Contrarian Corpus
short seller research note initial thesis
2016-08-25 · 34 pages

St. Jude Medical, Inc. STJ

St. Jude's $23B cardiac-device franchise rests on a Merlin ecosystem so insecure that hackers can crash pacemakers from 50 feet — a recall and two-year remediation imply 50%+ downside and likely covenant breach.

Narrative: 5
Visual: 2
Craft: 2
Source URL unavailable

Thesis

Muddy Waters is short St. Jude Medical (STJ), arguing that 46% of the $23B company's revenue — pacemakers, ICDs and CRTs — is exposed to an imminent cybersecurity-driven recall. Working with cybersecurity firm MedSec, the firm demonstrates two catastrophic attacks on STJ's implantable cardiac devices: a 'crash' attack that forces dangerous pacing and a battery-drain attack, both executable within a 50-foot radius using the hundreds of thousands of $35 Merlin@home monitors STJ has distributed and which are readily sold on eBay with unencrypted SSH keys. Muddy Waters argues remediation requires a full two-year RF protocol rewrite, triggering a sales moratorium, a likely 3Q16 bank-covenant breach, $6.4bn of product-liability exposure, and ratings downgrades. DCF sensitivity on network-shutdown and market-share-loss scenarios implies roughly 50-90% downside from $82 per share.

SCQA

Situation

St. Jude Medical is a $23B medical device company whose pacemakers, ICDs and CRTs — 46% of 2015 revenue — depend on a Merlin@home and Merlin.net ecosystem for RF-based remote patient monitoring.

Complication

MedSec found STJ's cardiac ecosystem is grossly negligent on security: hundreds of thousands of $35 Merlin@home units hold unencrypted SSH keys and can be weaponized to crash or battery-drain patients' implants from 50 feet.

Resolution

STJ must recall the pacemakers, ICDs and CRTs, disable RF as a compensating control, and rewrite the RF communication protocol — a two-year remediation that imposes a product sales moratorium.

Reward

DCF sensitivity under network-shutdown and share-loss scenarios implies roughly 50-90% downside from $82; a likely 3Q16 covenant breach, $6.4bn litigation exposure and rating downgrades compound the decline.

The three reasons

  1. STJ cardiac devices (46% of 2015 revenue) can be remotely crashed or battery-drained within a 50-foot radius
  2. Hundreds of thousands of Merlin@home units ship with unencrypted SSH keys and are sold on eBay for ~$35
  3. A mandated recall and 2-year RF rewrite likely trigger a 3Q16 covenant breach and $6.4bn litigation exposure

Primary demands

  • STJ should recall its pacemakers, ICDs and CRTs
  • Immediately disable the RF capability of patients' implanted devices as a compensating control
  • Rebuild the RF communication protocol and harden the Merlin ecosystem (estimated two-year remediation)
  • Patients unplug their Merlin@home monitors until remediation is complete

KPIs cited

  • Cardiac Devices share of revenue: 46% of STJ 2015 revenue ($2,485M across CRM pacemakers/ICDs and CRT portion of Heart Failure)
  • Merlin@home installed base (US): ~260,000 active units in US homes; 490,000 US Cardiac Device users without Merlin@home
  • Market cap / stock price: Stock $81.88, market cap $23.3bn, float 97.5% at report date
  • Attack radius: Crash and battery-drain attacks demonstrated within ~50 foot RF radius of a Merlin@home unit
  • Merlin@home resale price on eBay: Used units typically $10-$35; Merlin programmer seen at $3,499
  • Estimated product-liability damages: $6.4bn (assumes $15,000 per Merlin@home user x 260,000 plus $5,000 per 490,000 non-Merlin users)
  • Consolidated Leverage Ratio: Calculated at 4.45x vs 4.25x covenant for 2015; covenant steps down to 4.0x in 2016
  • Secured debt at risk: ~$3.8bn of secured debt (revolver + term loan) potentially re-priced after covenant breach
  • Remediation timeline: Estimated 2 years to develop new RF protocol (10-15 person team) plus 3-6 months FDA approval
  • DCF inputs: WACC sensitized 6%-11% (Bloomberg 6.5%, peers 7.7%+); perpetuity growth -5% to +3%; assumes $1bn litigation settlement in 4 years

Precedents cited

  • Hospira Symbiq infusion pump recall (Billy Rios / FDA advisory 2015)
  • Guidant pacemaker/defibrillator recall (J&J acquisition collapse, 2005)
  • Boston Scientific defibrillator recall (2010, 13% overnight share drop)
  • Thoratec HeartMate II LVAD blood-clot defect (2012-2015 market share loss)

Notes

Filename '_2' suffix and page 2 note ('This version has been updated to state that Dr. Nayak speaks for himself, and not his employer') indicate this is an updated version of the original 25-Aug-2016 Muddy Waters short report on STJ — not a later follow-up, hence classified as initial_thesis. Format is a long-form Word-style research note (34pp, Times Roman body, footnotes) rather than a designed pitch deck — classified research_note. Unusual collaboration: Muddy Waters licensed research from cybersecurity firm MedSec and paid it via fund profits; MedSec's medical advisor Dr. Hemal Nayak provides a signed patient letter in the appendix. Novel short thesis mechanism: product-safety/cybersecurity exposure driving forced recall, covenant breach and ratings downgrade rather than accounting fraud. Abbott was in the process of acquiring STJ at the time, which raises the MAC-clause parallel the report implicitly invokes via the Guidant/J&J case study. No stake disclosed — short position held by funds MW manages; disclaimer explicitly reserves right to change position.