SEC Hack Proves Bitcoin Has Better Data Security
Gabriel Benincasa is expected to help identify and mitigate risks following 2016 breach of filings database.
SEC Names Its First Chief Risk Officer
The Securities and Exchange Commission on Thursday said Gabriel Benincasa would become the regulator’s first chief risk officer.
The role was created to strengthen risk management and cybersecurity efforts at the regulatory agency, whose public online database of filings was hacked in 2016.
SEC Chairman Jay Clayton said he planned to establish the position in a hearing at the U.S. House Financial Services Committee in October 2017, a month after the SEC disclosed the breach.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Mr. Clayton said in a written statement in 2017. “We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
Hackers exploited a software vulnerability in the system’s test filing component, which resulted in access to nonpublic information, the agency said. The SEC said the hack might have led to illicit gains from trading.
Mr. Benincasa is expected to help coordinate work to identify, monitor and mitigate key risks the agency faces, as well as serve as an adviser on enterprise risks and controls issues, the regulator said Thursday.
Mr. Benincasa previously worked in risk and compliance positions in the financial sector, including at CIT and Quad Capital, according to his LinkedIn profile.
Julie Erhardt, who had been serving in the role in an acting capacity, will return to her role as deputy chief accountant for technology and innovation in the office of the SEC’s chief accountant, the regulator said.
Updated: 6-6-2025
Ukrainian-Born Olga Kuprina Hacked SEC, Citigroup, JetBlue Airways, Nasdaq, Dow Jones And NASA!
“There were so many vulnerabilities there you cannot f—ing imagine”, says Olga.
The system that was hacked remains in place. And the Trump administration is cutting cybersecurity budgets, effectively undermining the ability of government agencies to defend themselves.
The SEC’s Electronic Data Gathering, Analysis and Retrieval system—Edgar—is both a marvel of information technology and a wheezing Frankenstein’s monster.
Created in 1993 as a way for companies to make filings online and for investors to search them, Edgar processes 3,000 new filings and millions of downloads a day, using cobbled-together code, outdated software and a row of dusty servers installed in a basement in Virginia.
Meanwhile, whenever a software patch or new functionality was needed, it was bolted on to the existing system. Edgar’s jerryrigged construction was a dream for hackers, who hunt for chinks they can exploit. Sure enough, in October 2016, the SEC’s IT department noticed IP addresses from eastern Europe in parts of the system that should have been off-limits.
The team quickly identified a software vulnerability and patched it up. The question then was whether to disclose it. The SEC’s own rules require companies to announce any “material” cybersecurity incident, but IT managers hadn’t found any evidence that nonpublic information had been accessed. So the agency didn’t go public.
Between 2010 and 2014, Russian-speaking cybercriminals had infiltrated three US newswires—Business Wire, PR Newswire and Marketwired—and stolen thousands of unpublished earnings reports and press releases, which they disseminated to traders for 40% of any profits.
It was the most egregious example yet of a new criminal enterprise dubbed “hack-to-trade.” The ring made more than $100 million before it was busted by the DOJ, SEC and US Secret Service.
When a notorious gang of Ukrainian cybercriminals hit a crucial database, the regulator quickly downplayed the breach. One of the hackers says the system is still a soft target.
Chapter 1: Redemption
For the US Securities and Exchange Commission, Jan. 15, 2019, was a day of redemption. The agency filed one of its highest-profile enforcement cases in years, capping the work of two dozen staff across five divisions.
The case, recounted in a 43-page complaint, read like an airport potboiler: Ukrainian cybercriminals had infiltrated a vast computer network containing soon-to-be-published earnings reports for some of America’s biggest companies, then sold the information to a shadowy web of traders.
As well as being one of the investigating authorities, the SEC was the victim. Hackers had found a way into the agency’s Edgar database, perhaps the world’s biggest repository of corporate filings.
These cybercriminals were already wanted by the SEC for prior offenses. They were like fugitives robbing the police evidence room while the precinct was out looking for them.
The breach, disclosed by the agency 16 months earlier, had been a nightmare for the SEC. It’s the SEC, after all, that punishes companies for lapses in cybersecurity. “The SEC’s Cyber Embarrassment,” ran an op-ed in the Wall Street Journal.
Senators grilled Jay Clayton, the agency’s then-chairman, about what had happened and whether the SEC could be trusted with sensitive financial data.
An SEC press release accompanying the civil complaint offered some reassurance. The hack’s take was a few million dollars. The flaw that allowed it to happen had been quickly patched. While the traders took “multiple steps to conceal their fraud,” the SEC’s “sophisticated analysis” cracked the case open.
“Today’s action shows the SEC’s commitment and ability to unravel these schemes and identify the perpetrators even when they operate from outside our borders,” the agency’s head of enforcement said.
Both the SEC and the Department of Justice charged the hackers in absentia with securities and wire fraud. The SEC also charged seven traders, including two Americans, with participating in the conspiracy, describing the evidence against them as “overwhelming.”
That’s the official SEC version of events. But, when someone involved suggested I take another look, I set about trying to find out exactly what happened, and whether it could happen again.
I interviewed people from the DOJ, Secret Service, SEC and the Cyber Police of Ukraine; talked to defendants under gag orders; and reviewed evidence seized during raids.
What I uncovered challenges the very foundation of the SEC’s case and signals danger ahead. After being easily breached, the SEC expended investigative resources on low-level scapegoats who were hardly criminal masterminds, if they were financial criminals at all.
Meanwhile, the most culpable, and dangerous, players remain at large.
At the center of the story is a figure largely airbrushed from the official account.
Chapter 2: The Hack
In a run-down apartment building outside the Ukrainian city of Cherkasy, Olga Kuprina, an elite hacker known as the Ghost in the Shell, sat before three laptops. It was Dec. 22, 2016, a clear, frigid night along the Dnieper River, but Kuprina, 34, hadn’t been outside in weeks.
