"Украинских хакеров" в США судят за кражу пресс-релизов

Ринки 12.08.2015    16:30

Выходцы из стран СНГ в очередной раз попали попали в число хакеров, арестованных на Восточном побережье по подозрению в краже корпоративных данных. Сотрудники ФБР выявили девять человек, связанных с зарубежными киберпреступниками. Под арест были взяты пятеро. Аресты были произведены на территории штатов Пенсильвания и Джорджия. Как удалось узнать “Славянскому Сакраменто”, арестован также председатель Объединения славянских церквей ЕХБ (Восточного побережья) Виталий Корчевский. Aмериканские власти уже назвали данную аферу беспрецедентной

Хакеры, предположительно находящиеся на Украине и, возможно, в России, взломали серверы лент раскрытия PRNewswire Association LLC, Marketwired и Business Wire (подразделение Berkshire Hathaway Inc. миллиардера Уоррена Баффета), рассказал источник. Их соучастники, находящиеся в США, использовали полученную информацию в операциях с акциями десятков компаний, включая Boeing, Hewlett-Packard, Caterpillar, Oracle, Panera Bread.

Согласно заявлению Комиссии по ценным бумагам и биржам (SEC), инициировавшей расследование, хакеры занимались противозаконной деятельностью в течение пяти лет. По данным следствия, участники схемы успели заработать более 30 млн долларов. Комиссия по ценным бумагам и биржам заявляет, что в результате преступной схемы, в которой были задействованы 12 человек и 15 компаний, якобы было заработано более ста миллионов долларов. Деньги выводились через эстонские банки.

В обвинительном заключении прокуроры описали ряд крупных покупок акций, совершенных в преддверии квартальных отчетов о доходах. Предполагается, что пресс-релизы подвигли хакеров на совершение выгодных сделок. В документе указаны пять имен предполагаемых хакеров: Иван Турчинов, Аркадий Дубовой, Игорь Дубовой, Павел Дубовой и Александр Еременко. Они обвиняются в мошенничестве с ценными бумагами и кибервзломе.

Как явствует из судебных документов, с февраля 2010 года злоумышленники похитили около 150 тысяч пресс-релизов, содержавших закрытые на тот момент данные о заработках корпораций и планах их слияния или поглощения.

Известно, что Аркадий Дубовой с сыном Игорем в настоящее время живут в Грузии, а Павел Дубовой – на Украине.

“Эта интернациональная схема беспрецедентна и по масштабам компьютерных взломов, и по числу трейдеров, и по количеству ценных бумаг, которыми они торговали, и по объему прибылей”, – цитирует слова главы SЕС Мэри Джо Уайт русская служба BBC.

По данным информированных источников, в число пяти арестованных входит выходец из СНГ Виталий Корчевский, возглавляющий небольшой инвестиционный фонд NTS Capital. 50-летний Корчевский подозревается в организации всей преступной схемы. Он был арестован ФБР во вторник утром в своем доме неподалеку от Филадельфии (Пенсильвания).  Ему предъявили обвинение по пяти пунктам, включая сговор с целью получения ценных бумаг и отмывание денег.

Как удалось узнать “Славянскому Сакраменто” Виталий Корчевский родился 27 мая 1965 года в г. Джамбуле, Казахстан, затем проживал в Киргизии, Грузии, Харькове. В 1989 г. переехал на постоянное место жительства в США.

Сообщается, что пастор учился в частном университете Regent University, принадлежащем скандально известному телеевангелисту Пэту Робертсону. С 1998 г. являлся заместителем председателя Русско-Украинского Союза Евангельских христиан-баптистов (ЕХБ) США. С 2000 г. занимал пост председателя Объединения славянских церквей ЕХБ США, а также является пастором славянской церкви Brookhaven Slavic Evangelical Baptist Church в г. Филадельфия (штат Пенсильвания).

На ютубе можно найти лекции по управлению финансами, которые вел подозреваемый для русскоязычных семей в Америке. Раннее он являлся президентом Русско-Украинского Союза ЕХБ (с центром в Ашфорде, штат Коннектикут).

Согласно обвинению, Корчевский описывается как один из главных заговорщиков, занимавшийся разработкой рыночной стратегии; ранее он работал с Уолл-Стрит. Затем организовал свой собственный хедж-фонд, который не сделал ни одного вложения с момента организации четыре года назад. Ввиду того, что священник регулярно передвигался по миру (с 2010 г. он сделал 42 поездки за рубеж) и мог сбежать, прокуратура настаивала на тюремном заключении, все же подозреваемый освобожден судом Пенсильвании под залог в $100 000. Пока пастор не нанимал адвоката и вышел из здания суда, оставив прессу без комментариев.

Следующее заседания суда состоится в эту пятницу, затем дело перейдет в суд Нью-Йoрка.

Жена Корчевского описывает супруга как скромного пастора, путешествующего по миру, осуществляя миссию своей церкви. Однако, согласно информации суда, Корчевский представляет из себя “смесь криминала и христианства”, пишет Philly.com.

Несмотря на то, что в социальных сетях он заявлял о своей сертифицированности финансового аналитика, его компания была задействована в сферах на $17 млн с участием мошеннических денег. Как указывает издание, Корчевский занимался этим с 2010 г. до мая этого года.

Например, в 2011 г. Корчевский, благодаря украденному хакерами релизу приобрел 1 100 акций биотехнической компании Dendreon, базирующейся в Сиэтле. Позже эти акции были проданы за $2.3 млн.

По данным SEC, Турчинов и Еременко завели секретный сервер для переправки похищенных пресс-релизов трейдерам в России, на Украине, Кипре и Мальте, во Франции и в трех штатах Америки – Джорджии, Нью-Йорке и Пенсильвании.

В считанные часы или даже минуты до публикации ворованных пресс-релизов эти трейдеры использовали почерпнутую из них инсайдерскую информацию для операций с ценными бумагами и потом отчисляли хакерам условленную долю прибыли.

