Bank Hackers Thought Some Insider Trading Might Be Cool
Let's say you hacked into the computer system of a major financial company. There is a lot of information there. All sorts of stuff, with all sorts of illicit uses. The world is your oyster. You could do anything. You could ... wait, what could you do?
CC-1 noted, "the top managers in [Victim-5], can they have some interesting info in their mail [i.e., email]? Regarding working on the stock market, etc. It's a big company after all. mb [Maybe] they have some secrets. . . What do you think?" SHALON responded, "Yes, this is a very cool idea. Some inside [i.e., inside, or material non-public, information]. We need to think how we can do it."
That's from an indictment unsealed today against Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein for an assortment of cybercrimes, and it's maybe the most encouraging thing I've ever read about hacking. This is just not a scary conversation!
Here is how U.S. Attorney Preet Bharara described their schemes:
Today, we have exposed a cybercriminal enterprise that for years successfully and secretly hacked into the networks of a dozen companies, allegedly stealing personal information of over 100 million people, including over 80 million customers from one financial institution alone. The charged crimes showcase a brave new world of hacking for profit. It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate. This was hacking as a business model. The alleged conduct also signals the next frontier in securities fraud – sophisticated hacking to steal nonpublic information, something the defendants discussed for the next stage of their sprawling enterprise. Fueled by their hacking, the defendants’ criminal schemes allegedly generated hundreds of millions of dollars in illicit proceeds.
Shalon was the alleged ringleader; CC-1 was an unnamed co-conspirator who seems to have been one of Shalon's main financial-institutions hackers. (Victim-5 was Scottrade.) These were -- allegedly -- criminal geniuses, the masterminds of a global network that pulled off some of the biggest financial hacks in history. "This was securities fraud on cyber steroids," said Bharara, absurdly.
And there they were, inside of Scottrade's computers. And they were like, maybe we should do stock stuff? Secret stock stuff? Cool plan!
They don't seem to have done any secret stock stuff with whatever they found at Scottrade, presumably because they never actually found any juicy info "regarding working on the stock market, etc." And although they hacked into at least two financial news publishers, including Dow Jones, there is no allegation that they ever got early access to market-moving news there or anywhere else. (Unlike some people!) Instead, they focused on getting customer account information from Dow Jones and Scottrade and a bunch of others, including especially JPMorgan, from which they allegedly "stole customer records of over 83 million customers." This does not seem to have been the sort of customer information that would let them, oh, say, steal the customers' money, or trade in the customers' accounts.
But they did allegedly do some stock stuff with all the stolen customer information. Specifically this:
SHALON and AARON began disseminating materially misleading, unsolicited ("spam") messages by various means - including by email to up to millions of recipients per day - that falsely touted the stock in order to trick others into buying it. SHALON and AARON engaged in the U.S. Financial Sector Hacks in part to acquire email and mailing addresses, phone numbers and other contact information for potential victims to whom they could send such deceptive communications.
So their massive financial hacking scheme seems to have been purely in the service of sending e-mail spam.
Don't get me wrong, e-mail spam is terrible, and I say this as someone whose e-mail address is published on the Internet every day (scroll down!). And these particular spam e-mails were allegedly sent in pursuit of pump-and-dump schemes that "generated tens of millions of dollars in unlawful proceeds" and also generated this magnificent exchange:
As to a particular publicly traded stock for which SHALON, AARON and ORENSTEIN had manipulated trading in the United States, SHALON boasted that his sale of that stock for large profits was "a small step towards a large empire." As SHALON explained, "We buy them [i.e., stocks] very cheap, perform machinations, then play with them. . ." When CC-1 asked, with respect to SHALON's ability to cause people in the United States to purchase stocks, if it really was "popular in America - buying stocks?," SHALON responded, "It's like drinking freaking vodka in Russia."
But the hacking was really a very small component of this scheme. It (allegedly) got these guys contact lists, and pretty good contact lists: People with Scottrade or Dow Jones or even JPMorgan accounts probably are more likely to want to trade securities than the average person. But everything else was just a bog-standard pump-and-dump, complete with shell-company reverse mergers to create new public companies, "pre-arranged manipulative trades" to pump up the stocks, and spammy fake e-mails to keep them up while the conspirators sold their shares at a profit.
