find top politicians along with some former presidents living. The homes there go on sale between three and five million dollars, with a river and woodlands on one side and huge gated properties with tens of acres of land on all sides. This is an elite area of Ukraine, and this is where Ivan, the hacker of this story, lived, according to the Verge. He seemed to have a lot of cash and liked to show it off. Clocks were his particular favorite, gold clocks to be more exact, and he had scores of them. He also had a standard luxury car and a busy social life and night life, and he loved to flaunt his wealth and show it all off.

So when you combine Arkadiy’s wealth and business sense with Vitaly’s stock market knowledge and Ivan’s hacking skills and all of them aren’t afraid to do illegal things to make more money, then you start to get quite a spicy recipe. Now, Ivan, the hacker, had been working with Arkadiy to try to find something that they could do to make more money. They were both seeing that when a company publishes a financial report, it makes that company’s stock swing around. So, they wondered if there was a way to get those reports ahead of everyone else, and that’s when they started looking into the world of newswires. [MUSIC] So, this is how newswires work; all companies that are trading publicly on the stock exchange are required by the Security Exchange Commission, the SEC, to publicize their financial statements regularly. These are reports that pop up every few months, and the reports tell investors how the company is performing, what their cash flow is, their revenue, their debts, and they usually include some income statements and cash flow statements and finance and profitability ratios.

Boring stuff to most of us, but to the right people, these little bits of information will translate into millions of dollars in profits or losses in the stock market. These companies all need a way of publicizing these reports. I mean, they have to do it by law. They need to tell their investors how they’re doing, and they need a way to tell everyone at the same time. No favorites allowed here. Everyone needs to be able to access it at the same time or else the company can get in trouble for providing insider information. Sure, they can stick this item on their company website somewhere or do a mass e-mail shot, and some of them do just that. But many major US companies use the services of newswires. Newswire agencies specialize in distributing financial reports and other news that a company needs to relay to its shareholders, and they have networks in place already that can get a press release out to the world at a push of a button. For companies, this is a quick and convenient way to just make the whole process easier.

This kind of financial information for big corporate companies can have big impacts on their investors and their stock prices, so it’s common that they put it together in a press release and send it to a newswire who will then publish it publicly when it’s time. A lot of these reports get published just after the market closes on a particular day, because they know this information could then just flow out overnight and hit the stock market floor in the morning. Tried and tested, this is the usual flow of how these things work. Now, the top three financial newswire distributors in 2010 were Business Wire, PR Newswire, and Marketwire. These companies have been around for a while, too; Business Wire was founded in 1961, and they’ve got their headquarters in San Francisco. PR Newswire was founded in 1954 and it’s headquartered in Chicago. Now, that one was originally run entirely by Herbert Muschel out of his New York City home, and that was before computers and the internet and the ability to send out information electronically.

Instead, he used teleprinters to get information out to news outlets in New York. But now we are all digital and networked, so these newswires all compete with each other to try to get the big companies’ business. It’s all very competitive, and it means each of them have to have a good selection of companies as clients. So, when they get a press release, they upload it to their servers where it sits under wraps until the agreed-upon time and date when it should be released to the public, and then it gets published. It’s all very straightforward, but are you seeing the problem yet? [MUSIC] Financial reports from major businesses all sent to the same three places and staged on a server until it’s the right time to publish them? Yeah, I think you know where this is going. In February 2010, Ivan, the hacker in Ukraine, set his sights on Marketwire. He knew somewhere in Marketwire they must be storing these press releases before they’re being published publicly, and he wanted to find where they were. He scanned the website looking for a vulnerability, and found the website was vulnerable to SQL injection attacks.

So, this is where when you fill out any kind of text box or form on a website; the data you typed in may get sent to the SQL database, which is where all the information is stored on the website. So, maybe it’s a search field and maybe you’re on the site searching for press releases for some company. Okay, so when you hit Search, whatever you typed in, that could be sent to the database directly to search it for any hits. I mean, the site has to know that you’re looking for something and has to ask the database if that something you’re looking for is there, right? But what if instead of typing in some company name to search for, instead you just put in all kinds of funky characters that screws up the search and tells the database to do something else altogether like just give me everything in the database, not just what I’ve searched for? This is the kind of behavior Ivan was trying to get the Marketwire website to do. Ivan relentlessly attacked Marketwire’s website, trying many different inputs to try to get something valuable back from the database that he could use.

