
White Collars & Black Hats: Bitcoin, Dark Nets and Insider Trading

BSides SLC · 2019 · 33:19 · Published 2019-02
About this talk
Ken Westin examines real cases where hackers collaborate with white-collar criminals to steal and trade on non-public information, including earnings reports and merger data. Through forensic analysis of breaches at PR firms, news wire services, and even the SEC itself, he reveals how insider-trading schemes netted millions before unraveling through arrogance and careless operational security.
Presenter: Ken Westin
Transcript [en]

Hello, my name is Ken Westin. Thanks for having me here today. I'm going to be talking about some research that I did a while back regarding some things I was finding with regards to hackers actually collaborating with white-collar criminals. Basically the target was non-public information, so information like earnings reports, or information that can be used for an advantage when you're trading stock. I actually found some of these folks collaborating in some underground markets; they actually exchanged some of this information. Some of these groups were actually trying to get anyone that maybe worked at some of these companies to also share this intelligence, and so as a result of that I actually dug a little bit deeper and I found that there were a few cases of this, and some of them were able to generate quite a bit of money. One group in particular generated around 30 million dollars. I'll talk a little bit about that and how they did it.

So there might be two different groups here: on one side of it, you may learn some things about why you want to be protecting this information; if you're on the criminal side, you'll be learning some things about how not to get caught, because these guys tend to do some kind of stupid things, and that's what ends up getting them busted.

So just a little bit about me. I've been in security technology for the last 20 years. I've been with Splunk for almost three and a half years now; I'm now a staff security strategist based in Portland, Oregon. I'm trained in both defensive and offensive security, and I've actually put bad people in jail with data. Before I was at Splunk I was developing various tools and technologies that were tracking criminals; I worked with law enforcement and put some various organized crime groups away. I am also a guitar and record hoarder, so I really like music; that's my hobby. I'm also a technical editor for a pretty good book, if anyone out there, maybe your family or someone at your work, wants to understand Bitcoin: it was a book called Bitcoin for Nonmathematicians. It's kind of interesting in this too: I actually found that there was a lot of cryptocurrency that was being utilized for some of these trades, so they would give Bitcoin and in exchange they would get some of these stolen earnings reports, for example.

So a lot of people ask me, why this particular topic? I think it's fascinating because it touches on a lot of different disciplines. So we're talking about criminal hacking, and you'll see elements of fraud, insider trading, insider threat, cryptocurrency, darknets, a lot of international intrigue; you'll see that a lot of this activity is actually happening internationally. It's also a significant threat to our economy. Some of these folks that did get caught, they got caught because they got greedy or they did something stupid. I've actually found that some of these guys were doing this for four to five years before they actually got caught, so I think that there's a lot more of this actually happening, and a lot of folks are generating quite a bit of money as a result of it. I think it's just the tip of the iceberg. And I really like this too, from where I am: at Splunk we get to deal with a lot of different data. This is where I get to actually work with a lot of different disparate data sets, not just your traditional security data sets but also looking at stock trades and inconsistencies there, or anomalies, or some other ideas where you can actually correlate log sources across different organizations that maybe they don't have.

I really like this concept. This is Edmond Locard; he was sort of the grandfather of forensic science. They used to call him the French Sherlock Holmes. He actually developed the first forensic crime lab in France, before DNA, before fingerprints or anything like that, but there was this concept that he devised called "every contact leaves a trace." Of course he was referring to physical crimes; the idea is that when you commit a murder you leave something there and you also take something with you, right? I believe this carries over into the cyber world as well; it's just a matter of ensuring we actually have the right tools in place to log that, or that we know where to look.

So there's two key vulnerabilities for criminals and how they get caught. We always talk about vulnerabilities of systems, but criminals themselves: what do you guys think are the two vulnerabilities that lead to criminals being caught, particularly in the cyber space? Yeah, bragging. Mm-hmm, bragging, exactly: arrogance, right? Arrogance and greed. Those are the two things that usually end up getting them caught. Typically, if they find something that's lucrative, they make some money, and then they extend themselves and they do it a little bit further, and it puts them at a little bit more risk. So you'll see a pretty good example of that in a bit here.

So one thing I have found that's really interesting is that a lot of financial folks have been interested in cryptocurrency, particularly when Bitcoin was fairly high. We actually had a lot of traders that were trading in Bitcoin as well, so I actually believe that when you see the stock market fall you also are going to see Bitcoin fall, because people are selling to cover some other investments. But I actually saw a lot more of this happening where financial folks not only were interested in cryptocurrency, but they also started going into Tor, going into some of these underground markets and forums. Now what happens here is that some of these folks that are really savvy on the financial side are now able to collaborate almost anonymously with people that are more technical on the hacker side, and that's kind of the perfect storm that has resulted from this. I actually found one forum on the darknet where it was actually trying to get information on non-public data; they would actually share some of the profit, they would actually pay you for it. So if you work for a particular company and you have some earnings reports and you provide it to this group and they trade on that, they'll actually give you cryptocurrency in return, right? Again, it's all anonymous; it's very, very difficult to track this type of activity.

So I deal a lot with insider threat. I do a hands-on workshop around that at Splunk; I'm actually a certified insider threat program manager as well, so this has been something I started to research a little bit deeper as well. I actually saw this one post. This guy seems like he really knew what he was doing; he also had some connections. This was actually a foreign post in one of these darknet forums, maybe I'm coming to it late, to the post, anyway: "I work inside a major Wall Street company that does millions of trades a day. I have access to DMS, high clearance, and access to all North America, Europe and Brazil. I won't disclose anything else. If you have good info I offer 50/50 and I can give you hard cash or Bitcoin, no paper trail." So it kind of proves my theory here. "Only relevant information please." I found another forum, and in this one, in order for you to join you actually have to commit a crime: you have to provide them with non-public information that they can trade on, and once they successfully trade on that, then they'll let you in. I think this was a honeypot set up by law enforcement. I just have this theory, this weird feeling about it; it's a great way to do it. But there's a number of these out there. If you look on the darknet forums you'll actually find a lot of these sort of insider trading types of communications that are happening.

So what's interesting is that when you think about insider trading as it was defined by the SEC, there's a lot of things that go into that. In order for it to be insider trading, at least this is the way it used to be, you have to have some sort of fiduciary duty to that organization. Now, if you're a hacker and you're targeting this type of information, do you have a fiduciary duty to that organization? No. This is a situation where the law did not keep up with the times, right?

So the first case I actually saw was SEC v. Dorozhko. This fellow Dorozhko ended up getting caught because he did a really stupid thing: he got greedy. He was in Eastern Europe; he basically took an entire year's salary, he'd never traded stocks before in his life, and he opened up a brokerage account and he did a put for $42,000, right? This is one of those things that will raise the flag with the SEC; there's all sorts of triggers and this is one of them. He was able to then make over two hundred and eighty-six thousand dollars, but because there was a flag, this got held up. They did some more research, and what he was actually doing is he was targeting a web application at Thomson Financial. Now at Thomson Financial, what they'll do is they provide a platform for companies to share with investors, like when they're going to do their earnings reports; this is where they would do it, sort of like a webcast type of thing. So what he actually found was a vulnerability, and he was monitoring a particular directory, and once this happened then he was able to download that information before anyone else, and it was actually from this company, IMS Health Incorporated. Now he took that information, and the timestamps all fit this perfectly, and he did the trade, and that's how he was able to generate that much money so quickly. He also tried to spoof his IP address, but a few times he actually connected from his actual real IP address, right? So if you are doing any sort of this activity, make sure that you're covering your tracks a little bit better. So the summary judgment was for the $286,000 and then $7,000. He never actually appeared in court; they actually just took the money out of that brokerage account. I think he still owes them seven thousand dollars. But he didn't owe any sort of fiduciary duty to the source of the information, so he wasn't actually liable for insider trading, and that's something that could have actually got him; he would have been assigned jail time as a result of this. They actually put a new rule in, it was Rule 10b5-2, and it clarifies this: so even if you are not, you know, an officer of the company, and you have access to this information, this can now be considered insider trading. They've even now referred to this as "outsider trading." So this was a really big case.

Where it got really interesting, though, is a group of hackers that actually started to specifically target this kind of information. What they wanted to go after was PR firms. So PR firms have access to this type of information: if there's going to be earnings reports, things like that, companies have it, so they have early access to this data before it actually gets delivered. So there was a group of hackers and then there was also a group of traders, and it's really interesting how they were able to communicate. It was actually exactly what I just mentioned: they actually found each other in a forum and they started discussing it. Some people got rich off of this and then they extended that trading network as well. The interesting thing here is this happened over the course of four years, right? So these guys did this for four years before anything got caught, and again it was because someone got greedy. Actually one of the hackers, he was doing a lot of other hacking; there's two guys that are involved in this, you'll see, but one of them was getting involved in stolen credit cards, and the Ukrainian police actually worked with US law enforcement to go in and they confiscated his laptop. Now this whole trading scheme would never have been discovered if that laptop was not confiscated, because that's when they actually went into that particular laptop that they were able to find all the stuff that was happening, because this guy actually made videos of how to go about and collect some of this information from this server that he'd set up, and it's pretty funny.

So the first one that they targeted was Marketwired. They actually did a SQL injection, they were able to establish some reverse shells, they were able to get some of the internal login credentials. What's interesting is that Marketwired had no idea; they didn't have the right logging in place, so even when law enforcement came to them they couldn't tell them a lot of the information. They were able to get this mostly, again, from one of the hackers' laptops. They downloaded over a hundred thousand press releases over the course of, you know, four years. Then what they did is they uploaded this to a server, and they actually did it as a hidden server, and then they started marketing the wares, and I think it was like six thousand dollars to get access to this data. And there were traders that were watching this and they got on, they paid for it in Bitcoin, and they suddenly had access to all these press releases. Then they kept doing this for over four years, and then the traders also started creating brokerage accounts for the hackers, because the hackers wanted in on this as well. So they did this through a bunch of shell companies; they were doing all sorts of interesting things on the white-collar crime side. Again, they would have avoided detection if it wasn't for that one laptop getting caught.

And then they got greedy again. They targeted another firm, this was PR Newswire, and this one they actually were in three different times. They were able to get in; once they got booted out, they got in again and they actually installed some malware, and then they got booted out again, and then this time they actually bought a huge trove of passwords from social media, and they were actually able to map some of the people that worked for that company to the social media accounts, and, I know this never happens, but apparently they were using the same password, right? So this stuff actually happens in real life, right? So that's how they were able to get in, and then they were doing it for quite a while before they were detected. Then they went to Business Wire. In some of these underground forums these guys were making a bit of a name for themselves because they were generating, making a lot of money, and one guy actually approached them. He said, look, I actually have access to one of these newswires, I'll just sell the access to you because I don't want to get involved in any of this trading stuff. And so they just basically bought access to another newswire. So they had access to three different newswires, and that's where they were downloading all these different press releases.

Now the traders were really smart too; these guys were savvy. In fact one of them was actually a former VP at Morgan Stanley, right? So they really knew what they were doing. They knew how to do trades and how to make it so that it wouldn't trigger any sort of SEC flags: they were doing small micro trades, they created multiple accounts, they created shell companies that would be tied to some of these accounts as well, so it was very difficult for them to track. They made over 30 million dollars in trades, right? So if you're a criminal hacker and you're messing with ransomware and stolen credit cards and things like that, that is not where you're going to be making the money; if you want to make the big bucks, start targeting this kind of data. I'm just kidding, don't go into crime.

What's interesting too is that some of the hackers were actually logging into some of these brokerage accounts as well, and they would forget to turn off some of their proxies, VPNs, so they would actually see the same IP addresses on the newswires that they were seeing in some of the brokerage accounts. So this is a really interesting case when they're actually doing the investigation, where they're correlating logs from all these different organizations and putting this puzzle together, which is the kind of investigation I'm always really interested in; I find that kind of thing to be rather fascinating. This is sort of a ledger of the actual trades that they were making, so you'll see that, again, they're not really huge ones, maybe $42,000 here and there; they're not placing any sort of big bets. This wouldn't raise any sort of suspicion, but if you do this in a lot of different brokerage accounts and you have shadow companies and things like that, you're able to hide some of your identity.

So one of the traders ended up getting arrested; he was sort of the leader. This is Vitaly; he's the one that was the former VP at Morgan Stanley, so he really knew what he was doing. Again, they think he netted 17.5 million; it could be even more than that. And he said he was innocent. He was also a minister at a church, right? So, yeah, his church actually did a fundraiser for him to help with his legal bills, which was great; they even showed up in court for him, you know, "we believe you, you're innocent." He actually just got tried this last summer and he was found guilty on all counts. I'm still not sure what he's being sentenced for, but he's going to be in jail for a long time.

So just on the summary of this: this is really interesting, some of the data sources that were available. You have some of the online brokerage accounts, you have application logs, looking at user data, IP, stuff like that, some of the bank records, business registry data, newswire user authentication, VPN logs. The forensic image of the hacker's computer was huge, because he actually did have a video there that he was giving to the traders showing them how to download the files from the server, and it had all the information right there. So again, if you're committing these types of crimes, try not to keep the evidence on your laptop, right? And then some of the tools: compromised credentials. It's interesting, a lot of these PR firms, it looks like they didn't have multi-factor authentication at the time; malware, SQL injection; some of the organizations had a lack of appropriate logging and the hackers took advantage of that; of course Tor and proxies.

But what's really interesting about this is it goes even deeper. Do you think they stopped with PR firms when you're making millions of dollars off this? Are you going to stop there? No, they got arrogant and greedy, right? So again, remember what I said earlier, right, vulnerable criminals, what gets them caught: arrogance and greed. Before I did this presentation, another case I had was that the SEC themselves, they have a database where you have to file some information, and they actually got hacked. What? And it happened, though they were really quiet about it; there wasn't a lot of information about how that particular hack happened. So this is basically the slide; I talked a little bit about it. They did disclose that some non-public information was compromised and it was probably being used for illegal trades. The organization actually had some prior security issues with some encryption. But what really is interesting is one of the hackers that was actually involved in the PR firm case is actually one of the guys that was involved in this; he kind of went off on his own. This was actually just announced a few months ago. He went on his own; his name is Ieremenko, his hacker name is Lamarez. So he does a lot of other interesting things, but he was able to send phishing emails to SEC employees. He made it look like it was coming from the security team; these documents had malware in them. He was able to then compromise credentials and get access to these systems. He was able to get quite a few credentials; one of them was to the SEC's actual test database. So what he did is, he did a few trades where he's gathering some of this information, and then what do you do when you find some tool, some process, that you know is going to generate a lot of revenue for you? You want to automate that, right? So he actually automated this whole process. He had what he referred to as the "exfiltration machine," and that would actually be a server that would log in to keep checking for any new posts that were sent, and then he would automate the process of sending that information to some of these traders. He was working with some of the traders that were involved in the PR Newswire case, who were also involved in this one, as well as some additional links; there was like three or four other folks that were brought into this particular scheme as well. They didn't make quite as much money; this is kind of what they announced, it's probably around four million dollars or so, but that's not too bad for about a year's worth of work. This happened around 2016, too, which I was kind of surprised to hear. There was a lot of connections that he was making coming from a server in Romania. A lot of the infrastructure that he was using for the PR Newswire case was also being utilized for the SEC. What's interesting is, you know, why didn't they tie some of this together? It took them a little while to be able to do that. If you have a Romanian IP address logging in repeatedly into a sensitive database, that might be something that you want to pay attention to, right? And this is kind of what their trades looked like. It was interesting just looking at what their trading patterns looked like before they had access to the data, right, because they wanted to be able to show that, hey, if they were in court and they say, well, I actually didn't use that data, I just really know what I'm doing, they were actually able to go back historically to look at how well they were doing on their other stock trades, and most of them were not doing very well. And then when they started getting access to this data, all of a sudden they started winning and getting a lot of revenue. So that's another anomaly, right? It's another data source that we can leverage for an investigation like this.

So another type of organization that was targeted is legal firms. So you kind of might start seeing a pattern here: it's not necessarily the organizations themselves that are going to be targeted; think about some of the service providers, think about supply chain. So legal firms, you're going to see PR firms, these sort of satellite folks that have access to some of this data. So there was another one; this was some folks that were actually in China. These guys were really interesting because they actually had a full business plan. When they were working on this case, they got their laptop, and there was actually a PowerPoint deck where they're walking through how they're going to conduct this type of fraud. Yeah, there was a number of different emails too that they were exchanging. So that's another thing: if you're committing this type of crime, don't have a PowerPoint deck explaining how you're going about committing the crime. It's bad news.

So the first one they did, they targeted a law firm in 2014. They were targeting the email systems, and that's where they were able to get access. They were able to see what emails the lawyers were sending; they were looking for any sort of information that might help them, looking for things like mergers and acquisitions in particular. Most of the law firms that were targeted were in New York. They really knew who the target was, and some of these law firms were actually representing very large companies; that's how they were able to get access to this. So one was the Roche acquisition of InterMune; another one was the Intel acquisition of a company called Altera. They were able to take this information and trade on it and make quite a bit of money. They did another one in April 2015, this time a different law firm; it was the Pitney Bowes acquisition of Borderfree. And then they created a number of brokerage accounts and they netted about three million dollars, and that's quite a bit of money to make over two years, right? So that's really helpful. And then this is their trades and how much they made. You'll see that there's one person, this is how much they made, and then they also charged them interest on that, and there's a civil penalty that goes along with that as well. And you'll see one of them didn't have a civil penalty associated with it; the reason for that is because that is actually one of the other guys' mom. He created a brokerage account for his mom and he invested in it so she could make a lot of money. Luckily she didn't get a criminal record, because she had no idea that her son was involved in the crime, but that sucks: all of a sudden you have all this money and you come to find out you don't get to keep it.

There was another group that was targeting; it was the FIN4 group, primarily spear-phishing campaigns, and the goal again was to compromise credentials for email accounts. This time they were targeting pharmaceutical companies. What they were looking for is information maybe on FDA approvals and things like that: if a particular drug is going to be approved, that's going to increase that company's revenue and of course the stock is going to skyrocket, so that's what they were really looking for.

So some of the things I was looking at is how some of these traders actually are monitored. So if you are trading stocks during the day, there's a lot of monitoring that takes place; they'll even monitor your Skype conversations and things like that. But they don't necessarily monitor anything outside of that, so when you go home they're not monitoring your cell phone or anything like that. So some of these folks are actually pretty savvy about using some clandestine communications. There was a case with a guy named Daniel Rivas. He actually worked at Bank of America; he was working on an IT project and he basically had access to this huge database of information about these companies, particularly things that were around mergers and acquisitions. Now he's not a trader himself, didn't really know anything about that, but he had a new girlfriend, and her father was a huge trader; he really knew what he was doing, he actually managed a huge fund. So what he actually did is they started writing what looked like love notes to his girlfriend, but it actually was kind of a code, and he was able to send that, she would then get that to her father, and then her father would be able to say, yes, I need to buy this stock at this time, right? As a result of that, pretty good setup; they would not have gotten caught, like there was no way, because there was no real digital trail. But guess what happened: they got greedy and arrogant. James Moodhe, he also got one of his other buddies involved in this, and he was helping them; he gave him some of this data. But then one of Daniel's friends was having some financial difficulties, so he helped him out, so he started giving him some of this information and they started trading on it. This time they started using, the indictment didn't say specifically what chat app, but it was like a time-bombed encrypted chat app. The problem is, one of them, Daniel, would delete those messages, but his friends didn't, so when the police confiscated the phone they were actually able to see some of those communications, and they were able to identify the whole scheme.

So kind of thinking about this: what is the target of this? If you're targeting non-public data, you're looking at things like earnings reports; it can be patent information, any sort of M&A activity, FDA status, as we saw with the pharma; vulnerabilities, I think if you identify a vulnerability in the iPhone or a system and you know that before anyone else, that might have an impact on the stock as well, right? So the hackers out there, you know, you might have a way to make some money. Or breaches: remember when Equifax happened, there were some interesting things that occurred; there was a bunch of the executives that had sold some stock before it was actually announced, right? What they actually found was that wasn't criminal, because it was actually scheduled beforehand; they actually go through that process. Except for one guy that worked as one of the CTOs for the organization; he found out about it and he went and sold a bunch of his stock, and he got busted for insider trading and he's spending some time in jail.

So some of the organizations, too, I would also say manufacturing yield, so even the factories: if I can tell how much product they're actually making, that could give me an idea of revenues, so if I target a factory, think about IoT security. Any sort of formulas, right? Maybe I want to get the Coke formula; that could be useful information. But some of the organizations that are going to be targeted are your legal firms, your M&A firms, PR firms, investor relations, factories; I even think the security teams, right, for the breaches and vulnerabilities. And then also look at the company: who has access to some of this data? I would look at HR, legal, marketing, right? They have access to a lot of this data and they might be targeted as well.

So I think it's really important to ensure that we're actually logging all the things. A lot of times organizations may just be logging things at the firewall level, but I believe that there is a good reason to have security data for anything, right? So I think any sort of application, web application or anything like that, you at least want to be logging your authentication logs and keeping an eye on that; IP addresses are going to be really valuable information. And not just the technical data sources, but really think about non-technical data sources, so it can be everything like personnel records and things like that. I was actually on site with a customer this week and was working on an insider threat scenario, and there was a situation where one of the employees, you know, he made maybe fifty-five, sixty thousand dollars a year, and all of a sudden he pulled up in a brand new Tesla, and his friends were really impressed with this; they were trying to figure out how he was making some of that money. Come to find out he was actually taking some data from the company and selling it to a competitor. So that's pretty brazen. So if you were doing this type of crime and you don't have that type of income level, hold on to your cash and don't go buy Teslas to raise red flags. I think that's how the guy from the Silk Road got caught too; he ended up buying a Tesla he shouldn't have been able to afford, right?

So I do a lot with insider threat. I actually stole this from a former CTO at the FBI. You guys are probably familiar with the Lockheed Martin kill chain; that's a little bit different when you're dealing with insiders, someone that might want to sell this type of information. So this is actually what they used for investigating agents, right? This is kind of the mindset, because there's usually this sort of recruitment and tipping point, and that can be a situation where it could be a financial situation; a lot of times, like marital status, things like that can trigger some of this stuff. It can also be a situation where someone's mad at the organization; maybe they got passed over for a promotion or maybe they've had disciplinary action, right? So I work with organizations to actually kind of facilitate the communication between HR and the security teams to at least start creating watch lists, right, and maybe have more verbose logging for those particular users in our environment. Just because, you know, they're going through a hard time doesn't necessarily mean they're malicious, but if they have escalated privileges I want to maybe keep a closer eye on those folks; they're a higher risk to my organization than maybe some of the other ones. Then they'll actually conduct search and recon: so what data do I actually have access to? Can I actually get access to the investor relations server? Let me see, maybe my user credentials will give me access to that; sometimes they won't. Any other information that I might be able to access that I could sell. Then they'll actually do the acquisition and collection. So this search and recon side of it, as well as the acquisition and collection, that's an area where a lot of times you can detect this, either using DLP or at least monitoring the authentication of some of these systems. Sorry, getting over a cold. So, yes, and then before they can actually do some damage. So I deal a lot with other weird cases too, where, you know, it can be something else, things like that, or sabotage, right; there's other types of actions that they might be able to take.

So that's pretty much it. I kind of went through this really quickly, I apologize, but if you guys have any questions, ideas or stock tips, feel free to email me; here's my contact information. Do you guys have any questions? Questions? Cool. Well, thanks again for having me. Oh, question in the back? Yeah, Splunk's publicly traded; we're doing pretty good. So, great, well, thanks a lot for having me, I really appreciate it. So this is the first Salt Lake City BSides? Okay, it's the first time I've been here, so it's great; thanks for having me. I'm going to go drink some High West whiskey. [Applause]
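Two of the investigative checks the talk describes are mechanical enough to show in code: joining the newswires' user-authentication logs against brokerage login logs on source IP (the hackers forgot to turn off their proxies, so the same addresses appeared on both sides), and comparing a trader's win rate before and after the date they gained access to the stolen releases. The block below is an added example written for this page; it is not code from the talk, from Splunk, or from any of the cases. The log line format (timestamp, organization, user, source IP), the organizations, users, IP addresses, dates and trades are all constructed for the example.

```python
"""Cross-organization log correlation and a before/after trading anomaly,
as an added, offline example. All log lines and trades are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs. Assumed line format: "<ISO-8601 ts> <org> <user> <ip>".
NEWSWIRE_AUTH_LOG = """\
2015-03-02T13:04:11Z marketwired svc_upload 203.0.113.7
2015-03-02T13:05:40Z marketwired jsmith 198.51.100.23
2015-03-03T09:12:03Z prnewswire editor2 203.0.113.7
2015-03-04T17:45:19Z prnewswire editor2 192.0.2.55
"""
BROKERAGE_LOGIN_LOG = """\
2015-03-02T13:30:02Z brokerA acct-1182 203.0.113.7
2015-03-02T20:10:55Z brokerB acct-7740 192.0.2.201
2015-03-05T08:02:31Z brokerA acct-1182 203.0.113.7
2015-03-05T08:40:00Z brokerC acct-0091 192.0.2.55
"""


def parse_log(text):
    """Parse the assumed four-field format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, org, user, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "org": org, "user": user, "ip": ip,
        })
    return events


def correlate_by_ip(newswire_events, brokerage_events, window=timedelta(days=7)):
    """Return {ip: {"newswire": {(org, user)}, "brokerage": {(org, user)}}} for
    every source IP that authenticated to a newswire and logged into a brokerage
    account within `window` of each other. IPs seen on only one side are dropped;
    the join across the two organizations' logs is the useful part."""
    newswire_by_ip = defaultdict(list)
    for e in newswire_events:
        newswire_by_ip[e["ip"]].append(e)
    hits = {}
    for b in brokerage_events:
        for n in newswire_by_ip.get(b["ip"], []):
            if abs(b["ts"] - n["ts"]) <= window:
                h = hits.setdefault(b["ip"], {"newswire": set(), "brokerage": set()})
                h["newswire"].add((n["org"], n["user"]))
                h["brokerage"].add((b["org"], b["user"]))
    return hits


# Constructed closed trades for one account: (close date, realised P&L in USD).
ACCESS_DATE = datetime(2015, 3, 2)  # assumed date the account gained access to stolen data
SAMPLE_TRADES = [
    (datetime(2015, 1, 12), -1_400.0),
    (datetime(2015, 1, 30), 300.0),
    (datetime(2015, 2, 10), -2_050.0),
    (datetime(2015, 2, 24), -600.0),
    (datetime(2015, 3, 3), 41_900.0),
    (datetime(2015, 3, 9), 12_300.0),
    (datetime(2015, 3, 20), 38_750.0),
    (datetime(2015, 4, 2), 9_100.0),
]


def win_rate_shift(trades, access_date):
    """Split closed trades at `access_date` and return (win rate before, win rate
    after), counting a trade as a win when its P&L is positive. A jump from mostly
    losing to near-perfect is the "suddenly started winning" anomaly the talk
    describes investigators using against the "I just know what I'm doing" defense."""
    def rate(rows):
        return sum(1 for _, pnl in rows if pnl > 0) / len(rows) if rows else 0.0
    before = [t for t in trades if t[0] < access_date]
    after = [t for t in trades if t[0] >= access_date]
    return rate(before), rate(after)


if __name__ == "__main__":
    hits = correlate_by_ip(parse_log(NEWSWIRE_AUTH_LOG), parse_log(BROKERAGE_LOGIN_LOG))
    for ip, sides in sorted(hits.items()):
        print(ip, "newswire:", sorted(sides["newswire"]), "brokerage:", sorted(sides["brokerage"]))
    print("win rate before/after access:", win_rate_shift(SAMPLE_TRADES, ACCESS_DATE))
```

On the constructed data, 203.0.113.7 and 192.0.2.55 are the two addresses that touch both a newswire account and a brokerage account inside the window, while the brokerage-only and newswire-only addresses drop out; the sample account goes from a 25% win rate to 100% after the access date. In practice the interesting part is getting both organizations' authentication logs in the first place, which is exactly what the talk says Marketwired could not provide.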