3 Charged In Hacking Case Against JPMorgan Chase, 11 Other Firms
RENEE MONTAGNE, HOST:
And in other news, the Justice Department believes it's figured out who hacked JPMorgan Chase beginning in 2012, the biggest cyber-attack ever against an American financial institution. Yesterday, prosecutors unsealed an indictment naming three men, two Israelis and one U.S. citizen believed living in Moscow. Here to talk with us more about that is NPR tech reporter Aarti Shahani. Good morning.
AARTI SHAHANI, BYLINE: Good morning.
MONTAGNE: And what exactly are federal prosecutors alleging in the indictment?
SHAHANI: Well, this case is coming out of the Southern District of New York. And prosecutors say that three men are behind the massive breach against JPMorgan, which netted them 83 million customer records, generating hundreds of millions of dollars in illegal profits. The Israelis are Gery Shalon and Ziv Orenstein. Both are in custody in Israel. And the American, Joshua Aaron, is at-large. Using servers overseas, they allegedly also hit 11 other companies. They're very productive people. And we know the names of three - Dow Jones, which publishes The Wall Street Journal, and the online trading firms E-Trade and Scottrade.
MONTAGNE: And one thing that's really interesting is the reason that they allegedly attacked the networks. It would not have been for the reason one might expect - that is, to drain bank accounts or get a bunch of credit card numbers - right?
SHAHANI: Yeah, you know, that's exactly right. Back in July, the defendants were indicted on charges of securities fraud and money laundering. And that's when the two Israelis were taken into custody. They allegedly bought a bunch of penny stocks. They inflated the price, did a bunch of false advertising and then got people to buy the stock. They then sold their shares and pocketed the profits. The big question was, how did they find the buyers anyway? Well, it turns out they got a shortlist of victims, if you can call tens of millions of people a shortlist. They got it by hacking places whose customers are very likely to buy and trade stock. So it was a classic pump-and-dump scheme but on cyber steroids. That's how U.S. attorney Preet Bharara described it.
MONTAGNE: But basically, their scam led them to look for customers at JPMorgan Chase, which finally arrived at this indictment.
SHAHANI: Yeah, that's right. I mean, and it was quite creative, their use of stolen data. And, you know, for me, yesterday's announcement was one of these aha moments. You know, we report on breaches all the time. They keep happening to all sorts of companies and all sorts of data sets. And we're not really sure how hackers are making money off of it. Like, why would anyone want to know my email address? And hey, now we know a reason why.
MONTAGNE: And last year, there were reports that Russia was behind the JPMorgan hack. Now, one of these guys - the American indicted - is actually supposedly living in Moscow. Is there any relationship there?
SHAHANI: You know, I spoke with the Justice Department after yesterday's press conference. And they say, pretty much unequivocally, no. The Russian government had nothing to do with the JPMorgan hack. They think it was basically the two Israelis and the American that were out to steal money the old-fashioned way with some help from tech. So it really looks like some old-school crime.
MONTAGNE: NPR's Aarti Shahani, thanks very much.
SHAHANI: Thank you.