This is the story about how someone hacked into JP Morgan Chase, one of the biggest financial institutions in the world. It’s obvious why someone would want to break into a bank right? Well the people who hacked into this bank, did not do it for obvious reasons. The hackers are best described as knaves. Which are tricky, deceitful fellows.
76_ Knaves Out.mp3 was automatically transcribed by Sonix with the latest audio-to-text algorithms. This transcript may contain errors. Sonix is the best audio automated transcription service in 2020. Our automated transcription algorithms works with many of the popular audio file formats.
To build a successful business, you need a good business plan, a carefully thought out step by step guide to launch, develop and expand. You need good people to people you trust and can rely on. But the Internet has changed how people become entrepreneurs. It’s made it easier to find good help and easier to find customers. Digital technology and the Internet have created a whole range of new opportunities for businesses and entrepreneurs. But there’s a flip side to these innovations a darker side. You see, the criminal underworld has also benefited from the explosion of digital technology and the Internet criminals that make business plans to. They build networks and work together to advance their illicit agendas. When greedy criminals set out to execute a business model armed with the powers of the Internet and a hacker or two, they can achieve astounding criminal feats. And the thing is, it’s not easy to catch a cyber criminal hacking is mostly invisible. It’s quite secretive and always done under the cover of the Internet. It’s like the perfect burglary that takes place in pitch black. There’s no trace of the perpetrator on the CCTV camera footage, no fingerprints and no leads with hacking. It’s all digital.
So whatever virtual fingerprints you might have left behind can be covered up, deleted or hidden. This is why so many cybercriminals get away with their crimes. This is a story about a group of very savvy businessmen who made a fortune exploiting people online.
These are true stories from the dark side of the Internet.
I’m Jack reciter, this is Darknet Diaries.
Support for this episode comes from SentinelOne, it’s all too common – a family member or colleague calls asking for help because ransomware infected their computer, they clicked something and now, oops, their entire computer got encrypted. And there’s a ransom note demanding a few hundred dollars in Bitcoin. Now, imagine this. On the scale of an enterprise and with many of its employees working remotely, this is exactly what no one was built to prevent and solve. Stopping a breach is simply too late. Besides the ability to prevent ransomware and even roll back ransomware using patented artificial intelligence, SentinelOne also has a ransomware warranty. SentinelOne protects all versions of Windows and Linux and Mac OS and even cloud workloads in containers and visibility into each of these endpoints is available from an easy to use console, allowing security teams to be more efficient without the need to hire more and more people on top of that. So no one offers threat, hunting, visibility and remote administration tools that no one helps you replace many products with. One, say goodbye to legacy antivirus like Symantec and McAfee. So visit SentinelOne.com to learn more.
In July 2014, Hold Security, a small firm that specializes in external cyber threat intelligence, made an unbelievable discovery. This small firm which supposedly monitors the dark web for hacker activity that may be a threat to their clients, reported to The New York Times, claiming to have found a credential dump containing 4.5 billion usernames and passwords on the Dark Web. Now, four point five billion usernames and passwords is just a crazy amount of credentials. When security filtered out duplicates, they were left with one point two billion credentials. But still, a credential dump that large would be the biggest credential dump ever found. The New York Times ran with this story, but the security community was pretty skeptical. First, everyone wanted to see what was in the dump, but hold security when it revealed this data to anyone. Later hold security announced that for one hundred and twenty dollars fee, they would tell companies whether the dump included credentials from their websites. Huh? So withhold security, claiming they had one of the largest dumps ever and not sharing it with anyone except a few people who paid to search for their own names. It was just a little hard to trust. Alex Holden, the CEO of Whole Security, was interviewed by Forbes. This is what he said.
Let me try to clear up the criticisms here. There are two different pieces to the puzzle. First of all, we have one point two billion credentials that belong to about half a billion email addresses, unique email addresses. And these are the individuals who entrusted their credentials to different Web services websites. And these credentials were stored on those websites, unfortunately, through no wrongdoing on individual side. These this information had been stolen by the hackers. So these individuals are the ultimate victims in this particular crime.
Later, Hold Security released a summary report of the dump. They said the dump was from 420000 different websites that had been breached, some of which were Fortune 500 companies. The report listed some of the companies that were breached and they called the group that stole this data.
Cyberwar, which means cyber thief and Russian 420000 websites, is a huge proportion of the entire World Wide Web.
So at this point, even I think this dump sounds a bit ridiculous to me because it just doesn’t add up. But let’s switch gears for a second.
Imagine you’re part of a security team at the JPMorgan Chase Bank. You work for the biggest bank in the U.S. and the sixth biggest bank in the world. Your bank pretty much dominates the financial sector in terms of investments and banking. Imagine you’re one of JPMorgan Chase’s 250000 employees scattered across one hundred and seventy-one offices in 39 different countries. And imagine you’re part of the team that’s responsible for protecting data in this bank, which has an annual revenue of one hundred and fifteen billion dollars, of which about 10 billion is spent on tech and two hundred and fifty million dollars a year is spent on cybersecurity. There’s about 1000 people working with you in the security team at JPMorgan Chase. No, I’m not sure if any company spends more money on security than JPMorgan Chase, but either way, they aren’t messing around when it comes to protecting their networks. So if you were on the IT security team of JPMorgan Chase and you saw that hold security released a summary report, would you take a look to see which companies had been breached? Of course you do. It doesn’t matter if it’s real or not. Your company is spending every dollar it can to do everything to protect the network. You definitely be looking at this report. You’d be looking at every report that might have anything to do with JPMorgan Chase’s IT security. So that’s just what happened in it.
Security analyst at JPMorgan Chase. Did Reed hold security report in it? Hold security claim? The website for a charity race sponsored by JPMorgan called Corporate Challenge was breached. This site had been used by JPMorgan employees to register for the race. It was hosted by a company called Simko Data Systems. As it happened, Simco Data Systems was also mentioned in the whole security report. It claimed that Simko had been breached, too. Huh? So if JPMorgan Chase employees were registering at that site, then it’s possible their data was stolen. And this caused the IT security analysts at JPMorgan Chase to look into this a little more.
So the security team at JPMorgan Chase contacted Simko Data Systems to investigate the claims made by hold security Simco data dug around their network logs and confirmed that the corporate challenge website was hacked and breached. The hackers had stolen an SSL certificate from the site and the hack was executed through a few IP addresses that had been creeping around the network without any legitimate reason to be there. To text from the JPMorgan Chase office in Columbus, Ohio, went over to Simko Data Systems Office in Michigan to get copies of any forensic data they could find. They wanted to know exactly what had been stolen and understand the indicators of compromised. As the JPMorgan Chase security team was collecting data from Semco, they were using this data, including IP addresses, to search their own logs for any similar activity, they were looking for any trace of a breach in any sign of activity from the IP addresses associated with the Simko data breach. And sure enough, they found the same 11 IP addresses that had been used to execute the Simko breach had also been used to attack JPMorgan Chase. What’s more, some of these attacks against JPMorgan Chase had been successful.
The biggest bank in America had been hacked, and they never even knew what happened.
At this point, JPMorgan Chase contacted the FBI and handed over these IP addresses to the Financial Services Information Sharing Analysis Center. This is an organization that circulates this kind of data to banks and financial institutes so they can check whether they have been breached. Up until this point, JPMorgan Chase had kept this whole situation under wraps while they were working to figure out what was going on. But this kind of breach is a huge deal and they weren’t going to be able to keep quiet about this for long.
We don’t know exactly how the hackers jumped from the charity’s website into the bank’s servers, but I’ve got a few theories. First, it’s possible that the hacker gained access to this corporate challenge charity site. How? Possibly by hacking through code data systems, which was the hosting provider for the corporate challenged charity site. So if the hosting provider got hacked, then the hackers would have access to the back end of all the other websites that hosting provider hosts. So if they got into the corporate challenge website that way they could have access to credentials for all the JPMorgan employees that were registering on the site. And maybe some of those username and passwords were the same usernames and passwords used to log in to JPMorgan Chase’s network. This kind of tactic would likely work because so many people reuse passwords on multiple sites. Any JPMorgan employee who use their JPMorgan network password on another site would have made their network vulnerable for this kind of attack. So that’s one theory. The other is that this hacker crew might have targeted an I.T. admin at JPMorgan Chase through spearfishing or some other attack that got them remote access into the admin’s computer. And if a hacker was able to do that, they’d be able to steal that I.T. admins network credentials and do whatever they want from there.
Either way, what we know is that this hacker group did have a valid log in to a JPMorgan server. And with that, they were able to get past a huge front gates of this super secure JPMorgan Chase network. But once they got past the front gates, they still needed to figure out where to go. It’s as if they broke into a bank but didn’t know where the safe was. They were just wandering through the network and they hadn’t actually gained access to anything valuable yet.
