Billing it as the largest hacking case ever uncovered, federal prosecutors in Manhattan on Tuesday described a global, multiyear scheme to steal information on 100 million customers of a dozen companies in the United States and use the data to advance stock manipulation activities, illicit online gambling and fraud.
Prosecutors said they uncovered the complex scheme in their investigation of a computer hacking last year at JPMorgan Chase that involved the breach of contact information, such as emails, from 83 million customer accounts.
Before long, investigators had uncovered a trail of 75 shell companies and a hacking scheme in which the three defendants used 30 false passports from 17 different countries. The group’s activity goes back as far as 2007, and it has reaped “hundreds of millions of dollars in illicit proceeds,” some of it hidden in Swiss accounts and other bank accounts, prosecutors said.
The data breaches “were breathtaking in their scope and size,” said Preet Bharara, the United States attorney for the Southern District of New York, at a news conference on Tuesday. The activity, described as a 21st-century twist on tried-and-true criminal activity, unveiled the existence of “a brave new world of hacking for profit,” perhaps signaling the next frontier in securities fraud.
The accused — two Israeli citizens and a United States citizen — face 23 counts of fraud and other illegal activities, according to an indictment unsealed Tuesday that added hacking to manipulation and fraud charges that were filed against the three in July. The charges are the first directly linked to the JPMorgan hack.
Two of the accused, Gery Shalon and Ziv Orenstein, remain in custody awaiting extradition from Israel after being arrested in July. A third defendant, Joshua Aaron, the American, is believed to be in Russia. The Federal Bureau of Investigation has issued a “wanted notice” for him “for his alleged involvement in a scheme to hack major American companies in order to acquire customer contact information.”
A separate indictment on Tuesday outlined seven charges against Anthony Murgio, a Florida man previously accused of running an unlicensed Bitcoin exchange. That exchange was owned by Mr. Shalon, whom prosecutors described Tuesday as the founder and leader of the sprawling criminal enterprise.
Lawyers for the four men could not immediately be reached.
Another man facing fraud charges, Yuri Lebedev, has not been charged with hacking. Mr. Bharara said on Tuesday “there are discussions between the parties.”
Prosecutors charged that the group led by Mr. Shalon hacked seven financial institutions and two newspapers to get contact information with which they could advance their pump-and-dump stock manipulation scheme. They “took the classic stock fraud scheme and brought it into the cyber age,” Mr. Bharara said.
Prosecutors said the group was involved in a broad array of activities, including processing payments for illegal pharmaceutical suppliers, running illegal online casinos and owning an unlicensed Bitcoin exchange.
Nearly all the activities “relied for their success on computer hacking and other cybercrimes,” prosecutors said on Tuesday.
According to the indictment, the three used a rented computer server based in Egypt to try hacking into customer databases at the brokerage firms TD Ameritrade and Fidelity Investments as well as JPMorgan. The ring also gained access to a computer network at what was called “Victim 8,” or Dow Jones, publisher of The Wall Street Journal, containing up to 10 million customer email addresses, prosecutors said.
Separately, federal prosecutors in Atlanta on Tuesday announced charges against Mr. Shalon, Mr. Aaron and an unnamed defendant in the late-2013 attacks on E-Trade Financial Corporation and Scottrade Financial Services, both major online brokers. The 10 charges include aggravated identity theft, computer fraud and wire fraud.
Prosecutors in Atlanta said they had uncovered online chats in which Mr. Shalon and an unnamed hacker discussed their plans to use stolen customer contact information to build their own brokerage database for peddling stocks to investors.
The New York indictment also charges the three men with hacking two software development companies to obtain information to advance their online gambling activities, and they targeted a market intelligence firm to support their card-processing activities.
The men operated at least 12 unlawful Internet casinos and marketed them to customers in the United States through extensive email promotions. The casinos generated “hundreds of millions of dollars in unlawful income,” prosecutors said, at least $1 million in profits a month.
JPMorgan confirmed on Tuesday that it was identified as “Victim 1” in the superseding indictment.
“We appreciate the strong partnership with law enforcement in bringing the criminals to justice,” the bank said in a statement. “As we did here, we continue to cooperate with law enforcement in fighting cybercrime.”
On Tuesday, E-Trade Financial, based in New York, said it was attacked in late 2013 and found no evidence that sensitive financial information had been compromised. It added that contact information for some 31,000 customers may have been exposed.
“Security is a top priority, and we focus a significant amount of time and energy to help keep our customers’ data and information safe and secure,” E-Trade said in a statement.
Fidelity, based in Boston, said, “We have confirmed with the F.B.I. that there is no indication that our customers were affected.”
In a statement, Scottrade said, “We continue to work closely with the authorities by providing any and all information and resources we can to support their investigation and prosecution of the criminals.” Scottrade, based in St. Louis, previously said 4.6 million client accounts were targeted.
Dow Jones said in a statement on Tuesday, “The government’s investigation is ongoing, and we continue to cooperate with law enforcement.”