He spent months on this, submitting hundreds and hundreds of form fields all trying to do SQL injection. Over time, he got it working. I’m not exactly sure what steps he took here, but over the course of five months and 390 SQL injections later, he found a way into where the unreleased press releases were stored, and he scooped up 900 of them. [MUSIC] Then in July 2010, he added PR Newswire to his target list. This website used the PHP language to render the page, and he was able to exploit this PHP code that was on the website to gain access to their servers and went to look around. He left a PHP script there that would give him backdoor access to this place so he could just go back in whenever he pleased and look around in PR Newswire’s network. Of course, as he looked around there, he found exactly where the unreleased press releases were stored in this network. Ivan knew of the other news agency too, Business Wire. Of course he wanted to find a way into this one too, but he was having a hard time with it. We do know that Business Wire employees received a rash of phishing e-mails during this time.

Maybe that was Ivan trying to trick an employee to install some malware or steal their credentials. It does seem like Ivan eventually got a user database to the site somehow, which gave him usernames and hashed passwords, and from there he had to run the hashes through a cracking tool to try to get the password. Eventually he was able to brute force his way into Business Wire this way, and once inside, he started grabbing dozens of non-public press releases. So, Ivan had successfully broken into all three of the leading newswire agencies and siphoned off copies of press releases before they were published publicly. [MUSIC] He then sent them directly to Arkadiy and Alexander, and he’s just e-mailing them over bulk attachments, like seventy, eighty, ninety press releases at a time. Bear in mind, this all had to be done in a very short timeframe. The press releases were often uploaded to these newswires just a few hours before they were due to go public. So in that time window is when this scheme had to work. The hackers needed to steal the press release and then pass it to the traders, and then the traders had to look through these press releases to see if there was anything valuable in there, and then decide if they needed to make trades and move themselves into the right positions.

I imagine it was a frantic sort of operation, a lot to do in a short time, and then Ivan is sending them dozens of press releases at a time. So, they’re having to make sense of a lot of information fast, because at any minute that’s going to be public and the market may move, and they may miss their chance. Then you have to plan your exit; how long do you wait for the market to adjust before you hop out? A few hours, maybe? There’s a lot going on for these guys to do, and it’s no wonder that they wanted to bring Vitaly into the fold to take a portion of this work and make some money for them, too. They simply couldn’t do it all on their own. Ivan, the hacker, was feeling this process was getting tedious. Having to go in, grab press releases, download them, and e-mail them to the other guys, that’s a lot of steps that he was doing over and over and over throughout the day. So, Ivan came up with a better way. [MUSIC] He set up a dedicated web server.

Every time he accessed the new press releases and grabbed them, he’d upload them to his server. He had it locked down with a username and password, and he gave these credentials to the traders who were involved in the scheme. Now the traders could log in and just pick off the press releases that they liked the best, and it made the process a little bit more automated and easier for the traders to parse the information, and easier for Ivan, too. These traders weren’t necessarily computer savvy with this sort of thing, so Ivan had to make a little how-to video demo that showed them how to access the press releases on the server. Pavel, which is Arkadiy’s brother, was who took the video and shared it with the traders. He also used this video as a way to persuade other traders to join the fold. Now, Ivan also shared tips too on how to use a proxy and a VPN to hide the IP addresses so people would cover their tracks properly. In November 2010, Pavel shared this demo video with Arkadiy, who used it in negotiations with Vitaly.

It was that demonstration that tipped the balance for Vitaly. Seeing for himself in black and white the information that would be available to him if he joined, he knew exactly what he could do with that information, and that was just too attractive for him to turn down. Vitaly Korchevsky, hedge fund manager and Baptist pastor, was in. I feel like I’ve been talking for a while, so I’m gonna take a little break here and get a drink of water, but I’ll be back in a minute to tell you the rest of the story. While Arkadiy was busy expanding this little scheme of his, the SEC was really revving up. [MUSIC] At the start of 2010, they were creating new divisions and departments, and one of the units was called the Market Abuse Unit, and it would focus on cases of insider trading. The SEC is a law enforcement agency which looks for signs of market manipulation. With headquarters in Washington, DC, they have between 3,000 and 4,000 staff across the board, and they have to work real hard to unravel some of these illegal trading schemes and gather the evidence that they need to take them down.

