The US Securities Exchange Commission has settled charges today with two of the nine people it suspects have been involved in hacking its EDGAR database in 2016.
David Kwon and Igor Sabodakha agreed to pay fines and restitution, the SEC said in a press release. The two were two traders that benefited from insider trading after receiving data hacked from the SEC’s EDGAR server.
EDGAR, or the Electronic Data Gathering, Analysis, and Retrieval, is an SEC system where companies submit official company filings, future announcements, and past financial records.
The SEC claims that in February 2016, a Ukrainian hacker named Oleksandr Ieremenko breached a test EDGAR server operated by the SEC.
The SEC said it used the test server to let companies verify file uploads before submitting the data to the actual EDGAR database. While some companies used non-sensitive files to test the SEC filing system, some uploaded final versions of their files, or documents containing sensitive information.
In a criminal complaint [PDF] filed last year, the SEC said that Ieremenko took files from this test server and shared the data with eight co-conspirators, who then made market transactions in the short interval before the stolen files became broadly available.
The US securities regulator said it believes that Ieremenko’s eight trading partners acted on 157 files stolen from hacked EDGAR server and made over $4.1 million in illegal profits.
The SEC discovered the hack in May 2017, secured the server in March 2017, disclosed the incident in September 2017, and filed a complaint in January 2019.
Yesterday, Kwon, of California, and Sabodakha, of Ukraine, agreed to a settlement for their role in the scheme.
Kwon agreed to pay $165,474 in disgorgement, representing the profits from his illegal trades, and $16,254 in prejudgment interest.
On the other hand, Sabodakha agreed to disgorge $148,804 in profits from his illegal trades, including trades he conducted in the account of his wife, Victoria Vorochek, with prejudgment interest of $20,945. Sabodakha also agreed to pay a civil penalty of $148,804.
The SEC also moved to dismiss the charges it filed against Sabodakha’s wife, Vorochek, as part of the plea agreement.
Ieremenko was also previously involved in hacking three press release newswire services between February 2010 and November 2014, from where he similarly stole unreleased announcements, and shared it with co-conspirators who then engaged in insider trading, making more than $100 million in profits.
The hacker, Ieremnko, and Artem Radchenko, believed to be the mastermind behind both schemes (the EDGAR hack and the newswire hacks), are still at large.
Both are believed to be located in Russia, according to a post-mortem of the newswire hacks published by Ukrainian journalist Isobel Koshiw in The Verge.