On Tuesday, federal prosecutors unsealed charges against three men, revealing details of a booming criminal enterprise that involved hacking into some of the largest financial institutions in the United States and stealing data on some 100 million customers. By selling the stolen information, the trio were able to make off with hundreds of millions of dollars, according to documents.
Although they are not named in the indictment, the financial institutions hacked by the men include JP Morgan Chase, ETrade, Scottrade and News Corp., all of which confirmed to Reuters that they were a party in the crime described.
The newly unsealed charges (PDF) accuse Gery Shalon, a 31-year-old Israeli, of carefully planning and coordinating the attacks that resulted in the theft of data on 100 million customers of US financial institutions. Second, they accuse Joshua Aaron, a 31-year-old American, of acting as a co-conspirator in the hacking operations. Lastly, Ziz Orenstein, 40, is an Israeli who allegedly operated illegal casinos and a payment processor alongside Shalon and controlled shell companies for Shalon. Both Shalon and Orenstein were arrested in July; however, Aaron remains at large.
Tuesday’s unsealed indictment describes how the attackers were able to hack into the corporate networks and steal large troves of information. The US Attorney General claims that Aaron was a customer of the hacked companies and gave his login credentials to his friends, Shalon and one unnamed co-conspirator, who scoped out the network. Shalon and his partner were later able to hack the companies and place malware on their machines, stealing portions of information over a period of months.
Come 2014, Shalon and Aaron had their sights set on bigger fraud operations and tried hacking into a company only identified in the indictment as “one of the world’s largest financial services corporations, providing mutual fund, online stock brokerage and other services, with headquarters in Boston, Massachusetts.”
In another case, the indictment cites Shalon and his partner exploiting the Heartbleed vulnerability to gain access to one of the target networks. The hacks were also intended to gain access to e-mails belonging to company executives and online gambling competitors. In 2012, Shalon allegedly launched DDoS attacks against competing gambling sites in hopes of shutting down their operations.
The three men are highly skilled hackers who were able to break into some of the largest companies in the world.
In one incident cited in the charges, Shalon and Aaron used their unauthorized access to financial institutions to artificially manipulate certain US stock prices through a “pump-and-dump” scheme. The two allegedly used stolen information to market stocks, allowing Shalon and Aaron’s operation to sell high despite the stocks’ actual value. As the criminal operation sold its shares, the stock’s price plummeted, leaving investors defrauded with “significant losses.”
Federal authorities also charged Shalon and his co-conspirators with operating illegal gambling websites, processing payments for criminals selling anything from illegal drugs to malware, and operating an illegal US-based Bitcoin exchange that violated US anti-money laundering laws.
These illegal activities allegedly earned the group hundreds of millions of dollars between 2007 and July 2015, “of which Shalon concealed at least $100 million in Swiss and other bank accounts,” the indictment states.
The trio are believed to have used more than 200 fraudulent identification documents, including 30 fake passports, to control at least 75 shell companies as well as numerous bank and brokerage accounts scattered across the world.
Included in the indictment is a quote of Shalon bragging about his manipulation of the securities markets while chatting with the others, saying that getting Americans to buy US stocks was “like drinking freaking vodka in Russia.”
The three men were charged with 23 counts of hacking, identity theft, securities fraud and money laundering, among countless other charges.