"Украинских хакеров" в США судят за кражу пресс-релизов
Ринки 12.08.2015 16:30Выходцы из стран СНГ в очередной раз попали попали в число хакеров, арестованных на Восточном побережье по подозрению в краже корпоративных данных. Сотрудники ФБР выявили девять человек, связанных с зарубежными киберпреступниками. Под арест были взяты пятеро. Аресты были произведены на территории штатов Пенсильвания и Джорджия. Как удалось узнать “Славянскому Сакраменто”, арестован также председатель Объединения славянских церквей ЕХБ (Восточного побережья) Виталий Корчевский. Aмериканские власти уже назвали данную аферу беспрецедентной
Хакеры, предположительно находящиеся на Украине и, возможно, в России, взломали серверы лент раскрытия PRNewswire Association LLC, Marketwired и Business Wire (подразделение Berkshire Hathaway Inc. миллиардера Уоррена Баффета), рассказал источник. Их соучастники, находящиеся в США, использовали полученную информацию в операциях с акциями десятков компаний, включая Boeing, Hewlett-Packard, Caterpillar, Oracle, Panera Bread.
Согласно заявлению Комиссии по ценным бумагам и биржам (SEC), инициировавшей расследование, хакеры занимались противозаконной деятельностью в течение пяти лет. По данным следствия, участники схемы успели заработать более 30 млн долларов. Комиссия по ценным бумагам и биржам заявляет, что в результате преступной схемы, в которой были задействованы 12 человек и 15 компаний, якобы было заработано более ста миллионов долларов. Деньги выводились через эстонские банки.
В обвинительном заключении прокуроры описали ряд крупных покупок акций, совершенных в преддверии квартальных отчетов о доходах. Предполагается, что пресс-релизы подвигли хакеров на совершение выгодных сделок. В документе указаны пять имен предполагаемых хакеров: Иван Турчинов, Аркадий Дубовой, Игорь Дубовой, Павел Дубовой и Александр Еременко. Они обвиняются в мошенничестве с ценными бумагами и кибервзломе.
Как явствует из судебных документов, с февраля 2010 года злоумышленники похитили около 150 тысяч пресс-релизов, содержавших закрытые на тот момент данные о заработках корпораций и планах их слияния или поглощения.
Известно, что Аркадий Дубовой с сыном Игорем в настоящее время живут в Грузии, а Павел Дубовой – на Украине.
“Эта интернациональная схема беспрецедентна и по масштабам компьютерных взломов, и по числу трейдеров, и по количеству ценных бумаг, которыми они торговали, и по объему прибылей”, – цитирует слова главы SЕС Мэри Джо Уайт русская служба BBC.
По данным информированных источников, в число пяти арестованных входит выходец из СНГ Виталий Корчевский, возглавляющий небольшой инвестиционный фонд NTS Capital. 50-летний Корчевский подозревается в организации всей преступной схемы. Он был арестован ФБР во вторник утром в своем доме неподалеку от Филадельфии (Пенсильвания). Ему предъявили обвинение по пяти пунктам, включая сговор с целью получения ценных бумаг и отмывание денег.
Как удалось узнать “Славянскому Сакраменто” Виталий Корчевский родился 27 мая 1965 года в г. Джамбуле, Казахстан, затем проживал в Киргизии, Грузии, Харькове. В 1989 г. переехал на постоянное место жительства в США.
Сообщается, что пастор учился в частном университете Regent University, принадлежащем скандально известному телеевангелисту Пэту Робертсону. С 1998 г. являлся заместителем председателя Русско-Украинского Союза Евангельских христиан-баптистов (ЕХБ) США. С 2000 г. занимал пост председателя Объединения славянских церквей ЕХБ США, а также является пастором славянской церкви Brookhaven Slavic Evangelical Baptist Church в г. Филадельфия (штат Пенсильвания).
На ютубе можно найти лекции по управлению финансами, которые вел подозреваемый для русскоязычных семей в Америке. Раннее он являлся президентом Русско-Украинского Союза ЕХБ (с центром в Ашфорде, штат Коннектикут).
Согласно обвинению, Корчевский описывается как один из главных заговорщиков, занимавшийся разработкой рыночной стратегии; ранее он работал с Уолл-Стрит. Затем организовал свой собственный хедж-фонд, который не сделал ни одного вложения с момента организации четыре года назад. Ввиду того, что священник регулярно передвигался по миру (с 2010 г. он сделал 42 поездки за рубеж) и мог сбежать, прокуратура настаивала на тюремном заключении, все же подозреваемый освобожден судом Пенсильвании под залог в $100 000. Пока пастор не нанимал адвоката и вышел из здания суда, оставив прессу без комментариев.
Следующее заседания суда состоится в эту пятницу, затем дело перейдет в суд Нью-Йoрка.
Жена Корчевского описывает супруга как скромного пастора, путешествующего по миру, осуществляя миссию своей церкви. Однако, согласно информации суда, Корчевский представляет из себя “смесь криминала и христианства”, пишет Philly.com.
Несмотря на то, что в социальных сетях он заявлял о своей сертифицированности финансового аналитика, его компания была задействована в сферах на $17 млн с участием мошеннических денег. Как указывает издание, Корчевский занимался этим с 2010 г. до мая этого года.
Например, в 2011 г. Корчевский, благодаря украденному хакерами релизу приобрел 1 100 акций биотехнической компании Dendreon, базирующейся в Сиэтле. Позже эти акции были проданы за $2.3 млн.
По данным SEC, Турчинов и Еременко завели секретный сервер для переправки похищенных пресс-релизов трейдерам в России, на Украине, Кипре и Мальте, во Франции и в трех штатах Америки – Джорджии, Нью-Йорке и Пенсильвании.
В считанные часы или даже минуты до публикации ворованных пресс-релизов эти трейдеры использовали почерпнутую из них инсайдерскую информацию для операций с ценными бумагами и потом отчисляли хакерам условленную долю прибыли.
