U.S. Attorney for the Southern District Preet Bharara.
U.S. Attorney for the Southern District Preet Bharara. (Photo: Rick Kopstein/ALM)

Three Chinese nationals face federal charges for allegedly hacking into two major U.S. law firms in a scheme to trade on information about imminent mergers and acquisitions.

U.S. Attorney Preet Bharara of the Southern District of New York announced Tuesday that Iat Hong, Bo Zheng and Hung Chin have been charged with infiltrating the servers of two law firms in 2014 and 2015 and accessing nonpublic information about pending deals. According to Bharara’s office, the information was used in trades that reaped roughly $4 million in illegal profits.

The indictment unsealed Tuesday does not name the law firms, which are referred to as Law Firm 1 and Law Firm 2. According to the charges, Law Firm 1 advised Intel Corp. on its 2015 acquisition of Altera Corp. for $16.7 billion and represented a company that was in deal talks with InterMune Inc., which sold to Roche AG in 2014 for $8.9 billion.

The second major law firm advised Pitney Bowes Inc. in the 2015 acquisition of New York-based e-commerce company Borderfree, the indictment states.

Based on those details the two firms appear to be Weil, Gotshal & Manges and Cravath, Swaine & Moore, firms where cyberbreaches previously were reported. Weil represented Intel in the Altera buy and Cravath is identified in securities filings as Pitney Bowes lead deal counsel.

Representatives of both firms, reached Tuesday, declined to comment.

“This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals,” Bharara said.

In addition to infiltrating the two firms, Bharara said the defendants went after at least five other law firms between March and September 2015, trying to get unauthorized access to the firms’ networks and servers on over 100,000 occasions.

On the successful hacks, once the defendants obtained access to the law firm networks, Bharara said, they focused on email exchanges between law firm partners and associates as momentum built toward the culmination of the deals.

Hong, 26, was arrested on the charges on Dec. 25 in Hong Kong and is now facing extradition to the United States. He was charged in a 13-count indictment along with co-defendants Hung, 50, also of Macau, and Zheng, 30, of Changsha, China. Both Hung and Zheng remain at large.

The defendants also went after inside information on at least 10 additional contemplated M&A transactions, some of which never came to pass.

Last January, Bharara said in a speech at New York University that one area “we’ll be talking about in the future” is the “vulnerability on the part of law firms and consultants.”

In March, reports emerged that his office was probing a series of breaches at Cravath, Swaine & Moore; Weil, Gotshal & Manges and other firms by individuals believed to be pursuing insider information on pending mergers and acquisitions.

Cravath at the time confirmed only that there had been a “limited breach” of its IT systems in the summer of 2015. A firm representative did not immediately respond on Tuesday to a phone call and email about the new criminal charges.

The Securities and Exchange Commission filed a parallel civil enforcement action Tuesday that seeks an asset freeze to prevent the three from cashing out on other stocks they may have purchased as part of the scheme.

According to federal authorities, Hong emailed Hung on July 29, 2014 with the names of 11 partners in the New York, Washington D.C., Silicon Valley and Hong Kong offices of Law Firm 1.

Two days later, according to the SEC, the hackers used malware to obtain “broad access” to the firm’s network, breached the user account of a firm IT employee, and used that access to infiltrate all email accounts—all the while using deceptions to make it appear to be normal network activity.

In all, the defendants allegedly pilfered more than 59 gigabytes of data, or the equivalent of nearly 6 million printed pages.

The second firm was hacked on April 6, 2015, again with the use of malware on the firm web server, the indictment alleges. Between April 28 and July 31, the defendants stole seven gigabytes of compressed data, according to the charges.