U.S. prosecutors on Tuesday unveiled criminal charges against three men accused of running a sprawling computer hacking and fraud scheme that included a huge attack against JPMorgan Chase & Co and generated hundreds of millions of dollars of illegal profit.
Gery Shalon, Joshua Samuel Aaron, and Ziv Orenstein, all from Israel, were charged in a 23-count indictment with alleged crimes targeting 12 companies, including nine financial services companies and media outlets including The Wall Street Journal.
Prosecutors said the enterprise dated from 2007, and caused the exposure of personal information belonging to more than 100 million people.
"By any measure, the data breaches at these firms were breathtaking in scope and in size," and signal a "brave new world of hacking for profit," U.S. Attorney Preet Bharara said at a press conference in Manhattan.
The alleged enterprise included pumping up stock prices, online casinos, payment processing for criminals, an illegal bitcoin exchange, and the laundering of money through at least 75 shell companies and accounts around the world.
Tuesday's charges expand a case first announced in July, and according to U.S. Attorney General Loretta Lynch target "one of the largest thefts of financial-related data in history."
The charges are also the first tied to the JPMorgan attack, which prosecutors said involved the stealing of records belonging to more than 83 million customers, the largest theft of customer data from a U.S. financial institution.
Authorities said Shalon and Aaron executed that hacking, using a computer server in Egypt that they had rented under an alias that Shalon often used.
E*TRADE, TD AMERITRADE, NEWS CORP
A separate indictment unveiled in Atlanta against Shalon, Aaron and an unnamed defendant said the brokerages E*Trade Financial Corp and Scotttrade Inc were also targets, and personal information of more than 10 million customers was compromised.
TD Ameritrade Holding Corp and News Corp's Dow Jones unit, which publishes The Wall Street Journal, said they were also targets. Fidelity Investments was also a target, a person familiar with the matter said.
Other targets could not be immediately verified.
Shalon, 31, of Savyon, Israel, and Orenstein, 40, of Bat Hefer, Israel, were arrested in July. Aaron, 31, a U.S. citizen who lives in Moscow and Tel Aviv, remains at large and is the subject of an FBI "wanted" poster.
Another defendant, Anthony Murgio, 31, of Tampa, Florida, was charged separately over the bitcoin exchange, Coin.mx. He was originally charged in July, and faces an arraignment on Friday. A co-defendant in that case, Yuri Lebedev, is in "discussions" with prosecutors, Bharara said.
Lawyers for the defendants were not immediately available for comment.
JPMorgan on Tuesday confirmed that the latest charges relate to the 2014 attack, and said it continues to cooperate with law enforcement efforts to fight cybercrime.
It also said that only contact information such as names, addresses and emails was accessed, and that account information, passwords or Social Security numbers were not compromised.
E*Trade said it has contacted 31,000 customers who may have been affected. News Corp said the indictment relates to a breach that targeted subscribers, and which was disclosed on Oct. 9.
LIKE DRINKING VODKA
The new charges portray Shalon as the ringleader, having orchestrated hackings since 2012 against nine companies, and along with Orenstein having since 2007 run at least 12 illegal Internet casinos.
Prosecutors said Shalon and Orenstein also ran payment processors IDPay and Todur, through which they collected $18 million of fees to process hundreds of millions of dollars of transactions for criminals.
Shalon was also accused of running the illegal bitcoin exchange Coin.mx with Murgio, and concealing at least $100 million in Swiss and other accounts.
Prosecutors said the illegal proceeds included tens of millions of dollars from manipulating the prices of stocks sold to customers whose information had been stolen, and who the defendants arranged to be cold-called.
According to prosecutors, Shalon was sure this would work because Americans liked buying stocks. "It's like drinking freaking vodka in Russia," he allegedly told an accomplice.
Meanwhile, the Atlanta indictment said that after Scottrade's computers were breached in late 2013, Shalon expressed a desire in an online chat to see credit card and trade data for customers, so "they will know that we know info about them for real, and they will trust us more."
Aaron was identified in the FBI poster as the "front-man" in the scheme where, using the alias "Mike Shields," he conspired to drive up stock prices and dump shares at inflated prices.
"Securities fraud on cyber steroids," as Bharara put it.
The indictment against Shalon, Orenstein and Aaron includes counts of computer hacking, securities and wire fraud, identity theft, illegal Internet gambling and conspiring to commit money laundering. Not all counts were brought against all defendants.
Murgio faces seven counts including wire fraud, money laundering and operating an unlicensed money transmitter.
The U.S. Securities and Exchange Commission previously filed civil charges against Shalon, Aaron and Orenstein.
The cases are U.S. v. Shalon et al, U.S. District Court, Southern District of New York, No. 15-cr-00333; U.S. v. Murgio in the same court, No. 15-cr-00769; and U.S. v. Shalon et al, U.S. District Court, Northern District of Georgia, No. 15-cr-00393. (Reporting by Jonathan Stempel and Nate Raymond in New York; Additional reporting by Jim Finkle and Ross Kerber in Boston, and David Henry, Olivia Oran and Jessica Toonkel in New York; Editing by Chizu Nomiyama and Meredith Mazzilli)