The SEC is out there looking for people doing schemes exactly like what Arkadiy was doing, but it’s really hard with all the money that gets transferred every day in and out of the stock market. But the SEC has a secret weapon called Artemis, which stands for Advanced Relational Trading Enforcements Metrics Investigation System. What a mouthful that is. So, this is like an enormous database system that holds trade records from across the sector, and it uses mathematical algorithms and advanced analytics to analyze and rank the trades depending on what the SEC is looking for. It’s a powerful tool and it’s capable of spotting trading patterns that the human eye or brain just can’t do. In the past, the SEC was kind of a reactive force when it came to insider trading. They’d be informed of an incident or suspicions and then start their investigation. Sometimes when there was significant news about securities involving a company, they would investigate if suspicions were raised looking for trading activity that might have taken place on the back of it. But while criminals are using technology to hack into places in order to do insider trading, the SEC is also using advanced technology to try to detect those illegal trades.

Their tools give them the ability to parse and examine every single trade to try to find indicators of suspicious behavior, and their tool was seeing something suspicious with these trades. In January 2011, Ivan lost his backdoor access into PR Newswire. The newswire didn’t know they had been hacked into; no, no. They just changed their infrastructure, and in that process, they removed the system where his backdoor was implanted on, so access denied for him. It was gonna take him a while to find another way in, but in the meantime, he was just focusing on stealing press releases from Marketwire instead, ensuring the steady flow of releases still got to traders, because if the traders didn’t get the information, then he wasn’t gonna get paid. Ivan gave the traders his bank account details, which were accounts in Estonia and Macao, and this is where he wanted his cut of the profits paid into. Now, as far as I can work out, Ivan was raking in somewhere between 40% and 50% of the profits from the trades made using the information in the press releases he stole, which I guess is fair.

Without this insider information that he’s producing, the traders would have nothing to work with. So his role was crucial in this whole scheme. By July he got back inside PR Newswire, and again he installed some code on their server so he could just hop back in whenever he needed. Great. But that was also the month that this group started to inadvertently leave breadcrumbs behind them, crumbs that would eventually be noticed and followed. [MUSIC] At some point, one of these brokerage accounts they used to trade with became on the US authorities’ watch list. My guess is that it was the SEC that identified a trading account looked suspicious and to keep an eye on it. Well, for some reason, it was Ivan, the hacker, that logged into that brokerage account to check on things. Investigators took note of his IP address for later, and it was later that they saw this same IP log into Marketwire and PR Newswire to download press releases. This would prove to be a crucial link that would connect the hacker with the traders. By this point, the scheme was running very well and this group was making a lot of money. [MUSIC] Take the Dendreon Corp stock, for an example.

So, this is a big bio-tech and pharmaceutical company based out of Seattle, and on August 3, 2011, PR Newswire uploaded a press release for Dendreon onto their server at 3:34 PM. At 4:01 PM, less than a half hour later and one minute after the stock market shut down for the day, the press release was made public as Dendreon wanted. But four minutes before it went public, at 3:56, Pastor Vitaly suddenly purchased 1,100 put options of Dendreon Corp. As soon as the press release became public, the stock price rose, and the following day, Vitaly sold all 1,100 options and made a clear profit of more than $2.3 million. Yes, million, in less than twenty-four hours. Across this period, there were more than four direct contacts between Vitaly and Arkadiy, which lends us to believe that these trades were conducted using insider information. In the middle of October, they were at it again. This time, the target company was Caterpillar Inc. You know this company; they’re massive. They make construction and mining equipment, big turbine engines and natural gas engines, and they’ve been doing it for almost a hundred years. They make boots, too. So, Caterpillar used PR Newswire when they had a press release ready to go out to the public.

They’d send it along with the date and time for it to be released, and PR Newswire would upload it onto the server so it was all ready to go, and that’s exactly what they did on October 21, 2011. The release said that the company’s profit after tax for its third quarter was up 27% compared to 2010. That’s great news for the company and its investors, and it was supposed to go public three days after it was uploaded. But not long after it was uploaded, the traders began to pounce. Suddenly shares of Caterpillar were bought in multiple brokerage accounts worth $5.9 million. That was about 3,800 shares in the company, and if you dig a little deeper, you find that they purchased them through EDGX using a brokerage account registered to Arkadiy. When the press release went public on October 24 as planned, the price of the stock in Caterpillar Inc shot up, exactly as the traders thought it would. On that very same date, the traders sold their shares and made a profit of more than $648,000. The group didn’t stop there. On January 25, 2012, Caterpillar gave another press release to newswire, and this one said the company’s profits were up 36% from the year before, and just like what happened three months earlier, after this press release was uploaded to PR Newswire, the traders appeared and began to move Caterpillar stock.

