Russian infosec boss gets nine years for $100M insider-trading caper using stolen data

Vladislav Klyushin, the Russian owner of security penetration testing firm M-13, was jailed for nine years in the US on Thursday for his involvement in a cyber-crime operation that stole top corporations' confidential financial information to make $93 million through insider trading.

Klyushin (sometimes spelled Kliushin), 42, hails from Moscow, Russia. He was arrested in Sion, Switzerland, in March 2021 after arriving on a private jet for a family holiday, and was then extradited to America to face trial. He was charged with securities fraud, wire fraud, gaining unauthorized access to computers, and conspiracy, and found guilty in February. His alleged Russian co-conspirators, Ivan Ermakov and Nikolai Rumiantcev, remain at large.

Essentially, Klyushin was part of a crew who broke into computer networks to steal companies' financial filings before they were made public so that stock could be illegally traded with that privileged info.

Ermakov, a former officer in the Russian Main Intelligence Directorate (GRU), was previously indicted in July 2018 with participating in a scheme to compromise the 2016 election in the United States. He was also indicted in October 2018 for participating in computer crimes and disinformation operations targeting anti-doping sports agencies and officials.

Two other Russians, Mikhail Vladimirovich Irzak and Igor Sergeevich Sladkov, were charged separately for allegedly participating in the stock-gaming scheme. They too remain at large.

"Klyushin hacked into American computer networks to obtain confidential corporate information that he used to make money illegally in the American stock market," said Acting US Attorney Joshua Levy for the District of Massachusetts, in a statement.

"He thought he could get away with his crimes by perpetrating them from a foreign base, hidden behind layers of fake domain names, virtual private networks, and computer servers rented under pseudonyms and paid for with cryptocurrency."

According to the US Justice Department, Klyushin, Ermakov, and Rumiantcev worked at Moscow-based penetration testing firm M-13, which claimed various Russian government ministries as clients.

• US, UK sanction more Russians linked to Trickbot
• Big Tech has failed to police Russian disinformation, EC study concludes
• Kremlin-backed Sandworm strikes Android devices with data-stealing Infamous Chisel
• Meta reckons China's troll farms could learn proper OpSec from Russia's fake news crews

It's alleged that from about January 2018 through September 2020, the three men broke into the networks of Donnelley Financial Solutions (DFIN) and Toppan Merrill – hired by public companies to handle their SEC financial filings – and deployed malware to capture employee credentials. With these credentials, the defendants are said to have accessed corporate financial reports that had not yet been made public.

They allegedly traded on this information to buy and sell the stock of firms such as Tesla, Snap, Roku, Avnet, and Capstead Mortgage. In doing so, they made about $93 million.

Klyushin, according to court documents [PDF], personally made about $21 million from the insider trading scheme, and to cover the amount made by his company and through sharing in the profit of investor trades, the government asked for forfeiture on the order of $36.6 million. The sentencing order indicates that the judge approved the forfeiture proposal.

Klyushin's attorney Maksim Nemtsev argued for a sentence of no more than 36 months in a memorandum [PDF] to the judge, considering his "admirable traits." The memo cites various letters from acquaintances attesting to Klyushin's character. And it argues that Klyushin himself did not direct the network intrusion, which is said to have involved the use of the Empire exploit framework and Mimikatz, a credential-dumping utility.

According to the memo, the DFIN network had been compromised several months prior to the commencement of the alleged scheme. It says, "Daron Hartvigsen, a cybersecurity specialist for DFIN, testified that his team located Empire PowerShell activity (activity that he associated with unauthorized intrusions) on their systems as early as September of 2017." Nemtsev's memo says, citing the court record, that further Empire malware activity was detected in November 2019.

DFIN did not immediately respond to a request to confirm that account and to provide further detail about the network intrusion. ®