Следователи приводят такой яркий пример. 1 мая 2013 года хакеры и связанные с ними трейдеры в течение 36 минут, прошедших с поступления в пиар-компанию пресс-релиза о сокращении заработка одной корпорации и до предания его гласности, успели сыграть ее акциями на понижение и заработали 511 тыс. долларов.

Комиссия по ценным бумагам обвиняет всех 32 ответчиков в мошенничестве и просит суд взыскать с них штрафы и полную сумму нечестно нажитой прибыли.

В 57-страничном обвинительном документе, обнародованном в Нью-Джерси, приводится другой пример выгодного использования похищенного пресс-релиза.

В начале 2012 года корпорация Caterpillar прислала в пиар-компанию PRNewswire пресс-релиз, из которого явствовало, что в предыдущем году ее прибыли выросли на 36%.

Эта информация, которая хранилась на сервере пиар-компании менее суток и потом была опубликована, была похищена хакерами и переправлена трейдерам. Они молниеносно приобрели акции и опционы Caterpillar на 8,3 млн долларов.

После оглашения пресс-релиза акции корпорации подскочили в цене на 2%. Мошенники заработали на этой операции около миллиона.

Стратегия незаконной добычи и использования инсайдерской информации была настолько успешна, что вскоре злоумышленникам пришлось нанимать все больше хакеров из СНГ.

На момент ареста пастор владел высоколиквидными активами на сумму в $5 млн. На полученные деньги он приобретал жилую недвижимость в Глен Миллз, Мидии, Верхнем и Западном Чичестере, а также в торговом районе Малверн.

После известия о случившемся, компании Business Wire из Сан-Франциско даже пришлось нанимать экспертов по кибер-безопасности, чтобы те проверили надежность системы.

В числе арестованных также названы Владислав Халупский, Леонид Момоток и Александр Гаркуша.

Как отмечает Bloomberg, это первый случай, когда в США вскрыты инсайдерские операции с непосредственным участием хакеров и нарушениями кибербезопасности. Это демонстрирует уязвимость финансовых рынков в цифровой век. Кроме того, эта технология своего рода “великий уравнитель”: на Уолл-стрит, похоже, больше не нужны особые связи, чтобы получить инсайдерскую информацию, комментирует деловое издание. Оно напоминает, что в последнее время от хакеров крупно пострадали такие корпорации, как Sony Pictures, торговая сеть Target, банк JPMorgan и другие.

ФБР и прокуратура Нью-Йорка начали расследование по наводке Комиссии по ценным бумагам и биржам (SEC) США, обратившей внимание на подозрительные торговые операции некоторых обвиняемых. Позднее Секретная служба США и прокуратура Нью-Джерси начали собственное расследование, предметом которого стала уже деятельность иностранных хакеров, а не американских инвесторов.

По данным источников, расследование началось более двух лет назад, оно раскрывает пятилетнюю преступную схему, действовавшую вплоть до последнего времени

Plaintiff Securities and Exchange Commission (the "Commission"), One Penn Center, 1617 JFK Boulevard, Suite 520, Philadelphia, Pennsylvania 19103, alleges as follows against the following defendants, whose names and last known addresses are set forth below:

a. Arkadiy Dubovoy
3374 Cedar Farms Ct.
Alpharetta, GA 30004

b. Igor Dubovoy
6240 Crested Moss Dr.
Alpharetta, GA 30004

c. Pavel Dubovoy
33 7 4 Cedar Farms Ct.
Alpharetta, GA 30004

d. David Amaryan
Akademichaskaya B. Street, House 15, 1, 255
Moscow, Russia 125130

e. Nelia Dubova
UL Marseljskaya 32/2-1
Odessa, Ukraine

f. Alexander Fedoseev
Holzunova 40 G
Voronezh, Russia 394068

g. Aleksandr Garkusha
4090 Asheville Manor Court
Cumming, GA 30040

h. Oleksander Ieremenko (a.k.a. Aleksander Eremenko)
[Street address unknown]
Kiev, Ukraine

i. Vladislav Khalupsky
2 Armeyskaya Street
Apt. 23
Odessa, Ukraine

J. Vitaly Korchevsky

1709 Slitting Mill Road

Glenn Mills, P A 19342

 

k. Roman Lavlinskiy
Svobody, 10-26 Voronezh
Voronezhskaiy, Russia

l. Oleksandr Makarov
Saksahanskoho 92, 18
Kiev, Ukraine

m. Leonid Momotok
1610 Pepperbush Court
Suwannee, GA 20024

n. Nikolai (Nikolay) Slepenkov
4, Sevanskaya Street,
Apt. 420
Moscow, Russia

o. Andriy Supranonok
7b L. Ukrainky Boulevard, Apt. 51
Kiev, Ukraine, 01001

p. Ivan Turchynov
[Street address unknown]
Kiev, Ukraine

q. Maxim Zakharchenko
Bering Capital Partners Ltd
4th Floor
15 Pozharbky Pereulok
Moscow, Russia 119034

r. APD Developers, LLC
6495 Shiloh Road, Suite 400
Alpharetta, GA 300Q5

s. Beratto Group Ltd.
Geneva place, Waterfront Drive
Roadtown, Tortola BVI

t. Bering Explorer Fund Ltd.
4th Floor

15 Pozharbky Pereulok

Moscow, Russia 119034

 

u. Concorde Bermuda Ltd.
2 Mechnykova Str.
Kiev, Ukraine 0160 1

v. Escada Logistics Ltd.
4, Sevanskaya Street, APT. 420
Moscow, Russia 115516

w. Exante Ltd.
Portomaso Business Tower, Level 7
St. Julians, Malta

x. Global Hedge Capital Group
Bolshoy Savvisky 11
Moscow, Russia 119435

y. Guibor S.A .
.2 Rue Alfred de Vigny
Paris, France 75008

z. Intertrade Pacific S.A.
Akademichaskaya B. Street, House 15, 1, 255
Moscow, Russia 125130

aa. Jaspen Capital Partners Limited
Schorsa, 32G, 1st floor
Kiev, Ukraine, 01001

bb. NTS Capital Fund
1709 Slitting Mill Road
Glenn Mills, PA 19342

cc. Memelland Investments Ltd.
2, Christaki kai Elpinikis Kinni
Flat 8, Summer Gardens, Limassol
4046, Cyprus

dd. Ocean Prime Inc.
16 Sadovnicheskaya St.
Moscow, Russia 115035
ee. Omega 26 Investments Ltd.

