An international web of hackers and traders was charged by U.S. authorities Tuesday with making $100 million by breaking into the computers of business newswire services, reading corporate press releases before they came out, and then trading on that information ahead of the pack on Wall Street.
Federal authorities said it was the biggest scheme of its kind ever prosecuted, and one that demonstrated yet another way in which the financial world is vulnerable to cybercrime.
Nine people in the U.S. and Ukraine were indicted on federal criminal charges, including securities fraud, computer fraud and conspiracy. And the U.S. Securities and Exchange Commission brought related civil charges against the nine plus 23 other individuals and companies.
The case "illustrates the risks posed for our global markets by today's sophisticated hackers," SEC chief Mary Jo White said. "Today's international case is unprecedented in terms of the scope of the hacking at issue, the number of traders involved, the number of securities unlawfully traded and the amount of profits generated."
The nine charged with criminal offenses include two people described as Ukrainian computer hackers and six stock traders, all but one of them in the United States. Prosecutors said the defendants made $30 million from their part of the scheme.
At the same time, the SEC brought a lawsuit that lays out a sprawling network of hackers and traders stretching from the U.S. to Russia and Ukraine, France, Malta and Cyprus, all accused of using the stolen advance information to make illegal trades.
Authorities said that starting in 2010 and continuing as recently as May, the hackers gained access to more than 150,000 news releases that were about to be issued by Marketwired of Toronto; PR Newswire in New York; and Business Wire of San Francisco. The news releases contained earnings figures and other information from a multitude of corporations. The defendants then used roughly 800 of those news releases to make trades before the information came out, exploiting a time gap ranging from hours to three days, prosecutors said.
In one day in 2013, for example, the group traded more than 75,000 shares of Panera Bread Co. stock in a little over an hour and made $900,000, authorities said.
On another occasion, according to court documents, Caterpillar Inc. provided a draft press release to PR Newswire on Jan. 25, 2012, in which it announced that after-tax profits were up 36 percent over the previous year. Using that information, traders in on the scheme bought more than $8.3 million worth of Caterpillar shares. When the news became public, they closed out their trades, making a profit of more than $1 million, according to the indictment.
Similarly, the group made more than $1.4 million trading stock in San Jose, California-based Align Technology in 2013 ahead of a press release that said annual revenue was up more than 20 percent, the indictment said.
A strong earnings report or other positive news can cause a company's stock to rise, while disappointing news can make it fall. The conspirators typically used the advance information to buy stock options, which are essentially a bet on the direction in which a stock will move, authorities said.
The hackers were paid based on how much profit the traders made, prosecutors alleged.
"This is the story of a traditional securities fraud scheme with a twist — one that employed a contemporary approach to a conventional crime," said Diego Rodriguez, head of the FBI's New York office.
Five defendants were arrested on Tuesday, and arrest warrants were issued for four in Ukraine.
Paul Fishman, U.S. attorney for New Jersey, said the case exemplified the "intersection of hacking and securities fraud" and called the defendants "relentless and patient."
At various times, the indictment alleges, the hackers were locked out of the news services' computer systems. According to Fishman, they eventually managed to get back in, often using simple "phishing," or sending bogus emails with links that, if clicked on, can eventually lead a hacker to a computer user's login and password.
The thefts show how hackers are expanding their efforts beyond typical moneymaking information such as credit card and Social Security numbers.
It's also another example of how companies are often at the mercy of those they do business with. Many major hackings have been pulled off through third-party companies that have access to sensitive information.
Business Wire said it has hired a cybersecurity firm to test its systems and make sure they are secure. Marketwired and PR Newswire did not immediately return emails seeking comment.
The most serious charges in the indictment, wire fraud and securities fraud, carry up to 20 years in prison.
The SEC lawsuit named 17 individuals living in the U.S., Russia and Ukraine, and 15 companies in Georgia, Pennsylvania, Russia, France, Cyprus and Malta. The SEC is seeking unspecified fines and restitution against the 32 defendants.
NBC News Justice Correspondent Pete Williams contributed to this report.