On November 10, federal authorities charged three men with the largest-ever consumer data theft from an American financial institution. The men are charged with a cyberattack on JPMorgan Chase, the biggest bank in the United States. The charges include wire fraud, money laundering, making corrupt payments with intent to influence, and operating an unlicensed money transmitting business.
From 2001 to 2015, the ringleaders of the scheme are thought to have run illegal online gambling sites. During this time, they are thought to have stolen data from other gaming websites. Also, at least one of the men is thought to have run an illegal bitcoin scheme.
Heartbleed Data Schemes
The mining of data from businesses is a recurring pattern, and one which got worse over the years. From 2012 to 2015, the hackers stole data on 100,000,000 people from a variety of different companies. In 2012 and 2013, the men used that stolen data to contact specific victims and sell them stock. It is thought the data theft might have begun as far back as 2007, when it involved stealing data from smaller companies.
They would contact financial institutions, looking for people already making transactions. In 2014, the three men are alleged to have stolen data from 83 million JPMorgan customers. They used the so-called “Heartbleed” vulnerability to hack other companies which did business with JPMorgan. CBSN described the criminal syndicate as “an incredibly advanced scheme.”
Preet Bharara Announces Charges
U.S. Attorney Preet Bharara said in a press conference that these people “allegedly stole personal information from over 100 million Americans, including 83 million customers from one bank alone, the single largest theft of customer data from a U.S. financial institution ever.”
The New York-based attorney said the three men used a massive deception effort to steal the information. According to the Department of Justice investigation, the men used 75 shell companies, 200 identification documents, 30 false passports, and 7 different companies.
Preet Bharara emphasized the revolutionary nature of the data hacks by saying the scheme is “a Brave New World of hacking for profit.”
Details of Those Charged
Two of the men are Israeli citizens and one is an American citizen. They operated out of the United States, Israel, and Russia. Two of the men were arrested in their home country of Israel: Gery Shalon and Ziv Orenstein.
Gery Shalon is said to have been the leader and founder of the group. Ziv Orenstein is said to be Shalon’s chief lieutenant. One of the men, Joshua Samuel Aaron, remains at large. He is thought to be hiding somewhere in Eastern Europe, most likely in Moscow.
JPMorgan Chase Named as Victim 1
It has long been expected that “Victim 1” in the case was JPMorgan Chase, but this week was the first time that officials confirmed its identity. The Justice Department does not name companies, because it wants the companies to come forward early on, which helps them avoid bad publicity.
JPMorgan Chase released a statement praising the Justice Department for its investigation. The financial institution’s spokesman said, “We appreciate the strong partnership with law enforcement in bringing the criminals to justice. As we did here, we continue to cooperate with law enforcement in fighting cybercrime.”
CBSN reported that the New York Stock Exchange is a likely second victim in the case. Also, E-Trade Financial Services Corp. and Scottrade Financial Services Inc. are described as the men’s intended victims in a new scheme, though it is uncertain whether they were hit by a cyberattack before Israeli authorities arrested the men. Shalon and Orenstein are being held in Israel, while U.S. authorities want them extradited.
The Affactive Group and The Revenue Jet Group
Besides the various scams on investors, Ziv Orenstein and Gery Shalon are thought to have operated “pump and dump” penny stock schemes since 2001. The men would artificially inflate the price of penny stocks, then dump them on the market to make a big profit.
They also operated 13 online gambling websites under the aegis of companies like Affactive Group and Revenue Jet Group. In the 48 hours after the men were arrested last summer, affiliates for those 13 websites began to discuss how their accounts had been frozen. They had no idea the men behind the Affactive Group were the men who carried out a cyberattack on JPMorgan Chase.