Hackers who targeted JPMorgan, Wall Street Journal and other 13 firms last year, indicted
Four hackers who breached JPMorgan Chase’s systems last year and were involved in a large theft of data that targeted 14 other companies, including The Wall Street Journal and several online brokerages were indicted on Tuesday. The data of 100 million of people that included names, email addresses and telephone numbers was compromised by the hackers in order to earn themselves hundreds of millions of dollars.
On Tuesday, one indictment charged three people in the computer breach, as they led a “sprawling cybercriminal enterprise” which affected at least a dozen firms including banks and other organizations. The fourth person was charged in an indictment for running a bitcoin scheme to launder the proceeds of the hackers.
According to the Justice Department, more than 100 million customers had personal information stolen or compromised from the 12 companies. Even though JPMorgan Chase was not mentioned in the indictment, the bank confirmed the investigation was linked to the breach disclosed last year.
“We appreciate the strong partnership with law enforcement in bringing the criminals to justice,” bank spokeswoman Patricia Wexler said in a statement. “As we did here, we continue to cooperate with law enforcement in fighting cybercrime.”
Other firms previously identified as victims included the Dow Jones media group and online brokers Scottrade and ETrade.
Manhattan U.S. Attorney Preet Bharara said that the hackers — two Israeli residents and one U.S. citizen — were busted after a year-long investigation that spanned 11 countries.
Mastermind Gery Shalon, 31, is charged with arranging massive computer hacking crimes, including the largest theft of customer data from a U.S. financial institution in history — the hack of 83 million customer records from JP Morgan Chase, prosecutors said.
“By any measure, the data breaches at these firms were breathtaking in scope and in size,” Bharara said.
Shalon, Ziv Orenstein and Joshua Samuel Aaron were charged with targeting 12 companies, including nine financial services companies and media outlets including The Wall Street Journal, and using the info for an array of scams.
They used the stolen data to send emails in an effort to artificially pump up the prices of certain “penny” stocks – a so-called “pump and dump”
The hackers operated a wide range of other criminal activities including an unlawful bitcoin exchange, an Internet gambling scheme, and an illicit payment processing operation for shady online pharmaceutical sellers and others. Bharara said “The defendants’ criminal schemes allegedly generated hundreds of millions of dollars in illicit proceeds.”
“We have exposed a cybercriminal enterprise that for years successfully and secretly hacked into the networks of a dozen companies, allegedly stealing personal information of over 100 million people, including over 80 million customers from one financial institution alone,” said Bharara.
“The charged crimes showcase a brave new world of hacking for profit. It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate. This was hacking as a business model.”
Shalon and Aaron executed the JP Morgan Chase hacking using a computer server in Egypt that they had rented under an alias, said prosecutors.
Bharara credited the bank with coming forward to investigators as soon as they found out about the breach in August of last year, saying that helped them track down the hackers.
All three men were charged in July with related crimes, and have been now charged with computer hacking, securities fraud, conspiracy to commit computer hacking and conspiracy to commit securities fraud.
Authorities said Aaron, a 31-year-old U.S. citizen believed to be living in Moscow and Israel, was a fugitive while Shalon, of Savyon, Israel, and Orenstein, 40, of Bat Hefer, Israel, were in custody in Israel pending an extradition proceeding. The indictments include some 30 criminal charges carrying penalties of between five and 20 years each.
Another defendant, Anthony Murgio, 31, of Tampa, Florida, was charged separately over the bitcoin exchange, Coin.mx. He was originally charged in July along with the others, and faces an arraignment on Friday. A co-defendant in that case, Yuri Lebedev, is in “discussions” with prosecutors, Bharara said.
Lawyers for the defendants were not immediately available for comment.
On Tuesday, JPMorgan confirmed that the latest charges are linked to the 2014 attack, and said it continues to cooperate with law enforcement efforts to fight cybercrime.
It also said that only contact information such as names, addresses and emails was accessed, and that account information, passwords or Social Security numbers were not compromised.