Hacking for Fun, Profit—and Now, Wagers
The next generation of hacking may not be about stealing the money. It may be about creating the event on which the money is wagered.
For decades, cybercrime monetization has been brutally simple. Hackers stole credit cards and sold them. They stole credentials and used them. They stole personal data and enabled identity fraud, account takeover, business email compromise, tax refund fraud, health care fraud, SIM swaps, wire transfers and synthetic identity schemes. Then came ransomware: encrypt the data and demand payment. Then came extortionware: Steal the data first, threaten publication later, and collect whether or not the victim can restore from backup. The Vastaamo psychotherapy breach in Finland was an early warning sign of where this could go: when the company did not pay, the extortionists turned directly to patients and threatened to publish mental health records unless individuals paid.
Who Could Have Predicted This?
But cybercrime needs liquidity. Stolen data has to be fenced. Ransom has to be negotiated. Cryptocurrency has to be laundered. Extortion depends on the victim’s willingness and ability to pay. Prediction markets and event contracts present a darker possibility: The attacker need not sell the stolen data, or even successfully extort the victim. The attacker can simply bet that the data will be stolen, released, confirmed, denied, remediated, paid for, investigated, disclosed, or priced into the market.
That changes the cybercrime business model. The criminal no longer needs to monetize the stolen thing. The criminal can monetize the knowledge of the crime, the timing of the crime, or, worse, the power to make the event happen.
This is not entirely theoretical. We already have public proof of the adjacent model: “hack-to-trade.” In SEC v. Dubovoy, the SEC alleged that hackers stole pre-release corporate press releases from newswire services and that traders used the stolen information to generate more than $100 million in illicit profits. SEC v. Dubovoy, No. 2:15-cv-06076 (D.N.J. filed Aug. 10, 2015), SEC Press Release No. 2015-163. In SEC v. Ieremenko, the Commission alleged that hackers compromised SEC EDGAR systems, extracted nonpublic earnings-related filings, and traded before public release. SEC v. Ieremenko, No. 2:19-cv-00505 (D.N.J. filed Jan. 15, 2019), SEC Litigation Release No. 24956. In United States v. Klyushin, DOJ obtained a conviction in what it described as a $90 million hack-to-trade conspiracy involving stolen pre-release earnings information. United States v. Klyushin, No. 1:21-cr-10104 (D. Mass. 2023), DOJ Press Release. Information – particularly stolen or hacked information – has direct value in the marketplace.
Those cases involved securities and options trading on stolen information. Prediction markets make the concept more direct. A market can ask, in effect, “Will X happen?” If the hacker can make X happen, or knows X has already happened before the market does, the market becomes an instrument of monetization.
Betting on the Crime Itself
The most obvious version is a cyber event contract: “Will Company X be hacked by June 30?” “Will Company X disclose a data breach this quarter?” “Will more than 10 million records from Company X be posted online?” “Will the ransomware group publish Company X’s files?” “Will Company X pay ransom?” “Will the SEC open an investigation?” “Will the CEO resign?” “Will the stock fall by more than 10% after disclosure?”
A hacker who already has access to Company X can buy “Yes.” A hacker who has stolen data and controls the timing of release can buy “Yes.” A hacker who plans to extort the victim can trade on whether the victim pays. A hacker who knows that the breach has occurred, but that the victim has not yet detected or disclosed it, can trade on disclosure timing. The attacker’s edge is not merely informational. It is causal.
We have already seen prediction markets tied to cyber incidents. Polymarket hosted a market asking whether the Bybit hacker would return at least 50% of the exploited ETH by a specified date after Bybit confirmed a hack. The market resolved based on official information from Bybit or credible reporting. See Polymarket, “Will Bybit hacker return stolen ETH before March?” . That does not prove the hacker traded. It proves something narrower but important: prediction markets can and do create tradable contracts around post-hack conduct. Once there is a market on the hacker’s next move, the hacker can become both the actor and the bettor.