Следователи приводят такой яркий пример. 1 мая 2013 года хакеры и связанные с ними трейдеры в течение 36 минут, прошедших с поступления в пиар-компанию пресс-релиза о сокращении заработка одной корпорации и до предания его гласности, успели сыграть ее акциями на понижение и заработали 511 тыс. долларов.
Комиссия по ценным бумагам обвиняет всех 32 ответчиков в мошенничестве и просит суд взыскать с них штрафы и полную сумму нечестно нажитой прибыли.
В 57-страничном обвинительном документе, обнародованном в Нью-Джерси, приводится другой пример выгодного использования похищенного пресс-релиза.
В начале 2012 года корпорация Caterpillar прислала в пиар-компанию PRNewswire пресс-релиз, из которого явствовало, что в предыдущем году ее прибыли выросли на 36%.
Эта информация, которая хранилась на сервере пиар-компании менее суток и потом была опубликована, была похищена хакерами и переправлена трейдерам. Они молниеносно приобрели акции и опционы Caterpillar на 8,3 млн долларов.
После оглашения пресс-релиза акции корпорации подскочили в цене на 2%. Мошенники заработали на этой операции около миллиона.
Стратегия незаконной добычи и использования инсайдерской информации была настолько успешна, что вскоре злоумышленникам пришлось нанимать все больше хакеров из СНГ.
На момент ареста пастор владел высоколиквидными активами на сумму в $5 млн. На полученные деньги он приобретал жилую недвижимость в Глен Миллз, Мидии, Верхнем и Западном Чичестере, а также в торговом районе Малверн.
После известия о случившемся, компании Business Wire из Сан-Франциско даже пришлось нанимать экспертов по кибер-безопасности, чтобы те проверили надежность системы.
В числе арестованных также названы Владислав Халупский, Леонид Момоток и Александр Гаркуша.
Как отмечает Bloomberg, это первый случай, когда в США вскрыты инсайдерские операции с непосредственным участием хакеров и нарушениями кибербезопасности. Это демонстрирует уязвимость финансовых рынков в цифровой век. Кроме того, эта технология своего рода “великий уравнитель”: на Уолл-стрит, похоже, больше не нужны особые связи, чтобы получить инсайдерскую информацию, комментирует деловое издание. Оно напоминает, что в последнее время от хакеров крупно пострадали такие корпорации, как Sony Pictures, торговая сеть Target, банк JPMorgan и другие.
ФБР и прокуратура Нью-Йорка начали расследование по наводке Комиссии по ценным бумагам и биржам (SEC) США, обратившей внимание на подозрительные торговые операции некоторых обвиняемых. Позднее Секретная служба США и прокуратура Нью-Джерси начали собственное расследование, предметом которого стала уже деятельность иностранных хакеров, а не американских инвесторов.
По данным источников, расследование началось более двух лет назад, оно раскрывает пятилетнюю преступную схему, действовавшую вплоть до последнего времениPlaintiff Securities and Exchange Commission (the "Commission"), One Penn Center, 1617 JFK Boulevard, Suite 520, Philadelphia, Pennsylvania 19103, alleges as follows against the following defendants, whose names and last known addresses are set forth below:
a. Arkadiy Dubovoy
3374 Cedar Farms Ct.
Alpharetta, GA 30004
b. Igor Dubovoy
6240 Crested Moss Dr.
Alpharetta, GA 30004
c. Pavel Dubovoy
33 7 4 Cedar Farms Ct.
Alpharetta, GA 30004
d. David Amaryan
Akademichaskaya B. Street, House 15, 1, 255
Moscow, Russia 125130
e. Nelia Dubova
UL Marseljskaya 32/2-1
Odessa, Ukraine
f. Alexander Fedoseev
Holzunova 40 G
Voronezh, Russia 394068
g. Aleksandr Garkusha
4090 Asheville Manor Court
Cumming, GA 30040
h. Oleksander Ieremenko (a.k.a. Aleksander Eremenko)
[Street address unknown]
Kiev, Ukraine
i. Vladislav Khalupsky
2 Armeyskaya Street
Apt. 23
Odessa, Ukraine
J. Vitaly Korchevsky
1709 Slitting Mill Road
Glenn Mills, P A 19342
k. Roman Lavlinskiy
Svobody, 10-26 Voronezh
Voronezhskaiy, Russia
l. Oleksandr Makarov
Saksahanskoho 92, 18
Kiev, Ukraine
m. Leonid Momotok
1610 Pepperbush Court
Suwannee, GA 20024
n. Nikolai (Nikolay) Slepenkov
4, Sevanskaya Street,
Apt. 420
Moscow, Russia
o. Andriy Supranonok
7b L. Ukrainky Boulevard, Apt. 51
Kiev, Ukraine, 01001
p. Ivan Turchynov
[Street address unknown]
Kiev, Ukraine
q. Maxim Zakharchenko
Bering Capital Partners Ltd
4th Floor
15 Pozharbky Pereulok
Moscow, Russia 119034
r. APD Developers, LLC
6495 Shiloh Road, Suite 400
Alpharetta, GA 300Q5
s. Beratto Group Ltd.
Geneva place, Waterfront Drive
Roadtown, Tortola BVI
t. Bering Explorer Fund Ltd.
4th Floor
15 Pozharbky Pereulok
Moscow, Russia 119034
u. Concorde Bermuda Ltd.
2 Mechnykova Str.
Kiev, Ukraine 0160 1
v. Escada Logistics Ltd.
4, Sevanskaya Street, APT. 420
Moscow, Russia 115516
w. Exante Ltd.
Portomaso Business Tower, Level 7
St. Julians, Malta
x. Global Hedge Capital Group
Bolshoy Savvisky 11
Moscow, Russia 119435
y. Guibor S.A .
.2 Rue Alfred de Vigny
Paris, France 75008
z. Intertrade Pacific S.A.
Akademichaskaya B. Street, House 15, 1, 255
Moscow, Russia 125130
aa. Jaspen Capital Partners Limited
Schorsa, 32G, 1st floor
Kiev, Ukraine, 01001
bb. NTS Capital Fund
1709 Slitting Mill Road
Glenn Mills, PA 19342
cc. Memelland Investments Ltd.
