Authorities arrested four people in Israel and Florida and revealed a complex securities fraud scheme tied to the computer hacks of JPMorgan Chase & Co. and other financial institutions.
Behind the alleged crimes described Tuesday is a remarkable story of unpredictable alliances in modern computer crime involving, if true, a multi-layered organization with tentacles reaching Moscow, Tel Aviv and West Palm Beach.
Officials in Israel this morning picked up two men charged in the U.S. with running a multimillion-dollar stock manipulation scheme. A third person remains at large. In another case in Florida, officials arrested two men for operating an unlicensed money-transfer business using bitcoins.
Though these are separate cases, some of the individuals are linked. A principal in the alleged securities-fraud scheme is a business associate of one of those charged in the Florida bitcoin operation, a friendship dating back more than a decade to their days at Florida State University.
The two are also identified in a previously unreported FBI memo that connects them to the investigation of the hack of JPMorgan as well as to incidents at Fidelity Investments Ltd. and E*Trade Financial Corp. JPMorgan officials argued initially that one of the largest U.S. bank hacks in history was the work of the Russian government.
None of the documents outlining the charges mention the JPMorgan hack, nor do prosecutors tie the securities fraud and money-transfer schemes to each other.
However, a person familiar with the investigation said that data stolen from JPMorgan, including tens of millions of e-mails and names of customers, may have been sought for promoting stocks through a massive spam campaign.
The alleged pump-and-dump scheme was several years old by the time of the Wall Street hacks. At least five stocks were manipulated in 2011 and 2012, according to the grand jury indictment unsealed Tuesday in Manhattan federal court.
The stock fraud is described as a “pump-and-dump” scheme in which promotional e-mails were sent to victims, encouraging them to buy “hot” stocks, according to a parallel complaint filed by the U.S. Securities and Exchange Commission. The perpetrators secretly sold their own holdings, it said, earning at least $2.8 million in illegal profits.
Two Israelis and an American are charged with the fraud. Two unidentified men from New Jersey and Florida, described as co-conspirators and not charged, picked the publicly traded companies as targets for manipulation, prosecutors said. In some cases, they sought to press private companies to go public so they could be targeted.
The men charged are Gery Shalon and Ziv Orenstein, both Israeli citizens, and Joshua Samuel Aaron, a U.S. citizen who resided in both the U.S. and Israel.
According to the indictment, Aaron acted as the conduit between the unnamed U.S. conspirators and Shalon, the scheme’s main Israeli architect.
Aaron wasn’t arrested.
Elements of the case apparently began to unravel this month. Investigators had hoped to arrest Aaron in Tel Aviv, where he lives with his wife, according to people familiar with the probe. Aaron and his wife were in St. Petersburg as recently as Sunday, based on social-media posts from her account. In Russia, Aaron is outside the reach of U.S. law-enforcement authorities. Investigators may have determined that he was no longer likely to return to Israel.
One of Aaron’s friends from his Florida State days is Anthony Murgio, a 31-year-old from West Palm Beach, Florida.
Murgio is charged in a complaint also filed in Manhattan federal court on Tuesday, alongside the securities complaints. Prosecutors say Murgio created a Bitcoin-exchange business in 2013 that laundered at least $1.8 million in the digital currency for tens of thousands of customers, including hackers receiving payment for “ransomware” attacks on PCs.
The documents allege that Murgio operated the exchange with an accused co-conspirator, Yuri Lebedev, under the guise of a front company, the Collectables Club Private Member Association, which lists Murgio’s West Palm Beach address. Lebedev was also charged.
Prosecutors allege that Murgio tried to keep Coin.mx’s activities hidden and used multiple Russian payment processors to “wash” illicit funds.
Both Murgio and Aaron traveled frequently to Russia, and a person involved in the investigation said there were links between the suspects and members of Russia’s cyber underground.
Though U.S. officials didn’t connect the alleged criminal activities of Murgio and Aaron, the men were linked in the FBI’s October memo to the hack of the three financial institutions. Bloomberg News learned their identities earlier this year but held off reporting about them at the request of the FBI, which said the information would compromise the investigation.
Upon learning that Murgio and Aaron were accused of crimes, a friend from Florida State expressed dismay at the alleged schemes. “That’s absurd,” said Bryan Ravit, a Phi Kappa Sigma brother of Murgio who lives in Winter Park, Florida.
