NEW YORK – Four people were indicted Tuesday in a massive hacking scheme by a “diversified criminal conglomerate” that compromised data from millions of customers of JPMorgan Chase and other firms, officials said.
One indictment unsealed Tuesday charged three people in the computer breach against the huge bank and other organizations. The fourth person was charged in a separate indictment with running a bitcoin scheme to launder the hackers' proceeds.
The bank revealed last year that a hack had compromised data on 76 million household customers and 7 million businesses, including their names, email addresses and telephone numbers — the largest theft of data from a U.S. financial institution.
The indictment unsealed in New York federal court said the three defendants charged in the hacking led a “sprawling cybercriminal enterprise” that hit at least a dozen firms, including banks and brokerages.
From the 12 companies, more than 100 million customers had personal information stolen or compromised, according to the Justice Department.
JPMorgan Chase was not mentioned in the indictment, but the bank confirmed the investigation was linked to the breach disclosed last year.
“We appreciate the strong partnership with law enforcement in bringing the criminals to justice,” bank spokeswoman Patricia Wexler said in a statement.
“As we did here, we continue to cooperate with law enforcement in fighting cybercrime.”
Other firms previously identified as victims included the Dow Jones media group and online brokers ETrade and Scottrade.
Two Israeli nationals — Gery Shalon and Ziv Orenstein — and U.S. citizen Joshua Samuel Aaron were charged with multiple counts of fraud, conspiracy and other charges related to the hack.
Among the various schemes alleged in the indictment, the defendants used the stolen data to send emails in an effort to artificially pump up the prices of certain “penny” stocks — a so-called “pump and dump” operation.
The hackers operated a wide range of other criminal activities, including an Internet gambling scheme, an unlawful bitcoin exchange and an illicit payment processing operation for shady online pharmaceutical sellers and others, according to prosecutors who alleged the schemes netted “hundreds of millions of dollars” in illegal proceeds.
“We have exposed a cybercriminal enterprise that for years successfully and secretly hacked into the networks of a dozen companies, allegedly stealing personal information of over 100 million people, including over 80 million customers from one financial institution alone,” said U.S. Attorney Preet Bharara.
“The charged crimes showcase a brave new world of hacking for profit. It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate. This was hacking as a business model.”
In July, Shalon and Orenstein were arrested in Israel, and around the same time U.S. officials detained Anthony Murgio, who was charged with operating an illegal money transfer service using the bitcoin virtual currency that helped launder the profits from the scheme.
Murgio was accused in a separate indictment of operating the Coin.mx service that was used to conceal the gains of the hackers.
Aaron, who is known to have ties to Russia, remains at large, according to officials. Shalon and Orenstein remain in custody in Israel pending an extradition proceeding.
The indictments include some 30 criminal charges carrying penalties of between five and 20 years each.