Russian pleads guilty in massive JPMorgan hacking scheme

Preet Bharara – former US attorney for the Southern District of New York – has called the 2012-2015 cyberattacks that targeted a dozen American companies, including JPMorgan Chase, “securities fraud on cybersteroids.”

On Monday, Andrei Tyurin, 35, of Moscow, became the first person to be convicted in the case, which involved the theft of data from as many as 83 million customers of JPMorgan, the biggest bank in the US.

The Department of Justice (DOJ) says that makes it one of the largest thefts of customer data from a single US financial institution in history.

In a statement released on Monday, the US Attorney’s Office for the Southern District of New York said that Tyurin pleaded guilty in Manhattan federal court to six felony counts, including wire fraud, bank fraud and conspiracy to commit computer hacking.

He could face a term of up to life in prison when he’s sentenced on 13 February, though maximum sentences are rarely handed out.

The massive hacking campaign started around 2012 and was carried out up until 2015. The network of crooks Tyurin was working with targeted other financial institutions besides JPMorgan, including brokerage firms. It also went after financial news reporters, including The Wall Street Journal, along with other American companies.

In November 2015, the US indicted three men for the hack and fraud scheme: Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein. All three are now in custody in the US, with charges pending.

According to the indictment unsealed at the time, Shalon was the mastermind of the whole operation, which prosecutors dubbed “hacking as a business model.” Shalon was the owner of a US-based Bitcoin exchange, which he operated with Orenstein. Both are Israelis.

With the help of Aaron, an American, the group allegedly bought up the type of penny stocks so often used in pump-and-dump scams. Then, using the customer data allegedly stolen from JPMorgan, Dow Jones, Scottrade and others, they blasted out emails to dupe the financial organizations’ customers and subscribers into buying the junk.

It worked like a charm: they allegedly pocketed $2m from one deal alone. Prosecutors said the scheme generated “tens of millions of dollars in unlawful proceeds.”

According to Monday’s indictment, Tyurin took his marching orders from Shalon. The New York Times reports that Tyurin’s lawyer, Florian Miedel, said in a statement that his client was “hired by the originators and brains of the scheme to infiltrate vulnerable computer systems at their direction.”

From that statement:

He has now accepted responsibility for his particular and limited role in this far-reaching conspiracy, and hopes to return to his wife and young daughter as soon as possible.

Miedel declined to tell the Times whether Tyurin would be cooperating in the prosecution of the other men who’ve been indicted in the scheme, as did prosecutors.

Prosecutors said that Tyurin’s cyberattacks did more than just get customer details used in the pump-and-dump aspect of the criminal business: they were also used to support other illegal businesses, including unlawful internet gambling businesses and international payment processors.

Overall, the illegal businesses were a goldmine: Tyurin, Shalon, and their co-conspirators allegedly obtained “hundreds of millions of dollars in illicit proceeds,” prosecutors said.

So much for the hacking that fueled that money machine: Monday’s guilty plea spells an end to Tyurin’s years-long cyberattacking spree, said Manhattan US Attorney Geoffrey S. Berman:

With today’s plea, Tyurin’s global reign of computer intrusion is over and he faces significant time in a US prison for his crimes.