Describing a sprawling criminal enterprise that includes at least 75 shell companies and the use of multiple fake identities, the Justice Department has indicted four men for hacking, securities fraud and a range of other crimes that involved hundreds of employees and accomplices.
Investigators say they believe the group "generated hundreds of millions of dollars in illicit proceeds."
The group's ringleader was Gery Shalon, according to the U.S. attorney's office for the Southern District of New York, which adds that Shalon used multiple aliases, from Garri Shalelashvili to Phillipe Mousset and Christopher Engeham.
Saying that the criminal ring stole the personal information of more than 100 million people, the federal indictment says that the targeted companies include "one of the world's largest financial institutions," along with a string of large financial services companies and at least two financial news publishers.
At an afternoon news conference to discuss what it calls the "largest U.S. bank breach ever," the U.S. attorney's office laid out the case, which includes more than 23 criminal counts — several of which carry maximum prison terms of 20 years.
"The charged crimes showcase a brave new world of hacking for profit," Manhattan U.S. Attorney Preet Bharara said. "It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate. This was hacking as a business model."
The U.S. documents don't name the entities that were hacked, identifying them only by headquarter location and other details. According to Bloomberg News and other news outlets, the victims include JPMorgan Chase, which announced last October that it had been hacked. Bloomberg says other affected companies include ETrade, Scottrade, and Dow Jones and Co.
NPR's Aarti Shahani reports:
"Shalon and his co-conspirators allegedly procured servers in Egypt, the Czech Republic, South Africa, Brazil and other countries. And they then used those networks as a launchpad to attack some of the largest financial firms based in the U.S.
"The indictment charges that the defendants hacked networks, stole customer contact information, and then marketed stocks deceptively to these unsuspecting people, making tens of millions of dollars.
"Shalon also allegedly ran an Internet gambling business, distribution centers for malicious software, and an illegal Bitcoin exchange."
Aarti adds that a Justice Department spokesperson says the hack did not involve Russians — something that was suggested by some reports about the large banking hack last October.
Two of the suspects, Shalon and Ziv Orenstein, are Israelis who were arrested in their home country this summer; the U.S. then sought their extradition. The third suspect is Joshua Samuel Aaron, an American who lived in Tel Aviv, Moscow, and the U.S. during the alleged crimes and who now remains at large.
The Justice Department says that to carry out their crimes, Shalon, Aaron and Orenstein and their co-conspirators used "false approximately 200 purported identification documents, including over 30 false passports that purported to be issued by the United States and at least 16 other countries."
The fourth defendant, Anthony Murgio, is from Tampa, Fla.; he was arrested in July on charges that he laundered millions of dollars.
Murgio, 31, is charged in a separate indictment related to the Bitcoin exchange called Coin.mx, in a scheme that involved "a phony front-company, 'Collectables Club' [sic]," that was supposedly a members-only group, according to the indictment.