Federal prosecutors have unsealed documents relating to the breach at JPMorgan Chase, revealing that cyber-criminals stole information from more than 83 million customers (as well as data from other companies, like Scottrade and E*Trade), and used that information to carry out a stock-manipulation scheme, credit-card fraud and illegal online casinos.
US prosecutors have unsealed two indictments, in which they described a vast, multi-year criminal enterprise that spanned more than a dozen countries, and targeted at least nine big financial and publishing firms, including JPMorgan Chase, E*Trade, Fidelity Investments, Scottrade Financial and Dow Jones & Co. The indictments revealed that the perpetrators stole some 10 million email addresses from customers of Dow Jones, far bigger of a breach than the 3,500 customers the company said in October could have been compromised.
“From 2012 to mid-2015, the suspects and their co-conspirators successfully manipulated dozens of publicly traded stocks, sent misleading pitches to clients of banks and brokerages whose email addresses they’d stolen, and profited by using trading accounts set up under fake names,” reported Bloomberg.
The ring also “tried to extract nonpublic information from financial corporations, processed payment information for fake pharmaceuticals and fake antivirus software, falsified passports and took control of a New Jersey credit union,” said prosecutors.
About 75 companies and bank and brokerage accounts around the world were allegedly used to launder money, prosecutors wrote, and the ring’s operations network stretched from Israel to the US, including stops in Cyprus, Azerbaijan and Switzerland.
Gery Shalon, Joshua Aaron and Ziv Orenstein were named in the indictment, for a range of offenses that include hacking, securities fraud, wire fraud and identity theft. Shalon and Orenstein were arrested in Israel in July. Aaron remains at large.
“They colluded with corrupt international bank officials who willfully ignored its criminal nature in order to profit from, as a co-conspirator described it to Shalon, their payment processing ‘casino/software/pharmaceutical cocktail’,” according to the indictment.
“The shocking size and reach of this cyber breach underscores the sophistication of today’s cyber-criminal enterprises and shows what security teams across all industries are up against,” said Fortscale CEO Idan Tendler, in an email. “Today’s hackers aren’t necessarily looking for a quick payday. Once the initial data theft is completed, there are countless opportunities for cyber-criminals to conduct targeted campaigns. The key for organizations is to prevent the initial breaches from occurring in the first place. These types of attacks can be prevented, but only through aggressive monitoring of internal networks with a key emphasis on user behavior.”