SEC and DOJ Charge 21 in BigLaw M&A Insider Trading Ring — What the Document Management Trail Tells You

TL;DR

• On May 6, 2026, the SEC charged 21 defendants and the DOJ indicted 30 in connection with a decade-long M&A insider trading scheme that allegedly netted tens of millions in profits across roughly 30 corporate transactions.
• The lead defendant, Nicolo Nourafchan, worked at three top-tier M&A firms — Sidley Austin, Latham & Watkins, and Goodwin Procter — and allegedly used document management access at firms employing him to misappropriate MNPI he was not staffed on.
• The case did not crack open because of code words like “How’s the rabbi?” or the “Brothers in the Market” WhatsApp group. It cracked because the SEC’s Market Abuse Unit ran pattern analytics that flagged improbable trading timing across linked retail accounts.
• Practitioner takeaway: this is a supervision-failure case dressed up as a fraud case. Document management logs, employment history monitoring on brokerage accounts, and conflict check completeness are the controls that examiners will start asking about.

The most striking thing about the SEC’s May 6 complaint is not the code words. It is not the ten-year timeline, the seven Big Law firms named, or the $6.9 billion SailPoint deal sitting at the center of one count. It is paragraph 47 of the complaint — the part that says Nicolo Nourafchan accessed deal files on his law firm’s document management system while he was on leave from the firm.

That single fact tells you everything you need to know about why this case is going to reshape compliance program expectations across both Big Law and the broker-dealer side of the wall. Document management systems were supposed to be the supervisory record. The Nourafchan complaint suggests they were never read.

What the Complaint Alleges

The SEC’s press release and accompanying litigation release describe a scheme that ran from approximately 2014 to August 2024 and generated tens of millions of dollars in profits across nearly 30 M&A transactions. The structure was simple:

• Tier 1 — the source. Nicolo Nourafchan, an M&A associate who worked at Sidley Austin, Latham & Watkins, and Goodwin Procter at various points between 2013 and 2023, allegedly accessed material nonpublic information about pending corporate transactions through his employer’s document management system — including deals he was not staffed on. A second attorney, Gabriel Gershowitz, was later recruited and added more deals to the pipeline.
• Tier 2 — the orchestrator. Robert Yadgarov, based in Long Beach, New York, allegedly took the tips from Nourafchan and distributed them through a network of family members, friends, and longtime associates connected through religious community ties. Yadgarov and Nourafchan reportedly split a portion of downstream trading profits.
• Tier 3 — the traders. Eighteen additional defendants — including Lorenzo Nourafchan (Nicolo’s brother), Mark Alperin, Miakel Bishay, David Bratslavsky, three Fensterszaubs, Fernando Grinberg, Boruch Hatanian, Yisroel Horowitz, Joseph Izsak, Daniel and Eliyahu Kavian, Nowel Milik, David Ostrov, Gavryel Silverstein, Joseph Suskind, and Seth Winslow — placed trades in their own retail brokerage accounts and, in some cases, tipped others further down the chain.

Three deals appear repeatedly in the SEC’s count-by-count analysis: Johnson & Johnson’s $6.5 billion acquisition of Momenta Pharmaceuticals in 2020, Thoma Bravo’s $6.9 billion acquisition of SailPoint in 2022, and Amazon’s proposed $1.7 billion acquisition of iRobot announced in 2022. Latham & Watkins represented Momenta. Goodwin Procter represented iRobot. The complaint alleges Nourafchan accessed the iRobot files while on leave from Goodwin.

The Code Words Are Not the Story

Press coverage has fixated on the religiously-themed code words pulled from the WhatsApp group “Brothers in the Market” — pending deals referred to as a “rabbi” (“How’s the rabbi?”, “when is the rabbi’s surgery”), tips described as “flights,” “mitzvahs,” or “learning,” and trading instructions framed around “coffee.” The Forward’s coverage walks through the language in detail.

That is a colorful detail. It is not what cracked the case.

According to the SEC’s filings, the case originated with trading-pattern analytics at the Division of Enforcement’s Market Abuse Unit. The MAU’s analytics flag trades whose timing is statistically improbable given the trader’s prior behavior — particularly clusters of options or call spreads opened days before an unannounced acquisition. Once the timing flagged, the network was reconstructed by walking outward from the trading accounts through shared addresses, phone numbers, employment records, and family relationships.

The lesson for compliance functions is the same one SEC v. Reign Financial International and the Parmar Constellation Healthcare sentencing reinforced earlier this month: enforcement now starts with the data, not the tip. Surveillance built on keyword scanning or post-hoc tips has been overtaken by relationship graph analytics. Programs that still rely on the former will be outpaced by the regulator using the latter.

The Five Supervisory Controls This Case Tests

Strip away the personalities and you can read the complaint as a checklist of supervisory controls that did not function. For any compliance officer working a Big Law engagement or a broker-dealer surveillance desk, these are the five places the complaint quietly says “no one was looking.”

1. Document Management Access on a “Need-to-Know” Basis

Every Am Law 100 firm uses iManage or NetDocuments. Every firm has access controls. Almost no firm restricts those controls to a true need-to-know baseline. The default is open access across the office or practice group, with the deal team having edit rights and everyone else having read rights.

That default is what the Nourafchan complaint exploits. If access were restricted to staffed attorneys plus designated supervising partners — with documented exceptions logged for review — Nourafchan could not have reached the iRobot, Momenta, and SailPoint folders without leaving an unexplained access record. The technology exists. It is not deployed because tightening access creates friction for legitimate users.

Expect that to change. The first wave of post-Nourafchan policy updates will require deal-tagged document management permissions, periodic access certifications by deal-team partners, and audit trail reviews on a sample of completed deals. Anything less leaves the same supervisory hole the complaint exploits.