2 Rue Alfred de Vigny

Paris, France 75008

ff. Southeastern Holding and Investment Company LLC

3421 Preston Pointe Way

Cumming, GA 30041

SUMMARY
1. Defendants perpetrated an international fraudulent scheme by hacking the computer servers of at least two newswire services and stealing, through deception, confidential earnings information for numerous publicly-traded companies from press releases that had not yet been released to the public. Defendants then used that stolen material nonpublic information to trade securities and reap over $1 00 million in unlawful profits.
2. Over an approximately five-year period, defendants Ivan Turchynov and Oleksander Ieremenko-computer hackers residing in the Ukraine (the "hacker defendants")­ hacked into certain U.S. newswire services and, through deception, stole more than 100,000 press releases for publicly-traded companies before they were issued to the public. Many ofthe stolen press releases contained information about quarterly and annual earnings data for these companies.
3. The hacker defendants worked in concert with a network of traders, located in the United States and abroad, who paid the hacker defendants for the stolen information, either through a flat fee or a percentage ofthe illicit profits gained from the illegal trading on the information.
4. The hacker defendants oscillated primarily between two newswire services, focusing on obtaining the press releases from one or the other depending on the hacker defendants' access to the newswire services' computer networks.
5. The hacker defendants stole the press releases and passed them to the trader defendants in the window oftime between when the press releases were uploaded to the newswire service's system and when the press releases were publicly issued. As a result, the trader defendants had an unfair trading advantage over other market participants because they knew the content ofthe press releases before that information was publicly announced.
6. The defendant traders capitalized on this advantage by initiating trades before the press releases were issued to the public. The defendant traders bought or sold securities depending on their anticipation of how the market would respond to the information in the stolen press releases.
7. The traders used deceptive means to conceal their access the stolen releases and make payments to the hackers. The traders also concealed their trading activities through use of multiple accounts and entities.
8. Then, after the press release was publicly issued, and the price ofthe securities changed as the market learned the previously undisclosed information, the defendant traders reaped enormous profits.
9. Collectively, the trader defendants used this stolen information to realize over $1 00 million in illicit gains.
10. On information and belief, at least some ofthe defendants have continued to pursue this scheme at one or more newswire services. As recently as May 2015, some ofthe defendants traded in front ofpress releases issued from a third newswire service that had been hacked.
11. By knowingly or recklessly engaging in the conduct described in this Complaint, defendants violated, and unless enjoined, will continue to violate the securities laws.

 

JURISDICTION AND VENUE

12. The Commission brings this action pursuant to Section 20(b) of the Securities Act [15 U.S.C. §§ 77t(b) and 15 U.S.C. § 77t(e)] and Sections 21(d) and 21A ofthe Exchange Act [15 U.S.C. §§ 78u(d) and 78u-l] to enjoin such transactions, acts, practices, and courses of business, and to obtain disgorgement, prejudgment interest, civil money penalties, and such other and further relief as the Court may deem just and appropriate.
13. This Court has jurisdiction over this action pursuant to Sections 20(b) and 22(a) ofthe Securities Act [15 U.S.C. §§ 77t(b) and 77v(a)] and Sections 21(d), 21(e), 21A and 27 of the Exchange Act [15 U.S.C. §§ 78u(d), 78u(e), 78u-1 and 78aa].
14. Venue in this District is proper pursuant to Section 22(a) ofthe Securities Act [15 U.S.C. § 77v(a)] and Section 27 ofthe Exchange Act [15 U.S.C. § 78aa]. Certainofthe transactions, acts, practices, and courses ofbusiness constituting the violations alleged herein occurred within the District ofNew Jersey and elsewhere, and were effected, directly or indirectly, by making use of the means or instruments or instrumentalities oftransportation or communication in interstate commerce, or ofthe mails, or the facilities of a national securities exchange. For example, during the relevant time period, Newswire Service 2's computer servers, which were hacked in connection with the scheme, were located in Jersey City, New Jersey and Piscataway, New Jersey. In addition, securities transactions related to this matter were executed on NASDAQ servers in Carteret, New Jersey and by broker dealers in Jersey City, New Jersey.

DEFENDANTS
I. The Hacker Defendants

15. Oleksandr Ieremenko, a.k.a. Aleksander Eremenko, ("Ieremenko") is 23 years old and resides in Kiev, Ukraine.
16. Ivan Turchynov ("Turchynov") is 27 years old and resides in Kiev, Ukraine.
17. The hacker defendants perpetrated the scheme from multiple IP addresses, including but not limited to: XX:XXXX:-18.42; X:XXX:X-9.101; XX:XXXX:-136.6; and XX:XXXX:-26.98.
18. To conceal their true identities, the hacker defendants used multiple email accounts and online "handles" in carrying out and communicating about the scheme. To the extent referenced in the complaint, other documents filed with the Court, or exhibits, these unique handles and aliases will be redacted. They will be replaced with the hacker defendant's name followed by "Alias" (i.e., "Ieremenko Alias").

II. The Trader Defendants
A. The Dubovoy Group Defendants
19. The Dubovoy Group defendants are a close-knit group of traders, consisting primarily of family, friends, and business associates ofArkadiy Dubovoy. Collectively, the Dubovoy Group defendants realized over $31 million in illicit gains from the scheme.

