NEW YORK (AP) — Two men held in Israel and one U.S. citizen believed to be living in Moscow have been charged with stealing the contact information of more than 100 million customers of U.S. financial institutions to generate hundreds of millions of dollars in illegal profits, authorities said Tuesday.
The summer 2014 theft of data such as names, addresses, emails and phone numbers of more than 83 million customers of JPMorgan Chase & Co., the nation's biggest bank by assets, was described at a news conference by U.S. Attorney Preet Bharara as "the single largest theft of customer data from a U.S. financial institution ever."
In a release, Attorney General Loretta E. Lynch said the defendants "perpetrated one of the largest thefts of financial-related data in history — making off with the sensitive information of literally thousands of hard working Americans."
An indictment unsealed in Manhattan federal court said identifying information on millions more customers was stolen in cyberattacks from 2012 to last summer against several other financial institutions, financial services corporations and financial news publishers.
Since 2007, one or more of the defendants also engaged in other criminal schemes, including U.S. securities market manipulation schemes and the operation of at least a dozen Internet casinos that violated U.S. laws, the indictment said.
"In our view, the conduct alleged in this case showcases a brave new world of hacking for profit," Bharara said. "In short, it is hacking as a business model."
The indictment said some of the massive computer hacks and cyberattacks occurred as the men sought to steal the customer base of competing Internet gambling businesses or to secretly review executives' emails in a quest to cripple rivals.
Authorities said the defendants used about 200 fake identity documents, including over 30 fake passports supposedly issued by the United States and at least 16 other countries, as they operated their criminal schemes and laundered the proceeds through at least 75 shell companies and bank and brokerage accounts worldwide.
Charged in the indictment were Gery Shalon, 31, of Savyon, Israel; Ziv Orenstein, 40, of Bat Hefer, Israel; and Joshua Samuel Aaron, 31, a U.S. citizen living in Moscow and Tel Aviv, Israel. All three men were charged in July with related crimes, though the hacking crimes were not specified then. Aaron was labeled a fugitive while Orenstein and Shalon were arrested in Israel in July. Bharara said the U.S. was seeking their extradition.
Among charges in the indictment were computer hacking, conspiracy to commit computer hacking, securities fraud and conspiracy to commit securities fraud.
A related indictment unsealed Tuesday in Atlanta also named Shalon, Aaron and a third unidentified person. They are charged in a scheme to hack into E-Trade Financial Services Corp. and Scottrade Financial Services Inc. to steal personal information from millions of customers with the intent to build their own securities brokerage.
U.S. Attorney John Horn in Atlanta said Shalon and the unidentified hacker used online chats to discuss their plan. He said they had some success cold-calling investors and had discussed selling their database to another bank. Horn said the contact information of more than 10 million E-Trade and Scottrade customers was compromised in the late 2013 attack.
Charges related to those companies are included in the New York indictment, but the companies aren't identified by name.
A lawyer for Orenstein didn't immediately return a message seeking comment. A lawyer for Shalon couldn't immediately be reached.
Bharara said law enforcement teamed up as never before in the prosecution.
"The sad truth is that to date, complex cybercrimes like these tend to go unsolved and the criminals tend to go unprosecuted. More often than not, the trail goes cold and the perpetrators get off," Bharara said. "We believe we've changed that narrative and this case is game-changing proof."
Associated Press Writers Kate Brumback in Atlanta and Marcy Gordon in Washington contributed to this report.
This story has been corrected to show that 100 million customers, not 100, were affected.