She was being held captive by a gangster named Artem Radchenko, who, between lines of cocaine, barked at her to keep working, she would later tell authorities and me. In another room, a second hacker typed frantically. Henchmen with handguns stood guard.
Radchenko, who was 26 and favored designer tracksuits by day and crocodile-skin shoes at night, had recruited Kuprina two months earlier to break into the SEC and find unpublished filings. He expected to sell them for $200,000 or more apiece, and he offered her half the take.
When Kuprina asked for her cut, she says, he broke her nose and refused to let her go. (Radchenko declined to answer questions from Bloomberg Businessweek.)
Now, three days before Christmas, Kuprina worked through the night, gathering documents and transferring them onto a thumb drive. At 5 a.m., Radchenko departed with the haul, in time for a new day’s trading.
After he left, Kuprina told me, she furtively copied the files into a folder of her own. Then she crashed on a mattress on the floor and thought about how she was going to get back to her 7-year-old daughter.
By 2016, there was consensus that the system needed to be replaced, a plan referred to internally as the Big Bang. “The challenge was how do you make this massive change when we’re flying a jumbo jet across the sky that can’t stop without disrupting the markets,” recalls Rick Heroux, the SEC official who was responsible for the planned modernization. “There was always a reason to put it off.”
Chapter 3: Revelation
Elsewhere at the SEC’s Washington headquarters, a huge glass structure designed to represent the agency’s ethos of transparency, surveillance specialists were monitoring markets for signs of insider trading.
Members of the Market Abuse Unit had noticed brokerage accounts in Russia, Ukraine and the US placing prescient bets in the hours and days before companies published earnings.
In early 2017 the head of the unit contacted one of the cyberprosecutors at the US attorney’s office in New Jersey and told him: It’s happening again.
Some US-based members, including a Baptist pastor, were arrested. But with no extradition treaty between the US and Ukraine, the lead hacker, a heavyset, baby-faced 25-year-old named Oleksandr Ieremenko, aka Lamarez (an ironic riff on “lame”), remained at large, cruising around Kyiv in an orange Lamborghini Huracán. And now, based on what investigators were observing, it looked like he was back in action.
The Secret Service contacted the newswires, but they insisted they hadn’t been hacked again. Then where, the authorities wondered, are they getting the information?
Kuprina was released in April 2017 after members of Radchenko’s entourage persuaded him to let her go. Before leaving, Kuprina stashed in her bag a red and blue notepad with a picture of the Statue of Liberty on the front, along with a handful of thumb drives.
One of Radchenko’s bodyguards drove, and Kuprina spent the three hours back to Kyiv, through miles of snow-dusted woodland, terrified she would be taken out and shot. Instead, she was dumped on the city’s outskirts at dawn.
When she made it to her apartment, she hugged her mother, crept into bed with her daughter and passed out.
In the days that followed, Kuprina’s fear morphed into anger. She typed a Skype message to Rich LaTulip, a Secret Service cybercrime specialist who had been trailing her for so long they were practically friends. Somebody has been hacking the SEC, she told LaTulip, and she had proof.
The SEC has invested heavily in data analysis tools to detect improbably successful trading. At this effort’s heart is a system called Artemis, a nod to the Greek goddess of the hunt, which parses trading records and account-holder data for signs of suspicious activity.
As investigators looked for potential recipients of inside information, they landed on Sungjin Cho and David Kwon, a pair of party-loving day traders who lived a couple of miles from each other in Koreatown, Los Angeles.
Over four months in 2016, Cho (who was 36 and also owned an apartment in Bangkok) had traded ahead of earnings more than a hundred times, making $1.2 million.
Kwon had made in excess of $400,000. Their buying and selling lined up closely with that of a Ukrainian named Ivan Olefir, who along with two friends earned more than $800,000.
The investigators found Cho and Olefir had also enjoyed a hot streak between 2012 and 2014, trading in many of the companies whose filings were stolen by Ieremenko during the newswires hacks.
Cho co-owned CY Group, a small trading firm in LA that provided capital and cheap access to US exchanges to independent traders around the world, including Olefir and several others in Kyiv. The firm was already under investigation by another SEC unit for acting as a broker without a license.
In May 2017, at the Hyatt Regency in Kyiv, Kuprina met with LaTulip, some other Secret Service agents and a member of Ukraine’s cyberpolice. In broken English, she told the story of the Edgar hack.
After Ieremenko’s newswires ring was broken, he’d joined with Radchenko, a wealthy farmer’s son he knew from Kyiv’s nightlife. Radchenko had big ambitions but limited technical skills. “He’s a script kiddie,” Kuprina scoffed.
According to Kuprina, the pair concocted a plan for Ieremenko to hack the mother lode, the SEC itself, and for Radchenko to monetize it via his connections in Russian and Ukrainian politics and organized crime.
They rented an office in Kyiv and registered a firm in the UK with the legitimate-sounding name Benjamin Capital to attract outside investors.
Ieremenko discovered an area of Edgar where companies could upload test filings to check for formatting errors ahead of publication. Some used fake figures, but many didn’t. Soon Ieremenko was downloading hundreds of test filings a week.
Radchenko sold the filings and splurged on bottle service and a Bentley. By the time the SEC patched up the vulnerability in October 2016, the pair had fallen out.
At that point, Radchenko recruited Kuprina. In less than two weeks, she broke into Edgar, she told the agents. She hijacked authorized users’ temporary access to the network. She launched phishing attacks, sending emails with infected links to administrators that appeared to come from their SEC colleagues.