This time they purchased around 600 shares, which was about $8.3 million, and the brokerage account they used was an account that was registered to Arkadiy. While all this was going on away from prying eyes, there was some serious unrest going on in the front of house of these newswires. In the very same month that Arkadiy was making these insider trades on Caterpillar for millions of dollars, Marketwire filed a $25 million lawsuit against PR Newswire. They were blaming their rival for poaching their staff. The concern was that they were trying to get their hands on confidential information and trade secrets from inside the company. A senior staff member at Marketwire, their chief technology officer, had left and started working for PR Newswire, and a couple of the staff followed and joined him. So, everything was not rosy between these two newswires. But while they were battling it out in court, they didn’t know at the very same time Ivan was rummaging around in their servers, stealing extremely sensitive information. Forget about staff breaching confidentiality; they should have been focusing on securing their networks better.

I don’t think anything actually came of this lawsuit, and the two companies just ended up being disgruntled at each other. It was just a weird time for them to be focused on this, which might be a reason why they didn’t spot intruders lurking about in their servers. So, this scheme was becoming a pretty well-oiled machine of securities fraud; two distinct skill sets coming together to make millions of dollars, hack into companies, and steal press releases, and then make trades based on that information. With each new press release, it was a potential big payday for them. With so many press releases, it was just rinse and repeat and reap the rewards. Ivan didn’t know who Arkadiy was hiring to do the trades. At least, I don’t think he knew, and I’m fairly certain the traders didn’t know who the hackers were, either. There was this layer in-between, middlemen, if you will, there to act as a messenger and go-between, like Pavel, which is Arkadiy’s brother. [MUSIC] They were the firebreak that stopped prying eyes or investigative hands from finding direct links between the hacker group and the trading group. At least, they were supposed to be.

By the time 2012 rolled around, Ivan had been sailing along in a real comfy position. Now, Ivan is a bit flashy with his gold clocks, nice cars, and big house as I mentioned before. Earlier that year, he was in a club in Kiev and decided to brag to some of his friends about this amazing scam that he’s been pulling off for years. But this was a mistake. Don’t get drunk and tell people about your very profitable hacking scheme. One of these friends of his was Oleksandr Ieremenko. He was in his twenties, similar age to Ivan, and they worked together in the past. So, Olek thinks this gig sounded pretty cool and wanted to get in. But instead of asking nicely to be let in, he decided to double-cross Ivan, or maybe he asked Ivan nicely, but Ivan said no. I don’t know. Now, according to the Verge, it sounds like Olek called his friend Vadym, and together they figured out what this whole scheme was, and they wanted in. They hacked into one of the newswires themselves and cut Ivan’s access off. They just chucked him out and sat in there themselves. So, this newswire was completely unaware that they’ve been hacked twice now by competing hackers, with one hacker being locked out and a new set of hackers being put in his place.

Ivan had a big problem; he lost access to a big source of these very valuable press releases, and worse, his own friends were sitting there instead. He tells his middlemen who deal directly with the traders what happened, and safe to say that no one on that side was pleased to hear this. So, a new deal got made; Olek and Vadym’s little takeover stunt worked, and they both got brought into the fold. The traders were happy again. The more hackers means the more press releases and the more chances to make money. Ivan, though, was not so happy about this change. Now he had to split his share with these other two, compared to just having it all for himself. He wasn’t the sole hacker anymore, and that means a big hit on his profits. While Ivan’s distracted by his friends hustling in on this scam, he didn’t notice some attention starting to come his way from the US authorities, and it was a sign of what was to come. Now, newswires are the same as any other company. They take their network security seriously and regularly do audits and checks to make sure that their systems are secure. Sometimes they find something; maybe permissions were too relaxed on some system or things weren’t locked down like they should. But whatever security they had in place, it wasn’t enough to stop this crew or detect them once they got in. But in March of 2012, the FBI told PR Newswire that they’ve been breached.

