U.S. Racing to Show Links to Elusive Hackers in JPMorgan Attack

Gery Shalon, center, one of two Israeli men charged in the U.S. in connection with securities fraud.

Photographer: Ilia Yefimovich/Getty Images

The criminal charges against five men who authorities tracked down after last year’s hacking attack on JPMorgan Chase & Co. leave one very important question.

Where are the hackers?

The complaints filed Tuesday in Manhattan federal court against the men are unrelated to hacking and are narrowly tailored to claims of securities fraud and a bitcoin scam in Florida. But they are a key step in an elaborate investigative gamble to crack the hacking case, according to three people familiar with the investigators’ strategy who provided details of events leading up to the arrests.

The investigators’ immediate goal is to unearth new evidence from those arrested. They could then fortify their existing case by adding charges that link one or more of those arrested with the Wall Street hacking spree, now known to have affected Fidelity Investments Ltd., E*Trade Financial Corp. and other financial institutions as well as JPMorgan.

There is an even more elusive quarry. Investigators suspect the actual keyboard work was done by an elite group of Russian cyber criminals who may have partnered with the alleged stock fraudsters and who may have had additional criminal motives. The men charged simply don’t have the kind of computer skills needed for the JPMorgan attack, the investigators have concluded.

Because some of them traveled frequently to Russia, they may have interacted directly with the real hackers. The FBI savors the prospect of interrogating anyone who could provide rich and colorful evidence against this type of cybercriminal, long untouchable by U.S. law enforcement.

Digital Trail

A lot of things have to fall into place before a victory can be claimed by authorities who have followed the digital trail for nearly a year from JPMorgan’s data center to intermediate points in Ukraine and South Africa, then to Russia, Israel and back to the U.S.

From the early days of their investigation, officials sensed an opportunity to break a long losing streak. For years, hackers operating from safe havens in China and Eastern Europe have rifled secret government data centers and the computer networks of thousands of American companies with little chance of ever ending up in an American court.

In the JPMorgan case, the trail of evidence rapidly led investigators to men well within their reach. The unlikely group included a pair of former Florida State University frat buddies and an alleged group of Israeli stock schemers. According to those close to the investigation, the primary architects are believed to be an Israeli man, Gery Shalon, who was arrested in Israel Tuesday and charged with defrauding investors by pumping up the value of low volume stocks, and Joshua Samuel Aaron, who grew up in Potomac, Maryland, and charted a conventional path in middle-class America before his alleged involvement in a complex international fraud scheme.

High Gear

With Shalon and others in custody, the investigation is moving into high gear after months of plodding work.

It’s unlikely that U.S. agents will be allowed to conduct the initial interrogations of Shalon, who appeared Wednesday in a Jerusalem court. According to one of the people familiar with the case, the FBI has prepared questions for the Israeli police and agents are available for real-time consultations, depending on Shalon’s willingness to cooperate.

Anthony Murgio, Aaron’s old college friend, who is charged with running a money-laundering scheme through his Coin.mx bitcoin exchange, was arrested early Tuesday at his home in Florida, according to the FBI. He wasn’t booked until 6:30 p.m., according to Pinellas County jail officials. It's unknown if those intervening hours were spent with FBI interrogators.

Anthony Murgio's booking photo on July 21, 2015.
Source: Pinellas County Sheriff's Office via Bloomberg

One or more of the men in custody will be pressed to become a cooperating witness, providing prosecutors with more evidence and perhaps even a road map to the Wall Street hacks, according to the people familiar with the investigation. Of the five men charged, Aaron is still at large.

Significant Weaknesses

Prosecutors need that help because of significant weaknesses in their hacking case, three people familiar with the investigation said.

According to an October FBI memo, agents had early evidence pointing to Aaron and his long-time friend, Murgio. People familiar with the probe said Aaron signed in to some servers used in the attack that agents managed to trace back to him. E-mails subpoenaed later also suggest a link between Aaron and Shalon and the attacks, they said.

A series of meetings between agents and prosecutors began last fall and continued until earlier this year. The two sides wrangled over the evidence linking the men and a growing circle of associates to the hacks. The FBI kept pressing for a date to make arrests, and prosecutors kept pushing it back, asking for more evidence and stronger links.