There is also now public enforcement proof that event contracts can be used for insider trading. On April 23, 2026, the CFTC charged U.S. Army service member Gannon Ken Van Dyke with insider trading in Nicolás Maduro-related event contracts, alleging that he used classified nonpublic information about a U.S. operation to trade on Polymarket. CFTC v. Van Dyke, CFTC Press Release No. 9217-26. DOJ simultaneously announced criminal charges for unlawful use of confidential government information, theft of nonpublic government information, commodities fraud, wire fraud, and an unlawful monetary transaction, alleging that Van Dyke profited more than $400,000 by wagering on the timing and outcome of the operation. United States v. Van Dyke, S.D.N.Y. indictment announced Apr. 23, 2026, DOJ Press Release.
That case is not a hacking case. It is more important than that. It is a template. It shows that event contracts can be used by someone with secret knowledge of a future event, that the CFTC views such trading as insider trading under the Commodity Exchange Act, and that DOJ can charge the conduct criminally. If a soldier can allegedly use classified knowledge of an operation to bet on the operation, a hacker can use unlawful knowledge of an intrusion to bet on the intrusion.
Do Prediction Markets Prohibit Betting on Crimes?
For CFTC-regulated prediction markets, the answer is yes at the product-listing level, at least as to contracts that involve, relate to, or reference unlawful activity. The governing language is in Commodity Exchange Act § 5c(c)(5)(C), codified at 7 U.S.C. § 7a-2(c)(5)(C). The statute gives the CFTC authority to determine that event contracts are contrary to the public interest if they involve “activity that is unlawful under any Federal or State law,” “terrorism,” “assassination,” “war,” “gaming,” or similar activity determined by the Commission to be contrary to the public interest. 7 U.S.C. § 7a-2(c)(5)(C).
The implementing CFTC rule is even more direct. CFTC Regulation 40.11 provides that a registered entity “shall not list for trading or accept for clearing” an event contract that “involves, relates to, or references terrorism, assassination, war, gaming,” or unlawful activity. 17 C.F.R. § 40.11(a)(1). It also bars contracts involving similar activity if the CFTC determines by rule or regulation that the activity is contrary to the public interest. 17 C.F.R. § 40.11(a)(2).
That language matters. A contract asking “Will Company X be hacked?” would almost certainly “relate to” or “reference” unlawful activity if the relevant hacking would violate the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, state computer crime statutes, extortion statutes, trade secret laws, privacy laws, or wire fraud statutes. A contract asking “Will stolen personal data from Company X be released?” likewise references conduct that may involve unauthorized access, trafficking in stolen data, extortion, identity theft, or other unlawful activity. Under the plain text of Rule 40.11, a CFTC-registered exchange should not list it.
The CFTC’s own public description says the same thing. The Commission describes an event contract as a derivative whose payoff is based on a specified event, occurrence, or value, and states that Regulation 40.11 prohibits event contracts that reference terrorism, assassination, war, gaming, unlawful activity, or similar activity that the CFTC determines to be contrary to the public interest. CFTC, Contracts & Products: Event Contracts.
Enforcement occurs in several ways. First, designated contract markets self-certify new contracts or request CFTC approval, and the CFTC can review event contracts that may fall within Rule 40.11. CFTC rules allow a 90-day review, during which the Commission requests suspension of listing or trading, followed by an approval or disapproval order. 17 C.F.R. § 40.11(c). Second, registered exchanges have surveillance and rule-enforcement duties. The CFTC states that DCMs must maintain audit trails, conduct surveillance, and enforce rules against prohibited practices under the CEA’s core principles. CFTC Press Release No. 9185-26, “CFTC Enforcement Division Issues Prediction Markets Advisory,” Feb. 25, 2026. Third, the CFTC can bring civil enforcement actions for fraud, manipulation, insider trading, wash trades, disruptive trading, and other prohibited practices. Id.
