A Ukrainian hacker who was held at gunpoint by a gang of cocaine-sniffing cybercriminals helped the Securities and Trade Fee blow the lid of of a high-profile breach case that had wrongly accused American day merchants, in response to a report.
Olga Kuprina, identified by her on-line persona “Ghost in the Shell,” turned a whistleblower for the federal company within the stunning cyberattack that infiltrated the SEC’s Edgar submitting system in 2016, Bloomberg Information reported on Monday.
Surrounded by cocaine, laptops and armed males, Kuprina was trapped by an area crime boss, Artem Radchenko, in her Kyiv condo and ordered to hack maybe the world’s largest repository of company filings, in response to the outlet.
Radchenko allegedly hoped to promote unpublished filings for $200,000 apiece.
However because the doped-up Radchenko barked instructions at Kuprina, she plotted her escape — determined to return to her 7-year-old daughter and expose the cybercrime, in response to Bloomberg Information.
When she demanded fee for the hack, Radchenko allegedly broke her nostril and refused to permit her to depart, in response to Bloomberg Information.
Kuprina, 34, later fled, contacted US authorities, and turned over laborious drives and handwritten notes proving how she had accessed the SEC knowledge.
“There were so many vulnerabilities there you cannot f–king imagine,” she instructed investigators. Edgar, she stated, was an outdated, patched-together system that hadn’t been correctly secured in years.
Kuprina, who had additionally hacked Citigroup, Nasdaq, Dow Jones and NASA, signed a plea take care of the feds and fled to the US in 2018, leaving her mom and daughter behind.
In 2019, the SEC wrongfully scapegoated American day merchants who have been accused of pocketing $4.1 million from insider trades linked to the huge cyberattack that breached the Edgar submitting system.
It seems these Individuals could have merely been responsible of creating sensible, fortunate bets.
“Today’s action shows the SEC’s commitment and ability to unravel these schemes and identify the perpetrators even when they operate from outside our borders,” the company’s head of enforcement stated in a press launch.
Sungjin Cho, a Los Angeles-based day dealer, was startled to search out federal brokers banging on his door earlier than daybreak. They confiscated his units, grilled him about international hackers, and accused him of profiting off stolen knowledge.
“I don’t know what we were expecting to find, but he didn’t seem like a high-rolling criminal at all,” one FBI agent instructed Bloomberg Information.
Kuprina’s cooperation with US authorities would reveal a months-long breach of the SEC’s core system — and upend the company’s narrative.
What the SEC didn’t say in its official model of occasions was that the breach of Edgar had lasted far longer than publicly acknowledged — and had been uncovered not by company sleuthing however by Kuprina.
Regardless of her central position in exposing the breach — and persevering with to obtain paperwork as late as March 2017 — Kuprina wasn’t talked about within the SEC’s grievance.
As an alternative, the fee zeroed in on Cho and his associates: David Kwon, a good friend who traded by means of Cho’s accounts, and Ivan Olefir, a Ukrainian shopper linked to Cho’s buying and selling agency.
Whereas the three made trades that aligned with earnings bulletins, investigators discovered no direct proof that they had been involved with the hackers, nor that they ever knowingly obtained stolen paperwork.
Nonetheless, the SEC charged them, citing excessive win charges on earnings trades and circumstantial connections.
The Division of Justice, which was conducting a parallel prison probe, finally declined to prosecute the merchants — a transfer that signaled doubts concerning the power of the case, Bloomberg Information reported.
Cho maintained that he and his colleagues have been merely monitoring uncommon buying and selling exercise — searching for indicators that others had inside info, then piggybacking on their bets.
“Any earnings or any market-moving announcement…there will always be some leak,” Cho instructed investigators.
“And if you could detect that movement, that’s the strategy.”
Critics say the SEC wanted a win — and selected straightforward targets. The company confronted strain to reply after being hacked itself, and relatively than give attention to the Ukrainian masterminds nonetheless at massive, it educated its firepower on merchants who have been inside attain.
Ultimately, Cho settled for $175,000 — a fraction of what the SEC claimed he made. He didn’t admit wrongdoing, however below SEC guidelines, he’s not allowed to publicly say he’s harmless both.
“I’m not allowed to say I’m innocent, but I’ll give you all the facts and people can decide for themselves,” he later stated.
In 2020, Kuprina pleaded responsible to federal fees associated to Edgar and 5 different hacks, in response to Bloomberg. She served a brief jail stint earlier than being launched as she cooperated with investigators.
A choose sentenced her to time served in 2023 in recognition of her cooperation, in response to Bloomberg.
The expert hacker now works for cybersecurity firm Recorded Future Inc. — and was reunited together with her mom and daughter, who have been flown out of war-torn Ukraine by the US authorities.
In the meantime, hackers like Radchenko are nonetheless at massive. And the SEC’s Edgar system, although up to date in components, stays weak in response to cybersecurity consultants.
The Submit has sought remark from the SEC, Kuprina, Cho and Kwon.