She located a flaw in the webpage for making complaints. She found a log listing headlines for unpublished filings. “There were so many vulnerabilities there you cannot f—ing imagine,” she told me. Between October 2016 and March 2017, Kuprina downloaded dozens more documents containing material nonpublic information.
After the meeting, LaTulip relayed what he’d heard to the DOJ, which passed it along to the SEC. But, according to sources who worked on the investigations, attorneys at the SEC’s enforcement division struggled to believe the agency was a target: The SEC scrupulously avoids retaining price-sensitive information, they insisted.
A week later, DOJ prosecutors flew to Kyiv to question Kuprina themselves. This time Kuprina brought her red-and-blue notepad and thumb drives. They revealed not just what filings she’d obtained and how, but also what Ieremenko had been up to before she got involved.
It took the SEC’s IT staff four months to corroborate Kuprina’s account. “We kept going back to them and saying, ‘You need to look again,’” one prosecutor recalls.
When they finally found the hackers’ fingerprints, the truth was inescapable: The source for the suspicious trading the SEC had been tracking for months was the SEC itself.
Jay Clayton had been in the SEC’s top job for only three months when he was briefed on the information coming out of Kyiv. Instead of sitting on it while prosecutors built a case, Clayton, a polished attorney from the law firm Sullivan & Cromwell, was adamant the agency come clean.
“I’m like, ‘Look, guys, let’s look where we sit in the ecosystem, we’re in the disclosure business, this is an issue that all companies are facing, we need to do this in the same way that any well-run organization would,’” he told me.
On Sept. 26, 2017, Clayton appeared before the Senate Banking Committee to answer why the SEC had failed to protect Edgar and hadn’t disclosed the breach a year earlier. None of that was Clayton’s fault, the lawmakers conceded, but it was down to him to find the culprits.
“This is a big deal,” said Jon Tester, a Democratic senator from Montana at the time. The SEC didn’t disclose exactly how it learned about the hack, so no one thought to ask what would have happened if Kuprina hadn’t blown the whistle.
Chapter 4: Investigation
On Nov. 28, 2018, Kuprina boarded a plane at Boryspil International Airport outside Kyiv with LaTulip and one of his Secret Service colleagues. That morning, she’d said goodbye to her mother and daughter, unsure when she would see them again.
After Kuprina had come forward the previous year, the Justice Department offered her a deal: Come to America, confess, help us investigate cybercrime, and we’ll do all we can to limit your sentence and help you build a new life.
Having few options, Kuprina had agreed. During meetings with government officials at the US Embassy in Kyiv, she’d recounted her criminal career.
Born in Kyiv in 1982, Kuprina was the daughter of scientists and the niece of a KGB general. The Soviet Union’s collapse thrust the family into poverty. Kuprina took apart electronic devices on the kitchen table, read dense manuals cover to cover and tinkered on pre-internet messaging boards, where she was introduced to hacking.
She started stealing credit card data and selling it on forums, choosing the moniker the Ghost in the Shell (a cyberpunk manga and anime), because she avoided leaving a trace. One of her favorite movies was 1995’s Hackers. She identified with the Angelina Jolie character, a glamorous, self-possessed woman in a world of socially inept, impulsive men.
In 2007, after obtaining a double master’s degree in computer science and IT engineering, Kuprina married a fellow hacker. Not long after, she became pregnant. Elite cybercrime is often a cooperative enterprise, and between 2007 and 2017, Kuprina played a role in a number of headline-grabbing hacks: Citigroup, JetBlue Airways, Nasdaq, Dow Jones, Business Wire. Even NASA.
She took up rally car driving and bought a riverside apartment. Sometimes she let her daughter skip elementary school to keep her company when she drove to meet contacts, techno music blaring.
But what started as a thrilling and lucrative adventure had grown increasingly dark. Her husband left. And she lost access to her technology and passwords in a raid, forcing her to work day and night while her mother provided child care.
Boarding the plane, Kuprina was a divorced mother with a drinking problem and dangerous enemies.
After touching down in the US, Kuprina was booked into a jail in Newark, New Jersey, and given orange overalls. In the weeks that followed, prosecutors pressed her on Edgar’s vulnerabilities, how she’d established wormholes and why she believed other hackers had been inside before her or Ieremenko.
After Clayton’s Senate hearing, the SEC’s Office of Inspector General started interviewing staff. Its focus was less on the details of the cyberheist and more on why the vault door was so flimsy—and why nobody had said anything when they saw it had been jimmied.
Those who read the OIG report describe it as highly critical, but the document was never published, because it contained sensitive information about the SEC’s cybersecurity. (The SEC denied my requests for even a redacted copy. It also declined to make anyone available for interviews about the hack or the Edgar system.)
Instead, on Sept. 21, 2018, the OIG put out a bland, one-page summary saying “the Edgar system lacked adequate governance” and the agency’s “incident handling process” needed improving. The release barely made a ripple in the media. Ditto the departures, in the weeks that followed, of the agency’s chief information officer and senior cybersecurity adviser.
After disclosing the breach, the SEC asked Congress for additional funds to improve its cybersecurity. However, rather than replacing Edgar, the director of the newly formed Edgar Business Office wanted to shore up the existing system.
It was a remarkable about-face: Since 2014 the SEC had paid two contractors $10.6 million to design a new network that would be easier to use, less prone to outages and, most important, safer from intruders. Now, Big Bang was shelved.
The decision enraged Heroux, the SEC official overseeing the overhaul. In October 2018 he told the agency he was leaving. In a scathing letter seen by Businessweek, he described Edgar as “old and brittle” and liable to collapse. “The SEC is engaged in an extremely important footrace to stave off disaster,” he wrote.
During the newswires investigation, authorities found extensive evidence linking the hackers to the traders, including emails and financial records. A participant also flipped and was prepared to testify in court.
