Indictment Issued in Law Firm Hacks

In what New York’s top federal prosecutor called a “wake-up call for law firms around the world,” three Chinese citizens have been charged with hacking into the servers of two prominent – but unidentified – international law firms to steal confidential client information in connection with pending M&A deals.

Preet Bharara, the U.S. Attorney for the Southern District of New York, announced the unsealing of a 13-count superseding indictment yesterday, charging Iat Hong, Bo Zheng and Chin Hung with computer intrusion, insider trading, wire fraud and conspiracy. According to the indictment, the three men unlawfully obtained an employee’s log-on credentials at each firm and then accessed the firms' servers, making off with 52.8 gigabytes of confidential data from one law firm and 7 gigabytes of confidential data from the second law firm. The confidential information was allegedly used to purchase securities ahead of formal deal announcements.

It’s unclear how the intrusions were detected.

Prosecutors charge that, once the law firms’ system was compromised, malware was installed to provide access to the email traffic of the firms’ lawyers.  By doing so, prosecutors allege, the defendants were privy to material non-public information and traded in securities before the deals were announced. The indictment estimates profits from the alleged insider trading scheme at $4 million.

The three are also charged with making repeated attempts to hack into five other law firms using similar means. In a 7-month period in 2015, the indictment alleges that the three defendants tried to access the servers of other law firms “on more than 100,000 occasions."

U.S. Attorney Bharara warned that law firms “are and will be targets of cyber hacking … because you [law firms] have information valuable to would-be criminals.”