
Report: Spammers Tied To JPMorgan Chase Hack

Feds Detail Pump-and-Dump, Plus Bitcoin Exchange Busts

The Manhattan U.S. Attorney's office has charged three men with running a pump-and-dump stock scheme that blasted out millions of spam emails per day to artificially "pump" up the price of penny stocks they owned, before the defendants allegedly "dumped" their stocks, making at least $2.8 million in profits. The scheme was reportedly also tied to hack attacks against financial services heavyweights JPMorgan Chase, Fidelity Investments and E*Trade Financial.


Separately, authorities also announced that two men have been arrested in Florida on charges that they ran an unlicensed online Bitcoin exchange that was used in part by cybercriminals based in the United States, Russia and beyond.

In the pump-and-dump case, an 11-count indictment unsealed by the Manhattan U.S. Attorney July 21 charges Gery Shalon, 31, Joshua Samuel Aaron, 31, and Ziv Orenstein, 40, with running and financing the spam email campaigns, which included "false and fraudulent statements" designed to create demand for U.S. publicly traded microcap stocks - "penny stocks" - that they owned in substantial quantities. In what's known as a pump-and-dump scheme, the men allegedly waited for the price of the stock to artificially inflate before they allegedly began selling - or dumping - their shares, to cash in on the rise of the stocks' value. The scheme allegedly ran from sometime in 2011 until May 2015.

The men face a number of wire fraud, document fraud and securities fraud charges, and Aaron and Shalon have also been charged with aggravated identity theft and money laundering.

But the suspects have reportedly also been tied to a 2014 hack attack against JPMorgan Chase that resulted in the theft of millions of customers' names and email addresses, which bank authorities initially blamed on the Russian government. Although none of the documents unsealed July 21 mention this alleged connection, according to an unnamed person who is familiar with the FBI's related investigation, the men are suspected of being tied to the hack of JPMorgan and of using the stolen email addresses in their spam campaigns; they're also suspected of being tied to intrusions involving Fidelity Investments Ltd. and E*Trade Financial Corp., Bloomberg reports.

A spokesman for the Manhattan U.S. Attorney's office didn't immediately respond to a related request for comment.

U.S. Suspect Remains At Large

Shalon and Orenstein were arrested by local police on July 21 at their respective residences in Israel, and U.S. authorities say they will seek the extradition of both men, who are Israeli citizens. But Aaron - a U.S. citizen who authorities say resides in the United States, as well as in Moscow and Tel Aviv - remains at large.

"As alleged, the defendants manipulated trading in U.S. securities from overseas, using fake identities to funnel millions of dollars in unlawful proceeds through a web of international shell companies," Manhattan U.S. Attorney Preet Bharara says. "Using false and misleading spam emails sent to millions of people, these defendants allegedly directed their pump-and-dump scheme from their computers halfway around the world."

The indictment accuses the suspects of using a variety of false identities to open bank and brokerage accounts in the United States, and operating a network of shell companies registered in the United Kingdom, British Virgin Islands and Cyprus. "Aaron acted as the scheme's 'front-man,' communicating with U.S.-based co-conspirators and others at the direction of Gery Shalon," according to the indictment. It says those co-conspirators, who were not named in the indictment, were based in New Jersey and Florida.

Separately, the United States Securities and Exchange Commission announced that it has filed civil charges against Shalon, Aaron and Orenstein.

If convicted of all the charges contained in the Justice Department's indictment, Shalon and Aaron face up to 192 years in prison, while Orenstein faces up to 90 years. But investigators may have missed their chance to arrest Aaron, who was in St. Petersburg, Russia, with his wife as recently as July 19, based on her social media posts, Bloomberg reports. Russia has no extradition treaty with the United States (see FBI Hacker Hunt Goes 'Wild West').

Alleged Illegal Bitcoin Exchange

The U.S. Department of Justice has also announced charges against Anthony R. Murgio, 31, and Yuri Lebedev, 37, related to running an "unlicensed money transmitting business" called Coin.mx, and for using front companies named "Collectables Club" and "Currency Enthusiasts" to disguise their activities (see Tougher to Use Bitcoin for Crime?). "They sought to trick the major financial institutions through which they operated into believing that their unlawful Bitcoin exchange business was simply a members-only association of individuals who discussed, bought and sold collectable items, such as sports memorabilia," according to the Manhattan U.S. Attorney's office.

The men allegedly funneled profits from the exchange to bank accounts in Cyprus, Hong Kong and Eastern Europe, and received hundreds of thousands of dollars from bank accounts in Cyprus and the British Virgin Islands. "In total, between approximately October 2013 and January 2015, Coin.mx exchanged at least $1.8 million for bitcoins on behalf of tens of thousands of customers," U.S. Secret Service special agent Tate Jarrow writes in a complaint against Lebedev, which was unsealed July 21.

Alleged Ransomware Payment Processing

Murgio, in another complaint unsealed the same day, has also been charged with money laundering and failing to file required "suspicious activity" reports related to ransomware victims claiming that they had used the exchange to pay off cybercriminals in an attempt to regain control of their PCs (see FBI Alert: $18 Million in Ransomware Losses).

Anyone who exchanges bitcoins or other virtual currencies can be subject to U.S. Treasury anti-money-laundering regulations, depending on the amount of money they exchange. Those regulations require the organization to register with the Treasury Department's Financial Crimes Enforcement Network, known as FinCEN, to develop and administer an effective anti-money-laundering program, and to file regular, related reports.

But authorities say the business never registered with FinCEN, nor did it file the mandatory reports documenting suspicious transactions.

"Murgio failed to file any Suspicious Activity Report as required by federal law and regulation with respect to numerous Bitcoin purchases conducted through Coin.mx by individuals who claimed they were being forced to make such purchases by cybercriminals who had gained remote control of their computers and were demanding 'ransom' payments in Bitcoins to relinquish control of those computers," FBI special agent Joel Decapua writes in Murgio's complaint.

The FBI complaint also alleges that Murgio installed Lebedev and others - including the exchange's alleged developer, who authorities have not named - on the board of directors of a credit union that Coin.mx used to process customer transactions. Authorities say that the related payment processing activities were discovered by the National Credit Union Administration, which forced the credit union to cease such processing, after which the suspects found overseas payment processing channels.

According to the FBI complaint, Coin.mx appeared to be working with one or more Russia-based payment processors in what authorities allege was an attempt to cultivate a customer base of Russia-based crooks who wanted to launder their criminal proceeds.

If convicted of all the charges filed against them, Lebedev faces a maximum of 10 years in prison, while Murgio faces up to 35 years in prison.

Do Cases, Suspects Overlap?


Pictured: Joshua Aaron (left), Anthony Murgio (center) and Joshua's wife Alona Aaron in Moscow in July 2015. Source: Instagram

But in a further twist to the case, Bloomberg reports that the hack attack against JPMorgan and the other financial firms may tie not just to the alleged pump-and-dump stock gang, but also the alleged Coin.mx masterminds. That's because Aaron and Murgio are reportedly friends from their time as Florida State University undergraduates more than a decade ago. In fact, just two weeks ago the two men were reportedly pictured together in Moscow in an Instagram photo, posted by Aaron's wife.


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.