20. As part of this scheme, the Dubovoy Group defendants opened trading accounts in their names, names of companies they owned, and in the names of at least four oftheir associates ("Straw Owners").
a. Straw Owner 1 is the manager ofUkrainian ice cream company owned by Arkadiy Dubovoy, who had straw ownership for accounts at Interactive Brokers ending in *4463, Cimbanque ending in *COli, and Tradestation ending in *7799.
b. Straw Owner 2 is the brother of defendant Leonid Momotok, and had straw ownership for accounts at E*Trade ending in *0592, TD America ending in *2779, Charles Schwab ending in *3160.
c. Straw Owner 3 is the manager of the Ukrainian branch of one of Arkadiy Dubovoy's companies, R.J. Construction, and had straw ownership for Interactive Brokers account ending in *8348.
d. Straw Owner 4 is another manager ofthe Ukranian branch of RJ Construction, and had straw ownership oflnteractive Brokers account ending in *8944, Charles Schwab account ending in *0875, and Bank ofAmerica account ending in *9456.

21. Arkadiy Dubovoy ("Arkadiy Dubovoy") is 50 years old and resides in Alpharetta, Georgia. He is the owner or partial owner of several limited liability corporations ostensibly involved in the construction business, including defendants APD Developers LLC and Southeastern Holding and Investment Company LLC. He also owns Boni Inc. which is purportedly in the brokerage services business. The following brokerage accounts, opened in the name ofArkadiy Dubovoy or in the name of entities he owns, were involved in the scheme and trading in those accounts generated over $11 million in ill-gotten gains: Options House account ending in *8957; Trade King account ending in *8312; Charles Schwab accounts ending in *0365 and *8834; E*Trade account ending in *6987; Fidelity account ending in *6216; Merrill Lynch account ending in *9078; Scottrade account ending in *0584; TD Ameritrade accounts ending in *7954 and *4751.

22. Igor Dubovoy ("Igor Dubovoy") is 28 years old and is Arkadiy Dubovoy's son. He resides in Alpharetta, Georgia. He owns Dawson & Dawson ("Dawson") and M& I Advising Inc. ("M&I Advising"), and assists Arkadiy Dubovoy in operating Boni Inc., an entity used to transfer funds between brokerage accounts. Accounts in the name of M&I Advising (TD Arneritrade account ending *7757) and Dawson (TD Ameritrade account ending *3311) were involved in the scheme. Approximately $250,000 in illicit gains were generated in these accounts. Igor Dubovoy also had trading authority on and/or managed several of Arkadiy ' Dubovoy's brokerage accounts involved in the scheme, including: TD Arneritrade accounts ending in *4751 and *7954, and Charles Schwab account ending*0365. Igor Dubovoy gave Power ofAttorney to Leonid Momotok to trade in the accounts with respect to which Igor Dubovoy was associated.

23. Pavel Dubovoy ("Pavel Dubovoy") is 32 year old and resides in Kiev, Ukraine and Alpharetta, Georgia. He shares a credit card account with Arkadiy Dubovoy. During the scheme, Pavel Dubovoy told other Dubovoy Group defendants, including Aleksandr Garkusha, how to access the press releases the hacker defendants stole. He also directed payments to Turchynov using a Dubovoy entity and confirmed those payments with Arkadiy Dubovoy. Using one or more intermediaries, Pavel Dubovoy also communicated with the hacker defendants and, in at least one instance, told them which press releases to unlawfully acquire.

24. Nelia Dubova ("Dubova") is 38 years old and resides in Odessa, Ukraine. She owned a brokerage account used in the scheme (APX account ending in *4899) and she was the signatory officer for another account involved in the scheme in the name of defendant Beratto Group (APX account ending in *5038). Khalupsky and Igor Dubovoy possessed the login and password information for the Beratto APX *5038 account. The Dubovoy Group defendants used these two accounts to make illicit trades resulting in approximately $1 million in ill-gotten gains.

25. Aleksandr Garkusha ("Garkusha") is 47 years old and resides in Cumming, Georgia. He is the executive vice president of defendant APD Developers, which is owned by Arkadiy Dubovoy. He also manages the trading operations ofTanigold Assets, an entity which was used by Pavel Dubovoy to make payments to Turchynov. In addition, Garkusha was the former principal at Verum Capital Group LLC which was located at the same address as APD Developers in Georgia.

26. Vladislav Khalupsky ("Khalupsky") is 44 years old and resides in Brooklyn, New York, and Odessa, Ukraine. Khalupsky worked in the securities industry as a registered representative until June 2011. Along with Igor Dubovoy, Korchevsky, and Garkusha, Khalupsky helped the Dubovoy Group set up off-shore accounts. He assisted Arkadiy and Igor Dubovoy in wiring money. He directed the configuration of one Arkadiy Dubovoy's brokerage accounts involved in the illegal scheme (Merrill Lynch account ending *9078) (an account he referred to in a conversation with Arkadiy Dubovoy as "our account") and helped to direct the Dubovoy' s trading in other accounts. He made or directed illicit trades in those accounts in connection with the scheme alleged in this Complaint.

27. Vitaly Korchevsky ("Korchevsky") is 49 years old and resides in Glen Mills, Pennsylvania. Korchevsky was a registered investment adviser who previously established and managed hedge funds. He has partnered with Arkadiy Dubovoy in various enterprises, including hedge funds. Korchevsky coordinated his illegal trading with Arkadiy Dubovoy and other members ofthe Dubovoy Group and used the following brokerage accounts to make unlawful trades: E*Trade account ending 6623; Fidelity account ending *4716; and TD Ameritrade accounts ending *2449 and *1014. Along with his wife, Korchevsky owns defendant NTS Capital Fund L.P., which also traded in connection with this scheme. Korchevsky made more than 600 unlawful trades as part ofthe scheme, realizing approximately $17.5 million in illgotten gains.