2, Christaki kai Elpinikis Kinni
Flat 8, Summer Gardens, Limassol
4046, Cyprus
dd. Ocean Prime Inc.
16 Sadovnicheskaya St.
Moscow, Russia 115035
ee. Omega 26 Investments Ltd.
2 Rue Alfred de Vigny
Paris, France 75008
ff. Southeastern Holding and Investment Company LLC
3421 Preston Pointe Way
Cumming, GA 30041
SUMMARY
1. Defendants perpetrated an international fraudulent
scheme by hacking the computer servers of at least two newswire services
and stealing, through deception, confidential earnings information for
numerous publicly-traded companies from press releases that had not yet
been released to the public. Defendants then used that stolen material
nonpublic information to trade securities and reap over $1 00 million in
unlawful profits.
2. Over an approximately five-year period,
defendants Ivan Turchynov and Oleksander Ieremenko-computer hackers
residing in the Ukraine (the "hacker defendants") hacked into certain
U.S. newswire services and, through deception, stole more than
100,000 press releases for publicly-traded companies before they were
issued to the public. Many ofthe stolen press releases contained
information about quarterly and annual earnings data for
these companies.
3. The hacker defendants worked in concert with a
network of traders, located in the United States and abroad, who paid
the hacker defendants for the stolen information, either through a flat
fee or a percentage ofthe illicit profits gained from the illegal
trading on the information.
4. The hacker defendants oscillated
primarily between two newswire services, focusing on obtaining the press
releases from one or the other depending on the hacker defendants'
access to the newswire services' computer networks.
5. The hacker
defendants stole the press releases and passed them to the
trader defendants in the window oftime between when the press releases
were uploaded to the newswire service's system and when the press
releases were publicly issued. As a result, the trader defendants had an
unfair trading advantage over other market participants because
they knew the content ofthe press releases before that information was
publicly announced.
6. The defendant traders capitalized on this
advantage by initiating trades before the press releases were issued to
the public. The defendant traders bought or sold securities depending on
their anticipation of how the market would respond to the information
in the stolen press releases.
7. The traders used deceptive means to
conceal their access the stolen releases and make payments to the
hackers. The traders also concealed their trading activities through use
of multiple accounts and entities.
8. Then, after the press release
was publicly issued, and the price ofthe securities changed as the
market learned the previously undisclosed information, the defendant
traders reaped enormous profits.
9. Collectively, the trader defendants used this stolen information to realize over $1 00 million in illicit gains.
10.
On information and belief, at least some ofthe defendants have
continued to pursue this scheme at one or more newswire services. As
recently as May 2015, some ofthe defendants traded in front ofpress
releases issued from a third newswire service that had been hacked.
11.
By knowingly or recklessly engaging in the conduct described in this
Complaint, defendants violated, and unless enjoined, will continue to
violate the securities laws.
JURISDICTION AND VENUE
12. The Commission brings this action pursuant to Section 20(b) of
the Securities Act [15 U.S.C. §§ 77t(b) and 15 U.S.C. § 77t(e)] and
Sections 21(d) and 21A ofthe Exchange Act [15 U.S.C. §§ 78u(d) and
78u-l] to enjoin such transactions, acts, practices, and courses
of business, and to obtain disgorgement, prejudgment interest, civil
money penalties, and such other and further relief as the Court may deem
just and appropriate.
13. This Court has jurisdiction over this
action pursuant to Sections 20(b) and 22(a) ofthe Securities Act [15
U.S.C. §§ 77t(b) and 77v(a)] and Sections 21(d), 21(e), 21A and 27
of the Exchange Act [15 U.S.C. §§ 78u(d), 78u(e), 78u-1 and 78aa].
14.
Venue in this District is proper pursuant to Section 22(a) ofthe
Securities Act [15 U.S.C. § 77v(a)] and Section 27 ofthe Exchange Act
[15 U.S.C. § 78aa]. Certainofthe transactions, acts, practices, and
courses ofbusiness constituting the violations alleged herein occurred
within the District ofNew Jersey and elsewhere, and were effected,
directly or indirectly, by making use of the means or instruments or
instrumentalities oftransportation or communication in interstate
commerce, or ofthe mails, or the facilities of a national
securities exchange. For example, during the relevant time period,
Newswire Service 2's computer servers, which were hacked in connection
with the scheme, were located in Jersey City, New Jersey and Piscataway,
New Jersey. In addition, securities transactions related to this
matter were executed on NASDAQ servers in Carteret, New Jersey and by
broker dealers in Jersey City, New Jersey.
DEFENDANTS
I. The Hacker Defendants
15. Oleksandr Ieremenko, a.k.a. Aleksander Eremenko, ("Ieremenko") is 23 years old and resides in Kiev, Ukraine.
16. Ivan Turchynov ("Turchynov") is 27 years old and resides in Kiev, Ukraine.
17.
The hacker defendants perpetrated the scheme from multiple IP
addresses, including but not limited to: XX:XXXX:-18.42; X:XXX:X-9.101;
XX:XXXX:-136.6; and XX:XXXX:-26.98.
18. To conceal their true
identities, the hacker defendants used multiple email accounts and
online "handles" in carrying out and communicating about the scheme. To
the extent referenced in the complaint, other documents filed with the
Court, or exhibits, these unique handles and aliases will be redacted.
They will be replaced with the hacker defendant's name followed by
"Alias" (i.e., "Ieremenko Alias").
II. The Trader Defendants
A. The Dubovoy Group Defendants
19.
The Dubovoy Group defendants are a close-knit group of traders,
consisting primarily of family, friends, and business associates
ofArkadiy Dubovoy. Collectively, the Dubovoy Group defendants realized
over $31 million in illicit gains from the scheme.
20. As part of this scheme, the Dubovoy Group defendants opened
trading accounts in their names, names of companies they owned, and in
the names of at least four oftheir associates ("Straw Owners").
a.
Straw Owner 1 is the manager ofUkrainian ice cream company owned
by Arkadiy Dubovoy, who had straw ownership for accounts at Interactive
Brokers ending in *4463, Cimbanque ending in *COli, and Tradestation
ending in *7799.
b. Straw Owner 2 is the brother of defendant Leonid
Momotok, and had straw ownership for accounts at E*Trade ending in
*0592, TD America ending in *2779, Charles Schwab ending in *3160.
c.
