Data Breach

Charges Announced in JPMorgan Chase Hack

Prosecutors Claim 12 Organizations Hit by Same Group
Charges Announced in JPMorgan Chase Hack

U.S. authorities have indicted three men for their alleged involvement in a massive cyberattack scheme that affected JPMorgan Chase and 11 other U.S. banks and financial services corporations from 2012 until mid-2015.

See Also: Achieving Advanced Threat Resilience: Best Practices for Protection, Detection and Correction

In the indictment, unsealed Nov. 10, federal prosecutors say the scheme involved the "the largest theft of customer data from a U.S. financial institution in history."

JPMorgan Chase confirms that some of the charges noted in this new indictment are related to Chase's 2014 cyberattack, Chase spokeswoman Patricia Wexler notes in a statement provided to Information Security Media Group. She says Chase wants to make it clear that news about the indictment is not related to a new breach, and that the only consumer data that was breached back in 2014 was contact information.

"We appreciate the strong partnership with law enforcement in bringing the criminals to justice," Wexler says. "As we did here, we continue to cooperate with law enforcement in fighting cybercrime."

The attack against JP Morgan Chase exposed contact information for about 76 million households and 7 million small businesses.

The indictment says 12 unnamed U.S.-based entities were attacked, noting that financial services firms based in New York; Boston; St. Louis, Omaha, Neb.; St. Louis; Charlotte, N.C., and elsewhere were impacted.

The defendants are allegedly responsible for network intrusions that led to the theft of personal information about more than 100 million customers of these companies, the indictment states.

The Wall Street Journal reports that in addition to JPMorgan Chase, other victims include, among others, Dow Jones & Co., which is the parent company of the newspaper, as well as E*Trade Financial Corp. and Scott Trade. Other news reports note possible connections to Fidelity Investments Ltd. and Bank of America.

Of the other institutions allegedly attacked by the same group that targeted Chase, only Fidelity responded to ISMG's request for comment. Fidelity spokesman Adam Banker says that despite of news reports claiming a connection, there is no indication that any of Fidelity's systems were affected by the cyberattack linked to Chase. "Through our ongoing partnership with law enforcement officials to strengthen cybersecurity industrywide, we have confirmed with the FBI that there is no indication that our customers were affected," he says.

The Charges

Gery Shalon, an Israeli citizen and self-proclaimed founder of the cybercrime enterprise; Joshua Samuel Aaron, a U.S. citizen who allegedly hacked U.S. banks and manipulated securities markets; and Ziv Orenstein, a citizen of Israel who allegedly opened bank and brokerage accounts using aliases and shell companies to manage payments for co-conspirators, were named in one indictment issued by a grand jury in the Southern District of New York. The indictment lists 23 charges, including computer hacking, wire fraud, securities fraud and operation of an unlicensed money-transmitting business. Shalon and Orenstein were arrested in Israel in July.

The three were named in another 11-count indictment, announced in July, in which they were charged with orchestrating a scheme to manipulate the price and volume of traded shares by deception and misleading email campaigns, as well as manipulative and prearranged stock trading (see Report: Spammers Tied To JPMorgan Chase Hack). The three allegedly "dumped" their stocks, making at least $2.8 million in profits, according to the indictment.

The defendants allegedly viewed privileged communications shared among executives at the companies they hacked and used customer information they stole to perpetrate their securities fraud scheme. The latest indictment claims Shalon's crew took steps to artificially inflate stock prices and then contacted customers with spam emails to trick them into buying the stocks before the defendants sold their shares for a profit.

Second Indictment

A separate indictment revealed this week charges Anthony Murgio, a U.S. citizen, with operating an unlicensed Bitcoin exchange service known as Coin.mx that was used to illegally move money out of the country. Murgio's indictment does not mention any connection to Shalon's operation. But in the indictment against Shalon, federal prosecutors claim that from April 2013 until July 2015 Shalon directed and controlled all or part of Murgio's Bitcoin business.

In a Nov. 10 statement issued by the U.S. Attorney's Office for the Southern District of New York, Shalon is named as an owner of Coin.mx.

"Today, we have exposed a cybercriminal enterprise that for years successfully and secretly hacked into the networks of a dozen companies, allegedly stealing personal information of over 100 million people, including over 80 million customers from one financial institution alone," says Manhattan U.S. Attorney Preet Bharara in the statement.

"This was hacking as a business model. The alleged conduct also signals the next frontier in securities fraud - sophisticated hacking to steal nonpublic information, something the defendants discussed for the next stage of their sprawling enterprise. Fueled by their hacking, the defendants' criminal schemes allegedly generated hundreds of millions of dollars in illicit proceeds. Even the most sophisticated companies - like those victimized by the hacks in this case - have to appreciate the limits of their ability to uncover the full scope of any cyber-intrusion and to stop the perpetrators before they strike again. If they have been hacked, most likely others have been as well, and even more will be."

Tim Erlin, director of IT security and risk strategy for security firm Tripwire, says the case reiterates why sharing threat intelligence with law enforcement is so critical for banks. "While we tend to focus on the technical tools to prevent these types of cyberattacks, these indictments are a good reminder that partnership with law enforcement can provide more traditional tools for fighting cybercrime," he says. "Hopefully we'll hear more about how JPMorgan was able to partner with law enforcement. This type of information sharing can be educational for others in the industry and result in better preparation and cooperation. "

Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro, says informants likely played a role in the investigation. "These breaches were historic, as they utilized the market data against the market," he says. "The fraud was directly related to front-running, and the monies were laundered via compromised corporate accounts. This speaks to the financial acumen of cybercriminals. ... I firmly believe a viable confidential informant tipped the scales."


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network