There was an old server that the bank used to manage employee benefits data. It was still running, just not used very often. There’s 250000 employees at JPMorgan Chase and they’re using about a half a million computers in this network. It’s not easy for such a large company to manage half a million computers. And in this case, the employee benefits server had been neglected. It wasn’t updated with the latest security patches and features and it wasn’t set up for Two-Factor authentication, which would have required users to enter a time sensitive token code with their password to get in. The hackers discovered this server on the network and used their stolen credentials to log in. This is a perfect example of when two factor authentication probably would have stopped these hackers from getting any further into the network anyway. Once a skilled hacker establishes access to a network, they’re going to want to create a persistent connection and elevate their privileges. They’ll need a persistent connection in case their connection gets dropped. Then they have a guaranteed way to get back into that server. So the hackers created a backdoor into the JPMorgan Chase network.
This was a point of access that only the hackers would know about, but the security team wouldn’t be able to detect them. Once they did that, they began crawling around the network looking for something in particular, slowly made their way towards the systems they were after. They were good, hiding their tracks, doing things just the right way to avoid setting off alarms and avoid being detected by antivirus scans. For months, these hackers had been creeping around quietly, accessing databases and exporting data to their own servers as they went along. And all the while they were silent and invisible. In all, they breached over 90 of JPMorgan Chase’s servers, which included multiple databases used to store customer information.
This story became public on August 27, 2014, when Michael Riley and Jordan Robertson reported on this hack. In an article in Bloomberg, they revealed that there had been a successful breach at JPMorgan Chase and they said it was the work of Russian hackers. The accusation that this was a nation state attack on U.S. financial infrastructure grabbed the attention of the U.S. financial system.
Could it be that Kremlin sponsored hackers had managed to get inside the networks of JPMorgan Chase, breach layer after layer of security and make off with tons of customer data without JPMorgan Chase knowing anything about it?
It wasn’t until the bank filed a disclosure with the Security Exchange Commission on October 2nd that we learned more details about this hack and it was way worse than anyone thought.
The hackers had access multiple customer databases and stole 83 million personal identifiable records of JPMorgan Chase’s customers. These records were associated with 76 million households and seven million small businesses, pretty much all located in the U.S.. To put that into context, in 2014, there was something like one hundred and twenty seven million U.S. households. So that’s around 60 percent of all U.S. households that got their information stolen from this hack. The idea that Russians were behind this hack and that they were probably state sponsored wasn’t all that surprising. I mean, just a few months before this, the U.S. had put a load of heavy sanctions on Russia’s financial infrastructure. See, in 2014, that was the year when Putin decided he wanted to take the Crimea peninsula from Ukraine. Putin dispatched scores of masked armed soldiers to Crimea and they seized the territory, raising Russian flags, and then went on to take control of the cities and the Supreme Council building. The Supreme Council is sort of like the Crimean parliament. The current PM was booted out and a new one was voted in, although there were some good reasons to doubt the fairness of this election. This was the most blatant land grab in Europe since World War Two. Russia’s invasion of Crimea stirred up a whirlwind of controversy. The U.S. and EU. And, of course, Ukraine strongly condemned Russia’s tactics and said that Putin had violated multiple local and international laws. So the U.S. and EU imposed sanctions against Russia, and these sanctions threatened to tip the already fragile Russian economy into recession. The U.S. and EU intended for these sanctions to force Putin to relent and relinquish control of the Crimean Peninsula back to Ukraine. But Putin wasn’t having any of it. He denounced the U.S. and EU for imposing these sanctions, which he said was just another example of aggressive U.S. foreign policy. And he warned that Russia may retaliate against these actions. So it seemed possible that the hack on JPMorgan Chase was the first volley of Russia’s retaliation.
Here’s a clip from CNN discussing the very idea the FBI is investigating a series of cyber attacks against US banks thought to be coming from Russia. Hackers are believed to have access to sensitive information from several financial institutions, including banking giant JPMorgan Chase. Could this be retaliation for Western sanctions against the Russians? Christine Romans is here with more. Is this retaliation? Well, that’s what the investigation is going to have to really zero in on here, quite frankly, Alisyn, a U.S. official tells us that the location of the hackers still isn’t clear.
But given the sophistication of this, the cyber security community is saying this investigation appears to center and should definitely center on Russia. And the hackers from Russia are often top FBI suspects. And the timing of the hack has raised suspicions given recent U.S. sanctions against Russia. Also still this big question, the motivation still unclear if the attack was financially or politically motivated or if it was some sort of espionage. Banks have very tough security getting through that and getting account information, getting so much information. Definitely not an easy task. Now, in response to this breach, JPMorgan said companies of its size experience cyber attacks every day and the bank has measures to protect itself. And again, the FBI, U.S. officials are investigating just what the cause was of this cyber attack for JPMorgan Chase.
This attack came at the tail end of a really bad year. They lost a heap of staff in the previous months. In 2013, their chief information officer resigned and took a position as the CEO of a payment processor called First Data. And around this time, five other senior staff from JPMorgan Chase also quit. This included the information officer and chief of security for their IT teams. In early 2014, a new chief of security was appointed, James Cummings. He helped to recruit a new information officer, Gregory Rattray. So when this hack was carried out in July 2014, the top IT leadership had only been in place for about six months. Both Cummings and Rattray were former U.S. Air Force, and they were both convinced that this attack was state sponsored and probably executed by Russians. And they thought this hack represented a threat to U.S. national security. I have to wonder, though, whether their military training and experience biased their interpretation of this hack. After all, they would have been used to dealing with state sponsored attacks while in the military.
So it’s not like this hack couldn’t have been what Cummings and Rattray thought it was. But the problem is the FBI’s analysis just didn’t match up with Cummings and retries. The FBI had several specialist units working on this hack. They pulled in their cybercrime unit, the Secret Service and Homeland Security, to investigate this attack and all of. This analysis wasn’t enough to convince the FBI that the hack was executed by a nation state or that there was a clear threat to national security, so that set off this weird political drama over the data that had been stolen from JPMorgan Chase. See, there was this system in place that was supposed to capture any stolen data in a hack like this. Think of it like a CCTV system that you could rewind and watch back if you knew something bad happened. But according to Bloomberg sources, this system didn’t have enough storage at the time of the attack. So even though they collected the data at the time of the attack, they didn’t have it anymore. And on top of that, maybe because of political drama around who committed this hack, JPMorgan Chase didn’t want to hand over the data they did have from the hack to the FBI. Things were starting to get out of hand. And none of this was helping to solve the actual problem that millions of JPMorgan Chase customer records had been compromised.
Two weeks after the hack had been discovered, the assistant director of the FBI’s cyber division, Joseph Demarest, at a conference call with JPMorgan Chase’s CEO, Maxime’s James Cummings and Gregory Rattray, Cummings and Rattray, the Air Force veterans from JPMorgan Chase’s I.T. department were pushing for the hack to be deemed a threat to national security. And if they got their way, the U.S. Department of Justice would excuse them from any obligations to tell their customers about the hack. The idea of this policy is that if a hack is a threat to national security, then it should be kept quiet as possible while it’s being investigated. But in the end, the FBI thought it was more likely that this hack was done by a group of clever and skilled criminal actors rather than a nation sponsored threat. Actor JPMorgan Chase and the FBI reached a truce with JPMorgan Chase, handed over all the data they collected during the hack so the FBI could conduct a thorough investigation.
But, geez, this was a bumpy ride to get there. Jordan Robertson, the journalist from Bloomberg who originally broke the story, talks about what happened between JPMorgan and the FBI.
And one of the questions we set out to answer eight months ago when this breach occurred was why we were hearing such a different story from folks who are familiar with the bank’s investigation, which they said, you know, the Russian government was believed involved versus a law enforcement investigation, which, you know, was indicating a criminal attack. And the answer to that is, yeah, the bank is staffing up on former senior military officials, cyber warriors, and they come to these problems with a very specific mindset about who’s responsible for hacking. And, you know, there’s a fundamental difference between studying attacks on military infrastructure versus studying attacks on the private sector. And the private sector face a lot more for profit criminal activity than the military does. And that really animated the bank’s investigation.
Very interesting on the military approach that’s led to some problems drawing. Right, that you found out, including some clashes internally, but also with the FBI as well, right?
Yeah. You know, what happens is, you know, you hire people who are really great at offensive cyber operations and their great network attackers defending a network as a whole. Another matter and dealing with law enforcement beyond that is is another matter entirely. And what we found was that the bank repeatedly clashed with the FBI and the Secret Service over information sharing at the Secret Service, went so far as to threaten to subpoena the attack data because they believe they were not getting it in a timely fashion. And a senior FBI official had to intervene on his agent’s behalf to to facilitate that information sharing more quickly. So there were clashes, you know, at multiple levels. And a lot of it traces back to this difference in mindset between the military and private sector.
