NEW YORK -- Two men held in Israel and a U.S. citizen believed to be living in Moscow were among four people who have been charged with stealing the contact information of more than 100 million customers of U.S. financial institutions to generate hundreds of millions of dollars in illegal profits, authorities said Tuesday.
Two indictments, unsealed Tuesday, tied three suspects to previously reported hacks of JPMorgan Chase & Co., E-Trade Financial Corp., Scottrade Financial Services Inc. and Dow Jones & Co., a unit of News Corp.
The summer 2014 theft of data such as names, addresses, emails and phone numbers of more than 83 million customers of JPMorgan, the nation's biggest bank by assets, was described at a news conference by U.S. Attorney Preet Bharara as "the single largest theft of customer data from a U.S. financial institution ever."
In a news release, Attorney General Loretta Lynch said the defendants "perpetrated one of the largest thefts of financial-related data in history -- making off with the sensitive information of literally thousands of hard- working Americans."
One of the indictments, unsealed in Manhattan federal court, said information on millions of other customers was stolen in cyberattacks from 2012 to last summer against other businesses in the financial sector.
Charged in the indictment were Gery Shalon, 31, of Savyon, Israel; Ziv Orenstein, 40, of Bat Hefer, Israel; and Joshua Samuel Aaron, 31, a U.S. citizen living in Moscow and Tel Aviv, Israel. All three men were charged in July with related crimes, though the hacking crimes were not specified then. Aaron was labeled a fugitive; Orenstein and Shalon were arrested in Israel in July. Bharara said the U.S. was seeking their extradition.
Since 2007, one or more of the defendants had engaged in other schemes, including U.S. securities market manipulation and the operation of at least a dozen Internet casinos that violated U.S. laws, the indictment said.
"In our view, the conduct alleged in this case showcases a brave new world of hacking for profit," Bharara said. "In short, it is hacking as a business model."
The indictment said some of the cyberattacks occurred as the men sought to steal the customer bases of competing Internet gambling businesses or to secretly review executives' emails in a quest to cripple rivals.
Authorities said the suspects used about 200 fake identity documents, including more than 30 fake passports, made to look as if they were issued by the United States and at least 16 other countries, as they operated their schemes and laundered the proceeds through at least 75 shell companies and bank and brokerage accounts worldwide.
Among the charges in the indictment were computer hacking, conspiracy to commit computer hacking, securities fraud and conspiracy to commit securities fraud.
"We continue to cooperate with law enforcement in fighting cybercrime," JPMorgan spokesman Trish Wexler said in a statement Tuesday.
A related indictment unsealed Tuesday in Atlanta named Shalon, Aaron and an unidentified person. They are charged in a scheme to hack into E-Trade Financial Corp. and Scottrade Financial Services Inc. to steal personal information from millions of customers with the intent to build their own securities brokerage.
U.S. Attorney John Horn in Atlanta said Shalon and the unidentified hacker used online chats to discuss their plan. He said they had some success cold-calling investors and had discussed selling their database to a bank. Horn said the contact information of more than 10 million E-Trade and Scottrade customers was compromised in the late 2013 attack.
Charges related to those attacks are included in the New York indictment, but the companies aren't identified by name.
On Tuesday, E-Trade Financial, based in New York, said it found no evidence that sensitive financial information taken in the 2013 attack had been compromised. It added that access may have been obtained to contact information for about 31,000 customers.
"Security is a top priority, and we focus a significant amount of time and energy to help keep our customers' data and information safe and secure," E-Trade said in a statement.
A lawyer for Orenstein didn't immediately return a message seeking comment. A lawyer for Shalon couldn't immediately be reached.
Bharara said law enforcement authorities teamed up as never before in the case.
"The sad truth is that to date, complex cybercrimes like these tend to go unsolved and the criminals tend to go unprosecuted. More often than not, the trail goes cold and the perpetrators get off," Bharara said. "We believe we've changed that narrative and this case is game-changing proof."
Information for this article was contributed by Larry Neumeister, Kate Brumback and Marcy Gordon of The Associated Press; by Liz Moyer of The New York Times; and by Greg Farrell and Patricia Hurtado of Bloomberg News.
A Section on 11/11/2015