On Tuesday, a little known security company claimed to have found vulnerabilities and backdoors in some AMD processors. Within some parts of the security community, the story behind the researchers’ discovery quickly became more interesting than the discovery itself.
The researchers, who work for CTS Labs, only reported the flaws to AMD shortly before publishing their report online. Typically, researchers give companies a few weeks or even months to fix the issues before going public with their findings. To make things even stranger, a little bit over 30 minutes after CTS Labs published its report, a controversial financial firm called Viceroy Research published what they called an “obituary” for AMD.
“We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries,” Viceroy wrote in its report.
CTS Labs seemed to hint that it too had a financial interest in the performance of AMD stock.
“We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports,” CTS Labs wrote in the legal disclaimer section of its report.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
On Twitter, rumors started to swirl. Are the researchers trying to make money by betting that AMD’s share price will go down due to the news of the vulnerabilities? Or, in Wall Street jargon, were CTS Labs and Viceroy trying to short sell AMD stock?
Security researcher Arrigo Triulzi speculated that Viceroy and CTS Lab were profit sharing for shorting, while Facebook’s chief security officer Alex Stamos warned against a future where security research is driven by short selling.
Yaron Luk, co-founder of CTS Labs, told Motherboard that "Viceroy is not a client of CTS, and CTS did not send its research to Viceroy." When asked about the company's financial motivations, Luk said that "we are a for-profit company that gets paid for its research by a variety of research clients."
"We do not discuss our research clients," he wrote in an email sent after publication of this article. "In addition, we are driven by the desire to make products more secure, and to protect users, as we hold companies responsible for their security practices."
Viceroy’s founder, Fraser Perring, was adamant about its company's intentions.
“We haven’t hidden the fact that we short the stock," Perring said in a phone call with Motherboard. "Where does a company with these serious issues go? For us you can’t invest in it."
Read more: The Motherboard Guide To Not Getting Hacked
Perring also said that Viceroy has never had any financial relationship with CTS Labs. An anonymous tipster shared CTS Labs’ report with Viceroy last week, Perring said. And once Perring and his colleagues started looking at it, he said they realized the flaws would put AMD’s financial health in danger. Hence, they bought a “short position” in the stock. Translation: they’re betting AMD stock falls, and they will make money if that happens.
In January, Viceroy got a lot of attention for shorting a South African holding company after writing a damning report on its financials. Just this week, the German financial regulators accused Viceroy of breaching laws with a critical report on a German media company that sent its share price down 9 percent. Until recently, Viceroy didn’t even disclose who was working for the firm, and its site’s about page still only says “A group of individuals that see the world differently.”
So far, it doesn’t look like AMD was really hurt by the disclosures. As of this writing, AMD’s stock price has barely changed since before the announcement of the vulnerabilities, going from $11.51 to $11.40. The company has seen worse drops in value in the past 12 months, and while it's possible that price will continue to trend downward, writing an 'obituary' for AMD at this point is a reach. An investor at Seeking Alpha, a crowd-sourced financial analysis site, wrote that the stock price movement is just “noise.”
There’s no evidence that CTS Labs worked with Viceroy to short AMD. But something like that has happened before. In 2016, security research firm MedSec found vulnerabilities in pacemakers made by St. Jude Medical. In what was likely a first, MedSec partnered with hedge fund Muddy Waters to bet against St. Jude Medical’s stock.
For Adrian Sanabria, director of research at security firm Threatcare and a former analyst at 451 Research, where he covered the cybersecurity industry, trying to short based on vulnerabilities just doesn’t make much sense.
While it could work in theory and could become more common in the future, he said in a phone call, “I don't think we've seen enough evidence of security vulnerabilities really moving the stock for it to really become an issue."
Sanabria said that it would make much more sense to do that if someone had prior knowledge of a serious data breach, rather than just vulnerabilities. After all, researchers find vulnerabilities within the software or hardware of major companies all the time.
Before Equifax revealed its massive data breach last year, four of its executives sold their shares. Four days after news of the breach hit the press, the stock had plunged 18.4%. (One of those executives, Jun Ying, was charged on Wednesday for insider trading.)
Earlier this year, researchers revealed critical vulnerabilities in Intel processors that according to Sanabria were far worse than the AMD Vulnerabilities CTS Labs reported on Tuesday.
Intel's stock went down 9 percent in a week, but two weeks later it had already recovered.
Viceroy’s take that AMD is doomed is just “propaganda manufactured to hurt confidence in AMD,” Sanabria told me.
“It’s a ridiculous piece. It’s beyond exaggerated,” he added.
And, for now, it doesn’t seem like investors are heeding its advice.
This piece has been updated to include a comment from CTS Labs's Yaron Luk.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.