So now the FBI were hunting down these hackers using the IP addresses JPMorgan Chase and Simko data systems had found on it. It was hard for investigators to track this attack because the hackers deleted most of the log files that would have left breadcrumbs revealing their activity in the network. Early in the investigation, it was suggested that the hackers spoke Russian, but I’m not sure whether they had any actual evidence of that.
Now, what about these IP addresses the hackers were using? Well, investigators started tracing these back and found the IPS were from different countries all over the world. The computers that had launched these attacks were located in Russia, Egypt, Czech Republic, South Africa and Brazil. And all of these ships belong to hosting providers who were in the business of renting servers to whoever wanted them. This is a simple way to hide your tracks as an attacker. You don’t want to do all this hacking from your own office or house. You want to rent a server on the other side of the planet and use that to carry out your hacks. So the hackers had rented one server in Egypt, which they used on some of these hacks. And get this, the day after the news broke about JPMorgan Chase, the hackers stopped using that server in Egypt and canceled that account. It seems like whoever was behind this was watching the news and they knew they were about to be hunted while all these in. Asians were going on. There were reports coming out of other financial companies across the US, slowly these reports started to paint a bigger picture. JPMorgan Chase wasn’t the only target. The same hackers had hit multiple other financial institutions by October 2014. Investigators believed the same hackers had hit at least 12 or 13 other financial institutions. But from what I can tell, none of these companies have officially come forward about these breaches. But reports are naming some pretty specific banks, including Fidelity Investments, ADP, HSBC, Citigroup and Bank of the West. They had all found signs that these IP addresses from the JPMorgan Chase hack had also been sniffing around inside their network.
Now, the financial industry was really starting to get worried. Some of the banks only found evidence that the hackers had entered the network and had poked around. But others found signs that stuff was stolen. Here’s journalist Emily Glaser from The Wall Street Journal.
Yes. So right now we know that Fidelity and ETrade are on that list of 13 financial institutions, including Morgan. We had reported earlier yesterday that Citigroup, HSBC, ADP, the payroll processor and regional lender Regions’ Financial were also spotting traffic from alleged hackers linked to JPMorgan. So there is a lot going on here and it’s very fluid. FBI already involved onsite at JPMorgan. We reported Secret Service NSA Benjamin Lawsky, the top new New York financial watchdog, and FDNY, the US attorney based in Manhattan. So there are a lot of regulators and prosecutors either examining or investigating this.
Support for this episode comes from last pass by logging in last pass is a great password manager which can remember all the passwords you have on all your different websites, but it can do so much more than that. Last pass has great enterprise tools, too. Like, for instance, right now a lot of employees are working remote but doing proper authentication for at home. Workers can be hard and that’s where it can help for remote employees. Accessing the corporate VPN last past can help secure this by adding biometric and multifactor authentication. Last past offers offline mode for password management so your employees can gain access no matter where they might be. Last Pass enables remote employees to securely share passwords across teams in order to stay on top of critical projects. Setting up glass pass is intuitive, allowing admins to get up and running in minutes, not days, and enables teams to remain in complete control over which employees are accessing which resources, no matter where they’re working.
To start a free 14 day trial with last past visit, last past dotcom slash darknet. That’s last pass dotcom darknet.
So it’s early 2015, seven months after the hack and the JPMorgan Chase security team is still working on the investigation internally, they were calling it the Rio investigation. They hired outside experts, plus some tech executives to form a control board panel.
The job was to meet every two weeks and figure out just how this hack was going to affect JPMorgan Chase and their customers. And they also needed to make sure these hackers could never get in the systems again. The year all these financial companies got hacked was a pretty big year for large data breaches. Target was breached at the end of 2013 and they had 40 million customer credit card records stolen. eBay was hacked less than six months later in May 2014. Their customer database was breached. In September 2014, while JPMorgan Chase was working on the real investigation, Home Depot discovered they’d been hacked to a heap of credit card. Information from their customer database appeared on the Dark Web. Investigators suspected that the same people were behind both the target and Home Depot hacks, but they still had no idea who those hackers were. And the truth is, many hackers working on the scale don’t ever get caught. But in the middle of 2015, things started to get weird for the real investigation.
On July 21st, the Israeli police made two coordinated arrests in Israel at the request of the FBI. Now, remember that date, July 21st, 2015. It’s going to come up a few other times in the story. So the police arrived unexpectedly at the homes of 31 year old Gary Shalon and 40 year old Ziv Orenstein. They were both arrested and charged with securities fraud, which is basically illegal stock market manipulation. Now, Gary, Shalan, is a bit of a flashy guy. He lives in a six million dollar mansion in the very posh Savion suburb of Tel Aviv. This is kind of like Israel’s version of Beverly Hills where all the celebrities live. His closets were full of expensive, tailored suits and the police found half a million dollars in cash in his house when he was arrested. Ziv Orenstein, who lived in Heffer, about 29 miles away, may have been wealthy, too, but he was more low key.
Both of these guys are Israeli citizens, and in 2009, they established a Web marketing company called Weibo Logic Limited. Gary was the manager of this company, and Ziv wasn’t listed as being involved with Weber Logic, at least on the books. Still, the Wall Street Journal reported that there were 30 odd employees that worked there and they all knew this was really the guy in charge. As part of the securities fraud investigation, the Israeli police seized all electronic devices in both Gary and Civs House and the Web of Logic offices. Now, there was this third guy involved in all this. The Israeli police also raided the house of 31 year old Joshua Samuel Erin at the same time. But when they went to his house, he wasn’t home.
He had been in Russia, but he was supposed to be back in Tel Aviv at the time of the arrest. There was no sign of him at all. So they report back to the FBI that they didn’t get Joshua. And so Joshua becomes a wanted man and get this at the same time that Gary and Xev are arrested in Israel, the FBI coordinated a simultaneous raid in Florida. They arrested Anthony Murgia and Yuri Lebedev for running an illegal Bitcoin exchange called Coingate Max.
So what do these arrests have to do with major U.S. bank hacks? Well, on that same day, July 21st, Preet Bharara, U.S. attorney of the Southern District of New York, unsealed an indictment against Gary Ziv and Joshua Bloomberg News in The New York Times published some wild claims. They reported that a leaked internal FBI memo had linked Joshua, the man on the run from Israel police.
And Anthony, the man arrested in Florida to the JPMorgan Chase hack memo, said there was evidence of Joshua logging into the servers that were used for these hacks on the same day. We also find out exactly what they stole. I mean, these people attempted to get into 12 banks and they successfully got into a few of them. They must have done this for monetary gain. Right. But did they still any money? No. I mean, I can think of a number of ways they could have stolen money. Obviously, a bank the size of JPMorgan Chase has a lot of money in its accounts, and the hackers could have moved some of that money around. OK, but there’s other ways they could have made money to like the Chase Bank gift cards. Imagine if they got into the database of those were prepaid debit cards or they could have manipulated the banks reward point system. Imagine if they set their own accounts to have like a billion reward points and they could convert that to cash and just siphon money out that way. What if they instructed a ton of accounts to buy a certain stock driving up the price? There are a ton of things they could have done while in the banks networks, but all they did was still customer database records. Specifically, they grabbed email addresses of bank customers.
And I just don’t understand that. Why go through all the effort of breaking into the biggest and. I believe the most secure company in America, just to steal 83 million customer records, there’s something more to the story.
So things are pretty confusing at this point, we have three people who were supposed to be arrested in Israel, Gary Ziv and Joshua. They got Gary and Zev, but Joshua wasn’t home. Then at the same time, two people were arrested in Florida, Anthony and Gary. The two Israelis were arrested on charges of securities fraud. And the Florida men were arrested on charges connected with the JPMorgan Chase hack and something to do with a Bitcoin exchange. Finally, some news agencies started reporting on an FBI memo suggesting that all five men were connected with this hack.
So where are they, the hackers, or were they con men? What role did everyone play?
It turns out the feds had started investigating this group shortly after the JPMorgan Chase hack was discovered. The forensic data that the FBI got from JPMorgan Chase had led authorities to Joshua. Somehow they got server logs that pointed them to his IP address, but they didn’t know how involved he was and they were pretty sure he wasn’t in on it alone. So they start digging around his life to see what he was doing and who he was associating with. And that’s how they discovered Anthony Geary and Ziv and these guys were looking pretty suspicious.
So Joshua was the prime suspect who led investigators to the door of the others. And he’s an American citizen. He grew up in Potomac in Maryland.
He enrolled in Florida State University in 2002 and studied business. And there is where he met Anthony Murgia, who was later arrested in Florida while at university. Together, they became pretty good friends and being business students, they wanted to find ways to earn cash while in college. So they set up a money making scheme writing Google ads for affiliate commissions. And they did pretty well at it, too. They had other students working for them and they were making thousands of dollars a month. Not bad for a couple of college kids, actually. Joshua dropped out of his courses in 2005, but he stayed in touch with Anthony.
