WEBVTT

00:00:00.371 --> 00:00:06.800
JACK: The stock market; this is where you can go buy part of a company and hope the value of that

00:00:06.800 --> 00:00:12.560
company goes up so your part is worth more, but it’s a big risk. Predicting the future is hard.

00:00:12.560 --> 00:00:16.640
Even the most educated and well-researched people who spend their whole life focusing

00:00:16.640 --> 00:00:22.720
on finance get it wrong a large part of the time. Some think they have it all figured out though,

00:00:22.720 --> 00:00:27.680
like Gordon Gekko in the 1987 film Wall Street. Here’s a clip from the film.

00:00:27.680 --> 00:00:33.360
GORDON: The public is out there throwing darts at a board, sport. I don’t throw darts at a board.

00:00:33.360 --> 00:00:41.280
I bet on sure things. Read Sun Tzu, The Art of War. ‘Every battle is won before it’s ever

00:00:41.280 --> 00:00:46.640
fought.’ Think about it. You’re not as smart as I thought you were, buddy boy.

00:00:46.640 --> 00:00:52.880
You ever wonder why fund managers can’t beat the S&P 500? ’Cause they’re sheep,

00:00:52.880 --> 00:00:57.680
and sheep get slaughtered.
JACK: So what was Gordon Gekko’s secret so that

00:00:57.680 --> 00:01:05.520
his stock bets were a sure thing? Well, he was investing using insider information, information

00:01:05.520 --> 00:01:12.480
that wasn’t yet available to the public. Knowing what a company is about to do or announce gave him

00:01:12.480 --> 00:01:20.640
a big edge that made him a lot of money.
(INTRO): [INTRO MUSIC]

00:01:20.640 --> 00:01:30.720
These are true stories from the dark side of the internet. I’m Jack Rhysider. This

00:01:30.720 --> 00:01:46.640
is Darknet Diaries. [INTRO MUSIC ENDS]

00:01:46.640 --> 00:01:51.840
JACK: Insider trading is an age-old concept. It’s been going on for years, and it’s the bugbear of the

00:01:51.840 --> 00:01:56.640
stock market. This is people getting their hands on the kind of information that trades

00:01:56.640 --> 00:02:01.520
can be based on to make more money, but it’s information they shouldn’t have.

00:02:01.520 --> 00:02:08.160
This is financial data or corporate secrets obtained by deceptive or illegal means. Yeah,

00:02:08.160 --> 00:02:14.240
that gives them a distinct, unfair advantage over other traders, but that’s exactly the problem;

00:02:14.240 --> 00:02:20.320
it’s not a fair way to trade and it undermines the entire stock market system. As Gordon Gekko

00:02:20.320 --> 00:02:25.680
famously said in the film Wall Street…
GORDON: The most valuable commodity I know of

00:02:25.680 --> 00:02:32.640
is information. Wouldn’t you agree?
JACK: What stock market traders aim to do is

00:02:32.640 --> 00:02:36.560
predict the future. If they can buy a stock that goes up in value,

00:02:36.560 --> 00:02:42.160
they will make money, sometimes a lot of money, but that’s the hard part, predicting the future.

00:02:42.160 --> 00:02:48.480
So, forecasts of a company’s profits, sales, overheads, analyst reports, or market shares,

00:02:48.480 --> 00:02:53.600
these could all be indicators of what may happen in the future. So, they’re all very important to

00:02:53.600 --> 00:02:58.480
traders. Typically, a company will put these numbers together, then publish them publicly

00:02:58.480 --> 00:03:04.800
for everyone to see. But sometimes when a company publishes a report, it makes their stock change

00:03:04.800 --> 00:03:12.080
wildly. [MUSIC] So, what if you could see what these internal reports look like before they got

00:03:12.080 --> 00:03:17.920
published to the public? If you’re a stock trader and you’ve got some privileged inside information

00:03:17.920 --> 00:03:23.360
that your fellow traders don’t have, well, that puts you significantly ahead of the game.

00:03:23.360 --> 00:03:29.040
Think about it; if you knew that company has far exceeded its quarterly growth, that would likely

00:03:29.040 --> 00:03:34.960
translate to a rise in the stock price as soon as that information became public. So, if you knew

00:03:34.960 --> 00:03:40.080
this before everyone else, could you use that to your advantage? Well, hell yeah you could.

00:03:40.080 --> 00:03:44.560
You could buy that stock and wait for the announcement and watch your net worth rise,

00:03:44.560 --> 00:03:50.240
then sell it to make a good profit. If you had this sort of advanced information, it would almost

00:03:50.240 --> 00:03:54.720
surely mean you could make a fortune in the stock market. It works the other way, too. If you know

00:03:54.720 --> 00:03:59.200
a stock is gonna go down, you can short-sell that stock to make a profit if it goes down,

00:03:59.200 --> 00:04:03.600
and that works very well. But if you had access to early information like this and

00:04:03.600 --> 00:04:10.560
used it to make a profit, well, that’s illegal because trading based on inside information

00:04:10.560 --> 00:04:16.000
is illegal. If you get insider information, you shouldn’t be able to profit from it.

00:04:16.000 --> 00:04:21.280
This makes the market fair for everyone. But this doesn’t stop people from trying it.

00:04:21.280 --> 00:04:27.280
I bet a lot of people would love to get insider information on how a company is performing before

00:04:27.280 --> 00:04:33.600
the public knows. But the problem is, how do you get that insider information in the first place?

00:04:33.600 --> 00:04:38.640
The obvious answer is an employee inside the company. They might have this information

00:04:38.640 --> 00:04:42.320
and use it to make some sort of trade or tell a friend to make a trade.

00:04:42.320 --> 00:04:47.760
It’s non-public information like the company is about to merge, or they’ve made insane growths or

00:04:47.760 --> 00:04:52.720
profits, whatever it might be. The point is, they trade on the back of that information,

00:04:52.720 --> 00:04:57.840
putting them ahead of the game. So, the insider could try to profit off of what they know,

00:04:57.840 --> 00:05:02.560
or sometimes they could just tell a friend or family member about something going on

00:05:02.560 --> 00:05:07.920
in the company, and they take that information and invest in the stock. A family member could

00:05:07.920 --> 00:05:14.160
make a bunch of money from a casual thing said during Thanksgiving dinner or something. Now, an

00:05:14.160 --> 00:05:19.280
international airport doesn’t sound like a great place for an important business meeting. There

00:05:19.280 --> 00:05:25.680
are a lot of people and a lot of noise, but I bet there is a lot of business done in airports. Back

00:05:25.680 --> 00:05:31.840
in early 2011, Atlanta Airport was the scene of one of these meetings, although to be honest, what

00:05:31.840 --> 00:05:36.960
we’re discussing [MUSIC] wasn’t exactly legal, so maybe the airport wasn’t the best place to have

00:05:36.960 --> 00:05:42.640
a meeting like this. Hartsfield-Jackson Atlanta International Airport is the busiest airport in

00:05:42.640 --> 00:05:47.760
the world. It’s huge. I think it has 100 million people fly through it every year, which is like

00:05:47.760 --> 00:05:53.040
300,000 people a day. Crazy numbers. But the meeting going on there that day in early

00:05:53.040 --> 00:06:01.360
2011 was a carefully-timed on-the-hop business meeting arranged by a guy named Arkadiy Dubovoy.

00:06:01.360 --> 00:06:07.280
Now, Arkadiy was a stockbroker from Ukraine. He’s part of a big family who was into stock,

00:06:07.280 --> 00:06:11.200
big business deals, and real estate, and he basically had a lot of money.

00:06:11.200 --> 00:06:15.840
Arkadiy moved to the US somewhere in the 1990s and was living in the state of Georgia,

00:06:15.840 --> 00:06:21.040
according to research by investigative journalist Isobel Koshiw, who dug deep into the story for

00:06:21.040 --> 00:06:27.120
the Verge. Arkadiy owned an ice cream factory in the city of Odessa in Ukraine, but he had settled

00:06:27.120 --> 00:06:31.920
in a home in Alpharetta, Georgia, which is just thirty-four miles away from the Atlanta Airport.

