Federal prosecutors called it “the largest theft of financial-related data in history” when they unsealed an indictment against three men at the center of a sprawling hacking criminal enterprise. The men face decades in jail, and one is still at-large.
“The charged crimes showcase a brave new world of hacking for profit,” said Manhattan US Attorney Preet Bharara in a statement on Tuesday. “It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate. This was hacking as a business model.”
The men, two Israelis and an American, hacked the networks of a dozen US financial institutions over an eight-year period and stole customer data from 100 million people, including 80 million from one financial institution alone, according to prosecutors. They manipulated stock prices, processed payments for other criminals and concealed over $100 million in a Swiss bank account and other accounts.
“These three defendants perpetrated one of the largest thefts of financial-related data in history — making off with the sensitive information of literally thousands of hard-working Americans,” said US Attorney General Loretta Lynch in a statement.
Federal officials charged Gery Shalon, 31, an Israeli, who allegedly masterminding the hacks that led to the loss of personal information from US financial institutions.
“At all relevant times, Shalon was the leader and self-described ‘founder’ of a sprawling cybercriminal enterprise that encompassed criminal schemes…operated through hundreds of employees, co-conspirators and infrastructure in over a dozen countries,” said the indictment.
The charges accuse Joshua Aaron, 31, an American, of acting as a co-conspirator in the hacking, and Ziv Orenstein, 40, also an Israeli, of operating an illegal casino and payment processor, as well as controlling shell companies. The 23-count indictment includes charges for computer hacking, wire fraud, unlawful internet gambling and conspiracy to commit money laundering, among others. Each count includes a maximum prison term of anywhere from five to 20 years.
Shalon and Orenstein were arrested in July; Aaron remains at large and is the subject of an FBI “wanted” poster.
Among the allegations are that Shalon and Aaron used their unauthorized access to financial institution networks to artificially manipulate certain US stock prices and market the stocks in order to sell them at high rates and defraud investors, causing them significant losses.
According to prosecutors, Shalon was sure this would work because Americans liked buying stocks. “It’s like drinking freaking vodka in Russia,” he allegedly told an accomplice.
They are also charged with operating illegal gambling websites, an illegal US-based Bitcoin exchange, and processing payments for criminals selling anything from illegal pharmaceuticals to malware. The men are accused of using more than 200 fraudulent identification documents, including 30 false passports, to control at least 75 shell companies, as well as numerous bank and brokerage accounts around the world.
The attorney general alleges that Aaron was a customer of many of the hacked companies and gave his credentials to Shalon, who performed analysis of the companies’ networks. At this time, he placed malware that allowed them to hack data over a period of months.
The 12 victims are identified only numerically, but Reuters reported that they include JP Morgan Chase, ETrade and News Corp, among others.