Federal authorities on Tuesday filed charges accusing eight people, including individuals from Russia and Ukraine, of hacking into a government database holding corporate secrets in a scheme that led to at least $4.1 million in illegal trading profits.

In a civil complaint, the Securities and Exchange Commission alleged that the defendants launched a sophisticated cyberattack against the agency starting in 2016. Once they penetrated the SEC’s system, the hackers stole thousands of documents with sensitive, confidential information about corporations' financial conditions. They used that information to make a profit from illegal trading, prosecutors said.

“These threats to our marketplace are significant and ongoing and often involve threats from actors outside our borders. No system can be entirely safe from a cyber intrusion,” SEC Chairman Jay Clayton said in a statement.

The U.S. Attorney’s Office for the District of New Jersey filed related criminal charges against two people it says were involved in the scheme. The 16-count indictment charges Artem Radchenko, 27, and Oleksandr Ieremenko, 27, both of Kiev, Ukraine, with securities fraud conspiracy, wire fraud conspiracy and other crimes. Neither are believed to be in the United States or in custody, according to the U.S. attorney’s office.

The hackers and traders compromised “the integrity of the market” and deprived “honest investors of a level playing field,” said Brian Benczkowski, an assistant U.S. attorney in New Jersey.

The system that was breached, known as Edgar, serves as a clearinghouse for public filings companies must make to the agency, including reports on periodic financial results and newsworthy developments. There can be a lapse between the time when reports are electronically filed with the agency and when they can be viewed by the public, making the system a lucrative target for hackers hoping to learn sensitive information before the rest of the market.

The breach of a system so integral to the financial markets immediately raised questions about the government’s ability to protect sensitive information. In the wake of the hack, the SEC hired more cybersecurity experts, started a cybersecurity unit and launched an internal review.

SEC ignored years of warnings about cybersecurity before massive breach

The case “illustrates that the SEC faces many of the same cyber security threats" that confront publicly traded companies, Clayton said in a statement. “We recognize that we must continuously use the resources available to us efficiently and effectively bolster our cybersecurity defenses.”

According to the criminal complaint, the hackers sent emails to SEC employees that appeared to be from others inside the agency. The employees' computers were then infected with a malware that allowed the hackers to probe the SEC’s network and steal the corporate information.

In one case, an unnamed company submitted a document to the SEC at 3:32 p.m. that included unreleased quarterly financial results, according to the criminal complaint. About six minutes later, the release was stolen from Edgar. Between 3:42 p.m. and 3:59 p.m. that day, the hackers bought about 121,000 shares of the company’s stock, worth about $2.4 million. The company released the financial statement to the public at 4:02 p.m. announcing “record earnings.” The hackers sold the stock the next day after pocketing more than $270,000 in profit, according to the complaint.

The SEC initially discovered the breach in 2016 but didn’t make it public until 2017 after realizing the cyber intrusion may have led to illegal trading.

Its complaint names Sungjin Cho and David Kwon, both of Los Angeles; Igor Sabodakha, Victoria Vorochek and Ivan Olefir, all of Ukraine; and Andrey Sarafanov of Russia. It also names Capyield Systems and Spirit Trade as corporate defendants.

Some of the defendants named in the SEC complaint were involved in a similar scheme to steal more than 150,000 news releases scheduled to be delivered to investors, prosecutors said. In that 2015 case, federal prosecutors said the hackers pocketed more than $100 million from illicit trades.

In the most recent case, the SEC complaint portrays Ieremenko as the mastermind. The hacking began in May 2016 and continued until October, when the SEC patched Edgar software after detecting an intrusion, the complaint states. The group continued to try to penetrate Edgar into early 2017, according to the complaint, including attempting to infect SEC computers with malware.

Then in the summer of 2018, Ieremenko took credit for hacking both the SEC and the news wires, the SEC says. The apparent admission came in response to an online communication, which the SEC did not describe in its complaint.

An attorney for Ieremenko and most of the other defendants could not be reached or identified. Cho’s attorney declined to comment.

There has long been disagreement within the SEC and by legal scholars about whether the agency has the authority to pursue these types of charges, said John Reed Stark, who worked for the SEC’s enforcement division for nearly 20 years and founded its former Office of Internet Enforcement. The defendants could argue that they are not company executives who had a duty not to trade on confidential corporate information and therefore are outside of the SEC’s jurisdiction, he said. This is a case of “outsider” trading rather than insider trading, said Stark, who now teaches cybersecurity law at Duke University.

“These cases are not only challenging forensically but legally as well,” Stark said. “The SEC must have felt an extraordinary amount of pressure to bring this case. They are getting aggressive, and I think they are spot-on.”