Straw Owner 3 is the manager of the Ukrainian branch of one of
Arkadiy Dubovoy's companies, R.J. Construction, and had straw ownership
for Interactive Brokers account ending in *8348.
d. Straw Owner 4 is
another manager ofthe Ukranian branch of RJ Construction, and had straw
ownership oflnteractive Brokers account ending in *8944, Charles Schwab
account ending in *0875, and Bank ofAmerica account ending in *9456.
21. Arkadiy Dubovoy ("Arkadiy Dubovoy") is 50
years old and resides in Alpharetta, Georgia. He is the owner or partial
owner of several limited liability corporations ostensibly involved in
the construction business, including defendants APD Developers LLC
and Southeastern Holding and Investment Company LLC. He also owns Boni
Inc. which is purportedly in the brokerage services business. The
following brokerage accounts, opened in the name ofArkadiy Dubovoy or in
the name of entities he owns, were involved in the scheme and trading
in those accounts generated over $11 million in ill-gotten gains:
Options House account ending in *8957; Trade King account ending in
*8312; Charles Schwab accounts ending in *0365 and *8834; E*Trade
account ending in *6987; Fidelity account ending in *6216; Merrill Lynch
account ending in *9078; Scottrade account ending in *0584; TD
Ameritrade accounts ending in *7954 and *4751.
22. Igor Dubovoy ("Igor Dubovoy") is 28 years old and is Arkadiy Dubovoy's son. He resides in Alpharetta, Georgia. He owns Dawson & Dawson ("Dawson") and M& I Advising Inc. ("M&I Advising"), and assists Arkadiy Dubovoy in operating Boni Inc., an entity used to transfer funds between brokerage accounts. Accounts in the name of M&I Advising (TD Arneritrade account ending *7757) and Dawson (TD Ameritrade account ending *3311) were involved in the scheme. Approximately $250,000 in illicit gains were generated in these accounts. Igor Dubovoy also had trading authority on and/or managed several of Arkadiy ' Dubovoy's brokerage accounts involved in the scheme, including: TD Arneritrade accounts ending in *4751 and *7954, and Charles Schwab account ending*0365. Igor Dubovoy gave Power ofAttorney to Leonid Momotok to trade in the accounts with respect to which Igor Dubovoy was associated.
23. Pavel Dubovoy ("Pavel Dubovoy")
is 32 year old and resides in Kiev, Ukraine and Alpharetta, Georgia. He
shares a credit card account with Arkadiy Dubovoy. During the scheme,
Pavel Dubovoy told other Dubovoy Group defendants, including Aleksandr
Garkusha, how to access the press releases the hacker defendants stole.
He also directed payments to Turchynov using a Dubovoy entity and
confirmed those payments with Arkadiy Dubovoy. Using one or more
intermediaries, Pavel Dubovoy also communicated with the
hacker defendants and, in at least one instance, told them which press
releases to unlawfully acquire.
24. Nelia Dubova ("Dubova") is
38 years old and resides in Odessa, Ukraine. She owned a brokerage
account used in the scheme (APX account ending in *4899) and she was
the signatory officer for another account involved in the scheme in the
name of defendant Beratto Group (APX account ending in *5038). Khalupsky
and Igor Dubovoy possessed the login and password information for the
Beratto APX *5038 account. The Dubovoy Group defendants used these two
accounts to make illicit trades resulting in approximately $1 million in
ill-gotten gains.
25. Aleksandr Garkusha ("Garkusha")
is 47 years old and resides in Cumming, Georgia. He is the executive
vice president of defendant APD Developers, which is owned by Arkadiy
Dubovoy. He also manages the trading operations ofTanigold Assets, an
entity which was used by Pavel Dubovoy to make payments to Turchynov. In
addition, Garkusha was the former principal at Verum Capital Group LLC
which was located at the same address as APD Developers in Georgia.
26. Vladislav Khalupsky ("Khalupsky")
is 44 years old and resides in Brooklyn, New York, and Odessa, Ukraine.
Khalupsky worked in the securities industry as a
registered representative until June 2011. Along with Igor Dubovoy,
Korchevsky, and Garkusha, Khalupsky helped the Dubovoy Group set up
off-shore accounts. He assisted Arkadiy and Igor Dubovoy in wiring
money. He directed the configuration of one Arkadiy Dubovoy's
brokerage accounts involved in the illegal scheme (Merrill Lynch account
ending *9078) (an account he referred to in a conversation with Arkadiy
Dubovoy as "our account") and helped to direct the Dubovoy' s trading
in other accounts. He made or directed illicit trades in those accounts
in connection with the scheme alleged in this Complaint.
27. Vitaly Korchevsky ("Korchevsky")
is 49 years old and resides in Glen Mills, Pennsylvania. Korchevsky was
a registered investment adviser who previously established and managed
hedge funds. He has partnered with Arkadiy Dubovoy in various
enterprises, including hedge funds. Korchevsky coordinated his illegal
trading with Arkadiy Dubovoy and other members ofthe Dubovoy Group and
used the following brokerage accounts to make unlawful trades: E*Trade
account ending 6623; Fidelity account ending *4716; and TD
Ameritrade accounts ending *2449 and *1014. Along with his wife,
Korchevsky owns defendant NTS Capital Fund L.P., which also traded in
connection with this scheme. Korchevsky made more than 600 unlawful
trades as part ofthe scheme, realizing approximately $17.5 million in
illgotten gains.
28. Leonid Momotok ("Momotok")
is 47 years old and resides in Cumming, Georgia. He owns a one-percent
interest in two ofArkadiy Dubovoy's companies, RJ General Maintenance
LLC and defendant Southeastern Holding and Investment Company
LLC. Momotok is also the managing member of defendant Southeastern
Holding. Momotok had a comprehensive role in the scheme described in
this Complaint. He advised Arkadiy Dubovoy how to trade using the stolen
information, and he had formal trading authority for brokerage accounts
used in the scheme but held in the name of other members ofthe Dubovoy
Group, including: Arkadiy Dubovoy's Scottrade account ending *0584;
Southeastern Holding's Scottrade account ending *5408, Charles Schwab
account ending *3154, and TD America account ending *6350. Momotok also
used accounts held by Igor Dubovoy and Straw Owners 1, 2, 3, and 4 to
trade in this scheme.
