A US court has sentenced a Russian businessman to nine years in prison for an elaborate corporate hacking scheme that defrauded American businesses to the tune of approximately $93m.
Vladislav Klyushin, 42, from Moscow, Russia, was also ordered to forfeit $34,065,419 and pay restitution in an amount that will be determined at a later date by the federal court in Boston, Massachusetts.
This followed Klyushin’s conviction for securities fraud, wire fraud, gaining unauthorized access to computers, and conspiracy to commit those crimes by a jury in February 2023.
The jury found that Klyushin hacked into the computer networks of two US-based filing agents that publicly-traded companies used to make quarterly and annual filings through the US Securities and Exchange Commission (SEC).
To do so, he deployed “malicious infrastructure” capable of harvesting and stealing employees’ login information. To conceal the origins of the attacks, Klyushin used proxy computer networks outside of Russia.
This gave him access to non-public information, such as quarterly and annual earnings reports of hundreds of companies that had not yet been filed with the SEC. Klyushin used this information to make trading decisions – knowing ahead of time whether a company’s share price would likely rise or fall following its public earnings announcement.
Many of the illegally obtained earnings reports were downloaded through a computer server located in downtown Boston.
In total, Klyushin netted around $93m from roughly $9m investment in earnings trading between January 2018 and September 2020.
It is alleged that he conspired with four other Russians to commit the offenses – Ivan Ermakov, Nikolai Rumiantcev, Mikhail Vladimirovich Irzak and Igor Sergeevich – all of whom remain at large.
Klyushin, along with alleged co-conspirators Ermakov and Rumiantcev, worked at M-13, a cybersecurity company offering penetration testing and Advanced Persistent Threat (APT) emulation services. The same techniques advertised by M-13 to customers were utilized in the attacks the attacks.
M-13’s website also indicated that its “IT solutions” were used by numerous Russian government agencies.
Acting United States Attorney Joshua S. Levy commented: “[Klyushin] thought he could get away with his crimes by perpetrating them from a foreign base, hidden behind layers of fake domain names, virtual private networks, and computer servers rented under pseudonyms and paid for with cryptocurrency. He found out otherwise, and will now spend nearly a decade of his life in a US prison.”
Levy said the case should send a message to criminals around that world that their location does not provide anonymity and the reach of American law enforcement is long.
“Anyone who defrauds American companies, markets or investors, will be found and prosecuted, regardless of where they hide, or how long it takes,” he added.
Klyushin was arrested in Switzerland in March 2021 and extradited to the US in December 2021.