NEW YORK • Billing it as the largest hacking case uncovered, federal prosecutors in Manhattan described a global, multi-year scheme to steal information on 100 million customers of a dozen companies in the United States and use the data to advance stock manipulation activities, illicit online gambling and fraud.
Prosecutors said on Tuesday that they uncovered the complex scheme in their investigation of a computer hacking last year at JPMorgan Chase & Co, which involved a breach of contact information, such as e-mails, from 83 million customer accounts.
Before long, investigators had uncovered a trail of 75 shell companies and a hacking scheme in which the three defendants used 30 false passports from 17 different countries. The group's activity goes back as far as 2007. It has reaped "hundreds of millions of dollars in illicit proceeds", some of it hidden in Swiss accounts and other bank accounts, prosecutors said.
The data breaches "were breathtaking in their scope and size", said Mr Preet Bharara, the US attorney for the Southern District of New York, at a news conference on Tuesday.
The activity unveiled the existence of "a brave new world of hacking for profit", perhaps signalling the next frontier in securities fraud.
The accused - two Israeli citizens and a US citizen - face 23 counts of fraud and other illegal activities, according to an indictment unsealed on Tuesday, which added hacking to manipulation and fraud charges that were filed against the trio in July. The charges are the first directly linked to the JPMorgan hacking case.
Two of the accused, Gery Shalon and Ziv Orenstein, remain in custody awaiting extradition from Israel after being arrested in July. A third defendant, Joshua Aaron, the American, is believed to be in Russia.
Shalon was described by prosecutors as the founder and leader of the sprawling criminal enterprise, which hacked seven financial institutions and two newspapers to get contact information with which it could advance the pump-and-dump stock manipulation scheme. It "took the classic stock fraud scheme and brought it into the cyber age", Mr Bharara said.
Prosecutors said the group was involved in a broad array of activities, including processing payments for illegal pharmaceutical suppliers, running illegal online casinos and owning an unlicensed bitcoin exchange.
According to the indictment, the trio used a rented computer server based in Egypt to try hacking into customer databases at the brokerage firms TD Ameritrade and Fidelity Investments, as well as JPMorgan. The ring also gained access to a computer network at Dow Jones, publisher of The Wall Street Journal, containing up to 10 million customer e-mail addresses, prosecutors said.
Separately, federal prosecutors in Atlanta on Tuesday announced charges against Shalon, Aaron and an unnamed defendant in the late-2013 attacks on E-Trade Financial and also Scottrade Financial Services, both major online brokers. The 10 charges include aggravated identity theft, computer fraud and wire fraud.
Prosecutors in Atlanta said they uncovered online chats in which Shalon and an unnamed hacker discussed their plans to use stolen customer contact information to build their own brokerage database for peddling stocks to potential investors.
The New York indictment also charges the three men with hacking two software development firms to obtain information to advance their online gambling activities. They also allegedly targeted a market intelligence firm to support their card-processing activities.
The men operated at least 12 unlawful Internet casinos and marketed them to customers in the US through extensive e-mail promotions. The casinos generated "hundreds of millions of dollars in unlawful income", prosecutors said, at least US$1 million (S$1.4 million) in profits a month.
NEW YORK TIMES
