`
`UNITED STATES DISTRICT COURT
`DISTRICT OF MASSACHUSETTS
`
`U.S. SECURITIES AND EXCHANGE
`COMMISSION,
`
`
` Plaintiff,
`
`v.
`
`
`VLADISLAV KLIUSHIN
`(a/k/a VLADISLAV KLYUSHIN),
`NIKOLAI RUMIANTCEV
`(a/k/a NIKOLAY RUMYANTCEV),
`MIKHAIL IRZAK,
`IGOR SLADKOV, and
`IVAN YERMAKOV
`(a/k/a IVAN ERMAKOV),
`
`
`Defendants.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Civil Action No. 21-CV-12088
`
`COMPLAINT
`
`Jury Trial Demanded
`
`Plaintiff Securities and Exchange Commission (“SEC”) alleges as follows against
`
`
`
`Vladislav Kliushin, a/k/a Vladislav Klyushin (“Kliushin”), Nikolai Rumiantcev, a/k/a Nikolay
`
`Rumyantcev (“Rumiantcev”), Mikhail Irzak (“Irzak”), Igor Sladkov (“Sladkov,” and together
`
`with Kliushin, Rumiantcev, and Irzak, the “Trader Defendants”), and Ivan Yermakov, a/k/a Ivan
`
`Ermakov (“Yermakov”), and together with the Trader Defendants, “Defendants”).
`
`SUMMARY
`
`1.
`
`This action involves Defendants’ fraudulent scheme to deceptively obtain
`
`material nonpublic pre-release earnings announcements of companies with shares of stock
`
`publicly traded on U.S. securities exchanges by hacking into the computer systems of two
`
`
`
`1
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 2 of 39
`
`service-provider firms, and to use the hacked information to profit by trading in advance of the
`
`public release of the earnings information.
`
`2.
`
`The service-provider firms that were hacked by Defendants, hereinafter referred
`
`to as the “Servicers,” assist publicly traded companies with the preparation and filing of periodic
`
`and other reports with the SEC, including reports containing the public companies’ earnings
`
`information. The Servicers help the public companies file the reports with the SEC through the
`
`SEC’s online Electronic Data Gathering, Analysis and Retrieval (“EDGAR”) system.
`
`3.
`
`Beginning no later than February 2018 and continuing until at least August 2020
`
`(the “Relevant Period”), Yermakov, a Russian hacker who is the subject of two pending federal
`
`criminal indictments, made material misstatements and used deceptive devices and contrivances
`
`to obtain material nonpublic information about securities issuers stored on the Servicers’
`
`computer systems. This included the use of compromised credentials of the Servicers’
`
`employees (e.g., usernames and passwords that did not belong to Yermakov), malware, and other
`
`computer hacking techniques.
`
`4.
`
`Yermakov hacked into the Servicers’ systems for the purpose of accessing and
`
`downloading corporate earnings announcements and then providing that information to other
`
`individuals to profitably trade securities based upon the hacked earnings announcements. The
`
`earnings announcements contained material information about the public companies’ earnings
`
`that had not yet been made public.
`
`5.
`
`Yermakov, directly or indirectly, provided and communicated the hacked,
`
`deceptively-obtained pre-release earnings announcements and/or access to those announcements
`
`through the Servicers’ systems, to the Trader Defendants.
`
`
`
`2
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 3 of 39
`
`6.
`
`Using these hacked, deceptively-obtained pre-release earnings announcements,
`
`the Trader Defendants made timely trades in the securities of the Servicers’ public company
`
`clients, collectively reaping unlawful profits of at least $82.5 million during the Relevant Period.
`
`7.
`
`As detailed more fully below, the Trader Defendants’ use of the hacked,
`
`deceptively-obtained, pre-release earnings announcements is reflected by, among other things,
`
`the fact that the trading occurred shortly after the hacking, images of pre-release earnings
`
`announcements in the possession of certain Trader Defendants, and the Trader Defendants’
`
`overwhelming focus on trading in the securities of the Servicers’ publicly-traded company
`
`clients, making it statistically almost impossible that their trading occurred by chance.
`
`8.