The Edgar case proved harder going. After obtaining warrants for the hackers’ emails and iCloud accounts, the DOJ compiled a list of suspects it believed had received the stolen earnings reports.
Separately, after tapping Radchenko’s phone, Ukraine’s cyberpolice identified six businessmen in Russia and Ukraine who were buying the filings.
In transcripts described to me, Ieremenko and Radchenko complain about their customers making tens of millions of dollars while they got a few hundred thousand.
But the authorities couldn’t find proof of this illicit trading. According to informants, the buyers had learned to avoid US markets, trading derivatives via foreign brokers.
There were two exceptions, known associates of Radchenko’s who made $1.4 million almost entirely from trading hacked companies in US markets, then cashed out. But, given the lack of extradition treaties with Ukraine and Russia, it was unlikely this pair would be brought to account.
Then there were Cho, Kwon and Olefir, the day traders picked up by the SEC’s surveillance system. These men regularly placed trades between the time a company’s filing was stolen and when its earnings were released. And their win rate was far beyond what might be expected from educated guesses.
A preliminary search of the trio’s communications produced little that linked them to the hack. There was one 2016 email from Cho to a friend in Thailand whose $5,000 account he was managing.
“Any outside account … has to pay a cut to the coding team,” Cho wrote, adding that the fee was 45%. Maybe “coding team” was a reference to the hackers, who’d demanded 40% of any profits during the newswires phase?
The investigators also found a tantalizing 2010 exchange between Ieremenko and a young Ukrainian entrepreneur, whom the SEC dubbed Individual 4. He was part of Olefir’s circle and had an account with Cho’s firm during the newswires hack.
The emails were unrelated—the entrepreneur was looking for a developer for a crypto project—and predated the hacks, but they hinted at a connection.
Armed with the trading data and emails, the SEC felt confident enough to start writing a complaint against Ieremenko, whose digital fingerprints it had found inside Edgar, and half a dozen or so traders.
There was pressure inside the agency to land the case. And besides, who knew what the authorities would find once they managed to crack into the traders’ phones? Or searched their homes? Maybe they’d get a witness to talk.
The DOJ, which was running a parallel investigation, was more circumspect. Criminal authorities, who have the power to jail people, must meet a higher burden of proof than civil bodies like the SEC, and, beyond the trading records, nothing concrete connected the traders to the crime.
Unlike Radchenko’s two friends, who’d bet big then gotten out, Cho’s group had neither cashed out nor disguised their activity; they’d traded in US brokerage accounts in their own names and, in Cho’s case, in the name of his mother.
Prosecutors started working up an indictment focused solely on Ieremenko and Radchenko. They would conduct a raid of the traders and add them to the indictment depending on what they found.
Chapter 5: Raid
Cho was awoken at 4:30 a.m. on Jan. 8, 2019, by banging from the patio of his newly pimped-out townhouse in downtown LA. After stumbling down the staircase in his boxer shorts, he was shocked to find armed FBI and Secret Service agents waiting outside the glass doors.
Open the f—ing doors, one mouthed.
Cho did as ordered and a dozen agents burst inside, he recounted to me later. They handcuffed him and a woman he’d been dating for three weeks, leading her to the karaoke room in the basement. An agent in an FBI windbreaker demanded Cho’s mobile phone.
Then he handed him a warrant and started firing questions: Where is the HP laptop you used between 2012 and 2014? Where are your MacBooks? How many phones do you have?
The agents set up a trestle table, on which a forensics expert began going through Cho’s devices.
What’s your password? the expert asked.
The number 1, Cho recalls replying.
Can you spell that? asked the expert, looking confused.
Literally the number 1, Cho said.
By now, Cho was shivering and asked if he could put on some pants. An hour or so later, an agent led him upstairs to a neon-lit bedroom where a safe was fitted into a wall. What’s the code? the agent demanded. Cho stalled, reluctant to give it up.
Do we need to drill it? the agent asked. Cho acquiesced and tapped in the digits. Inside was some ecstasy and a giant bag of magic mushrooms.
I’m having a housewarming party tonight! he said.
The agent was stone-faced. We’re not here for that, he said. Are you a trader? Yes, I have a trading firm, Cho replied. Do you know Oleksandr Ieremenko? No, Cho said. What about Artem Radchenko? Cho said no.
Ivan Olefir? He’s my partner in Ukraine, Cho said. Why? Have you ever traded based on hacked information? Never, Cho said.
“I don’t know what we were expecting to find, but he didn’t seem like a high-rolling criminal at all,” remembers one agent on the search. “He was this goofy young guy freaking out that we’d found his stash.”
Two miles away, David Kwon shivered in the corridor outside his own apartment while FBI agents turned the place upside down. After they left, he cursed the day he met Cho. Within a fortnight, both their names would be plastered over CNBC and the New York Times.
Later that month, the SEC filed its detailed, 43-page complaint. However, it told only part of the story. For one thing, Kuprina had been erased.
Anyone reading the document and accompanying press release would have concluded that the attack on Edgar had lasted only from May to October 2016 and been carried out by Ieremenko alone.
After October 2016, the complaint said, “other people” made “other efforts,” but those efforts did not appear to have been successful.
Yet, according to more than half a dozen investigators from the DOJ, the Secret Service and the Cyber Police of Ukraine, as well as Kuprina herself, Kuprina had downloaded valuable documents for an additional six months, up until March 2017.
The evidence, they say, is in her notepad and thumb drives. The SEC, which filed charges before talking to Kuprina, declined to comment on this discrepancy.
Beyond that, the SEC’s complaint failed to reflect the enterprise’s true scale, making no allusion to the eastern European businessmen who were Radchenko’s principal customers. Instead, the SEC focused on Cho, Kwon, Olefir and a handful of other mostly small-time players.