29. APD Developers, LLC ("APD")
purports to be a construction business based in Atlanta, Georgia.
Arkadiy Dubovoy owns APD and opened brokerage accounts in the name
of APD that were used tin the fraudulent scheme, including TD Ameritrade
accounts ending *4751 and *7954 and Charles Schwab account ending
*0365.
30. Beratto Group LLC ("Beratto")
purports to be a real estate and investment company based in the
British Virgin Islands. Beratto owned an APX account ending
*5038. Dubova, Khalupsky and Igor Dubovoy had access to this account and
it was used to make illicit trades in connection with the fraudulent
scheme.
31. NTS Capital Fund L.P. ("NTS")
purports to be a hedge fund based in Glen Mills, Pennsylvania, owned by
Korchevsky and his wife. NTS has a brokerage account at Jeffries/JP
Morgan ending in *0336. Unlawful trades were made in this account
resulting in approximately $3.2 million in ill-gotten gains.
32. Southeastern Holding and Investment Company LLC ("Southeastern") is a Georgia limited liability corporation with its
principal place of business in Cumming, Georgia. Its managing members
are Arkadiy Dubovoy and Momotok. Southeastern had the
following brokerage accounts, Charles Schwab account ending *3154, and
TD Ameritrade account ending *6350. Illicit trades were made in these
accounts as part ofthe scheme resulting in approximately $165,000 in
ill-gotten gains.
B. The Foreign Trader Defendants
33. David Amaryan ("Amaryan") is 35 years old
and resides in Moscow, Russian Federation. He is the CEO ofdefendant
Ocean Prime Inc. ("Ocean Prime") and the sole director of defendant
Intertrade Pacific S.A., ("Intertrade"). Ocean Prime and Intertrade
purport to be proprietary trading funds. Amaryan opened accounts for
Ocean Prime (Interactive Brokers account ending *9827) and Intertrade
(Interactive Brokers account ending *8284). Illicit trades based on
stolen press releases were made in the Ocean Prime and Intertrade
accounts resulting in approximately $3.7 million in ill-gotten gains. As
described below, Amaryan and defendant Nikolai Slepenkov, who owns
defendant Escada Logistics, often made illicit trades in the
same securities, on the £arne days and around the same time and,
frequently, via the same IP addresses.
34. Ocean Prime Inc. ("Ocean Prime") purports to
be a proprietary trading fund established in the British Virgin Islands
with its principal place of business in Moscow, Russian Federation.
35. Intertrade Pacific S.A. ("Intertrade")
purports to be a proprietary trading fund established in the British
Virgin Islands with its principal place of business in Moscow,
Russian Federation. Amaryan is the owner and sole director of the fund.
Intertrade's address is the same as Amaryan's home address in Moscow.
36. Nikolai Slepenkov ("Siepenkov") is 46 years
old and resides in Moscow, Russian Federation. He is the CEO and owner
of defendant Escada Logistics Ltd., which purports to be a proprietary
trading fund. He has an account at Interactive Brokers ending *6218. In
connection with the fraudulent scheme, he executed illicit trades in
that account resulting in approximately $1.25 million in ill-gotten
gains, often in the same securities, on the same days, close to the same
times and frequently via the same IP addresses as Ocean
Prime, Intertrade and Escada.
37. Escada Logistics Ltd. ("Escada") purports to
be a proprietary trading fund established in the British Virgin Islands
with its principal place of business in Moscow, Russian Federation.
Slepenkov runs Escada out ofhis apartment in Moscow and opened an
account in the name ofEscada at Interactive Brokers (ending *2806),
which he used to execute unlawful trades resulting in approximately
$850,000 in ill-gotten gains.
38. Alexander Fedoseev ("Fedoseev") is 29 years
old and resides in Voronezh, Russian Federation, the same town as
defendant Roman Lavlinskiy. Fedoseev owns Interactive Brokers account
ending *4148, which he used to make unlawful trades in that account
resulting in approximately $700,000 in ill-gotten gains. In the
brokerage accounts they controlled, Fedoseev and Lavlinskiy often traded
based on stolen press releases in the same securities, on the same
days, close to the same times and frequently via the same IP addresses.
39. Roman Lavlinskiy ("Lavlinskiy") is 29 years
old and resides in Voronezh, Russian Federation. Lavlinskiy owns or
owned Interactive Brokers account ending *7182 and TD Ameritrade
accounts ending *3933 and *9065, which he used in connection with
the fraudulent scheme to make unlawful trades resulting in over $400,000
in ill-gotten gains. Lavlinskiy's illicit trades were often made in the
same securities, on the same days, close to the same times and
frequently via the same IP addresses as Fedoseev.
40. Oleksandr Makarov ("Makarov") is 32 years
old and resides in Kiev, Ukraine. Previously, he worked in the financial
services industry for various investment companies, including Phoenix
Capital. He has a brokerage account at Interactive Brokers ending *4548
and a sub-account ending *4548F. In connection with the fraudulent
scheme, Makarov executed illicit trades in his account resulting in
approximately $80,000 in ill-gotten gains. His illicit trades were often
made in the same securities, on the same days and close to the same
times, and ofte_n through the same IP addresses as Defendant Concorde
Bermuda Ltd.
41. Concorde Bermuda Ltd. ("Concorde")
purports to be a hedge fund established in Bermuda with its principal
place of business in Kiev, Ukraine. Concorde has proprietary trading
accounts at Interactive Brokers ending *4237, *1358, and *2720, which
were used in connection with the fraudulent scheme, resulting in
approximately $3.6 million in ill-gotten gains. Those trades were often
made in the same securities, on the same days and close to the same
times, and often through the same IP addresses as defendant Makarov. In
addition, Concorde transferred money to defendant Jaspen Capital
Partners.