00:06:31.920 --> 00:06:37.440
His business partner was Alexander Garkusha. He was born in Russia but had lived in the US most

00:06:37.440 --> 00:06:42.880
of his life and holds a US citizenship. Now, the two of them, Arkadiy and Alexander, set up

00:06:42.880 --> 00:06:49.040
a design and building company in 1997 called APD Developers Inc. They registered it in the state of

00:06:49.040 --> 00:06:53.360
Georgia with the two of them as directors. They mainly built family homes, and according to

00:06:53.360 --> 00:06:58.320
records available online, they were generating revenue of over one million dollars a year. So,

00:06:58.320 --> 00:07:03.280
they were doing okay as real estate developers. The guy they had arranged to meet at the airport

00:07:03.280 --> 00:07:09.680
was Vitaly Korchevsky. He was a hedge fund manager from Wall Street, and a good one. Vitaly spent

00:07:09.680 --> 00:07:13.760
most of his time focusing on the stock market and had been doing that for years and years,

00:07:13.760 --> 00:07:18.160
so he was pretty experienced when it comes to the stock market. Vitaly worked for Morgan

00:07:18.160 --> 00:07:22.720
Stanley as a portfolio manager, and at one point was given the title of vice president.

00:07:22.720 --> 00:07:27.680
Transport yourself inside an investment bank for a second. After you’re an analyst, you then become

00:07:27.680 --> 00:07:32.320
an associate, and the next rung up the ladder from that is vice president. There are two more

00:07:32.320 --> 00:07:37.680
after that; senior vice president and managing director. Vitaly was one of Morgan Stanley’s vice

00:07:37.680 --> 00:07:42.880
presidents, so it’s safe to say Vitaly knew what he was doing when it came to stock investments

00:07:42.880 --> 00:07:48.320
and trading and managing stock portfolios. He would be in the position to know how the market

00:07:48.320 --> 00:07:53.840
would react to certain kinds of information. Vitaly had used his experience to set up his

00:07:53.840 --> 00:07:59.920
own hedge fund called NTS Capital Fund LP based in the city of Glen Mills, where he lived in

00:07:59.920 --> 00:08:07.120
Pennsylvania. On his 2012 SEC filing paperwork, it was described as a pooled investment fund and

00:08:07.120 --> 00:08:12.720
a hedge fund that would accept minimum investments from outside investors of $500 million, which is

00:08:12.720 --> 00:08:19.120
quite a big minimum. Now, Vitaly had a second life outside of his corporate banking on Wall Street.

00:08:19.120 --> 00:08:26.000
He was a Slavic Evangelist Baptist pastor. He had his own church in Brookhaven, Pennsylvania

00:08:26.000 --> 00:08:31.600
called the Slavic Evangelical Baptist Church, and he had a congregation loyal to his church,

00:08:31.600 --> 00:08:37.920
and he was the pastor. He was also the chairman of the associate of the Slavic Baptist Churches USA

00:08:37.920 --> 00:08:42.000
and had been since 2003. Vitaly, it seemed, was a busy,

00:08:42.000 --> 00:08:48.480
multifaceted guy that many looked up to for advice and support, both financially and spiritually.

00:08:48.480 --> 00:08:52.800
So now you understand more about Arkadiy, Alexander, and Vitaly, which were the

00:08:52.800 --> 00:08:57.120
three guys that were meeting in this Atlanta airport. [MUSIC] Vitaly was passing through,

00:08:57.120 --> 00:09:01.920
waiting for a connecting flight, so his time was a little limited. Somewhere in amongst the

00:09:01.920 --> 00:09:08.800
monster airport, its two huge terminals and five concourses, the three of them sat down for a chat.

00:09:08.800 --> 00:09:13.440
Now, it was Pavel, Arkadiy’s brother back in Ukraine, who actually arranged this meeting.

00:09:13.440 --> 00:09:18.720
He made the introductions and made it happen, and you can think of Pavel as a kind of middleman in

00:09:18.720 --> 00:09:24.720
all this. He’s gonna pop up a lot in this story. So, Arkadiy sits down with Vitaly and says that he

00:09:24.720 --> 00:09:32.320
has a foolproof way to get his hands on top-level insider financial information on big US companies

00:09:32.320 --> 00:09:38.080
before anyone else knows about it. He was talking about having access to the kind of information

00:09:38.080 --> 00:09:44.480
that would enable an experienced stock trader to make big trades on that company’s stock for insane

00:09:44.480 --> 00:09:49.920
profits and pretty much never lose money. It could be done multiple times with multiple

00:09:49.920 --> 00:09:54.960
different companies, keeping it all under the radar and untrackable. It was an insider

00:09:54.960 --> 00:10:01.040
trading scheme that he was touting to Vitaly, but it was insider trading with a difference;

00:10:01.040 --> 00:10:06.560
the insider wasn’t a disgruntled employee or a senior executive spilling secrets to make some

00:10:06.560 --> 00:10:13.280
money on the side. No, Arkadiy had something far bigger than that. Arkadiy had a solid,

00:10:13.280 --> 00:10:20.480
reliable stream of information coming to him, which was insider information on dozens of US

00:10:20.480 --> 00:10:27.040
companies. He was claiming he had access to their financial reports well before the public could see

00:10:27.040 --> 00:10:34.000
them. Vitaly was paying attention. He knew exactly what to do with early access to financial reports

00:10:34.000 --> 00:10:40.560
like this, and he understood that this could mean he could make a lot of money. Here’s one

00:10:40.560 --> 00:10:44.880
more clip from the movie Wall Street.
LOU: [MUSIC] I don’t know where you get your

00:10:44.880 --> 00:10:51.440
information, son, but I don’t like it. The main thing about money, Bud; it makes you

00:10:51.440 --> 00:10:57.440
do things you don’t want to do.
JACK: But how was Arkadiy able to get

00:10:57.440 --> 00:11:06.400
all this information ahead of the public? Well, Arkadiy’s secret was hacking. [MUSIC]

00:11:06.400 --> 00:11:12.880
He had a guy who was in his twenties from Ukraine called Ivan Turchynov. Now, he lived in Kiev,

00:11:12.880 --> 00:11:16.560
Ukraine’s capital, the largest city, and specifically in a posh area of town.

00:11:16.560 --> 00:11:20.960
There’s an area there called Koncha-Zaspa. It’s smart, expensive, and in an area that

00:11:20.960 --> 00:11:25.120
you’ll find top politicians along with some former presidents living. The homes there go

00:11:25.120 --> 00:11:30.560
on sale between three and five million dollars, with a river and woodlands on one side and huge

00:11:30.560 --> 00:11:36.720
gated properties with tens of acres of land on all sides. This is an elite area of Ukraine,

00:11:36.720 --> 00:11:41.600
and this is where Ivan, the hacker of this story, lived, according to the Verge. He

00:11:41.600 --> 00:11:46.960
seemed to have a lot of cash and liked to show it off. Clocks were his particular favorite,

00:11:46.960 --> 00:11:52.720
gold clocks to be more exact, and he had scores of them. He also had a standard luxury car and

00:11:52.720 --> 00:11:57.520
a busy social life and night life, and he loved to flaunt his wealth and show it all off.

