Skip to content
Securities Fraud

Illustration by Security Management, iStock

The Bull and Millionaire Mike: A Look at Darknet and Securities Fraud

Criminals have long leveraged information and communications technology to commit crimes that pose significant threats to public safety, economic security, and national security.

Illegal goods and services are marketed on websites accessible through traditional search engines (i.e., clearnet) and non-indexed websites that cannot be identified and accessed through traditional clearnet search engines such as Google or Bing (i.e., Deep Web). The Deep Web, which includes Intranets, websites that are password-protected, and websites accessible only using specialized browsers (e.g., Tor, “The Onion Router”), are part of what is known as the Dark Web. Within the Dark Web, the term darknet has been used to describe spaces used to facilitate criminal activities, such as the trade of illicit goods and services (Maras, 2016). 

Academic research and media coverage of darknet marketplaces (DNMs) have predominately focused on cryptocurrencies, the sale of illegal drugs, firearms, stolen data (e.g., personal, financial, and medical information), counterfeit money and goods, child sexual exploitation material, and malware.

A crime not commonly associated with the darknet is securities fraud—a criminal offense under 18 USC § 1348, which involves the use of deceptive practices to influence or manipulate financial markets and/or others’ financial investment decisions. Nevertheless, two recent criminal cases drew attention to the use of darknet to commit securities fraud—Apostolos Trovias (“The Bull”) and James Roland Jones (“Millionaire Mike”).

Apostolos Trovias, aka “The Bull”

In July 2021, darknet vendor Apostolos Trovias, “The Bull,” was charged with securities fraud and money laundering. He engaged in insider trading by selling information on AlphaBay, Dream Market, Nightmare Market, and ASAP about securities based on non-public company information. The information was purportedly obtained from an insider in a publicly traded company.

Specifically, the insider trading information—trading tips, including single tips, and weekly and monthly plans, and pre-release publicly traded company earnings reports—was sold in exchange for the cryptocurrency Bitcoin.

The U.S. Securities and Exchange Commission (SEC) complaint provided caveats that the insider information offered for sale on darknet listings could be:

"…materially false and misleading insofar as Trovias did not actually obtain information concerning institutional trading data from an insider at a trading firm, or if his statements were true, Trovias offered to sell, for securities trading purposes, material, nonpublic information that he knew, recklessly disregarded, or had reason to know was obtained in violation of a duty of trust and confidence for a personal benefit based on the allegations."

Trovias came to the attention of authorities when he offered to sell information to—unbeknownst to him—undercover agents of the Internal Revenue Service (IRS) and the FBI.

Trovias also planned and began to develop an “inside information auction site” where non-public company insider information would be traded.

Behind “the veil of the Dark Web, using encrypted messaging applications and emails, Trovias created a business model in which he sold—for profit—proprietary information from other companies, stock trading tips, pre-release earnings, and other inside information,” said Michael J. Driscoll, the assistant director-in-charge of the FBI’s New York Field Office, in a statement.

Trovias also planned and began to develop an “inside information auction site” where non-public company insider information would be traded.

When darknet fraud-related research is undertaken, it is improbable that a darknet vendor like The Bull would be considered anything other than an outlier or unimportant. The only red flags The Bull presented were his length of time as an active vendor and his moniker’s multi-homing on several DNMs (i.e., The Bull being a registered vendor on several DNMs). The Bull’s extended and uninterrupted presence on darknet marketplaces (due to multi-homing) shows that white-collar crime can also thrive and operate under the radar until an investigator with special training and expertise can identify it and—in the case of insider trading—access and examine the vendor’s insider information. However, the latter is only possible on active sites. At the same time, evidence of a vendor under investigation or other vendors’ existence before a successful transition to a more secure communication platform or voluntary withdrawal from the marketplace may be hidden in historical data of defunct DNMs.

This case highlights the availability of information that could allow individuals to illegally profit from insider information, while potentially costing companies millions depending on the users of this information. The evidence from the SEC’s complaint shows that the most valuable information The Bull advertised was available at select times of the year when the insider information provided was cross-checked with market behavior. Trovias was a uniquely dangerous criminal actor given his access to non-public company information and provision of daily or weekly tips and financial statements during periods where it was most beneficial to buy, sell, or short the company’s stock.

James Roland Jones, aka “Millionaire Mike”

Around the same time that Trovias was active on darknet in 2016, another vendor, James Roland Jones, “Millionaire Mike,” a SpaceX engineer, offered false insider trading tips defrauding customers.

On 18 March 2021, the U.S. Attorney’s Office of the Middle District of Florida released a statement announcing that Jones “pled guilty to conspiracy to commit securities fraud.”

Jones “purchased personally identifiable information on the Dark Web, including names, addresses, dates of birth, and Social Security numbers,” according to the press release. “He used this information, in part, to open and/or operate accounts for the purpose of conducting financial transactions based on material, non-public information related to publicly traded securities, more commonly known as ‘insider trading.’”