Now, from there, Anthony’s story actually goes in a wild and crazy adventure. Totally tangent to this one, which is another story worth telling, but it doesn’t quite fit this story. I mean, he was arrested in connection with this story, but Anthony tells me he was only arrested so the feds could get information on Gary because Anthony and Gary started a Bitcoin exchange together called Coin Max, and they purposely hid from financial regulators and even went so far as to take over a credit union to look legit. So the feds swooped in on Anthony for his illegal Bitcoin exchange and because they knew he was working with Gary. OK, so back to Joshua, the man on the run. In 2013, Joshua set up an Internet marketing business with a partner who had a history of defrauding stock markets. Apparently, this guy had been banned for life from the Financial Industry Regulation Authority, from marketing useless stocks, sort of a pump and dump kind of thing. You buy up an unknown stock, try to inflate the price of it, and when it’s at its peak, you dump it and make a massive profit.
But Joshua’s partner got caught doing this and got banned. So after that fell apart, Joshua moved to Israel. And it seems that’s where he met Gary Shalon. And that relationship started by 2014. Joshua and Gary were running their own stock fraud scam with Ziv Orenstein, who was one of Gary’s associates. They had been running that Web biologic business together in Israel. Now, the feds didn’t think it was actually Gary, Joshua or even Ziv that carried out these hacks, but it looked like they were working with whoever did so as the feds investigated Gary Ziv and Joshua, they find these guys are up to their necks in scams and plots and may have been connected to some serious hacking by October 2014. Internally, the feds have totally rejected the idea that these hacks were state sponsored by Russia. No, it wasn’t the Russians. It was this collection of conmen and fraudsters who’ve been operating huge scams under the radar for years.
So let’s take a look at this indictment that was unsealed by Preet Bharara on July 21st, 2015. It was a lawsuit brought by the S.E.C., the Securities and Exchange Commission there, the U.S. federal agency that enforces securities laws.
This lawsuit was brought against Gary Ziv and Joshua for six stock market scams they pulled off over the previous four years. And it included details about how much money they were making off these scams. Let’s take a look at the first one. They were buying stocks in a company called Southern Home Medical Equipment, a U.S. company based in South Carolina that provided health care services across the country. In May 2011, Gary and Joshua bought the company stock at one point seven cents each, not quite two cents per share. And they launched their own marketing campaign for this company, hyping it up, writing articles about how great it was and telling everyone that this company was about to go to the moon.
Gary was the savvy business guy. He knew stocks inside and out, and Joshua was the marketer. He was great at selling anything.
They successfully raised Southern home medical equipment, stock price from just under two cents per share to 33 cents per share before selling off their stocks in the company. Their net value and that stock rose 1800 percent in just six days.
But the problem was that all the marketing they did for this company was made up. They had faked the numbers and the news about this company in order to temporarily inflate the stock price. That’s why this kind of market manipulation is illegal. If you’ve seen the Wolf of Wall Street.
You may recognize this idea because that movie is about a similar kind of scheme by the Securities and Exchange Commission, sent two lawyers down to review our files. So I set them up in a conference room and I had it bugged and the air conditioning turned up so high that it felt like Antarctica. And then, well, they were looking for a smoking gun in that room. I was going to fire off a bazooka and here offering up our latest IPO.
An IPO is an initial public offering. It’s the first time a stock is offered for sale to the general population. That was the firm taking the company public. We set the initial sales price, then sold those shares right back to our friends. Look, I know you’re not following what I’m saying anyway, right? That’s that’s OK. That doesn’t matter. The real question is this. Was all this legal? Absolutely not. But we were making more money and we knew what to do.
Gary, Joshua and Zev were in the business of manipulating the stock market and getting people to buy stocks based on false information. These scams are called pump and dumps because the scammers try to pump up the value to make a quick profit by dumping the stocks at a higher price. And here’s how they did it.
First, they forged documents so that they could present themselves as stockbrokers. So they were already working under false pretenses. Now, stockbrokers are like middlemen between investors and the stock exchanges. They help investors figure out what stock to buy, when to buy them, and they seek out good investment opportunities for their clients. These days, everything is digital and online. So Gary, Joshua and Zev created newsletters, social media accounts and websites to tell investors what shares to buy. These tools gave their investors the impression that if they followed Gary Joshua and gives tips, their money would grow quickly. Sometimes they would fake the data on these articles and predict that a stock was going to rise in value. But they would actually back article to make it seem like all their predictions came true. Their indictments showed that these guys were all using the classic scams. Since May 2011, they hit six micro-cap companies. They targeted one after another with their tried and tested schemes. They hit each of these six companies using the same pump and dump formula. They’d buy the company while the stock was less than five dollars each. And then they’d create a bunch of false hype about these stocks, resulting in a buyer surge that would drastically increase the trading volume and stock price within just a few days. In 2011, they made about four hundred and sixty thousand dollars, doing just three companies. Then they upped their game. In February 2012, they hit a company called Mustang Alliance, which is a mining corporation, and just one week they bought two million shares of Mustang Alliance, increase the share price over sixty five percent, and then sold the shares for a two point two million dollar profit. Altogether, they collected three point five million dollars in just a couple of years running these scams.
But this wasn’t their only racket. Gary was the head of operations and CEO of their company, Weber Logic. He had the final say on all these decisions and he found a couple of stock promoters to bring in on these scams. Their job was to advertise and promote different stocks and shares all day long. And they would go hunting for companies that they knew could easily be promoted to be a pump and dump.
But they did more than that.
So in case you didn’t know, there’s a big difference between being a public and private company basically has to do with who owns the company. A private company is owned by some group of people, usually the founders or management group or private investor. But a public company is a company that has sold some of its shares to the public through a stock exchange. This means that part of the public company is literally owned by members of the public, the people who have purchased shares in the company, and that’s why they’re called shareholders. So private companies can’t sell shares of their company on the stock market. And it’s actually really hard for a private company to become a publicly traded company. It’s a long process that takes years even for legit, fast growing companies. They have to apply and be audited before they can be listed as a publicly traded company. And when that finally happens, they have an event called an initial public offering or IPO. So I see all that because sometimes Gary would find private companies that seemed like they would be easy to falsely promote. He worked out a system to help these companies go public so that he could run his pump and dump scams using their shares.
Over the years, Gary created heaps of shell corporations. These are companies with no staff, no revenue, no office. These corporations only exist on paper. And Gary would go through the long, rigorous process of getting these corporations to go public and be traded on the stock exchange, which might have taken him years. But with publicly trading show called. Operation’s ready to go. Gary was able to approach private companies, pretend to be a legit stock broker, convinced them to do a reverse merger with his Shell corporation and that would fast track that company to be public trading on the stock market. Now, this whole scheme is all upside for Gary. First, he’s going to sell his Shell corporation to some company. This could make him anywhere between a few thousand dollars to a few hundred thousand dollars. And because he created these shell companies, he was able to assign any amount of company shares to himself or his friends like Joshua is. If so, if he did that, then before the actual scam even started, he would already have tons of shares in these companies. So he would sell his Shell corporation to a company. And then that company does a reverse merger with it. And now that company is suddenly a publicly traded company. And he did all this under the guise of being a helpful stockbroker, just here to help them navigate going public.
Then once the reverse mergers were complete and that private company was now publicly trading, Gary’s fake marketing campaign would ramp up and make the stock of that company boom. That’s the pump. And right when the hype was about to fizzle out, Gary and Ziv and Joshua would sell all of their stocks, which they could have had from the very beginning.
And that’s the dump. If Gary was the CEO of the scam operation, Zaev was his ops manager with some it thrown in Xev bought up a heap of domain’s and built stockbroker websites that all looked legit.
And he was the one who maintained all of the different brokerage accounts and the false documents for their schemes. He was the one keeping track of all the moving pieces. Joshua was like the communications and marketing manager. He wrote all the promotional materials that they use to market the companies. And with this systematic approach and with all the pieces ready to move, these scams were really just a matter of bombarding people with marketing and buying and selling stocks at the right times. Now, at this point, you might be wondering how is any of this connected to the breach at JPMorgan Chase? Well, we’re almost there. Bear with me. See, over time, as these guys were marketing stocks, they were starting to do some email marketing. They would send people emails that said amazing opportunity, small cap investment can double your money in weeks. Don’t blow your shot at financial freedom. They would list a stock ticker symbol and make people feel like they had to buy this stock right away. You’ve probably seen these types of emails. I received thousands of them myself. The way they work is at the center of these scam emails just buys a huge list of email addresses and lasts out millions of emails at a time. And that’s what Geary’s crew was doing at first. And that was somewhat successful. But they wanted to take their scam to the next level.