That enforcement is no longer theoretical. In February 2026, the CFTC Division of Enforcement issued a prediction markets advisory after two KalshiEX matters involving the misuse of nonpublic information and fraud. In one matter, a political candidate allegedly traded on his own candidacy in violation of Kalshi rules barring trading by persons with direct or indirect influence over the outcome. Kalshi imposed disgorgement, a $2,000 penalty, and a five-year suspension. In another, a person affiliated with a YouTube channel allegedly traded based on advance knowledge of video content; Kalshi imposed disgorgement, a $15,000 penalty, and a two-year suspension. CFTC Press Release No. 9185-26. But that was not betting on crime. That was simple insider trading.
. Polymarket’s market-integrity policy states that insider trading is prohibited; users may not trade on confidential information about an event outcome where using the information would violate a preexisting duty of trust or confidence; users may not trade on illegal tips; and users may not trade if they hold a position of authority or influence sufficient to affect the outcome. Polymarket, Market Integrity Policy. Polymarket also says it can ban wallets, take legal action, refer matters to law enforcement, monitor trading in real time, and use on-chain transparency and outside specialists for enforcement. Id. In theory, betting on whether a company will disclose a data breach when you performed the data breach yourself would likely be prohibited insider trading. The hacker has an informational advantage. But, to what person or entity is the hacker an “insider”? This is much like the person who bets that a streaker will run across the court in the Knicks/Cavaliers game. For the price of a ticket and a day in jail (and possibly an NBA ban), that fan and his friends can make a killing on Kalshi.
That last prohibition is the key cyber rule. A hacker who controls whether data will be leaked has influence over the outcome. A hacker who controls whether a system will be disrupted has influence over the outcome. A ransomware group deciding whether to post stolen files has influence over the outcome. Under ordinary market-integrity principles, that actor should not be permitted to trade. Under criminal law, the trade may be evidence of intent, motive, proceeds, concealment, wire fraud, commodities fraud, money laundering, extortion, computer intrusion, or conspiracy. The government has the ability to claw back ill-gotten gains under relevant forfeiture statutes – but only if the hacker is caught and successfully prosecuted, and the money is still liquid or accessible.
Futures Markets: The Same Problem, With Different Plumbing
Traditional futures markets may not list a contract that says “Will Company X be hacked?” But cyberattacks can move futures, swaps, and commodities markets. A pipeline attack can affect energy prices. A port or logistics attack can affect shipping and supply chains. An attack on securities lending, clearing, settlement, payment systems, cloud infrastructure, or a major exchange can affect liquidity and volatility. A cyberattack on a food processor, hospital system, airline, casino operator, cloud provider, or defense contractor can move equities, sector ETFs, volatility products, credit spreads, and event-linked contracts.
Reuters reported, for example, that the 2024 EquiLend ransomware incident disrupted securities-lending workflows and increased costs for traders. That report does not show that the hackers traded on the disruption. It shows the market-impact surface: A cyberattack on financial plumbing can create tradable dislocations. Reuters, “EquiLend hack raised costs as traders flew blind, sources say,” Feb. 26, 2024.
For futures and swaps, the legal hook is not merely product prohibition. It is anti-fraud and anti-manipulation. Commodity Exchange Act § 6(c)(1), 7 U.S.C. § 9(1), and CFTC Rule 180.1, 17 C.F.R. § 180.1, prohibit manipulative or deceptive devices in connection with swaps, futures, and commodity contracts. The CFTC has expressly taken the position that misappropriation of confidential information in breach of a duty of trust and confidence can constitute insider trading in prediction markets and other CFTC-regulated markets. CFTC Press Release No. 9185-26.
So, if a hacker compromises a natural gas pipeline and trades natural gas futures before launching the disruptive payload, the question is not whether the futures contract itself is unlawful. Natural gas futures are lawful. The question is whether the trader used fraud, manipulation, deceptive conduct, misappropriated information, or a scheme to create or profit from artificial market conditions. That is a CFTC problem, a DOJ problem, a sanctions problem, and potentially a national security problem.
