Spoofing & layering
Placing orders you intend to cancel to fake supply or demand (layering stacks them across levels). Illegal under Dodd-Frank §747 and the EU MAR. We teach the statistical tell, not the technique.
What to notice (detection only). The tell is large orders placed away from the touch, cancelled at near-100% rates just before opposite-side fills, and an order-to-trade ratio far above peers. This is the surveillance signature regulators prosecute, shown so you can recognise it, never run it.
What is spoofing, and what makes it illegal?
Spoofing is entering a bid or offer with the intent to cancel it before execution: a non-bona-fide order whose only purpose is to deceive other participants about supply or demand and nudge the price, so that a genuine order on the other side fills at a better level. The fake order is then pulled. The crucial feature, the one the law turns on and surveillance hunts for, is that the displayed order was never meant to trade. A legitimate quote is an offer you are willing to honour; a spoof is a lie expressed as an order.
Layering is the same offence with a different footprint: multiple non-bona-fide orders stacked across several price levels on one side, building a convincing wall of apparent interest rather than a single block. The intent is identical (no intent to execute, create a false impression, move the price) but the tell is the coordinated cancellation of the whole stack the instant the genuine order on the contra side fills. The distinction is descriptive, not legal: both fall under the same provisions.
The statute is unusually explicit. Dodd-Frank §747 (2010) inserted CEA §4c(a)(5)(C), making it unlawful to engage in "spoofing (bidding or offering with the intent to cancel the bid or offer before execution)". The offence is defined by intent. For securities the same conduct is reached through Exchange Act §9(a)(2) and §10(b)/Rule 10b-5. In the EU and UK, MAR Article 12 prohibits orders that "give, or are likely to give, false or misleading signals as to supply, demand or price" where there is no legitimate reason; layering and spoofing sit squarely inside Article 12(1)(a) and the Annex I indicators. See the market-abuse regimes for how each prohibition bites.
How does surveillance recognise the footprint?
Because the offence is intent, and intent is invisible, regulators reconstruct it from the account's full order lifecycle (including every cancelled order) pulled from the exchange message log. Trades alone reveal nothing; the manipulation lives entirely in the orders that never traded. Four statistical tells, none decisive alone, combine into the fingerprint a case is built on.
The first is a high order-to-trade ratio concentrated on the deceptive side, with displayed size that dwarfs anything that actually executes. The second is the cancel-to-fill timing: the gap between the genuine fill and the cancellation of the large order, which in a spoof is near-zero because the cancel is conditioned on the fill. The third is displayed-size asymmetry: a wall on one side against a sliver on the other. The fourth is post-cancel price reversion: once the wall vanishes the price drifts back, demonstrating the move was artificial.
How the four tells are combined into a flag (optional)
Any one signal is explainable; legitimate strategies cancel constantly. Surveillance therefore scores them jointly over a window, looking for the conjunction repeated across sessions. A schematic flag fires when the order-to-trade ratio, the cancel-conditioning, the size asymmetry and the reversion all clear threshold together:
Tighten the thresholds and you catch more spoofs but flag honest cancellations too, the false-positive trade-off real surveillance lives with, which is why intent evidence beyond the pattern still matters. Modern systems learn the conjunction directly with machine-learning classifiers trained on labelled episodes rather than hand-set thresholds.
What do the landmark prosecutions establish?
Two cases define the modern law. United States v. Coscia (2015, affirmed 7th Circuit 2017) was the first criminal conviction under the Dodd-Frank anti-spoofing statute. Coscia's algorithms placed large orders to move the price, then cancelled them once a small genuine order on the opposite side filled: the canonical classic spoof. The Seventh Circuit upheld the conviction and rejected a vagueness challenge, establishing both that the statute is enforceable and that a cancel-on-fill design is powerful evidence of intent: code that automatically pulls the large order the instant the small order fills is close to a confession.
United States v. Sarao (guilty plea 2016) is the canonical layering-at-scale case. Navinder Sarao ran automated layering in E-mini S&P 500 futures (stacking large sell orders he repeatedly modified and cancelled) and his activity was implicated in the conditions around the 6 May 2010 Flash Crash. He pleaded guilty to spoofing and wire fraud and was extradited from the UK, making the case the landmark for both layering and cross-border enforcement reach. Subsequent CFTC and DOJ actions against major bank desks then established that liability extends to large institutions, and that surveillance can reconstruct intent from order records years after the fact.
How does a legitimate strategy avoid the footprint?
This matters because legitimate strategies cancel constantly: market making, quote updating and iceberg refreshes all generate high order-to-trade ratios. Surveillance, and your own algo controls, see the footprint, not your private intent. A cancel-on-fill dependency between a large displayed order and a small genuine one on the other side is the single most dangerous pattern to produce by accident.
The way to stay clear is to ensure large orders are genuinely executable (you would be content to trade them) and are not systematically cancelled the instant a contra-side order fills, and to document them as bona-fide in design and controls. A legitimate maker re-quotes because the price moved; a spoofer cancels because its genuine order filled. The first is symmetric and value-driven; the second is conditioned, one-sided and reverting, which is exactly what the metrics above are built to separate.
Worked example
A synthetic, checkable detection walkthrough, as of 2026, framed as a surveillance reconstruction, showing how it is caught, not how it is done. An account places a genuine buy for 10 lots at the bid, 100.00. It then layers 400 lots of sell orders across 100.03, 100.04 and 100.05, a wall of apparent supply. Over the next ~120 ms the displayed pressure pushes the best bid down, and the account's 10-lot buy fills at 99.99. Within ~5 ms of that fill, all 400 lots are cancelled, and the price reverts toward 100.01.
Read the four tells in order. The order-to-trade ratio: 400 lots placed on the sell side, zero traded, an infinite ratio in this window, the hallmark of size that was never meant to execute. The cancel-to-fill timing: the 400 lots vanish within ~5 ms of the contra fill, so the cancel is conditioned on the genuine fill, not on any change in the market. The displayed-size asymmetry: 400 displayed against 10 genuine, a 40× imbalance favouring the deceptive side. The post-cancel reversion: the price moves back ~2 ticks once the wall disappears, demonstrating the move was artificial.
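The four tells and their conjunction, computed over the walkthrough's figures, as an added surveillance-side example that is not part of the original page. The log layout, the per-level split of the 400 lots, the timestamps, the contrasting market-maker log and every threshold in `LIMITS` are assumptions made for illustration.

```python
import math

# Constructed message logs, not real data: (t_ms, event, order_id, side, price, lots).
# SPOOF_LOG mirrors the walkthrough; the 150/150/100 split of the 400 lots and the
# exact timestamps are assumptions. MAKER_LOG is a maker re-quoting after a price move.
SPOOF_LOG = [
    (0, "new", "B1", "buy", 100.00, 10), (2, "new", "S1", "sell", 100.03, 150),
    (2, "new", "S2", "sell", 100.04, 150), (3, "new", "S3", "sell", 100.05, 100),
    (120, "fill", "B1", "buy", 99.99, 10), (124, "cancel", "S1", "sell", 100.03, 150),
    (124, "cancel", "S2", "sell", 100.04, 150), (125, "cancel", "S3", "sell", 100.05, 100),
]
MAKER_LOG = [
    (0, "new", "B1", "buy", 100.00, 20), (0, "new", "S1", "sell", 100.02, 20),
    (50, "fill", "B1", "buy", 100.00, 20), (400, "cancel", "S1", "sell", 100.02, 20),
    (401, "new", "S2", "sell", 100.01, 20), (600, "fill", "S2", "sell", 100.01, 20),
]
SPOOF_PX = (99.99, 100.01)  # (price at the fill, price after the cancels)
MAKER_PX = (100.00, 99.99)

# Hypothetical thresholds; a real desk calibrates them against peer behaviour.
LIMITS = {"otr": 20.0, "lag_ms": 10, "cancelled": 0.95, "asym": 10.0, "revert": 1}

def tells(log, px, tick=0.01):
    """Compute the four tells for the window around the first fill in the log."""
    fill = next(e for e in log if e[1] == "fill")
    t_fill, side = fill[0], fill[3]
    contra = "sell" if side == "buy" else "buy"   # side opposite the filled order
    lots = lambda ev, s: sum(e[5] for e in log if e[1] == ev and e[3] == s)
    placed, traded = lots("new", contra), lots("fill", contra)
    late = [e for e in log if e[1] == "cancel" and e[3] == contra and e[0] >= t_fill]
    sign = 1 if side == "buy" else -1             # reversion runs against the push
    return {
        "otr": placed / traded if traded else math.inf,
        "lag_ms": max(e[0] for e in late) - t_fill if late else math.inf,
        "cancelled": sum(e[5] for e in late) / placed if placed else 0.0,
        "asym": placed / max(lots("new", side), 1),
        "revert": sign * round((px[1] - px[0]) / tick),
    }

def flag(t, lim=LIMITS):
    """Fire only on the conjunction: every tell must clear its threshold."""
    return (t["otr"] >= lim["otr"] and t["lag_ms"] <= lim["lag_ms"]
            and t["cancelled"] >= lim["cancelled"] and t["asym"] >= lim["asym"]
            and t["revert"] >= lim["revert"])
```

The maker log cancels too, but 350 ms after its fill, with half its contra-side size trading and no reversion, so the conjunction does not fire.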
The lesson the numbers teach is structural: the manipulation is invisible if you only look at trades, and obvious once you look at the full order lifecycle, which is exactly what regulators keep and replay. Any one signal is explainable; all four together, repeated across sessions, is the statistical fingerprint that opens a case, which is then proven with the algorithm's cancel-on-fill logic and the trader's communications. The figures here are synthetic and illustrative; a real case rests on the message record and the intent evidence, not on round numbers. See market manipulation for where this sits among the related conduct.