Canadian Underwriter
News

U.S. Department of Justice lays charges in connection with largest-ever theft of customer data from a U.S. financial institution


November 11, 2015   by Canadian Underwriter


Print this page Share

The United States Department of Justice announced on Tuesday that three men have been charged in connection with the JPMorgan Chase & Co. cyberattack last year.

FILE - This Monday, July 13, 2015 file photo shows a Chase Bank office tower in New York's financial center. JPMorgan reports quarterly financial results on Tuesday, Oct. 13, 2015. (AP Photo/Mark Lennihan, File)

Loretta E. Lynch, the Attorney General of the United States and Preet Bharara, the United States Attorney for the Southern District of New York, along with officials from the Federal Bureau of Investigation and the US Secret Service, announced the indictments. Gery Shalon, 31, has been charged with “orchestrating massive computer hacking crimes against U.S. financial institutions, brokerage firms, and financial news publishers, including the largest theft of customer data from a U.S. financial institution in history,” the Department of Justice said in a press release.

Shalon is charged with committing these crimes with Joshua Aaron, 31, “in furtherance of securities market manipulation schemes” that both perpetrated with Ziv Orenstein, 40, in the U.S. Shalon is also alleged to have orchestrated computer network hacks and cyberattacks in furtherance of other criminal schemes, including unlawful Internet casinos and illicit payment processors which Shalon operated with Orenstein. Shalon owned and controlled an illegal U.S.-based Bitcoin exchange known as Coin.mx, the release said.

Both Shalon and Orenstein were arrested in July in Israel and they remain in custody there pending extradition. Aaron remains at large. Another person, Anthony Murgio, 31, who was also arrested in July, has been charged with operating Coin.mx and other related crimes.

Related: FBI says it’s investigating reports of cyberattacks against U.S. financial institutions

According to the indictment, from approximately 2012 to mid-2015, Shalon, working with Aaron and others, stole the personal information of more than 100 million customers of the victim companies, including more than 80 million customers from JPMorgan, making it the largest theft of customer data from a U.S. financial institution in history. It is alleged that Shalon, Aaron and their co-conspirators engaged in these crimes to “artificially manipulate the price of certain stocks publicly traded in the United States” and to market the stocks to customers of the victim companies whose contact information they had stolen in the intrusions.

“We have exposed a cybercriminal enterprise that for years successfully and secretly hacked into the networks of a dozen companies, allegedly stealing personal information of over 100 million people, including over 80 million customers from one financial institution alone,” Bharara said in the release. “The charged crimes showcase a brave new world of hacking for profit. It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate. Fueled by their hacking, the defendants’ criminal schemes allegedly generated hundreds of millions of dollars in illicit proceeds.”

Related: JPMorgan data breach adds to concern over security of consumer data at banks, retailers

In addition to directing the financial sector hacks, Shalon directed computer network hacks and cyberattacks against numerous companies outside of the financial sector, the indictment said. In particular, between approximately 2007 and July 2015, Shalon owned and operated at least 12 unlawful Internet gambling businesses in the U.S. and abroad; owned and operated multinational payment processors for illegal pharmaceutical suppliers, counterfeit and malicious software distributors, and unlawful internet casinos; and owned and controlled Coin.mx, an illegal Bitcoin exchange that operated in violation of federal anti-money laundering laws.

Through their criminal schemes, Shalon and his co-conspirators earned hundreds of millions of dollars in illicit proceeds, of which Shalon concealed at least US$100 million in Swiss and other bank accounts, the indictment said.

Shalon, Aaron and Orenstein have been charged with 23 counts, including, among others, computer hacking, securities fraud, wire fraud, identification document fraud conspiracy, aggravated identity theft, Unlawful Internet Gambling Enforcement Act conspiracy, operation of an illegal gambling business and money laundering conspiracy. Murgio faces seven charges, including some of the above, operation of an unlicensed money transmitting business and making corrupt payments with intent to influence an officer of a financial institution, among others.

<script async src=”//platform.twitter.com/widgets.js” charset=”utf-8″></script>