Two Israelis and an American with ties to Russia have been charged in connection with an alleged hacking scheme against 10 financial institutions, news organisations and other companies, including JPMorgan Chase, Fidelity Investments and the Wall Street Journal .
The three men are alleged to have the stolen personal information and data of more than 100m people, in the largest hack of a US financial institution, which JPMorgan disclosed had occurred at last year.
The indictments brought by the US attorney Preet Bharara’s office in Manhattan come as US prosecutors attempt to hold hackers accountable for a marked increase in breaches of retailers, banks and other companies.
Mr Bharara said that the alleged enterprise was “breathtaking in size and in scope” and heralded a new era of sustained hacking in support of a “diversified conglomerate”.
“[It is] a brave new world in hacking for profit,” he said. “It is hacking as a business model.”
Gery Shalon and Ziv Orenstein of Israel were arrested there in July in a related case brought by Mr Bharara’s office and prosecutors are seeking their extradition. US citizen Joshua Samuel Aaron, who has lived in Moscow and Tel Aviv, is still at large.
Mr Shalon is alleged to be the leader of what prosecutors called a “sprawling cybercriminal enterprise” that employed hundreds of people and operated in more than a dozen countries.
Mr Shalon and Mr Orenstein do not have US counsel and could not be reached for comment. Mr Aaron also could not be reached for comment.
Mr Orenstein was Mr Shalon’s deputy, while Mr Aaron is accused of hacking and manipulating the market, according to the indictment.
The hacks, which were perpetrated from 2012 to mid-2015, were conducted to aid their stock manipulation schemes that generated tens of millions of dollars in proceeds, prosecutors said.
As part of that effort, the suspects sought to market the stocks they were allegedly manipulating to customers of the companies they had hacked.
They also launched cyber attacks to help them process payments for illegal drug suppliers, counterfeit software, malware distributors, illegal online casinos and an illegal bitcoin exchange known as Coin.mx.
Mr Shalon told an unnamed co-conspirator that his manipulative trading in the US was “a small step towards a larger empire” and said that getting clients of hacked companies to buy stock was “like drinking freaking vodka in Russia”, according to the indictment.
Last year, a breach discovered at JPMorgan exposed contact information for at least 76m US households. The bank said no bank account information was taken during the breach.
“We appreciate the strong partnership with law enforcement in bringing the criminals to justice,” the bank said in a statement. “As we did here, we continue to co-operate with law enforcement in fighting cyber crime.”
The month of October saw a wave of hacking disclosures from financial institutions.
In that month, retail brokerage firm Scottrade said hackers stole contact information for 4.6m customers between late 2013 and early 2014. ETrade also last month notified about 31,000 customers that their personal information may have been affected in a hack in late 2013. Around the same time, Dow Jones said it was working with law enforcement agencies after discovering a breach that affected 3,500 customers.
An unnamed victim — listed as one of the world’s largest financial service companies based in Boston — is believed to be Fidelity Investments, according to people familiar with the case.
A spokesman for Fidelity said there was no indication that any information regarding customer accounts was affected in the breaches.
“We take security very seriously and closely monitor the online environment,” the spokesman said. “Fidelity has an extensive range of safeguards and multiple layers of security in place to protect customer accounts and customer information.”
In July, Messrs Shalon and Orenstein were arrested in relation to allegations they artificially pumped up the value of shares in tiny companies to later sell and make a profit.
They also face civil charges by the Securities and Exchange Commission.