JPMorgan Hack Suspect Leaves Russia to Face U.S. Charges

  • Joshua Aaron appears in Manhattan courtroom Wednesday evening
  • He’s accused of helping steal data on 100 million customers

An American fugitive who is accused of conspiring to organize the largest known cyber attack on Wall Street arrived back home in the U.S. from Russia, resolving months of negotiations at a moment of high tension over hacking between Moscow and Washington.

Joshua Aaron pleaded not guilty in a Manhattan courtroom Wednesday evening to 16 criminal counts, including hacking, securities fraud and conspiracy. The most serious charges carry a possible sentence of as long as 20 years in prison.

Joshua Aaron

Joshua Aaron

Source: FBI

Aaron, 32, was taken into custody about 12:30 p.m. Wednesday at New York’s John F. Kennedy International Airport, after arriving on a flight from Moscow. His arrest follows negotiations with U.S. authorities from a migrant detention center near the Russian capital for more than seven months, according to people who asked not to be identified because the information is private.

Aaron’s attorney, Ben Brafman, said his client waived extradition and is in the U.S. voluntarily. A spokesman for Russia’s Interior Ministry, which is in charge of the migration center, couldn’t be reached by phone for comment.

Aaron, a Maryland native, was ordered held without bail by U.S. Magistrate Judge James Francis and is scheduled to appear in court again Thursday morning.

Aaron and two Israelis are accused of orchestrating what Manhattan U.S. Attorney Preet Bharara called “securities fraud on cyber steroids” from 2007 to mid-2015. They’re implicated in stealing data from more than 100 million customers from companies including JPMorgan Chase & Co. and using that information to manipulate stocks and undertake other schemes that netted hundreds of millions of dollars.

“Joshua Samuel Aaron allegedly worked to hack into the networks of dozens of American companies, ultimately leading to the largest theft of personal information from U.S. financial institutions ever,” Bharara said in a statement.

Unidentified Hacker

What remains unclear in the case is who conducted the actual attacks. Court documents filed in relation to the breaches link it to an unidentified Russian-speaking hacker, making it possible that Aaron may have information on the hacking to share with U.S. investigators.

Aaron’s arrival comes as members of the U.S. security community and cyber investigators say Russia is behind efforts to hack the Democratic National Committee to sow confusion in elections and attempt to disrupt the failed campaign of Democratic presidential candidate Hillary Clinton.

The events leading to Aaron’s return came together abruptly this week, with the 32-year-old roused early this morning and dispatched to the airport, one of the people said.

U.S. authorities issued an arrest warrant for Aaron in July 2015, accusing him and co-defendants Gery Shalon and Ziv Orenstein of participating in a ring that extracted nonpublic information from financial corporations, processed payment information for fake pharmaceuticals and fake anti-virus software, falsified passports and took control of a New Jersey credit union. The three used 75 companies and bank and brokerage accounts around the world to launder money, authorities allege. Israel extradited Shalon and Orenstein to the U.S. in July 2016.

Aaron arrived in Moscow from Ukraine in May 2015, just weeks before the U.S. unveiled charges against him and his co-defendants.

Moscow police detained Aaron a year later, after he failed to produce a valid passport during a midnight check at his apartment above the Beverly Hills Diner near downtown. In a statement to Russian prosecutors on the day of his detention, Aaron said he wasn’t aware of the U.S. arrest warrant and denied breaking any U.S. laws.

A Russian man also faces U.S. hacking charges. For more, click here

On May 20, a Russian judge ordered Aaron deported and fined him 5,000 rubles ($82) for violating the rules of his three-year visa, which requires holders to exit and re-enter the country every six months. A second judge rejected his appeal in June. Aaron was moved to a detention center for illegal immigrants near Moscow.

Aaron, who attended Florida State University, was negotiating his return to the U.S. in October, and talks between his lawyers and U.S. officials were progressing, people familiar with the matter said at the time. The sides discussed a possible plea deal, these people said.

Russia, which doesn’t extradite its citizens or have an extradition treaty with the U.S., had offered to hand him over in exchange for a “reciprocal” act, but received no reply from the U.S. Embassy, court transcripts show. He had presumably been free to leave Russia for a country of his choice. 

Aside from JPMorgan, companies that have confirmed being attacked in connection with the group linked to Aaron include Fidelity Investments Ltd., E*Trade Financial Corp., Scottrade Financial Services Inc. and Dow Jones & Co., a unit of News Corp.

    Before it's here, it's on the Bloomberg Terminal.