The US government is accusing three men of hacking into JP Morgan last year and accessing more than 80 million accounts in what the feds called the "the largest theft of customer data from a U.S. financial institution in history."
The three men also hacked six other unnamed financial services companies and two financial news publications, according to an indictment against them unsealed on Tuesday.
The feds charged Gery Shalon, Joshua Samuel Aaron (who is among the FBI's "cyber's most wanted"), and Zic Orenstein with 23 different counts, including hacking, identity theft, securities fraud, wire fraud, and money laundering. The feds identified Shalon as the "leader" and founder of a "sprawling" cybercrime organization that operated from 2012 to mid 2015, allegedly orchestrating "massive computer hacking crimes" and stealing personal information of over 100 million people.
A spokesperson for JP Morgan confirmed to Motherboard that her company is referred to as Victim 1 in the indictment, and that this case refers to the massive data breach suffered by the bank in 2014, where the cybercriminals accessed information on 76 million households and 7 million small businesses.
"We appreciate the strong partnership with law enforcement in bringing the criminals to justice," JP Morgan spokesperson Patricia Wexler said in an emailed statement.
Shalon and his partners were not just into hacking banks though. Prosecutors accuse them of operating an illegal internet gambling business, distributing malware, and operating Coin.mx, "an illegal" US based Bitcoin exchange. Thanks to these activities, Shalon and the others allegedly made "hundreds of millions of dollars."
Shalon and the others allegedly made "hundreds of millions of dollars."
The cybercriminals allegedly used a complex system of aliases, over 30 fake passports, and 75 shell companies to launder the money they made, according to the indictment. Shalon allegedly concealed more than $100 million in Switzerland.
The three apparently did not act alone. The indictment mentions an unnamed co-conspirator who allegedly helped Shalon and the others to hack into systems and install malware that provided them with "persistent access."
The criminals allegedly used various techniques to hack into the banks networks, from social engineering to taking advantage of vulnerabilities such as Heartbleed, a critical bug in a widely used web encryption library.
Shalon, Aaron, and Orenstein were also previously charged with fraud to manipulate stock prices earlier this year. At the time, some speculated that the three might also be responsible for the JP Morgan hack, but this wasn't confirmed until Tuesday.
You can read the full indictment here.