2018R013-+7 /DS UNITED STATES DISTRICT COURT DISTRICT OF NEW JERSEY UNITED STATES OF AMERICA Hon. Crim. No. 19- V. 18 u.s.c. § 371 18 U.S.C. § 1030 18 U.S.C. § 1343 18 u.s.c. § 1349 18 U.S.C. § 2 ARTEM RADCHENKO and OLEKSANDRIEREMENKO INDICTMENT The Grand Jury in and for the District of New Jersey, sitting at Newark, charges: Count One to Commit Securities (Conspiracy Fraud) Overview From in or about February 1. the defendants sophisticated networks and others conspired securities fraud scheme that involved hacking quarterly before the reports of the stolen reports in or about March 2017, to enrich themselves of the United States Securities and stealing annual, companies 2016 through and Exchange and current reports were disseminated contained material among other things, the earnings through into the computer Commission of the companies. ("SEC") of publicly traded to the investing non-public a information public. Many concerning, The defendants and others sought to profit illegally from their scheme by selling access to the material non -public information contained in these as-y et undisclosed reports and by trading learned in the securities of the companies before the investing public the information. Relevant 2. Individuals and En ti ties At all times relevant to this Indictment: a. Defendant ARTEM RADCHENKO ("RADCHENKO") resided in b. Defendant OLEKSANDR IEREMENKO ("IEREMENKO") was a Ukraine. computer hacker who was a Ukrainian national. From 2010 to 2015, IEREMENKO engaged in a scheme to hack certain newswire services that edit and disseminate companies press releases Hacking Scheme"). employed for publicly traded In carrying out the scheme charged some of the same techniques and methods (the "Newswire herein, IEREMENKO that he had used in the Newswire Hacking Scheme. exchange c. Co -conspirator 1 ("CC-1 ") resided in Ukraine. d. The New York Stock Exchange in the United States based on market ("NYSE") was the largest stock capitalization. trade processing and data services were performed around New Jersey. Mahwah, e. The NYSE's at its data center in or The NASDAQ Stock Market ("NASDAQ") was the second largest stock exchange in the United States based on market capitalization. The NASDAQ did not have a central trading floor. computer servers to facilitate all trading activity. computer servers in or around Carteret, Instead, The NASDAQ maintained New Jersey. 2 it relied on Companies f. whose shares were registered traded on the NASDAQ or the NYSE were subject requirements designed their financial to keep investors condition and operations. filed annual and quarterly respectively, as well as current These Required earmngs. condition This information information reports changes in such public companies filed on Form 8-K ("Required Filings"). detailed information and operations about, among other of the companies, was treated as highly confidential prior to its release to the public. Disclosure, prohibiting their business to SEC Regulation them from making selective disclosures information including ln fact, publicly traded making Required Filings were subject non-public about material As a result, companies material to ongoing disclosure reports with the SEC on Forms 10-K and 10-Q, Filings contained things, the financial informed with the SEC and before disclosing Fair of such the information to the public generally. g. The SEC was an agency of the United States government whose duties included SEC operated maintaining the Electronic known as "EDGAR." fair, orderly, and efficient markets. Data Gathering, The EDGAR computer The Analysis and Retrieval system, servers relevant to this Indictment were located in New Jersey. h. Required Filings. days in advance EDGAR was used by public companies EDGAR also allowed companies of the public release of the Required Test Filings often contained information to electronically to make test filings hours or Filings ("Test Filings"). that was the same or substantially 3 file similar to the material the Required information that was eventually Filings, and, as a result, they often contained material non-public At all times relevant a. accessed information. to this Indictment: by a web browser which identified b. particular internet Terms A "user agent string" was information being used and the operating connection. connection the version of the web browser was a series of numbers Computers which was assigned sent from and directed sent to a computer system of the computer. An "IP address" internet to the public in at the time the Test Filings were made, Relevant 3. released attached to the Internet an IP address to that computer