Russian hackers target embargoed news releases

Russian cybercriminals are turning their attention to embargoed news releases to either drive trading activity or extort payments from the companies concerned.

In a recent article, I explored a worrying trend for cybercriminals to use insider information to blackmail organizations, with the threat that failure to pay will result either in the company's stock being shorted or in news of a breach being leaked against its will. Such attacks were first initiated by the Darkside ransomware group, but they are by no means the only cybercriminals looking to capitalize on information that isn't in the public domain in order to extract money from victims.

Research from the Rotman School at the University of Toronto reveals that between 2010 and 2015, cybercriminals managed to gain access to around 9,000 press releases from just three of the largest newswire companies. These releases were then made available to specifically chosen traders who had contracted the hackers to secure advanced information on a select group of companies.

Early access

"From 2010 to 2015, a group of Russian and Ukrainian hackers illegally breached the IT systems of several large newswire companies," the researchers explain. "The hackers accessed earnings announcements’ press releases several hours before their scheduled release to the public and sold them to a select group of traders."

This access allowed the unethical traders to trade on the stolen information a number of hours before the markets officially closed and, therefore, before the information was placed into the public domain. The researchers explain that this criminal activity was highly lucrative, with the criminals believed to have earned over $100 million before prosecutors managed to call a halt to proceedings.

“This ring of traders aggressively traded in the hours before the news was publicly released in order to exploit this private, “inside” information, which only had value for a few hours,” the authors continue.

Inside the market

Traditionally, information about insider trading is hidden, so it can be difficult to fully comprehend how it was used to move the market. The researchers, however, were able to take advantage of what they describe as a “phenomenal” resource to see what happened when news announcements were stolen ahead of their embargo date, and could then compare this with firms whose releases were not stolen in this way.

“To examine the ability of informed (retail) investors to impact price formation, we must identify one set of firms for which the informed investors have access to material non-public information and one set of firms for which they do not have access to such information,” the researchers explain. “Moreover, we must be able to both observe the news and infer how the market would react to the news. Hacked newswires and earnings announcements can plausibly be used as such a setting.”

The researchers discovered that hackers and the criminal traders they partnered with tended to prefer large companies that often have extensive analyst coverage. Shares in such firms also tend to be easier to convert into cash. The traders also targeted firms that provided both numbers-based earnings information and text-based signals as to the future health of the firm. They were especially keen to trade in firms where a notable gap existed between the current trading price and the value likely to be achieved after the release went public.


The scale of the trading alerted market authorities to the activity, however, with the trading spikes prompting liquidity providers to adjust their prices. This resulted in higher charges when stocks were sold, and lower offerings when they were bought. As such, by the time the markets reopened, after the illegal trades had taken place and with the announcement officially published, stock prices had already incorporated around 50% of the news.

This level of incorporation was something of a surprise to the researchers, who believe that their findings might also prove illustrative for honest traders who tend to follow the rules, as the findings remind us how important it is to incorporate both hard and soft signals when trying to understand how the market will respond to particular pieces of news.

They also illustrate the value inherent in getting access to information before everyone else, and the lengths that hackers will go to in order to facilitate the exchange of this information. News servers are perhaps not the first place one might look, but the study highlights just how valuable a bounty they can be.