A Ukrainian hacker who was held at gunpoint by a gang of cocaine-sniffing cybercriminals helped the Securities and Exchange Commission blow the lid of of a high-profile breach case that had wrongly accused American day traders, according to a report.
Olga Kuprina, known by her online persona “Ghost in the Shell,” became a whistleblower for the federal agency in the shocking cyberattack that infiltrated the SEC’s Edgar filing system in 2016, Bloomberg News reported on Monday.
Surrounded by cocaine, laptops and armed men, Kuprina was trapped by a local crime boss, Artem Radchenko, in her Kyiv apartment and ordered to hack perhaps the world’s biggest repository of corporate filings, according to the outlet.
Radchenko allegedly hoped to sell unpublished filings for $200,000 apiece.
But as the doped-up Radchenko barked commands at Kuprina, she plotted her escape — desperate to return to her 7-year-old daughter and expose the cybercrime, according to Bloomberg News.
When she demanded payment for the hack, Radchenko allegedly broke her nose and refused to allow her to leave, according to Bloomberg News.
Kuprina, 34, later fled, contacted US authorities, and turned over hard drives and handwritten notes proving how she had accessed the SEC data.
“There were so many vulnerabilities there you cannot f–king imagine,” she told investigators. Edgar, she said, was an outdated, patched-together system that hadn’t been properly secured in years.
Kuprina, who had also hacked Citigroup, Nasdaq, Dow Jones and NASA, signed a plea deal with the feds and fled to the US in 2018, leaving her mother and daughter behind.
In 2019, the SEC wrongfully scapegoated American day traders who were accused of pocketing $4.1 million from insider trades linked to the massive cyberattack that breached the Edgar filing system.
It turns out those Americans may have simply been guilty of making smart, lucky bets.
“Today’s action shows the SEC’s commitment and ability to unravel these schemes and identify the perpetrators even when they operate from outside our borders,” the agency’s head of enforcement said in a press release.
Sungjin Cho, a Los Angeles-based day trader, was startled to find federal agents banging on his door before dawn. They confiscated his devices, grilled him about foreign hackers, and accused him of profiting off stolen data.
“I don’t know what we were expecting to find, but he didn’t seem like a high-rolling criminal at all,” one FBI agent told Bloomberg News.
Kuprina’s cooperation with US authorities would reveal a months-long breach of the SEC’s core system — and upend the agency’s narrative.
What the SEC didn’t say in its official version of events was that the breach of Edgar had lasted far longer than publicly acknowledged — and had been exposed not by agency sleuthing but by Kuprina.
Despite her central role in exposing the breach — and continuing to download documents as late as March 2017 — Kuprina wasn’t mentioned in the SEC’s complaint.
Instead, the commission zeroed in on Cho and his associates: David Kwon, a friend who traded through Cho’s accounts, and Ivan Olefir, a Ukrainian client connected to Cho’s trading firm.
While the three made trades that aligned with earnings announcements, investigators found no direct evidence they had been in contact with the hackers, nor that they ever knowingly received stolen documents.
Still, the SEC charged them, citing high win rates on earnings trades and circumstantial connections.
The Department of Justice, which was conducting a parallel criminal probe, ultimately declined to prosecute the traders — a move that signaled doubts about the strength of the case, Bloomberg News reported.
Cho maintained that he and his colleagues were simply tracking unusual trading activity — looking for signs that others had inside information, then piggybacking on their bets.
“Any earnings or any market-moving announcement…there will always be some leak,” Cho told investigators.
“And if you could detect that movement, that’s the strategy.”
Critics say the SEC needed a win — and chose easy targets. The agency faced pressure to respond after being hacked itself, and rather than focus on the Ukrainian masterminds still at large, it trained its firepower on traders who were within reach.
In the end, Cho settled for $175,000 — a fraction of what the SEC claimed he made. He did not admit wrongdoing, but under SEC rules, he is not allowed to publicly say he’s innocent either.
“I’m not allowed to say I’m innocent, but I’ll give you all the facts and people can decide for themselves,” he later said.
In 2020, Kuprina pleaded guilty to federal charges related to Edgar and five other hacks, according to Bloomberg. She served a short jail stint before being released as she cooperated with investigators.
A judge sentenced her to time served in 2023 in recognition of her cooperation, according to Bloomberg.
The skilled hacker now works for cybersecurity company Recorded Future Inc. — and was reunited with her mother and daughter, who were flown out of war-torn Ukraine by the US government.
Meanwhile, hackers like Radchenko are still at large. And the SEC’s Edgar system, though updated in parts, remains vulnerable according to cybersecurity experts.
The Post has sought comment from the SEC, Kuprina, Cho and Kwon.
Credit: Source link
