Three men have been indicted in a huge cyberattack that rocked JPMorgan back in 2014, but according to prosecutors their cybercriminal activities include many more well-known victims.
In what Bloomberg reported as the largest cyber breach ever, two indictments were unsealed Tuesday (Nov. 10) tying three of the four suspects to the previously reported attacks on JPMorgan, E*Trade, Scottrade Financial Services and Dow Jones.
The hackers are being charged with running a criminal enterprise spanning multiple years, which involved stealing the information of more than 100 million customers of at least nine financial and publishing firms. The stolen information was used to drive stock manipulations, illegal online casinos and credit card fraud, Bloomberg said.
The global network of cybercrime reportedly included illegal online casinos and payments that ran from Israel to the U.S., hitting Cyprus, Azerbaijan and Switzerland.
According to prosecutors, the sophisticated operation began as early as 2007 and ran up until this summer. Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein are listed as the defendants in the indictment and have 23 charges brought against them, which include computer hacking, securities fraud, wire fraud and conspiring to commit money laundering.
U.S. authorities arrested Shalon and Orenstein, two Israeli nationals, earlier this year, while Aaron, a U.S. citizen, remains at large.
The cyberthieves laundered the proceeds of their criminal activities through more than 75 different shell companies and brokerages accounts located worldwide, The Wall Street Journal reported, noting that the team allegedly used aliases and over 30 fake passports to control the accounts.
“They colluded with corrupt international bank officials who willfully ignored its criminal nature in order to profit from, as a co-conspirator described it to Shalon, their payment processing ‘casino/software/pharmaceutical cocktail,’” the indictment of the three suspects stated.
In the case of JPMorgan, the suspected hackers were able to walk away with the contact information for nearly 83 million accounts before Chase mitigated the attack before more sensitive bank data like customers’ passwords or Social Security numbers were compromised.