28. Leonid Momotok ("Momotok") is 47 years old and resides in Cumming, Georgia. He owns a one-percent interest in two ofArkadiy Dubovoy's companies, RJ General Maintenance LLC and defendant Southeastern Holding and Investment Company LLC. Momotok is also the managing member of defendant Southeastern Holding. Momotok had a comprehensive role in the scheme described in this Complaint. He advised Arkadiy Dubovoy how to trade using the stolen information, and he had formal trading authority for brokerage accounts used in the scheme but held in the name of other members ofthe Dubovoy Group, including: Arkadiy Dubovoy's Scottrade account ending *0584; Southeastern Holding's Scottrade account ending *5408, Charles Schwab account ending *3154, and TD America account ending *6350. Momotok also used accounts held by Igor Dubovoy and Straw Owners 1, 2, 3, and 4 to trade in this scheme.

29. APD Developers, LLC ("APD") purports to be a construction business based in Atlanta, Georgia. Arkadiy Dubovoy owns APD and opened brokerage accounts in the name of APD that were used tin the fraudulent scheme, including TD Ameritrade accounts ending *4751 and *7954 and Charles Schwab account ending *0365.

30. Beratto Group LLC ("Beratto") purports to be a real estate and investment company based in the British Virgin Islands. Beratto owned an APX account ending *5038. Dubova, Khalupsky and Igor Dubovoy had access to this account and it was used to make illicit trades in connection with the fraudulent scheme.

31. NTS Capital Fund L.P. ("NTS") purports to be a hedge fund based in Glen Mills, Pennsylvania, owned by Korchevsky and his wife. NTS has a brokerage account at Jeffries/JP Morgan ending in *0336. Unlawful trades were made in this account resulting in approximately $3.2 million in ill-gotten gains.

32. Southeastern Holding and Investment Company LLC ("Southeastern") is a Georgia limited liability corporation with its principal place of business in Cumming, Georgia. Its managing members are Arkadiy Dubovoy and Momotok. Southeastern had the following brokerage accounts, Charles Schwab account ending *3154, and TD Ameritrade account ending *6350. Illicit trades were made in these accounts as part ofthe scheme resulting in approximately $165,000 in ill-gotten gains.

B. The Foreign Trader Defendants

33. David Amaryan ("Amaryan") is 35 years old and resides in Moscow, Russian Federation. He is the CEO ofdefendant Ocean Prime Inc. ("Ocean Prime") and the sole director of defendant Intertrade Pacific S.A., ("Intertrade"). Ocean Prime and Intertrade purport to be proprietary trading funds. Amaryan opened accounts for Ocean Prime (Interactive Brokers account ending *9827) and Intertrade (Interactive Brokers account ending *8284). Illicit trades based on stolen press releases were made in the Ocean Prime and Intertrade accounts resulting in approximately $3.7 million in ill-gotten gains. As described below, Amaryan and defendant Nikolai Slepenkov, who owns defendant Escada Logistics, often made illicit trades in the same securities, on the £arne days and around the same time and, frequently, via the same IP addresses.

34. Ocean Prime Inc. ("Ocean Prime") purports to be a proprietary trading fund established in the British Virgin Islands with its principal place of business in Moscow, Russian Federation.

35. Intertrade Pacific S.A. ("Intertrade") purports to be a proprietary trading fund established in the British Virgin Islands with its principal place of business in Moscow, Russian Federation. Amaryan is the owner and sole director of the fund. Intertrade's address is the same as Amaryan's home address in Moscow.

36. Nikolai Slepenkov ("Siepenkov") is 46 years old and resides in Moscow, Russian Federation. He is the CEO and owner of defendant Escada Logistics Ltd., which purports to be a proprietary trading fund. He has an account at Interactive Brokers ending *6218. In connection with the fraudulent scheme, he executed illicit trades in that account resulting in approximately $1.25 million in ill-gotten gains, often in the same securities, on the same days, close to the same times and frequently via the same IP addresses as Ocean Prime, Intertrade and Escada.

37. Escada Logistics Ltd. ("Escada") purports to be a proprietary trading fund established in the British Virgin Islands with its principal place of business in Moscow, Russian Federation. Slepenkov runs Escada out ofhis apartment in Moscow and opened an account in the name ofEscada at Interactive Brokers (ending *2806), which he used to execute unlawful trades resulting in approximately $850,000 in ill-gotten gains.

38. Alexander Fedoseev ("Fedoseev") is 29 years old and resides in Voronezh, Russian Federation, the same town as defendant Roman Lavlinskiy. Fedoseev owns Interactive Brokers account ending *4148, which he used to make unlawful trades in that account resulting in approximately $700,000 in ill-gotten gains. In the brokerage accounts they controlled, Fedoseev and Lavlinskiy often traded based on stolen press releases in the same securities, on the same days, close to the same times and frequently via the same IP addresses.

39. Roman Lavlinskiy ("Lavlinskiy") is 29 years old and resides in Voronezh, Russian Federation. Lavlinskiy owns or owned Interactive Brokers account ending *7182 and TD Ameritrade accounts ending *3933 and *9065, which he used in connection with the fraudulent scheme to make unlawful trades resulting in over $400,000 in ill-gotten gains. Lavlinskiy's illicit trades were often made in the same securities, on the same days, close to the same times and frequently via the same IP addresses as Fedoseev.

40. Oleksandr Makarov ("Makarov") is 32 years old and resides in Kiev, Ukraine. Previously, he worked in the financial services industry for various investment companies, including Phoenix Capital. He has a brokerage account at Interactive Brokers ending *4548 and a sub-account ending *4548F. In connection with the fraudulent scheme, Makarov executed illicit trades in his account resulting in approximately $80,000 in ill-gotten gains. His illicit trades were often made in the same securities, on the same days and close to the same times, and ofte_n through the same IP addresses as Defendant Concorde Bermuda Ltd.

41. Concorde Bermuda Ltd. ("Concorde") purports to be a hedge fund established in Bermuda with its principal place of business in Kiev, Ukraine. Concorde has proprietary trading accounts at Interactive Brokers ending *4237, *1358, and *2720, which were used in connection with the fraudulent scheme, resulting in approximately $3.6 million in ill-gotten gains. Those trades were often made in the same securities, on the same days and close to the same times, and often through the same IP addresses as defendant Makarov. In addition, Concorde transferred money to defendant Jaspen Capital Partners.

