On Tuesday, a federal court charged three men with having hacked JP Morgan Chase back in 2014, a breach that resulted in the theft of 83 million people’s personal information.
The 23-count indictment unsealed by the United States District Court Southern District of New York indicts three men–two Israeli citizens and an American citizen–on charges of identity theft, computer fraud, and other crimes. According to The New York Times, these new charges are the first to directly link the accused with the JP Morgan hack.
Gery Shalon and Ziv Orenstein, the Israeli citizens, remain in custody and are currently awaiting extradition to the United States from Israel following their arrest back in July of this year.
Meanwhile, federal authorities presume that the American, Joshua Samuel Aaron, is currently in Russia. The FBI has issued a warrant for Aaron’s arrest.
Together, the three men made a total of $100 million via the use of 75 shell companies that employed hundreds of people. For three years, they relied on 30 passports from 17 countries to keep their activities a secret.
The indictment explains how Shalon orchestrated a “pump-and-dump scheme” in which the accused would buy up penny stock, blast out misleading emails to others that encouraged them to buy stock, and then sold their shares before the crash inevitably followed.
As reported by CNN Money, the men once made $2 million on a single exit.
To obtain the emails of potential investors, Shalon hired a hacker to steal the contact information of customers of some of the country’s most prominent financial institutions. These included Dow Jones, Scottrade, and JP Morgan.
Reports reveal that the hackers gained entry to the lattermost organization by exploiting a vulnerability in JP Morgan’s website. They then used custom-made tools specifically designed to exploit the institution’s environment to eventually gain access to customers’ accounts.
The three men ultimately made off with the names, addresses, phone numbers, and email addresses of some 83 million accounts at the JP Morgan, an incident which the Justice Department has since dubbed the “largest theft of customer data from a U.S. financial institution in history,” according to Brian Krebs.
“The charged crimes showcase a brave new world of hacking for profit. It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate,” said U.S. attorney Preet Bharara in a statement released by the Department of Justice. “This was hacking as a business model. The alleged conduct also signals the next frontier in securities fraud – sophisticated hacking to steal nonpublic information, something the defendants discussed for the next stage of their sprawling enterprise. Fueled by their hacking, the defendants’ criminal schemes allegedly generated hundreds of millions of dollars in illicit proceeds. Even the most sophisticated companies – like those victimized by the hacks in this case – have to appreciate the limits of their ability to uncover the full scope of any cyber-intrusion and to stop the perpetrators before they strike again. If they have been hacked, most likely others have been as well, and even more will be. The best bet to identify, stop and punish cybercriminals is to work closely, and early, with law enforcement. That happened here, and today’s charges are proof of that.”
Commenting on the indictment of Shalon, Orenstein, and Aaron, Tim Erlin, Director of IT Security and Risk Strategy at Tripwire, told SCMagazine.com the following:
“While we tend to focus on the technical tools to prevent these types of cyberattacks, these indictments are a good reminder that partnership with law enforcement can provide more traditional tools for fighting cybercrime. If cybercriminals aren’t likely to get away with their crimes, they’ll be forced to change their tactics.”
The prosecution of this case will now proceed under the oversight of the Office’s Complex Frauds and Cybercrime Unit. Assistant U.S. Attorneys Nicole Friedlander, Eun Young Choi, and Sarah Lai are in charge of the prosecution.