Russian Cybersecurity Expert Convicted in Hack-to-Trade Conspiracy
- February 28, 2023
- Clayton Rice, K.C.
On February 14, 2023, a federal jury in Boston, Massachusetts, convicted Russian businessman Vladislav Klyushin of participating in an elaborate hack-to-trade conspiracy that netted millions through securities trades based on nonpublic information stolen from U.S. computer networks. Mr. Klyushin, whose company boasted of ties to the Kremlin, was arrested two years ago in Switzerland and extradited after a nine-month tussle between the U.S. and Russia. His lawyer maintained the charges were a pretext to get him into the hands of U.S. authorities so he could be pressured for information about the Russian cyber espionage group Fancy Bear, known for hacking Democratic National Committee emails to influence the 2016 presidential election.
On March 21, 2021, Mr. Klyushin was arrested in Sion, Switzerland, while en route by private jet to a ski holiday with his family. On December 18, 2021, he was extradited to the United States and the indictment dated April 6, 2021, was unsealed two days later by the U.S. Attorney’s Office in Boston. (here) The four-count indictment in the United States District Court, District of Massachusetts, alleged a conspiracy to obtain unauthorized access to computers, and to commit wire fraud and securities fraud with two co-conspirators, Ivan Ermakov and Nikolai Rumiantcev. (here) Mr. Klyushin was the first deputy general director of M-13, an information technology company based in Moscow, Russia. At various times, he purported to be the owner of the company. Mr. Ermakov and Mr. Rumiantcev were both employed as deputy general directors. U.S. Attorney Nathaniel Mendell said the case is connected to the 2016 hack of the DNC by Russia.
On December 20, 2021, the U.S. Securities and Exchange Commission filed a complaint in the same court. (here) The SEC alleges the defendants deceptively obtained nonpublic pre-release earnings announcements of companies with shares of stock traded on U.S. securities exchanges by hacking into the computer systems of two “service-provider firms” and used the information to profit by trading in advance of the public release of the earnings information. The co-defendant, Mr. Ermakov, is a former officer in the Russian Main Intelligence Directorate (GRU). He was previously charged in 2018 in federal court in Washington, D.C. for his alleged role in a hacking and influence operation related to the 2016 U.S. presidential election. He was also charged in 2018 in federal court in Pittsburgh, Pennsylvania, for his alleged role in hacking and related disinformation operations targeting international anti-doping agencies, sporting federations and anti-doping officials. (here)
2. A Murky Background
According to Mr. Klyushin’s Swiss lawyer, Oliver Ciric, the cybersecurity expert had previously “spurned approaches by U.S. and British intelligence agencies” while traveling in Europe. “He was perceived by U.S. intelligence as someone who may have confidential information or state secrets,” Mr. Ciric said. (here) In 2021, Gotham City, a Swiss investigative news site specializing in court cases and economic crime, added to the murkiness of Mr. Klyushin’s background when it reported that he has close ties to Alexei Gromov, a senior executive in the Russian presidential administration who is considered “the person in charge of the Kremlin’s media control”. (here) Mr. Gromov was placed under U.S. sanctions in 2021 for his alleged involvement in Russian efforts to interfere in the 2020 presidential election. (here)
Speculative interest in Mr. Klyushin’s broader connection with Mr. Ermakov has been heightened by the indictment filed in the District Court in Washington, D.C. which alleges that Mr. Ermakov was a member of a group of Russian military intelligence officers involved in a computer hacking conspiracy to interfere in the 2016 U.S. election. A federal arrest warrant has been issued for Mr. Ermakov. (here) Although nothing in that 2018 indictment accuses Mr. Klyushin of participating in election hacking, he is likely to be privy to Russian intelligence secrets according to Frank Figliuzzi, a former chief of counterintelligence for the FBI. “There’s likely more than meets the eye to this indictment and extradition,” Mr. Figliuzzi told Ken Dilanian of NBC News. (here)
3. The Conspiracy
The company, M-13, purported to offer cybersecurity consulting, penetration testing, and information technology and media monitoring services. Penetration testing, also called “pen testing”, is an authorized, simulated cyberattack used to evaluate an organization’s ability to protect its computer systems, networks and applications. A pen test looks for exploitable vulnerabilities in a computer system that could be leveraged by a hacker to obtain unauthorized access to the system. According to the company’s website, it also provided advanced persistent threat emulation services described as the “most sound and modern method of testing and analyzing the infrastructure’s security.” APT emulation, often marketed as red teaming, goes further than a vulnerability sweep: it reproduces the tools and tradecraft of a specific real-world adversary, credential theft and covert infrastructure included, to test whether an organization can detect and respond to an intrusion in progress. The website also indicated that the company’s IT solutions were used by “the Administration of the President of the Russian Federation, the Government of the Russian Federation, federal ministries and departments, regional state executive bodies, commercial companies and public organizations.”
Two filing agents identified in the indictment by the pseudonyms “Filing Agent 1” and “Filing Agent 2” were companies in the United States that provided their clients with secure technology and communications platforms for preparing and submitting regulatory filings to the U.S. Securities and Exchange Commission (SEC). The clients of the filing agents were public companies whose securities were traded on NASDAQ and the New York Stock Exchange. Under United States securities laws, publicly traded companies must regularly disclose their financial performance through the SEC to the general public. Publicly traded companies are also required to file periodic “current reports” disclosing events of significance to shareholders.
Many companies provide financial reports to filing agents, which file them electronically using the SEC’s Electronic Data Gathering, Analysis and Retrieval system (EDGAR). In order to make EDGAR filings, filing agents first receive and store the companies’ financial results on their own secure computer networks. Prior to their filing and public disclosure, the results are considered highly confidential business information. The indictment alleged that Mr. Klyushin, Mr. Ermakov and Mr. Rumiantcev conspired to obtain unauthorized access to the computer networks of the two filing agents using stolen employee credentials. They viewed or downloaded the financial disclosures of hundreds of publicly traded companies, including reports that had not yet been filed with the SEC. Armed with that nonpublic information, the defendants allegedly traded in the securities of those companies, earning tens of millions of dollars in illegal profits.
The objects of the conspiracy, then, were to obtain unauthorized access to computers with intent to defraud, and to commit wire fraud and securities fraud. The alleged purposes of the conspiracy that mark it as a hack-to-trade plot were: (a) to obtain material nonpublic information about the financial performance of publicly traded companies; (b) to enrich the conspirators by trading securities on the basis of that information; and, (c) to conceal the conspirators’ actions from the companies, securities regulators and law enforcement. In summary, the manner and means by which the defendants allegedly carried out the conspiracy included the following:
- obtaining unauthorized access to the computer networks of Filing Agent 1 and Filing Agent 2;
- deploying malicious infrastructure capable of harvesting employees’ usernames and passwords;
- using stolen usernames and passwords to misrepresent themselves as employees of the two filing agents;
- leasing proxy (or intermediary) computer networks outside Russia that obscured the origin of their attacks;
- subscribing to email addresses and payment systems used in furtherance of the attacks in others’ names;
- once inside the filing agent networks, viewing or downloading material, nonpublic financial information;
- trading in the securities of those companies while in possession of material, nonpublic information concerning their financial performance;
- distributing their trading across accounts they opened at banks and brokerages in several countries including Cyprus, Denmark, Portugal, Russia and the United States; and,
- misleading brokerage firms about the nature of their trading activities.
The indictment also claimed forfeiture to the United States of any real and personal property that constituted or was derived from proceeds traceable to the offences.
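The manner and means listed above (valid but stolen employee credentials, proxy infrastructure outside Russia, and bulk viewing or downloading of hundreds of issuers’ pre-release filings) describe exactly the pattern a filing agent’s own monitoring should be built to catch. The following Python sketch is an added illustration, not anything drawn from the indictment, the filing agents or M-13: it runs over a constructed portal access log, baselines each employee’s usual source countries and daily breadth of issuer documents, and flags days that break those baselines. The log format, user names, tickers, cutoff date and thresholds are all assumptions made for the example.

```python
"""Added illustration of credential-misuse detection on a filing agent's document
portal. Everything here is constructed for the example: the log format, the
employees, the issuer tickers, the baseline cutoff and the thresholds are
assumptions, not the filing agents' real systems or the investigators' methods."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed portal access log: timestamp, employee, source country, issuer, action.
# The last six "alice" lines model a stolen credential used through a proxy abroad
# to pull many issuers' pre-release filings in a few minutes.
SAMPLE_LOG = """\
2020-01-10T09:02:11Z alice US ACME view
2020-01-10T09:15:40Z alice US ACME download
2020-01-11T10:01:02Z alice US BETA view
2020-01-12T08:44:19Z bob US GAMA view
2020-01-12T08:50:03Z bob US DLTA view
2020-01-20T03:12:45Z alice SE ACME download
2020-01-20T03:13:01Z alice SE BETA download
2020-01-20T03:13:30Z alice SE GAMA download
2020-01-20T03:14:02Z alice SE DLTA download
2020-01-20T03:14:40Z alice SE EPSN download
2020-01-20T03:15:15Z alice SE ZETA download
2020-01-21T09:05:00Z bob US GAMA view
"""

# Events before this instant form the per-employee baseline (assumed learning window).
BASELINE_CUTOFF = datetime(2020, 1, 15, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    country: str
    issuer: str
    action: str


def parse_log(text):
    """Parse the constructed whitespace-separated log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, issuer, action = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(stamp, user, country, issuer, action))
    return events


def build_baseline(events, cutoff):
    """Per employee: the source countries seen and the largest number of distinct
    issuers touched on any single day before the cutoff."""
    countries = defaultdict(set)
    issuers_by_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e.ts < cutoff:
            countries[e.user].add(e.country)
            issuers_by_day[e.user][e.ts.date()].add(e.issuer)
    max_daily = {u: max(len(s) for s in days.values()) for u, days in issuers_by_day.items()}
    return countries, max_daily


def detect(events, cutoff, volume_factor=2):
    """Score each (employee, day) after the cutoff against two independent signals:
    a source country never seen for that account, and a day touching more than
    volume_factor times the account's previous maximum of distinct issuers.
    Either alone is 'medium' (travel, or a busy quarter-end); both together is 'high'."""
    countries, max_daily = build_baseline(events, cutoff)
    per_day = defaultdict(list)
    for e in events:
        if e.ts >= cutoff:
            per_day[(e.user, e.ts.date())].append(e)

    findings = []
    for (user, day), evs in sorted(per_day.items()):
        new_countries = sorted({e.country for e in evs} - countries.get(user, set()))
        distinct = len({e.issuer for e in evs})
        usual = max_daily.get(user, 0)
        reasons = []
        if new_countries:
            reasons.append(f"source country not in baseline: {new_countries}")
        if distinct > volume_factor * max(usual, 1):
            reasons.append(f"{distinct} distinct issuers in one day vs baseline max {usual}")
        if reasons:
            findings.append({
                "user": user,
                "day": day.isoformat(),
                "severity": "high" if len(reasons) == 2 else "medium",
                "distinct_issuers": distinct,
                "baseline_max": usual,
                "downloads": sum(e.action == "download" for e in evs),
                "reasons": reasons,
            })
    return findings


def run_example():
    """Run the detector over the constructed log with the assumed cutoff."""
    return detect(parse_log(SAMPLE_LOG), BASELINE_CUTOFF)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

On the constructed log only alice on 2020-01-20 is flagged, and at high severity, because the session comes from a country the account has never used and touches six issuers against a prior daily maximum of one; bob’s ordinary day passes. The point of requiring breadth rather than raw login volume is that a stolen credential used by an insider-trading crew looks like a legitimate employee right up until it starts reading every client’s unreleased numbers.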
4. The SEC Complaint
The SEC complaint mirrors the indictment, which is common in cases that give rise to parallel proceedings, as I discussed in my last post to On The Wire about the FTX collapse. (here) Mr. Ermakov (aka “Yermakov” and referred to by that spelling in the complaint) is named as the “Russian hacker” and Mr. Klyushin (spelled “Kliushin” in the complaint) and Mr. Rumiantcev as “trader defendants”. The filing agents are identified as “service-provider firms” and referred to as “servicers”. The SEC alleges that Mr. Ermakov used deceptive devices and contrivances to obtain the nonpublic information stored on the servicers’ computer systems. This included the use of compromised credentials of the servicers’ employees, malware and other hacking techniques. Mr. Ermakov then provided the hacked nonpublic information to the trader defendants, Mr. Klyushin and Mr. Rumiantcev. The complaint asserts that the trader defendants’ use of the hacked information to make timely trades in the securities of the servicers’ clients collectively harvested profits of $82.5 million.
The complaint alleges that the trader defendants’ use of the hacked nonpublic information is reflected by: (a) the fact that the trading occurred shortly after the hacking; (b) images of pre-release earnings announcements in the possession of certain trader defendants; and, (c) the trader defendants’ overwhelming focus on trading in the securities of the servicers’ publicly traded company clients, which the SEC says makes it statistically almost impossible that their trading occurred by chance. The SEC asserts that statistical analysis shows there is less than a one-in-a-trillion chance that the trader defendants’ choice to trade so frequently on earnings events tied to the EDGAR filings of the servicers’ public company clients would occur at random. The complaint alleges that the trader defendants furthered the scheme by monetizing the hacked information through unlawful securities trading and by participating in transactions that shared the trading profits with Mr. Ermakov.
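A figure like “less than one in a trillion” comes from asking how often a trader choosing earnings events at random would land so heavily on the servicers’ clients. The SEC’s actual model and inputs are not reproduced in the complaint passages discussed here, so the following Python block is an added illustration using a plain binomial tail test with constructed numbers (200 earnings-window trades, 190 of them in servicer clients, servicer clients assumed to be 15% of the issuers a random trader could have picked); every one of those inputs is an assumption for the example, not the SEC’s data. Computing in log space matters because the tail probabilities involved underflow an ordinary float product.

```python
"""Added illustration of the chance calculation behind a claim such as "less than one
in a trillion". A textbook binomial tail test with constructed inputs; the SEC's actual
statistical model and figures are not in the material discussed, and the numbers in
EXAMPLE below are assumptions."""
import math


def log_binom_pmf(n, k, p):
    """Natural log of P(X = k) for X ~ Binomial(n, p), via lgamma so that large n and
    tiny probabilities never overflow or underflow."""
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(p) + (n - k) * math.log1p(-p))


def log10_binom_tail(n, k, p):
    """log10 of P(X >= k) for X ~ Binomial(n, p), summed in log space (log-sum-exp)."""
    if k <= 0:
        return 0.0           # P(X >= 0) is 1
    if k > n:
        return float("-inf")  # impossible event
    logs = [log_binom_pmf(n, j, p) for j in range(k, n + 1)]
    m = max(logs)
    return (m + math.log(sum(math.exp(v - m) for v in logs))) / math.log(10)


def chance_of_concentration(n_trades, n_on_clients, client_share):
    """Under the null that each earnings trade picks a servicer-client issuer
    independently with probability client_share, return the log10 p-value of seeing
    at least n_on_clients such trades out of n_trades, and whether it falls below
    the one-in-a-trillion mark (log10 < -12)."""
    lp = log10_binom_tail(n_trades, n_on_clients, client_share)
    return lp, lp < -12


# Constructed inputs (assumptions, not the SEC's figures).
EXAMPLE = {"n_trades": 200, "n_on_clients": 190, "client_share": 0.15}


def sensitivity(n_trades, n_on_clients, shares=(0.15, 0.5, 0.9)):
    """The same trading record scored against different null universes: the answer
    is driven by how large a share of the choosable issuers the clients represent."""
    return {s: round(log10_binom_tail(n_trades, n_on_clients, s), 1) for s in shares}


if __name__ == "__main__":
    lp, extreme = chance_of_concentration(**EXAMPLE)
    print(f"log10 P(X >= 190 | n=200, p=0.15) = {lp:.1f}; below one in a trillion: {extreme}")
    print("sensitivity to the assumed client share:", sensitivity(200, 190))
```

With the constructed inputs the tail probability is around 10 to the minus 140, far past the one-in-a-trillion line, and that is the shape of the argument the complaint makes. The sensitivity helper shows the caveat a defence expert would press: if the servicers’ clients made up most of the issuers a trader like these would plausibly have chosen anyway, the same 190 of 200 is unremarkable, so the denominator (the null universe) carries the whole result.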
On February 14, 2023, in a press release following the jury’s verdict, U.S. Attorney Rachael Rollins said Mr. Klyushin and the co-conspirators repeatedly hacked into U.S. computer networks for nearly three years “to obtain tomorrow’s headlines today” and reaped enormous financial gains with stolen inside information. (here) Defence attorney Maksim Nemtsev told CyberScoop his client was disappointed but respected the jury’s verdict. “We intend to appeal the various issues including the admissibility of prejudicial statistical evidence, as well as the novel theories of stock fraud and venue that have never before been reviewed or adopted by the First Circuit or the Supreme Court”, he said. (here) U.S. District Court Judge Patti B. Saris scheduled the sentencing hearing for May 4, 2023. Of the five Russian nationals charged with carrying out the scheme, only Mr. Klyushin has been arrested and brought to trial.