China-Based Hacking Case Against U.S. M&A Firms Illustrates Cyber Security and Enforcement Issues

In late December, the U.S. Attorney for the Southern District of New York announced the arrest of a Macau resident and unsealed an indictment against him and two others for hacking U.S. law firms for information related to pending U.S. mergers and acquisitions transactions and insider trading on that information. At the same time, the U.S. Securities and Exchange Commission filed a civil securities law complaint against those individuals, seeking injunctive relief and disgorgement of wrongful gains.

The Charges

According to the charges in the indictment, the defendants were Chinese nationals Iat Hong (the Macau resident who was arrested in Hong Kong), Bo Zheng (a resident of Changsha City, Hunan Province, who had studied at the University of Tulsa), and Chin Hung (who was associated with addresses in Hong Kong and Macau).

The three allegedly conspired to “infiltrate” the networks and servers of two unnamed New York-based law firms to steal inside information about pending M&A deals that the firms were handling. Over a period from April 2014 to late 2015, the conspirators obtained nonpublic information on at least 13 deals and traded on it through brokerage accounts in Hong Kong and online accounts with U.S. brokers. The unlawful gains exceeded $4 million.

In the case of one of the two compromised law firms, the SEC complaint alleges that the conspirators installed malware, leading to the compromise of the user account of an information technology employee and resulting in unauthorized access to nonpublic email accounts, including nonpublic information on pending M&A deals.

For the other firm, the complaint alleges that the conspirators compromised the user account and password of an information technology employee, then placed malware on the firm’s server to download files, and also hacked a separate administrator account for managing the email server, all the while concealing the breach by disguising the malware and renaming stolen files to appear benign.

The indictment also alleges that the conspirators attempted (apparently unsuccessfully) to compromise the networks and servers of five other law firms, through remote access websites and the credentials of an internetworking supervisor.

In allegations that appear designed to establish the identity of the conspirators, the indictment and SEC complaint also charge that, during the same time, the defendants improperly obtained confidential information from a U.S. robotics business. The SEC complaint alleges that the same internet protocol (IP) address associated with that hack was also associated with several of the law firm hacks.
