U.S. authorities today announced multiple indictments and arrests in connection with separate hacking incidents that resulted in the theft of more than 100 million customer records from some of the nation’s biggest financial institutions and brokerage firms, including JP Morgan Chase, E*Trade and Scottrade.
Prosecutors in Atlanta and New York unsealed indictments against four men and one unnamed alleged co-conspirator in connection with a complex, sprawling scheme to artificially manipulate the price of certain publicly traded U.S. stocks.
The defendants are accused of hacking into JPMorgan Chase in 2014, stealing the names, addresses, phone numbers and email addresses of the holders of some 83 million accounts at the financial institution – a breach that the Justice Department has dubbed the “largest theft of customer data from a U.S. financial institution in history.” Scottrade announced a similar breach of 4.6 million customer records in October 2015. E*Trade last month warned 31,000 customers that their contact information may have been breached.
The men allegedly laundered hundreds of millions of dollars from the scheme via a vast cybercrime network that included illegal online pharmacies, fake antivirus or “scareware” schemes, Internet casinos and even a Bitcoin exchange.
Indictments from Atlanta U.S. Attorney John Horn name Gery Shalon, 31, a resident of Tel Aviv and Moscow, who was arrested by Israeli law enforcement in Savyon, Israel in July 2015 and remains in custody there pending extradition proceedings. Another man, Joshua Samuel Aaron, also 31, is a U.S. citizen and resident of Israel, but currently a fugitive. The Atlanta indictments referenced a third, as-yet-unnamed accomplice.
Separately, the U.S. Attorney’s Office for the Southern District of New York unsealed its own charges against Shalon and Aaron, as well as a third Israeli citizen, 40-year-old Ziv Orenstein. In addition, prosecutors there announced indictments against Anthony R. Murgio, alleging he fraudulently operated the Florida-based Coin.mx Bitcoin exchange along with Shalon and through it further helped the conspiracy launder its illicit proceeds. Murgio was arrested in July 2015 and is facing prosecution in New York.
According to the Justice Department, between approximately 2007 and July 2015, Shalon owned and operated unlawful internet gambling businesses in the United States and abroad, and he owned and operated multinational payment processors for illegal pharmaceutical suppliers and for counterfeit and malicious software (“malware”) distributors. The government further alleges that Shalon owned and controlled Coin.mx, an illegal United States-based Bitcoin exchange that operated in violation of federal anti-money laundering laws.
“Through their criminal schemes, between in or about 2007 and in or about July 2015, Shalon and his co-conspirators earned hundreds of millions of dollars in illicit proceeds, of which Shalon concealed at least $100 million in Swiss and other bank accounts,” reads a statement issued by Preet Bharara, the United States Attorney for the Southern District of New York.
The government alleges that Shalon, Aaron and Orenstein operated their criminal schemes and laundered their criminal proceeds through at least 75 shell companies and bank and brokerage accounts around the world. “The defendants controlled these companies and accounts using aliases, and by fraudulently using approximately 200 purported identification documents, including over 30 false passports that purported to be issued by the United States and at least 16 other countries,” the Justice Department wrote.
The indictments charge that the defendants orchestrated a complex scheme to acquire substantial stakes in targeted companies, buying up large amounts of (low-priced) stocks. The government says the conspiracy tried to capitalize on price changes in those stocks prompted by events allegedly set in motion by the accused — such as so-called “reverse mergers” with shell companies that the men allegedly set up, or via spam email blasts to customer lists stolen from the hacked brokerage firms that falsely touted the stocks in a bid to trick others into buying them.
Authorities say Murgio and Shalon tricked banks and credit card issuers into authorizing debit and credit card payment transactions to purchase Bitcoins through Coin.mx, by deliberately miscoding customer transactions as something else — such as purchases for wedding dresses and pet supply stores. Prosecutors also allege that Murgio and Shalon paid a small credit union in New Jersey $100,000 to install one of his co-conspirators on the bank’s board of directors.
If all of this sounds like the script of a Hollywood movie, it should be a familiar script by now. The cybercrime kingpins whose work I detailed in my 2014 book Spam Nation were involved in all of the crimes alleged today by prosecutors in Atlanta and New York, including spamming rogue pharmaceutical sites, running scareware rackets, conducting pump-and-dump stock scams, and laundering illicit profits through huge networks of shell companies.
The indictment against Shalon et al. is available here (PDF). Murgio’s indictment is here (PDF).