`
`The trades by the Trader Defendants were disproportionately focused around the
`
`earnings announcements of publicly-traded companies that used the Servicers to make their
`
`EDGAR filings, as compared to earnings announcements where the required EDGAR filings
`
`were not made through the Servicers. Indeed, statistical analysis shows that there is a less than
`
`one-in-one-trillion chance that the Trader Defendants’ choice to trade so frequently on earnings
`
`events tied to the EDGAR filings of the Servicers’ public company clients would occur at
`
`random.
`
`9.
`
`The Trader Defendants (as set forth in the details for each Trader Defendant
`
`throughout this complaint) provided substantial assistance to the fraudulent scheme, among other
`
`ways, by monetizing the hacked information through unlawful, illicit, and profitable securities
`
`trading based on the hacked pre-release earnings announcements, and by participating in
`
`transactions and business dealings that enabled them to share their trading profits with
`
`Yermakov. In this way, both Yermakov and the Trader Defendants were essential participants in
`
`
`
`3
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 4 of 39
`
`the fraudulent scheme, and all the Defendants acted with intent to deceive, manipulate, or
`
`defraud.
`
`10.
`
`By engaging in the misconduct described herein with the requisite scienter,
`
`Defendants violated, and, unless enjoined, will continue to violate and are likely in the future to
`
`violate the federal securities laws.
`
`NATURE OF PROCEEDING AND RELIEF SOUGHT
`
`11.
`
`The SEC brings this action pursuant to Section 20 of the Securities Act of 1933
`
`[15 U.S.C. §§ 77t(b)] (the “Securities Act”) and Sections 21(d) and 21A of the Securities
`
`Exchange Act of 1934 [15 U.S.C. §§ 78u(d) and 78u-1] (the “Exchange Act”) to enjoin the
`
`transactions, acts, practices, and courses of business in this Complaint, and to seek orders of
`
`disgorgement, civil money penalties, and further relief as the Court may deem appropriate.
`
`JURISDICTION AND VENUE
`
`12.
`
`This Court has jurisdiction over this action pursuant to Sections 20(b) and 22(a)
`
`of the Securities Act [15 U.S.C. §§ 77t(b) and 77v(a)] and Sections 21(d), 2l(e), 21A and 27 of
`
`the Exchange Act [l5 U.S.C. §§ 78u(d), 78u(e) 78u-l and 78aa].
`
`13.
`
`Each Defendant, directly or indirectly, made use of the means or instrumentalities
`
`of interstate commerce, or of the mails, or the facilities of a national securities exchange in
`
`connection with the transactions, acts, practices, and courses of business alleged herein.
`
`Yermakov provided hacked, deceptively-obtained, material nonpublic information to the Trader
`
`Defendants, who used the information to make securities trades that were cleared through U.S.-
`
`based brokerage firms and placed on multiple U.S. securities exchanges, and to purchase or sell
`
`certain derivatives that resulted in securities trades on multiple U.S. securities exchanges, in a
`
`manner that used the instrumentalities of interstate commerce.
`
`
`
`4
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 5 of 39
`
`14.
`
`Venue is proper in this Court pursuant to Section 22(a) of the Securities Act [15
`
`U.S.C. § 77v(a)] and Section 27 of the Exchange Act [15 U.S.C. § 78aa]. Certain of the acts,
`
`practices, transactions, and courses of business constituting the violations alleged in this
`
`Complaint occurred within the District of Massachusetts, and were effected, directly or
`
`indirectly, by making use of the means or instruments or instrumentalities of transportation or
`
`communication in interstate commerce, or of the mails, or the facilities of a national securities
`
`exchange. Specifically, numerous instances of unauthorized access to one of the Servicers’
`
`systems containing material nonpublic information originated from IP addresses leased to a
`
`virtual private network provider that had servers located at a data center in Boston,
`
`Massachusetts. Also, at least one of the public companies whose material nonpublic information
`
`was unlawfully obtained by Yermakov and then provided to the Trader Defendants, who
`
`unlawfully traded on the hacked information, is headquartered in Massachusetts. Furthermore,
`
`venue is proper because the Defendants, as foreign nationals residing outside the United States,
`
`may have suit brought against them in any district.
`
`
`
`DEFENDANTS
`
`15.
`
`Vladislav Kliushin, age 41, is a Russian citizen who resides in Moscow, Russia.
`
`Kliushin is the founder of a Russian media/information technology company (the “IT
`
`Company”) and serves as a director of IT Company. Kliushin traded securities, alone and in
`
`collaboration with Rumiantcev, using material nonpublic information hacked from the Servicers.