assigned to a used an so that Internet could be directed traffic properly from its source to its destination. c. unauthorized A "directory access to a restricted d. attack" was a method of gain ing area of a web server. "Malware" was malicious cause the victim computer intention traversal computer to behave in a manner software intended inconsistent of the owner or user of the victim computer, usually to with the unbeknownst that person. e. A "phishing attack" was a fraudulent sensitive information such as usernames malware by posing as a trustworthy a t tempt t o obtain and passwords entity in an electronic 4 and / or to install communication. to "Bitcoin" was a type of virtual currency, f. Internet as a form of value. or company, g. via a decentralized, "Bitcoin addresses" sensitive and was represented address's of a password computer virtua l locations was analogous as a 26-to-35-character-long Each Bitcoin address to to a case- was controlled private key, a cryptographic needed to access the address. private key could authorize bank, network. A Bitcoin address the use of a unique corresponding equivalent through were the particular string of letters and numbers. through another number and controlled peer-to-peer which Bitcoin were sent and received. bank account over the Bitcoin was not issued by any government, but rather was generated software operating circulated a transfer Only the holder of an of Bitcoin from that address to Bitcoin address. The Conspiracy 4. From in or about February in Middlesex County, 2016 through in or about March 2017, in the District of New Jersey and elsewhere, the defendants, ARTEM RADCHENKOand OLEKSANDRIEREMENKO, did willfully and knowingly conspire others to, directly and indirectly, interstate exchanges, securities, commerce, and agree with each other, CC-1, and by the use of means and instrumentalities and of the mails, and of facilities of national use and employ, in connection manipulative and deceptive Title 17, Code of Federal Regulations, with the purchase 5 securities and sale of devices and contrivances, Section 240. l0b-5, of in violation of by: (i) employing devices, schemes material and artifices to defraud; (ii) making untrue fact and omitting to state material the statements facts necessary made, in the light of the circumstances made, not misleading; which operated persons, contrary of in order to make under which they were and (iii) engaging in acts, practices business statements and courses of and would operate as a fraud and deceit upon to Title 15, United States Code, Sections Title 17, Code of Federal Regulations, 78j(b) and 78ff, and Section 240. l0b-5. Goal of the Conspiracy 5. It was the goal of the conspiracy CC-1, and others, to unlawfully computer networks enrich themselves of the SEC through stealing Test Filings containing business information by: (a) hacking into the a variety of deceptive techniques; confidential constituting profiting by selling the material for RADCHENKO, IEREMENKO, material non-public and economically non-public information (b) valuable information; and (c) and trading ahead of its public disclosure. Manner and Means of the Conspiracy 6. It was part of the conspiracy unauthorized access to the computer variety of hacking methods, including that the defendants and others gained networks of the SEC by employing a directory traversal attacks. The co-conspirators identities to illegally gain access to information attacks and phishing took steps to conceal and misrepresent SEC and to avoid detection. 6 on the internal their networks of the 7. It was further others employed phishing part of the conspiracy attacks that were made to falsely appear employees. number to send malicious their identities, of SEC computers with malware. infected, the co-conspirators steal information phishing the co-conspirators and emails to SEC employees as though they originated As a result of the co-conspirators' misrepresented that the defendants from actual SEC attacks, which successfully infected a Once these computers were used them to probe the SEC's network and to to use in their ongoing efforts to gain unauthorized access to Test Filings. 8. It was further others employed part of the conspiracy some of the same methods For example, that IEREMENKO controlled (the "Romanian associated Scheme. In addition, networks and that IEREMENKO had used in the they used an IP address Newswire Hacking Scheme. previously that the defendants in Romania IP Address") and that had been with a server IEREMENKO used in the Newswire Hacking the defendants' of the SEC frequently unauthorized employed access of the computer the same uncommon user agent string used by IEREMENKO in the Newswire Hacking Scheme. 