[MUSIC] This is how they first heard their systems were compromised; the FBI somehow saw this was happening before PR Newswire even knew it was going on. According to the Verge, PR Newswire then called in a security firm called Stroz Friedberg to investigate what was going on in their networks. During that examination, they found Ivan’s backdoor and they saw how he was stealing press releases. The tech guys obviously removed it and cut Ivan’s access off, and after some panicked e-mails to Ivan’s middlemen, it was Olek who managed to get code back into the systems and restore their access into PR Newswire so they could continue. But unbeknownst to them, the authorities were now onto Ivan, and they had him firmly in their sights. Working in tandem with the US, Ukrainian intelligence services put surveillance on Ivan. What triggered them initially to find him exactly? I don’t know, but by watching Ivan, they found out pretty quick who his friends were, and eight months later, with the help of the FBI and the US Secret Service, nine properties in Kiev were raided. Both Ivan and Olek’s laptops were seized in the raids, and these were the laptops the two hackers were using to access the newswire systems. There were hundreds of stolen press releases on them, and reams of online chat logs which gave the feds clear insight into the whole operation.

A big success, you would think, but then it all went silent, like eerily quiet. Nothing happened at all for a while. There was evidence that they had identified culprits, but nothing went any further. You see, Ukraine has laws in place that prohibit extraditing their own citizens to another country. Under the constitution of Ukraine, citizens are guaranteed care and protection. So, Ivan and Olek were, at least for the moment, safe from US authorities, and they knew it, [MUSIC] so they did what all money-hungry hackers do; they carry on with the scheme. Hackers know the value of information. Yeah, there’s different motives for when people hack stuff and different targets, but really, most of it is about information. Who has it, who wants it, and how much can it be sold for? Financial, business, or personal, data is ridiculously sellable, and the more value it is to the buyer, the more profit it will be to sell. The longer this scam was running, the more confident everybody got. But the hackers were not traders; they didn’t follow the stock markets. They didn’t know which press releases were necessarily more valuable or useful than the others. In 2012, a group of traders involved in the scam had expanded. A new guy was brought on the team. His name was Leonid Momotok.

Leonid was a stock trader friend of Arkadiy’s and worked in construction for his day job, and they went to church together. He was forty-six years old and lived in Suwanee, which is in Georgia, in the US, a pretty city about thirty miles away from Atlanta. Arkadiy introduced him to the scam, and he opened up a set of brokerage accounts with TD Ameritrade, and he started trading on this stolen press release information. The traders eventually got into a groove. They knew which companies used which newswire agencies and when upcoming press releases were going to be released. So, they started requesting which press releases they wanted early access to. [MUSIC] It was like an order system. On October 8, 2013, Pavel sent his brother Arkadiy a spreadsheet of eighteen companies due to announce press releases. Arkadiy sent it to his business partner Alexander. Across the rest of October, Vitaly, Arkadiy, and Leonid all made large trades on six of these companies right before the releases were published. The traders were sending the hackers their shopping list of press releases. In October 2013, a company called Align Technology sent their press release to Marketwired. I guess Marketwired changed their name from Marketwire to Marketwired just to be confusing.

But for Align Tech stock in that fifteen-hour window between when the press release was uploaded to when it was made public, Arkadiy had purchased 91,000 shares. Two hours after Arkadiy’s trades, Vitaly pops up and buys 95,000 shares. After that press release went live to the public, the pair unloaded their positions and made about $1.4 million in profits. This scheme was on fire and seemed to be doing better than ever. The traders were making enormous profits on this insider information, and the hackers were happily getting paid a percentage cut for every trade. Everyone was happy. Now, Arkadiy had been in on this from day one, and he decided he’d kinda like to expand this a little more and make more money. Money is attractive, right? So, I think he was taken in by the allure of all the cash and spending and watching his offshore bank account grow. So, early to mid-2013, he brings in another trader to join his group. This guy’s named Vlad, and he’s a trader.