`
`Kliushin traded through eight brokerage accounts held in his name and a brokerage account held
`
`in the name of IT Company. Kliushin also traded through six other brokerage accounts that he
`
`and Rumiantcev controlled, as reflected by, among other evidence, (a) screen shots of
`
`information for these accounts in Kliushin’s possession; (b) electronic communications in which
`
`
`
`5
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 6 of 39
`
`Kliushin reported on trading in certain of the six accounts and provided passwords to two
`
`account holders so they could view the accounts; and (c) an IP address associated with IT
`
`Company that accessed these six other accounts as well as the accounts in Kliushin’s name.
`
`Twelve of the brokerage accounts that Kliushin held in his name or that he controlled were held
`
`at either a Cyprus-based brokerage firm or a United Kingdom-based brokerage firm, both of
`
`which cleared their trades through U.S. brokerage firms. The other three accounts that Kliushin
`
`held in his name or that he controlled were held at a Danish brokerage firm and used by Kliushin
`
`primarily to trade “contracts for difference” (a type of security), which resulted in hedging
`
`transactions in U.S. markets.
`
`16.
`
`Nikolai Rumiantcev, age 33, is a Russian citizen who resides in Moscow, Russia.
`
`Rumiantcev is a director of IT Company along with Kliushin. Rumiantcev traded securities,
`
`alone and in collaboration with Kliushin, using material nonpublic information hacked by
`
`Yermakov from the Servicers. Rumiantcev traded through a brokerage account held in his own
`
`name and had power of attorney and/or trading authority over eight brokerage accounts held in
`
`Kliushin’s name and a brokerage account held in the name of IT Company. The accounts held in
`
`Rumiantcev’s name and the name of IT Company were held at a Cyprus-based brokerage firm,
`
`which cleared its trades through a U.S. brokerage firm. Rumiantcev and Kliushin also controlled
`
`trading in six other brokerage accounts, as described above in paragraph 15. Between at least
`
`July 2018 and August 2020, Kliushin and Rumiantcev used the above-described accounts to
`
`trade based on material nonpublic information hacked by Yermakov from the Servicers in
`
`advance of more than 300 earnings announcements.
`
`17. Mikhail Irzak, age 43, is a Russian citizen who resides in Saint Petersburg,
`
`Russia. Irzak holds himself out as a marketing manager for a Russian telecommunications
`
`
`
`6
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 7 of 39
`
`company. Beginning no later than April 2018 and continuing until at least August 2020, Irzak
`
`traded securities based on material nonpublic information hacked by Yermakov from the
`
`Servicers in advance of more than 400 earnings announcements. Irzak used three brokerage
`
`accounts held in his name to engage in the trading. Irzak held one of these accounts at a Cyprus-
`
`based brokerage firm and another account at a Portugal-based brokerage firm, both of which
`
`cleared their trades through a U.S. brokerage firm. Irzak held his third account at the same
`
`Danish brokerage firm used by Kliushin; like Kliushin, Irzak used his Danish account primarily
`
`to trade contracts for difference, which resulted in hedging transactions in U.S. markets.
`
`18.
`
`Igor Sladkov, age 42, is a Russian citizen who resides in Saint Petersburg,
`
`Russia. In correspondence with his broker, Sladkov represented that he worked in the
`
`information technology and media services business from approximately 2012 through 2017.
`
`Beginning no later than February 2018 and continuing through at least August 2020, Sladkov
`
`used an account in his name to regularly trade securities based on material nonpublic information
`
`hacked by Yermakov from the Servicers in advance of more than 200 earnings announcements.
`
`Sladkov held this account at a Cyprus-based brokerage firm, which cleared its trades through a
`
`U.S. brokerage firm. As early as 2018, Sladkov knew that Yermakov was sought by the Federal
`
`Bureau of Investigation for his role in hacking conspiracies for which he was indicted that year.
`
`19.
`
`Ivan Yermakov, age 35, is a Russian citizen who resides in Moscow, Russia.