9. It was further unauthorized traversal access to the SEC's computer attacks, confidential part of the conspiracy the defendants business networks stole and exfiltrated information, including material from the SEC's network to servers they controlled, Lithuania (the "Lithuanian that, after gaining Server"). pursuant to the directory Test Filings containing non-public including information, a server in From in or about May 2016 through 7 in or about October 2016, the defendants exploited the unauthorized had gained to the SEC and the EDGAR system by extracting Filings from the EDGAR servers to the Lithuanian 10. It was further deceptive methods via the Lithuanian information Server, the co-conspirators other co-conspirators that, by employing obtained publicly traded companies, monetize It was further profitable conspirators. trades that information non-public available to the investing traders in brokerage accounts was designed information It was further material non-public trading. that the defendants provided for the purpose controlled for the traders of by these other coto use the stolen to trade before the information was made public. part of the conspiracy to join the conspiracy SEC's role in financial network. these with the goal of having through part of the conspiracy The conspiracy material 12. of Test Server. access to the stolen Test Filings to other co-conspirators executing thousands to steal Test Filings and extract them from the United States of numerous 11. part of the conspiracy access they and maintained reporting that RADCHENKO recruited notes for himself describing and the co-conspirators' The notes provided in substance access to the SEC's and in part as follows: SEC is a resource where all quarterly and annual performance reports of U.S. companies are avai lable. SEC regulates the stock market. Every company is required to report to the SEC its financial results in the form of annual and quarterly reports. 8 the Every company is required to report important issues, such as bankruptcies or CEO replacements to the SEC. There is plenty of additional information available, such as database access information, initial codes, networks access, etc. 13. It was further by executing part of the conspiracy trades in the securities the public disclosure results non-public of the material was uploaded information non-public information. associated 121,000 relating to Public Company l's second quarter At approximately to be used the 1 Test Filing that had just been uploaded Between approximately with CC-1 (the "CC-1 Trading Account") purchased shares of the stock of Public Company At approximately 1 released to 3:42 p.m. and 3:59 p.m., a trading account its second quarter to deliver record earnings to the investing earnings approximately 1 for more than approximately 4:02 p.m., the material in the Test Filing was made available expected 3:38 Server to access the SEC's EDGAR servers, without authorization, $2.4 million. Company on 3:32 p.m., a Test Filing containing to the SEC's EDGAR servers. and steal the Public Company EDGAR. prior to For example, p.m., RADCHENKO, IEREMENKO, and others used and caused Lithuanian profited of the publicly traded companies or about May 19, 2016, at approximately material that co-conspirators non-public information public when Public report and announced in the 2016 fiscal year. that it By the end of the next day, the CC - 1 Trading Account had sold the position it a cq uired the day before for a profit of more than $270,000 . 9 Overt Acts 14. In furtherance of the conspiracy and to effect the unlawful object thereof, RADCHENKO, IEREMENKO, and others, committed to be committed and caused the following overt acts, among others, in the District of New Jersey and elsewhere: a. On or about May 6, 2016, RADCHENKO, IEREMENKO, and others, accessed authorization, and caused to be accessed from the Romanian b. IP Address. On or about May 10, 2016, RADCHENKO, IEREMENKO, and others, purchased Bitcoin address and caused to be purchased, controlled c. to be used the Lithuanian 1 that had been uploaded material d. non-public Server to access the SEC's in order to steal a Test Filing for Public to EDGAR minutes earlier which, at the information. On or about July 22, 2016, RADCHENKO, IEREMENKO, and others, used and caused to be used the Lithuanian EDGAR servers, without authorization, Company 2 that had been uploaded contained material e. Server using a by RADCHENKO. EDGAR servers, without authorization, time, contained the Lithuanian On or about May 19, 