The ring allegedly also hacked other financial companies, including E-Trade and Scottrade, as well as financial news organization Dow Jones, and ran illegal Internet casinos and illicit payment processors.
The victims of the alleged cybercrime spree included financial-services companies in New York, Boston, St. Louis, Omaha and Charlotte, according to a newly unsealed 23-count indictment.
The JPMorgan customer data was used, prosecutors charge, to further a “pump and dump” scheme by which the three men allegedly artificially inflated the prices of penny stocks and then sold them to reap huge profits.
Gery Shalon, Joshua Aaron and Ziv Orenstein allegedly sent millions of spam e-mails to JPMorgan customers touting the penny stocks. Then, after the stocks’ value rose, they allegedly sold their shares, realizing millions of dollars while exposing unsuspecting investors to losses, prosecutors say.
“Today we have exposed a cybercriminal enterprise that for years successfully and secretly hacked into the networks of a dozen companies, allegedly stealing personal information of over 100 million people,” said Preet Bharara, the U.S. attorney for the Southern District of New York. “The charged crimes showcase a brave new world of hacking for profit.”
He said the defendants’ schemes generated hundreds of millions of dollars in illicit proceeds.
Shalon, an Israeli citizen, was the leader of the sprawling criminal enterprise, which had hundreds of employees and co-conspirators in more than a dozen countries, the indictment alleges. It says he orchestrated hacks against U.S. financial firms from 2012 through mid-2015. Those intrusions included the breach of JPMorgan. Shalon, arrested in Israel in July, was charged with crimes including computer hacking, securities fraud, wire fraud and money laundering.
At one point, the indictment alleges, Shalon boasted to a co-conspirator that his sale of the penny stocks for large profits was “a small step towards a large empire.” Asked whether buying such stocks was popular in the United States, Shalon allegedly responded: “It’s like drinking freaking vodka in Russia.”
Aaron, a U.S. citizen who remains at large, was similarly charged. Orenstein, an Israeli citizen, also was arrested in Israel in July. His charges include securities fraud, wire fraud, running an unlawful Internet casino, running an illicit payment processor and money laundering.
Lawyer Alan Futerfas, who represents Orenstein in the United States, declined to comment.
JPMorgan Chase confirmed that some of the new charges are related to the 2014 hack, which resulted in a breach of information on 83 million people. “We appreciate the strong partnership with law enforcement in bringing the criminals to justice,” JPMorgan Chase spokeswoman Patricia Wexler said in an e-mail. “As we did here, we continue to cooperate with law enforcement in fighting cybercrime.”
According to prosecutors, the hack was carried out using a computer server based in Egypt that was rented from a third party under an alias.
Dow Jones spokeswoman Colleen Schwartz confirmed in an e-mail that the company also was among the group’s alleged victims. Dow Jones, a publisher of news and other information, disclosed last month that it had suffered a breach of its systems that exposed payment card and contact information for 3,500 individuals.
The publisher said it had not uncovered any “direct evidence” that information was stolen, though.
In April 2014, the indictment alleges, Shalon and his ring hacked the network of a financial-services firm in Boston by exploiting a major encryption-software security flaw called Heartbleed. Shortly after the hackers gained access, the firm repaired the Heartbleed vulnerability in its systems, the government said.
In a separate indictment unsealed Tuesday in Atlanta, Shalon, Aaron and an unidentified third individual face charges related to an alleged scheme to hack into E-trade and Scottrade that breached databases with information about more than 10 million people.
The hackers’ plan appeared to be to start their own financial-services company using stolen data, according to the indictment.
Shalon and the unidentified hacker discussed a plan to use customer contact information stolen in the scheme to build their own brokerage database for marketing stocks, the indictment alleges. In an online chat that occurred as the hacker was stealing information from E-Trade, Shalon said he hoped to collect information on customers’ trading positions so his organization could “know [the investors’] plans and take them there,” the indictment alleges.
Prosecutors say they are pursuing extradition of Orenstein and Shalon.
The Securities and Exchange Commission is also pursing separate civil charges against the three men related to the “pump and dump” scheme.