The U.S. Justice Department announced on Nov. 10 the indictment of four hackers involved in the breach of “one of the world’s largest financial institutions” along with a string of large financial service companies and at least two financial news publishers. JPMorgan, Scottrade, and Wall Street Journal publications were among the targets of the criminal ring. According to the indictment, between 2007 and 2015 the ring had “earned hundreds of millions of dollars in illicit proceeds.”
When the Justice Department unsealed the indictment the U.S. attorney’s office laid out the case, which includes more than 23 criminal counts, several of which carry maximum prison terms of 20 years. It described “a sprawling criminal enterprise that includes at least 75 shell companies to launder money and the use of multiple fake identities.” The charges included securities fraud and a range of other crimes that involved hundreds of employees and accomplices.
“By any measure, the data breaches at these firms were breathtaking in scope and in size. The charged crimes showcase a brave new world of hacking for profit,” Manhattan U.S. Attorney Preet Bharara said at the afternoon press conference on Nov. 10. “It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate. This was hacking as a business model.”
Nov. 10’s indictment focuses on Gery Shalon, Joshua Samuel Aaron, and Ziv Orenstein. A separate indictment was unsealed against Anthony Murgio, who is also linked to the JPMorgan hack. The cases against the four hackers give an overview of how some of the attacks were conducted, including the use of social engineering and the exploitation of the Heartbleed vulnerability in the systems of some of the world’s largest financial service corporations.
Shalon is named as the ring’s core hacker, responsible for probing the targeted networks for vulnerabilities and installing malware to expand the group’s access. A statement issued by Preet Bharara said, “Through their criminal schemes, between in or about 2007 and in or about July 2015, Shalon and his co-conspirators earned hundreds of millions of dollars in illicit proceeds, of which Shalon concealed at least $100 million in Swiss and other bank accounts.”
The group used servers in Egypt, the Czech Republic, South Africa, and Brazil to run their attacks and to serve as a clearinghouse for the stolen data. The alleged activities included pumping up stock prices, running online casinos, processing payments for criminals, operating an illegal bitcoin exchange, and laundering money through at least 75 shell companies and accounts around the world. The case against the ring was first announced in July and, according to U.S. Attorney General Loretta Lynch, concerns “one of the largest thefts of financial-related data in history.”
KrebsonSecurity added more information about the indictment: “According to the Justice Department, between approximately 2007 and July 2015, Shalon owned and operated unlawful internet gambling businesses in the United States and abroad, and that he owned and operated multinational payment processors for illegal pharmaceutical suppliers, counterfeit and malicious software (“malware”) distributors.
“The government further alleges that Shalon owned and controlled Coin.mx, an illegal United States-based Bitcoin exchange that operated in violation of federal anti-money laundering laws.” The indictment against Shalon et al. is available here (PDF). Murgio’s indictment is here (PDF).
The indictment against Shalon, Aaron and an unnamed defendant confirmed that the brokerages E*Trade Financial Corp. and Scottrade Inc. were targets and that the personal information of more than 10 million customers was compromised. Prosecutors said the ring’s activities exposed personal information belonging to more than 100 million people in total. They reassured the public that only names, addresses and email addresses were accessed, and that account information, passwords and Social Security numbers were not compromised.