2016, RADCHENKO, IEREMENKO, and others, used and caused Company the SEC's EDGAR servers, without Server to access the SEC's in order to steal a Test Filing for Public to EDGAR hours earlier which, at the time, non -public information. On or about July 29, 2016, RADCHENKO, IEREMENKO, and others, used and caused to be used the Lithuanian 10 Server to access the SEC's EDGAR servers, Company without 3 that had been uploaded time, contained material f. and others, g. to be used the Lithuanian without material non-public used and caused in order to steal a Test Filing for to EDGAR minutes earlier which, at information. to be used the Lithuanian without authorization, 5 that had been uploaded the time, contained h. material non-public On or about August used and caused SEC's EDGAR servers, Public Company authorization, Server to access the On or about August 8, 2016, RADCHENKO, IEREMENKO, SEC's EDGAR servers, and others, earlier which, at the information. 4 that had been uploaded the time, contained Public Company to EDGAR minutes non-public used and caused Public Company in order to steal a Test Filing for Public On or about August 4, 2016, RADCHENKO, lEREMENKO, SEC's EDGAR servers, and others, authorization, material to EDGAR hours earlier which, at information. 17, 2016, RADCHENKO, IEREMENKO, authorization, 1 that had been uploaded the time, contained in order to steal a Test Filing for to be used the Lithuanian without non-public Server to access the Server to access the in order to steal a Test Filing for to EDGAR minutes earlier which, at information. All in violation of Title 18, United States Code, Section 371. 11 Count Two (Conspiracy to Commit Fraud and Related Activity in Connection with Computers) 1. through The allegations contained in paragraphs 14 of Count One of this Indictment 1 through are re-alleged 3, and 5 and incorporated as though fully set forth in this paragraph. 2. From in or about February in Middlesex County, 2016 through in or about March 2017, in the District of New Jersey and elsewhere, the defendants, ARTEM RADCHENKO and OLEKSANDRIEREMENKO, did knowingly and intentionally others, to intentionally obtain information the Securities the purpose from a department of commercial Code, Sections and agree with each other, and access computers and Exchange such information conspire without authorization, and thereby and agency of the United States, Commission, advantage and from a protected and private financial being in excess of $5,000, contrary namely computer for gain, the value of to Title 18, Uni te d States 1030(a)(2)(B), (a)(2}(C), (c)(2)(B)(i), and (c}(2)(B)(iii). Goal of the Conspiracy 3. It was the goal of the conspiracy and others, to gain unlawful commercial advantage access for RADCHENKO, IEREMENKO, to the computer and private financial networks of the SEC for gain. Manner and Means of the Conspiracy 4. To carry out the conspiracy and to effect its unlawful RADCHENKO, IEREMENKO, and others, 12 engaged in a number objects, of means and methods, including those referred to in paragraphs 6 through 13 of Count One, among others. Overt Acts 5. thereof, In furtherance of the conspiracy RADCHENKO, IEREMENKO, committed a number and to effect the unlawful and others of overt acts, including committed those referred and caused of Title 18, United States 13 to be to in paragraph of Count One, among others. All in violation objects Code, Section 371. 14 Count Three to Commit Wire Fraud) (Conspiracy 1. through though The allegations contained in paragraphs 14 of Count One of this Indictment 1 through are re-alleged 3, and 5 and incorporated as fully set forth in this paragraph. 2. From in or about February in Middlesex County, 2016 through in the District of New Jersey in or about March 2017 , and elsewhere, defendants, ARTEM RADCHENKO and OLEKSANDRIEREMENKO, did knowingly and intentionally conspire and agree with ea ch other, CC-1, and others to devise a scheme and artifice to defraud traded companies whose Test Filings they stole (the "Public Companies"), to obtain money and property, business information public information, representations, including confidential of the Public Companies by means of materially and promises, and artifice to defraud, wire communications did transmit and economically that constituted false and fraudulent and, for the purpose in interstate signs , signals, pictures, Section the SEC and the publicly and va luable material non- pretenses, of executing such scheme and cause to be transm itted by means of and foreign commerce, and sounds, contrary certain writings, to Title 18, United States Code, 1343. Goal of the Conspiracy 