`
`Yermakov served as a Russian military intelligence officer in the Russian Federation’s Main
`
`Intelligence Directorate of the General Staff (“GRU”). Yermakov is a director of IT Company
`
`founded by Kliushin and for which Kliushin and Rumiantcev serve as directors. Yermakov is
`
`also a long-time friend of Sladkov. In July and October 2018, the Department of Justice charged
`
`Yermakov in federal indictment numbers CR 18-215 in the U.S. District Court for the District of
`
`
`
`7
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 8 of 39
`
`Columbia and CR 18-263 in the U.S. District Court for the Western District of Pennsylvania for
`
`his alleged roles in a hacking conspiracy involving gaining unauthorized access into the
`
`computers of U.S. persons and entities involved in the 2016 U.S. presidential election and
`
`hacking operations targeting anti-doping agencies, sporting federations, and anti-doping officials.
`
`Yermakov also had access to at least one of the accounts held in Kliushin’s name that traded on
`
`information hacked from the Servicers.
`
`THE HACKED SERVICERS
`
`20.
`
`Servicer A is a Delaware corporation headquartered in Chicago, Illinois that,
`
`among other things, assists companies with the preparation and filing with the SEC of periodic
`
`and other reports, including reports containing earnings information.
`
`21.
`
`Servicer B is a division of a foreign company, which has offices in various U.S.
`
`locations. Servicer B assists companies with preparation and filing with the SEC of periodic and
`
`other reports, including reports containing earnings information.
`
`
`
`
`
`TERMS USED IN THIS COMPLAINT
`
`Short-Selling
`
`22.
`
`“Short-selling” is the sale of a security not owned by the seller and is a technique
`
`used to take advantage of an anticipated decline in the price of the security. An investor borrows
`
`stock for delivery at the time of the short sale. If the seller can buy that stock later at a lower
`
`price, then a profit results; if, however, the price of the stock rises, then a loss results.
`
`Contracts for Difference
`
`A contract for difference, or “CFD,” is a stock derivative, which is an agreement
`
`23.
`
`between two parties to exchange the difference in value of an underlying stock between the time
`
`that the contract is opened and the time that it is closed. If the share price of the underlying
`
`
`
`8
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 9 of 39
`
`security increases, then the seller pays this difference to the buyer. If, however, the share price
`
`of the underlying security declines, then the buyer must pay the seller the difference. Generally,
`
`an investor who anticipates an increase in the price of a security will buy a CFD; an investor who
`
`anticipates a decrease in the price of the referenced security will sell a CFD. A CFD typically
`
`mirrors the movement and pricing of its underlying stock on a dollar-for-dollar basis, such that
`
`any fluctuation in the market price of the underlying security is reflected in the unrealized gain or
`
`loss of the CFD position.
`
`24.
`
`The trading at issue in this action includes the Trader Defendants’ purchases and
`
`sales of CFDs referencing the stock of the Servicers’ public company clients based on the
`
`hacked earnings announcements. The CFD provider that facilitated the Trader Defendants’
`
`trades at issue in this action generally hedged the Trader Defendants’ CFD trades by entering
`
`into transactions with U.S.-based broker-dealers, which resulted in those broker-dealers
`
`executing trades in the securities underlying the CFDs in the U.S. equity markets.
`
`
`An “internet protocol address,” or “IP address,” is a unique number required for
`
`IP Address
`
`25.
`
`online activity conducted by a computer or other device connected to the internet. Computers
`
`use the unique identifier to send data to specific computers on a network.
`
`26.
`
`Often, IP addresses can be used to identify the geographic location of the server
`
`through which a computer accessed the internet. Thus, in simple terms, an IP address is like a
`
`return address on a letter.
`
`27.
`
`An individual can conceal the IP address from which he or she is accessing the
`
`internet through a number of different techniques and tools, such as a “virtual private network”
`
`
`
`9
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 10 of 39
`
`or “VPN.” Such means enable individuals to assume and use IP addresses different than their
`
`own, including IP addresses associated with different geographical regions.
`
`
`A “domain” is an identifier that refers to a group of internet resources under
`
`Domain
`
`28.
`
`common administration, authority, or control. For example, “sec.gov” is a domain for which the
`
`United States government has authority and that is administered by the SEC.
`
`Virtual Machine
`
`A virtual machine is a resource created by software, instead of a physical
`
`29.
`
`computer, in order to run an operating system like Microsoft Windows. A relatively powerful
`
`physical computer, such as a server in a datacenter, is loaded with a host operating system and
`
`runs one or more virtual machines with their own operating systems, each isolated from the
`
`activities of the other.
