Two men being held in Israel after their arrests in July, and a U.S. citizen believed to be hiding out in Moscow have been charged with stealing the contact details of up to 100 million customers of banking giant JPMorgan Chase & Co. and others in the largest illegal data harvest known to date by cyber-attack.
Named in the indictment were Ziv Orenstein and Gery Shalon, who were earlier arrested in Israel and held without bond. The other defendant who is still at large is an American, Joshua Aaron who normally resides in Tel Aviv and Moscow.
Beginning in 2012 and ending with the arrests this summer, the trio may have stolen details such as names, phone numbers, emails, and physical addresses of as many 83 million JPMorgan Chase customers – the largest bank in the U.S. by deposits.
The theft was described by U.S. Attorney for the District of New York, Preet Bharara as “the single largest theft of customer data from a U.S. financial institution ever.”
According to an indictment unsealed in Manhattan federal court this afternoon, one or more of the defendants also engaged in securities market manipulations called “pump and dump” schemes where they would purchase worthless stocks, trade in them to increase the prices, then using the stolen data, contact unwitting victims to sell the inflated instruments to them.
At least a dozen internet casinos including Slots Jungle and Win Palace were also allegedly owned and operated by the men and used to funnel cash outside of financial controls. The casino websites shutdown the day the arrests were announced in July.
The indictment alleges that other cyber attacks and computer hacks were part of a scheme to steal online casino competitor’s customer databases or to covertly spy on executive’s emails in an effort to gain an unfair advantage over their rivals.
In the pump and dump scheme, Shalon, Aaron and Orenstein allegedly “manipulated trading” in a particularly publicly traded stock. Huffington Post reports that Sharon is accused of saying, “We buy [stocks] very cheap, perform machinations, then play with them.”
Authorities are saying that the trio used around 200 false identity documents, including passports from the United States and 16 other countries. They laundered their ill gotten gains through some 75 shell companies and bank accounts around the world.
The charges announced today include conspiracy, computer hacking, and security fraud.
Another indictment was also unsealed today that charges Aaron, Shalon, and a third unidentified person in a scheme to hack Scottrade Financial Services Inc. and E-Trade Financial Services Corp. in an attempt to steal the customer databases and start their own securities brokerage. U.S. Attorney John Horn in Atlanta said contact details for more than 10 million Scottrade and E-Trade clients were compromised in the attack which occurred in 2013.
Charges for securities manipulation were announced in July but today’s indictment is the first public statement charging the men with hacking.