This group made a modest $3.6 million. That’s a fraction of the tens of millions the criminal authorities in the US and Ukraine understand to be the real take, based on the hackers’ communications and phone conversations.
The SEC’s presentation of the facts spared it some embarrassment. To this day, the truth about almost every aspect of the Edgar hack, from the size of the ill-gotten gains, to how long it lasted, to the identity of all the perpetrators, to Kuprina’s role in blowing the whistle, has never been disclosed.
The SEC’s narrow version placed Cho in the conspiracy’s center. That email he wrote to his Thai friend, asking for commission to pay coders? The SEC called that a reference “to compensation to Ieremenko and others working with him.”
Under “web of connections,” the SEC’s complaint depicted Olefir’s associate, Individual 4, as the conduit between the hackers and traders, referencing, but not quoting, the crypto email he’d sent Ieremenko in 2010.
The SEC’s case was light, but the agency was optimistic that laptops and other items seized in the raids, once analyzed, would yield more.
Chapter 6: Holes
On an overcast Wednesday in April 2019, Cho and his lawyer, an ex-SEC prosecutor named Sean Prosser, touched down in New Jersey ahead of a meeting with the Justice Department. For Cho, the past few weeks had been stressful. Friends doubted him.
Business associates steered clear. His father, a finance professor who advised Korea’s equivalent of the SEC, refused to pick up the phone.
After dinner that night, Prosser told Cho to stop drinking and get an early night. Even if I had the worst hangover in history, my story wouldn’t change, because it’s the truth, Cho replied. Please don’t be hungover, Prosser said.
At the FBI’s Newark field office the next morning, Cho and his lawyer sat at a boardroom table facing representatives from the DOJ and the SEC. This was a proffer meeting, which wouldn’t be recorded and couldn’t be used as evidence in court.
But if Cho lied he could be charged with a felony. Conscious of Cho’s tendency to ramble, Prosser told him to stop talking if he felt a tap on the leg.
Cho told the group that the case against him was a mistake, with a straightforward explanation, according to multiple attendees. For years, Cho said, he and Olefir’s group had been monitoring companies about to publish earnings for buying and selling that might indicate someone had inside information.
They purchased obscure data feeds, tracked dark pools and developed an algorithm to identify when participants were trying to build positions unnoticed. Seeing suspicious trading, they would piggyback, adjusting their bets according to how confident they felt.
So it was no surprise their activity sometimes aligned with the hacks—that was their strategy. In messages, they referred to insider traders, whose identities Cho swore they never knew, with the catchall moniker “the super fund.”
Cho and Olefir had become acquainted in 2007, when the Ukrainian and his friends signed up as CY Group clients. Unlike most retail traders, Olefir, an introverted policeman’s son with a science Ph.D., proved consistently profitable.
In 2009, Cho visited Olefir and his team in Kyiv and ended up staying a month. When Cho bought his pad in Bangkok, Olefir came for a vacation.
Cho backed Olefir with steadily more money in exchange for a cut of his winnings, then gave him access to his friends’ accounts to trade. (To his friends, Cho claimed to be the one doing the trading, with input from a team of “coders” in Ukraine.) The two took to calling each other tovarich, Russian for comrade.
When prosecutors pressed Cho on what he really knew about Olefir’s strategy, Cho acknowledged that, after the SEC’s complaint, he’d been suspicious. Olefir lived in the same city as the hackers. He made most of the trading decisions.
But Cho said he’d cast his doubts aside when he remembered how cautious Olefir was, almost always hedging his positions and rarely staking more than a few tens of thousands of dollars despite having millions in buying power. Was that the behavior, Cho asked, of a man in receipt of a near-sure thing?
To prove this wasn’t some after-the-fact excuse, Cho produced a 2013 email from Olefir to their broker, who wanted to know how they’d gotten half a dozen picks in a row right.
Our “strategy is based on getting into earnings after a hedge fund or market mover gets into very big bets one direction that is unusual,” Olefir wrote in the message seen by Businessweek.
Among other things, they looked at “spikes in put or call volumes,” an acceleration of buying or selling, and whether a stock had a history of predictive trading.
Then there was the SEC’s investigation of CY Group, from 2015 to 2017, for collecting commissions without a license, which resulted in a $35,000 penalty. The firm had been forced to hand over reams of documents, including trading records.
Cho recalls telling the assembled investigators: What kind of moron would knowingly insider trade, in their own name, when the SEC was crawling all over it? My balls aren’t that big!
On Cho’s devices and cloud services, authorities did find evidence.
Of recreational drug purchases. Of trading in other people’s brokerage accounts. Of money transfers tagged to projects that didn’t exist. Cho had even forged a Social Security card for a girlfriend and saved the template on his hard drive.
What authorities didn’t find, in Cho’s voluminous instant-chat conversations or anywhere else, was evidence linking him to the serious crime they were investigating. There were no earnings reports. And nothing suggesting he knew or had been in contact with the hackers in the Edgar or newswires cases.
On top of that, Ukrainian and US cyberpolice, who had been monitoring Ieremenko, Radchenko and Kuprina for years, had never heard of Cho, Olefir or their friends. If Cho really was a member of an insider trading ring, he’d managed to leave no trace.
On April 19, the day after the meeting in Newark, the DOJ notified Prosser that it wouldn’t be pursuing an investigation against Cho. It also sent the lawyer an email, seen by Businessweek, saying it was withdrawing its subpoena for Cho to appear before the grand jury in its ongoing case against Ieremenko and Radchenko.
Cho, the DOJ concluded, had no more useful information to offer.
Chapter 7: Conviction
Any hope Cho and his friends had that the SEC would make a similar decision was soon extinguished. In January 2020, an SEC economist, Thomas Dunn, filed a declaration containing statistical analysis underpinning the agency’s case. It made for perplexing reading.