`
`Malware
`
`“Malware” is software that is intended to damage or disable computers or
`
`30.
`
`computer networks or installed security and access controls, usually installed using deception
`
`and without the computer or network user’s knowledge.
`
`FACTS
`
`Overview of the Hack-to-Trade Scheme
`
`The Hacking and Trading
`
`The Servicers provide proprietary, cloud-based software platforms to facilitate
`
`31.
`
`public companies’ filing of periodic and other reports with the SEC. The Servicers’ public
`
`company clients’ filings include, among other things, Forms 8-K and related exhibits, which
`
`consist of press releases containing the public companies’ earnings announcements. The
`
`
`
`10
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 11 of 39
`
`Servicers’ public company clients can use the Servicers’ software platforms to create, edit, and
`
`submit their filings to the SEC via the SEC’s EDGAR filing system.
`
`32.
`
`Information contained in pre-release earnings announcements was nonpublic
`
`because it had not yet been disseminated to the public through publication or filing designed to
`
`achieve a broad dissemination to the investing public generally and without favoring any special
`
`person or group. In addition, information contained in pre-release earnings announcements was
`
`material. The issuers’ earnings information would have been important to the reasonable
`
`investor, and viewed by the reasonable investor as having significantly altered the total mix of
`
`information made available. Earnings information is material because it relates, among other
`
`things, to an issuer’s financial condition, solvency, and profitability. For example, public
`
`disclosure of earnings information frequently leads to a change in the price of a company’s stock.
`
`It is common for financial analysts to estimate and/or model a given company’s quarterly or
`
`annual earnings. The market reaches a consensus expectation based in part on these different
`
`estimates. When a company releases its earnings announcements, the price at which shares of
`
`that company’s stock trade often increases (if earnings exceed market expectations) or decreases
`
`(if earnings fall short of market expectations).
`
`33.
`
`Typically, the Servicers’ public company clients begin the filing process for an
`
`earnings announcement by loading a draft earnings announcement onto the Servicer’s platform.
`
`Once loaded, the public company client can edit the draft earnings announcement on the
`
`Servicer’s platform, before finalizing the earnings announcement and releasing the final version
`
`to the public via a newswire, and filing the announcement with the SEC as an attachment to a
`
`Form 8-K called “Exhibit 99.1.” There is generally a window of several hours or days between
`
`the time that the public company client uploads the pre-release earnings announcement onto the
`
`
`
`11
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 12 of 39
`
`Servicer’s platform and the time at which the client publicly disseminates the final earnings
`
`announcement through a newswire and the filing of the Form 8-K with the SEC. The
`
`Defendants exploited this window by deceptively acquiring draft earnings announcements and
`
`placing trades based on material nonpublic information contained in draft earnings
`
`announcements before that information was made public.
`
`34.
`
`Beginning no later than February 2018 and continuing until at least August 2020,
`
`Defendants engaged in an unlawful scheme in which:
`
`a. Yermakov made material misstatements, used deceptive means, and
`
`engaged in deceptive acts to gain unauthorized access into the Servicers’
`
`systems. These included use of compromised credentials of the Servicers’
`
`employees, malware, and other computer hacking techniques;
`
`b. Once Yermakov gained unauthorized access into the Servicers’ systems,
`
`Yermakov targeted and unlawfully accessed and downloaded pre-release
`
`earnings announcements of the Servicers’ public company clients;
`
`c. Yermakov, directly or indirectly, provided and communicated the
`
`deceptively-obtained, pre-release earnings announcements and/or access to
`
`the announcements through the Servicers’ systems for trading purposes to
`
`the Trader Defendants;
`
`d. Before the public dissemination of the earnings announcements, the Trader
`
`Defendants placed trades in the securities of the Servicers’ public company
`
`clients on the basis of what they were aware was deceptively-acquired,
`
`material nonpublic information provided by Yermakov. If the pre-release
`
`earnings announcement indicated that the public company client’s stock
`
`
`
`12
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 13 of 39
`
`price was likely to increase, then the Trader Defendants bought stock in the
`
`company or CFDs referencing the company. If the pre-release earnings
`
`announcement indicated that the public company client’s stock price was
`
`likely to decline, then the Trader Defendants sold short shares of the
`
`company’s stock or sold CFDs referencing the company; and
`
`e. Once the earnings announcements were made public and the public
`
`company clients’ stock prices moved (as the market learned the previously
`
`undisclosed material nonpublic information), the Trader Defendants closed
`
`out their trading positions, reaping substantial profits.