00:11:57.520 --> 00:12:03.600
So when you combine Arkadiy’s wealth and business sense with Vitaly’s stock market knowledge and

00:12:03.600 --> 00:12:08.560
Ivan’s hacking skills and all of them aren’t afraid to do illegal things to make more money,

00:12:08.560 --> 00:12:15.040
then you start to get quite a spicy recipe. Now, Ivan, the hacker, had been working with Arkadiy

00:12:15.040 --> 00:12:19.520
to try to find something that they could do to make more money. They were both seeing that when

00:12:19.520 --> 00:12:24.160
a company publishes a financial report, it makes that company’s stock swing around. So,

00:12:24.160 --> 00:12:28.000
they wondered if there was a way to get those reports ahead of everyone else,

00:12:28.000 --> 00:12:33.440
and that’s when they started looking into the world of newswires. [MUSIC]

00:12:33.440 --> 00:12:37.600
So, this is how newswires work; all companies that are trading publicly on

00:12:37.600 --> 00:12:42.000
the stock exchange are required by the Security Exchange Commission, the SEC,

00:12:42.000 --> 00:12:47.760
to publicize their financial statements regularly. These are reports that pop up every few months,

00:12:47.760 --> 00:12:51.840
and the reports tell investors how the company is performing, what their cash flow is, their

00:12:51.840 --> 00:12:56.240
revenue, their debts, and they usually include some income statements and cash flow statements

00:12:56.240 --> 00:13:01.200
and finance and profitability ratios. Boring stuff to most of us, but to the right

00:13:01.200 --> 00:13:06.400
people, these little bits of information will translate into millions of dollars in profits

00:13:06.400 --> 00:13:12.480
or losses in the stock market. These companies all need a way of publicizing these reports. I mean,

00:13:12.480 --> 00:13:16.880
they have to do it by law. They need to tell their investors how they’re doing, and they need a way

00:13:16.880 --> 00:13:23.120
to tell everyone at the same time. No favorites allowed here. Everyone needs to be able to access

00:13:23.120 --> 00:13:29.120
it at the same time or else the company can get in trouble for providing insider information. Sure,

00:13:29.120 --> 00:13:33.840
they can stick this item on their company website somewhere or do a mass e-mail shot,

00:13:33.840 --> 00:13:40.800
and some of them do just that. But many major US companies use the services of newswires. Newswire

00:13:40.800 --> 00:13:45.680
agencies specialize in distributing financial reports and other news that a company needs to

00:13:45.680 --> 00:13:50.800
relay to its shareholders, and they have networks in place already that can get a press release out

00:13:50.800 --> 00:13:56.000
to the world at a push of a button. For companies, this is a quick and convenient way to just

00:13:56.000 --> 00:13:59.600
make the whole process easier. This kind of financial information for

00:13:59.600 --> 00:14:04.320
big corporate companies can have big impacts on their investors and their stock prices,

00:14:04.320 --> 00:14:08.240
so it’s common that they put it together in a press release and send it to a newswire who

00:14:08.240 --> 00:14:12.880
will then publish it publicly when it’s time. A lot of these reports get published just after

00:14:12.880 --> 00:14:17.440
the market closes on a particular day, because they know this information could then just flow

00:14:17.440 --> 00:14:22.480
out overnight and hit the stock market floor in the morning. Tried and tested, this is the usual

00:14:22.480 --> 00:14:29.040
flow of how these things work. Now, the top three financial newswire distributors in 2010

00:14:29.040 --> 00:14:34.560
were Business Wire, PR Newswire, and Marketwire. These companies have been around for a while,

00:14:34.560 --> 00:14:38.560
too; Business Wire was founded in 1961, and they’ve got their headquarters in San

00:14:38.560 --> 00:14:44.240
Francisco. PR Newswire was founded in 1954 and it’s headquartered in Chicago. Now, that one was

00:14:44.240 --> 00:14:49.360
originally run entirely by Herbert Muschel out of his New York City home, and that was before

00:14:49.360 --> 00:14:53.360
computers and the internet and the ability to send out information electronically.

00:14:53.360 --> 00:14:57.520
Instead, he used teleprinters to get information out to news outlets in New

00:14:57.520 --> 00:15:03.920
York. But now we are all digital and networked, so these newswires all compete with each other

00:15:03.920 --> 00:15:08.640
to try to get the big companies’ business. It’s all very competitive, and it means each of them

00:15:08.640 --> 00:15:13.520
have to have a good selection of companies as clients. So, when they get a press release, they

00:15:13.520 --> 00:15:19.360
upload it to their servers where it sits under wraps until the agreed-upon time and date when

00:15:19.360 --> 00:15:25.120
it should be released to the public, and then it gets published. It’s all very straightforward, but

00:15:25.120 --> 00:15:30.800
are you seeing the problem yet? [MUSIC] Financial reports from major businesses all sent to the same

00:15:30.800 --> 00:15:37.680
three places and staged on a server until it’s the right time to publish them? Yeah, I think you know

00:15:37.680 --> 00:15:46.160
where this is going. In February 2010, Ivan, the hacker in Ukraine, set his sights on Marketwire.

00:15:46.160 --> 00:15:51.440
He knew somewhere in Marketwire they must be storing these press releases before they’re being

00:15:51.440 --> 00:15:57.200
published publicly, and he wanted to find where they were. He scanned the website looking for

00:15:57.200 --> 00:16:02.720
a vulnerability, and found the website was vulnerable to SQL injection attacks.

00:16:02.720 --> 00:16:07.280
So, this is where when you fill out any kind of text box or form on a website;

00:16:07.280 --> 00:16:12.560
the data you typed in may get sent to the SQL database, which is where all the information is

00:16:12.560 --> 00:16:17.440
stored on the website. So, maybe it’s a search field and maybe you’re on the site searching

00:16:17.440 --> 00:16:22.240
for press releases for some company. Okay, so when you hit Search, whatever you typed in,

00:16:22.240 --> 00:16:27.200
that could be sent to the database directly to search it for any hits. I mean, the site has to

00:16:27.200 --> 00:16:31.680
know that you’re looking for something and has to ask the database if that something you’re looking

00:16:31.680 --> 00:16:37.200
for is there, right? But what if instead of typing in some company name to search for,

00:16:37.200 --> 00:16:42.000
instead you just put in all kinds of funky characters that screws up the search and tells

00:16:42.000 --> 00:16:47.920
the database to do something else altogether like just give me everything in the database,

00:16:47.920 --> 00:16:53.120
not just what I’ve searched for? This is the kind of behavior Ivan was trying to get the

00:16:53.120 --> 00:16:59.520
Marketwire website to do. Ivan relentlessly attacked Marketwire’s website, trying many

00:16:59.520 --> 00:17:05.120
different inputs to try to get something valuable back from the database that he could use.

00:17:05.120 --> 00:17:10.320
He spent months on this, submitting hundreds and hundreds of form fields all trying to do

00:17:10.320 --> 00:17:16.320
SQL injection. Over time, he got it working. I’m not exactly sure what steps he took here,

00:17:16.320 --> 00:17:22.960
but over the course of five months and 390 SQL injections later, he found a way into where

00:17:22.960 --> 00:17:30.480
the unreleased press releases were stored, and he scooped up 900 of them. [MUSIC] Then in July 2010,

00:17:30.480 --> 00:17:37.280
he added PR Newswire to his target list. This website used the PHP language to render the page,

00:17:37.280 --> 00:17:43.200
and he was able to exploit this PHP code that was on the website to gain access to their servers and

00:17:43.200 --> 00:17:49.840
went to look around. He left a PHP script there that would give him backdoor access to this place

00:17:49.840 --> 00:17:54.800
so he could just go back in whenever he pleased and look around in PR Newswire’s network.

00:17:54.800 --> 00:17:59.840
Of course, as he looked around there, he found exactly where the unreleased press releases

00:17:59.840 --> 00:18:06.480
were stored in this network. Ivan knew of the other news agency too, Business Wire. Of course

00:18:06.480 --> 00:18:11.120
he wanted to find a way into this one too, but he was having a hard time with it. We do know

00:18:11.120 --> 00:18:15.760
that Business Wire employees received a rash of phishing e-mails during this time.

00:18:15.760 --> 00:18:21.040
Maybe that was Ivan trying to trick an employee to install some malware or steal their credentials.

00:18:21.040 --> 00:18:26.800
It does seem like Ivan eventually got a user database to the site somehow, which gave him

00:18:26.800 --> 00:18:32.160
usernames and hashed passwords, and from there he had to run the hashes through a cracking tool to

00:18:32.160 --> 00:18:38.720
try to get the password. Eventually he was able to brute force his way into Business Wire this way,

00:18:38.720 --> 00:18:44.960
and once inside, he started grabbing dozens of non-public press releases. So,

00:18:44.960 --> 00:18:50.000
Ivan had successfully broken into all three of the leading newswire agencies

00:18:50.000 --> 00:18:55.520
and siphoned off copies of press releases before they were published publicly. [MUSIC] He then

00:18:55.520 --> 00:19:00.720
sent them directly to Arkadiy and Alexander, and he’s just e-mailing them over bulk attachments,

00:19:00.720 --> 00:19:06.240
like seventy, eighty, ninety press releases at a time. Bear in mind, this all had to be done

00:19:06.240 --> 00:19:11.040
in a very short timeframe. The press releases were often uploaded to these newswires just a

00:19:11.040 --> 00:19:17.440
few hours before they were due to go public. So in that time window is when this scheme had to work.

