Three indicted in largest theft of customer data from a U.S. financial institution in history
On Tuesday, federal prosecutors unsealed a superseding indictment charging Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein with orchestrating massive computer hacking crimes against U.S. financial institutions, brokerage firms and financial news publishers.
As alleged, Shalon also orchestrated computer network hacks and cyberattacks in furtherance of other major criminal schemes, including unlawful internet casinos and illicit payment processors which Shalon operated with Orenstein.
Shalon also owned and controlled an illegal U.S.-based Bitcoin exchange known as Coin.mx. Shalon and Orenstein were arrested in July 2015 by the Israel Police on an indictment that charged the underlying securities fraud, and they remain in custody in Israel pending extradition on those charges.
The U.S. Attorney’s Office will seek their extradition to stand trial in the United States. Aaron remains at large. Also announced today is the unsealing of a separate indictment charging Anthony R. Murgio with operating Coin.mx in the United States, and related crimes.
“The charged crimes showcase a brave new world of hacking for profit. It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate. This was hacking as a business model. The alleged conduct also signals the next frontier in securities fraud – sophisticated hacking to steal nonpublic information, something the defendants discussed for the next stage of their sprawling enterprise. Fueled by their hacking, the defendants’ criminal schemes allegedly generated hundreds of millions of dollars in illicit proceeds. Even the most sophisticated companies – like those victimized by the hacks in this case – have to appreciate the limits of their ability to uncover the full scope of any cyber-intrusion and to stop the perpetrators before they strike again. If they have been hacked, most likely others have been as well, and even more will be. The best bet to identify, stop and punish cybercriminals is to work closely, and early, with law enforcement. That happened here, and today’s charges are proof of that,” said U.S. Attorney Bharara.
According to the allegations contained in the superseding indictment:
From approximately 2012 to mid-2015, Shalon, working with Aaron and others, orchestrated the U.S. Financial Sector Hacks, stealing personal information of over 100 million customers of the victim companies. Among these, their network intrusion at one bank (Victim-1) resulted in the theft of personal information of over 80 million Victim-1 customers, making it the largest theft of customer data from a U.S. financial institution in history. Shalon, Aaron and their co-conspirators engaged in these crimes in furtherance of other criminal schemes. In particular, in an effort to artificially manipulate the price of certain stocks publicly traded in the United States, Shalon and his co-conspirators sought to market the stocks, in a deceptive and misleading manner, to customers of the victim companies whose contact information they had stolen in the intrusions.
In addition to directing the U.S. Financial Sector Hacks, Shalon directed computer network hacks and cyberattacks against numerous companies outside of the financial sector. Shalon and his co-conspirators engaged in these crimes in furtherance of large-scale criminal businesses that Shalon and Orenstein operated in the United States and other countries.
In particular, between approximately 2007 and July 2015, Shalon owned and operated unlawful internet gambling businesses in the United States and abroad; owned and operated multinational payment processors for illegal pharmaceutical suppliers, counterfeit and malicious software (malware) distributors, and unlawful internet casinos; and owned and controlled Coin.mx, an illegal U.S.-based Bitcoin exchange that operated in violation of federal anti-money laundering laws. Nearly all of these schemes, like Shalon’s securities market manipulation schemes, relied for their success on computer hacking and other cybercrimes committed by Shalon and his co-conspirators.
Through their criminal schemes, between in or about 2007 and in or about July 2015, Shalon and his co-conspirators earned hundreds of millions of dollars in illicit proceeds, of which Shalon concealed at least $100 million in Swiss and other bank accounts.
Shalon, Aaron, Orenstein and their co-conspirators operated their criminal schemes, and laundered their criminal proceeds, through at least 75 shell companies and bank and brokerage accounts around the world. The defendants controlled these companies and accounts using aliases, and by fraudulently using approximately 200 purported identification documents, including over 30 false passports that purported to be issued by the United States and at least 16 other countries.
The U.S. financial sector hacks
Between approximately 2012 and August 2014, Shalon and a co-conspirator (CC-1), working at times with Aaron, executed the hacks of the computer networks of Victims 1 through 9. Among other things, in foreign-language electronic communications during these hacks, Shalon bragged about the size and scope of his securities market manipulation schemes and described to CC-1 his use of the stolen data in furtherance of those schemes. Shalon and CC-1 also discussed expanding their network intrusions to encompass thefts of material non-public information from the financial institutions and other firms they were hacking.
