Three men charged over JP Morgan hacking and fraud

US federal prosecutors have charged three men in connection with a hacking and fraud operation aimed at JP Morgan and other financial sector firms, which was initially attributed to Russian hackers.

Israelis Gery Shalon and Ziv Orenstein are accused alongside US citizen Joshua Samuel Aaron of orchestrating the theft of more than 100 million customer data records from financial institutions, brokerage firms and financial news organisations.

Shalon and Orenstein were arrested by Israeli Police in July 2015 and remain in custody in Israel as prosecutors continue to negotiate their extradition to the US, while Aaron remains at large, with prosecutors declining to confirm or deny whether they know where he is currently hiding, according to a Sophos Naked Security blog post.

The indictment does not provide details of how the hackers broke into JP Morgan and other banks, but said they were able to access a mutual fund in Boston because it was slow in patching for the Heartbleed bug.

US Attorney Preet Bharara said the case highlights “a brave new world” of hacking for profit and that the scheme was so sophisticated that many companies could still be unaware they were targeted.

“It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate. This was hacking as a business model,” he said.

The case also signals the next frontier in securities fraud, said Bharara, with the accused discussing sophisticated hacking to steal non-public information as the next stage of their operation.

“Even the most sophisticated companies – such as those victimised by the hacks in this case – have to appreciate the limits of their ability to uncover the full scope of any cyber-intrusion and to stop the perpetrators before they strike again,” he said.

The indictments show that the cyber attacks were carried out by cyber criminals for financial gain and not Russian hackers for political motives, as was widely suspected when the intrusion were detected.

The three accused are believed to have stolen information from the targeted organisations to manipulate stock prices for profit.

In a variation of the well-known “pump and dump” technique, the hackers used the stolen personal details to promote certain stocks that hackers had bought cheaply. These were then sold at a profit when the stock price rose.

The stolen information was used to get more intelligence on the companies the hackers were targeting to give them additional insight into future stock values.

The three are also accused of running a Bitcoin trading platform to help launder the cash, running illegal online casinos, selling fake antivirus software and selling pharmaceuticals.

According to investigators, the operation employed hundreds of people across 75 shell companies created in a number of countries using fake passports.

These criminal operations enabled the three hackers to amass an alleged haul of $100m in bank accounts in Switzerland, reports the BBC.

JPMorgan said that strong co-operation with law enforcement had been essential in bringing the criminals to justice.

In October 2014, the bank confirmed that the data breach affected up to 76 million households and seven million small businesses.

Information security experts said at the time that the disclosure in a mandatory filing with the US Securities and Exchange Commission shows data is the prime target and that traditional defences are no longer enough.