Dunn calculated there was up to a “1-in-1 trillion” chance that the men had randomly alighted on so many companies whose filings were stolen. But earlier, in Newark, Cho had told authorities, including an SEC representative, that his group wasn’t picking targets at random: They deliberately tried to identify leaky companies.
A section of Dunn’s report was devoted to proving that Cho, Kwon, Olefir and Olefir’s friends often traded in unison. But the traders, all part of the same small firm, freely admitted as much.
The analysis would have been more damning if it demonstrated their activity mirrored that of Radchenko’s two friends, who the traders insisted they didn’t know. The SEC was highlighting information that aligned with the defense’s version of events and presenting it as a smoking gun.
Between May and October 2016, Cho had traded 66 times in hacked companies in his own account, according to Dunn’s analysis. His win rate was 89%, and he made around $650,000.
Over the same period, Kwon placed 18 trades and was right 78% of the time, while Olefir placed 95 trades and had a 70% win rate. An entity Cho and Olefir shared called Capyield Systems Ltd. enjoyed a similar rate of success.
Dunn produced another table showing the men’s performance when trading companies that hadn’t been breached. Of the 150 such trades Cho placed, only 39% were profitable, and he lost $18,000. Olefir’s win rate was about the same and he also lost money. Kwon came out just ahead after 63 trades, and was right about half the time.
The SEC’s argument was that the traders made money only on hacked companies, ergo they must be cheating. But why trade blindly at all if you have access to inside information, their lawyers asked. Why place three times as many trades on the earnings of companies in which they had zero advantage?
If it was an attempt at misdirection, traders in the newswires case weren’t recorded as having done anything similar.
Neither were Radchenko’s two friends (who, unlike Olefir, had simply ghosted the SEC). And if the CY Group traders’ strategy really was to identify and piggyback insider trading, as they claimed, wouldn’t their returns look something like they did—blowouts when they’d correctly found nefarious activity and somewhere around break-even when the signals turned out to be phantoms?
The SEC’s reliance on statistics was especially significant because, a year after filing charges, it hadn’t found any fresh evidence to bolster its case.
It was also strangely coy about a central piece of evidence—the email sent to Ieremenko by Individual 4. Cho’s lawyer threatened to complain to the judge because the SEC had failed to hand it over.
The SEC also denied me a copy of the email. In 2024, I tracked down Individual 4 in northern Europe. He agreed to answer questions via a messaging app on condition he remain anonymous. Individual 4 said he’d sent “one or two messages” to Ieremenko when he was trying to get a crypto project off the ground.
“For me he was a programmer, just like any other one. I never had any business with him.” Individual 4 described the suggestion that he and Olefir were part of an insider trading ring as “bullshit.” He added that he’d never been interviewed by the SEC or any other US authorities.
When Cho finally sat down with the SEC for a videotaped deposition in February 2020, in a short-sleeved shirt, his hair buzzed on the sides and messy on top, he was feeling confident. Representing the SEC was Christopher Bruckmann, a trial attorney with a goatee and dark suit.
Bruckmann asked Cho about his reaction to reading the complaint. “It was shocking to me,” Cho said. “I have no idea who these hackers are. … In my mind, I was like, ‘You guys can look at any computer, anything you want, please. This is a big mix-up.’”
Asked to explain his approach to trading earnings, Cho replied: “Any earnings or any market-moving announcement, there will always be some leak. And if you could detect that movement, that’s the strategy.” He was vague on the specifics, saying Olefir usually monitored the feeds and made the calls. “I’m not much of a technician,” Cho said.
Before he became a trader, Cho studied computer science at Carnegie Mellon University. “That’s a tough major,” Bruckmann remarked.
“I had smart lab partners,” Cho replied, breaking into a smile. “I kind of winged it … to keep my parents happy.”
“You say you winged it, you had smart lab partners. Did you cheat?” asked Bruckmann.
“I might have cheated a bit,” said Cho, now grinning.
Cho’s real skill seemed to be harnessing other people’s talent. That became clear when he explained how he’d made most of his money during the period when Edgar had been hacked.
Cho was frustrated that Olefir was placing such small bets in their joint trading account.
But Cho’s buddy Kwon had a separate account. So Cho instructed Kwon to place trades that mirrored Olefir’s, without telling Kwon they were piggybacking on the Ukrainian.
It was this act, in the summer of 2016, that had dragged Kwon into the case. The revelation came as a shock to Olefir, Cho’s tovarich, who was watching the deposition via Zoom.
In September 2020, Kuprina entered the SEC’s headquarters in Washington for the first time. The previous month she’d pleaded guilty to DOJ charges relating to Edgar and five other hacks. Her case was kept under seal and her sentencing put on hold while she continued cooperating with the government.
She’d been irritated to learn that the catalogue of her greatest hits would stay secret, depriving her of props in the hacking community, but she understood why it was necessary.
She’d been consistently underestimated by men, Kuprina would tell me later. She remembers looking for a teacher when she was young. “This one guy, prominent, said, ‘You’ll never be a hacker.’ That pissed me off.” She credits her success to family—“I was raised in a family of spies”—and to necessity.
Opportunities were scarce, and hacking, in Ukraine at the time, wasn’t really thought of as criminal, she says. It was respected. She credits her drive and her range. Growing up, she excelled at math, but she also had art school.
She played piano. She wrote songs. Hacking is itself an art, she once told her mom. It’s abstract thinking, creative thinking, putting the puzzle together.
The trip to the capital was a reprieve for Kuprina, whose life had become a kind of suburban purgatory in New Jersey. After leaving jail, she was holed up in a Candlewood Suites long-stay hotel, where she had no phone, no internet and a 7 p.m. curfew. Every few days, a Secret Service agent would drive her to a Wegmans cafe, where they would talk for hours about her exploits.