00:19:17.440 --> 00:19:21.360
The hackers needed to steal the press release and then pass it to the traders, and then the

00:19:21.360 --> 00:19:25.680
traders had to look through these press releases to see if there was anything valuable in there,

00:19:25.680 --> 00:19:29.920
and then decide if they needed to make trades and move themselves into the right positions.

00:19:29.920 --> 00:19:36.000
I imagine it was a frantic sort of operation, a lot to do in a short time, and then Ivan is

00:19:36.000 --> 00:19:39.760
sending them dozens of press releases at a time. So, they’re having to make sense of

00:19:39.760 --> 00:19:45.280
a lot of information fast, because at any minute that’s going to be public and the market may move,

00:19:45.280 --> 00:19:49.440
and they may miss their chance. Then you have to plan your exit; how long do you wait for

00:19:49.440 --> 00:19:54.400
the market to adjust before you hop out? A few hours, maybe? There’s a lot going on for these

00:19:54.400 --> 00:19:59.200
guys to do, and it’s no wonder that they wanted to bring Vitaly into the fold to take a portion

00:19:59.200 --> 00:20:05.520
of this work and make some money for them, too. They simply couldn’t do it all on their own.

00:20:05.520 --> 00:20:10.800
Ivan, the hacker, was feeling this process was getting tedious. Having to go in, grab press

00:20:10.800 --> 00:20:15.200
releases, download them, and e-mail them to the other guys, that’s a lot of steps that he was

00:20:15.200 --> 00:20:20.320
doing over and over and over throughout the day. So, Ivan came up with a better way. [MUSIC] He

00:20:20.320 --> 00:20:24.800
set up a dedicated web server. Every time he accessed the new press releases and

00:20:24.800 --> 00:20:29.920
grabbed them, he’d upload them to his server. He had it locked down with a username and password,

00:20:29.920 --> 00:20:34.400
and he gave these credentials to the traders who were involved in the scheme. Now the traders

00:20:34.400 --> 00:20:39.840
could log in and just pick off the press releases that they liked the best, and it made the process

00:20:39.840 --> 00:20:44.160
a little bit more automated and easier for the traders to parse the information, and easier for

00:20:44.160 --> 00:20:48.960
Ivan, too. These traders weren’t necessarily computer savvy with this sort of thing, so

00:20:48.960 --> 00:20:53.680
Ivan had to make a little how-to video demo that showed them how to access the press releases on

00:20:53.680 --> 00:20:59.600
the server. Pavel, which is Arkadiy’s brother, was who took the video and shared it with the traders.

00:20:59.600 --> 00:21:04.480
He also used this video as a way to persuade other traders to join the fold.

00:21:04.480 --> 00:21:10.480
Now, Ivan also shared tips too on how to use a proxy and a VPN to hide the IP addresses so people

00:21:10.480 --> 00:21:17.200
would cover their tracks properly. In November 2010, Pavel shared this demo video with Arkadiy,

00:21:17.200 --> 00:21:23.120
who used it in negotiations with Vitaly. It was that demonstration that tipped the balance

00:21:23.120 --> 00:21:28.480
for Vitaly. Seeing for himself in black and white the information that would be available

00:21:28.480 --> 00:21:34.000
to him if he joined, he knew exactly what he could do with that information, and that was

00:21:34.000 --> 00:21:40.720
just too attractive for him to turn down. Vitaly Korchevsky, hedge fund manager and Baptist pastor,

00:21:40.720 --> 00:21:44.880
was in. I feel like I’ve been talking for a while, so I’m gonna take a little break

00:21:44.880 --> 00:21:50.400
here and get a drink of water, but I’ll be back in a minute to tell you the rest of the story.

00:21:50.400 --> 00:21:55.600
While Arkadiy was busy expanding this little scheme of his, the SEC was really revving

00:21:55.600 --> 00:22:01.520
up. [MUSIC] At the start of 2010, they were creating new divisions and departments, and one

00:22:01.520 --> 00:22:08.160
of the units was called the Market Abuse Unit, and it would focus on cases of insider trading.

00:22:08.160 --> 00:22:13.360
The SEC is a law enforcement agency which looks for signs of market manipulation.

00:22:13.360 --> 00:22:18.640
With headquarters in Washington, DC, they have between 3,000 and 4,000 staff across the board,

00:22:18.640 --> 00:22:23.360
and they have to work real hard to unravel some of these illegal trading schemes and gather the

00:22:23.360 --> 00:22:28.160
evidence that they need to take them down. The SEC is out there looking for people doing

00:22:28.160 --> 00:22:33.840
schemes exactly like what Arkadiy was doing, but it’s really hard with all the money that gets

00:22:33.840 --> 00:22:39.840
transferred every day in and out of the stock market. But the SEC has a secret weapon called

00:22:39.840 --> 00:22:45.840
Artemis, which stands for Advanced Relational Trading Enforcements Metrics Investigation System.

00:22:45.840 --> 00:22:50.880
What a mouthful that is. So, this is like an enormous database system that holds trade

00:22:50.880 --> 00:22:56.240
records from across the sector, and it uses mathematical algorithms and advanced analytics

00:22:56.240 --> 00:23:00.560
to analyze and rank the trades depending on what the SEC is looking for.

00:23:00.560 --> 00:23:05.840
It’s a powerful tool and it’s capable of spotting trading patterns that the human eye or brain just

00:23:05.840 --> 00:23:11.760
can’t do. In the past, the SEC was kind of a reactive force when it came to insider trading.

00:23:11.760 --> 00:23:16.720
They’d be informed of an incident or suspicions and then start their investigation. Sometimes when

00:23:16.720 --> 00:23:20.880
there was significant news about securities involving a company, they would investigate

00:23:20.880 --> 00:23:26.160
if suspicions were raised looking for trading activity that might have taken place on the back

00:23:26.160 --> 00:23:32.000
of it. But while criminals are using technology to hack into places in order to do insider trading,

00:23:32.000 --> 00:23:37.200
the SEC is also using advanced technology to try to detect those illegal trades.

00:23:37.200 --> 00:23:42.000
Their tools give them the ability to parse and examine every single trade to try to find

00:23:42.000 --> 00:23:50.560
indicators of suspicious behavior, and their tool was seeing something suspicious with these trades.

00:23:50.560 --> 00:23:57.360
In January 2011, Ivan lost his backdoor access into PR Newswire. The newswire didn’t know they

00:23:57.360 --> 00:24:02.000
had been hacked into; no, no. They just changed their infrastructure, and in that process,

00:24:02.000 --> 00:24:07.600
they removed the system where his backdoor was implanted on, so access denied for him. It was

00:24:07.600 --> 00:24:12.640
gonna take him a while to find another way in, but in the meantime, he was just focusing on stealing

00:24:12.640 --> 00:24:18.160
press releases from Marketwire instead, ensuring the steady flow of releases still got to traders,

00:24:18.160 --> 00:24:22.320
because if the traders didn’t get the information, then he wasn’t gonna get paid.

00:24:22.320 --> 00:24:27.600
Ivan gave the traders his bank account details, which were accounts in Estonia and Macao,

00:24:27.600 --> 00:24:32.960
and this is where he wanted his cut of the profits paid into. Now, as far as I can work out,

00:24:32.960 --> 00:24:38.560
Ivan was raking in somewhere between 40% and 50% of the profits from the trades

00:24:38.560 --> 00:24:43.120
made using the information in the press releases he stole, which I guess is fair.

00:24:43.120 --> 00:24:47.760
Without this insider information that he’s producing, the traders would have nothing to

00:24:47.760 --> 00:24:55.520
work with. So his role was crucial in this whole scheme. By July he got back inside PR Newswire,

00:24:55.520 --> 00:25:00.400
and again he installed some code on their server so he could just hop back in whenever he needed.

