Three Chinese miscreants have made millions on the stock market using insider information stolen from US law firms.
That's according to America's financial watchdog, the SEC, which this month won a default judgment against the trio. The blokes infiltrated systems used by two New York law firms, extracted confidential documents describing upcoming mergers and acquisitions, and traded shares capitalizing on this information, we're told.
Chinese citizens Iat Hong, 26, Bo Zheng, 30, and Hung Chin, 50, were fined $8,895,561.12 after the SEC claimed they infected legal firms with malware. US District Judge Valerie Caproni of the Southern District of New York also issued an order [PDF] freezing any funds the trio had in the US.
"As we allege, the defendants' 'hacking to trade' scheme involved numerous levels of deception as they gained broad access to the nonpublic networks of two law firms, stole confidential information and then used it for substantial personal gain," SEC crime-buster Antonia Chion previously claimed.
"This action marks the end of their alleged deception and serves as a stark reminder to companies and firms that your networks can be vulnerable targets."
According to US prosecutors – who brought criminal charges against the trio in 2016 – the crew hacked into IT administrator accounts, giving them root access to internal staff emails. Seven law firms that specialized in mergers and acquisition were targeted, and two fell victim.
The Dept of Justice claims the organizations were compromised between April 2014 and late 2015, and that the trio used information gleaned from the mailboxes to buy stock in at least five publicly traded companies before they were bought by other businesses – banking over $4m in profit.
The two law firms in question appear to have had little or no intrusion protection systems, since the attackers were able to download 50GB of data from one of them without raising an alarm. In that case the trio are accused of using inside information on Intel's purchase of Altera to reap profits of $1.4m.
Their pattern of trading was, however, picked up by SEC trading computers and flagged as possibly dodgy. The SEC moved on the case and informed prosecutors.
"As alleged, the defendants – including Iat Hong, who was arrested in Hong Kong on Christmas Day – targeted several major New York law firms, specifically looking for inside information about pending mergers and acquisitions," then-Manhattan US Attorney Preet Bharara said in December.
"This case of cyber-meets-securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals."
Hong and Chin were well used to using malware to further their aims, according to prosecutors. They ran a robotics controller chip manufacturing business in Hong Kong, and it's claimed they also used software nasties to hack into competitors and steal product plans and proprietary design schematics. Hong was arrested in Macau although we know of no extradition process.
The three have been charged in the US with conspiracy to commit securities fraud, conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer intrusion, unlawful access, and intentional damage. If found guilty they could spend 70 years in prison – if they ever reach American soil. ®