Skip to main content

Two Sigma Insider Threat Case Study

ケーススタディ

A quantitative researcher manipulated 14 algorithmic investment models over 21 months. No detection system, compliance tool, or code review caught it. He was caught because of an anonymous social media post.

A security engineering portfolio project by Vyshyvka Studio

Scroll

How Quant Models Work

From hypothesis to live trading

Firms like Citadel, DE Shaw, Jane Street, and Two Sigma run hundreds or thousands of algorithmic models simultaneously, each making independent trading decisions. Every model follows the same lifecycle before it touches real capital.

The Pipeline

1

Research

A quantitative researcher identifies a statistical edge — a pattern in earnings data, order flow, sentiment, or market microstructure that might predict future price movements.

2

Backtest

The hypothesis is tested against years of historical data via simulation. Does the signal survive transaction costs, different market regimes, and out-of-sample periods?

3

Decorrelation Check

Verify the model's predictions are not redundant with models already running. When a firm runs hundreds of models, each one must contribute something the others don't — otherwise the fund is concentrating risk while believing it's diversified.

4

Model Validation

The model goes through formal review: methodology, parameters, risk characteristics, and expected behavior are documented and approved. The researcher attests the submission is accurate and complete.

5

Deployment

The model's code and its configuration are deployed — typically to separate systems. Code goes to a secure, version-controlled repository. Tunable parameters go to a configuration store.

6

Live Trading

The model generates real buy and sell signals within assigned risk limits. Its performance is tracked, and at most firms, researcher compensation is tied directly to how their models perform.

The Scheme

Model Parameter Manipulation (November 2021 – August 2023)

Jian Wu was a quantitative researcher at Two Sigma Investments, one of the world's largest quantiative hedge funds. His job was to develop algorithmic investment models that generated forecasts for securities. Instead, he quietly manipulated them.

How It Worked

1

Decorrelation Parameters

Each investment model at Two Sigma uses decorrelation parameters to ensure models generate independent alpha. Wu reduced these parameters to near-zero across at least 14 models.

2

Mirror Effect

With decorrelation disabled, Wu's models began mirroring the positions and returns of other profitable models at the firm. His models appeared to generate independent alpha when they were actually copying.

3

Compensation Fraud

Modelers are compensated based on the independent alpha their models generate. By faking independent alpha, Wu inflated his 2022 compensation to over $23.5M — up from $2.75M the prior year.

No single parameter change triggered an alert. The decorrelation coefficients were legitimate configuration values stored in celFS, a database with known vulnerabilities that allowed modelers to bypass the approval process. The manipulation was not a hack. It was a slow, deliberate behavioral drift.

The Timeline

Twenty-one months. Fourteen models. One anonymous post.

Compensation Arc

$415K
2018
$500K
2019
$4.2M
2020
$2.75M
2021
$23.5M
2022
8.5xincrease in one year
November 2021

Wu begins secretly altering decorrelation parameters

Reduces Model A's decorrelation parameter to less than 1% of its approved value, then to zero by December 25

Early 2022

Manipulation expands — at least 10 models altered directly in celFS

Wu reduces decorrelation parameters to zero or near-zero, bypassing the PAM (Productionalize a Model) approval process

June 2022

Two Sigma introduces ticket system for celFS changes

Engineers implement requests without substantive review. Wu uses the ticket system to manipulate 4 more models, adding two zeros to parameter values to reduce them by 100x

Late 2022

Wu demands a significant compensation increase

Wu's 2022 compensation reaches $23.5M — over 3x his total pay since joining in 2018. Consists of a $16M cash bonus and $7.25M in performance grants

January 2023

Anonymous social media post reveals $23M+ compensation

An anonymous post on Xiaohongshu reveals a TSI employee received over $23M for 2022, prompting Two Sigma to investigate Wu's models

Mid 2023

Two Sigma finds unusually high model correlations

Investigation reveals Wu's models exhibit unusually high correlations. When questioned, Wu blames market conditions and other models' performance

July 2023

Wu attempts to cover his tracks

On July 29, Wu reverts decorrelation parameters for Models A, B, D, and E to their originally approved values, attempting to conceal his manipulation

August 2023

Wu admits to manipulation, placed on administrative leave

Wu confesses to his supervisor that he reduced decorrelation parameters without approval. Two Sigma places him on leave, terminates him effective this date (formalized January 2024)

After termination

Wu flees to China

Leaves the United States before formal charges can be filed

January 2025

Two Sigma settles with SEC for $90M

SEC finds Two Sigma failed to adopt policies addressing known model vulnerabilities. Firm voluntarily repays ~$165M to affected clients

September 2025

SEC complaint and federal indictment filed against Wu

Charged with securities fraud, wire fraud, and money laundering. SEC seeks disgorgement and civil penalties

What Failed

Every detection layer. Every compliance system.

Two Sigma had world-class security and compliance infrastructure. None of it detected Wu's scheme. Here is what was in place and why each system missed it.

</>

Source Code Review

All code changes went through standard review processes

Parameter changes were configuration values, not code changes. Config files often bypass code review entirely.