00:25:00.400 --> 00:25:06.480
Great. But that was also the month that this group started to inadvertently leave breadcrumbs

00:25:06.480 --> 00:25:12.960
behind them, crumbs that would eventually be noticed and followed. [MUSIC] At some point,

00:25:12.960 --> 00:25:18.800
one of these brokerage accounts they used to trade with became on the US authorities’ watch list. My

00:25:18.800 --> 00:25:23.600
guess is that it was the SEC that identified a trading account looked suspicious and to keep an

00:25:23.600 --> 00:25:29.920
eye on it. Well, for some reason, it was Ivan, the hacker, that logged into that brokerage account

00:25:29.920 --> 00:25:35.760
to check on things. Investigators took note of his IP address for later, and it was later that

00:25:35.760 --> 00:25:42.560
they saw this same IP log into Marketwire and PR Newswire to download press releases.

00:25:42.560 --> 00:25:46.400
This would prove to be a crucial link that would connect the hacker

00:25:46.400 --> 00:25:52.080
with the traders. By this point, the scheme was running very well and this

00:25:52.080 --> 00:25:56.640
group was making a lot of money. [MUSIC] Take the Dendreon Corp stock, for an example.

00:25:56.640 --> 00:26:01.920
So, this is a big bio-tech and pharmaceutical company based out of Seattle, and on August 3,

00:26:01.920 --> 00:26:10.720
2011, PR Newswire uploaded a press release for Dendreon onto their server at 3:34 PM. At 4:01 PM,

00:26:10.720 --> 00:26:15.440
less than a half hour later and one minute after the stock market shut down for the day, the press

00:26:15.440 --> 00:26:21.920
release was made public as Dendreon wanted. But four minutes before it went public, at 3:56,

00:26:21.920 --> 00:26:29.040
Pastor Vitaly suddenly purchased 1,100 put options of Dendreon Corp. As soon as the press

00:26:29.040 --> 00:26:34.560
release became public, the stock price rose, and the following day, Vitaly sold all 1,100

00:26:34.560 --> 00:26:41.440
options and made a clear profit of more than $2.3 million. Yes, million, in less than twenty-four

00:26:41.440 --> 00:26:47.120
hours. Across this period, there were more than four direct contacts between Vitaly and Arkadiy,

00:26:47.120 --> 00:26:52.400
which leads us to believe that these trades were conducted using insider information. In the middle

00:26:52.400 --> 00:26:57.520
of October, they were at it again. This time, the target company was Caterpillar Inc. You know this

00:26:57.520 --> 00:27:01.920
company; they’re massive. They make construction and mining equipment, big turbine engines and

00:27:01.920 --> 00:27:07.120
natural gas engines, and they’ve been doing it for almost a hundred years. They make boots, too. So,

00:27:07.120 --> 00:27:11.600
Caterpillar used PR Newswire when they had a press release ready to go out to the public.

00:27:11.600 --> 00:27:15.680
They’d send it along with the date and time for it to be released, and PR Newswire would upload

00:27:15.680 --> 00:27:21.920
it onto the server so it was all ready to go, and that’s exactly what they did on October 21, 2011.

00:27:21.920 --> 00:27:28.160
The release said that the company’s profit after tax for its third quarter was up 27% compared to

00:27:28.160 --> 00:27:34.880
2010. That’s great news for the company and its investors, and it was supposed to go public three

00:27:34.880 --> 00:27:40.960
days after it was uploaded. But not long after it was uploaded, the traders began to pounce.

00:27:40.960 --> 00:27:47.200
Suddenly shares of Caterpillar were bought in multiple brokerage accounts worth $5.9 million.

00:27:47.200 --> 00:27:51.280
That was about 3,800 shares in the company, and if you dig a little deeper, you find that they

00:27:51.280 --> 00:27:57.200
purchased them through EDGX using a brokerage account registered to Arkadiy. When the press

00:27:57.200 --> 00:28:03.760
release went public on October 24 as planned, the price of the stock in Caterpillar Inc shot up,

00:28:03.760 --> 00:28:08.400
exactly as the traders thought it would. On that very same date, the traders sold their

00:28:08.400 --> 00:28:17.280
shares and made a profit of more than $648,000. The group didn’t stop there. On January 25, 2012,

00:28:17.280 --> 00:28:21.040
Caterpillar gave another press release to newswire, and this one said the company’s

00:28:21.040 --> 00:28:26.160
profits were up 36% from the year before, and just like what happened three months earlier,

00:28:26.160 --> 00:28:29.680
after this press release was uploaded to PR Newswire, the traders appeared

00:28:29.680 --> 00:28:34.240
and began to move Caterpillar stock. This time they purchased around 600 shares, which

00:28:34.240 --> 00:28:39.360
was about $8.3 million, and the brokerage account they used was an account that was registered to

00:28:39.360 --> 00:28:45.360
Arkadiy. While all this was going on away from prying eyes, there was some serious unrest

00:28:45.360 --> 00:28:50.320
going on in the front of house of these newswires. In the very same month that Arkadiy was making

00:28:50.320 --> 00:28:56.480
these insider trades on Caterpillar for millions of dollars, Marketwire filed a $25 million lawsuit

00:28:56.480 --> 00:29:02.000
against PR Newswire. They were blaming their rival for poaching their staff. The concern

00:29:02.000 --> 00:29:06.000
was that they were trying to get their hands on confidential information and trade secrets

00:29:06.000 --> 00:29:11.360
from inside the company. A senior staff member at Marketwire, their chief technology officer,

00:29:11.360 --> 00:29:16.800
had left and started working for PR Newswire, and a couple of the staff followed and joined him.

00:29:16.800 --> 00:29:21.280
So, everything was not rosy between these two newswires. But while they were battling it

00:29:21.280 --> 00:29:25.760
out in court, they didn’t know at the very same time Ivan was rummaging around in their servers,

00:29:25.760 --> 00:29:30.720
stealing extremely sensitive information. Forget about staff breaching confidentiality;

00:29:30.720 --> 00:29:33.840
they should have been focusing on securing their networks better.

00:29:33.840 --> 00:29:37.520
I don’t think anything actually came of this lawsuit, and the two companies just ended up

00:29:37.520 --> 00:29:42.160
being disgruntled at each other. It was just a weird time for them to be focused on this,

00:29:42.160 --> 00:29:46.880
which might be a reason why they didn’t spot intruders lurking about in their servers.

00:29:46.880 --> 00:29:53.200
So, this scheme was becoming a pretty well-oiled machine of securities fraud; two distinct skill

00:29:53.200 --> 00:29:58.160
sets coming together to make millions of dollars, hack into companies, and steal press releases,

00:29:58.160 --> 00:30:02.000
and then make trades based on that information. With each new press release,

00:30:02.000 --> 00:30:07.520
it was a potential big payday for them. With so many press releases, it was just rinse and repeat

00:30:07.520 --> 00:30:12.880
and reap the rewards. Ivan didn’t know who Arkadiy was hiring to do the trades. At least,

00:30:12.880 --> 00:30:17.120
I don’t think he knew, and I’m fairly certain the traders didn’t know who the hackers were, either.

00:30:17.120 --> 00:30:23.040
There was this layer in-between, middlemen, if you will, there to act as a messenger and go-between,

00:30:23.040 --> 00:30:28.080
like Pavel, which is Arkadiy’s brother. [MUSIC] They were the firebreak that stopped prying eyes

00:30:28.080 --> 00:30:34.160
or investigative hands from finding direct links between the hacker group and the trading group.

00:30:34.160 --> 00:30:45.200
At least, they were supposed to be.

00:30:45.200 --> 00:30:50.880
By the time 2012 rolled around, Ivan had been sailing along in a real comfy position. Now, Ivan

00:30:50.880 --> 00:30:56.480
is a bit flashy with his gold clocks, nice cars, and big house as I mentioned before. Earlier that

00:30:56.480 --> 00:31:02.160
year, he was in a club in Kiev and decided to brag to some of his friends about this amazing scam

00:31:02.160 --> 00:31:08.560
that he’s been pulling off for years. But this was a mistake. Don’t get drunk and tell people

00:31:08.560 --> 00:31:15.280
about your very profitable hacking scheme. One of these friends of his was Oleksandr Ieremenko.

