
When Insider Trading Meets Prediction Markets: What the Google Case Means for E&C Teams

Erica Salmon Byrne, J.D. Chief Strategy Officer and Executive Chair, Ethisphere

This is our fourth prediction market episode of 2026. Which, yes, means prediction markets have made the news in a material way at least four times this year. As I said on air: it’s the gift that keeps on giving, and not in a good way.

The latest story broke in late May, and it traces back to something that happened last December. A Polymarket user going by the handle “AlphaRaccoon” made nearly $1 million after winning 22 of 23 bets on what topics would appear on Google’s annual year-in-search list. That’s a hit rate that raised eyebrows in the Polymarket community pretty quickly. The user, according to a complaint filed by the Commodity Futures Trading Commission, is alleged to be Michele Spagnuolo, a Google information security engineer who had access to internal search trend data.

The CFTC’s complaint says Spagnuolo “misappropriated confidential and valuable nonpublic information from his employer and used that information to place a series of Google-related bets on Polymarket.” He now faces charges of commodities fraud, wire fraud, and money laundering. The DOJ filed a criminal indictment. The FBI was involved in the investigation. This is not a slap on the wrist.

What the coordinated enforcement response tells us

The DOJ, CFTC, and FBI all getting involved in one case is worth pausing on. It signals that regulators are taking the misuse of inside information in prediction markets seriously, and they’re coordinating to do it. The CFTC is pursuing civil penalties and disgorgement. The DOJ is pursuing this criminally. That combination is not accidental.

There’s something else worth noting. Part of what put AlphaRaccoon on the radar in the first place wasn’t just regulators. It was other Polymarket users. The community noticed that this one account had an almost perfect hit rate on the specific contracts it traded. People raised flags. We saw something similar in the Paris weather station case we covered previously, where it was local weather enthusiasts who first noticed the data looked wrong. Prediction market platforms have a degree of self-policing built in, because people betting real money have very strong incentives to spot anomalies. That eventually becomes a referral to the FBI.

So the enforcement ecosystem here isn’t just government agencies. It’s also the users of these platforms, who are watching the data closely.

What Google did right, and why it matters for the case

This is the part that every E&C professional should consider carefully, because the CFTC complaint specifically cites Google’s information controls. Not as a defense for Google, but as evidence against Spagnuolo. The reasoning is essentially: this person knew exactly what he was doing. He couldn’t claim ignorance.

According to the complaint, the search trend data he accessed was clearly marked in red as “Google Confidential.” It wasn’t ambiguous. He had completed training on confidential company information multiple times. He had signed certifications. Google did the work — proper marking, required training, documented certifications — and that documentation trail became the basis for establishing that Spagnuolo acted with intent.

That’s an important shift in how to think about your information controls program. Preventing misuse is important, but so is building a record that makes enforcement possible when prevention fails.

That said, what Google had in place was step one. Step two is monitoring who is actually accessing that confidential information, and whether they have a legitimate business reason to be doing so. There’s a related case involving law firms where people were logging into deal systems, and one of the factors the enforcement actions called out was that read-only access wasn’t being tracked. Nobody knew the wrong people were looking at things. So you can have excellent labeling and training and still have a gap if you’re not watching the access logs.

The question every E&C professional should be asking is: do I know who’s looking at our most sensitive data, and does their access make sense?

Here’s the more practical question this case surfaces. Google’s year-in-search release is a major annual event, which makes it predictable, which makes it bettable. Spagnuolo had access to the underlying data and knew the results before they went public. That’s the version of this risk that applied to Google. What’s yours?

Every company has some version of year-end data that matters — headcount numbers, earnings results, product launch timing, survey outcomes. Prediction markets are already trading contracts on how many employees major companies will have at the end of a given quarter. They trade on earnings. They trade on regulatory decisions. The specific bet format will differ from company to company, but the underlying risk is the same: you have people with access to sensitive information, and there’s now a financial market where that information has value.

The platforms aren’t hidden. Kalshi and Polymarket are public-facing and easy to navigate. If there are contracts trading that relate to your company, you can see them. And if you can see them, you can ask yourself who internally might have an incentive to act on information that would move those contracts.

That monitoring doesn’t have to be complicated. I’d suggest starting by looking at what’s actively trading that’s related to your organization, then cross-referencing with what internal information would give someone an edge on those contracts, then asking: who has access to that data, and are we watching how it’s being accessed?

Kalshi, to its credit, has a well-built section of its website specifically on insider information and reporting. If something suspicious is happening on a contract related to your company, you’d much rather find out by actively monitoring than by getting a call from a journalist or a regulator.

Where does ownership sit?

Right now, a lot of organizations are wondering who exactly owns prediction market risk. Is it compliance? Legal? InfoSec? HR? The truth is, we’re still in the early stages of seeing practices settle out, so let’s split this into two parts.

The policy piece clearly sits with ethics and compliance, probably with legal involved. This isn’t technically insider trading in the securities law sense, but it lives comfortably in your confidential information policy, your conflicts of interest policy, and your code of conduct. That’s E&C territory. Communications on the topic and employee training on it also live there.

The monitoring piece is going to require partnerships. If your external communications team is already tracking what’s being said about your company’s brand and reputation online, go ask them whether they’re looking at prediction market data. They may already have the infrastructure. If not, it might be the easiest lift to add it to their scope. On the systems side, you’ll need to work with InfoSec and IT to think about which internal data sources present the most risk, and how to build the access monitoring that makes it possible to detect anomalies.

The key move is sequential. Identify the risk. Figure out which contracts, if any, trade on information your employees might have access to. Then figure out who can help you monitor the markets and who can help you monitor internal access. Then communicate proactively to the teams most likely to have that exposure.

The fraud triangle and what prediction markets do to it

There’s a framework I keep coming back to when I think about this. The fraud triangle: opportunity, pressure, rationalization. Controls work on the opportunity leg. But the thing that’s worrisome about prediction markets, and Polymarket specifically, is how directly they attack rationalization.

The CEO of Polymarket has stated publicly that the platform “creates a financial incentive for people to go and divulge new information” — and that insider trading is a feature, not a bug. That’s not a neutral stance. It’s an invitation to rationalize. When a platform is designed to make you feel like you’re participating in information discovery rather than stealing from your employer, the rationalization piece of the triangle gets very soft, very quickly.

That’s where proactive communication inside your organization matters. If you’ve told your employees that you’re watching the markets, that you’ve identified contracts that trade on information your people might have access to, and that using that information to trade would have serious consequences, then that changes the rationalization calculus. It’s similar to the deterrent effect of a T&E audit. Most people don’t pad their expense reports when they know someone’s checking. Not because the policy changed, but because the opportunity feels much smaller.

Finding out there’s a prediction market contract tied to your company’s data is a communications moment, not just a compliance moment. You can use it to address both the controls piece and the culture piece at the same time.

Don’t worry, E&C professionals, you’ve got this

I’ve been in E&C long enough to know that this field is very good at one thing in particular: rapid evolution in response to novel risk. Prediction market insider trading sounds new and complicated and it is, a little. But at its core, it’s the same problem we’ve been solving for decades. Someone had access to material nonpublic information and found a way to profit from it. The mechanism is new. The risk profile is familiar.

You know how to do risk assessments. You know how to write policy. You know how to communicate with employees. You know how to monitor. You know how to investigate. Everything old is new again.

If your program doesn’t yet address prediction markets, now is the right time to look at it. The regulatory expectation is going to move in this direction — what Google documented in terms of labeling, training, and certification was cited approvingly by the CFTC. As enforcement in this space continues, the bar for what counts as “taking this seriously” will go up. Better to build ahead of that than react to it.