They thought if they could get a list of email addresses of real stock market investors, their spam would be much more effective. I mean, who better to advertise a stock tip to than people who are actively trading on the stock market? Traders are always looking for a hot stock and they might just go ahead and buy some random stock that they saw in a scamming looking email. And that brings us to JPMorgan Chase. It turns out that the whole JPMorgan Chase hack was about getting better leads for Geary’s marketing campaign to make his pump and dump scams more profitable. That’s right. Gary Ziv and Joshua wanted millions of stolen JPMorgan Chase’s customers email addresses just to email them stock tips of all the absurd off the wall, preposterous crimes. This one takes the cake.
Three random scammers orchestrated a hack into the largest bank in the US just to make money on their pump and dump scams. Unbelievable.
But their criminal activity went way beyond stock market manipulation. Stay with us, because after the break, we’ll hear what else they did.
Support for this episode comes from it. Pro TV. If what you hear on this show fascinates you and you want to get more into tech or even it security, but don’t know where to start. Check out it. Provocative slash darknet. And if you use promo code at 25, they’ll give you 65 hours of free training. Now, at this website, they’ll train you to get certified. You can get training for the security plus exam, Cisco, networking certified ethical hacker or even Windows and Linux certifications. Their instructors are brilliant and break down all the stuff so you can easily digest it all. They have over 4000 hours of binge worthy On-Demand training and post new content every day. Courses are conveniently listed by category certification. And Jabrill, you can watch it through your Chromecast, Roku, Amazon, Fire TV, Apple TV, PC or even their mobile app get started today by visiting it. Provocative sites darknet and use promo code darknet twenty five to get sixty five hours of free training. That’s it.
Pro TV Darknet Promo Code Darknet. Twenty five.
On the same day Gary and Z were arrested, July 21st, 2015, an Israeli newspaper reported that another indictment had named them both. But this time it was for a huge illegal online gambling operation, an operation that was supposedly even bigger than the stock fraud scams they’ve been pulling. When this report came out, the online gambling forums just lit up. It turned out that Gary and I were behind the well-known dodgy online casinos, effective and revenue. Yet these are actually groups of casinos owned and operated by companies called Net Ad Management and Miller Limited and had dozens and dozens of online gambling websites for years. The casino sites run by these two companies have been getting called out by the gaming review sites as being scams. The review sites actively warn players not to use Gaines’s online casinos. In fact, in 2010, Casino Maistre gave effective group the Worst Casino Group Award, citing their terrible customer service and failure to pay players their winnings. Now all of these sites, under effective and revenue used gambling software called Rival and RTG for the Games. These are the leading suppliers of casino games and online gambling. Then they leased as gaming software to the independent casinos. So the games on effective and revenue jet were legitimate. Well, games, and that’s how they attract new players to come to their sites to gamble. But to gamble on these sites, you need money to play. And when winners would actually win money. That’s when Gary and Xev would start pulling some shady business.
His casino sites started to develop a reputation for being really unreliable at paying out their players. When a player made a cash out withdrawal request, there were all kinds of delays. Security procedures would make players wait 90 days. Some players waited the 90 days for their money, only to be told their cash out wasn’t valid because they didn’t play at the casino for the last few weeks. Sometimes they wouldn’t pay the whole amount, maybe just a percentage, just to keep the players guessing. But that would be as far as it went off and players would just give up, take the loss and move on to a different site, or they end up gambling away their winnings and playing more games in the casino by avoiding paying out the players. These sites were raking in tons of cash.
Like the JPMorgan Chase hack, this is an absurd scam that doesn’t make any sense to me. An online casino, by its very nature, makes a ton of cash. The odds are always in the casino’s favor to win even without scamming anyone. Maybe you’ve heard the term the house always wins. Yeah, that’s about casinos. They are literally money printing machines for the owners. So why treat the players so poorly? Oh, the nerve of these guys. The greed is just astounding to me, but it gets worse. Just after the arrest, the Net Ad Management Casino’s network collapse just stopped. None of the sites were loading at all. And the executive director of the gambling portal Webmasters Association said that he got a notice that the effective was closing its operations effective immediately. It seems like as soon as the indictments came through, someone pulled the plug on the casinos. Their online casino empire had crumbled overnight.
At that time, Gary and Xev were in custody in Israel and the U.S. was trying to get them extradited to face these stock fraud charges. Joshua was still nowhere to be found, and with his indictment unsealed, his name showed up on the FBI’s most wanted list. But still, we don’t know who actually conducted the hack against JPMorgan Chase and the other 12 financial institutions. Gary Ziv and Joshua were market manipulators, shady businessmen and con artists, but they weren’t hackers. And we know they had the stolen email addresses from the JPMorgan Chase hack.
But how did they get them? Breaking into JPMorgan Chase’s network is not an amateur hacking project.
Whoever did it really knew what they were doing.
But if Gary or Ziv or Joshua weren’t the hackers, then who was?
A year after JPMorgan Chase discovered they’d been hacked, several more financial companies received visits from the FBI informing them that their networks had been breached and they had evidence to prove it. So these companies started to send out letters to their customers. In October 2015, the online discount stockbroker ETrade sent a letter to all their customers explaining that their network had been breached and that customer’s personal information had been compromised. They said their database was breached, which contained 31000 ETrade customers. Data Scottrade, another online stockbroker, revealed that they were also hit by these hacks, but their breach was way bigger. They believe that the personal information of four point six million of their customers had been stolen. Dow Jones sent out letters to now they’re not a financial institution in the way of a bank or broker is, but they’re a big publisher of financial information. They’ve been going for one hundred and thirty seven years. They publish the Wall Street Journal, MarketWatch and Barron’s in October 2015. They inform their customers of a data breach in their letter. They explained that the hackers may have been in the system for three years, but they’d only found evidence of the theft of three thousand five hundred people’s contacts or payment data. There were clues like IP addresses and the malware and the data that was stolen, which made authorities suspect that these hacks were all conducted by the same hackers. A month later, all the evidence came out. On November 10th, 2015, Preet Bharara, the attorney general of the Southern District of New York, unsealed a superseding indictment against Gary Ziv and Joshua. And it was a bombshell. Getting indicted for these stock scams probably seemed bad enough for these guys, but now they were really in trouble.
Ah, good afternoon. My name is Preet Bharara and I’m the United States attorney for the Southern District of New York. Today, we announce criminal charges in one of the largest cyber cyber hacking schemes ever uncovered. The charges involve cyber intrusions over several years, targeting 12 different companies, seven financial institutions, to financial news publications, to software development firms and a market risk intelligence company. By any measure, the data breaches at these firms were breathtaking in scope and in size. The defendants allegedly stole personal information for over one hundred million customers, including eighty three million customers from one bank alone, the single largest theft of customer data from a US financial institution ever. That bank was JP Morgan Chase, as it has disclosed itself. To hide their tracks, the defendants allegedly operated their criminal schemes through over seventy five shell companies and used close to twenty two hundred I’m sorry, ID documents fraudulently, including 30 false passports from 17 different companies. The good news is that the FBI and the Secret Service have cracked this case and we aim to prove it in court.
At this point, the evidence of the case was getting massive. These guys have been running an international cybercrime enterprise. The new indictment accused them of 23 counts, which included computer fraud, hacking, wire fraud, securities fraud, money laundering, identity theft. It just went on and on. This one group had been running this whole system of interconnected illegal schemes.
Scam on top of scam on top of scam. They were making hundreds of millions of dollars. What the feds had uncovered here was huge.
The scale of this is just incredible. I mean, it’s really crazy. But let’s stop for a minute and talk about the money. That’s what Gary was doing all this for, right? Well, he was living the high life in his Tel Aviv mansion, passing himself off as a really successful businessman. And I guess that in a certain sense, he was a successful businessman and he did have some legitimate business interests and investments that earned him good money. But to live the kind of lifestyle he wanted, I guess he felt like he needed to keep chasing the next big payday. Anyway, all these scams, the online casino stock fraud, the hacks they were making Gary Ziv and Joshua, hundreds of millions of dollars. And they couldn’t just throw all that into a bank account that definitely would have attracted some unwanted attention. Banks are required to report deposits of a certain size. And I’m sure that if Gary Ziv and Joshua had deposited their hundreds of millions of dollars, they would have triggered some sort of reporting policy. So they needed a solution, a way to launder the money, convert their money from illicit and unusable to clean and spendable. And they came up with a couple of ways to do it.
Remember those Shell corporations that Gary was using to do reverse mergers with private companies for their stock scam? Well, this also came in handy for laundering a lot of money they were making. Gary and Ziv were moving money around left, right and center, and they were transferring millions of dollars from their casino businesses to bank accounts in Cyprus and then shifting it all around through all the shell companies. They had their money laundering down to a science. All they had to do was fill their shell companies ledgers with transactions for goods and services that they had supposedly been providing their customers. They could then use this dirty money to pay themselves for those made up goods and services. That way it would look like this money was just shell companies invoicing it and paying out legitimate customers. This left the shell companies with loads of money in their accounts and a nice audit trail that made everything look more legit. And at the end they had clean money.
