The Man Accused of Masterminding the Hacks That Shook Wall Street

Worldwide Hacking Ring Is Broken Up
  • U.S. says stocks, drugs, casinos, bitcoins fueled cyber-empire
  • Global scheme called ‘business model’ for 21st-century fraud

Through the dark world of cybercrime, its tentacles spread everywhere: stock manipulation, money laundering, gambling and more.

Nothing in the annals of corporate hacking compares to the portrait U.S. authorities painted Tuesday of a vast, global crime syndicate -- a mob for the digital age. As described by federal prosecutors, it was an operation of breathtaking scale, involving more than 100 people in a dozen countries, with illicit proceeds stretching into the hundreds of millions of dollars.

At its head is a mysterious Israeli, Gery Shalon -- a 31-year-old from the Republic of Georgia who prosecutors said used aliases, fake passports and banking havens to turn hacking into the backbone of his criminal enterprise.

Much as the mafia gained footholds in construction, shipping, trucking and gambling, Shalon’s organization was a conglomerate that allegedly ran illegal Internet casinos and elaborate pump-and-dump stock schemes, while dabbling in credit-card fraud and fake pharmaceuticals.

Biggest Attacks

His group is the thread that runs through many of the biggest cyber-attacks of recent years, including the largest bank breach on record, involving the theft of information relating to 83 million customer accounts from JPMorgan Chase & Co.

Along with JPMorgan, Fidelity Investments Ltd., E*Trade Financial Corp., Scottrade Financial Services Inc. and Dow Jones & Co., a unit of News Corp., confirmed they had been among the victims of hackers who worked for the group. The indictment unsealed Tuesday against Shalon and two other men didn’t name those institutions, saying only that hackers linked with the group had breached banks and other financial firms, stealing information on 100 million of their customers.

“The conduct alleged in this case showcases the brave new world of hacking for profit,” U.S. Attorney Preet Bharara in Manhattan said Tuesday in announcing two of the indictments that laid out parts of the scheme.

“It is no longer hacking merely for a quick payout,” Bharara said. “It is hacking as a business model.”

The allegations are perhaps the starkest illustration yet that even the most sophisticated computer networks, run by companies at the heart of the global financial system, may be vulnerable in the age of the Digital Don. The latest revelations come just three months after U.S. authorities arrested several men they accuse of lurking inside servers where corporate press announcements were awaiting release, in order to trade on the information before it went public.

Fake Names

Shalon’s alleged ring processed payment information for fake pharmaceuticals and fake anti-virus software. Its members sent misleading stock pitches to clients of banks and brokerages, whose e-mail addresses they’d stolen. They profited by using trading accounts set up under fake names and used dozens of shell companies and bank and brokerage accounts around the world to launder money. They also tried to extract nonpublic information from financial corporations, prosecutors said.

Shalon -- also known as Garri Shalelashvili, Phillipe Mousset and Christopher Engeham -- was the self-described “founder” of the enterprise, according to an indictment unsealed in Manhattan that also named Joshua Aaron and Ziv Orenstein. Shalon directed hacks to further his market-manipulation and Internet gambling schemes, the indictment said, concealing at least $100 million in Swiss and other bank accounts.

Shalon and Orenstein were arrested in Israel in July, and the U.S. is seeking their extradition to New York for trial. Aaron remains at large.

Alan Futerfas, a lawyer for Orenstein, didn’t immediately return a voice-mail message left at his office seeking comment. Shalon and Aaron couldn’t be reached for comment.

A separate indictment outlined the case against Anthony Murgio, who was arrested in Florida in July. He was accused of crimes related to a bitcoin-exchange service owned by Shalon, as well as the takeover of a New Jersey credit union, all used to launder proceeds from the criminal enterprise.

Gregory Kehoe, a lawyer for Murgio, didn’t immediately return a voicemail message left at his office seeking comment.