He used to work on Wall Street that Pavel knew, and once Pavel made the connections, he introduces Arkadiy to Vlad. Vlad had his own trading company in the UK, but he lived in Brooklyn, New York and traded on Wall Street a lot, but he has a home in Odessa in Ukraine. Vlad really liked this plan and was on board. The deal was done; Vlad came in on the same plan that Vitaly was in on. Arkadiy opened up a brokerage account and funded it, and Vlad and Vitaly just did their trades. Vlad got a percentage cut just as Vitaly did, and Vlad was just another trader in this scheme. But I’m not sure if Arkadiy told the hackers about this new trader. I mean, if the hackers knew there was a new trader here bringing in all kinds of extra money, they’d know that they should be getting a cut from those profits. So, it’s possible Arkadiy didn’t tell them. I’m not sure, but for a person who isn’t afraid to break a bunch of laws to make more money, I wouldn’t put it past him that he was keeping some secrets from his own team. Arkadiy was ready to bring on even more people, but of course it’s hard to find people you trust, so he turned to his son, Igor.

Igor helped to move the press releases around and get them to Vitaly and Vlad. I don’t think Vitaly or Vlad knew each other, either. In fact, they may have never even met each other during this whole scheme. Soon though, that would turn completely on its head. [MUSIC] The morning of Tuesday, August 15, 2015, started as a quiet day for Vitaly. He was at home in his Glen Hills, Pennsylvania house when he heard a knock on the door. When he opened it, he was greeted by a team of FBI agents with a warrant for his arrest. Vitaly was handcuffed, hands behind his back, and led out to awaiting police vehicles. Just about 900 miles away in Georgia, at the exact time, two more FBI teams were knocking on other doors. Arkadiy and his son were arrested, and in the same morning, Alexander and Leonid were also arrested in their homes that morning. Vadym, one of the hackers, had already been arrested on completely separate charges of credit card fraud. Vadym was picked up while he was on holiday in Mexico a year earlier, and he had been handed straight over to the US authorities when he got arrested. Within hours, New Jersey US attorney Paul Fishman was leading a press conference explaining the day’s events. Here’s a clip from that.

PAUL: This morning, we’re here to announce criminal and civil charges in a broad-ranging, cutting edge, international scheme at the intersection of hacking and securities fraud. For more than five years, hackers largely operating in Ukraine repeatedly penetrated the networks and servers of Marketwired, PR Newswire, and Business Wire. Over that five-year period, using a variety of hacking techniques and tactics including brute force attacks, SQL injection attacks, and phishing, those hackers stole well over 100,000 confidential news releases before they were distributed. Two indictments charging a total of nine individuals, we allege that the conspirators stole more than 100,000 news releases, traded ahead of more than 800 releases, and made more than $30 million. In addition, the SEC has filed a civil complaint charging those individuals and a host of others with similar trading conduct. We also collectively, among all of us, have seized seventeen bank and brokerage accounts so far which we believe contain more than $6.5 million. We’ve also collectively seized fifteen properties including a house boat, a shopping center, and an apartment complex.

JACK: The New Jersey indictment charged Vitaly, Vlad, Alexander, and Leonid with five charges of conspiracy to commit wire fraud, securities fraud, and money laundering conspiracy. The New York indictment charged Arkadiy with twenty-three more charges of wire and securities fraud, aggravated identity theft, and money laundering. Not only did they charge Arkadiy with all that, but they also charged his son Igor and his brother Pavel with more charges. Ivan and Olek, the hackers involved, also were charged with the same twenty-three charges. Along with the criminal charges and the two indictments, the SEC also filed a civil complaint against Arkadiy, Pavel, and Igor Dubovoy, Ivan and Olek, Vlad and Vitaly, and Leonid and Alexander. That complaint also charged another twenty-three individuals and companies who had been trading on this stolen information. It sounds like those in on the scheme couldn’t keep quiet and were telling others to do some trades, too. Mary Jo White, the SEC chair, explained more at the press conference.

MARY: While the SEC has uncovered and successfully litigated hacking and trading schemes in the past, today’s international case is unprecedented in terms of the scope of the hacking at issue, the number of traders involved, the number of securities unlawfully traded, and the amount of the profits generated.

JACK: A total of seven people were arrested that were involved with this scheme, and pretty quickly, people started admitting to guilty pleas. Alexander, Arkadiy, his son Igor, and Leonid all pled guilty, but Vitaly and Vlad both stuck with saying they weren’t guilty. These two traders were trying to say that they had no idea the information they got was stolen or insider information, which means they brought this whole case to trial, which is great news for me because as a journalist, I can now see all the information in this case; the evidence, the testimony. It all went into the public domain over this four-week trial. Vitaly had almost eighty members of his church congregation support him during his first court hearing. They couldn’t believe their pastor could be involved in something as shady and dishonest as this, but this was no match for the SEC, Secret Service, and FBI on the prosecution side. They came with piles of evidence showing exactly what Vitaly traded and when and how they tied him to Arkadiy. Prosecutors claimed that Vitaly made over $15 million from insider trading he conducted.