42. Exante Ltd. ("Exante") purports to be a
Malta-based hedge fund. Exante holds proprietary trading accounts at
Interactive Brokers (ending *2751) and at Lek Securities, which were
used in connection with the fraudulent scheme to make trades resulting
in approximately $24.5 million in ill-gotten gains. Several ofExante's
directors are also owners of defendant Global Hedge Capital Fund Ltd.,
and the two entities share employees. Exante and Global Hedge frequently
made illicit trades in the same securities, on the same days and around
the same time, and often through the same IP addresses.
43. Global Hedge Capital Fund Ltd. ("Global
Hedge") purports to be a Cayman Islands-based hedge fund with its
principal place of business in Moscow, Russian Federation. Several ofits
owners are directors ofExante and the two entities share employees.
Global Hedge has a proprietary trading account at Interactive Brokers
ending *4444. In connection with the fraudulent scheme, Global Hedge
executed unlawful trades in that account resulting in over $3.8 million
in ill-gotten gains, often in the same securities, on the same days and
close to the same times, and often through the same IP addresses as
Exante.
44. Memelland Investments Ltd. ("Memelland")
purports to be a hedge fund established in the British Virgin Islands
with its principal place of business in Limassol, Cyprus. Meinelland has
a trading account at Interactive Brokers ending *2799, which was used
in connection with the fraudulent scheme to make illicit trades,
realizing profits of approximately $375,000.
45. Guibor S.A. ("Guibor") purports to be a
proprietary trading fund established in France with its principal place
of business in Paris, France. It shares a business address and an owner
with defendant Omega 26 Investments Ltd. Guibor has a proprietary
trading account at Interactive Brokers ending *2450, which was used in
connection with the fraudulent scheme to execute trades resulting in
$3.5 million in ill-gotten gains. Guibor and Omega 26 frequently traded
in the same securities, on the same days and close to the same times,
and often through the same IP addresses.
46. Omega 26 Investments Ltd. ("Omega 26")
purports to be a proprietary trading :fimd established in Samoa with its
principal place of business in Paris, France. Omega 26 has proprietary
trading accounts at Interactive brokers ending *2898 which it used in
connection with the fraudulent scheme to execute trades resulting in
approximately $2.1 million in ill-gotten gains. In addition, Omega 26
also had a proprietary trading account at Cantor Fitzgerald ending *055,
which, on information and belief, it used to make unlawful trades in
connection with the scheme resulting in approximately another $1 million
in ill-gotten gains.
47. Bering Explorer Fund Ltd. ("Bering") purports to be a Bahamian company with its principal place of business in Moscow, Russian Federation. Bering had accounts at Cantor Fitzgerald Europe ending *966 and *969, which were used in connection with the fraudulent scheme to make trades resulting in over $6.6 million in ill-gotten gains.
48. Maxim Zakharchenko ("Zakharchenko") resides
in the Russian Federation. He is one oftwo Bering directors, and had
trading authority in Bering's brokerage accounts at Cantor Fitzgerald
Europe. On information and belief, Zakharchenko directed Bering's
illicit trades.
49. Andriy Supranonok ("Supranonok") is 33 years old and resides in Kiev, Ukraine. He is the CEO and owns 30% of defendant Jaspen Capital Partners' shares. Supranonok has an account at GFT UK Global Markets Limited ending *1765 and is an authorized trader in certain ofJaspen's brokerage accounts. Previously, Supranonok was employed as head of sales and trading at Kiev-based Phoenix Capital, where Makarov was also employed.
50. Jaspen Capital Partners ("Jaspen") purports
to be a Bermudian company based in Kiev, Ukraine. Jaspen also purports
to be a full service investment bank that provides advisory services
including asset management and sales and trading. Jaspen had the
following proprietary trading accounts:
Interactive Brokers accounts ending *2712 and *6768;
R.J. O'Brien account ending*0006;
and AJK, Inc. accounts ending *0397, *5787, *5796, and *0765;
ADM Investor Services International Limited ending *CM07, *CM08, and *CM21 (based in London, England);
Cantor Fitzgerald Europe ending *011, *994 (based in London, England);
and Saxo Bank A/S ending *INET and *NET2 (based in Hellerup, Denmark). In connection with the fraudulent scheme, illicit trades were placed in some of Jaspen's accounts and Supranonok's account resulting in nearly $25 million in ill-gotten gains.
HACKED NEWSWIRE SERVICES
51. Newswire Service
1 is a newswire service based in Toronto, Canada. It
provides end-to-end content, news production, and distribution services
to its clients, including many issuers in the United States.
52. Newswire Service 2 is a newswire service with headquarters in
New York, New York. It provides end-to-end content, news production,
and distribution services to its clients, including many issuers in the
United States. Throughout the relevant time period, Newswire Service 2's
computer servers were located in Jersey City, New Jersey and
Piscataway, New Jersey. Collectively, Newswire Service 1 and Newswire
Service 2 are referred to herein as the "Newswire Services."
53. Newswire Service 3 is a newswire service with its
headquarters in New York and California. On information and belief, from
at least December 2014 through May 2015, at least some ofthe defendants
perpetrated the same scheme against Newswire Service 3, and may
have targeted other newswire services as well.
TERMS USED IN THIS COMPLAINT
Options
54. A stock option, commonly referred to as an "option," gives its purchaser-holder the option to buy or sell shares of an underlying stock at a specified price (the "strike" price) prior to the expiration date. Options are generally sold in "contracts," which give the option holder the opportunity to buy or sell 100 shares of an underlying stock.
55. A "call" option gives the purchaser-holder ofthe.option the
right, but not the obligation, to purchase a specified amount of an
underlying security at a specified strike price within a specific time
period. Generally, the buyer of a call option anticipates that the price
of the underlying security will increase during a specified amount
oftime.
56. A "put" option gives the holder ofthe option the right, but
not the obligation, to sell a specified amount of an underlying security
at a specified strike price within a specific time period. Generally,
the buyer of a put option anticipates that the price ofthe underlying
security will decrease during a specified amount oftime.
