How a hacker network turned stolen press releases into $100 million
August 22, 2018
At a Kiev nightclub in the spring of 2012, 24-year-old Ivan Turchynov made a fateful drunken boast to some fellow hackers. For years, Turchynov said, he’d been hacking unpublished press releases from business newswires and selling them, via Moscow-based middlemen, to stock traders for a cut of the sizable profits.
Oleksandr Ieremenko, one of the hackers at the club that night, had worked with Turchynov before and decided he wanted in on the scam. With his friend Vadym Iermolovych, he hacked Business Wire, stole Turchynov’s inside access to the site, and pushed the main Moscovite ringleader, known by the screen name eggPLC, to bring them in on the scheme. The hostile takeover meant Turchynov was forced to split his business. Now, there were three hackers in on the game.
Newswires like Business Wire are clearinghouses for corporate information, holding press releases, regulatory announcements, and other market-moving information under strict embargo before sending it out to the world. Over a period of at least five years, three US newswires were hacked using a variety of methods from SQL injections and phishing emails to data-stealing malware and illicitly acquired login credentials. Traders who were active on US stock exchanges drew up shopping lists of company press releases and told the hackers when to expect them to hit the newswires. The hackers would then upload the stolen press releases to foreign servers for the traders to access in exchange for 40 percent of their profits, paid to various offshore bank accounts. Through interviews with sources involved with both the scheme and the investigation, chat logs, and court documents, The Verge has traced the evolution of what law enforcement would later call one of the largest securities fraud cases in US history.
The case exemplifies the way insider trading has been quietly revolutionized by the internet. Traders no longer need someone inside a company to obtain inside information. Instead, they can turn to hackers, who can take their pick of security weaknesses: a large corporation or bank may have good in-house security, but the entities it works with — such as financial institutions, law firms, brokerages, smaller investment advisories, or, in this case, newswires — might not.
As one person involved in the press release scheme pointed out, it doesn’t matter what level of security a company has, “you’ve always got the human factor: that one employee who will click on the phishing email or is happy to exchange their password for money.”
“Just about every organization that compiles financial data that could be useful for traders has, at some point, been hacked,” says Scott Borg, director of the US Cyber Consequences Unit, a nonprofit research institute that does consulting for the US government. “All the bureaus of economic analysis from major countries in the world have almost certainly been hacked.”
For the most part, Borg says, these hacks fly below the radar. They tend to be “sophisticated and targeted,” and companies often refrain from reporting them, whether to avoid liabilities and reputational damage or because they don’t even know what information has been stolen.
In the last eight years, the US Securities and Exchange Commission has added three new teams to enhance its cybercrime detection capabilities and pushed companies to bolster their own security and quickly disclose breaches. The measures have had some success, as evidenced by a recent case involving law firms infiltrated by three Chinese hackers, but it’s a cat and mouse game. Even the SEC isn’t safe: in 2016 the commission was hit. The attack was not made public until the following year, generating accusations of hypocrisy.
The international nature of trading hacks makes enforcement particularly difficult. Shortly before Turchynov was bragging about the scheme, the US Secret Service, whose mission includes protecting the country’s financial infrastructure, started taking an interest in what he was up to.
From the beginning of 2012 onward, the three newswires — Business Wire, PR Newswire, and Marketwired — were endlessly patching holes and uninstalling malware in an effort to block the hackers’ access, court documents show. Askari Foy, a cybersecurity expert formerly with the SEC, explained that it would be standard practice for one of these firms to contact the FBI to launch a criminal investigation, which would give authorities access to their systems for forensic analysis.
After authorities alerted PR Newswire to a potential breach, the wire hired the private cybersecurity firm Stroz Friedberg in March 2012 to investigate further. Turchynov’s malware was detected and uninstalled, according to court documents. He sent a panicked message to the Moscovites on March 27th, presumably referring to internal newswire emails he had access to:
When you get back here write to me right away, there are several problems. The first and largest is that PR is fucked up. They detected the module and removed all our shit there. They took away that temporary server. I haven’t gone on to the new one yet, I’m waiting. This happened on the 13th [March]. The second problem: your guys were detected. They were trading with very big money and there was a lot of fuss about them, about how it’s not the season and when it was the season they traded.
But by May 30th, 2012, thanks in part to their new co-worker Ieremenko, the hackers had regained access to PR Newswire and were back in business.
The US Secret Service decided to send an assistance request to Ukraine’s intelligence services, according to Ukrainian agent Oleksiy Tkachenko and US court documents. Their Ukrainian counterparts set to work following Turchynov about his daily life.
According to a peer who was also contacted by the Ukrainian agents, they noticed that Turchynov socialized with a group of 10 other men in their 20s, including his colleagues Ieremenko and Iermolovych, who had abundant cash and no discernible source of income. Turchynov is said to have owned a house in Koncha-Zaspa, Kiev’s equivalent to Beverly Hills. On social media, he displayed an extravagant gold clock collection, a gun, a luxury car, and pictures of him and his friends in Kiev nightclubs.
In November 2012, the Ukrainians, accompanied by US Secret Service agents now working in tandem with the FBI, carried out raids on nine properties around Kiev tied to the hackers. They confiscated Ieremenko and Turchynov’s laptops, uncovering hundreds of press releases as well as chat logs relating to the scheme. A few months later, US Secret Service Special Agent Alexander Parisella arrived in Ukraine to question Turchynov, Ieremenko, and others at interviews organized by Ukrainian intelligence agents, according to court documents.
From there, the case went cold. Ukraine does not extradite its own citizens, so Special Agent Parisella could do little more than try to get the hackers to talk about the press releases and other stolen payment card data they had found.
None of the hackers were charged in Ukraine, either. Ukrainian law enforcement said they never received the required request from the US to do so, a fact confirmed by a US agent at trial. It seems Ukraine’s intelligence services had something else in mind for Turchynov, the Americans’ key suspect.
“Back then, he paid the mentiy [Russian slang for cops]. Well, not paid. He gave them his collection of clocks worth half a million. He handed over his house. He handed over his Bentley, and then they said, ‘Ok now you are working for us or you’ll go to America’,” said a person in close contact with Turchynov at the time.
From US Special Agent Parisella’s visit onward, Turchynov continued to hack press releases, but now at the behest of elements within Ukraine’s intelligence services, Ukraine’s Cyber Police Chief Serhii Demedyuk told The Verge. The intelligence agents began running a parallel operation to the Moscovite middlemen, using Turchynov’s access and sourcing their own traders, according to Demedyuk.
“That’s what, in fact, happened, and that needs to be admitted,” said Demedyuk of the way Ukrainian intelligence agents allegedly profited from illegal trades.
Ukraine’s intelligence services did not respond to requests for comment about their involvement.
The origins of the trading hack are murky. In court, a government witness identified a man known only as “Valerie” as the “main guy.” Witnesses and documents also identified someone named Roman Vishnevsky as his point of contact with the traders, who, based on a shared Skype name and social contacts, is likely the trader who at age 26 was featured by Forbes Russia for his success. (Vishnevsky has not returned repeated requests for comment.) Neither person has been charged, despite Vishnevsky traveling to the US as recently as November 2017. Online, according to multiple sources who spoke to The Verge, the purported ringleader was known only by the screen name eggPLC.
Demedyuk and others who spoke on the condition of anonymity believe eggPLC is a Moscow-based stock trader originally from St. Petersburg, who since at least 2008 had been hiring hackers to work for him. On a number of dark web forums, where exploits, stolen login data, and personal details are bought and sold, The Verge reviewed instances of eggPLC advertising for hackers to help him access brokerage accounts. According to a person connected to the scheme, he would then use the brokerages to drive share prices up and down while making trades from his own accounts. This variation of the old-school stock scam known as pump and dump was revived in the mid-2000s by traders using hackers to manipulate prices.
Based on what Demedyuk and those with knowledge of the scheme say, it would have been around 2009 that eggPLC recruited Turchynov to hack the newswires. Turchynov would send the stolen press releases to eggPLC and two other Moscow-based middlemen, who would pass them on to traders; the hackers would take a 40 percent cut of profits, and the middlemen took 10 percent. From his inactive ICQ numbers, a messenger service once popular in Russian-language hacking circles, it appears that eggPLC was running a full-fledged business through the dark web. One number he advertised was his personal number; another bore the name “eggPLC support.”
In St. Petersburg, Moscow, Kiev, and the US, the stolen press releases attracted growing groups of traders, some employed at investment companies and others working independently. Friends approached friends, and circles grew.
Two of the traders, the brothers Pavel and Arkadiy Dubovoy, come from one of Ukraine’s most well-known and wealthiest evangelical Baptist families, several members of which got rich privatizing Ukrainian factories in the 1990s. Arkadiy, who owns an ice cream factory in Odesa, immigrated to the Atlanta suburbs in the mid-1990s, thanks to a law offering refugee status to persecuted religious minorities from the Soviet Union. Pavel studied for a while in the US near Arkadiy. But together with a large contingent of the Dubovoy family, they moved to Kiev when their cousin Oleksandr was elected to parliament in 2007.
While living in Ukraine in November 2010, according to court documents, Pavel Dubovoy sent Arkadiy’s partner in the construction business an email containing instructions on how to access the stolen press releases.
After the Christmas holidays, Arkadiy and his business partner, Alexander Garkusha, traveled from their homes in Alpharetta, Georgia, to the Atlanta airport where they met a Philadelphia-based Slavic Baptist pastor and trader named Vitaly Korchevsky.
As a former Morgan Stanley portfolio manager and vice president, Korchevsky had a strong reputation for financial planning advice among the new immigrant community, many of whom arrived with little English and little understanding of life in America. Korchevsky was a prominent religious figure in the US-based Slavic Baptist community as well and was often invited to preach around the US and the former Soviet Union.
In the early 2000s, Korchevsky would finish work at Morgan Stanley in New York and make the almost two-hour journey back to South Philadelphia, where he would spend the evening driving around the suburbs visiting Slavic Baptists he hoped to attract to his small evangelical Christian gatherings. He later organized a union of 28 Russian-speaking churches and spent much of his large income to establish his own church in Philadelphia. He also sponsored many of his own congregation to emigrate from the former Soviet Union, as he had done in the late 1980s. They would often live at his house until they found work and housing.
“He was very religious… but when I met him, I saw in him a businessman as well. He is a man of ambitions. He is a man who loves himself and ambitions,” said a Slavic Baptist leader who has known Korchevsky for three decades. “He loves being in a position of a leader… and being a persona that people look up to.”
Arkadiy and Garkusha met Korchevsky to discuss the scheme at an airport restaurant while he had a layover in Atlanta. It was a tough sell at first. The financially astute pastor was unimpressed, saying that the printed releases they were showing him were publicly available. Arkadiy left the meeting thinking it was just another one of his younger brother’s bad ideas. A second meeting was stymied by technical difficulties. It was only on the third attempt, when the group finally got proper access to the server to show Korchevsky, that the pastor declared the scheme was workable.
Arkadiy began opening brokerage accounts. Arkadiy’s English is so limited he would ask others, like his son Igor, to write emails on his behalf, he said. He also claimed in court to have no knowledge of stocks and a limited ability to use computers. Consequently, he gave Korchevsky permission to trade with his money from his accounts and paid him about 10 percent of the profits. Korchevsky, who was setting up a Philadelphia fund at the time, secretly made trades from his own accounts, a move that would later lead to the group being cut off by the middlemen for not paying their full commission.
Arkadiy was also running his own side game. His brother Pavel had introduced him to another former Wall Street trader, Vladislav Khalupsky, who split his time between Odesa and Brooklyn. Arkadiy opened accounts for Khalupsky to trade with. He later testified that he wanted to see who was better: Pastor Korchevsky or Khalupsky. Arkadiy also sent his son Igor to learn how to trade at Khalupsky’s Odesan firm.
The scheme continued to grow in this way, with friends, family, co-workers, and fellow congregants roping one more person into a seemingly foolproof way to get rich. Two managers at Arkadiy’s Ukrainian firms opened accounts, and two of his relatives in Odesa joined as well. (The Dubovoy family is very large, and only five members have been implicated in the case.) A year later, Arkadiy’s accountant and fellow churchgoer Leonid Momotok got involved. Momotok, who had some knowledge of the stock market, opened more accounts to trade with, including one under the name of his brother. The more unrelated the entities and accounts, the harder it is for the regulators to detect and investigate.
For someone like Korchevsky, a registered US investment adviser with over a decade of experience, the stolen press releases were easy money.
On August 3rd, 2011, a press release from Dendreon Pharmaceuticals was uploaded on PR Newswire at 3:34PM and published less than 30 minutes later at 4:01PM, just after the markets closed. The release announced the company’s new drug would not meet its forecasted sales target. At 3:56PM, when it had yet to be published and four minutes before the markets closed, Korchevsky purchased 1,100 put options, a contract giving the ability to sell the stock at a specific price within a specific time period. The next day, Dendreon’s stock fell 67 percent and Korchevsky sold his put options for a profit of more than $2.3 million. Phone records have Korchevsky calling Arkadiy’s office twice before the release was published and twice again after he sold the put options.
There were also times when the traders lost money. Despite a positive release, internet company Verisign’s stock price unexpectedly dropped on April 26th, 2013. Arkadiy’s son Igor Dubovoy emailed Korchevsky: “Arkadiy asked me to sell all the stocks if you do not have Internet can you please let me know if I should do it or if you have the service to do it.” Shortly after, Igor closed out the Dubovoy group’s positions for a loss of $114,038. Igor then sent Korchevsky another email: “I already sold everything and just saw your email not sure if i sold it the way you had it planned.” Korchevsky responded to Igor: “its ok … not the last day … it was strange anyway … got the numbers right … reaction mixed.”
In Ukraine, Pavel, who held a joint account with his brother Arkadiy, was responsible for paying the hackers their commission. He did so through his British shell company, using account numbers provided by an unidentified individual, likely Roman Vishnevskiy, who was mentioned several times at the trial as being the Dubovoys’ point of contact. (Vishnevskiy did not return repeated requests for comment.) In one of several emails from February 2012, confirming payments to Arkadiy, Pavel stated he had paid $95,000 into Turchynov’s Estonian bank account, next to which he wrote “the guys.” It was disguised as a payment for building equipment from Arkadiy’s property development company, a common vocation of Soviet Baptists who were often denied access to state-gifted accommodation. The email also included a note that $160,000 had been paid to “Vlad” aka Khalupsky, the Ukrainian-US trader who provided investment advice. Pavel would also email wish lists of expected company announcements to Arkadiy in Georgia and to the hackers via the Moscow ringleaders.
It is not clear how Pavel first became acquainted with Roman, who introduced Pavel to the scheme and worked for its main ringleader, according to testimony. It is also not fully apparent what Pavel does for a living. His politician cousin Oleksandr described him in an interview with The Verge as a “technical specialist” and “freelancer” who also dabbled in property development, though he said he was unsure of his trading capabilities.
Reached over the phone in March, Pavel denied being involved in insider trading or in trading generally. “I honestly had very little to do with it. My relatives were much more involved,” said Pavel of the press release scheme and his indictment by the US authorities. “I had absolutely nothing to do with it,” he went on. “I have never had any broker accounts or conducted any trades. I don’t even know how it’s done…I don’t know what is going on in the case…I don’t know why [they have connected me].”
Pavel subsequently declined repeated requests to meet, and didn’t respond to specific questions about the hacking scheme.
In November 2014, almost two years after Agent Parisella’s visit to Kiev, the third hacker, 27-year-old Iermolovych arrived at a luxury resort on the sunny shores of Cancun, Mexico, on vacation from Ukraine’s freezing winter. Just after midnight, as he sat relaxing in the hotel restaurant, a group of Mexican law enforcement officers approached, according to a source with knowledge of the event. The officers told him that he was not welcome in Mexico and that they were taking him to the airport. The Ukrainian consulate had agreed to fly him back to Ukraine, they said. Meanwhile, the police searched the room upstairs, waking his wife and confiscating his laptop. When Iermolovych arrived at the airport in darkness, he was hustled onto the back of a commercial passenger plane and told he would have one stop in Dallas, Texas.
However, as the plane touched down in Dallas, the source said, the passengers in the front four rows stood up and announced they were US Secret Service agents. Iermolovych did not proceed to Ukraine. The Mexicans had handed him over to US law enforcement. There were no extradition proceedings.
Iermolovych was initially charged with selling data from over 300 stolen corporate payment databases based on information found on his laptop in the Kiev 2012 raids. Law enforcement then found evidence of press releases on the laptop the Mexican authorities confiscated. After he was transferred to the Hudson County Correctional Facility in New Jersey, the US authorities presented Iermolovych with a choice of serving two to three years or 20, and encouraged him to accept a plea agreement.
Even with one of the hackers in custody, uncovering the entire network was difficult. Iermolovych denied knowing any of the traders and claimed to have only chatted with the Moscow ringleaders online, according to a source with knowledge of the investigation. Moreover, the traders would access and read the press releases on an offshore server, minimizing traces of evidence.
Experts say getting caught for this type of insider trading often depends on the lengths a trader will go to to avoid detection. Identifying a trader who is using inside information is almost impossible if they keep changing where they’re trading from, even with cooperation from multiple countries, according to Borg, the director of the US Cyber Consequences Unit. Traders can further cover their tracks by establishing credit ratings at brokerages anonymously through cryptocurrencies or shell companies that they then shut down.
The Dubovoy group was somewhat less careful. Since 2010, the SEC’s Analysis and Detection Center has joined Wall Street’s self-regulator, the Financial Industry Regulatory Authority (FINRA), in monitoring the markets for signs of insider trading. Their algorithms are designed to pick up on stock prices fluctuating before major corporate announcements, indicating that those buying or selling have insider knowledge, said Janet Austin, a professor at the University of New Brunswick and author of the book Insider Trading and Market Manipulation: Investigating and Prosecuting Across Borders. The SEC’s Center for Risk and Quantitative Analytics then looks at the entity making the flagged trades to see if they can find links to the company, like a relative or a past employer. If they cannot find any immediate link, they store the data in case the entity does it again. The volume of trades to sort through still makes detection difficult.
FINRA aided the SEC in its investigation of the press release case. Both declined to comment for this story. What likely happened, according to Austin, was that, armed with the knowledge that stolen press releases were being used on the markets, the regulators looked at logs of suspicious trades and gradually discovered that some of the entities were associated.
The Dubovoys used the same brokerage accounts repeatedly, and they owned some of them directly or through immediate family members with shared surnames. Their association could also be easily confirmed through the fact that they were part of the same church community.
In 2014, the middlemen discovered the Dubovoy group was trading from many more accounts than they were declaring. They started threatening Pavel, according to court testimony. Arkadiy made a trip to Ukraine in January 2015 where he even met Valerie, the “main guy.” Roman, their middleman contact, made different proposals as to how the group could make good and regain access: paying $50,000 a day for continued access to the server, or $100,000 a week, plus a $300,000 deposit. (The sums were indicative of how valuable the releases had become on the black market.)
It didn’t work out. Eventually, the group found a new way to get the releases through the husband of Arkadiy’s cousin, Valery Pychnenko, who was able to meet the middlemen through his own channels. Pychnenko would send the releases to himself using a nondescript email account, which Igor would access and then forward to Vitaly.
But just as the newswires did not always inform their clients that they were having security problems, the middlemen appear to have chosen not to tell the traders that one of their hackers was arrested.
Nine months after Iermolovych’s arrest, in August 2015, FBI agents led pastor Vitaly Korchevsky, with graying slicked-back hair, out of his upscale suburban home in Philadelphia. The same day, Arkadiy, Igor, Garkusha, and Momotok were also arrested at their homes in Georgia.
Korchevsky was accused of making $17.5 million in illicit gains, Arkadiy over $11 million, and Igor $249,000. Momotok and Garkusha made approximately $1.3 million and $125,000, respectively.
The news shocked the US Slavic Baptist community and Korchevsky’s fundamentalist congregation, in particular, many of whom refused to believe he was guilty. The persecution Baptists suffered at the hands of the Soviet Union has left many suspicious of the authorities and the media, according to Olena Panych, an academic on post-Soviet Baptists.
His supporters alleged that the case was a US government plot aimed at persecuting the Christian leader. Korchevsky’s defense argued, and US prosecutors have admitted to the court, that they found no press releases on Korchevsky’s computers or evidence that he was in contact with the hackers.
Korchevsky was careful, according to witness testimony. He often traveled to Ukraine to trade and used computers that Arkadiy had paid for. He would also be careful to delete the evidence and leave whatever technical equipment he could behind in Kiev. An FBI forensic specialist testified that they were unable to reconstruct deleted attachments, which they believed were press releases. In the indictments, the prosecutors instead pointed to Korchevsky’s trading patterns, which in many instances mirrored those of other defendants accused of trading on the releases, as well as presenting emails and chats between Korchevsky and other members of the Dubovoy group discussing trades.
Several Slavic Baptist leaders told churchgoers not to discuss the issue publicly and to pray. After his arrest, his supporters created a Pray for Vitaly Korchevsky Facebook page and sometimes prayed outside the courthouse during his hearings.
“I ask you please not to rush to conclusions,” said pastor Konstantin Likhovodov in Portland, Oregon, speaking a week after Korchevsky’s arrest. “He is a god-fearing man. And it even surprises me brothers, that we would so quickly agree with non-believers to the detriment of what we know about our own brother… I am embarrassed to say that there are members of this church who have allowed themselves on the internet…to say he is a wolf in sheep’s clothing. I have a question: What right do you have to judge another? Who do you think you are?”
After initially pleading not guilty, Garkusha, followed by Momotok, Arkadiy, and Igor, all pleaded guilty before the trial. They are currently awaiting sentencing. When a person in the Pray for Vitaly Korchevsky Facebook group posted about them pleading guilty in 2016, the admin responded:
How do you know these other guys didn’t get paid off by the govt to lie to the judge? Watch, they will get off with a slap on the wrist, and a few million each. I think you underestimate the government’s abilities to create a situation when they need one, and their ability to get whatever they want. I recommend you really search inside yourself and ask yourself who the real criminal is here.
Korchevsky’s church has suffered immensely because of the case. After the US government froze his funds, the congregation began pooling its resources to pay for his lawyers. Korchevsky allegedly used some of his trading proceeds to purchase nine properties in the Philadelphia suburbs, a strip mall, and a 9 percent stake in a Georgia apartment complex. At least five of the houses, according to those who know him, were purchased on behalf of new immigrant families who had yet to establish credit ratings: “Yes, it is true actually all of them…I did not buy anything for myself,” wrote Korchevsky via email when asked about some of the properties. Korchevsky did not respond to further questions about his role in the scheme.
“It really shocked people because they did not think that he could do anything wrong because he had done so much good for them,” said a Baptist leader who has known Korchevsky for three decades. “He is really heartbroken because everything that he built has been crushed.”
“If he doesn’t admit the guilt, I almost positively think that it’s church related. He has the image of a man who cannot do that. As long as people think he’s innocent he can continue to be a star,” said the Baptist leader, who believes Korchevsky is guilty.
The only stolen release the US was able to obtain before the arrests in 2015 was one that was screenshotted by Khalupsky on Viber, a mobile application that doesn’t retain data. He emailed the release to his Yahoo account, which the government likely searched. Placed together with the emails and trading windows, the screenshot was a key piece of evidence against the Dubovoy group, the only traders to be criminally indicted. After the arrests, Igor gave the FBI access to an email account containing over 200 releases, which he said he had forwarded to Korchevsky.
Khalupsky, the Wall Street trader who resided in Brooklyn and ran an Odesa trading firm, was detained hiding out in Odesa in February 2017. After placing him under nightly house arrest, Ukrainian authorities granted an American extradition request, as Khalupsky is a US citizen.
The group turned on itself over the course of the proceedings. Khalupsky, like Korchevsky, pleaded not guilty, claiming he had been misled by the Dubovoys. Arkadiy, Igor, and Garkusha testified against them at the trial. In turn, Khalupsky’s defense attorneys attacked their credibility by linking them to past cases involving a drug scheme stretching from Panama to Europe and money laundering in Latvia.
A jury found Khalupsky and Korchevsky guilty on all counts on July 6th. Korchevsky’s supporters were twice scolded by the judge for praying outside the courthouse during the trial. As the verdict was read, his family broke down in tears, according to Bloomberg. The pair has yet to be sentenced.
Free on bond after the verdict, Korchevsky addressed his Philadelphia congregation to thank them for their support. With the smile of a man vindicated, he said he would appeal the verdict:
The Lord showed with certainty that they could not present a single piece of evidence that I ever held any information. It doesn’t exist. Of course a story was told that I destroyed the computer, though they found a 17-year-old computer in my house. But God knows and we can express it bravely before him: that there was nothing of the sort. Not a single computer or cell phone was ever destroyed.
Two related SEC civil cases were brought against traders at investment and trading companies in Moscow and Kiev as well as individuals in St. Petersburg. They have argued their innocence based on the lack of evidence that they possessed the unpublished releases or had contact with the hackers. Unlike in Korchevsky’s case, where there were dozens of emails to US-based servers and one stolen release, the mainstay of evidence in the SEC civil cases is the trading patterns.
In dozens of instances, the traders and entities named in the civil case would trade within hours, sometimes minutes, of each other, and before a release became public. The traders’ choice of stock would also follow the hackers’ fluctuating access to the newswires.
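The pattern evidence described here, and the repeat-and-link screening described earlier for the SEC and FINRA, can be sketched as follows. This is an added example, not code from the article or from any regulator: it assumes the newswire's upload and publication timestamps are available from forensic logs, and every account name, the issuers other than Dendreon, and both thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample data. Only the Dendreon times (uploaded 3:34PM, published
# 4:01PM, trade at 3:56PM on August 3rd, 2011) come from the article; the
# issuers "ISSUER_B"/"ISSUER_C" and all account names are invented.
RELEASES = [
    # (issuer, uploaded to newswire, published)
    ("Dendreon", "2011-08-03 15:34", "2011-08-03 16:01"),
    ("ISSUER_B", "2011-09-12 14:10", "2011-09-12 16:05"),
    ("ISSUER_C", "2011-10-20 13:00", "2011-10-20 16:02"),
]
TRADES = [
    # (account, issuer, time of trade)
    ("acct_1", "Dendreon", "2011-08-03 15:56"),
    ("acct_2", "Dendreon", "2011-08-03 15:58"),
    ("acct_1", "ISSUER_B", "2011-09-12 15:40"),
    ("acct_2", "ISSUER_B", "2011-09-12 15:45"),
    ("acct_2", "ISSUER_C", "2011-10-20 15:30"),
    ("acct_3", "ISSUER_C", "2011-10-20 15:50"),  # single hit: kept, not flagged
    ("acct_4", "Dendreon", "2011-08-03 10:15"),  # before upload
    ("acct_4", "ISSUER_B", "2011-09-12 16:30"),  # after publication
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def embargo_hits(releases, trades):
    """Map account -> set of releases it traded on while they were embargoed.

    A release is identified by (issuer, upload time) so that several releases
    from the same issuer are counted separately.
    """
    windows = defaultdict(list)
    for issuer, uploaded, published in releases:
        windows[issuer].append((_ts(uploaded), _ts(published)))

    hits = defaultdict(set)
    for account, issuer, when in trades:
        t = _ts(when)
        for uploaded, published in windows.get(issuer, []):
            # On the wire's servers but not yet public.
            if uploaded <= t < published:
                hits[account].add((issuer, uploaded))
    return dict(hits)


def repeat_accounts(hits, min_releases=2):
    """Accounts that hit the embargo window on several distinct releases.

    One hit can be luck; the data is stored and the account is flagged only
    when it happens again (threshold is an assumption).
    """
    return sorted(a for a, rel in hits.items() if len(rel) >= min_releases)


def linked_pairs(hits, min_shared=2):
    """Pairs of accounts that hit the same embargoed releases.

    Shared hits suggest a common source even when the accounts have no
    visible relationship (threshold is an assumption).
    """
    pairs = {}
    for a, b in combinations(sorted(hits), 2):
        shared = hits[a] & hits[b]
        if len(shared) >= min_shared:
            pairs[(a, b)] = len(shared)
    return pairs


if __name__ == "__main__":
    found = embargo_hits(RELEASES, TRADES)
    print("repeat accounts:", repeat_accounts(found))
    print("linked pairs:", linked_pairs(found))
```
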
One defendant in the civil case, David Amaryan, whose company Copperstone Capital won an award for best Russian hedge fund in January 2015, claimed that one of his employees devised an algorithm to pick up early trades occurring on the market and mimic them, the logic being that the early trades were made on the basis of someone else’s insider information. After an uncomfortable round of questioning, during which prosecutors proved to the court that he knew other defendants in the case he had previously denied knowing, Amaryan and his three companies agreed to pay $10 million to the SEC. He neither admitted nor denied wrongdoing as part of the settlement. Similar settlements have been made by other Russian and Ukrainian defendants, including one of Ukraine’s most prominent investment firms. In total, the SEC has recouped $53 million in ill-gotten gains from investment firms, traders, and brokerages.
Iermolovych, the hacker removed from Cancun, is the only defendant to be sentenced so far in the case, in May 2017. He received a 30-month prison sentence.
In all, the case would later be described by the FBI as the largest known computer hacking and securities fraud in the world. The combined total of profits made public by the SEC stands at over $100 million, but that represents only a fraction of the money authorities believe was made off the stolen press releases. Several of the people currently charged, including Pavel, have not had their profits established and therefore aren’t included in the total. Furthermore, during pre-trial, a defense attorney referred to a sealed affidavit saying that the FBI has identified more than 100 individuals who traded on the hacked information. So far, the authorities have only initiated proceedings against 42 entities, including 20 individual traders.
Safe from US hands under Ukrainian law, and likely safe from Ukrainian law because of his connections, Arkadiy’s younger brother Pavel, the person who introduced the group to the releases, is the only one of the criminally charged traders still at large.
Pavel has amassed high-profile ties, especially after his and Arkadiy’s cousin Oleksandr Dubovoy entered Ukrainian politics. The Dubovoy group associates with figures from the Kremlin’s evangelist for healthy living to Russia’s most decorated singer, who was personally congratulated by Putin on his 80th birthday during a party held at the Kremlin. One of their most significant connections is the former deacon of the Dubovoys’ church in Kiev: Oleksandr Turchynov (no relation to the hacker Ivan Turchynov). Oleksandr Turchynov is the former head of intelligence services and one-time acting president, and he currently oversees the police, intelligence services, and army. That makes him one of the most powerful politicians in Ukraine.
Oleksandr Turchynov and the Dubovoys were known among congregants at Word of Life for their shared love of the number seven, says their now former pastor Volodymyr Kunets. Kunets says they chose the number because it signifies completeness in the Bible, the day God rested. Pavel and Oleksandr Dubovoy have cell numbers with at least four sevens, and Oleksandr Turchynov and Oleksandr Dubovoy have customized car license plates with four sevens, said Kunets. (There is no indication that Oleksandr Turchynov was associated with Pavel’s trading scheme, and his representative denied the politician is acquainted with Pavel, but said he is close to Pavel’s cousin Oleksandr Dubovoy.)
Pavel and Oleksandr Dubovoy fell out with their pastor Kunets after they, along with Oleksandr Turchynov, paid millions of dollars to help construct a new church for the Word of Life congregation, located next door to the original church. The trio then de facto took it over from an aggrieved Kunets in July 2017. He had been their pastor for over 10 years.
Speaking in general terms about the community and the case, Panych, the researcher studying post-Soviet Baptists, said that due to scarce finances, churchgoers have learned to accept politicians and wealthy parishioners, preferring to leave it up to God to judge their actions.
“You understand, the church also needs rich people. They donate money. They build prayer houses. But where they get the money, it’s not always clear,” said Panych.
Kunets told The Verge that when news broke of the US case in August 2015, Pavel left for Belarus to stay with relatives, where he remained for around a year before returning under a different passport. Ukraine’s police say that Pavel is living in Ukraine under a fake Russian passport. He seems to be living quite openly since returning. Just before Christmas in 2017, The Verge saw Pavel at a Sunday service, which, according to churchgoers, he has been attending regularly in the past year. He has also traveled abroad, checking in on Facebook in Tehran, Iran, a country where arrest by the waiting FBI is almost impossible.
Ukraine’s police say they have questioned Pavel, yet their American colleagues have not handed over the necessary information to arrest him. Ukraine’s intelligence services say they have no information regarding Pavel.
The press release case received little attention from the Ukrainian media and the Ukrainian evangelical Baptist community, but Pavel cropped up in one of Ukraine’s biggest corruption cases of 2017, which was featured in a BBC Panorama program. Ukraine’s National Anti-Corruption Bureau accused Pavel of attempting to bribe one of their agents to shut down an investigation into his cousin’s Odesan factory and Odesa’s notorious mayor, who the BBC alleged is part of a mafia ring. According to leaked documents from Ukraine’s prosecutor general’s office, Pavel offered the agent $100,000 to lift a freeze on his cousin’s bank account, an additional $200,000 to be paid once the freeze was lifted, and a further $200,000 to close the case entirely.
The drama in Pavel’s life has not stopped there. He was shot at three times in February, according to his cousin Oleksandr Dubovoy. The injuries, said Oleksandr, were sustained during a meeting in a cafe when Pavel attempted to rescue an unknown woman from being beaten by a group of men. Interviewed by phone from a hospital, Pavel said the conflict with Pastor Kunets over the church they had built together had been “exhausted.” He denied involvement in the press release case, though he did not respond to further detailed questions.
His cousin Oleksandr Dubovoy explained, when asked, that the group did not see the scheme as a contradiction of their faith: “As much as I have read, listened and heard from his relatives and I know him well too, they, and he, in particular, don’t see it as stealing something.” Pavel was a tool or link who passed on an instrument and didn’t know how it was going to be used, said Oleksandr.
The FBI declined to give an official comment about the press release case or the alleged involvement of the Ukrainian intelligence services.
The hacker Turchynov has so far escaped consequences of the scheme collapsing as well. He went on to hack Ukraine’s fiscal services database in 2016 for a different Ukrainian business group, according to Demedyuk, Ukraine’s cyber police chief, and stole information and altered taxes on the group’s behalf. When the police began investigating in January 2017, Turchynov fled through Ukraine’s war-torn eastern territories to Russia, a country out of reach to the US and Ukrainian authorities.
For Ieremenko, the press release indictment signaled the beginning of a rocky new stage in his hacking career. When the US indictments were announced in August 2015, some “not very good people” at Ukraine’s intelligence services, together with the hacker Turchynov, used Ieremenko’s ignorance of Ukrainian extradition law to blackmail him, according to Demedyuk. Ieremenko was told if he paid them, he would be safe from extradition, which, legally speaking, he was anyway. Turchynov, acting as the go-between, further toyed with Ieremenko by telling him the blackmail sum was twice as much. Ieremenko paid up. The pair fell out when Ieremenko discovered he had been duped.
Ieremenko’s skills were subsequently sought out by Artemy Radchenko, a slickly dressed ambitious 23-year-old with wayward connections. In October 2015, two months after Ieremenko was indicted by the US for the press releases, they set up Benjamin Capital Group, a UK-registered investment bank in Ukraine’s capital city. According to Ukraine’s cyber police chief and a source with knowledge of the project, Benjamin Capital was set up to look like a legal trading and investment firm. Radchenko attracted investors who were paying for Ieremenko’s proven technical abilities to hack inside information. They hired employees and rented servers and two floors of office space.
On employee forums, workers complained about the company’s management and salary delays. In winter 2017, Ieremenko realized Radchenko had used all the investors’ money as well as their operation’s profits to buy himself apartments abroad and luxury cars, said Demedyuk.
Radchenko continued to keep Ieremenko at the company under threat of violence. Before things began to fall apart, Ieremenko had been struck with the idea of hacking the SEC’s EDGAR filing system and was having some success in his new project, according to Demedyuk and a source familiar with the attempts. EDGAR is used by every company trading on US stock exchanges to file financial reports, which are then published online. When Ieremenko finally decided to leave, Radchenko was enraged.
“Radchenko hired thugs to beat up or, I don’t know, even kill Ieremenko. He has a vendetta. Because from what we know about Radchenko... he’s very aggressive,” said Demedyuk.
In addition to failing to pay his employees, Radchenko made the decisive mistake of not paying his own bodyguards. As the more mainstream business people had walked away from Benjamin Capital, they had been replaced by an unsavory crew, which included Ukrainian organized crime figures. The investors banded together with Radchenko’s own bodyguards and beat him up “pretty well,” according to Demedyuk. They then went after Ieremenko. Instead of punishing Ieremenko, some of the investors made him an offer to move to Russia to work for them while paying off Radchenko’s debt.
Breaches of the SEC, including of its EDGAR filing system, occurred from October 2016 to April 2017, Reuters reported, citing an unnamed source, though the SEC’s statements issued in September mentioned only a 2016 intrusion without elaborating on a timeline. The SEC says it is still investigating what happened.