Traditional endpoint security exposes quantitative trading firm to breach

Written by:

Sarah Kinbar, Strategic Content Writer

In the hyper-competitive world of algorithmic trading, milliseconds matter. So do the models and codebases that power them. For quantitative trading firms, proprietary trading engines and predictive signals are not just tools, they are the business.

That’s why what allegedly happened inside Chicago-based Headlands Technologies should concern every firm operating in a high-value intellectual property environment and serves as a sharp reminder that Zero Trust controls are no longer optional.

Headlands, a global quantitative trading firm, developed a proprietary high-frequency trading platform known internally as “Atoms,” along with a suite of predictive models called “Alphas.” According to publicly available records, one of the developers who helped build that system—a senior developer named Cheuk Fung Richard Ho—allegedly gathered those assets while he was still employed at Headlands and later converted that intellectual property (IP) into a startup blueprint for a new business.  

The allegations don’t stop at simple misappropriation. Records suggest that:

  • Internal chat systems were reconfigured to auto-delete messages.
  • WhatsApp communications were erased.
  • Version history for source code was wiped out.
  • Sensitive materials may have been moved to personal cloud accounts.

Ho was arrested earlier this year, and his criminal case is progressing through pretrial motions and hearings in the Southern District of New York. But regardless of what the courts eventually decide, the conduct alleged in the court record describes what appears to be a methodical, insider-led exfiltration of proprietary trading IP, carried out from within the walls of the firm by someone who had legitimate access and deep institutional knowledge.

The limits of trust

The developer didn’t break in. He didn’t bypass authentication. He was already inside, doing the job he was hired to do. That’s what makes insider threats uniquely dangerous: They exploit trust.

In many environments, access is treated as binary: Either you’re in or you’re out. Once inside, few guardrails remain. That’s where the opportunity for misuse begins.

Zero Trust architecture starts from the opposite assumption: authentication is the beginning of control, not the end. Every user, application, and process gets only the access it needs, that access is enforced and continuously verified, and everything else is denied by default. That is exactly what ThreatLocker enables.

Missing controls, and what Zero Trust would have prevented

Storage Control

The alleged IP theft relied on the ability to move files freely within and potentially outside of internal systems. ThreatLocker Storage Control would have allowed Headlands to:

  • Block source code from being copied to external drives or personal folders
  • Restrict access to code repositories by time of day, user role, or specific machines
  • Apply audit-only or read-only permissions for developers not actively working on the code

With those controls in place, sensitive files would have stayed where they belonged.

Ringfencing™

Even if development tools like Git, Python, or an IDE were allowed to run, ThreatLocker Ringfencing™ could have limited what those tools were allowed to touch: no network shares beyond the approved repository location, no launching of other system processes, and no outbound web connections except to the corporate Git server and CI system that Git legitimately needs. The developer could still build, test, and commit, but not push the code anywhere else or hand it off to an external script.

Network Control

Transferring proprietary data to cloud platforms, such as personal AWS buckets or third-party file-sharing sites, is a common insider tactic. ThreatLocker Network Control could have blocked:

  • All outbound traffic by default
  • Specific connections to unapproved cloud services
  • VPN tunnels or CLI-based upload tool connections

Only pre-approved destinations (such as internal CI/CD pipelines) would have been reachable.

ThreatLocker Detect (Endpoint Detection and Response)

Deleting version history and messaging logs isn’t normal user behavior. ThreatLocker Detect would have:

  • Flagged unusual file system activity
  • Detected messaging apps running outside of corporate tools
  • Alerted on bulk file access or anomalous privilege elevation

Security teams could have been alerted in real time, potentially before the damage was done. One caveat worth stating plainly: endpoint controls only see the endpoints they run on. Messages erased from WhatsApp on a personal phone are outside any corporate agent’s view, which is exactly why the controls above concentrate on the source code itself and the machines it lives on.
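To make the behaviors listed in the Network Control and Detect sections concrete, here is an added illustration of the three detection rules as code. This is not ThreatLocker’s detection logic and not anything from the Headlands case; the event schema, the user names, the thresholds, the egress allowlist, and the telemetry itself are all constructed for the example. It flags a developer reading an unusual volume of source files in a short window, a Git command that expires version history, and an outbound connection to a destination outside the approved set.

```python
"""Toy insider-risk rules over constructed endpoint telemetry.

Added example, not vendor code. Event schema is assumed:
(timestamp, user, kind, detail) with kind in {file_read, process, net_connect}.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; a real deployment tunes these per team and repo.
APPROVED_EGRESS = {"git.corp.example:443", "ci.corp.example:443"}
SOURCE_SUFFIXES = (".cpp", ".h", ".py")
BULK_THRESHOLD = 50                   # source reads per user per window
BULK_WINDOW = timedelta(minutes=10)
HISTORY_WIPE_MARKERS = ("reflog expire", "filter-branch", "gc --prune=now")

BASE = datetime(2025, 1, 6, 9, 0, 0)  # arbitrary start time for the sample


def constructed_events():
    """Constructed telemetry: one noisy developer, one normal developer."""
    events = []
    # "rho" reads 60 source files in three minutes (bulk access).
    for i in range(60):
        events.append((BASE + timedelta(seconds=3 * i), "rho", "file_read",
                       f"C:/src/atoms/engine_{i:02d}.cpp"))
    # "alice" reads a handful of files over the same period (normal work).
    for i in range(8):
        events.append((BASE + timedelta(seconds=20 * i), "alice", "file_read",
                       f"C:/src/alphas/signal_{i}.py"))
    # Version history expired with a history-pruning git command.
    events.append((BASE + timedelta(minutes=5), "rho", "process",
                   "git.exe reflog expire --expire=now --all"))
    # Outbound connections: one approved, one to an unapproved object store.
    events.append((BASE + timedelta(minutes=6), "alice", "net_connect",
                   "git.corp.example:443"))
    events.append((BASE + timedelta(minutes=7), "rho", "net_connect",
                   "bucket.personal-object-store.example:443"))
    return sorted(events)


def detect(events):
    """Return one (rule, user, detail) alert per triggered rule."""
    alerts = []
    recent_reads = defaultdict(deque)   # user -> read timestamps in window
    bulk_flagged = set()                # alert once per user, not per file
    for ts, user, kind, detail in events:
        if kind == "file_read" and detail.endswith(SOURCE_SUFFIXES):
            window = recent_reads[user]
            window.append(ts)
            while ts - window[0] > BULK_WINDOW:   # slide the window forward
                window.popleft()
            if len(window) >= BULK_THRESHOLD and user not in bulk_flagged:
                bulk_flagged.add(user)
                alerts.append(("bulk_source_read", user,
                               f"{len(window)} source files within {BULK_WINDOW}"))
        elif kind == "process" and any(m in detail for m in HISTORY_WIPE_MARKERS):
            alerts.append(("history_wipe", user, detail))
        elif kind == "net_connect" and detail not in APPROVED_EGRESS:
            # Default-deny egress: anything not on the allowlist is an alert
            # (or, under Network Control, a block).
            alerts.append(("unapproved_egress", user, detail))
    return alerts


ALERTS = detect(constructed_events())

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert)
```

The bulk-read rule fires once per user when the sliding window crosses the threshold, so a genuine full-repository checkout by an automated build account should be allowlisted separately rather than left to drown the queue; the egress rule is written as default-deny, which is the same posture the Network Control section describes.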

Building friction into insider risk

Intellectual property is not protected by employment agreements or intent. It’s protected by architecture.

Quantitative trading firms, biotech labs, design studios, engineering firms—any business whose value depends on proprietary data—can’t afford to assume that authorization equals safety. As the Headlands allegations illustrate, even the most trusted user can become a risk when controls are loose, oversight is manual, and assumptions go unchallenged.

ThreatLocker provides the guardrails that prevent misuse, before it becomes misconduct.

100 days to secure your environment, a ThreatLocker webinar, is now available for viewing.

This tactical series will walk you through fully securing your environment, step by step.

Request your 30-day trial to the entire ThreatLocker platform today.