Other than that, she did yoga in the space by the door; drew dragons; read books about social engineering; and watched 90 Day Fiancé or Dr. Phil with the subtitles on to improve her English. Sometimes she missed her daughter and mother so much she couldn’t get out of bed.
In an SEC meeting room, Kuprina recalls, prosecutors pressed her on the defendants in their complaint. Having her testify to knowing Cho, Olefir and the rest would be invaluable. Radchenko had tried to keep the hacking and trading sides separate, she told them.
Even so, she had come across some of the uncharged businessmen on the DOJ’s list. But she insisted she didn’t know the day traders the SEC had identified. She’d never even heard their names.
David Kwon first got to know Cho in 2015 at a party in a mansion in Beverly Hills. Kwon liked trading stocks, but he’d taken some hits, accumulating millions in losses, meaning any profits from future trades would effectively be tax-free. One night, Cho suggested they use one of Kwon’s old accounts to trade together.
Not long after, in August 2016, Kwon received a call from Cho telling him to stop whatever he was doing and buy options in FireEye Inc., an American cybersecurity company that was about to publish its earnings.
Over the next two months, Cho called him a dozen or so more times, always at the end of the US trading day. When the calls dried up, Kwon didn’t give it much thought until the FBI broke down his door with a battering ram.
Convinced he was going to prison, Kwon spiraled into heavy drinking and depression. During one meeting with the SEC, he was given dispensation to take Xanax for stress.
Then the agency offered a lifeline: If Kwon signed a declaration implicating Cho, paid back $165,000 in trading profits (less than half his alleged gains) and agreed to testify against his friend at trial, he could avoid a fine and carry on trading.
On his lawyers’ advice, Kwon agreed to the SEC’s deal despite his insistence that he had no knowledge of the conspiracy at hand.
Kwon’s declaration, filed on March 11, 2020, attacked Cho’s character. Cho borrowed Kwon’s belongings without asking, it said, and lived in Kwon’s home rent-free while renovations on his place dragged on for months.
Cho had sometimes used Kwon’s bank accounts to make client transfers, stating it was because his lender, FBME Bank, was shut down. Now, Kwon wrote, he’d “come to believe” the transactions were related to the hack-to-trade scheme.
Beyond the innuendo, however, the declaration largely chimed with Cho’s testimony. Kwon wrote that Cho said he’d “discovered a super fund” which had been inactive for several years and traded infrequently but successfully. “Cho stated that he did not know the identity of the super fund,” Kwon wrote.
In truth, Kwon had never suspected his friend of being part of an insider trading ring until after they were both charged, he later told me. But if the government said Cho was working with Ukrainian hackers, who was he to argue?
On April 9, the SEC announced Kwon’s settlement. (One of Olefir’s friends, who was accused of making $58,000, settled at the same time. He declined to be interviewed.) Kwon used the money in his and Cho’s trading account to pay his lawyers and the SEC.
Chapter 8: Settlement
Of the roughly 700 cases the SEC brings each year, about 98% end in settlement. This reflects the power dynamics and incentives baked into the system. The government is keen to avoid the expense and uncertainty of going to trial; prosecutors are motivated to clear cases; and for most individual defendants, mounting a strong legal defense is prohibitively expensive.
Settlements minimize cost, risk and disruption for both sides. They can also save the SEC the indignity of having to admit when it’s wrong.
By the fall of 2020, Cho had run out of money. His business had ground to a halt and his girlfriend was pregnant. To help pay legal fees, Cho had put his LA townhouse on the market, the karaoke room barely used. Going to trial, Prosser told him, would cost at least a million dollars more.
Prosser had tried to persuade the SEC to drop the case, but the agency was steadfast. Unable to connect Cho’s group with the hackers, it had pivoted to a legal theory called “scheme liability,” which essentially says a defendant should have known there was some kind of deception going on.
On Sept. 21, Prosser wrote to the regulator: “In a nutshell, discovery has demonstrated that the actual facts specific to Mr. Cho’s culpability are very different from … what the Staff alleged in its original Complaint.”
After almost two years, the government had failed to produce “any evidence showing that Mr. Cho knew about the Edgar hack at any point … or ever received even a single piece of material non-public information from the hack (even indirectly).”
Prosser proposed a token settlement of $150,000, a fraction of the $1.2 million the SEC alleged Cho made, and nowhere near the $4 million it had hoped to get with penalties. Within a week, the agency came back with a counteroffer of $200,000.
“Why don’t someone offer me some f—ing Vaseline so I can get f—ed more,” Cho wrote to his lawyer, indignant he had to pay anything at all. When the agency proposed $175,000, Cho reluctantly agreed.
The outcome, Prosser consoled him in an email, would “give you a way to explain to others that, despite allegations that you profited a million dollars, the SEC agreed to settle for a penalty of just one-fifth of that.”
Like almost everyone who settles with the SEC, Cho signed an order stating he could “neither admit nor deny” the charges. He was also prohibited from saying anything that might suggest the SEC’s complaint was inaccurate.
Introduced in 1972 to stop defendants from settling and then proclaiming their innocence, the SEC’s so-called gag orders have attracted controversy. Some critics say they allow corporations to avoid owning up to misconduct. Others call them an affront to transparency and free speech.
Last year the SEC denied a petition to limit their usage, with the outgoing chairman defending them as an essential tool.
Hester Peirce, a Republican commissioner, published a dissenting opinion, writing, “Freedom to speak against the government and government officials is essential in a free society committed to the preeminence of the people.”
In November 2020, the gag order silenced Cho as the SEC trumpeted its latest win in the Edgar case.
