Two Ukrainian men are facing charges over their roles in an international stock-trading scheme that began with the pair’s breaking into the computer systems of the US Securities and Exchange Commission’s (SEC), according to complaints unsealed by the US Department of Justice (DOJ) and the SEC this week.

Artem Radchenko, 27, and Oleksandr Ieremenko, 26, both of Kiev, Ukraine, spent six months roaming the SEC’s corporate-filing system, ransacking sensitive information that they then used for illegal stock trading, as well as selling it to others for similarly illicit trades, said the prosecutors.

The scheme is thought to have led to illegitimate gains worth US$4.1 million. Radchenko and Ieremenko face hacking- and fraud-related criminal charges, while the rest – including two US citizens and one Russian national – face civil charges filed by the SEC.

The DOJ said that, between May-October 2016, Radchenko and Ieremenko extracted thousands of files from the SEC’s EDGAR (Electronic Data Gathering, Analysis, and Retrieval) system, where publicly traded companies upload their financial filings before the documents are released to the public and can affect the companies' stock prices.

Most of the stolen filings were “test filings”, i.e. documents that are usually left blank and only serve to check that everything works as intended. However, in many cases, the companies uploaded actual disclosures. “Armed with the stolen information, the traders profited by executing various trades in brokerage accounts they controlled,” said the DOJ.

According to the Wall Street Journal (may be paywalled), the hacking duo used at least two techniques to bore into the SEC’s computer networks. First, they exploited a vulnerability in EDGAR that enabled them to access the non-public information without entering login credentials. Second, they sent emails to SEC staff that were spoofed to appear as though they had been sent by SEC security personnel. The emails contained attachments that, once opened, compromised the workstations with malware and enabled the attackers to dig deeper into the SEC’s network. Several workstations are believed to have been compromised that way.

All stolen reports were uploaded to a server in Lithuania. As per the SEC’s complaint, this was initially done manually, but two weeks after Ieremenko first invaded the agency’s systems on May 3, 2016, he deployed a tool that exfiltrated the data automatically.

In addition, Ieremenko is facing charges that go back to 2015 and are related to the theft of 150,000 corporate press releases from three financial wire firms. That operation is believed to have involved no fewer than 32 people, who allegedly pocketed more than US$100 million in illicit gains from stock trading over a period of more than five years. The Verge ran a gripping long-form article on that case last year.