42. Exante Ltd. ("Exante") purports to be a Malta-based hedge fund. Exante holds proprietary trading accounts at Interactive Brokers (ending *2751) and at Lek Securities, which were used in connection with the fraudulent scheme to make trades resulting in approximately $24.5 million in ill-gotten gains. Several ofExante's directors are also owners of defendant Global Hedge Capital Fund Ltd., and the two entities share employees. Exante and Global Hedge frequently made illicit trades in the same securities, on the same days and around the same time, and often through the same IP addresses.

43. Global Hedge Capital Fund Ltd. ("Global Hedge") purports to be a Cayman Islands-based hedge fund with its principal place of business in Moscow, Russian Federation. Several ofits owners are directors ofExante and the two entities share employees. Global Hedge has a proprietary trading account at Interactive Brokers ending *4444. In connection with the fraudulent scheme, Global Hedge executed unlawful trades in that account resulting in over $3.8 million in ill-gotten gains, often in the same securities, on the same days and close to the same times, and often through the same IP addresses as Exante.

44. Memelland Investments Ltd. ("Memelland") purports to be a hedge fund established in the British Virgin Islands with its principal place of business in Limassol, Cyprus. Meinelland has a trading account at Interactive Brokers ending *2799, which was used in connection with the fraudulent scheme to make illicit trades, realizing profits of approximately $375,000.

45. Guibor S.A. ("Guibor") purports to be a proprietary trading fund established in France with its principal place of business in Paris, France. It shares a business address and an owner with defendant Omega 26 Investments Ltd. Guibor has a proprietary trading account at Interactive Brokers ending *2450, which was used in connection with the fraudulent scheme to execute trades resulting in $3.5 million in ill-gotten gains. Guibor and Omega 26 frequently traded in the same securities, on the same days and close to the same times, and often through the same IP addresses.

46. Omega 26 Investments Ltd. ("Omega 26") purports to be a proprietary trading :fimd established in Samoa with its principal place of business in Paris, France. Omega 26 has proprietary trading accounts at Interactive brokers ending *2898 which it used in connection with the fraudulent scheme to execute trades resulting in approximately $2.1 million in ill-gotten gains. In addition, Omega 26 also had a proprietary trading account at Cantor Fitzgerald ending *055, which, on information and belief, it used to make unlawful trades in connection with the scheme resulting in approximately another $1 million in ill-gotten gains.

47. Bering Explorer Fund Ltd. ("Bering") purports to be a Bahamian company with its principal place of business in Moscow, Russian Federation. Bering had accounts at Cantor Fitzgerald Europe ending *966 and *969, which were used in connection with the fraudulent scheme to make trades resulting in over $6.6 million in ill-gotten gains.

48. Maxim Zakharchenko ("Zakharchenko") resides in the Russian Federation. He is one oftwo Bering directors, and had trading authority in Bering's brokerage accounts at Cantor Fitzgerald Europe. On information and belief, Zakharchenko directed Bering's illicit trades.

49. Andriy Supranonok ("Supranonok") is 33 years old and resides in Kiev, Ukraine. He is the CEO and owns 30% of defendant Jaspen Capital Partners' shares. Supranonok has an account at GFT UK Global Markets Limited ending *1765 and is an authorized trader in certain ofJaspen's brokerage accounts. Previously, Supranonok was employed as head of sales and trading at Kiev-based Phoenix Capital, where Makarov was also employed.

50. Jaspen Capital Partners ("Jaspen") purports to be a Bermudian company based in Kiev, Ukraine. Jaspen also purports to be a full service investment bank that provides advisory services including asset management and sales and trading. Jaspen had the following proprietary trading accounts:

Interactive Brokers accounts ending *2712 and *6768;

R.J. O'Brien account ending*0006;

and AJK, Inc. accounts ending *0397, *5787, *5796, and *0765;
ADM Investor Services International Limited ending *CM07, *CM08, and *CM21 (based in London, England);

Cantor Fitzgerald Europe ending *011, *994 (based in London, England);

 and Saxo Bank A/S ending *INET and *NET2 (based in Hellerup, Denmark). In connection with the fraudulent scheme, illicit trades were placed in some of Jaspen's accounts and Supranonok's account resulting in nearly $25 million in ill-gotten gains.

 

HACKED NEWSWIRE SERVICES
51. Newswire Service 1 is a newswire service based in Toronto, Canada. It provides end-to-end content, news production, and distribution services to its clients, including many issuers in the United States.

52. Newswire Service 2 is a newswire service with headquarters in New York, New York. It provides end-to-end content, news production, and distribution services to its clients, including many issuers in the United States. Throughout the relevant time period, Newswire Service 2's computer servers were located in Jersey City, New Jersey and Piscataway, New Jersey. Collectively, Newswire Service 1 and Newswire Service 2 are referred to herein as the "Newswire Services."

53. Newswire Service 3 is a newswire service with its headquarters in New York and California. On information and belief, from at least December 2014 through May 2015, at least some ofthe defendants perpetrated the same scheme against Newswire Service 3, and may have targeted other newswire services as well.

TERMS USED IN THIS COMPLAINT

Options

54. A stock option, commonly referred to as an "option," gives its purchaser-holder the option to buy or sell shares of an underlying stock at a specified price (the "strike" price) prior to the expiration date. Options are generally sold in "contracts," which give the option holder the opportunity to buy or sell 100 shares of an underlying stock.

55. A "call" option gives the purchaser-holder ofthe.option the right, but not the obligation, to purchase a specified amount of an underlying security at a specified strike price within a specific time period. Generally, the buyer of a call option anticipates that the price of the underlying security will increase during a specified amount oftime.

56. A "put" option gives the holder ofthe option the right, but not the obligation, to sell a specified amount of an underlying security at a specified strike price within a specific time period. Generally, the buyer of a put option anticipates that the price ofthe underlying security will decrease during a specified amount oftime.