An -- encouraging? discouraging? -- conclusion here is that technology only took these hacking masterminds so far. They ultimately made money not by manipulating computers, but by manipulating people. They monetized their hacking through good old-fashioned human stupidity; their hacks were profitable only because, as Shalon accurately noted, in America, day-trading penny stocks on the basis of a misspelled e-mail from a stranger is "like drinking freaking vodka in Russia." We, and our financial markets, are not yet at the mercy of the computers, or of the shadowy international hackers who can control them. We still do a lot of dumb trading though.
The indictment goes on! There is so much more stuff! Honestly the financial manipulation seems to be the least of it. The defendants also allegedly "operated lucrative, unlawful internet casinos in the United States and elsewhere through hundreds of employees in multiple countries," earning "millions of dollars in profits per month." They "arranged for money received from United States gamblers to be disguised as payments to phony online non-gambling merchants, such as wedding dress and pet supply stores," to get around legal rules prohibiting processing payments for online gambling. They also processed payments for "unlawful pharmaceutical companies" and "purveyors of counterfeit and malicious 'anti-virus' computer software." There was a bitcoin exchange, because any sufficiently advanced criminal enterprise is indistinguishable from a bitcoin exchange.
The whole thing seems to have been bafflingly complex. People sometimes talk about how Citigroup or JPMorgan or whatever is "too big to manage," and you can see certain analogies here. Like a big universal bank, Shalon's conspiracy was allegedly involved in payments processing, equity trading and foreign exchange, and operated through multiple subsidiaries in various jurisdictions. It also allegedly ran "at least 12 unlawful internet casinos," which is not, strictly speaking, a traditional banking function. Plus the hacking. If Shalon himself was personally involved in all of these disparate activities, that is honestly a pretty impressive managerial feat. And he did all of it with only "hundreds of employees," which again is impressive efficiency.
In furtherance of his unlawful internet gambling businesses, GERY SHALON, the defendant, orchestrated network intrusions of Victim-10 and Victim-11, software development companies that provided operating software to SHALON's internet casinos and other such casinos around the world. In doing so, SHALON sought to, and did, secretly obtain access to the email accounts of senior executives at both companies, reading their emails on an ongoing basis, a fact SHALON ultimately admitted to at least one of the executives whose emails he had been secretly reading. SHALON monitored company executives' emails in order to ensure that the companies' work with SHALON's competitors did not, in SHALON's view, compromise the success of SHALON's unlawful internet gambling businesses.
Monitoring the e-mail of people who work for you! He really did run it like a bank. If you're going to run a multinational diversified financial-services enterprise, even an illegal one, it's important to follow best practices.
"A/k/a 'Garri Shalelashvili,' a/k/a 'Gabriel,' a/k/a 'Gabi,' a/k/a 'Phillipe Mousset,' a/k/a 'Christopher Engeham.'"
"SHALON directed a co-conspirator not identified herein ('CC-1') to execute network intrusions at particular companies in an effort to steal customer data as identified by SHALON," though CC-1 falls out of the narrative later for the more audacious hacks.
I don't know what the "in part" means in that quote; there is no allegation that they ever did anything else with their financial-sector hacks, except muse about how cool it would be to stumble on some inside information.
Tragically, the indictments don't quote any of the spam e-mails, but I have a hunch on this one.
Their alleged co-conspirator in the bitcoin exchange was indicted separately.
I mean, bitcoin exchange, whatever.
From the press release: "SHALON, AARON, ORENSTEIN, and their co-conspirators operated their criminal schemes, and laundered their criminal proceeds, through at least 75 shell companies and bank and brokerage accounts around the world."
The indictment alleges some other hacking related to the illegal businesses, including attacks on the competitor casinos themselves, and a hack of "a U.S. company which assessed merchant risk and compliance for credit card issuers" to try to prevent their own illegal payments processing from being flagged.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the author of this story: Matt Levine
To contact the editor responsible for this story: Zara Kessler