Gary had seventy five different shell companies. He, Ziv and Joshua had multiple bank accounts and brokerage accounts in countries all over the world. Obviously, none of them were set up in their own names. All three of these guys had aliases they would use.
They had 30 different fake passports from across 70 different countries, keeping track of all these companies and accounts and the false documents and the different names, that must have been a full time operation.
Just doing that. It’s pretty impressive how they were able to manage all these moving pieces before they got caught. It probably seemed like it was worth all this work.
In 2011, the same year he started the pump and dump scams, Gary created two online payment processing companies called ADP and two tours. You can think of these as more like shady versions of PayPal. Gary, use these payment processors to let his players deposit money into gaming accounts and his online casinos. These sites where the intermediaries between the players, bank accounts and the casinos, bank accounts, each transaction would go through these payment processors. But Gary had to hide that money because it wasn’t legal to turn that money into money he could actually use. He needed to make it look like it came from a legal source, Gary. And they’ve opened multiple bank accounts in different countries using fake IDs and fake documentation. They would send transactions made through ID pay into law, into these accounts around the world. No credit card companies are not allowed to process payments that they believe might have come from illegal activity. So Gary and Anzu would code their transactions to make them look like simple online purchases from everyday retail websites like pet stores, wedding outlets. If they could find banking officials in the countries they were depositing their money, they would bribe them to turn a blind eye. Basically, they did anything they could to prevent anyone from catching on to their operations. Of course, the players that Gary’s online casinos had no clue what was going on in the background.
Everything probably just seemed normal from their perspective. And Gary had a bunch of like minded friends, other criminals who needed to launder money just as much as Gary did. And he was friends with people selling fake pharmaceuticals, malware and fake antivirus software. Whatever their business, if they wanted to collect payments via credit card, they needed a shady payment processor and they would use Gary’s ID. And to talk, of course, just like any payment processor, Gary would take a nice cut of each transaction. But sometimes the credit card companies did get suspicious. When that happened, the credit card companies would start processing Gary’s transactions and issue fines and penalties to whichever financial institution Gary got caught using. Gary would just pay these off and carry on where he could. It was just a minor inconvenience, a cost of doing business. If they got questioned about this, they’d all be shocked and surprised, as if they had no idea the transactions were for illegal goods and activities. If a bank got suspicious and closed one of Gary’s accounts, he’d just find a new bank and open a new account. And it became a pretty constant process of finding new accounts and coming up with fake merchants to use for transactions to make them look legit. It was all very shady, but it was working.
In 2012, Gary did another astonishing move. There was this company called G2 Web Services. This is sort of a watchdog company that monitors payment processors to make sure they’re above board and not fraudulent. Basically, the stuff Ajita will go and do a test payment processors to make sure they’re trustworthy. Well, Gary was using it in to door to process a lot of payments for his illegal activities. And he didn’t want to to flag his payment processor as fraudulent. So he hired a hacker to break into two and get a list of credit cards that were used in test payment transactions. Then Gary would just block those credit card numbers from being used at ADP and two doors so that nobody, G2 could even test the payment processing on his websites.
The Audacity. I’ve never heard of a hack like this to hack into a watchdog company just to make sure that they don’t talk bad about you and to block them. It’s just ridiculous.
In July 2013, two years after Gary first created IDP in Utah, Brian Krebs published a report about potentially suspicious activity being conducted at I’d Pay. A source had found IDP’s customer database and discovered a bunch of fake antivirus sites were using this payment processor. These websites had addresses like Spy, Blocher, Dotcom, Malware, Defendor, Dotcom, Personal Garden.com and so many more of 50 domains. Krebs investigated IDP and he couldn’t find anything about them. There were no records of this company existing at all. So he concluded that these websites were installing fake malware on the victim’s computers and then asked the victim to pay to get the virus removed. And these sites were using ID because a legitimate processor would never process sketchy transactions like this. If this is what was going on, then I guess we can add this bogus antivirus payment processing scam to the list of growing crimes that were committed by Gary and his friends. One site on the list of IDP’s customers was our partners, Dotcom. This was known to be an illegal pharmacy affiliate program. Hackers and spammers would sign up and earn cash for promoting illegal pharmacies in 2013. Not many people knew about Gary and his massive empire of hacking and scamming, and they didn’t know he was the one behind it. Well, Gary was focusing on making sure antifraud companies like Jitu Web Services weren’t on him. He didn’t realize that the feds were on to him. How did the feds get on Gary’s trail?
Well, a month before he was arrested, an undercover federal agent went on to one of his casinos websites and deposited some money using his credit card to make a bet when he checked his credit card statement. He found the transaction had been recorded as a payment to house for pets dotcom, which wasn’t even a real website. This was the first thing that tipped off the feds. And from there, they quickly found a lot of evidence leading to Gary Ziv and Joshua. It was the hack on JPMorgan Chase that really brought down Gary’s empire. If you remember, the hackers successfully broke into the JPMorgan Chase network and stole 86 million records and got out without raising a single alert. JPMorgan Chase had no idea they were breached and that was by design. The hackers were extremely careful not to raise any red flags. The only reason JPMorgan Chase ever found out that they’d been breached was when they read that whole security report and found that Simko data was breached. And the evidence from that breach is how JPMorgan Chase figured out they were breached. JPMorgan Chase was never supposed to find out that they were breached. So once it came out that JPMorgan Chase did know that they were breached, it was time for the hackers to start covering their tracks. Remember the canceled Egyptian server rental? Yeah, they knew they were getting rumbled. But again, JPMorgan Chase wasn’t their first hack. They already got away with hacking. Six other U.S. financial companies on the same day of the big 23 count indictment was unsealed.
A third indictment was unsealed also in Atlanta. This indictment was focused on the hacks and it tells us exactly how they happened.
The feds had confirmed that it was Gary pulling the strings on all these hacks, and they knew Joshua helped him out. But they also knew that neither Gary nor Joshua were hackers capable of doing this.
So the indictment brought charges against Gary, Joshua and an unidentified suspect, a John Doe, the mystery hacker. OK, so with this indictment, we learn about how the hacker got into E-Trade and Scottrade, at first the hacker got a regular login to ETrade and poked around as just a normal user looking for vulnerabilities on the site. I’m not sure what he found, but on that same day, three of E-Trade developers servers got accessed by the hackers, but nothing was stolen at that time. Almost a whole year passes. Then Gary tells the hacker the plan to steal customer data from the databases and gives the hacker servers around the world to use servers in South Africa, Romania and the Czech Republic. These were not bulletproof servers which were untouchable by the feds. But Gary told the hacker they were registered anonymously. So with the hacker ready the infrastructure in place and the plan figured out, Scottrade was the first of the two to be hacked.
On September 8th, 2013, Geary’s hacker reported that he’d hit a wall of Scottrade, had antivirus in place, and he could only get access to one employee’s computer without raising alarms. But this employee had no admin rights, so this slowed down the hacker. And for the next two months, he tried and failed to gain access. But on November 22nd, the hacker asked Gary to get him a Scottrade user account, hoping he could use it to breach Scottrade systems. So Joshua and Gary provided the hacker with a regular user login. And from there, the hacker was able to find vulnerabilities in the site and exploit them to get access to Scottrade servers. The next day, he was searching through Scottrade networks for customer databases, and he found them. He looked through a few of the records in the database and he saw customer names, phone numbers and e-mail addresses.
Bingo. This is what he was looking for. He did a quick count to see how many records were in the database. There were six million customer details. Gary was very excited about this discovery. And of course, he wanted the email addresses of this database. The hacker took one more look around the database server and he noticed he wasn’t in there alone. A database admin was also logged into the customer database and actively running commands. Hacker got nervous. He needed to download these six million records. He was right there in front of it, but he wanted to do it in secrecy so that nobody would ever know he was there. And he was nervous that if he downloaded the data while the other admin was there, he might draw unwanted attention. He couldn’t afford for that admin to notice that something fishy was going on. And at the same time, he didn’t want the admin to notice he was there and kick him out. So he waited nervously until that admin logged out.
Then he quickly copied six million customer records to a server that the hacker controlled, covered his tracks and disconnected from Scott Trades Network. The hacker gave Gary the password and location of the stolen database.
On November 25th, Gary sent the hacker a report of the customer data that was stolen from Scottrade. The database included information of four million Scottrade customers. 100000 of them were residents of Georgia. The hacker then added more, around 200000 to 300000 bank customers of Scottrade. Two days later, he breached more databases and added more data to the server. On November 27th, Gary’s hacker reported that he now had six million records from Scottrade.
They didn’t waste any time before going to E-Trade. The very next day, the hacker breached E trade server using a brute force attack to gain access to a video teleconferencing server on their network. And of course, once he got in, he got himself persistence and elevated his privileges. He installed a backdoor into the servers and started looking around the network for database servers. Four days later, the hacker breached another server on E Trades Network and installed a reverse shell on it.