00:31:15.280 --> 00:31:20.720
He was in his twenties, similar age to Ivan, and they worked together in the past. So, Olek thinks

00:31:20.720 --> 00:31:26.640
this gig sounded pretty cool and wanted to get in. But instead of asking nicely to be let in,

00:31:26.640 --> 00:31:33.120
he decided to double-cross Ivan, or maybe he asked Ivan nicely, but Ivan said no. I don’t know. Now,

00:31:33.120 --> 00:31:38.960
according to the Verge, it sounds like Olek called his friend Vadym, and together they figured out

00:31:38.960 --> 00:31:45.040
what this whole scheme was, and they wanted in. They hacked into one of the newswires themselves

00:31:45.040 --> 00:31:50.720
and cut Ivan’s access off. They just chucked him out and sat in there themselves. So,

00:31:50.720 --> 00:31:55.840
this newswire was completely unaware that they’ve been hacked twice now by competing hackers,

00:31:55.840 --> 00:31:59.760
with one hacker being locked out and a new set of hackers being put in his place.

00:31:59.760 --> 00:32:05.920
Ivan had a big problem; he lost access to a big source of these very valuable press releases,

00:32:05.920 --> 00:32:10.960
and worse, his own friends were sitting there instead. He tells his middlemen who deal

00:32:10.960 --> 00:32:16.320
directly with the traders what happened, and safe to say that no one on that side

00:32:16.320 --> 00:32:24.560
was pleased to hear this. So, a new deal got made; Olek and Vadym’s little takeover stunt worked, and

00:32:24.560 --> 00:32:29.680
they both got brought into the fold. The traders were happy again. The more hackers means the more

00:32:29.680 --> 00:32:35.520
press releases and the more chances to make money. Ivan, though, was not so happy about this change.

00:32:35.520 --> 00:32:41.200
Now he had to split his share with these other two, compared to just having it all for himself.

00:32:41.200 --> 00:32:46.320
He wasn’t the sole hacker anymore, and that means a big hit on his profits.

00:32:46.320 --> 00:32:51.360
While Ivan’s distracted by his friends hustling in on this scam, he didn’t notice some attention

00:32:51.360 --> 00:32:57.440
starting to come his way from the US authorities, and it was a sign of what was to come.

00:32:57.440 --> 00:33:01.600
Now, newswires are the same as any other company. They take their network security

00:33:01.600 --> 00:33:06.720
seriously and regularly do audits and checks to make sure that their systems are secure.

00:33:06.720 --> 00:33:10.320
Sometimes they find something; maybe permissions were too relaxed on some

00:33:10.320 --> 00:33:14.800
system or things weren’t locked down like they should. But whatever security they had in place,

00:33:14.800 --> 00:33:21.360
it wasn’t enough to stop this crew or detect them once they got in. But in March of 2012,

00:33:21.360 --> 00:33:26.560
the FBI told PR Newswire that they’ve been breached.

00:33:26.560 --> 00:33:30.320
[MUSIC] This is how they first heard their systems were compromised; the FBI

00:33:30.320 --> 00:33:35.360
somehow saw this was happening before PR Newswire even knew it was going on. According to the Verge,

00:33:35.360 --> 00:33:41.040
PR Newswire then called in a security firm called Stroz Friedberg to investigate what was going on

00:33:41.040 --> 00:33:47.360
in their networks. During that examination, they found Ivan’s backdoor and they saw how

00:33:47.360 --> 00:33:53.440
he was stealing press releases. The tech guys obviously removed it and cut Ivan’s access off,

00:33:53.440 --> 00:33:57.520
and after some panicked e-mails to Ivan’s middlemen, it was Olek who managed to get

00:33:57.520 --> 00:34:03.040
code back into the systems and restore their access into PR Newswire so they could continue.

00:34:03.040 --> 00:34:08.080
But unbeknownst to them, the authorities were now onto Ivan, and they had him firmly in their

00:34:08.080 --> 00:34:15.120
sights. Working in tandem with the US, Ukrainian intelligence services put surveillance on Ivan.

00:34:15.120 --> 00:34:18.640
What triggered them initially to find him exactly? I don’t know,

00:34:18.640 --> 00:34:24.080
but by watching Ivan, they found out pretty quick who his friends were, and eight months later,

00:34:24.080 --> 00:34:30.080
with the help of the FBI and the US Secret Service, nine properties in Kiev were raided.

00:34:30.080 --> 00:34:35.600
Both Ivan and Olek’s laptops were seized in the raids, and these were the laptops the two hackers

00:34:35.600 --> 00:34:40.480
were using to access the newswire systems. There were hundreds of stolen press releases on them,

00:34:40.480 --> 00:34:45.840
and reams of online chat logs which gave the feds clear insight into the whole operation.

00:34:45.840 --> 00:34:52.240
A big success, you would think, but then it all went silent, like eerily quiet.

00:34:52.240 --> 00:34:57.520
Nothing happened at all for a while. There was evidence that they had identified culprits,

00:34:57.520 --> 00:35:02.640
but nothing went any further. You see, Ukraine has laws in place that prohibit extraditing

00:35:02.640 --> 00:35:07.760
their own citizens to another country. Under the constitution of Ukraine, citizens are guaranteed

00:35:07.760 --> 00:35:14.720
care and protection. So, Ivan and Olek were, at least for the moment, safe from US authorities,

00:35:14.720 --> 00:35:20.080
and they knew it, [MUSIC] so they did what all money-hungry hackers do; they carry on with the

00:35:20.080 --> 00:35:35.920
scheme. Hackers know the value of information. Yeah, there’s different motives for when people

00:35:35.920 --> 00:35:41.200
hack stuff and different targets, but really, most of it is about information. Who has it,

00:35:41.200 --> 00:35:46.640
who wants it, and how much can it be sold for? Financial, business, or personal, data

00:35:46.640 --> 00:35:52.480
is ridiculously sellable, and the more value it is to the buyer, the more profit it will be to sell.

00:35:52.480 --> 00:35:56.720
The longer this scam was running, the more confident everybody got. But the hackers

00:35:56.720 --> 00:36:01.040
were not traders; they didn’t follow the stock markets. They didn’t know which press releases

00:36:01.040 --> 00:36:06.480
were necessarily more valuable or useful than the others. In 2012, a group of traders involved in

00:36:06.480 --> 00:36:12.720
the scam had expanded. A new guy was brought on the team. His name was Leonid Momotok.

00:36:12.720 --> 00:36:17.200
Leonid was a stock trader friend of Arkadiy’s and worked in construction for his day job,

00:36:17.200 --> 00:36:21.600
and they went to church together. He was forty-six years old and lived in Suwanee,

00:36:21.600 --> 00:36:26.480
which is in Georgia, in the US, a pretty city about thirty miles away from Atlanta.

00:36:26.480 --> 00:36:30.960
Arkadiy introduced him to the scam, and he opened up a set of brokerage accounts

00:36:30.960 --> 00:36:35.760
with TD Ameritrade, and he started trading on this stolen press release information.

00:36:35.760 --> 00:36:41.120
The traders eventually got into a groove. They knew which companies used which newswire agencies

00:36:41.120 --> 00:36:45.840
and when upcoming press releases were going to be released. So, they started requesting which press

00:36:45.840 --> 00:36:52.160
releases they wanted early access to. [MUSIC] It was like an order system. On October 8, 2013,

00:36:52.160 --> 00:36:57.600
Pavel sent his brother Arkadiy a spreadsheet of eighteen companies due to announce press releases.

00:36:57.600 --> 00:37:01.920
Arkadiy sent it to his business partner Alexander. Across the rest of October,

00:37:01.920 --> 00:37:07.680
Vitaly, Arkadiy, and Leonid all made large trades on six of these companies right before the

00:37:07.680 --> 00:37:13.200
releases were published. The traders were sending the hackers their shopping list of press releases.