2. Conflict Check Completeness for Attorney-Initiated Personal Trades

Big Law firms generally require partners and associates to disclose personal securities holdings and obtain pre-clearance for trades. The compliance gap in the Nourafchan complaint is not that the attorneys traded — it is that the tippees traded, and many of those tippees were family members and friends whose accounts were never in the conflict-check system in the first place.

This is the same governance pattern the OCC consent order playbook describes for bank-level supervision: documented controls fail when the population they cover does not match the population that actually creates the risk. A personal-trading policy that covers the attorney’s own account but not the household and immediate-family accounts of the attorney is a policy that is structurally blind to tipping schemes.

3. Broker-Dealer Surveillance Based on Employer and Household

The downstream traders in this case used personal retail brokerage accounts. Many of those accounts disclosed their account holder’s employer or known affiliations at account opening. The SEC’s analytics found the network. The broker-dealers who custodied the accounts could have — and arguably should have — found at least a slice of it first.

The supervisory question for any broker-dealer with retail clients: when an account positions itself in out-of-the-money calls on a single name three days before a transaction announcement, does your surveillance system pull the account holder’s employer, household relationships, and known associations into the alert? If the answer is no, you are at the same baseline that allowed this scheme to run for a decade.

4. Lateral Hire Information Risk Reviews

Nourafchan moved between three Am Law firms during the alleged scheme. Each move would have triggered a conflicts walk-through and an information barrier setup. None of those processes flag the risk that a lateral attorney is retaining access to a prior firm’s documents — or that a lateral attorney has built a tipping network whose downstream trades will continue regardless of which firm employs the source.

A more robust lateral hire information risk review would include attestations from the new firm’s IT team confirming severance of credentials at the prior firm, periodic post-hire monitoring for unexplained access patterns, and integration of lateral hire data into the firm’s personal trading and conflicts surveillance. The framework is similar to what the risk scoring techniques post describes for likelihood-times-impact prioritization — lateral hires with M&A practices score high on both axes.

5. Document Access on Leave

The single most damning factual allegation in the SEC’s complaint is that Nourafchan accessed Goodwin Procter’s document management system while he was on leave from the firm. Whether the leave was personal, parental, or pre-departure, an attorney who is not actively staffed should not have a business reason to open M&A deal files. That access pattern is the trip-wire compliance functions should be reviewing.

Most firms terminate or limit document management credentials on departure but not on leave. The Nourafchan complaint suggests this gap is exploitable and exploited. A simple policy change — automatic suspension of M&A document access during any leave longer than 14 days, with reactivation requiring practice group head approval — would have closed it.

Will This Settle or Litigate?

The SEC’s complaint seeks permanent injunctions, disgorgement plus prejudgment interest, civil penalties (potentially trebled under Section 21A of the Exchange Act for tipper-tippee liability), and officer-and-director bars. The DOJ’s parallel criminal case adds prison-time exposure and forfeiture.

With 21 SEC defendants and 30 criminal defendants, the realistic outcome is a wave of pleas and disgorgement settlements from the downstream traders, contested litigation from Nourafchan and Yadgarov given the scale of personal exposure, and parallel cooperation deals for any defendants who can credibly testify against the orchestrators. This is the same pattern the Sklarov-Astor $450M stock-loan fraud matter is working through — multiple-defendant schemes rarely produce coordinated settlements, and the disgorgement totals tend to climb as parallel discovery surfaces additional trades.

Sustainable civil penalties for the lead defendants are likely in the eight- to nine-figure range when treble damages are layered on top of disgorgement. The criminal exposure for Nourafchan and Yadgarov is multi-decade if the maximum statutory sentences apply.

What to Pull From the Filings Today

If you are a compliance officer at a law firm, a broker-dealer, or an investment adviser, the right move in the next two weeks is straightforward:

1. Pull your document management access logs for the last 24 months and run a sample audit for access events outside staffed-deal scope. If your system cannot report on access-outside-scope, escalate that as a control gap to your firm’s risk committee.
2. Re-test your personal-trading population to confirm it covers immediate-family and household accounts of attorneys, deal-team members, and registered representatives. Compare the policy population to the actual relationship population.
3. Refresh broker-dealer surveillance scenarios to include employer-and-household linkage on M&A timing alerts. Run a back-test of one quarter of historical alerts to see what would have flagged under the updated logic.
4. Update lateral hire onboarding to include prior-firm credential severance attestations and a post-hire access monitoring period of at least 90 days.
5. Review document access on leave. Implement automatic suspension during extended leaves, with reactivation requiring documented business justification.

The Nourafchan complaint is going to be cited in examiner letters by the end of the year. The compliance programs that get out ahead of it will be the ones whose document access trails, surveillance scenarios, and personal-trading populations already match the failure modes the SEC has now publicly mapped.

The case is a reminder that the most aggressive enforcement actions of 2026 are not breaking new legal ground. They are punishing the boring supervisory controls that everyone assumed were fine. The MRA remediation playbook lessons about documentation, sampling, and access certification are not paperwork — they are exactly the controls this case turned on.

Sources

• SEC Press Release 2026-44 — SEC Charges 21 Individuals With Alleged Wide-Reaching Insider Trading Scheme
• SEC Litigation Release LR-26551 — Nourafchan et al.
• Bloomberg Law — Big Law’s Alleged M&A Insider Traders Switched Firms With Ease
• The Boston Globe — Dozens charged in global insider trading ring that profited off deals involving Mass. tech companies, corporate law firm
• The Forward — ‘Torahs’ and ‘Mitzvahs’ were code in alleged insider trading scheme