Short-Selling
57. Short-selling is the sale of a security not owned by the
seller and is a technique used to take advantage of an anticipated
decline in price. An investor borrows stock for delivery at the time
ofthe short sale. If the seller can buy that stock later at a lower
price, a profit results; if, however, the price rises, a loss results.
Contracts for Differences
58. A contract for difference ("CFD") is a stock derivative that
is an agreement between two parties to exchange the difference in value
of an underlying stock between the time the contract is opened and the
time at which it is closed. Ifthe share price increases for
the underlying security, the seller pays this difference to the buyer.
If, however, the underlying share price declines, the buyer must pay the
seller the difference.
59. A CFD typically mirrors the movement and pricing of its
underlying stock on a dollar-for-dollar basis, such that any fluctuation
in the market price ofthe underlying security is reflected in the
unrealized gain or loss of the CFD position.
60. Generally, the investor in a CFD position benefits by
acquiring the future price movement ofthe underlying common stock
without having to pay for or take formal ownership ofthe underlying
shares.
61. Generally, the investor in a CFD is not required to pay for
the underlying shares ofthe security. Instead the CFD investor only pays
the transaction fees charged by the CFD provider. Thus, a CFD, like a
stock option, allows an investor to recognize significant value from an
underlying equity's price movement without having to pay for the
underlying shares.
Margin
62. "Buying on Margin" is the practice of borrowing money to purchase securities.
63. Buying with borrowed money can be extremely risky because
both gains and losses are amplified. That is, while the potential for
greater profit exits, there is a corresponding potential for greater
losses. Buying on margin also subjects a trader to additional costs such
as the interest payment for use of the borrowed money.
IP Address
64. An "internet protocol address" ("IP address") is a unique number
required for online activity conducted by a computer or other device
connected to the internet. In simple terms, it is like a return address
on a letter.
FACTS
The Newswire Services Are Repositories For Material Nonpublic Information
65. The Newswire Services edited and released press releases for publicly-traded companies (also known as "issuers") in the United States. Often these press releases contained quarterly earnings data and other important financial information for a given issuer. Until the Newswire Services released the press release to the general public, the sensitive financial information in the press releases constituted material non-public information.
66. To facilitate the process of disseminating quarterly earnings
information to the public, issuers routinely provided draft press
releases to the Newswire Services. The Newswire Services then edited,
prepared, and stored electronically the press release for
public dissemination.
67. In providing these services, the Newswire Services become
repositories for material non-public information from their
issuer-clients. From 2010 through early 2014, the Newswire Services
issued more than one million press releases on behalf oftheir clients.
Many ofthese releases related to issuer earnings announcements. The
publication of quarterly earnings information often has a significant
positive or negative short-term effect on a given issuer's share price.
68.
For each press release, there is a window oftime between when the
issuer provides a draft press release to the Newswire Service and when
the Newswire Service publishes the release (the "window"). This window
varied between a number ofminutes and a number of days.
The Hacker Defendants Fraudulently Accessed Unpublished Press Releases From Newswire Service 1 and Newswire Service 2
69. Defendants took advantage ofthe window by hacking into the
Newswire Services' computer systems, accessing the press releases prior
to their publication, and then trading on the material, non-public
information contained in the releases before the information was
published to the investing public. After the press release was publicly
issued, defendants then closed the trading position they had opened
during the window oftime between the upload of the press release and its
public dissemination.
70. From 2010 until2014, the hacker defendants electronically
intruded ("hacked"), without authorization, into the Newswire Services'
computer systems and stole over 100,000 press releases before they were
publicly issued.
71. The hacker defendants used deceptive means to gain
unauthorized access to the Newswire Services' computer systems, using
tactics such as: (a) employing stolen username/password information of
authorized users to pose as authorized users; (b) deploying malicious
computer code designed to delete evidence ofthe computer attacks; (c)
concealing the identity and location ofthe computers used to access the
Newswire Services' computers; and (d) using back-door access-modules.
72. The hacker defendants' theft of un-published press releases
oscillated between the two Newswire Services depending on their ability
to gain access to the Newswire Services' servers. The following chart
indicates the time periods during which the hacker defendants
were focusing on the different Newswire Services:
Date Range N ewswire Service 1 Newswire Service 2
February 2010 to July 2010 Hackers had access to network and press releases. Limited access to the network.
July 2010 to January 2011 Hackers had access to network ?nd press releases. Hackers had access to network and press releases
January 2011 to July 2011 Hackers had access to network and press releases. Change in N ewswire Service 2's computer system blocked access.
July 2011 to March 2012 Hackers had access to network and press releases. Hackers had access to network and press releases.
March 2012 to January 2013 Hackers had access to network and press releases. Change in Newswire Service 2's computer system blocked access.
January 2013 to March 2013 Hackers had access to network and press releases. Hackers had access to network and press releases.
March 2013 to November 2013 Hackers had access to network and press releases. Change in Newswire Service 2's computer system blocked access.
November 2013 to Present Change in Newswire Service 1's computer system blocked access. Continued attempts by hackers to access the network
Continued attempts by hackers to access the network
73. The Trader Defendants' trading activity mirrored the access and focus ofthe hacker defendants. When the hacker defendants stole press releases from Newswire Service 1, the trader defendants traded in the securities ofthe issuers whose press releases were stolen from Newswire Service 1. When the hacker defendants stole press releases from Newswire Service 2, the trader defendants traded in the securities ofissuers whose press releases were stolen from Newswire Service 2.
The Stolen Press Releases Gave The Defendants An Illegal Trading Advantage
74. Throughout this scheme, the hacking defendants stole more
than 100,000 press releases before they were publicly issued. Many of
the stolen press releases included corporate earnings results and,
often, forecasted future earnings.
75. It is common for financial analysis firms to estimate or predict a
given issuer's quarterly or annual earnings. The "market" reaches a
consensus expectation based on these different predictions. When an
issuer releases its earnings, the share price for that issuer generally
increases if its earnings exceed the market consensus and generally
decreases if its earnings fall short ofthe consensus prediction.