That same day, the SEC charged Jones with “perpetrating a fraudulent scheme to sell what he called insider tips on the Dark Web.” This made him the first darknet vendor to be the target of an SEC enforcement action involving securities violations.

The SEC complaint alleged that Jones used the same moniker on DNMs he frequented. Therefore, like The Bull, Millionaire Mike also engaged in multi-homing on several DNMs.

Before selling fake insider trading information, Jones gained access to a darknet insider trading forum (ITF) by way of deception—claiming that he had insider information. The forum was supposedly exclusively for use by select individuals trading material non-public information (MNPI). ITF had security measures in place to limit fraudulent access and use of the forum.  These measures, like other clearnet and darknet sites, are designed to prevent fraudsters, law enforcement officers, and other government agents from accessing, infiltrating, and/or retaining access to the site if, for example, they are arrested or identified as a police officer or fraudster.

ITF required prospective members to provide valid MNPI to join the forum. Jones made several unsuccessful attempts to access ITF by guessing MNPI, using different monikers with each attempt, before he guessed correctly and gained access to the forum.I

Jones made an estimated $27,000 in Bitcoin selling fraudulent material non-public information to darknet customers.

Like other restricted-access clearnet and darknet sites, ITF members were required to continue to engage in the illicit trade of goods and services to maintain access to the forum. For Jones, this meant providing new valid MNPI after an estimated three months on the forum. Due to his inability to provide this information, a moderator revoked his access to the forum.

Instead of seeking to regain access to the forum, Jones became a DNM vendor, whose listings advertised the sale of insider information. The information provided was not valid MNPI from an insider source as Jones claimed in his listings, but fraudulent MNPI. The buyers of his “insider tips” used the information they bought to “purchase and sell stocks of various publicly traded companies,” according to court documents.

Jones made an estimated $27,000 in Bitcoin selling fraudulent MNPI to darknet customers. Like Trovias, Jones came to the attention of authorities when he unwittingly engaged in illegal transactions with an undercover FBI agent.  

Beyond the DNMs discussed in both Jones’ and Trovias’ cases, other DNMs were identified as offering and/or specializing in goods and services that facilitated securities fraud. One such platform was the members-only darknet KickAss marketplace, which charged subscription fees for insider information.

Studying the Darknet

Despite these identified instances and cases of securities fraud on darknet, research in this area remains very limited. The above cases point to the fact that government agencies are monitoring the darknet. Private companies and financial institutions are also known to monitor darknet sites and identify, collect, analyze, and aggregate relevant information to their organizations.

These cases further illustrate the need to expand darknet research to include studies on securities fraud on DNMs. This research will help academics, researchers, practitioners, and government agencies better understand the nature and extent of securities fraud in the darknet. A wealth of information can be gleaned from darknet sites, including: the goods and services bought and sold; the quality and quantity of goods and services; the tactics, targets, tools, techniques, and modus operandi of criminals and cybercriminals; and the methods criminals and cybercriminals use to evade detection by authorities and bypass existing security and cybersecurity measures deployed by public and private sectors around the world. The information collected from these sites can be used to inform government, company, and security practices. 

Dr. Marie-Helen (Maria) Maras is an associate professor at the Department of Security, Fire, and Emergency Management and the Director of the Center for Cybercrime Studies at John Jay College of Criminal Justice. She holds a DPhil in Law and an MPhil and MSc in Criminology and Criminal Justice from the University of Oxford. Her academic background and research cover cybersecurity, cybercrime, and the legal, political, social, cultural, and economic impact of digital technology. She is the author of numerous peer-reviewed academic journal articles and books, the most recent of which is Cybercriminology (Oxford University Press), and serves as a consultant and subject matter expert on cybercrime and cyber organized crime at the United Nations Office on Drugs and Crime.

Dr. Jana Arsovska is an associate professor of Sociology at John Jay College of Criminal Justice and the Program of Doctoral Study in Criminal Justice at The Graduate Center, City University of New York. She is the former director of the Master of Arts Degree Program in International Crime & Justice and the Certificate in Transnational Organized Crime at John Jay College. She holds a PhD degree in International Criminology from Leuven University in Belgium where she studied organized crime. She is the recipient of various prestigious grants and awards and has published extensively on organized and transnational crimes.

Kenji Logie is a second-year student in the Criminal Justice Ph.D. program at John Jay College of Criminal Justice. He has been an adjunct lecturer at CUNY for the last seven years, teaching courses in programming, database design, digital forensics, and system analysis and design. Logie holds a B.S./M.P.S. in Business Information Systems from Brooklyn College (CUNY), and an M.S. in Digital Forensics and Cybersecurity from John Jay College of Criminal Justice (CUNY).