00:37:13.200 --> 00:37:19.600
In October 2013, a company called Align Technology sent their press release to Marketwired. I guess

00:37:19.600 --> 00:37:24.640
Marketwired changed their name from Marketwire to Marketwired just to be confusing.

00:37:24.640 --> 00:37:29.520
But for Align Tech stock in that fifteen-hour window between when the press release was uploaded

00:37:29.520 --> 00:37:36.000
to when it was made public, Arkadiy had purchased 91,000 shares. Two hours after Arkadiy’s trades,

00:37:36.000 --> 00:37:41.680
Vitaly pops up and buys 95,000 shares. After that press release went live to the public,

00:37:41.680 --> 00:37:49.680
the pair unloaded their positions and made about $1.4 million in profits. This scheme was on fire

00:37:49.680 --> 00:37:54.560
and seemed to be doing better than ever. The traders were making enormous profits on this

00:37:54.560 --> 00:37:59.760
insider information, and the hackers were happily getting paid a percentage cut for every trade.

00:37:59.760 --> 00:38:05.040
Everyone was happy. Now, Arkadiy had been in on this from day one, and he decided he’d kinda

00:38:05.040 --> 00:38:10.240
like to expand this a little more and make more money. Money is attractive, right? So,

00:38:10.240 --> 00:38:14.240
I think he was taken in by the allure of all the cash and spending and watching his offshore

00:38:14.240 --> 00:38:20.480
bank account grow. So, early to mid-2013, he brings in another trader to join his group.

00:38:20.480 --> 00:38:25.840
This guy’s named Vlad, and he’s a trader. He used to work on Wall Street that Pavel knew,

00:38:25.840 --> 00:38:30.320
and once Pavel made the connections, he introduces Arkadiy to Vlad.

00:38:30.320 --> 00:38:34.160
Vlad had his own trading company in the UK, but he lived in Brooklyn, New York

00:38:34.160 --> 00:38:39.280
and traded on Wall Street a lot, but he has a home in Odessa in Ukraine. Vlad really liked this

00:38:39.280 --> 00:38:45.280
plan and was on board. The deal was done; Vlad came in on the same plan that Vitaly was in on.

00:38:45.280 --> 00:38:50.800
Arkadiy opened up a brokerage account and funded it, and Vlad and Vitaly just did their trades.

00:38:50.800 --> 00:38:56.560
Vlad got a percentage cut just as Vitaly did, and Vlad was just another trader in this scheme.

00:38:56.560 --> 00:39:01.840
But I’m not sure if Arkadiy told the hackers about this new trader. I mean, if the hackers

00:39:01.840 --> 00:39:06.160
knew there was a new trader here bringing in all kinds of extra money, they’d know that they should

00:39:06.160 --> 00:39:11.840
be getting a cut from those profits. So, it’s possible Arkadiy didn’t tell them. I’m not sure,

00:39:11.840 --> 00:39:17.280
but for a person who isn’t afraid to break a bunch of laws to make more money, I wouldn’t put it past

00:39:17.280 --> 00:39:22.800
him that he was keeping some secrets from his own team. Arkadiy was ready to bring on even more

00:39:22.800 --> 00:39:30.240
people, but of course it’s hard to find people you trust, so he turned to his son, Igor.

00:39:30.240 --> 00:39:36.880
Igor helped to move the press releases around and get them to Vitaly and Vlad. I don’t think Vitaly

00:39:36.880 --> 00:39:41.600
or Vlad knew each other, either. In fact, they may have never even met each other during this whole

00:39:41.600 --> 00:39:47.280
scheme. Soon though, that would turn completely on its head. [MUSIC] The morning of Tuesday,

00:39:47.280 --> 00:39:54.000
August 15, 2015, started as a quiet day for Vitaly. He was at home in his Glen Hills,

00:39:54.000 --> 00:39:58.960
Pennsylvania house when he heard a knock on the door. When he opened it, he was greeted by a

00:39:58.960 --> 00:40:05.680
team of FBI agents with a warrant for his arrest. Vitaly was handcuffed, hands behind his back, and

00:40:05.680 --> 00:40:11.680
led out to awaiting police vehicles. Just about 900 miles away in Georgia, at the exact time,

00:40:11.680 --> 00:40:16.800
two more FBI teams were knocking on other doors. Arkadiy and his son were arrested,

00:40:16.800 --> 00:40:21.920
and in the same morning, Alexander and Leonid were also arrested in their homes that morning.

00:40:21.920 --> 00:40:26.560
Vadym, one of the hackers, had already been arrested on completely separate charges

00:40:26.560 --> 00:40:32.320
of credit card fraud. Vadym was picked up while he was on holiday in Mexico a year earlier,

00:40:32.320 --> 00:40:36.240
and he had been handed straight over to the US authorities when he got arrested.

00:40:36.240 --> 00:40:42.480
Within hours, New Jersey US attorney Paul Fishman was leading a press conference explaining the

00:40:42.480 --> 00:40:46.640
day’s events. Here’s a clip from that. PAUL: This morning, we’re here to announce

00:40:46.640 --> 00:40:53.000
criminal and civil charges in a broad-ranging, cutting edge, international scheme at the

00:40:53.000 --> 00:40:58.880
intersection of hacking and securities fraud. For more than five years, hackers largely

00:40:58.880 --> 00:41:04.560
operating in Ukraine repeatedly penetrated the networks and servers of Marketwired,

00:41:04.560 --> 00:41:09.840
PR Newswire, and Business Wire. Over that five-year period, using a variety of hacking

00:41:09.840 --> 00:41:16.640
techniques and tactics including brute force attacks, SQL injection attacks, and phishing,

00:41:16.640 --> 00:41:23.280
those hackers stole well over 100,000 confidential news releases before they were distributed. Two

00:41:23.280 --> 00:41:28.160
indictments charging a total of nine individuals, we allege that the conspirators stole more than

00:41:28.160 --> 00:41:34.000
100,000 news releases, traded ahead of more than 800 releases, and made more than $30

00:41:34.000 --> 00:41:39.360
million. In addition, the SEC has filed a civil complaint charging those individuals

00:41:39.360 --> 00:41:44.960
and a host of others with similar trading conduct. We also collectively, among all of us, have seized

00:41:44.960 --> 00:41:50.720
seventeen bank and brokerage accounts so far which we believe contain more than $6.5 million.

00:41:50.720 --> 00:41:54.560
We’ve also collectively seized fifteen properties including a house boat, a

00:41:54.560 --> 00:41:59.040
shopping center, and an apartment complex. JACK: The New Jersey indictment charged Vitaly,

00:41:59.040 --> 00:42:05.120
Vlad, Alexander, and Leonid with five charges of conspiracy to commit wire fraud, securities fraud,

00:42:05.120 --> 00:42:09.600
and money laundering conspiracy. The New York indictment charged Arkadiy with twenty-three

00:42:09.600 --> 00:42:15.120
more charges of wire and securities fraud, aggravated identity theft, and money laundering.

00:42:15.120 --> 00:42:19.760
Not only did they charge Arkadiy with all that, but they also charged his son Igor and his brother

00:42:19.760 --> 00:42:25.680
Pavel with more charges. Ivan and Olek, the hackers involved, also were charged with the same

00:42:25.680 --> 00:42:30.560
twenty-three charges. Along with the criminal charges and the two indictments, the SEC also

00:42:30.560 --> 00:42:37.840
filed a civil complaint against Arkadiy, Pavel, and Igor Dubovoy, Ivan and Olek, Vlad and Vitaly,

00:42:37.840 --> 00:42:42.880
and Leonid and Alexander. That complaint also charged another twenty-three individuals and

00:42:42.880 --> 00:42:48.160
companies who had been trading on this stolen information. It sounds like those in on the scheme

00:42:48.160 --> 00:42:54.080
couldn’t keep quiet and were telling others to do some trades, too. Mary Jo White, the SEC chair,

00:42:54.080 --> 00:42:58.640
explained more at the press conference. MARY: While the SEC has uncovered and successfully

00:42:58.640 --> 00:43:05.440
litigated hacking and trading schemes in the past, today’s international case is unprecedented

00:43:05.440 --> 00:43:10.800
in terms of the scope of the hacking at issue, the number of traders involved,

00:43:10.800 --> 00:43:16.320
the number of securities unlawfully traded, and the amount of the profits generated.

