Two Sigma Insider Threat Case Study
ケーススタディ
A quantitative researcher manipulated 14 algorithmic investment models over 21 months. No detection system, compliance tool, or code review caught it. He was caught because of an anonymous social media post.
A security engineering portfolio project by Vyshyvka Studio
How Quant Models Work
From hypothesis to live trading
Firms like Citadel, DE Shaw, Jane Street, and Two Sigma run hundreds or thousands of algorithmic models simultaneously, each making independent trading decisions. Every model follows the same lifecycle before it touches real capital.
The Pipeline
Research
A quantitative researcher identifies a statistical edge — a pattern in earnings data, order flow, sentiment, or market microstructure that might predict future price movements.
Backtest
The hypothesis is tested against years of historical data via simulation. Does the signal survive transaction costs, different market regimes, and out-of-sample periods?
Decorrelation Check
Verify the model's predictions are not redundant with models already running. When a firm runs hundreds of models, each one must contribute something the others don't — otherwise the fund is concentrating risk while believing it's diversified.
Model Validation
The model goes through formal review: methodology, parameters, risk characteristics, and expected behavior are documented and approved. The researcher attests the submission is accurate and complete.
Deployment
The model's code and its configuration are deployed — typically to separate systems. Code goes to a secure, version-controlled repository. Tunable parameters go to a configuration store.
Live Trading
The model generates real buy and sell signals within assigned risk limits. Its performance is tracked, and at most firms, researcher compensation is tied directly to how their models perform.
The Scheme
Model Parameter Manipulation (November 2021 – August 2023)
Jian Wu was a quantitative researcher at Two Sigma Investments, one of the world's largest quantiative hedge funds. His job was to develop algorithmic investment models that generated forecasts for securities. Instead, he quietly manipulated them.
How It Worked
Decorrelation Parameters
Each investment model at Two Sigma uses decorrelation parameters to ensure models generate independent alpha. Wu reduced these parameters to near-zero across at least 14 models.
Mirror Effect
With decorrelation disabled, Wu's models began mirroring the positions and returns of other profitable models at the firm. His models appeared to generate independent alpha when they were actually copying.
Compensation Fraud
Modelers are compensated based on the independent alpha their models generate. By faking independent alpha, Wu inflated his 2022 compensation to over $23.5M — up from $2.75M the prior year.
No single parameter change triggered an alert. The decorrelation coefficients were legitimate configuration values stored in celFS, a database with known vulnerabilities that allowed modelers to bypass the approval process. The manipulation was not a hack. It was a slow, deliberate behavioral drift.
The Timeline
Twenty-one months. Fourteen models. One anonymous post.
Compensation Arc
Wu begins secretly altering decorrelation parameters
Reduces Model A's decorrelation parameter to less than 1% of its approved value, then to zero by December 25
Manipulation expands — at least 10 models altered directly in celFS
Wu reduces decorrelation parameters to zero or near-zero, bypassing the PAM (Productionalize a Model) approval process
Two Sigma introduces ticket system for celFS changes
Engineers implement requests without substantive review. Wu uses the ticket system to manipulate 4 more models, adding two zeros to parameter values to reduce them by 100x
Wu demands a significant compensation increase
Wu's 2022 compensation reaches $23.5M — over 3x his total pay since joining in 2018. Consists of a $16M cash bonus and $7.25M in performance grants
Anonymous social media post reveals $23M+ compensation
An anonymous post on Xiaohongshu reveals a TSI employee received over $23M for 2022, prompting Two Sigma to investigate Wu's models
Two Sigma finds unusually high model correlations
Investigation reveals Wu's models exhibit unusually high correlations. When questioned, Wu blames market conditions and other models' performance
Wu attempts to cover his tracks
On July 29, Wu reverts decorrelation parameters for Models A, B, D, and E to their originally approved values, attempting to conceal his manipulation
Wu admits to manipulation, placed on administrative leave
Wu confesses to his supervisor that he reduced decorrelation parameters without approval. Two Sigma places him on leave, terminates him effective this date (formalized January 2024)
Wu flees to China
Leaves the United States before formal charges can be filed
Two Sigma settles with SEC for $90M
SEC finds Two Sigma failed to adopt policies addressing known model vulnerabilities. Firm voluntarily repays ~$165M to affected clients
SEC complaint and federal indictment filed against Wu
Charged with securities fraud, wire fraud, and money laundering. SEC seeks disgorgement and civil penalties
Compensation Arc
What Failed
Every detection layer. Every compliance system.
Two Sigma had world-class security and compliance infrastructure. None of it detected Wu's scheme. Here is what was in place and why each system missed it.
