blue wooden abstract detail
Market Surveillance

There are Many Ways to Detect Spoofing, and Then There’s the Most Effective Way

Spoof Detection_Cup half full

Is this glass half full or half empty? Depends on your perspective.

What matters is knowing the size of the glass and the relative depth of the water in the glass.

What has that got to do with spoofing detection?

Well, if your spoofing detection models do not know the state of the order book at the time of each order entry (or deletion), it’s a bit like not knowing whether you’re tipping a few ounces of water into, or out of, a glass or the Amazon River.

Spoofing is complex. From a sequence of orders, entered and deleted, to an alert, the person analysing the alert must deduce intention. What was the intent of the entity that entered those orders? Was their intent to mislead the market?

To construct intent, an analyst needs to pull together a lot of information, and much of that information is market context. What was the state of the order book – was it thin, was it deep? Was that order entered near the touch, or so far away you would need to catch a train to get there?

There is not necessarily a right way or wrong way to detect spoofing, but Nasdaq’s view is that you’re at a disadvantage if your spoofing alerts do not track order book state. Without it, you can’t know the impact of an order on market depth and perceptions—and from that flows intent.

We have observed alternative approaches to spoofing detection. For example, some systems identify the sequence of new Enters over a period, followed by a trade and then followed by a sequence of Deletes. The algorithm applies a time weighting and seeks to identify that a proportion of the entered volume was deleted.

However, this method does not track that the orders entered are the same orders that are deleted. It is a bit like the Cups and Ball trick where there are 3 cups + 1 ball, and you need to track where the ball ends up.

Market Spoofing_Cup and Ball

If the alert does not know the position and state of each order at a point in time and is highlighting entered orders that are not related to the deleted orders, the alert has basically lost track of the ball.

When reviewing or choosing a surveillance system, it’s important to validate how the spoofing detection model works. Confirm whether it tracks the state of the order book and be comfortable that the approach taken is more likely to identify spoofing and, at the same time, will reduce false positive alerts.

It’s also worth looking at how the surveillance system presents the spoofing alert. Nasdaq’s experience is that it greatly assists the analyst if the data is presented in a form that captures the sequence of events and the arc of the story:

  • There is a beginning, a status quo.
  • Followed by the intervention of the manipulator(s) who introduces change.
  • Then there is impact and consequences and typically a cost borne by the victim(s).

Does the surveillance system present the spoofing alerts as a dump of data points that are just indicators of order anomalies? Does your analyst need to find out if its spoofing on their own? Or does it capture the sequence of events and how the event unfolded and why it is potentially misleading, while supporting that information with intuitive visualizations. This is important because it empowers your analysts to understand what has occurred and why, and to then be able to convey that story internally to colleagues, or to a regulator via a STR.

For more information on spoofing and Nasdaq Trade Surveillance, contact us at

Michael O'Brien


Michael O'Brien is the Head of Product Management for the Sell-side & Buy-side Technology business at Nasdaq.

Read Michael's Bio