On Tuesday, US federal prosecutors unveiled criminal charges against three men accused of orchestrating the biggest theft of customer data from financial institutions in the country’s history – a haul encompassing personal data belonging to more than 100 million people.
Unsealing a 23-count indictment in Manhattan, the Justice Department charged Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein with computer hacking crimes against JPMorgan, as well as other financial institutions, brokerage firms and financial news reporters, including The Wall Street Journal. The trio stand accused of stealing as many as 83 million customer records.
Speaking at a press conference, US Attorney Preet Bharara said:
The charged crimes showcase a brave new world of hacking for profit. It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate.
This was hacking as a business model. The alleged conduct also signals the next frontier in securities fraud – sophisticated hacking to steal nonpublic information, something the defendants discussed for the next stage of their sprawling enterprise.
The news finally puts to bed long-standing rumours of Russian shenanigans, instead painting a picture of good, old-fashioned greed. The scam centred around the tried and tested pump-and-dump stock scam that’s still very much alive and kicking, as we learned on Monday, when Lisa told us about James Alan Craig who had been using Twitter to manipulate stock prices.
This case is unusual though – pump-and-dumpers usually just spread misinformation in order to drive stock prices in whichever direction serves their needs; they don’t hack their way into systems to steal business data.
That’s exactly what happened in this case, though, and the reasons for it are simple. Not only were the alleged hackers able to glean more intel on the companies they were targeting, which would have given them additional insight into future stock values, they were also able to pick up personal information on specific individuals – a useful tactic in tailoring attacks against them.
And both avenues proved to be extremely lucrative for them: prosecutors claim they made upwards of $100m through hacking seven large banks, running their own illegal Bitcoin trading operation and operating an online casino.
In fact, according to law enforcement, the operation was so successful that it employed hundreds of people across 75 shell companies created in a number of countries via fake passports.
Prosecutors claim Shalon was the mastermind of the whole operation, saying he was the owner of US-based Bitcoin exchange Coin.mx which he operated with fellow Israeli, Orenstein.
With the help of Aaron, an American, the group allegedly bought up the type of penny stocks so often used in pump-and-dump scams. They then blasted out emails to dupe the unwary into jumping on a bandwagon so full of hype that they reportedly walked out of one deal alone with $2m.
It’s here that the information stolen from JPMorgan, Dow Jones, Scottrade and others came in useful – client and subscriber lists offered up a long line of potential marks.
As for how the trio allegedly broke into JPMorgan and other banks, the indictment says very little. However, it did reference a mutual fund in Boston whose tardiness left the doors to its network wide open in April 2014, when it failed to install a patch for the Heartbleed bug in good time.
According to Attorney Bharara, the sophisticated nature of the scheme was such that many companies could yet be unaware that they have also been targeted:
Even the most sophisticated companies – like those victimized by the hacks in this case – have to appreciate the limits of their ability to uncover the full scope of any cyber-intrusion and to stop the perpetrators before they strike again.
If they have been hacked, most likely others have been as well, and even more will be. The best bet to identify, stop and punish cybercriminals is to work closely, and early, with law enforcement. That happened here, and today’s charges are proof of that.
JPMorgan – which confirmed it was “Victim 1” in the superseding indictment – agreed that strong cooperation with law enforcement had been essential “in bringing the criminals to justice”. Scottrade, which had 4.6 million client accounts compromised, and Dow Jones both echoed that view.
Shalon and Orenstein were arrested by Israeli Police in July 2015 on an indictment that charged the underlying securities fraud, and both remain in custody in Israel as prosecutors continue to negotiate their extradition to the US.
Aaron, meanwhile, remains at large, with prosecutors declining to confirm or deny whether they know where he is currently hiding.