3. It was the goal of the conspiracy CC-1, and others, computer networks to unlawfully for RADCHENKO, IEREMENKO, enrich themselves of the SEC through by: (a) hacking into the a variety of deceptive techniques; 14 (b) stealing Test Filings containing business information confidential constituting profiting by selling the material and economically material non-public non-public valuable information; information and (c) and trading ahead of its public disclosure. Manner and Means of the Conspiracy 4. To carry out the conspiracy and to effect its unlawful RADCHENKO, IEREMENKO, and others, methods, including among others, 5. deprived those referred to in paragraphs and those described the Test Filings, including should be disclosed writings, interstate 13 of Count One, valuable and others of their right to control the use of business information contained the decision of when and how the information to the public. Throughout their fraudulent 6 through that the defendants the SEC and the Public Companies and economically of means and below. It was part of the conspiracy the confidential 6. engaged in a number objects, scheme, signs, signals, the course of the conspiracy and in furtherance RADCHENKO, lEREMENKO, and others, pictures, and sounds to be made and received in and foreign commerce. All in violation of Title 18, United States Code, Section 15 caused 1349. of in Counts Four through (Wire Fraud) 1. through The allegations contained Nine in paragraphs 14 of Count One of this Indictment 1 through are re-alleged 3, and 5 and incorporated as though fully set forth in this paragraph. 2. From in or about February 2016 through in or about March 2017, in Middlesex County, in the District of New Jersey and elsewhere, defendants, ARTEM RADCHENKO and OLEKSANDRIEREMENKO, did knowingly and intentionally devise a scheme and artifice to defraud, namely, the scheme described in Count Three, and to obtain money a n d property, including Companies, by means of materially representations, attempting transmit interstate the confidential and promises, Four information false and fraudulent and, for the purpose of the Public pretenses, of executing to execute such scheme and artifice to defraud, and cause to be transmitted and foreign commerce, Approximate Date May 19, 2016 and did knowingly by means of wire communications certain writings, as set forth below, each constituting Count business a separate in signs, signals, and sounds, count of this Indictment: Description Us ed and caused to be used the Lithuanian Server to access the SEC's EDGAR servers in Middl esex County, New Jersey , without authorization, in order to access a Test Filing associated with Public Company 1. 16 Count Five Approximate Date July 22, 2016 Six July 29, 2016 Seven August 4, 2016 Eight August 8, 2016 Nine August 17, 2016 Description Used and caused to be used the Lithuanian Server to access the SEC's EDGAR servers in Middlesex County, New Jersey, without authorization, in order to access a Test Filing associated with Public Company 2. Used and caused to be used the Lithuanian Server to access the SEC's EDGAR servers in Middlesex County, New Jersey, without authorization, in order to access a Test Filing associated with Public Companv 3. Used and caused to be used the Lithuanian Server to access the SEC's EDGAR servers in Middlesex County, New Jersey, without authorization, in order to access a Test Filing associated with Public Company 4. Used and caused to be used the Lithuanian Server to access the SEC's EDGAR servers in Middlesex County, New Jersey, without authorization, in order to access a Test Filing associated with Public Company 5. Us ed and caused to be used the Lithuanian Server to access the SEC's EDGAR servers in Middlesex County, New Jersey, without authorization, in order to access a Test Filing associated with Public Company 1. In violation of Title 18, United States Code, Section 17 1343 . Counts Ten through Sixtee n (Fraud and Related Activity in Connection with Computers) 1. through The allegations contained in paragraphs 14 of Count One of this Indictment 1 through are re-alleged 3, and 5 and incorporated as though fully set forth in this paragraph. 