Two Israeli citizens, arrested in Israel in July 2015 and extradited to the US this week pleaded guilty Thursday to orchestrating a computer hacking and fraud scheme that included, but was not limited to, the theft of personal information on 83 million customers from JPMorgan.
Gary Shalon and Ziv Orenstein entered their pleas in Manhattan federal court. A third defendant, Joshua Aaron, was not present.
Prosecutors said that the current whereabouts of Aaron is unknown, although the Wall Street Journal has suggested, “Mr. Aaron, a U.S. citizen, has since been arrested in Russia and is expected to be brought to the U.S., according to people familiar with the matter.” WSJ is one of 12 companies allegedly targeted by the defendants.
The best known of the attacks was against JPMorgan, which announced in October 2014 that it had been breached with the loss of personal information on 76 million household customers and seven million businesses. In all, more than 100 million people’s personal information was stolen by the gang allegedly led by the defendants. At the time, JPMorgan thought there may have been Russian government involvement.
This data was used to further other illegal practices, including pump & dump emails scams, online casinos and the operation of an unlicensed money laundering bitcoin exchange. The charges brought in New York carry possible prison sentences of between two and 20 years each.
A separate but related indictment unveiled in Atlanta against Shalon, and Aaron claims that the brokerages E*Trade and Scottrade were also targeted; and that the information of 10 million customers was compromised.
At the time of the arrests in Israel, Anthony Murgio and Yuri Lebedev were arrested and charged in New York for operating the Coin.mx bitcoin exchange, and using it to launder bitcoin proceeds from ransomware. The FBI released a statement that said, “In doing so, Murgio, and his co-conspirators knowingly enabled the criminals responsible for those attacks to receive the proceeds of their crimes, yet, in violation of federal anti-money laundering laws, Murgio never filed any suspicious activity reports regarding any of the transactions.”
Although these are separate indictments, it is generally considered that they are related. Murgio and Aaron were apparently friends at Florida State university. Both made frequent trips to Russia, and it has been suggested that there was involvement with the Russian underground. It may have been this Russian connection that led JPMorgan to initially link its breach with the Russian government.