Full Report
Michele Spagnuolo allegedly placed multiple trades on the prediction marketplace, abusing internal access to Google’s nonpublic data on the most searched people in 2025. The post "Google security engineer accused of turning confidential search trends into $1.2M win on Polymarket" appeared first on CyberScoop.
Analysis Summary
# Incident Report: Insider Trading via Unauthorized Confidential Data Access
## Executive Summary
A senior Google security engineer, Michele Spagnuolo, allegedly utilized his internal access to nonpublic "Year in Search" trends to place successful bets on the Polymarket prediction platform. The scheme resulted in a profit of over $1.2 million, leading to federal charges including wire fraud and money laundering. Google has placed the employee on leave and is cooperating with the DOJ and FBI.
## Incident Details
- **Discovery Date:** Early December 2024 (via public speculation); May 2026 (Unsealing of charges)
- **Incident Date:** May 2024 – December 2024
- **Affected Organization:** Google
- **Sector:** Technology / Information Security
- **Geography:** Switzerland (Resident), New York (Prosecution), Italy (Citizenship)
## Timeline of Events
### Initial Access
- **Date/Time:** May 2024
- **Vector:** Authorized Internal Access (Insider Threat)
- **Details:** Spagnuolo created a Polymarket account under the pseudonym “AlphaRaccoon” and began using an internal Google marketing tool to view confidential 2025 search trends.
### Lateral Movement
- **Details:** Not applicable in a traditional network sense; the subject used legitimate credentials to access a tool available to employees, though the data was explicitly marked "Google Confidential."
### Data Exfiltration/Impact
- **Details:** Nonpublic search trend data was extracted and used to inform 25 high-risk trades on Polymarket. Spagnuolo risked approximately $2.75 million based on this insider information.
### Detection & Response
- **December 2024:** Users on X (formerly Twitter) and Discord began speculating that “AlphaRaccoon” was a Google insider following the release of the "Year in Search" results.
- **December 2024:** Spagnuolo attempted to evade detection by changing his username to an alphanumeric wallet address.
- **May 28, 2026:** DOJ unsealed the complaint; Spagnuolo arrested and charged with wire fraud, money laundering, and Commodity Exchange Act violations.
## Attack Methodology
- **Initial Access:** Valid employee credentials (Insider).
- **Persistence:** Long-term employment (since 2014) provided stable access.
- **Privilege Escalation:** None; utilized existing permissions to access marketing tools.
- **Defense Evasion:** Use of pseudonyms (“AlphaRaccoon”), username changes, and cryptocurrency swapping services to obscure the money trail.
- **Credential Access:** Authorized access to internal Google systems.
- **Discovery:** Internal search for "Year in Search" trend data.
- **Collection:** Manual or automated gathering of nonpublic search metrics.
- **Exfiltration:** Transfer of knowledge from a secured corporate environment to a personal trading account.
- **Impact:** Misuse of corporate intellectual property for personal financial gain ($1.2M profit).
## Impact Assessment
- **Financial:** $1.2 million in illicit gains; potentially massive legal penalties and restitution.
- **Data Breach:** Exposure of "Year in Search" confidential trend data.
- **Operational:** Diversion of security and legal resources to investigate a high-level trusted insider.
- **Reputational:** Significant public embarrassment as a *security engineer*—tasked with defending the company—was the perpetrator of the breach.
## Indicators of Compromise
- **Account Identifiers:** User "AlphaRaccoon" (Polymarket).
- **Behavioral indicators:** Large, high-risk bets on search-related outcomes coinciding with internal data availability; sudden changes in cryptocurrency mixing/swapping behavior.
## Response Actions
- **Containment:** Employee placed on administrative leave; internal access revoked.
- **Eradication:** Removal of the subject's company bio and internal profiles.
- **Recovery:** Cooperation with the DOJ, FBI, and CFTC for criminal and civil prosecution.
## Lessons Learned
- **Key Takeaways:** Even tools available to "all employees" can contain highly sensitive, tradable information.
- **Gap Analysis:** Monitoring for "broad" access tools may be less stringent than for "restricted" databases, creating a blind spot for insider trading.
## Recommendations
- **Least Privilege:** Re-evaluate if "all employees" truly require access to specific search trend forecasting tools.
- **Behavioral Analytics:** Implement User and Entity Behavior Analytics (UEBA) to flag employees accessing sensitive "Year in Search" data shortly before or during related high-stakes market events.
- **Enhanced Disclosure:** Require security staff with access to sensitive data to undergo more rigorous financial disclosure and ethics training regarding prediction markets/crypto-assets.
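
One way to implement the behavioral-analytics recommendation and close the "broad access" monitoring gap, as an added example that is not from the original report or from Google: a Python rule that scans access-log records and flags users outside the need-to-know teams who repeatedly view confidentially labelled data during an embargo window before its scheduled public release. The log format, user IDs, tool name, release date, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All values below are constructed for illustration, not taken from any real system.
RELEASES = {"year-in-search": datetime(2024, 12, 10)}  # asset family -> public release
EMBARGO = timedelta(days=60)     # pre-release window treated as market-sensitive
MIN_DISTINCT_DAYS = 3            # repeated viewing on separate days, not a one-off
NEED_TO_KNOW = {"marketing"}     # teams with a business reason to view the data

# Constructed log format: timestamp user team tool asset label
SAMPLE_LOG = """\
2024-08-01T10:00:00 u4004 sales trends-tool year-in-search/people confidential
2024-08-02T10:05:00 u4004 sales trends-tool year-in-search/people confidential
2024-08-03T10:07:00 u4004 sales trends-tool year-in-search/people confidential
2024-11-02T09:14:00 u1001 security trends-tool year-in-search/people confidential
2024-11-02T09:20:00 u1001 security trends-tool year-in-search/people confidential
2024-11-15T18:41:00 u1001 security trends-tool year-in-search/people confidential
2024-11-20T11:02:00 u3003 engineering trends-tool year-in-search/people confidential
2024-11-21T08:30:00 u2002 marketing trends-tool year-in-search/people confidential
2024-11-22T08:31:00 u2002 marketing trends-tool year-in-search/people confidential
2024-11-25T08:29:00 u2002 marketing trends-tool year-in-search/people confidential
2024-11-29T22:03:00 u1001 security trends-tool year-in-search/people confidential
2024-12-01T12:00:00 u1001 security trends-tool public-dashboard/overview public
2024-12-05T07:55:00 u1001 security trends-tool year-in-search/people confidential
"""

def parse(line):
    ts, user, team, tool, asset, label = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "team": team,
            "tool": tool, "family": asset.split("/")[0], "label": label}

def in_embargo(event):
    release = RELEASES.get(event["family"])
    return release is not None and release - EMBARGO <= event["ts"] < release

def flag_users(log_text):
    """Return (user, asset family, distinct days) for out-of-role embargo access."""
    days = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        e = parse(line)
        if e["label"] != "confidential" or e["team"] in NEED_TO_KNOW:
            continue
        if in_embargo(e):
            days[(e["user"], e["family"])].add(e["ts"].date())
    return sorted((u, f, len(d)) for (u, f), d in days.items()
                  if len(d) >= MIN_DISTINCT_DAYS)

if __name__ == "__main__":
    for user, family, n in flag_users(SAMPLE_LOG):
        print(f"review: {user} viewed {family} on {n} days inside the embargo window")
```

The rule keys on the data's label and release calendar rather than on how restricted the tool is, so a tool open to all employees is covered the same way as a restricted database.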