US Law Firms Hacked by Chinese Nationals for $4M in Insider Trading Profits

Written by

Three Chinese nationals face US federal charges for allegedly hacking into two major law firms in a bid for insider trading information.

Iat Hong, Bo Zheng and Hung Chin have been charged with infiltrating the servers of two law firms in 2014 and 2015 and accessing nonpublic information about pending mergers and acquisitions. The three allegedly pilfered gigabytes upon gigabytes of documents with the use of malware on the firms’ web servers.

According to the indictment, the three then traded on that information about imminent deals in order to make $4 million in illegal profits.

They were also apparently incredibly tenacious: The indictment also alleges that the defendants launched at least 100,000 attacks on at least five other law firms between March and September 2015, trying to get unauthorized access.

“The attacks against law firms to gain secretive M&A information are going to become the next frontier of revenue generation for cybercriminals,” said Nathan Wenzler, principal security architect at AsTech Consulting, in an email. “While credit-card account theft has been big news in the past few years because of how it affects individuals at a very personal level, attacks aimed against intellectual property and proprietary financial dealings are becoming more popular with hackers due to the lucrative nature of exploiting this information.”

The indictment does not name the law firms, but details that Law Firm 1 advised Intel Corp. on its 2015 acquisition of Altera Corp. for $16.7 billion and represented a company that was in deal talks with InterMune Inc., which sold to Roche AG in 2014 for $8.9 billion. Law Firm 2 advised Pitney Bowes Inc. in the 2015 acquisition of New York-based e-commerce company Borderfree.

This information indicates that the hacked firms are likely to be Weil, Gotshal & Manges and Cravath, Swaine & Moore, according to Both have so far had no comment on the situation.

Greg Reber, CEO at AsTech Consulting, said that the two have a history of security incidents.

“These two firms represent Wall Street banks and Fortune 500 companies—Pitney Bowes, Intel, Roche AG, etc.  In other words, very big deals are made with their counsel. The bad news that should be shouted from every rooftop garden on top of buildings inhabited by expensive M&A law firms is this: this is not the first time these firms have been breached,” he told us. “Earlier this year, Cravath told the Wall Street Journal that an incident involved a ‘limited breach; of its systems and that the firm was ‘not aware that any of the information that may have been accessed has been used improperly.’ They were wrong.”

He added, “Law firms that believe they are protected by those little disclaimers at the bottom of emails should take note: Hackers simply don’t care about contracts.”

US Attorney Preet Bharara of the Southern District of New York echoed the sentiment: “This case of cyber-meets-securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber-hacking, because you have information valuable to would-be criminals.”

Hong, 26, was arrested on the charges on Dec. 25 in Hong Kong and is now facing extradition to the United States. Both Hung and Zheng remain at large. Meanwhile, the Securities and Exchange Commission also filed a parallel civil enforcement action that seeks an asset freeze to prevent the three from cashing out on other stocks they may have purchased as part of the scheme.

Photo ©

What’s hot on Infosecurity Magazine?