Source Code Review
All code changes went through standard review processes
Parameter changes were configuration values, not code changes. Config files often bypass code review entirely.
celFS Parameter Database
Two Sigma's database for model parameters stored outside the secure Jar
celFS had known vulnerabilities that allowed modelers to alter parameters without review. Before June 2022, modelers could modify values directly. Even after a ticket system was introduced, engineers implemented changes without substantive review.
PAM (Productionalize a Model) Process
Two Sigma's model approval process requiring decorrelation testing and management review
PAM gated new model approval but not post-approval parameter changes. Wu submitted models with correct parameters for approval, then secretly altered them in celFS afterward. The approval process had no ongoing enforcement.
Model Performance Monitoring
Standard metrics for P&L, Sharpe ratio, drawdown
Wu's models performed well. They were profitable because they mirrored other profitable models. Performance monitoring confirmed the scam, it did not detect it.
Compliance & Trading Surveillance
Regulatory compliance monitoring and trade surveillance
Surveillance systems look for prohibited trading patterns (wash trading, spoofing). Wu's scheme was not a trading violation - it was a parameter manipulation that produced legitimate-looking trades.
Post-Deployment Drift Detection
Monitoring for model behavior changes after deployment
This system did not exist. There was no monitoring for parameter drift between deployment and ongoing operation. This is the gap.
Every system asked the same question: 'Is this event bad?' Each parameter write went to a database Wu could access. Each model had been approved. Each trade was compliant. No single event looked bad. The behavioral arc was incoherent. But the paradigm does not look at arcs.
How He Was Caught
Not by any detection system. By social media.
Wu's scheme began to unravel in January 2023, when Two Sigma discovered an anonymous social media post on Xiaohongshu revealing that a TSI employee had received over $23 million in compensation for 2022. The post prompted an investigation into Wu's models.
Anonymous post revealing a TSI employee received over $23M in 2022 compensation
How it spread
Anonymous post
Screenshots shared
Cross-posted and discussed
Post discovered, investigation launched into Wu's models
The Fallout
The cost of narrative blindness
Jian Wu
- Administrative leave August 2023, terminated January 2024
- Fled to China before charges filed
- Federal indictment: securities fraud, wire fraud, money laundering
- Currently a fugitive
Two Sigma
- $90M SEC fine
- $165M+ returned to affected clients
- Reputational damage in institutional investor community
- Forced review of all model parameter governance
Broader Impact
- SEC increased scrutiny of systematic fund model governance
- Other funds audited decorrelation and parameter controls
- Case became a textbook example in quant compliance programs
The Lesson
The right level of abstraction
How would you build a system to catch Jian Wu? You could try to detect anomalous parameter values — learn that a decorrelation coefficient should be 0.006, not 0.00006. But that means understanding the semantics of every configurable value in every system across the organization. Every normal config change, every deploy, every tuning adjustment becomes a candidate alert. It is per-event classification with infinite domain surface area. It is the paradigm again. There is another way. You don't detect the value. You read the sequence.
What Sequence Detection Actually Sees
Not parameter values. Behavioral patterns.
celFS write → model deploy, repeated
Normal. celFS had no substantive review process. Each write and each deploy individually authorized. No alert.
Same identity writing to celFS immediately before model deployments, in a tight temporal pattern, repeated across multiple models. This write-deploy sequence diverges from the user's historical baseline and from their peer group of modelers.
Same behavioral pattern across 14 models
Each access authorized. Each deployment approved. No single event suspicious.
One identity repeating the same sequence across 14 models over months. The scope and repetition has extremely low probability given historical behavior. The story does not make sense for independent model development.
Behavioral frequency shift over 21 months
Volume within normal bounds. No rate-limit triggered. No threshold breached.
The identity's rate and pattern of parameter writes shifted from their pre-November 2021 baseline. The model does not know what decorrelation means. It knows that this identity's story changed.
Why Not Detect the Values?
You could try to build a model that learns 0.006 is normal and 0.00006 is not. But decorrelation parameters are one of thousands of configurable values across an organization's systems. To detect anomalous values you need domain-specific knowledge of every parameter in every system — and every normal config change becomes a false positive candidate. You have rebuilt the paradigm: high-volume, per-event classification with an unbounded surface area. Sequence detection sidesteps this entirely. It does not need to understand what the values mean. It reads the behavioral arc of an identity and asks: does this story make sense?
The system does not know what a decorrelation parameter is. It does not need to. It knows that this identity's behavioral sequence — the temporal pattern of writes and deploys across 14 models — stopped making sense. That is the signal.
The best threats operate through legitimate credentials.
They tell a story that sounds right on any given day.
But over weeks, the story stops making sense.
You just have to be reading it.