On November 10, 2015, Loretta E. Lynch, Attorney General of the
United States, and Preet Bharara, U.S. Attorney for the Southern
District of New York, unsealed an indictment of three individuals
on charges of computer hacking and conspiracy to commit computer
hacking. Those charges followed an earlier indictment of the same
three, in July 2015, for fraud, identity theft, and conspiracy. The
indictments were the result of the investigative work of the FBI
and the Secret Service. Two of the above defendants have been
apprehended, although one, Joshua Aaron, remains at large.

The indictment relates to thefts of personal information
discovered in August of 2014 from institutions including JP Morgan
Chase & Co., Scottrade Financial Services Inc., and Dow Jones
& Co. as identified by the media. The names and contact
information of over 100 million customers of these and other banks,
brokerages, and financial news publishers had been stolen: 80
million from one institution alone. The indictment alleges that the
stolen information was used by the defendants to manipulate the
price of penny stocks for their personal gain.

Beginning in 2012, the defendants are alleged to have overseen
and directed network intrusions against a total of 9 separate
financial institutions, financial services corporations, and
financial news publishers. In each case, a defendant opened an
account or registered as a customer using a false identity complete
with social security number.

Using overseas networks and unknown agents, the defendants are
alleged to have stolen the name and contact information of other
customers by using the defendant's own online login as a point
of entry. They were also successful in installing malware which
provided them with ongoing access to the computer network of the
institution in some cases.

The indictments allege that in 2014, the defendants focused on
large financial institutions, identified as Victims 1 to 3. They
used a variety of methods, some of which were detected. For
example, the defendants attempted to gain access to the secure
servers of Victim 3 by attempting to remotely access an account
belonging to one of the defendants from an Egyptian-based
server. The financial institution, however, blocked the
remote access and locked the account on the basis that the
attempted access was suspicious. Victim 2 was successfully targeted
through the "Heartbleed" vulnerability. For a short
period of time, the defendants obtained access to the company's
servers and customer lists.

The defendants' greatest success allegedly came when they
accessed the servers and computer systems of Victim 1 in June 2014,
through one of the defendants' accounts. That access allowed
them to steal the records of over 83 million customers.
Approximately 2 months later, Victim 1 discovered that its customer
data had been stolen and cut off the defendants' access.

The customers whose data was stolen were then targeted with
stock tips sent via email from twenty or so seemingly unrelated
stock promotion websites controlled by the defendants. The
indictment alleges that the defendants took great pains to hide
their controlling interest in these websites and lied to customers
about where their information had been obtained.

The defendants encouraged investors to purchase certain penny
stocks which they had "pumped". Once the price and
trading volume of these stocks increased, the defendants would dump
their shares for sizeable profits.

The indictments describe a "sprawling criminal
enterprise" which employed hundreds of individuals. As the
U.S. Attorney for New York stated, "It is no longer hacking
merely for a quick payout, but [...] hacking as a business
model". As part of this, the defendants used online
casinos and bitcoin exchange as means of laundering their

If proven, the indictment demonstrates not only the tremendous
scope and impact of a cybersecurity breach, but also the extent to
which criminals are able to organize themselves to exploit the
information stolen, and the diverse uses to which it can be