2. On or about the dates set forth below, in the District of New Jersey and elsewhere, the defendants, ARTEM RADCHENKO and OLEKSANDRI EREME NKO, did knowingly and intentionally without authorization, access and cause to be accessed and thereby obtain information agency of the United States, namely the Securities and from a protected computer for the purpose computers from a department and Exchange of commercial and Commission, advantage and private financial gain, the value of such information being in excess of $5,000, in violation of Title 18, United States Code, Sections 1030(a)(2)(B), (a)(2)(C), (c)(2)(B)(i), and (c)(2)(B)(iii), each constituting a separate count of this Indictment: Count Ten Approximate Date May 6, 2016 Eleven May 19, 2016 Description Accessed and caused to be accessed the SEC's EDGAR servers in Middlesex County , New Jersey, without authorization, from the Romanian IP Address. Used and caused to be used the Lithuanian Server to access the SEC's EDGAR serv ers in Middlesex County, New Jersey, without authorization, in order to access a Test Filing associat ed with Public Company 1. 18 Count Twelve Approximate Date July 22, 2016 Thirteen July 29, 2016 Fourteen August 4, 2016 Fifteen August 8, 2016 Sixteen August 17, 2016 Description Used and caused to be used the Lithuanian Server to access the SEC 's EDGAR servers in Middlesex County, New Jersey, without authorization, in order to access a Test Filing associated with Public Company 2. Used and caused to be used the Lithuanian Server to access the SEC's EDGAR servers in Middlesex County, New Jersey, without authorization, in order to access a Test Filing associated with Public Company 3. Used and caused to be used the Lithuanian Server to access the SEC's EDGAR servers in Middlesex County, New Jersey, without authorization, in order to access a Test Filing associated with Public Company 4. Used and caused to be used the Lithuanian Server to access the SEC's EDGAR servers in Middlesex County, New Jersey, without authorization, in order to access a Test Filing associated with Public Company 5. Used and caused to be used the Lithuanian Server to access the SEC's EDGAR servers in Middlesex County, New Jersey, without authorization, in order to access a Test Filing associated with Public Company 1. In violation of Title 18, United States Code, Sections (a)(2)(C), (c)(2)(B)(i), and (c)(2)(B)(iii), and 2. 19 1030(a)(2)(B), FORFEITURE ALLEGATION AS TO COUNTS ONE AND THREE THROUGH NINE 1. As a result of committing Counts Three through respective the offenses charged Nine of this Indictment, the defendants count shall forfeit to the United States, States Code, Section 98l(a)(l)(C) in Counts pursuant charged in each to Title 18, United and Title 28, United States Code, Section 2461, all property, real and personal, that constitutes proceeds to the commission of the offense, and all property traceable One and or is derived from traceable thereto. FORFEITURE ALLEGATION AS TO COUNTS TWO AND TEN THROUGH SIXTEEN 2. As a result of committing Counts Ten through respective the offenses charged Sixteen of this Indictment, in Counts Two and the defendants charged in each count shall forfeit to the United States a. pursuant to Title 18, United States Code, Sections 982(a)(2)(B) and 1030(i), any property, real or personal, constituting, or derived from, proceeds obtained directly or indirectly as a result of the offenses charged in Counts Two and Counts Ten through Sixteen of this Indictment; and b. pursuant to Title 18, United States Code, Section 1030(i), all right, title, and interest in any personal property that was used or intended to be used to commit or to facilitate the commission of the offenses charged in Counts Two and Counts Ten through Sixteen of this Indictment. 20 SUBSTITUTE ASSETS PROVISION {Applicable to All Forfeiture Allegations) 3. If any of the above-described act or omission as a result of any of the defendant: a. cannot be located upon the exercise of due diligence; b. has been transferred or sold to, or deposited c. has been placed beyond d. has been substantially e. has been commingled without the jurisdiction diminished with a third party; of the court; in value; or with other property which cannot be divided difficulty; the United States shall be entitled, incorporated forfei table property, by 28 U.S.C. § 246l(c) forfeiture of any other property described forfeitable pursuant to 21 U.S.C. § 853(p) (as and 18 U.S.C. §§ 982(b) and 1030(i) ), to of the defendants up to the value of the above- property. A True Bill, Foreperson c~ United States Attorney 21 CASE NUMBER: ______ _ United States District Court District of New Jersey UNITED STATES OF AMERICA v. ARTEM RADCHENKO and OLEKSANDRIEREMENKO INDICTMENT FOR 18 u.s.c. §§ 371, 1030, 1343, 1349, 2 A True Bill, Foreperson CRAIG CARPE NITO UNITED STATES ATTORNEY FOR THE DISTRICT OF NEW JERSEY DANIEL SHAPIRO, JUSTIN HERRING, AND NICHOLAS GRIPPO, ASSISTANT U.S. ATTORNEYS LYNN O'CONNOR, SPECIAL ASSISTANT U.S. ATTORNEY AARASH HAGHIGHAT, CCIPS TRIAL ATTORNEY NEWARK, NEW JERSEY (973) 353-6087