Indictment over JPMorgan cyberattack also lists unnamed Charlotte firm as victim

U.S. prosecutors on Tuesday announced expanded charges against two men that link them to a 2014 cyberattack against JPMorgan Chase that affected tens of millions of customers, as well as hacks against other companies and financial news organizations.

The case represents one of the most significant crackdowns on cybercrime in the financial sector to date.

Israeli citizen Gery Shalon and U.S. citizen Joshua Aaron now face computer hacking charges. Another alleged co-conspirator, Israeli citizen Ziv Orenstein, was named in a newly unsealed 23-count indictment that also includes charges of securities fraud and identity theft, but he was not specifically tied to the computer hacking charges.

Two indictments, unsealed Tuesday, tied three of four suspects to previously reported hacks of JPMorgan Chase, ETrade Financial Corp., Scottrade Financial Services Inc. and Dow Jones & Co., a unit of News Corp.

The indictment also listed eight other unidentified corporate victims, including a “financial services corporation, providing online stock brokerage and other services, with headquarters in Charlotte, North Carolina.”

The U.S. Attorney’s Office in Manhattan would not identify the company, but one possibility is TradeKing Group, an online brokerage with a significant presence in Charlotte but with headquarters in Fort Lauderdale, Fla.

TradeKing has cooperated with authorities in the matter but “there is no evidence that the company or its clients were impacted,” Sue Parente, a spokeswoman for the company, told the Observer. She said TradeKing can’t comment on whether it was the “Victim-7” identified in the indictment.

Charlotte-based Bank of America is not Victim 7, bank spokesman Dan Frahm said.

According to the indictment, Shalon “caused the unauthorized access to,” and theft of customer data from, Victim 7’s computer network from about September 2013 to November 2013.

Shalon was the leader of a “sprawling cybercriminal enterprise” that operated “through hundreds of employees, co-conspirators and infrastructure in over a dozen countries,” the indictment alleges. It said that Shalon orchestrated “massive hacking crimes” against U.S. financial institutions from 2012 through mid-2015, “including the largest theft of customer data from a U.S. financial institution in history.”

The group used information gleaned from the hack for sophisticated financial schemes, prosecutors allege. “The charged crimes showcase a brave new world of hacking for profit. It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate,” Manhattan U.S. Attorney Preet Bharara said in a press statement. “Fueled by their hacking, the defendants’ criminal schemes allegedly generated hundreds of millions of dollars in illicit proceeds.”

JPMorgan Chase confirmed that some of the new charges were related to a 2014 hack that resulted in the breach of information on 83 million people. “We appreciate the strong partnership with law enforcement in bringing the criminals to justice,” JPMorgan Chase spokesperson Patricia Wexler said in an emailed statement. “As we did here, we continue to cooperate with law enforcement in fighting cybercrime.”

According to the indictment, that attack was carried out using a computer server based in Egypt that was rented from a third party under an alias.

Dow Jones spokesperson Colleen Schwartz confirmed that the publisher was also among the group’s alleged victims. “The indictment unsealed Tuesday refers to the public disclosure we made on Oct. 9. The government’s investigation is ongoing, and we continue to cooperate with law enforcement,” she said in an emailed statement.

One of the attacks against another financial institution relied on exploiting Heartbleed, a major security flaw, revealed in 2014, in a widely used encryption system, according to the indictment.

Although this is the first time the trio have been publicly linked by the government to the JPMorgan hack, it’s not their first run-in with the law. Over the summer, Shalon and Orenstein were arrested in Israel after the trio faced fraud charges related to an alleged scheme to artificially inflate the prices of penny stocks and then dump them for profit. Prosecutors say they are pursuing extradition. Aaron remains at large.

The Securities and Exchange Commission is also pursuing separate civil charges against the three men related to the “pump and dump” scheme.

Additionally, Anthony Murgio, who was arrested in Florida in July, was indicted separately for crimes related to a Bitcoin-exchange service and the takeover of a New Jersey credit union to further the business.

Staff writers Rick Rothacker, Deon Roberts and Bloomberg News contributed.