“They are very stand-up guys,” Ravit said in an interview. “I would trust them with my life.”
None of those charged with securities fraud or in the bitcoin scheme could be reached for comment.
Among the surprising twists of the JPMorgan investigation is that hackers appear to have broken into the digital version of Fort Knox to steal relatively innocuous data: specifically, e-mails of JPMorgan’s customers that could be used for spam.
The cybercriminals behind the JPMorgan hacks mowed through data at several major banks and brokerages, including Fidelity and E*Trade, for more than a year beginning in the fall of 2013, according to cyber-security firms and the Federal Bureau of Investigation memo. They contributed to a hodgepodge of scams, mainly securities fraud and spamming e-mails, according to one person familiar with the investigation.
It’s not clear if the JPMorgan hackers sought data other than the names, addresses and e-mails eventually removed from the bank’s main data center. U.S. officials believe the cyberattacks were done with the help of expert hackers in Russia, according to a second person familiar with the case.
One reason to target brokerage houses is to commit account-takeover fraud. Criminals steal users’ logins and passwords to hijack their trading accounts and use the victims’ money to pump up the value of penny stocks and other thinly traded securities. Such schemes are often accompanied by spamming campaigns that further inflate the value of the shares. The criminals, who also own the stocks, can then cash out of the shares in their own accounts, a classic “pump and dump.”
Trish Wexler, a spokeswoman for JPMorgan, declined to comment. The bank has said that it discovered no fraud against account-holders related to the attack.
Fidelity has multiple layers of security and has no indication that customer accounts or information were affected, a spokesman said. A representative for E*Trade didn’t immediately respond to a request for comment.
Over almost three months, intruders at JPMorgan had unrestricted access to its main data center, which controls critical functions for the bank and the broader U.S. financial system. They accessed at least 100 servers and stole 40 gigabytes of data, defying the security of a company that spent $250 million to protect its computers in 2014.
Sandwiched between last year’s attack on Sony by North Korea and the sack of Target Corp’s payment registers in late 2013, the JPMorgan breach quickly took its place in a menacing list of cyber milestones. It sparked a fight between U.S. investigators and a bank security team staffed with former Pentagon cyber warriors, who saw something darker than mere criminal behavior.
The case may now become an object lesson in the complexities of tracing cyberattacks to the true culprits. In June, JPMorgan reassigned Chief Information Security Officer Greg Rattray amid staff discord over his handling of the breach. Rattray and his boss, Jim Cummings, a former head of the U.S. Air Force’s cyber-combat unit, were the chief advocates of the theory that the Russian government was involved in the breach, Bloomberg Businessweek reported in February.
JPMorgan declined to make Cummings and Rattray available for comment.
While bank officials ran their own investigation into the massive breach, FBI officials focused early on an oddball collection of digital misfits.
Murgio wrote in a personal blog that he and Aaron had operated an online marketing company with a global clientele. Murgio ran a series of unsuccessful restaurant ventures and had been previously accused of stealing $110,000 in state sales tax collected from his business customers. He received a deferred prosecution, and the charges were dropped after he paid the taxes owed to Florida.
Named one of Tallahassee’s top 100 singles in 2010, Murgio listed his favorite outfit as “really tight jeans that I can hardly sit down in” and Ayn Rand’s “Atlas Shrugged” as his favorite book.
After losing a long battle with the landlord of a downtown Tallahassee nightclub blocks from the Florida State University campus, Murgio, who ran the club, had a confrontation with police in October 2011 over a noise complaint.
Six months later, he filed for Chapter 7 protection in U.S. Bankruptcy Court for the Northern District of Florida, citing $539,000 in debt.
His debts persisted. On a March 2013 application for indigent status in the tax case, Murgio reported $350,000 in debt, and said his only monthly income was $1,200 in veterans benefits.
Around that time, Murgio began taking frequent trips to Russia, posting videos of himself in Russian bars and with beautiful girls, one marked #Likealittleexcitedboy.
On social media, friends asked why he was suddenly spending so much time in Russia. Two of the visits coincided with the computer breaches: He was in Moscow in April 2014, when Fidelity was hacked, and again in early August, when hackers were active in JPMorgan, according to his posts.