FSU Friendships

Outlines of the government’s case against the men began emerging with the arrests last summer, when Shalon, Orenstein and Aaron were implicated in a pump-and-dump scheme. That began raising questions about the links between Shalon and a group of men, including Murgio and Aaron, whose friendship dated back more than a decade to their days at Florida State University.

Another mystery: Who did the hacking? A clue emerged in an indictment over the E*Trade attack, which was unsealed Tuesday in federal court in Atlanta. It names Shalon, Aaron and a third person -- “a computer hacker who is believed to have resided in Russia” -- who it alleges infiltrated computer networks under Shalon’s direction, located customer databases and exported the profile information to computers overseas.

Among the ring’s early hacking targets was Dow Jones. The hackers located some 10 million e-mail addresses of customers and stole millions of those from Dow Jones, identified as Victim 8 in the indictment.

In October, the company disclosed that its computer systems had been hacked. As part of that disclosure, Dow Jones chief executive officer William Lewis said that some customer payment information may have been compromised -- on no more than 3,500 accounts -- and that it was unknown whether other information had been taken.

Earlier in October, Scottrade disclosed that it had been hacked and that information on 4.6 million customers had been taken.

‘Interesting Info’

According to the indictment, Shalon and a co-conspirator expanded their efforts to seek material non-public information from firms they were hacking. In one e-mail, they referred to seeking “interesting info” from top managers at Victim 5, a St. Louis brokerage firm now confirmed as Scottrade.

A spokeswoman for Dow Jones said in a statement: "The indictment unsealed today refers to the public disclosure we made on October 9. The government’s investigation is ongoing, and we continue to cooperate with law enforcement."

The hack of Fidelity has been previously reported. The company said it has no indication that any customer accounts, customer information or related systems were affected. E*Trade confirmed it was attacked in late 2013 but declined to provide more information.

“We continue to cooperate with law enforcement in fighting cybercrime,” JPMorgan spokeswoman Trish Wexler said in a statement.

Since 2007

Shalon began building his criminal conglomerate in 2007 with Internet casinos and capped it off with stock and credit-card schemes years later, according to the 68-page indictment against Shalon and others in Manhattan.

Shalon and his associates operated at least a dozen online “real money” casinos in the U.S. from 2007 until this year, raking in hundreds of millions of dollars in revenue and, in some months, millions in profit. By December 2013, Shalon was paying 270 casino employees in Hungary and Ukraine, the indictment said.

“Casino turnover” in October 2013 alone was $78.9 million, Shalon’s associate Orenstein said in an e-mail. Profit for February 2015 totaled $7.29 million, another e-mail said.

To attract bettors, Shalon used “massive” e-mail campaigns. He also arranged to send promotional material through the regular mail to as many as 100,000 U.S. residents in more than 30 states.

Customer Data

All the while, Shalon was bent on crippling his rivals, the government said. He and his accomplices allegedly broke into other Internet gambling operations to steal customer data and orchestrated the hack of two firms that supplied software to online casinos.

By 2012, the government said, Shalon had grown so aggressive he was engineering cyber-attacks to incapacitate rival gambling sites “in response to perceived misconduct” directed at his own casinos.

Another part of Shalon’s 21st-century cyberfraud was a classic 20th-century pump-and-dump scheme, which authorities said netted tens of millions of dollars in illicit profits.

Teaming with two allegedly crooked stock promoters who are now cooperating with prosecutors, Shalon, Aaron and sometimes Orenstein selected publicly traded companies or private firms they could take public through reverse mergers with listed shell corporations.

Aliases, Passports

Using aliases and phony passports, the five opened trading accounts and then bought on the cheap almost all of a company’s shares, driving its price higher -- in one instance, more than 1,800 percent higher.

In the first phase, they and their accomplices executed prearranged trades that spurred a modest price rise on successive days. Next, prosecutors wrote, Shalon and Aaron sent spam e-mails touting the stock and its price rise to millions of potential investors they’d identified in their earlier hacks of banks and brokerages.

Is it “popular in America -- buying stocks?” an accomplice not named in the indictment asked Shalon at one point.