00:43:16.320 --> 00:43:20.320
JACK: A total of seven people were arrested that were involved with this scheme,

00:43:20.320 --> 00:43:26.240
and pretty quickly, people started admitting to guilty pleas. Alexander, Arkadiy, his son Igor,

00:43:26.240 --> 00:43:33.120
and Leonid all pled guilty, but Vitaly and Vlad both stuck with saying they weren’t guilty. These

00:43:33.120 --> 00:43:37.680
two traders were trying to say that they had no idea the information they got was stolen

00:43:37.680 --> 00:43:44.080
or insider information, which means they brought this whole case to trial, which is great news

00:43:44.080 --> 00:43:48.560
for me because as a journalist, I can now see all the information in this case; the evidence,

00:43:48.560 --> 00:43:53.600
the testimony. It all went into the public domain over this four-week trial. Vitaly had

00:43:53.600 --> 00:43:58.160
almost eighty members of his church congregation support him during his first court hearing. They

00:43:58.160 --> 00:44:03.200
couldn’t believe their pastor could be involved in something as shady and dishonest as this,

00:44:03.200 --> 00:44:10.240
but this was no match for the SEC, Secret Service, and FBI on the prosecution side. They came with

00:44:10.240 --> 00:44:15.920
piles of evidence showing exactly what Vitaly traded and when and how they tied him to Arkadiy.

00:44:15.920 --> 00:44:21.760
Prosecutors claimed that Vitaly made over $15 million from insider trading he conducted.

00:44:21.760 --> 00:44:27.200
They even had logs and evidence collected from the raids in Ukraine off of Ivan and Olek’s laptops,

00:44:27.200 --> 00:44:31.760
and they showed how the group changed IP addresses, used VPNs, multiple computers,

00:44:31.760 --> 00:44:37.120
burner phones, and offshore accounts to conduct this scheme. It was pretty clear that Vlad and

00:44:37.120 --> 00:44:41.680
Vitaly knew exactly what they were involved with. Some of the most damning evidence came

00:44:41.680 --> 00:44:46.960
against the pair from Arkadiy and his son, Igor. They had been arrested in the raids in 2015,

00:44:46.960 --> 00:44:52.240
and both pled guilty to the charges against them, but they started producing evidence against Vitaly

00:44:52.240 --> 00:44:58.080
and Vlad, too, which looks to me like they may have done that to look like they’re cooperating

00:44:58.080 --> 00:45:04.720
and maybe reduce jail time. The court found Vitaly and Vlad guilty of all charges. Vitaly

00:45:04.720 --> 00:45:10.240
had to serve five years in prison along with an order to pay $14 million in forfeiture,

00:45:10.240 --> 00:45:18.000
and a $250,000 fine. Vlad was jailed for four years. A year later, in 2019, Leonid was sentenced

00:45:18.000 --> 00:45:24.160
by a New York judge to three years of supervised release and was ordered to pay $1.3 million and do

00:45:24.160 --> 00:45:29.040
one hundred hours of community service. A month later, Alexander was sentenced to time served.

00:45:29.040 --> 00:45:33.600
Alexander gave evidence against Vitaly and Vlad during the trial, which the judge found especially

00:45:33.600 --> 00:45:37.760
compelling, according to a news report. Alexander cooperated with authorities after he

00:45:37.760 --> 00:45:43.440
was arrested, and he aided their investigation into the scheme and how it all worked. Vadym was the

00:45:43.440 --> 00:45:47.680
only hacker to be caught by US authorities in this scheme. He was arrested for credit card

00:45:47.680 --> 00:45:53.680
fraud through hacking, but the feds soon linked him to Olek. Vadym pleaded guilty in May 2016,

00:45:53.680 --> 00:45:58.000
and took a plea deal. He admitted personally to hacking all three of the newswires and

00:45:58.000 --> 00:46:02.960
stealing employee credentials. He also admitted to selling the information he stole. A year later,

00:46:02.960 --> 00:46:08.480
he was sentenced to two-and-a-half years in prison with a three-year supervised release to follow.

00:46:08.480 --> 00:46:15.120
He was ordered to pay restitution of just over $3 million. Arkadiy and his son Igor, from what I can

00:46:15.120 --> 00:46:19.520
see, they’re still awaiting sentencing. After their guilty pleas, everything just got delayed

00:46:19.520 --> 00:46:24.720
because of COVID. The authorities said that there were a total of thirty-two people involved with

00:46:24.720 --> 00:46:30.880
this scheme in some way or another. Seven got caught and were found guilty that we know of,

00:46:30.880 --> 00:46:37.840
but three key players remain in the wind; the hackers Ivan and Olek, and Arkadiy’s brother Pavel.

00:46:37.840 --> 00:46:43.360
All three are suspected to be in Ukraine, which is sort of protected from the long arm of the US

00:46:43.360 --> 00:46:49.040
authorities. But the US Secret Service has put a one million-dollar reward for the capture of Olek.

00:46:49.040 --> 00:46:54.880
Supposedly after this, Olek went on to hack into the SEC itself, and then sold that information

00:46:54.880 --> 00:46:59.440
he stole to someone else, potentially using it to make money on the stock market, too.

00:46:59.440 --> 00:47:04.000
Ivan and Pavel are also on the US Secret Service list of most-wanted fugitives,

00:47:04.000 --> 00:47:09.360
but there’s no reward listed for them. In the end, this scheme seemed to make everyone a

00:47:09.360 --> 00:47:15.280
profit of over $30 million, which was quite an epic run, and I find this whole scheme

00:47:15.280 --> 00:47:21.040
somewhat surprising. I just never thought about using hacking to steal financial information to

00:47:21.040 --> 00:47:26.320
then use to make money on the stock market. It’s pretty clever and inventive, if you ask me. It’s

00:47:26.320 --> 00:47:31.600
also fascinating to see how the SEC has tools now to detect when people are making huge profits very

00:47:31.600 --> 00:47:36.320
quickly and are able to do it again and again. The average trader doesn’t make profits like that, so

00:47:36.320 --> 00:47:41.440
for the SEC to spot anomalies in real time, that’s gonna cut down on the ability for anyone

00:47:41.440 --> 00:47:46.160
else to do this in the future. But in the end, I think this crew was driven by greed.

00:47:46.160 --> 00:47:51.440
$1 million wasn’t good enough. $5 million wasn’t good enough. $10 million wasn’t good enough.

00:47:51.440 --> 00:47:55.760
Of course, one newswire agency wasn’t good enough; neither were two. They wanted all three.

00:47:55.760 --> 00:47:59.680
Then they kept expanding their team and making their trades more frequent, and at some point

00:47:59.680 --> 00:48:05.280
you simply can’t hide all these tracks and wash all your accounts and phones fast enough. If it

00:48:05.280 --> 00:48:10.240
feels like you’re able to do all this and get away with it, then yeah, I can see you might get lazy

00:48:10.240 --> 00:48:15.200
and cut corners on how everything is done. So in the end, I think it was greed that

00:48:15.200 --> 00:48:22.240
brought this whole thing crashing down. (OUTRO): [OUTRO MUSIC] If you like the show,

00:48:22.240 --> 00:48:25.760
you might want to check out the shop. I’ve been working hard at making some pretty cool shirts

00:48:25.760 --> 00:48:31.200
for you. There are over thirty designs now, and surely there’s one that you would like. So,

00:48:31.200 --> 00:48:37.760
head over to shop.darknetdiaries.com and pick up a new shirt. This show is made by me, the shadow,

00:48:37.760 --> 00:48:43.120
Jack Rhysider. This episode was written by Fiona Guy, sound design by me? Oh yeah, that’s right;

00:48:43.120 --> 00:48:48.080
I added the music for this episode. Editing help this episode by the devious Damienne. Our mixing

00:48:48.080 --> 00:48:53.360
is done by Proximity Sound, and our theme music is done by the wicked-fast Breakmaster Cylinder.

00:48:53.360 --> 00:49:01.840
A hacker went into a bar and he said give me your strongest link. This is Darknet Diaries.