DB

celFS Parameter Database

Two Sigma's database for model parameters stored outside the secure Jar

celFS had known vulnerabilities that allowed modelers to alter parameters without review. Before June 2022, modelers could modify values directly. Even after a ticket system was introduced, engineers implemented changes without substantive review.

PAM

PAM (Productionalize a Model) Process

Two Sigma's model approval process requiring decorrelation testing and management review

PAM gated new model approval but not post-approval parameter changes. Wu submitted models with correct parameters for approval, then secretly altered them in celFS afterward. The approval process had no ongoing enforcement.

P&L

Model Performance Monitoring

Standard metrics for P&L, Sharpe ratio, drawdown

Wu's models performed well. They were profitable because they mirrored other profitable models. Performance monitoring confirmed the scam, it did not detect it.

CTS

Compliance & Trading Surveillance

Regulatory compliance monitoring and trade surveillance

Surveillance systems look for prohibited trading patterns (wash trading, spoofing). Wu's scheme was not a trading violation - it was a parameter manipulation that produced legitimate-looking trades.

!!DID NOT EXIST

Post-Deployment Drift Detection

Monitoring for model behavior changes after deployment

This system did not exist. There was no monitoring for parameter drift between deployment and ongoing operation. This is the gap.

Every system asked the same question: 'Is this event bad?' Each parameter write went to a database Wu could access. Each model had been approved. Each trade was compliant. No single event looked bad. The behavioral arc was incoherent. But the paradigm does not look at arcs.

How He Was Caught

Not by any detection system. By social media.

Wu's scheme began to unravel in January 2023, when Two Sigma discovered an anonymous social media post on Xiaohongshu revealing that a TSI employee had received over $23 million in compensation for 2022. The post prompted an investigation into Wu's models.

Xiaohongshu (小红书)|Anonymous compensation disclosure
$415K
2018
$500K
2019
$4.2M
2020
$2.75M
2021
$23.5M
2022

Anonymous post revealing a TSI employee received over $23M in 2022 compensation

How it spread

Xiaohongshu

Anonymous post

WeChat Groups

Screenshots shared

Twitter/X

Cross-posted and discussed

Two Sigma

Post discovered, investigation launched into Wu's models

The Fallout

The cost of narrative blindness

$23.5M
Wu's Fraudulent Compensation
$165M+
Client Losses (Correlated Risk)
$90M
SEC Fine (Two Sigma)
$278M+
Estimated Total Impact

Jian Wu

  • Administrative leave August 2023, terminated January 2024
  • Fled to China before charges filed
  • Federal indictment: securities fraud, wire fraud, money laundering
  • Currently a fugitive

Two Sigma

  • $90M SEC fine
  • $165M+ returned to affected clients
  • Reputational damage in institutional investor community
  • Forced review of all model parameter governance

Broader Impact

  • SEC increased scrutiny of systematic fund model governance
  • Other funds audited decorrelation and parameter controls
  • Case became a textbook example in quant compliance programs

The Lesson

The right level of abstraction

How would you build a system to catch Jian Wu? You could try to detect anomalous parameter values — learn that a decorrelation coefficient should be 0.006, not 0.00006. But that means understanding the semantics of every configurable value in every system across the organization. Every normal config change, every deploy, every tuning adjustment becomes a candidate alert. It is per-event classification with infinite domain surface area. It is the paradigm again. There is another way. You don't detect the value. You read the sequence.

What Sequence Detection Actually Sees

Not parameter values. Behavioral patterns.

celFS write → model deploy, repeated

“Is this event bad?”

Normal. celFS had no substantive review process. Each write and each deploy individually authorized. No alert.

“Does this behavior make sense?”

Same identity writing to celFS immediately before model deployments, in a tight temporal pattern, repeated across multiple models. This write-deploy sequence diverges from the user's historical baseline and from their peer group of modelers.

Same behavioral pattern across 14 models

“Is this event bad?”

Each access authorized. Each deployment approved. No single event suspicious.

“Does this behavior make sense?”

One identity repeating the same sequence across 14 models over months. The scope and repetition has extremely low probability given historical behavior. The story does not make sense for independent model development.

Behavioral frequency shift over 21 months

“Is this event bad?”

Volume within normal bounds. No rate-limit triggered. No threshold breached.

“Does this behavior make sense?”

The identity's rate and pattern of parameter writes shifted from their pre-November 2021 baseline. The model does not know what decorrelation means. It knows that this identity's story changed.

Why Not Detect the Values?

You could try to build a model that learns 0.006 is normal and 0.00006 is not. But decorrelation parameters are one of thousands of configurable values across an organization's systems. To detect anomalous values you need domain-specific knowledge of every parameter in every system — and every normal config change becomes a false positive candidate. You have rebuilt the paradigm: high-volume, per-event classification with an unbounded surface area. Sequence detection sidesteps this entirely. It does not need to understand what the values mean. It reads the behavioral arc of an identity and asks: does this story make sense?

The system does not know what a decorrelation parameter is. It does not need to. It knows that this identity's behavioral sequence — the temporal pattern of writes and deploys across 14 models — stopped making sense. That is the signal.

The best threats operate through legitimate credentials.

They tell a story that sounds right on any given day.

But over weeks, the story stops making sense.

You just have to be reading it.