The securities market manipulation schemes
Since 2011, Shalon, Aaron, Orenstein and their co-conspirators orchestrated multimillion-dollar stock manipulation – or “pump and dump” – schemes to manipulate the price and trading volume of dozens of publicly traded microcap stocks (penny stocks) in order to enable members of the conspiracy to sell their holdings in those stocks at artificially inflated prices. In some instances, Shalon and Aaron caused the companies to become publicly traded in furtherance of the scheme. To do so, Shalon caused privately held companies to engage in “reverse mergers” with publicly traded shell corporations Shalon controlled. Orenstein managed bank and brokerage accounts used in furtherance of the schemes under aliases that he supported with false passports and other false personal identification information.
To artificially manipulate the trading volume and prices of dozens of stocks, among other things, at pre-arranged times, Shalon and Aaron disseminated materially misleading, unsolicited messages by various means – including by email (spam) to up to millions of recipients per day – that falsely touted the stock in order to trick others into buying it. Shalon and Aaron engaged in the U.S. Financial Sector Hacks in part to acquire email and mailing addresses, phone numbers and other contact information for potential victims to whom they could send such deceptive communications. Shalon and his co-conspirators generated tens of millions of dollars in unlawful proceeds from the securities market manipulation schemes.
The unlawful internet gambling schemes, hacks and cyberattacks
From at least in or about 2007 up to and including in or about July 2015, Shalon, Orenstein and their co-conspirators operated unlawful internet casinos in the United States and elsewhere through hundreds of employees in multiple countries. In the United States, the defendants knowingly operated at least 12 unlawful internet casinos (the Casino Companies) which, through their websites, offered real-money casino gambling in violation of federal law and the laws of numerous states, including New York state. Through the Casino Companies, Shalon, Orenstein and their co-conspirators generated hundreds of millions of dollars in unlawful income.
In furtherance of his unlawful internet gambling schemes, Shalon and his co-conspirators engaged in massive hacks and cyberattacks against other internet gambling businesses to steal customer information, secretly review executives’ emails and cripple rival businesses. For example, Shalon orchestrated network intrusions of Victims-10 and -11, companies that provided operating software to Shalon’s internet casinos. In doing so, Shalon sought to, and did, secretly obtain access to the email accounts of senior executives at both companies to ensure that the companies’ work with Shalon’s competitors did not compromise the success of Shalon’s unlawful internet gambling businesses.
The illicit payment processing scheme and hack
From at least in or about 2011 until in or about July 2015, Shalon, Orenstein and their co-conspirators operated IDPay and Todur, multinational payment processors for criminals who sought to receive payments by credit and debit card in furtherance of their unlawful schemes. Through these payment processors, Shalon, Orenstein and their co-conspirators knowingly processed credit and debit card payments for, at a minimum, unlawful pharmaceutical distributors, purveyors of counterfeit and malicious purported “anti-virus” computer software, their own unlawful internet casinos and Coin.mx, an illegal U.S.-based Bitcoin exchange owned by Shalon. In doing so, Shalon, Orenstein, and their co-conspirators knowingly processed hundreds of millions of dollars in transactions for criminal schemes, for which they earned a percentage of every transaction.
Beginning in or about 2012, Shalon and his co-conspirators hacked into the computer networks of Victim-12, a U.S. company which assessed merchant risk and compliance for credit card issuers and others, including by detecting merchants that accepted credit card payments for unlawful goods or services. Thereafter, on an ongoing basis, Shalon and his co-conspirators monitored Victim-12’s detection efforts, including by reading emails of Victim-12 employees, so they could take steps to evade detection by Victim-12 of their unlawful payment processing scheme.
The unlawful Bitcoin exchange
From in or about 2013 to in or about July 2015, Shalon knowingly owned Coin.mx, which was operated by Murgio in the United States at Shalon’s direction in violation of federal anti-money laundering (AML) registration and reporting laws and regulations. Through Coin.mx, Shalon, Murgio and their co-conspirators enabled their customers to exchange cash for Bitcoins, charging a fee for their service. In total, between approximately October 2013 and July 2015, Coin.mx exchanged millions of dollars for Bitcoins on behalf of its customers.