“It’s like drinking freaking vodka in Russia,” Shalon answered, according to the indictment. “We buy them” -- stocks -- “very cheap, perform machinations, then play with them.”

Dumped Shares

With the price inflated, Shalon, Aaron and the promoters began dumping their shares in coordinated fashion, often generating millions of dollars in profit per stock. Their sales eventually put downward pressure on the stock, and unsuspecting investors suffered big losses, prosecutors said.

The profits, Shalon boasted, were “a small step towards a larger empire.”

In all, Shalon, Aaron and Orenstein manipulated dozens of stocks, prosecutors said. They made more than $2 million in 2012 when they pushed up the price of Mustang Alliances Inc., a purported mining company with operations in Honduras, according to a Securities and Exchange Commission lawsuit filed against the three in July.

By telling investors that the company was “sitting on at least $1.7 billion worth of gold,” the group raised the price of Mustang by 65 percent.

“In a way, it was securities fraud on cybersteroids,” Bharara said.

Credit-Card Challenge

There was more than a fair amount of ingenuity involved.

Criminals seeking to accept payments by credit and debit cards face a big problem -- how to steer money through a global financial system where card networks, banks and regulators doggedly prowl for suspicious transactions. Prosecutors said Shalon and conspirators offered a solution.

They allegedly set up a sophisticated processing system that funneled hundreds of millions of dollars for criminals while charging a fee for each transaction -- more than $18 million total. Tactics described in the indictment ranged from old-fashioned bribery to other strategies requiring more creativity.

First, Shalon set up a bogus pet-supply store and dress shop. Then, every time a card was used by a U.S. gambler, he and his accomplices made it look like payments went to fake stores selling pet supplies and wedding dresses.

When card networks caught the ring’s illegal payments, they imposed millions of dollars in penalties on banks that let transactions slip through. Shalon and his accomplices allegedly feigned shock, reimbursed the banks, then set up more accounts, according to prosecutors.

Hacking the Watchdogs

When all else failed, they hacked the watchdogs.

Shalon’s alleged victims included a risk-intelligence firm in Bellevue, Washington, that flagged merchants accepting payments for “unlawful goods or services,” according to the indictment.

Prosecutors said the defendants hacked into the company’s computer network to read e-mails and keep tabs on its efforts. The hackers figured out which credit and debit cards the company used to detect bogus merchants, then blacklisted those card numbers from Shalon’s network.

With hundreds of millions rolling in from their global enterprise, the gang needed a way to process and launder its cash, prosecutors said.

Shalon, Orenstein and others used Shalon’s bitcoin-exchange company, Coin.mx, to process transactions and hide their origins, while charging fees on each deal. Murgio, the ex-Florida State University student arrested over the summer, operated Coin.mx.

The group set up a front company, Collectibles Club -- supposedly a platform for hobbyists to chat and sell treasures like stamps and sports memorabilia -- to disguise the unlicensed money-transmitting business. They then took over the New Jersey credit union -- with Murgio allegedly paying over $200,000 to two accounts at the direction of an unidentified bank executive between May and December 2014 -- and installed accomplices on the board of directors. They then moved Coin.mx’s banking operations there, making it “a captive bank for their unlawful business,” the U.S. said.

The money-laundering operation was as complex as other parts of the vast scheme. Using phony documents and aliases, the ring used accounts and at least 75 shell companies to wash its proceeds and moved gambling proceeds from account to account to account.

“They colluded with corrupt international bank officials who willfully ignored its criminal nature in order to profit from, as a co-conspirator described it to Shalon, their payment processing ‘casino/software/pharmaceutical cocktail’,” according to the indictment of the three.

The outfit may have had grander ambitions -- stealing inside information about companies to win a leg up in the market -- Bharara said Tuesday.

“The conduct alleged in this case also may signal next frontier in securities fraud, sophisticated hacking to steal material non-public information,” he said. The defendants discussed this “as the next stage of their sprawling criminal enterprise.”
