How Does the SEC Detect Insider Trading?
Illegal insider trading doesn’t stay hidden for long. Behind every high-profile enforcement case is a surveillance infrastructure most investors have never heard of, including databases holding billions of records, AI-powered market monitors, and a whistleblower pipeline that pays out millions.
After you spend time reading Form 4 filings and learning what legal insider trading looks like, a natural question follows: how does the SEC detect the people doing it illegally? Those traders use shell companies, coded messages, and trades routed through relatives’ accounts. Yet the cases keep coming.
The answer is a surveillance infrastructure that is far more sophisticated than most people assume. It has been quietly expanding for fifteen years. Understanding how the SEC detects insider trading also helps explain why the legal disclosure system exists in the form it does, and why the signals in public filings carry the weight they do.
- The SEC’s ARTEMIS system holds roughly 10 billion equity and options trade records and ranks suspicious activity before human analysts ever get involved.
- MIDAS ingests around one billion market records per day at microsecond resolution; NASDAQ’s SONAR monitors 25,000+ securities using AI and social-media feeds.
- FINRA generates more than 450 insider trading referrals to the SEC every year—more than one per business day.
- The SEC’s whistleblower program has awarded nearly $2.2 billion to roughly 444 whistleblowers, making tip-chain secrecy structurally fragile.
- The May 2026 Nourafchan case—30 charged, a decade of M&A tips, coded messages about “flights” and “rabbi surgery”—illustrates every detection layer in practice.
Why Detection Matters for Investors Who Read Form 4
The Form 4 disclosure system and the insider trading surveillance apparatus are two sides of the same coin. The SEC requires insiders to publicly file every transaction within two business days precisely because it can then cross-reference those disclosures against the trading record. A late filing, an undisclosed trade, or a transaction that precedes a major announcement by an unusual margin are all data points the agency can investigate.
For retail investors, this creates a useful framing. The same patterns the SEC flags as potentially suspicious—heavy options activity ahead of announcements, cluster buying before earnings surprises, sudden position changes by senior executives—are also the patterns that legal insider-activity research shows carry a predictive signal. Understanding the enforcement infrastructure helps explain why the legal data is trustworthy enough to act on: it exists within a system designed to detect manipulation.
The Starting Gun: How Unusual Trading Gets Flagged
Most insider trading investigations do not start with a tip. They start with an algorithm noticing something odd. Surveillance systems flag abnormal price or volume movements before a material announcement (an earnings surprise, a merger, an FDA decision), and those flags land in a queue for human review.
The SEC’s Market Abuse Unit, formed in 2010, shifted the agency from a “security-based” approach to a “trader-based” one. Rather than waiting for a specific corporate event and then reviewing the trading around it, the unit now proactively identifies traders who show suspicious patterns across multiple securities over time. A trader who consistently makes profitable options bets ahead of deal announcements in unrelated companies is a pattern the algorithm can surface even before prosecutors know which insider was the source.
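The trader-based view described above can be sketched in a few lines. This is an added illustration, not SEC code or ARTEMIS logic: the sample purchases, the 10-day window, the chance base rate, and the flag thresholds are all constructed assumptions.

```python
from collections import defaultdict
from math import comb

WINDOW = 10    # assumed: trading days before an announcement counted as "pre-event"
HORIZON = 250  # trading days covered by the constructed sample

# Constructed sample: issuer -> day index of its material announcement.
ANNOUNCEMENTS = {"AAA": 40, "BBB": 95, "CCC": 150, "DDD": 210}

# Constructed sample: (trader, issuer, day index of a call-option purchase).
PURCHASES = [
    ("T1", "AAA", 36), ("T1", "BBB", 90), ("T1", "CCC", 147), ("T1", "DDD", 204),
    ("T2", "AAA", 10), ("T2", "BBB", 91), ("T2", "CCC", 60), ("T2", "DDD", 120),
    ("T3", "AAA", 38), ("T3", "AAA", 39),
]

def is_pre_event(issuer, day):
    """True when the purchase falls in the WINDOW days before the announcement."""
    return 0 < ANNOUNCEMENTS[issuer] - day <= WINDOW

def binom_tail(n, k, q):
    """P(X >= k) for X ~ Binomial(n, q): chance of k or more hits by luck."""
    return sum(comb(n, i) * q**i * (1 - q) ** (n - i) for i in range(k, n + 1))

def score_traders(purchases, min_issuers=3, alpha=1e-3):
    """Trader-based view: aggregate each trader's timing across all issuers."""
    traded, hits = defaultdict(set), defaultdict(set)
    for trader, issuer, day in purchases:
        traded[trader].add(issuer)
        if is_pre_event(issuer, day):
            hits[trader].add(issuer)
    q = WINDOW / HORIZON  # assumed base rate of a well-timed purchase by chance
    report = {}
    for trader in sorted(traded):
        n, k = len(traded[trader]), len(hits[trader])
        p = binom_tail(n, k, q)
        report[trader] = {"issuers": n, "hits": k, "p": p,
                          "flag": k >= min_issuers and p < alpha}
    return report

if __name__ == "__main__":
    for trader, row in score_traders(PURCHASES).items():
        print(trader, row)
```

T3's two well-timed purchases in a single issuer would show up in a review of that one announcement; only T1 stands out when timing is aggregated across unrelated issuers.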
ARTEMIS: The SEC’s 10-Billion-Record Trading Database
ARTEMIS—the Advanced Relational Trading Enforcement Metrics Investigation System—is the SEC’s central analytical tool for insider trading detection. It holds approximately 10 billion equity and options trade records, drawn from both SEC and FINRA data sources, and performs what the agency calls “longitudinal, multi-issuer, and multi-trader” analysis.
What that means in practice: ARTEMIS can connect accounts the trader does not know are linked in the SEC’s records. A trader using their spouse’s brokerage account, a shell company with a nominee director, and a personal account at a different firm can all appear as separate entities, but the system can correlate trading patterns, timing, and identity metadata to surface the connection. It then ranks trades by suspiciousness and hands the highest-risk cases to analysts in the Market Abuse Unit for human review.
One enforcement example involving nine defendants who collectively gained over $6.8 million through illegal trading was traced entirely through ARTEMIS analysis—despite the defendants’ use of shell companies, encrypted messaging, and coordinated account structures to obscure their activity.
MIDAS, SONAR, and the Broader Surveillance Stack
ARTEMIS is the centerpiece, but it sits within a layered system.
MIDAS (Market Information Data Analytics System) is the SEC’s real-time market-monitoring platform. It processes approximately one billion records per day from the thirteen national equity exchanges, with microsecond timestamp resolution. The agency receives the same raw data feeds used by high-frequency trading firms, which means MIDAS can detect the kind of order-flow manipulation that ordinary surveillance would miss.
SONAR, operated by NASDAQ and FINRA, takes a different angle. It monitors more than 25,000 securities across 100% of U.S. markets, combining standard trading-data feeds with news wires and social media analytics. When a stock starts moving in a way that correlates with social chatter or news articles that have not yet appeared publicly, that correlation can trigger a flag. SONAR also runs geographic proximity analysis, mapping whether traders are physically located near a company’s headquarters or a deal’s law firms.
Behind the scenes, the SEC’s Center for Risk and Quantitative Analysis (CRQA), established in 2013, has applied quantitative tools across more than one hundred enforcement cases. Its NEAT (National Exam Analytics Tool) allows examiners to analyze years of trading data in minutes rather than months. The SEC also runs a High-Frequency Analytics Lab that evaluates market behaviors at microsecond intervals to catch algorithmic manipulation.
| System | Operator | Primary Function | Scale |
|---|---|---|---|
| ARTEMIS | SEC Market Abuse Unit | Cross-account, multi-issuer trade analysis; ranks cases by suspicion score | ~10 billion records |
| MIDAS | SEC | Real-time market microstructure monitoring; microsecond timestamps | ~1 billion records per day |
| SONAR | NASDAQ / FINRA | Cross-market surveillance; social media + news analytics + geographic mapping | 25,000+ securities, 100% of U.S. markets |
| CRQA / NEAT | SEC DERA | Quantitative risk analysis; exam analytics across years of trading data | 100+ enforcement cases |
The Paper Trail: Electronic Blue Sheets and the Consolidated Audit Trail
Surveillance systems flag suspicious patterns. But to build a case, investigators need the underlying account-level data—the actual records of who traded what, when, and through which broker. Two mandatory data sources make that possible.
Electronic Blue Sheets are records the SEC can compel from any broker-dealer. They contain every transaction by every account at the firm in a given security over a given period—names, account numbers, transaction sizes, timestamps, and prices. Once a preliminary investigation is opened and a formal order issued, the SEC can pull blue sheet data from every broker in the country that touched the security in question. The scope is total.
The Consolidated Audit Trail (CAT) goes further. Launched in phases starting in 2020, the CAT captures every order, modification, cancellation, and execution across all U.S. equity and options markets in real time—from the moment the order is entered to the moment it is filled or cancelled. Every participant in the order-flow chain is identified, including the ultimate beneficial owner of the account. Anonymous trading across U.S. markets is, in practice, not anonymous.
FINRA Referrals and the Whistleblower Pipeline
The automated systems generate volume. The human pipeline generates the cases that are hardest to build algorithmically: the ones where personal relationships and private communications are the key evidence.
FINRA generates more than 450 insider trading referrals to the SEC every year, more than one per business day. These come from FINRA’s own surveillance of member broker-dealers. When FINRA’s systems flag something it cannot fully investigate on its own, it passes the referral to the SEC’s enforcement staff.
The SEC’s whistleblower program adds a second channel that is structurally incompatible with tip-chain secrecy. Anyone with knowledge of a securities violation can submit a tip to the SEC and receive between 10% and 30% of sanctions collected in cases exceeding $1 million. As of fiscal year 2024, the program has awarded nearly $2.2 billion to approximately 444 whistleblowers. The financial incentives are large enough that every person in a tip chain has a rational economic reason to turn on the others.
April 2026 enforcement actions illustrate what the referral pipeline looks like in practice. In a single month, the SEC settled charges against a former investment advisory employee who traded through a relative’s account ($65,000 disgorgement and penalty), a CPA at Canoo Inc. who purchased call options on confidential contract information ($54,965 disgorgement), and a former company president who traded acquisition information through his ex-wife’s account. These are not headline cases; they are the steady maintenance enforcement that happens between the major schemes.
From Flagged Trade to Courtroom: The Investigation Timeline
The gap between a suspicious trade and an SEC phone call is longer than most people assume. Formal investigations typically span 18 months to three years from the initial flagged trade to first contact with the subjects. Many traders assume they are in the clear because nothing has happened. They are not.
ARTEMIS, MIDAS, or SONAR flags unusual trading activity before or after an announcement. The flag joins a queue for the Market Abuse Unit’s analysts.
Analysts review the flag, pull historical activity for the account(s), and begin building a network map connecting traders, accounts, and information sources. The SEC’s current enforcement playbook incorporates social media data, location and mobility records, consumer transaction data, and metadata about information-access timing at this stage.
After a formal order of investigation, the SEC issues subpoenas for blue sheet data, brokerage records, emails, calendar entries, phone records, and messaging metadata. The DOJ may open a parallel criminal investigation and begin seeking wiretap authorization.
Large multi-defendant cases result in simultaneous civil charges from the SEC and criminal indictments from the DOJ, often filed on the same day. Cooperating defendants who pleaded guilty early become government witnesses before the indictments are unsealed.
The SEC prioritizes cases involving “egregious” breaches of duty by corporate officers and public company executives—but the Market Abuse Unit’s analytics do not filter by title. A hair stylist four steps removed from the source who makes consistent profitable options trades ahead of M&A announcements is just as detectable as the M&A attorney who originated the tips.
Case Study: The Nourafchan Scheme and What Detection Looks Like in Practice
The May 2026 Nourafchan case is the clearest recent illustration of every detection layer operating together. On May 6, 2026, the SEC filed civil charges against 21 individuals while the DOJ simultaneously unsealed criminal indictments against 30 people in the District of Massachusetts. The scheme traced back to approximately 2014, though the SEC civil complaint covers conduct from 2018 to 2024.
The alleged architect, Nicolo Nourafchan, was a Yale Law graduate who passed through four major law firms—Sidley Austin, Latham & Watkins, Cleary Gottlieb, and Goodwin Procter—over the course of a decade, mining deal files at each for material nonpublic information about approximately thirty M&A transactions. Target companies included iRobot, SailPoint, Citrix, Qualcomm, Express Scripts, and Tim Hortons, among others.
Nourafchan allegedly passed tips to Robert Yadgarov, a personal injury attorney who organized a downstream network of traders and kickback recipients. Participants used elaborate coded language to avoid detection: deal announcements were called “flights,” transaction dates were encoded as the dates for a “rabbi’s surgery,” and passing information was described as “religious learning.” Kickbacks were delivered in cash and through routed bank transfers. Nine defendants, including Gabriel Gershowitz, pleaded guilty and began cooperating with authorities before the indictments were unsealed. Two defendants reportedly fled: one to Russia, one to Israel.
How was the scheme detected? The investigation appears to have originated with external market surveillance flagging unusual options activity ahead of announced transactions, consistent with ARTEMIS and SONAR operations. Once the pattern was identified across multiple deals, network analysis mapped the tip chain from the downstream traders back toward the law firm access logs. The coded communications, while imaginative, did not conceal the underlying trading patterns that triggered the initial flag.
| Detection Layer | What It Caught |
|---|---|
| Event-driven anomaly detection (ARTEMIS / SONAR) | Out-of-the-money call options purchased consistently ahead of ~30 M&A announcements across unrelated companies and years |
| Network analysis | Linked downstream traders to each other and eventually to Yadgarov and Nourafchan through account patterns, geographic proximity, and financial flows |
| Digital exhaust (messaging metadata, location data) | WhatsApp message timing correlated with trade execution; emoji reactions following profitable positions; coded-language transcripts decoded by investigators |
| Law firm access logs | Nourafchan’s read-only document access across multiple firms tied to specific deal timelines—the connection the algorithm needed to close the loop |
| Cooperating witnesses | Nine defendants pleaded guilty before unsealing, providing testimony about coded language, kickback structures, and the full network |
Network Science: The Emerging Frontier of Detection
The surveillance tools described above are institutional. But academic research is building the next generation of detection methodology, and it is already being noticed by regulators.
A December 2025 paper from researchers at the University of Oxford, “Needles in a Haystack: Using Forensic Network Science to Uncover Insider Trading” (Jaeger, Yeung, and Lambiotte), analyzed 2.9 million trades reported to the SEC by company insiders between 2014 and 2024. The methodology constructs weighted network edges between insiders based on the temporal similarity of their trades across the full dataset, then analyzes the resulting graph for suspicious clusters and central nodes.
The algorithm flags pairs or clusters of insiders whose behavior suggests coordinated trading or market manipulation, automatically, across a decade of records. The researchers validated the approach using synthetic null models to confirm it distinguishes genuine suspicious patterns from random trading coincidences.
The paper’s core observation is that “detecting insider trading remains a unique challenge, partly due to the limited availability of labelled data.” Most schemes are never publicly identified, making supervised machine-learning approaches difficult. The network science approach sidesteps this by looking for structural anomalies in the graph itself, rather than requiring a training set of confirmed cases. It is an extension of what ARTEMIS already does with cross-account correlation, applied to the entire disclosed-insider-trading dataset as a graph.
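The idea of weighting edges by temporal similarity and checking them against a null model can be shown on a toy dataset. This is an added example, not the paper's code: the similarity measure (share of trades with a counterpart within one day), the uniform re-timing null model, and the four constructed insiders are assumptions chosen for illustration.

```python
import random
from itertools import combinations

HORIZON = 250  # trading days in the constructed sample window

# Constructed sample: insider id -> day indices on which a trade was reported.
TRADES = {
    "insider_A": {12, 47, 88, 131, 170, 214},
    "insider_B": {12, 48, 88, 131, 171, 214},  # tracks A almost day for day
    "insider_C": {5, 60, 99, 140, 190, 230},
    "insider_D": {20, 61, 110, 160, 205, 240},  # one chance overlap with C
}

def similarity(a, b, tol=1):
    """Share of trades that have a counterpart within `tol` days (symmetric)."""
    hit_a = sum(any(abs(x - y) <= tol for y in b) for x in a)
    hit_b = sum(any(abs(x - y) <= tol for x in a) for y in b)
    return (hit_a + hit_b) / (len(a) + len(b))

def null_p_value(a, b, rng, draws=2000):
    """Fraction of random re-timings at least as synchronized as observed."""
    observed = similarity(a, b)
    extreme = 0
    for _ in range(draws):
        ra = set(rng.sample(range(HORIZON), len(a)))
        rb = set(rng.sample(range(HORIZON), len(b)))
        if similarity(ra, rb) >= observed:
            extreme += 1
    return (extreme + 1) / (draws + 1)

def build_network(trades, alpha=0.01, seed=7):
    """Return {(u, v): (weight, p)} for pairs whose synchrony beats the null."""
    rng = random.Random(seed)
    edges = {}
    for u, v in combinations(sorted(trades), 2):
        w = similarity(trades[u], trades[v])
        if w == 0:
            continue  # no temporal overlap, no candidate edge
        p = null_p_value(trades[u], trades[v], rng)
        if p < alpha:
            edges[(u, v)] = (round(w, 3), round(p, 4))
    return edges

if __name__ == "__main__":
    for pair, (w, p) in build_network(TRADES).items():
        print(pair, "weight", w, "p", p)
```

No labelled cases are needed: the A-B edge survives because random re-timing almost never reproduces it, while the single C-D coincidence is discarded as noise.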
What This Means for Investors Who Track Legal Insider Transactions
The same infrastructure that catches illegal insiders is what makes the legal disclosure system reliable. Every Form 4 filing exists within a framework the SEC can cross-reference against actual trading data. Late filings, undisclosed transactions, and patterns that look inconsistent with an insider’s stated position are all detectable anomalies, which is why they are relatively rare in the public data you can access on EDGAR.
For investors using Form 4 data as a signal, the enforcement architecture provides a useful floor: the transactions in the public record exist precisely because insiders know they are being watched. An executive filing a Code P open-market purchase is making a public commitment, backed by the knowledge that the SEC can see every other trade they make across every account connected to their identity.
The detection arms race is also accelerating. The SEC now operates with the ability to move far beyond isolated transaction review and instead develop a multi-dimensional view of market activity and relationships. Location data, consumer transactions, messaging metadata, and social media interactions are all fair game once a formal investigation is opened. The practical upshot for investors is straightforward: the only clean source of insider-activity intelligence is the public disclosure record, and the surveillance infrastructure is what keeps that record honest.
Spodek Law Group — How the SEC Detects Insider Trading: ARTEMIS, MIDAS, SONAR Systems and Surveillance Methods
Columbia Law School Blue Sky Blog — SEC Data Analysis in Insider Trading Investigations (2019)
Anderson P.C. — Big Data Is Watching You: How the SEC Uses Advanced Analytics to Uncover Violations
Vinson & Elkins LLP — Utilizing Data Analytics: SEC Harnesses the Power to Unveil Insider Trading Patterns (2023)
Candor — Who Investigates Insider Trading?
Freshfields — From Patterns to Proof: The SEC’s New Playbook for Insider Trading Enforcement (May 2026)
Morrison Foerster — Top 5 SEC Enforcement Developments for April 2026 (May 2026)
AlphaBetaStock — SEC Charges 21 In Insider Trading Scheme Led By M&A Attorney (May 2026)
The Innovation Attorney — The Decade-Long Insider Trading Scheme That Pierced Biglaw (May 2026)
CFO.com — SEC Charges 21 People in Insider Trading Case (May 2026)
SECLaw — SEC Charges Corporate Attorneys with Insider Trading (May 2026)
Jaeger, Yeung & Lambiotte (University of Oxford) — Needles in a Haystack: Using Forensic Network Science to Uncover Insider Trading, arXiv:2512.18918 (December 2025)