U.S. prosecutors have charged three men in relation to the largest cyber-attack and theft of consumer data from a U.S. financial institution in history.
Three Israeli nationals have been charged with running a sweeping hack and fraud campaign that culminated in a massive breach of multiple financial institutions including JPMogran Chase & Co, the biggest bank by assets in the United States. The breach saw hackers gain access to the personal records of over 100 million people between 2012 and summer 2015.
Reuters reports that Israeli nationals Grey Shalon and Ziv Orenstein along with Joshua Samuel Aaron, a U.S. citizen living between Moscow and Tel Aviv, Israel have all been charged with computer hacking and identity theft among 21 other counts. Aaron is labelled a fugitive while Shalon and Orenstein are in custody in Israel after being arrested in July. The U.S. is looking to extradite the two charged.
The hacking spree is said to cover financial institutions and brokerage firms including Scottrade, JP Morgan Chase and ETrade.
Prosecutors also added the criminal enterprise existed from 2007, with U.S. federal prosecutor Preet Bharara noting “the single largest theft of customer data from a U.S. financial institution ever,” signaling a “brave new world of hacking for profit.”
Security Fraud on Cyber Steroids
According to investigators vested in the case, hackers with a prowess in technical skillsets and social engineering gained access to numerous banks’ networks to gain personal data which was then used to manipulate stock prices. The hacks also targeted financial news organizations, prosecutors said.
With a ‘pump and dump’ technique, the hackers didn’t even need to access bank details. Instead, here’s how the hackers profited:
- The hackers looked into the personal data of those investing in stocks. It’s a staggering effort, with the three hackers allegedly stealing personal information of over 100 million people over the course of several years.
- With these details, the hackers socially engineered a scam where information was sent to the email addresses of higher-ups to promote stocks that the hackers bought cheaply.
- With this manipulation, the stocks would eventually rise at which point the hackers would dump their stocks at a higher price.
To give an indication of the scope of the trio’s operation, the trio laundered their money to an overall haul of $100 million through 75 shell companies, bank accounts and brokerages from around the world. An excerpt from the Justice Department’s press release read:
The defendants controlled these companies and accounts using aliases, and by fraudulently using approximately 200 purported identification documents, including over 30 false passports that purported to be issued by the United States and at least 16 other countries.
Bharara called the massive scale of the operation as “securities fraud on steroids.”
An Illegal Bitcoin Exchange
The sweeping crime had court papers reveal details of an illegal Bitcoin exchange. A fourth person named Anthony R. Murgio was charged after allegedly operating Florida-based Coin.mx, a bitcoin exchange along with Shalon as a means to launder the hackers’ ill-gotten gains.
A government charge further alleges that Shalon owned and controlled Coin.mx that fundamentally operated in violation of federal anti-money laundering laws.
Authorities note the duo found ways to trick credit card companies and banks to authorize payment transactions to purchase Bitcoins through Coin.mx by faking transactions purporting to be something else, like a purchase from a pet supply store.
The investigation essentially started with one ‘victim company’ and one hack. And as we dug deeper and used all the investigative tools at our disposal, we were able to unearth the gargantuan scheme that you see in the charges unsealed today.
Images from Shutterstock.