Short-Selling

57. Short-selling is the sale of a security not owned by the seller and is a technique used to take advantage of an anticipated decline in price. An investor borrows stock for delivery at the time ofthe short sale. If the seller can buy that stock later at a lower price, a profit results; if, however, the price rises, a loss results.

Contracts for Differences

58. A contract for difference ("CFD") is a stock derivative that is an agreement between two parties to exchange the difference in value of an underlying stock between the time the contract is opened and the time at which it is closed. Ifthe share price increases for the underlying security, the seller pays this difference to the buyer. If, however, the underlying share price declines, the buyer must pay the seller the difference.

59. A CFD typically mirrors the movement and pricing of its underlying stock on a dollar-for-dollar basis, such that any fluctuation in the market price ofthe underlying security is reflected in the unrealized gain or loss of the CFD position.

60. Generally, the investor in a CFD position benefits by acquiring the future price movement ofthe underlying common stock without having to pay for or take formal ownership ofthe underlying shares.

61. Generally, the investor in a CFD is not required to pay for the underlying shares ofthe security. Instead the CFD investor only pays the transaction fees charged by the CFD provider. Thus, a CFD, like a stock option, allows an investor to recognize significant value from an underlying equity's price movement without having to pay for the underlying shares. 

Margin

62. "Buying on Margin" is the practice of borrowing money to purchase securities.

63. Buying with borrowed money can be extremely risky because both gains and losses are amplified. That is, while the potential for greater profit exits, there is a corresponding potential for greater losses. Buying on margin also subjects a trader to additional costs such as the interest payment for use of the borrowed money. 

IP Address

64. An "internet protocol address" ("IP address") is a unique number required for online activity conducted by a computer or other device connected to the internet. In simple terms, it is like a return address on a letter.

 

FACTS

The Newswire Services Are Repositories For Material Nonpublic Information

65. The Newswire Services edited and released press releases for publicly-traded companies (also known as "issuers") in the United States. Often these press releases contained quarterly earnings data and other important financial information for a given issuer. Until the Newswire Services released the press release to the general public, the sensitive financial information in the press releases constituted material non-public information.

66. To facilitate the process of disseminating quarterly earnings information to the public, issuers routinely provided draft press releases to the Newswire Services. The Newswire Services then edited, prepared, and stored electronically the press release for public dissemination.

67. In providing these services, the Newswire Services become repositories for material non-public information from their issuer-clients. From 2010 through early 2014, the Newswire Services issued more than one million press releases on behalf oftheir clients. Many ofthese releases related to issuer earnings announcements. The publication of quarterly earnings information often has a significant positive or negative short-term effect on a given issuer's share price.
68. For each press release, there is a window oftime between when the issuer provides a draft press release to the Newswire Service and when the Newswire Service publishes the release (the "window"). This window varied between a number ofminutes and a number of days.

The Hacker Defendants Fraudulently Accessed Unpublished Press Releases From Newswire Service 1 and Newswire Service 2

69. Defendants took advantage ofthe window by hacking into the Newswire Services' computer systems, accessing the press releases prior to their publication, and then trading on the material, non-public information contained in the releases before the information was published to the investing public. After the press release was publicly issued, defendants then closed the trading position they had opened during the window oftime between the upload of the press release and its public dissemination.

70. From 2010 until2014, the hacker defendants electronically intruded ("hacked"), without authorization, into the Newswire Services' computer systems and stole over 100,000 press releases before they were publicly issued.

71. The hacker defendants used deceptive means to gain unauthorized access to the Newswire Services' computer systems, using tactics such as: (a) employing stolen username/password information of authorized users to pose as authorized users; (b) deploying malicious computer code designed to delete evidence ofthe computer attacks; (c) concealing the identity and location ofthe computers used to access the Newswire Services' computers; and (d) using back-door access-modules.

 

 

72. The hacker defendants' theft of un-published press releases oscillated between the two Newswire Services depending on their ability to gain access to the Newswire Services' servers. The following chart indicates the time periods during which the hacker defendants were focusing on the different Newswire Services:

Date Range N ewswire Service 1 Newswire Service 2
February 2010 to July 2010 Hackers had access to network and press releases. Limited access to the network.
July 2010 to January 2011 Hackers had access to network ?nd press releases. Hackers had access to network and press releases
January 2011 to July 2011 Hackers had access to network and press releases. Change in N ewswire Service 2's computer system blocked access.
July 2011 to March 2012 Hackers had access to network and press releases. Hackers had access to network and press releases.
March 2012 to January 2013 Hackers had access to network and press releases. Change in Newswire Service 2's computer system blocked access.
January 2013 to March 2013 Hackers had access to network and press releases. Hackers had access to network and press releases.
March 2013 to November 2013 Hackers had access to network and press releases. Change in Newswire Service 2's computer system blocked access.
November 2013 to Present Change in Newswire Service 1's computer system blocked access. Continued attempts by hackers to access the network

Continued attempts by hackers to access the network

73. The Trader Defendants' trading activity mirrored the access and focus ofthe hacker defendants. When the hacker defendants stole press releases from Newswire Service 1, the trader defendants traded in the securities ofthe issuers whose press releases were stolen from Newswire Service 1. When the hacker defendants stole press releases from Newswire Service 2, the trader defendants traded in the securities ofissuers whose press releases were stolen from Newswire Service 2.

The Stolen Press Releases Gave The Defendants An Illegal Trading Advantage

74. Throughout this scheme, the hacking defendants stole more than 100,000 press releases before they were publicly issued. Many of the stolen press releases included corporate earnings results and, often, forecasted future earnings.

