Prosecutors have announced charges against 4 men, alleging they hacked into the computer systems of a dozen companies and swiped the personal data of millions of people. Among the victims was JPMorgan Chase & Co., which suffered “the largest theft of customer data from a U.S. financial institution in history.”
The hack, it seems, was the first in a multi-step process. After the men stole names, addresses, email addresses and phone numbers, they used that information to contact and deceptively market penny stocks in order to inflate their price and cash-in, according to a 68-page indictment that was unsealed Tuesday.
‘Hacking as a business model’
Prosecutors alleged that between 2012 and mid-2015, the men engaged in “massive computer hacking crimes against U.S. financial institutions, financial services corporations and financial news publishers,” including Chase, Fidelity Investments, E-Trade and Scottrade. Each of the breaches had been previously disclosed, although the number of impacted customers appears to have grown.
In the end, the group stole personal information from more than 100 million customers, prosecutors said.
“The charged crimes showcase a brave new world of hacking for profit,” Manhattan U.S. Attorney Preet Bharara said when announcing the charges. “It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate. This was hacking as a business model.”
Named in the 23-count indictment were the alleged ringleader, Gery Shalon, 31; his deputy, Ziv Orenstein, 40; and purported hacker Joshua Aaron, 31. Charges include computer hacking, securities fraud and aggravated identity theft.
Another man, Anthony Murgio, 31,was named in a separate indictment and faces fraud and conspiracy charges. Shalon and Orenstein were arrested in July in Israel, where they remain pending extradition. Murgio, a U.S. citizen, was arrested in July. Aaron, also a U.S. citizen, remains at large, prosecutors said.
Americans seen as easy targets
After stealing the customer data, the men sent spam emails to “millions of recipients per day — that falsely touted the stock in order to trick others into buying it,” according to prosecutors. They also allegedly marketed the stock by mail and phone to the financial institutions’ customers.
Did the men who were indicted think their scheme would work? Prosecutors allege that an unnamed co-conspirator once asked if Americans really buy stock. Shalon is said to have responded: “It’s like drinking freaking vodka in Russia.”
In the end, the stock manipulation scheme generated tens of millions of dollars in illegal profits, prosecutors allege.
Online gambling, bitcoin enterprises
Outside of the financial services hacks, the men between 2007 and 2015 also are alleged to have hacked into numerous other company networks to help bring money into their other illicit firms, including Internet gambling businesses, payments processors for illegal pharmaceutical companies, malware distributors and an illegal U.S.-based bitcoin exchange.
Prosecutors said the group earned hundreds of millions of dollars, which they laundered through at least 75 shell companies and bank and brokerage accounts. “The defendants controlled these companies and accounts using aliases, and by fraudulently using approximately 200 purported identification documents, including over 30 false passports …”