Charges Announced in J.P. Morgan Hacking Case

In one of the biggest cybercrimes in history, federal prosecutors say, three men stole data on more than 100 million people from a dozen companies' computers and used a vast global network of accomplices to turn it into hundreds of millions of dollars in illegal profits.

Source: WSJ - Nicole Hong | Published on November 11, 2015

Indictments unsealed Tuesday in Manhattan and Atlanta accused the men and hundreds of their accomplices of carrying out last year's big data breach at J.P. Morgan Chase & Co. and a host of other crimes around the world, involving computer networks in South Africa and Brazil, money laundered through Cyprus and illegal credit-card payments processed in Azerbaijan.

Manhattan U.S. Attorney Preet Bharara on Tuesday said this "diversified criminal conglomerate" was "breathtaking" in the size and scope of its hacking.

The indictments allege the three defendants and their associates hacked into banks and other companies to obtain customer information that they later used in a pump-and-dump stock scheme. Meanwhile, the computer-hacking operation made possible a network of other criminal activity, including illegal Internet casinos, a payment processing service for other criminals and an unlicensed bitcoin exchange, prosecutors alleged.

Among the most lucrative was a pump-and-dump scheme, where the men would artificially inflate prices of penny stocks and then trick investors into buying them by sending spam to the email addresses they had stolen during the hacks. To further the scheme, the defendants sometimes engineered mergers with shell companies to create publicly traded stocks that could be manipulated, prosecutors said.

The mastermind of the enterprise, prosecutors allege, was Gery Shalon, a 31-year-old Israeli citizen and resident. The indictment described moments where he bragged about the success of his schemes, including the pump-and-dump one, which he allegedly called "a small step towards a large empire."

When asked by a co-conspirator whether buying stocks in America was popular, Mr. Shalon allegedly responded: "It's like drinking freaking vodka in Russia."

One of the biggest breaches occurred last year when hackers broke into J.P. Morgan's networks and made off with the contact information of more than 83 million customers.

Although a criminal complaint had already been filed against the defendants earlier this year, Tuesday's indictments were the first time officials named the suspected hackers and linked them publicly to the J.P. Morgan hack.

In total, the men are accused of breaching 11 other companies, spanning online brokerages to software-development companies. The companies included Dow Jones & Co., the parent company of The Wall Street Journal. Ashley Huston, a spokeswoman for Dow Jones, said: "The indictment unsealed today refers to the public disclosure we made on Oct. 9. The government's investigation is ongoing, and we continue to cooperate with law enforcement."

The schemes allowed Mr. Shalon and his accomplices to turn stolen information into hundreds of millions of dollars, including at least $100 million hidden in his Swiss and other bank accounts, prosecutors said.

In addition to Mr. Shalon, prosecutors filed expanded charges against 40-year-old Ziv Orenstein, also an Israeli citizen, and 31-year-old Joshua Aaron, a U.S. citizen living in Moscow. The three face 23 criminal counts, including wire fraud, computer hacking and money laundering, which carry decades in prison if convicted.

Mr. Orenstein and Mr. Shalon were arrested this summer in Israel and are awaiting extradition to the U.S. Mr. Aaron remains a fugitive. Lawyers for Messrs. Shalon and Orenstein in Israel didn't comment, and an attorney representing Mr. Orenstein in the U.S. wasn't immediately available for comment. Neither Mr. Aaron nor his lawyer could be reached.

The breach of J.P. Morgan, described as "Victim 1" in one of the indictments, made use of a computer server based in Egypt that had been rented under an alias from a third-party company, prosecutors said, adding that the rental was abruptly canceled the day after the J.P. Morgan hack was first reported in the media in August 2014.

A J.P. Morgan spokeswoman said the bank has joined with law enforcement "in bringing the criminals to justice," and it continues to cooperate with them on cybercrime.

The investigation into the three men began when J.P. Morgan came forward "early on" to share information with the government, prosecutors said. That led investigators to uncover a broader network of criminal activity with computer hacking at its center. They built their case partly with the help of two cooperating witnesses, described in the indictment as "promoters" who identified companies for the defendants to target in the pump-and-dump scheme.

Another person allegedly involved with Mr. Shalon's schemes was Anthony Murgio, 31, who had been charged earlier this year for running an unlicensed bitcoin exchange and was slapped with new conspiracy and wire-fraud charges on Tuesday. Mr. Shalon owned the exchange, prosecutors alleged, and used it to charge customers a fee for exchanging cash to bitcoin, a digital currency. Mr. Murgio's lawyer didn't respond to a request for comment.

A separate but related indictment unsealed on Tuesday by the Atlanta U.S. attorney's office detailed how Mr. Shalon, Mr. Aaron and a third unnamed defendant hacked into E*Trade Financial Corp. and Scottrade Inc. to steal customer data. The unnamed defendant is described as a computer hacker believed to have resided in Russia.

At one point, the defendants discussed stealing nonpublic information, with an unnamed co-conspirator telling Mr. Shalon that top managers in one of the companies may have "some interesting info" in their email. "It's a big company after all. [Maybe] they have some secrets."

Mr. Shalon responded: "Yes, this is a very cool idea."

The company, identified in the indictment as Victim 5, is Scottrade. A Scottrade spokeswoman said the company was continuing to work closely with the authorities. An E*Trade representative said the company is continuing to focus "significant time and energy" to keep customer data safe.

Prosecutors said the case shows how much companies struggle to keep up with savvy cybercriminals. The defendants are also accused of processing payments for other criminals, including illegal pharmaceutical distributors and software counterfeiters.

In addition to disguising payments and constantly obtaining new bank accounts, the men tried to evade detection by hacking into a company that assessed merchant risk for credit-card issuers, starting in 2012. The breach allowed the defendants to read employees' emails and figure out how to sidestep the company's efforts to monitor illegal payments, according to the indictment.

Mr. Shalon discussed the risk of law-enforcement detection of their activities with an accomplice who said, "[in] Israel, you guys probably don't have to be afraid of the USA. . . meaning that even if there is some case, they won't be able to do anything?" Mr. Shalon responded that there was "nothing to be afraid of in Israel," though he later said he would get a passport in another name.

Prosecutors have also accused the defendants of operating at least 12 illegal Internet casinos around the world, including in the U.S. The men allegedly launched cyberattacks against rival gambling businesses to secretly review their executives' emails and gain a competitive edge, according to the indictment.

Mr. Shalon orchestrated hacks into his competitors' customer databases and directed denial-of-service attacks to temporarily shut down their businesses, prosecutors said.