Chapter 9: Aftermath
By the time I connected with Cho in late 2023, he was living in an apartment in Seoul with his girlfriend and their baby. He was glad to be closer to his mother, who’d forgiven him for dragging her into the case by trading in her account. His father still wasn’t speaking to him.
The case had affected Cho’s business, relationships, finances and health. He agreed to share his story despite concerns that the government could go after him for breaching the gag order.
“I’m not allowed to say I’m innocent, but I’ll give you all the facts and people can decide for themselves,” he says.
Prosser, his lawyer, is more forthright. “Unlike the DOJ, I’ve found the SEC often refuses to close investigations or withdraw filed litigation when they cannot develop facts to support their original theory,” he says.
“They’ll insist on a settlement because of internal pressures, or when they know the individual lacks the resources to go to trial. That’s not a proper way for an agency to operate.”
Cho still talks to Olefir, who also settled, agreeing to a fine of $250,000 compared with the $800,000 the SEC alleged he made. During discovery, the agency didn’t find any evidence linking the Ukrainian to the hackers or the hacked earnings reports.
Olefir had provided the regulator with access to his bank accounts, communications and the software program he’d developed to drill down into trading activity ahead of earnings. In the end, it wasn’t enough to dissuade the SEC.
Olefir declined to be interviewed, citing the gag order. “I thought if I handed everything over and told them what happened, this would have ended differently,” he told me. “I can’t say any more.” Olefir continues to trade using his earnings strategy. “It’s going very well,” he says.
Kwon, for his part, wrestles with his decision to settle. “I feel very wrongly treated with the whole process,” he says. “It took up years of my life to get through, and it greatly affects me to this day.” Kwon and Cho no longer speak. “I have mixed feelings about Sung,” Kwon says.
“If everything he said was true, then I feel really sad that’s what happened to our relationship.”
Ieremenko and Radchenko, the Edgar hack’s architects, are still at large, as are their principal customers, the Russian and Ukrainian businessmen who the criminal authorities say made off with the bulk of the money. Ieremenko and one of Radchenko’s trader friends were fined a combined $16 million by the SEC in absentia, money the agency is unlikely to ever see.
In 2024, I contacted Radchenko via social media to request an interview. Despite having a million-dollar bounty on his head, he replied, asking me to send a list of questions.
We exchanged messages for a while, but when he asked what was in it for him, and I told him I couldn’t pay him, he went cold. “Liam, what you’ve heard about me” is not true, Radchenko wrote in Ukrainian. “You have been misinformed by people with a vested interest in this and probably continue to be.”
Of the 22 SEC staff name-checked in the 2019 Edgar press release, none agreed to talk with me on the record. Jay Clayton, the former SEC chairman, spoke to me about his response to learning of the hack, but declined to comment on the specifics of the case.
Clayton was recently appointed by President Trump as US Attorney for the Southern District of New York, historically the preeminent office for prosecuting white-collar crime.
The SEC declined to comment for this story or provide documents about its work when I submitted requests under the Freedom of Information Act.
After the hack, the agency stepped up its cybersecurity efforts, upgrading software and hardware and hiring “penetration-testers” to expose potential vulnerabilities.
Like many government agencies, though, the SEC is now being downsized. Around 600 staff, or 15% of the workforce, are reported to be leaving as part of Elon Musk’s slashing of government regulation and regulators.
It’s not yet clear how many will come from IT functions. The Trump administration is also proposing deep cuts at the Cybersecurity and Infrastructure Security Agency, the body that oversees cybersecurity across all government agencies.
A lot is at stake for the SEC. Last year, the agency heralded the completion of the Consolidated Audit Trail, a controversial new database that stores moment by moment trading data from thousands of firms.
The system is designed to help identify wrongdoing, but, even before the job cuts, critics argued the agency wasn’t equipped to supervise it. In the wrong hands, they say, the data could be used to reverse-engineer trading strategies worth billions.
In January, I sat down with Kuprina at a pizza and beer joint in the quiet neighborhood where she now lives. In 2023 a judge sentenced her to time served in recognition of her assistance to the Secret Service.
The same year, the SEC issued a short order instructing her not to commit any more offenses and acknowledging, in minimal detail, her involvement in the Edgar hack.
Kuprina told me about her job at cybersecurity company Recorded Future Inc., where she monitors dark web forums and gives talks at conferences. With one of her first paychecks she put down a deposit for an old car with a big engine and a custom plate that spelled ELEET, a hacking term.
We were joined by her mother and daughter, who the government brought to the US when Russia started bombing Ukraine. The three shared a dessert while they laughed about some of Kuprina’s childhood antics. When Olga was around 10 she would catch fish in the Dnieper River with her hands.
Her friends didn’t believe her, her mother recalled, so to prove it she waded out and did it, and everybody came to watch. Afterward, fishermen started to do the same.
Kuprina said that when she arrived in the US, she was terrified she would lose her connection to her daughter. She remembers holding the child’s hand when she was going to sleep, just as her mother had done with her. Very quietly, her daughter, now 16, interjected.
“I just want to say that, besides that my mum was a criminal, she really loved me and I really loved her.” Then she added: “Our bond never went anywhere. It’s like, I’ve been with her all those years.”
I once asked Kuprina whether she thought Edgar was still vulnerable. She told me about a meeting she’d had with the SEC’s IT team. Kuprina recalled detailing the many ways she’d infiltrated Edgar, with its antiquated software and bolted-together code.
The SEC has tightened up who can make filings and removed the function allowing companies to review test filings ahead of publication.
But the network will always contain information that’s appealing to hackers. The staffers looked indignant, Kuprina remembered, when she told them the only way to keep people like her out would be to rip up the system and start again. —By Lydia Beyoud
Your Questions And Comments Are Greatly Appreciated.
Monty H. & Carolyn A.