75. It is common for financial analysis firms to estimate or predict a given issuer's quarterly or annual earnings. The "market" reaches a consensus expectation based on these different predictions. When an issuer releases its earnings, the share price for that issuer generally increases if its earnings exceed the market consensus and generally decreases if its earnings fall short ofthe consensus prediction. Accordingly, the stolen press releases contained material information that a trader could use to place securities trades and reap illicit profits.
The Hacker Defendants Distributed The Stolen Information

To Traders In Exchange For A Percentage OfTheir Profits Or A Flat Fee

76. The hacker defendants joined with the trading defendants to profit on the material nonpublic information they stole through their deceptive hacks on the Newswire Services. The hackers distributed video evidence oftheir ability to steal information from the Newswire Services. On October 25,2010, Turchynov attached a video file to an outgoing email message.
This video shows a computer screen listing more than 300 files, many containing the term "release" in the file name. A text window then pops up with a message in Russian, explaining that what appears on the screen is an administrative panel for files and explaining how to download the files. The message concludes that access data will be sent to the email the viewer provides.

77. As the video continues, it shows ten files being selected and downloaded to a zip file dated October 24, 2010. The video further shows that the IP address used to download the files was :XXXXX:X-26.98.

78. Newswire Service 2's server logs confirm that its servers were unlawfully accessed on October 24, 201 0-the date ofthe zip file in the Turchynov video. Newswire Service 2's logs also confirm that, on October 24, 2010, the ten files in the Turchynov video were downloaded via IP address XX:X:XXX-26.98.

79. In October 2010 alone, Turchynov distributed via email more than 400 stolen press releases from Newswire Service 2.

80. Ieremenko also distributed stolen press releases electronically. For example, on October 10, 2012, Iermenko electronically sent a link to a press release stolen from Newswire Service 1 to an unidentified person before the press release was publicly issued and described how he now had emails for employees at Newswire Service 1 that would allow him to hack into their host server.

81. As part of the scheme, the trader defendants compensated the hacker defendants for stealing the press releases from the Newswire Services. At times, the hacker defendants received a flat fee and, at other times, a percentage ofthe profits obtained from trading on the material nonpublic information stolen by the hacker defendants. The hacker defendants ensured they were receiving the agreed-upon percentage by monitoring the trader defendants' trading, either through reports from the traders or direct access to the accounts used to make unlawful trades.

82. For example, on July 20, 2011, the Dubovoy Group provided the hacker defendants account information and login credentials to one ofthe trading accounts in the name ofArkadiy Dubovoy. This allowed the hacker defendants to monitor the trading in this account to determine the compensation owed for certain trades.

83. The next day, that account was accessed from IP address X::X:XX:X:X-18.42-the IP address for a workstation Turchynov used to access webpages and one ofthe IP addresses the hacker defendants used to hack the Newswire Services. Over the next six months, that same IP address accessed Dubovoy's trading account more than 300 times.

84. At times, the hacker defendants used entities for the purpose of collecting their share ofthe ill-gotten gains from the illicit trading. For example, upon information and belief, an individual associated with Turchynov controlled, in whole or in part, an account at a bank in Estonia. In February and March 2012, the Dubovoy Group defendants sent $225,000 to that account. The Dubovoy Group defendants attempted to conceal the illegal payments by sending them from Tanigold Assets, one ofArkadiy Dubovoy's companies, and mislabeling them as payments for "technological equipment" and "building equipment."

The Dubovoy Group Communicated With The Hacker Defendants

85. The Dubovoy Group had access to the press releases the hacker defendants stole.
On November 26,2010, Pavel Dubovoy emailed Garkusha a link to theinternet location ofthe
server Turchynov used in the October 24, 2010 internet hacking video-a server located at the IP
address :X:XX::XX::X-26.98-as well as login and password information to the server. Pavel
Dubovoy provided instructions, which informed the reader how to log in to the server and
download files and advised users to conceal the identity ofthe computer they used to access the
server. Garkusha forwarded Pavel Dubovoy's email to an unidentified individual.
86. In addition, as noted earlier, on July 20, 2011, the Dubovoy Group defendants
provided the hacker defendants with access to at least one ofthe brokerage accounts held in the
name ofArkadiy Dubovoy. The next day, a Ukrainian IP address (XX::XXX:X-18.42) began
accessing that brokerage account. Turchynov used that same IP address to access webpages, and the hacker defendants used that IP address in multiple hacking attacks on the Newswire Services. That IP address also accessed a second brokerage account belonging to Arkadiy Dubovoy.

87. Turchynov used another IP address, XXX:XX-9.101, to hack Newswire Service 2 from January 15, 2013 to March 2, 2013. That same IP address was also used to access one of Arkadiy Dubovoy'sbrokerage accounts in May 2012.

88. In addition, the Dubovoy Group defendants instructed the hacker defendants about which press releases to target. For example, on October 12, 2011, via an intermediary, Pavel Dubovoy emailed Turchynov a list offourteen U.S. issuers whose upcoming earnings releases were to be disseminated after the U.S. markets closed on October 12, 2011 and October 13, 2011, and the following week as well.

89. Moreover, although the defendants took extensive measures to conceal their fraud, those efforts were not always successful. For example, on December 18, 2013, at approximately 1:21 p.m. ET, Khalupsky emailed a screen shot of an unpublished press release relating to an earnings announcement the hacker defendants had stolen from Newswire Service 1 to his own email account. The unpublished release had been stolen by the hacker defendants and was not published until hours later, at 4:04pm ET. To take the picture, Khalupsky used a smartphone application that does not retain data. However, the picture was preserved because Khalupsky sent it via email.

Trading By The Dubovoy Group Defendants

90. The Dubovoy Group defendants worked in concert to execute the fraudulent scheme, using the information stolen by the hacker defendants to make illicit trades in numerous accounts. They shared control ofthe accounts involved in the scheme, either through formal trading authorization or informally via shared logins and security information which allowed scheme members to pose as one another and trade online.

91. The Dubovoy Group defendants tried to conceal their fraud by deceptively spreading their illicit tra Теги:   Oracle Hewlett-Packard Boeing Caterpillar Panera Bread PRNewswire Association LLC Marketwired Business Wire Переглядів:   3752