`
`35.
`
`The Trader Defendants used the information hacked and deceptively-obtained
`
`from the Servicers’ systems by Yermakov to realize at least $82.5 million in illicit profits
`
`between February 2018 and August 2020.
`
`Yermakov’s Relationships and Profit-Sharing
`with the Trader Defendants
`
`
`Yermakov had ongoing professional and personal relationships with each of the
`
`36.
`
`Trader Defendants, including through Yermakov’s role as a co-director of IT Company (along
`
`with Kliushin and Rumiantcev). Yermakov’s ongoing relationships and business dealings with
`
`Kliushin and Rumiantcev provided opportunities to funnel profits from their illicit trading to
`
`Yermakov as compensation for providing them access to the hacked earnings information.
`
`Together with Kliushin and Rumiantcev, Yermakov also had access to at least one of the
`
`accounts held in Kliushin’s name that traded based on hacked, deceptively-obtained, pre-release
`
`earnings announcements that Yermakov provided and communicated, directly or indirectly, to
`
`Kliushin and Rumiantcev.
`
`
`
`13
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 14 of 39
`
`37.
`
`Yermakov also had ongoing professional and personal relationships with Irzak
`
`and Sladkov, including through a long-time friendship with Sladkov. Yermakov engaged in
`
`various business activities with Irzak and Sladkov, through which they were able to funnel
`
`profits from their illicit trading to Yermakov as compensation for providing them access to the
`
`hacked earnings information.
`
`38.
`
`Yermakov, directly or indirectly, shared in the profits of the Trading Defendants’
`
`unlawful and illicit trading. This is demonstrated through Yermakov’s access to a brokerage
`
`account in which some of the illicit trading occurred (as alleged above in paragraph 36), his
`
`communications, and other evidence. For example, Yermakov communicated with Kliushin
`
`about the trading profits realized from their illicit trading on hacked, deceptively-obtained, pre-
`
`release earnings announcements provided by Yermakov. Specifically, on May 25, 2019,
`
`Yermakov and Kliushin exchanged text messages, in Russian, about Kliushin’s trading success.
`
`Kliushin told Yermakov that he counted 198 percent profitability in one account and 69 percent
`
`profitability in another. Kliushin then commented, “They don’t even ask why so anymore.”
`Yermakov responded with thumbs up 👍👍 and tears of joy 😂😂 emojis. An emoji is a small image
`or symbol used in text fields in electronic communications, such as text messages, to convey
`
`information or the emotional attitude of the writer.
`
`39. Moreover, in a June 2020 text message exchange, Yermakov remarked to
`
`Kliushin, in Russian, that they needed to go to work to make money to buy an apartment.
`
`Kliushin responded that there was no need to do that, because they just had to “turn on the
`
`computer” to make money, an apparent reference to Defendants’ illicit hacking and trading
`
`activities. Meanwhile, emails from the second half of 2019 and early 2020 indicate that
`
`Yermakov and Irzak were jointly communicating with a management company relating to an
`
`
`
`14
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 15 of 39
`
`apartment, and that Irzak agreed to purchase real estate from a relative of Yermakov for the
`
`equivalent of approximately $1 million.
`
`40.
`
`As directors of IT Company, Yermakov, Kliushin, and Rumiantcev all potentially
`
`stood to share in trading profits made by IT Company through the trading account held in IT
`
`Company’s name, or directed to IT Company from other trading accounts in the names of or
`
`controlled by Rumiantcev and Kliushin. A September 2020 communication between
`
`Rumiantcev and Kliushin states that IT Company was to receive 60 percent of the profits from
`
`one of the trading accounts controlled by Rumiantcev and Kliushin. An image in Kliushin’s
`
`possession included a list, in Russian, of balances in multiple accounts that were in Kliushin’s
`
`name or controlled by Kliushin, and one of these accounts was held in the name of IT Company.
`
`41.