They even had logs and evidence collected from the raids in Ukraine off of Ivan and Olek’s laptops, and they showed how the group changed IP addresses, used VPNs, multiple computers, burner phones, and offshore accounts to conduct this scheme. It was pretty clear that Vlad and Vitaly knew exactly what they were involved with. Some of the most damning evidence came against the pair from Arkadiy and his son, Igor. They had been arrested in the raids in 2015, and both pled guilty to the charges against them, but they started producing evidence against Vitaly and Vlad, too, which looks to me like they may have done that to look like they’re cooperating and maybe reduce jail time. The court found Vitaly and Vlad guilty of all charges. Vitaly had to serve five years in prison along with an order to pay $14 million in forfeiture, and a $250,000 fine. Vlad was jailed for four years. A year later, in 2019, Leonid was sentenced by a New York judge to three years of supervised release and was ordered to pay $1.3 million and do one hundred hours of community service. A month later, Alexander was sentenced to time served. Alexander gave evidence against Vitaly and Vlad during the trial, which the judge found especially compelling, according to a news report.

Alexander cooperated with authorities after he was arrested, and he aided their investigation into the scheme and how it all worked. Vadym was the only hacker to be caught by US authorities in this scheme. He was arrested for credit card fraud through hacking, but the feds soon linked him to Olek. Vadym pleaded guilty in May 2016, and took a plea deal. He admitted personally to hacking all three of the newswires and stealing employee credentials. He also admitted to selling the information he stole. A year later, he was sentenced to two-and-a-half years in prison with a three-year supervised release to follow. He was ordered to pay restitution of just over $3 million. Arkadiy and his son Igor, from what I can see, they’re still awaiting sentencing. After their guilty pleas, everything just got delayed because of COVID. The authorities said that there were a total of thirty-two people involved with this scheme in some way or another. Seven got caught and were found guilty that we know of, but three key players remain in the wind; the hackers Ivan and Olek, and Arkadiy’s brother Pavel. All three are suspected to be in Ukraine, which is sort of protected from the long arm of the US authorities. But the US Secret Service has put a one million-dollar reward for the capture of Olek. Supposedly after this, Olek went on to hack into the SEC itself, and then sold that information he stole to someone else, potentially using it to make money on the stock market, too.

Ivan and Pavel are also on the US Secret Service list of most-wanted fugitives, but there’s no reward listed for them. In the end, this scheme seemed to make everyone a profit of over $30 million, which was quite an epic run, and I find this whole scheme somewhat surprising. I just never thought about using hacking to steal financial information to then use to make money on the stock market. It’s pretty clever and inventive, if you ask me. It’s also fascinating to see how the SEC has tools now to detect when people are making huge profits very quickly and are able to do it again and again. The average trader doesn’t make profits like that, so for the SEC to spot anomalies in real time, that’s gonna cut down on the ability for anyone else to do this in the future. But in the end, I think this crew was driven by greed. $1 million wasn’t good enough. $5 million wasn’t good enough. $10 million wasn’t good enough. Of course, one newswire agency wasn’t good enough; neither were two. They wanted all three. Then they kept expanding their team and making their trades more frequent, and at some point you simply can’t hide all these tracks and wash all your accounts and phones fast enough. If it feels like you’re able to do all this and get away with it, then yeah, I can see you might get lazy and cut corners on how everything is done. So in the end, I think it was greed that brought this whole thing crashing down.

(OUTRO): [OUTRO MUSIC] If you like the show, you might want to check out the shop. I’ve been working hard at making some pretty cool shirts for you. There are over thirty designs now, and surely there’s one that you would like. So, head over to shop.darknetdiaries.com and pick up a new shirt. This show is made by me, the shadow, Jack Rhysider. This episode was written by Fiona Guy, sound design by me? Oh yeah, that’s right; I added the music for this episode. Editing help this episode by the devious Damienne. Our mixing is done by Proximity Sound, and our theme music is done by the wicked-fast Breakmaster Cylinder. A hacker went into a bar and he said give me your strongest link. This is Darknet Diaries.


(Transcribed by Leah Hervoly)