Four days after that, he gained access to three more internal servers and a core admin platform. This was the mother lode.
These servers contained all of the customer data for E-Trade customers. The hacker began copying all the data stored on these servers.
The reverse shell he had set up was exporting data for days after that, Geary’s hacker would eventually steal fifteen million customer records from E!
Trades Network, and once he stole them, he would send them straight to Gary. By December 16th, one of Gary’s associates had cleaned up and merged all the stolen customer records from E-Trade and Scottrade into an enormous database. This was the customer information. Gary wanted a vast database containing the contact details of millions of potential investors, people who he knows are already investors. Over the course of four months, Gary’s hacker had been going in and out of multiple servers on both E-Trade and Scottrade internal networks, and he hadn’t set off any alarms. No security scans picked up on his activity. But at some point, ETrade began to suspect their systems had been breached. They launched an internal investigation and they got law enforcement involved, but nothing came of it.
They couldn’t find any evidence that data was stolen. There were no logs that somebody copied the data because the. He hid his tracks so he wouldn’t get detected, E-Trade concluded that if they had been breached, then the perpetrator had hidden their tracks really well. So the investigation just kind of stalled out. But they were right. Someone had been in the systems and it was Gary’s mysterious hacker as E-Trade and Scottrade were being hacked.
Gary’s online casinos were making considerable money. He was running at least 12 different casinos in October 2013. They made him 78 million dollars. Gary and Zev had two hundred and seventy employees in Ukraine and Hungary working in call centers to help keep these casinos running. And they were responding to queries and trying to help keep players happy. But they were also giving the runaround to players who are trying to cash out their money.
Gary needed to draw as many players to their casino as possible, more people playing and the more people they could scam out of their winnings.
So the help that bit along, Gary called in his hacker. When people want to do some online gambling, they typically start with a Google search and visit the first few gambling websites that show up. They think, oh, this casino is the first resort in Google, so it must be popular and trustworthy. Knowing this, Gary started trying to get his hacker to find ways to improve the casino’s search ranking on Google. Now, there’s a whole lot that goes into search ranking. It’s called SEO search engine optimization. And what actually determines the ranking on Google Search is a little bit mysterious. They use an algorithm of some kind. But in the ACA world, it’s generally believed that to boost the site’s ranking, you need more links to that website. So much of SEO is based on the idea that the more websites in the Internet, the post links to your site means that your site becomes more popular in the search rankings.
So Gary knew this. I wanted more links to his casinos and used a secret ingredient to get that.
Want to take a guess on what that was? The secret ingredient is crime. He asked the hacker for help and the hacker got the work to try to find a way to make tons of links to Gary’s online casinos. And after a bit of searching, he started hacking into dormant gambling related WordPress blogs, talking like thousands of them here, blogs that hadn’t been updated in ages and whoever owned them lost interest in it. All their plug ins were out of date. The software hadn’t been updated and well, yeah, there were vulnerable to being hacked. So the hacker exploited a lot of these old WordPress blogs and he created tons of links to the casino’s websites. Compare this to hacking into banks. It was pretty easy once he finished these sites, a new post mentioning Gary’s casinos and how they were absolutely the best place to gamble on. And when these blogs got indexed by Google, these new posts make Gary’s casinos rise up in the ranking and become more popular. Now, whenever users searched Google for keywords like Best Online Casino or where to play online casino games, these ancient blogs were starting to pop up with fresh results. And people always click on the first couple of results. That’s just how it is. So people clicked on these old blogs. They saw tons of glowing reviews of Gary’s casinos, and this hijacking of neglected blogs drove enormous amounts of traffic straight to Gary’s online gambling sites.
And that wasn’t all. He like to be in control and know exactly what was going on. So he paid this hacker to visit his competitors websites. He would have the hacker take down any competing gambling site he got annoyed at. The hacker would use a botnet to launch a huge denial of service attack on competitor casinos, interrupting service for those casino players. And of course, when gamblers can’t get into their favorite gambling site, they might go looking for a different site to gamble on. So the attacks that Gary was conducting could actually drive players to his casino, to then Gary would find out what software the competitor casinos were using and then asked the hacker to gain access to that software company to monitor what rival casinos were saying and doing. He also hacked into email accounts of executives at the companies that made online gambling software used by many casinos to Gary in on deals that executives were making with each online casino. This allowed him to stay a step ahead of his competitors. If anything was going on that might compromise one of his casinos, you would have an early warning. Gary was used to getting what he wanted, and he was quite happy to use sneaky, underhanded tactics to get his way. He was getting away with everything until it all caught up with him on July 2015 when Gary and they’ve got arrested by the Israeli police. Once the indictment was announced on November, everything went well, a little bit quiet.
The feds and prosecutors were working to prepare their cases. The first thing they were going to do was get Gary and Zev extradited to the U.S. This was a pretty long process, which took about a year. In June 2016. They were both extradited to New York and found themselves in a Manhattan prison. On June 9th, they appeared in Manhattan Federal Court. Both Gary and Zev pleaded not guilty to the long list of charges against them.
But there was still one guy out there, Joshua. Joshua was still somewhere in the wild and the FBI was. Searching everywhere for him, they suspected that he was hiding out in Russia and it made it pretty complicated to look for him there, but then Joshua just solved that problem for them. It turned out Joshua was in Moscow all along. And on December 14th, 2016, his attorney called the feds and said Joshua is going to turn himself in and is flying into the JFK Airport in New York.
And so Joshua did.
He flew to New York and was arrested on the spot.
You see, Joshua got himself in a bit of trouble with the Russians.
He had flown into Russia via Ukraine on May 23, 2015, and had been staying in an apartment in Moscow in May 2016. Right. As Gary and Zib were about to be extradited from Israel to the U.S., Joshua was arrested by the Russian immigration police. They turned up at his apartment for a surprise spot check on his visa documents for Joshua to maintain his visa. He was supposed to fly out of the country and then come back every six months. And he hadn’t been doing that because he was hiding out from the FBI. So the Russian immigration police put him in jail on May 20th. A Russian judge find him an equivalent of 80 dollars and ordered him to leave Russia. So Joshua had to leave Russia, but he wasn’t interested in going to the U.S. and getting arrested by the FBI.
So he applied for refugee status so that he could stay in Russia.
So while he was waiting on his refugee status at an immigration office in Moscow, he talked to his lawyers and they changed his mind. They convinced him that it was better for him to come to the U.S. and face charges than to continue hiding out in Russia. But strangely enough, when Russia found out Joshua was wanted by the FBI, they offered him asylum.
They probably thought he would be useful for some sort of political or diplomatic leverage. Joshua had already made up his mind, though, so he turned down the offer of asylum. But Russian immigration was no hesitant about letting him leave.
So he was stuck in the immigration center while his lawyers were negotiating with Russians and the feds, both of which wanted Joshua in their custody.
At this point, after about six months of this in December 2016, everyone agreed and Joshua got on the flight to New York and was arrested.
By the time Joshua gave himself up, Gary had been in prison for almost two years. Gary pled not guilty and was looking at a lengthy court trial. Garrett was the mastermind behind all these schemes. He had the valuable knowledge and connections with the underground criminals. Plus, he probably knew some stuff about Russian cybercrime networks. The feds recognize that Gary could be really valuable to them. So they offered him some plea deals. They offered to release him if he agreed to plead guilty to all the crimes he did, if he became an informant. On May 22nd, 2017, a big daily newspaper in Israel, the calculus reported that Gary had agreed to pay U.S. authorities 403 million dollars in cash under forfeiture. His plea deal also meant that three criminal proceedings against him, plus an SEC civil lawsuit were all dropped.
Now, four hundred and three million dollars sounds like a lot, but the feds estimated he had earned over two billion dollars. So Gary probably was walking away with some extra cash left in his pockets. But giving up his cash meant that he had to tell the feds where the money was. And, wow, he had a lot of cash stashed all around the world. He had 81 different bank accounts around the world. Many of them were in Switzerland and some of these accounts had over 100 million dollars in them. There were accounts in Cyprus, Georgia, Virgin Islands, Luxembourg, Latvia. They were everywhere. On top of that, he had stashes of cash and jewelry worth millions and a six million dollar house. Carrie’s plea deal wasn’t straightforward. According to the culturalist, it took six different law firms to negotiate it. Five of these law firms were in the U.S. and one was in Israel. So while Gary agreed to pay hundreds of million dollars of his illegal profits to get out of prison, he had to give the feds more than money.