`
`During the course of the hacking and trading scheme, Yermakov also
`
`communicated with Irzak and Sladkov, who illicitly traded based on hacked, deceptively-
`
`obtained, pre-release earnings announcements that Yermakov, directly or indirectly, provided,
`
`and/or to which Yermakov provided access through the Servicers’ systems. Evidence that Irzak
`
`and Sladkov obtained from Yermakov, directly or indirectly, pre-release earnings
`
`announcements that Yermakov hacked and deceptively obtained from the Servicers, and then
`
`illicitly traded based on this information, includes the following:
`
`a.
`
`In February 2018, Sladkov possessed a digital photograph of the pre-release
`
`earnings announcement of a U.S. publicly traded company, which was also
`
`a Servicer A client. This photograph was created one day after Yermakov
`
`deceptively hacked the announcement from Servicer A’s system and less
`
`than three hours before Sladkov traded in the securities of the company.
`
`
`
`15
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 16 of 39
`
`Sladkov took a position in the securities of this issuer after the photograph
`
`was created, but before public release of the earnings announcement.
`
`b.
`
`In October 2018, Sladkov possessed a digital photograph of the pre-release
`
`earnings announcement of a U.S. publicly traded company, which was also
`
`a Servicer A client. The Trader Defendants took positions in the securities
`
`of this issuer after the photograph was created, but before public release of
`
`the earnings announcement.
`
`c. Other photographs in Sladkov’s possession show Irzak and Sladkov together
`
`with a laptop that they used to view hacked earnings announcements like
`
`those referenced in paragraphs 41(a) and 41(b) above.
`
`d.
`
`In May 2019, one day after Yermakov deceptively hacked the pre-release
`
`earnings announcement of a U.S. publicly traded company from Servicer
`
`A’s system, Yermakov exchanged market information about the company
`
`with Sladkov. After the hack, but before public release of the final earnings
`
`announcement, the Trader Defendants took positions in the securities of this
`
`issuer.
`
`e.
`
`Sladkov possessed lists of dozens of ticker symbols associated with the
`
`Servicers’ public company clients alongside dates of the public company
`
`clients’ earnings announcements.
`
`42.
`
`Yermakov and the Trader Defendants expected to profit from unlawful trading
`
`based on pre-release earnings announcements hacked and deceptively obtained by Yermakov.
`
`Based on their relationships and communications with Yermakov (as set forth in paragraphs 36
`
`to 41 directly above) as well as the close temporal proximity of their unlawful trading and
`
`
`
`16
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 17 of 39
`
`Yermakov’s hacking of the Servicers’ systems (as set forth in paragraphs 71 to 121 below), the
`
`Trader Defendants, directly or indirectly, shared with Yermakov the illicit profits that they
`
`made from trading based on the pre-release earnings announcements hacked and deceptively
`
`obtained by Yermakov.
`
`Yermakov’s Deceptive Hacks of the Servicers’ Systems
`
`43.
`
`Yermakov intentionally made material misstatements and employed a variety of
`
`deceptive and fraudulent devices, contrivances, artifices, practices, means, and acts to gain
`
`unauthorized access into the Servicers’ systems and download pre-release earnings
`
`announcements, including use of compromised credentials of the Servicers’ employees and
`
`malware. Yermakov also used anonymized IP addresses designed to conceal his identity.
`
`Yermakov’s repeated hacks continued against Servicer A for approximately two years and
`
`against Servicer B for approximately one year, before the Servicers detected Yermakov’s
`
`intrusions into their systems and took steps to mitigate them.
`
`Yermakov’s Deceptive Hacks of Servicer A
`
`By at least February 2018, without authorization from Servicer A, Yermakov
`
`
`44.
`
`obtained the credentials of a Servicer A employee, which the employee used in the course of his
`
`or her employment to access Servicer A’s system. Without authorization from Servicer A,
`
`Yermakov subsequently obtained the credentials of at least two additional Servicer A employees,
`
`which the employees used in the course of their employment to access Servicer A’s system.
`
`45.
`
`Beginning no later than February 2018 and continuing until at least August 2020,
`
`Yermakov made material misstatements, affirmatively misrepresented himself and his identity,
`
`and deceptively used the credentials of these Servicer A employees to gain unauthorized access
`
`into the Servicer’s system and to unlawfully access and download numerous pre-release earnings
`
`
`
`17
`
`
`
`Case 1:21-cv-12088 Document 1 Filed 12/20/21 Page 18 of 39
`
`announcements of Servicer A’s public company clients. By using the deceptively-obtained
`
`credentials, Yermakov f