Prosecutors found the evidence was compelling, but circumstantial, and not strong enough to meet the threshold for charging the men with the Wall Street hacks.

So, the agents went back to the drawing board.

Technical Skills

Nothing they subsequently learned about the men suggested they had the technical skills to pull off the entirety of last summer’s complex heist of data from JPMorgan Chase.

In the words of one of the people involved, these were fraudsters, not hackers.

What they did discover was that several of the men may have been involved in a range of potentially criminal schemes that could benefit from data like that which was stolen from JPMorgan’s data center, including the names, addresses and e-mails of tens of millions of bank customers. Among that activity was a scheme prosecutors say was masterminded by Aaron and Shalon to pump up the value of stocks that are lightly traded. One way is to promote them with large spam e-mail campaigns encouraging investors to buy, and then to cash out of their own investments before the price falls back to earth.

Common Tactic

Investigators seized on that activity. People familiar with the probe said it’s a common tactic of prosecutors working such a complex case to charge suspects with some crimes that can be more easily proven and then rein in cooperating witnesses to achieve their ultimate goal.

Attempts to reach lawyers for the four people arrested have so far been unsuccessful.

By the time of this week’s arrests, the probe was bogging down. New York-based investigators seeking the cooperation of the courts and police outside the country were making requests through 100-year-old tools like a letter rogatory, which travels at the speed of molasses through diplomatic channels. They needed to gather information from privately owned data centers in Ukraine, South Africa and other countries that the hackers used in the attack.

Digital Evidence

According to two people, banks were also pressing investigators to hold someone accountable for the breach, which touched the data of more than 80 million customers.

The individuals charged this week at best only get investigators part way there. The government has digital evidence and other indicators that link the JPMorgan attack to other breaches in recent years, according to several people familiar with the case.

The bank may have even more insight. Security vendors employed by the bank to investigate the breach, who asked not to be identified because of the continuing investigation, attribute the hack to a well-known Russian group that is deeply involved in cybercrime and also does occasional contract work for Russian intelligence agencies.

Ziv Orenstein, center, one of two Israeli men charged in the U.S. in connection with a pump-and-dump securities fraud scheme.
Photographer: Ilia Yefimovich/Getty Images

Prevent Leaks

People familiar with the case say the FBI is less sure but may not have all the information gleaned by the bank. JPMorgan spokeswoman Trish Wexler declined to comment.

Greg Rattray, who was hired in June 2014 as JPMorgan’s chief information security officer, limited access to the attack data to control the investigation and prevent leaks, Bloomberg Businessweek reported in February. He and his boss, JPMorgan’s global security chief James Cummings, a former head of the U.S. Air Force’s cyber-combat unit, confounded the investigating agents so much that the Secret Service threatened to seize the evidence. Rattray was reassigned last month amid staff discord and controversy over his handling of the breach.

Joseph Demarest, then assistant director of the FBI’s cyber division, called Chief Operating Officer Matthew Zames to discuss delays in information-sharing, and the bank and FBI settled on what data would be handed over through a formal agreement. Demarest, who has been promoted to an FBI associate executive assistant director, issued a statement in February saying that the bank had been fully cooperative.

Full Accounting

The bank also doesn’t have a full accounting of what was taken. The hackers were inside for nearly three months. JPMorgan’s sophisticated system for recording all data packets flowing in and out of its networks was programmed with too little storage to retain all evidence of the intrusion, according to several people familiar with the bank’s systems. Wexler, the JPMorgan spokeswoman, earlier said the bank knows all the information that was breached.

It’s possible the intruders may have tried to exploit the hack for other criminal schemes or sold access to the bank’s network to others, one person familiar with the probe said.

The arrest phase of the investigation has not gone exactly as planned, according to the people close to the case.

Aaron, who lives in Tel Aviv and has evaded authorities, connects many of those charged and served as the intermediary between Shalon and unnamed conspirators in the U.S. who picked company stocks to manipulate, according to court papers and people familiar with the case. Aaron also traveled frequently to Russia, sometimes overlapping with Murgio, raising the possibility that he met with the hackers, according to the people.

Authorities had hoped to arrest Aaron at his home in Tel Aviv. Officials won’t say if they know where he is now. According to a social media post by his wife, they were in St. Petersburg, Russia, as recently as Sunday.

(Corrects captions of first and third photographs.)
