Hackers Break Into M&A Firms, Make Millions on Insider Trades

Federal prosecutors have charged three Chinese citizens with insider trading that netted them more than $4 million in illegal profits.

But these weren't your typical tippees. The men didn't get their insider scoops from their family, friends, or colleagues. They got it from hacking into at least two New York law firms, stealing the emails of M&A partners, and trading on the information they found.

Trading on Hacked Insider Information

The three men, Iat Hong, Bo Zheng, and Chin Hung, are charged with "devising and carrying out a scheme to enrich themselves by obtaining and trading on material, nonpublic information." Here's how the scheme allegedly went down. From April 2014 to late 2015, the men "caused the networks" of the firms "to be hacked" according to a DOJ release announcing the charges.

In both cases, the men used unlawfully obtained credentials from law firm employees to access the firms' servers. They then peaked into M&A partners' emails and relied on the information they found there when purchasing stock in at least five companies that were about to be acquired. The men then dumped their shares after the acquisitions were made public.

Because shares of target companies in such acquisitions often jump when the deal is announced, the men were able to make over $4 million off their trades.

A Wake-Up Call to Law Firms

The men made it into two firms, but their hack-and-trade scheme targeted at least seven. Between March and September of last year, the DOJ says, the group tried to break into the networks and servers of the five other law firms more than 100,000 times.

The names of the firms haven't been made public, nor has the way the hackers obtained the firm employees' information that they used to break into the servers. We'll have to wait and see how the men gained access, and what the five other firms did to keep them out. In the meantime, however, the case is an important reminder of how firms can be targeted by hackers and other criminals.

"This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world," United States Attorney Preet Bharara said. "You are and will be targets of cyberhacking because you have information valuable to would-be criminals."

Related Resources:

• 3 Men Made Millions by Hacking Merger Lawyers, U.S. Says (The New York Times)
• 5 Types of Law Firm Data Breaches, From Human Error to Hacktivism (FindLaw's Technologist)
• 3 Tech Lessons for Lawyers, From 2016 (FindLaw's Technologist)
• Pres. Obama's Twitter Account Hacked: Is Anyone Completely Safe? (FindLaw's Technologist)