Accordingly, the stolen press releases contained material information
that a trader could use to place securities trades and reap illicit
profits.
The Hacker Defendants Distributed The Stolen Information
To Traders In Exchange For A Percentage OfTheir Profits Or A Flat Fee
76. The hacker defendants joined with the trading defendants to
profit on the material nonpublic information they stole through their
deceptive hacks on the Newswire Services. The hackers distributed video
evidence oftheir ability to steal information from the
Newswire Services. On October 25,2010, Turchynov attached a video file
to an outgoing email message.
This video shows a computer screen
listing more than 300 files, many containing the term "release" in the
file name. A text window then pops up with a message in Russian,
explaining that what appears on the screen is an administrative panel
for files and explaining how to download the files. The message
concludes that access data will be sent to the email the
viewer provides.
77. As the video continues, it shows ten files being selected and
downloaded to a zip file dated October 24, 2010. The video further
shows that the IP address used to download the files was :XXXXX:X-26.98.
78. Newswire Service 2's server logs confirm that its servers
were unlawfully accessed on October 24, 201 0-the date ofthe zip file in
the Turchynov video. Newswire Service 2's logs also confirm that, on
October 24, 2010, the ten files in the Turchynov video were downloaded
via IP address XX:X:XXX-26.98.
79. In October 2010 alone, Turchynov distributed via email more than 400 stolen press releases from Newswire Service 2.
80. Ieremenko also distributed stolen press releases
electronically. For example, on October 10, 2012, Iermenko
electronically sent a link to a press release stolen from
Newswire Service 1 to an unidentified person before the press release
was publicly issued and described how he now had emails for employees at
Newswire Service 1 that would allow him to hack into their host server.
81. As part of the scheme, the trader defendants compensated the
hacker defendants for stealing the press releases from the Newswire
Services. At times, the hacker defendants received a flat fee and, at
other times, a percentage ofthe profits obtained from trading on
the material nonpublic information stolen by the hacker defendants. The
hacker defendants ensured they were receiving the agreed-upon percentage
by monitoring the trader defendants' trading, either through reports
from the traders or direct access to the accounts used to make
unlawful trades.
82. For example, on July 20, 2011, the Dubovoy Group provided the
hacker defendants account information and login credentials to one
ofthe trading accounts in the name ofArkadiy Dubovoy. This allowed the
hacker defendants to monitor the trading in this account to determine
the compensation owed for certain trades.
83. The next day, that account was accessed from IP address
X::X:XX:X:X-18.42-the IP address for a workstation Turchynov used to
access webpages and one ofthe IP addresses the hacker defendants used to
hack the Newswire Services. Over the next six months, that same
IP address accessed Dubovoy's trading account more than 300 times.
84. At times, the hacker defendants used entities for the purpose
of collecting their share ofthe ill-gotten gains from the illicit
trading. For example, upon information and belief, an individual
associated with Turchynov controlled, in whole or in part, an account at
a bank in Estonia. In February and March 2012, the Dubovoy Group
defendants sent $225,000 to that account. The Dubovoy Group defendants
attempted to conceal the illegal payments by sending them from Tanigold
Assets, one ofArkadiy Dubovoy's companies, and mislabeling them
as payments for "technological equipment" and "building equipment."
The Dubovoy Group Communicated With The Hacker Defendants
85. The Dubovoy Group had access to the press releases the hacker defendants stole.
On November 26,2010, Pavel Dubovoy emailed Garkusha a link to theinternet location ofthe
server Turchynov used in the October 24, 2010 internet hacking video-a server located at the IP
address :X:XX::XX::X-26.98-as well as login and password information to the server. Pavel
Dubovoy provided instructions, which informed the reader how to log in to the server and
download files and advised users to conceal the identity ofthe computer they used to access the
server. Garkusha forwarded Pavel Dubovoy's email to an unidentified individual.
86. In addition, as noted earlier, on July 20, 2011, the Dubovoy Group defendants
provided the hacker defendants with access to at least one ofthe brokerage accounts held in the
name ofArkadiy Dubovoy. The next day, a Ukrainian IP address (XX::XXX:X-18.42) began
accessing
that brokerage account. Turchynov used that same IP address to access
webpages, and the hacker defendants used that IP address in multiple
hacking attacks on the Newswire Services. That IP address also accessed a
second brokerage account belonging to Arkadiy Dubovoy.
87. Turchynov used another IP address, XXX:XX-9.101, to hack
Newswire Service 2 from January 15, 2013 to March 2, 2013. That same IP
address was also used to access one of Arkadiy Dubovoy'sbrokerage
accounts in May 2012.
88. In addition, the Dubovoy Group defendants instructed the
hacker defendants about which press releases to target. For example, on
October 12, 2011, via an intermediary, Pavel Dubovoy emailed Turchynov a
list offourteen U.S. issuers whose upcoming earnings releases were to
be disseminated after the U.S. markets closed on October 12, 2011 and
October 13, 2011, and the following week as well.
89. Moreover, although the defendants took extensive measures to
conceal their fraud, those efforts were not always successful. For
example, on December 18, 2013, at approximately 1:21 p.m. ET, Khalupsky
emailed a screen shot of an unpublished press release relating to an
earnings announcement the hacker defendants had stolen from Newswire
Service 1 to his own email account. The unpublished release had been
stolen by the hacker defendants and was not published until hours later,
at 4:04pm ET. To take the picture, Khalupsky used a smartphone
application that does not retain data. However, the picture was
preserved because Khalupsky sent it via email.
Trading By The Dubovoy Group Defendants
90. The Dubovoy Group defendants worked in concert to execute the
fraudulent scheme, using the information stolen by the hacker
defendants to make illicit trades in numerous accounts. They shared
control ofthe accounts involved in the scheme, either through
formal trading authorization or informally via shared logins and
security information which allowed scheme members to pose as one another
and trade online.
91. The Dubovoy Group defendants tried to conceal their fraud by
deceptively spreading their illicit tra
Теги:
Oracle
Hewlett-Packard
Boeing
Caterpillar
Panera Bread
PRNewswire Association LLC
Marketwired
Business Wire
Переглядів:
3762