The Regulatory Gap
The formal rule is strong. The practical gap is harder.
A regulated U.S. DCM such as Kalshi is subject to CFTC oversight, exchange rules, audit trails, surveillance, disciplinary authority, and CFTC enforcement. The CFTC’s February 2026 advisory emphasizes that DCMs must police illegal trading practices and that the Commission retains full authority to investigate and prosecute violations. CFTC Press Release No. 9185-26.
But cybercriminals do not need a compliant U.S. account if offshore, DeFi, proxy, wallet, VPN, mule, synthetic identity, or nominee channels exist. Polymarket’s own terms page states that Polymarket US is CFTC-regulated, while the international platform “is not regulated by the CFTC and operates independently.” Polymarket Terms of Use page. The Van Dyke indictment alleged that the defendant used a VPN and foreign geolocation to access Polymarket and then moved proceeds through cryptocurrency accounts.
That is the cybercrime monetization problem in miniature. The market may prohibit the trade. The law may criminalize the trade. The platform may detect the wallet. But the attacker’s goal is to get in, place the wager, move the proceeds, and disappear before attribution catches up.
Why This is Different From Ordinary Insider Trading
Traditional insider trading involves informational advantage. This new model involves operational control. The hacker is not merely trading on the fact that a breach occurred. The hacker can decide whether to release the data, when to release the data, how much to release, which victim to target, which executive to embarrass, which system to disrupt, whether to send the extortion note, and whether to post proof on a leak site.
That means prediction markets can create perverse incentives not merely to predict crime, but to commit it. A market on whether a celebrity’s medical records will leak creates an incentive to steal them. A market on whether a public company will disclose a ransomware event creates an incentive to create one. A market on whether a hospital will cancel surgeries due to a cyberattack creates an incentive to attack the hospital. A market on whether personal data from a dating site, addiction clinic, genetic testing company, abortion services provider, or psychotherapy provider will be released creates a bounty for privacy invasion.
This is why the “unlawful activity” language in 17 C.F.R. § 40.11 matters. It is not moralism. It is market design. Some events should not be commoditized because the existence of the market can fund or incentivize the event.
The Next Generation of Hacking
The next generation of hacking is not “ransomware plus AI.” It is crime as a tradable event. The attacker no longer has to ask, “Who will buy these credentials?” The attacker can ask, “Who will take the other side of my bet?” The attacker no longer has to ask, “Will the victim pay?” The attacker can create a market position that pays whether or not the victim pays. The attacker no longer has to leak the entire database. The attacker can leak just enough to resolve a market, move a price, trigger disclosure, or force a regulator’s hand.
The defensive response has to change accordingly. Companies should treat suspicious prediction-market activity as a cyber threat indicator. Exchanges should treat sudden concentrated positions in cyber-sensitive contracts as possible evidence of compromise. Incident response teams should monitor not only dark web forums and ransomware leak sites, but also public prediction markets, crypto wallets, short interest, options activity, futures positions, and social media chatter. Regulators should view cyber incidents not only as privacy or operational failures, but as possible market-manipulation events.
The law already has tools. The Computer Fraud and Abuse Act reaches unauthorized access. Extortion statutes reach ransom demands. Wire fraud reaches schemes to obtain money by deception. The securities laws reach hack-to-trade schemes in public company securities. The Commodity Exchange Act reaches fraud, manipulation, and insider trading in futures, swaps, and event contracts. CFTC Rule 40.11 prohibits regulated event contracts that involve or reference unlawful activity. Platform rules prohibit trading on stolen confidential information and trading by those who can influence the outcome.
The problem is not absence of law. The problem is speed, attribution, jurisdiction, and liquidity.
Hackers have always followed the money. First, they stole data. Then they encrypted it. Then they extorted victims with it. Now the money may come from wagering on what the hackers themselves are about to do. That is not a prediction. That is arson with a side bet.
