• United States



Senior Staff Writer

Three indicted in JPMorgan hacking case

Nov 10, 20152 mins
CybercrimeData BreachVulnerabilities

Expanded charges link three men to JPMorgan hack, as well as other incidents

On Tuesday, Manhattan US Attorney Preet Bharara’s office unsealed an indictment against three individuals charged with hacking several financial institutions, financial news publishers, and other companies.

In a statement to Reuters, JPMorgan confirmed that the recently unsealed indictment is connected to last year’s hack, which impacted 83 million households.

Monday’s indictment focuses on Gery Shalon, Joshua Samuel Aaron, and Ziv Orenstein.

In court documents shared with CSO Online, the prosecutors say that between 2012 and 2015, the three pulled off “the largest theft of customer data from a U.S. financial institution in history” by stealing the personal information of more than 100 million people.

The three men were first named earlier this year in an indictment related to stock and trading fraud. In addition to JPMorgan, the group targeted eleven other companies, though the twenty-three count indictment doesn’t name the victims.

The indictment overviews how the some of the attacks were conducted, which included social engineering and exploitation of the Heartbleed vulnerability against “one of the world’s largest financial services corporations” based in Boston, Massachusetts.

Using a mix of legitimate access provided to customers by the victims, the indictment names Shalon as the core criminal hacker of the group. Court documents say he was responsible for probing the targeted networks vulnerabilities and installing malware to gain additional access.

Data taken from one victim would be used in attacks against the other victims, including securities market manipulation. Later, the indictment says the group considered targeting email accounts owned by top executives and power traders for insider information, because “they have some interesting info in their mail.”

The group leveraged servers in Egypt, the Czech Republic, South Africa, and Brazil to run their financial attacks and serve as a clearinghouse for their stolen data.

Based on the charges, each of the three men indicted will face decades behind bars if convicted. In a related case, a separate indictment was unsealed against Anthony Murgio on Tuesday, who is also linked to the JPMorgan hack.

The Manhattan US Attorney is expected to release additional details later this afternoon.