And it seems like he gave up a hacker, a 38 year old Russian man named Peter Leavis. Qof Peter was from St. Petersburg and he’s the one who built the Chelios botnet, which infected 100000 computers. This botnet was built to send massive amounts of spam emails, but the Chelios botnet was also available for hire. Anyone could use it to send tons of spam themselves, and Gary was definitely sending a lot of spam. Peter was arrested on April nine, 2017, while on holiday with his family in Barcelona, Spain. He was accused of running the Chelios botnet and pleaded guilty of it in Connecticut in September. Twenty eighteen. The counts against him included the distribution of fake spam emails promoting counterfeit pharmaceuticals and other frauds, including pump and dump stock schemes he’s still awaiting. Sentencing, it’s not clear what Gary told feds about Peter, whether he just straight up ratted Peter out or what happened there. But the question everyone had was, hey, this Peter guy, is that Gary’s mystery hacker? At first I thought it was, but no, he wasn’t. Peter wasn’t Gary’s hacker. That was someone else entirely. In December 2017. Law enforcement flew into the airport of Georgia, an Eastern European country.
They were there at the request of the U.S. authorities and they went to the Capitol to arrest 35 year old Andrei Turon. Andre is a Russian citizen, but the U.S. had been tracking him and knew he was flying into Georgia from Moscow and they wanted him in custody before he could disappear. Andre was a well-known high level Russian hacker. The feds believed he was the hacker working with Gary in his empire of scams. And they spent the last two years trying to track him down and detain him. Once in custody in Georgia, the feds set out to get him extradited to the U.S.. Now, Russia does not like giving up attackers, but there’s not much they can do when it’s outside their country. So that’s why the U.S. arrested him in Georgia, because you can get him extradited out of Georgia. Now, some Russian hackers have a double motive for hacking. They work on a freelance basis, taking jobs from whoever is willing to pay their fee. But they may also be looking to pass any juicy information they find to the Russian government or anyone else who’s willing to pay for this information. So regardless of who’s paying for the hack, the hacker is always the first person to get their eyes on the data. Sure, the hacker will upload a copy to whoever hired them, but there’s nothing stopping them from uploading a copy to someone else, too. Although the FBI had ruled out the possibility that the JPMorgan Chase hack was executed by the Russian government. U.S. intelligence had apparently found some evidence to suggest Andrei was getting some protection from the FSB, Russia’s intelligence agency.
It hasn’t been confirmed, but some evidence suggests that the FSB tried to recruit Andrei while other bits of evidence suggest he may have had a bigger role in the operation run by FSB. Either way, it took almost a year for feds to get through the red tape and bring Andre onto U.S. soil and book him into a federal prison.
Now, a quick aside about U.S. attorneys. This case was being handled in the southern district of New York, and Preet Bharara was the U.S. attorney for that district. So when the U.S. government brings this case to trial, a federally appointed attorney handles the case. But when Trump was elected president, he had Jeff Sessions ordered all 46 U.S. attorneys from Obama’s administration to resign. Preet Bharara had met with Trump a few days earlier and did not get the impression that he was being fired. So Freep refused to resign. But Trump fired him. The next day, the Trump administration appointed Jeffrey Berman as the new U.S. attorney for the Southern District of New York. So on September seven, 2013, Jeffrey Berman announced that Andre had been extradited from Georgia to New York. And this was a massive win for the feds, getting an indicted Russian hacker extradited into the U.S. for cyber crimes. It’s not something that happens very often. Oh, and as for the U.S. attorney for the Southern District of New York, Jeffrey Berman, Trump fired him, too. I guess Trump didn’t like that. Berman was investigating Rudy Giuliani, Trump’s personal attorney, regarding some suspected criminal activity. So Trump put G. Clayton in place to be the current U.S. attorney for the Southern District of New York. Clinton has never been a federal prosecutor before, but he was the chairman of the Securities and Exchange Commission. So this case has now passed through the hands of three different U.S. attorneys for the Southern District of New York. Andre was charged with 10 counts, including computer hacking, conspiracy, wire fraud and identity theft, all relating to Geary’s enterprises the same day they got him into New York. He was put in front of a judge to state his plea of not guilty. Andre wouldn’t admit to anything. On September 25th, there was an initial pre-trial conference hearing. The prosecution presented their evidence to Andre through a Russian interpreter.
The evidence against him, which was mostly in Russian, was pretty damning. They had almost three thousand five hundred pages of online chats between Andre and Gary, all discussing the hacks and scams. The evidence took up nearly two terabytes of storage, and they also had evidence from devices seized from Gary and Ziv when they were arrested in Israel, which all pointed to Andre being involved in this. They had the data from the hacked companies, too, like logs and records from the hack, and that resulted in another few terabytes of data which was not looking good for Andre. The data from the JPMorgan Chase hack was over three terabytes just on its own. The prosecution and defense had to agree on a way to deal with all this digital evidence. I mean, you can’t just print all that out. It’s just too much information. And it’s not like it’s just some long text document. Lots of this evidence was complex technical data. Prosecutors and defense attorneys aren’t computer experts. So they needed to get all this data into a format that they understood that could be used in the court case like this. So the prosecution and defense work together to figure out how they were going to do that. And what followed was a long line of adjourned court dates and pretrial hearings for a full year. Nothing moved in terms of court appearances.
And then suddenly Andre’s case ended in one day.
On September twenty third, twenty nineteen, Andre submitted a change of plea. He was now pleading guilty. Andre admitted to conspiracy to commit computer hacking, wire fraud, unlawful Internet gambling conspiracies and conspiracy to commit wire fraud and bank fraud.
So in pleading guilty to these four counts against him, he was admitting to hacking eight different U.S. financial institutions between June 2012 and August 2014. These include JPMorgan Chase, Fidelity, Dow Jones, E-Trade and Scottrade. Publicly, at least, Andre’s conviction was the first in this entire case. His lawyer said that Andray was hired by the masterminds of the schemes to hack these computer networks under their instructions because he pleaded guilty. There will be no trial for Andre, but he is looking at a lengthy prison sentence. A sentencing date, just like his hearings, have been repeatedly adjourned and is currently awaiting sentencing. Gary is believed to be out of prison and living somewhere in the U.S. until his forfeiture is completely paid. He’s not allowed to fly out of the country. Information about his court hearings or progress on his remaining charges are hard to come by. I mean, if Gary is an informant, then that means that a lot of his court documents are going to be sealed and a lot of his court documents are sealed. So it’s just one of those things I don’t have a visual into. Xev, though, has been convicted of something he is currently waiting to be sentenced. The fact that he hasn’t been in any news about any of these cases could mean that all three are cooperating with U.S. authorities. It’s possible that they are providing information in exchange for leniency in their own cases.
But unless their cases are unsealed, we might not ever find out. Altogether, these schemes made a colossal amount of money. It really was sprawling, interconnected network of scams, building on top of each other, scaling up, leveling up and expanding outward. The whole story is full of surprises. And by the end, it’s mind bogglingly complex. A web of illegal schemes, hacking, fraud, money laundering carried out by some shady businessmen and con men joining forces with a hacker, just as the schemes themselves were large scale. So, too, was the network of people and resources Gary had built to operate at all. The story has it all the villains, the hacks, the underground illegal acts, and finally, a hammer of justice that brings it all crashing down.
The hack into JPMorgan Chase wasn’t random. A one off attack, it was done by someone who seemed to have an insatiable appetite for more, more hacking, more data, more scams, more money. Sure, there’s an element of glamour to Gary Shalon story, the money, the fancy watches the mansion, but there’s also an element of desperation. I mean, what was the point of all this besides just wanting more? How many hundreds of millions of dollars more did he need? From my point of view, it’s like none of these schemes seemed big enough for him. No amount of money seems satisfying enough. And at the end, it kind of seems like it was all an endless desire that eventually led to the destruction of Gary’s Schilens empire.
If you love Darknet diaries, stories from the dark side of the Internet, then support it, go to Patriot dot com, slash darknet diaries and join the group of the most amazing people, the people who keep my network running. I talked with one patron member the other day and he told me he drove for eight hours while listening to the show. What’s funny is he only had to go to the store to get some bread, but the show was so addicting that he kept driving around just to listen. If that’s the kind of listener you are, then consider giving back to the show by supporting it at Patreon. Dotcom Darknet Diaries joined today and I’ll grant you special access to bonus content and an ad free feed. Thank you.
This show is made by me, the spider buyer Jack Reciter. This episode is written by the crime traveler Fiona Guy. Sound design and original music was created by the graphical interface. Andrew Meriweather editing help this episode by the window gazing Damián. Our theme music is by the sound system brake master cylinder.
And even though back in my day we didn’t have USB, we only had USA. This is Darknet Diaries.
Automatically convert your audio files to text with Sonix. Sonix is the best online, automated transcription service.
Create and share better audio content with Sonix. Sometimes you don’t have super fancy audio recording equipment around; here’s how you can record better audio on your phone. Manual audio transcription is tedious and expensive. Here are five reasons you should transcribe your podcast with Sonix. More computing power makes audio-to-text faster and more efficient. Automated transcription is much more accurate if you upload high quality audio. Here’s how to capture high quality audio. Better audio means a higher transcript accuracy rate. Are you a podcaster looking for automated transcription? Sonix can help you better transcribe your podcast episodes.