Episode Show Notes

							
			

[START OF RECORDING] JACK: To build a successful business, you need a good business plan; a carefully thought-out, step-by-step guide to launch, develop, and expand. You need good people too, people you trust and can rely on. But the internet has changed how people become entrepreneurs. It’s made it easier to find good help and easier to find customers. Digital technology and the internet have created a whole range of new opportunities for businesses and entrepreneurs. But there’s a flip-side to these innovations, a darker side. You see, the criminal underworld has also benefited from the explosion of digital technology and the internet. Criminals make business plans, too. They build networks and work together to advance their elicit agendas. When greedy criminals set out to execute a business model armed with the powers of the internet and a hacker or two, they can achieve astounding criminal feats. The thing is, it’s not easy to catch a cyber-criminal. Hacking is mostly invisible. It’s quiet, secretive, and always done under the cover of the internet. It’s like the perfect burglary that takes place in pitch black. There’s no trace of the perpetrator on the CCTV camera footage, no fingerprints, and no leads. With hacking, it’s all digital. Whatever virtual fingerprints you might have left behind can be covered up, deleted, or hidden. This is why so many cyber-criminals get away with their crimes. This is a story about a group of very savvy businessmen who made a fortune exploiting people online.

(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: In July 2014, Hold Security, a small firm that specializes in external cyber-threat intelligence made an unbelievable discovery. This small firm which supposedly monitors the darkweb for hacker activity that may be a threat to their clients, reported to the New York Times claiming to have found a credential dump containing 4.5 billion usernames and passwords on the darkweb. Now, 4.5 billion usernames and passwords is just a crazy amount of credentials. When Hold Security filtered out duplicates, they were left with 1.2 billion credentials. But still, a credential dump that large would be the biggest credential dump ever found.

The New York Times ran with this story but the security community was pretty skeptical. First, everyone wanted to see what was in the dump but Hold Security wouldn’t reveal this data to anyone. Later, Hold Security announced that for a $120 fee, they would tell companies whether the dump included credentials from their websites. Huh. With Hold Security claiming they had one of the largest dumps ever and not sharing it with anyone except a few people who paid to search for their own names, it was just a little hard to trust. Alex Holden, the CEO of Hold Security, was interviewed by Forbes. This is what he said.

ALEX: …had come with me. I tried to clear up the criticisms here. There are two different pieces to this puzzle. First of all, we have 1.2 billion credentials that belong to about half a billion e-mail addresses, unique e-mail addresses. These are the individuals who entrusted their credentials to different web services’ websites. These credentials were stored on those websites. Unfortunately through no wrongdoing on the individual side, these – this information had been stolen by the hackers. These individuals are the ultimate victims in this particular crime.

JACK: Later, Hold Security released a summary report of the dump. They said the dump was from 420,000 different websites that had been breached, some of which were Fortune 500 companies. The report listed some of the companies that were breached and they called the group that stole this data CyberVor which means ‘cyber-thief’ in Russian. [MUSIC] 420,000 websites is a huge proportion of the entire world wide web. At this point, even I think this dump sounds a bit ridiculous to me ‘cause it just doesn’t add up. But let’s switch gears for a second. Imagine you are part of a IT security team at the JPMorgan Chase Bank. You work for the biggest bank in the US and the sixth-biggest bank in the world. Your bank pretty much dominates the financial sector in terms of investments and banking. Imagine you’re one of JPMorgan Chase’s 250,000 employees scattered across 171 offices in 39 different countries.

Imagine you’re part of the team that’s responsible for [00:05:00] protecting data in this bank which has an annual revenue of 115 billion dollars, of which about ten billion is spent on tech and 250 million dollars a year is spent on cyber-security. There’s about 1,000 people working with you in the IT security team at JPMorgan Chase. Now, I’m not sure if any company spends more money on security than JPMorgan Chase. But either way, they aren’t messing around when it comes to protecting their networks. If you were on the IT security team of JPMorgan Chase and you saw that Hold Security released a summary report, would you take a look to see which companies had been breached? Of course you do. It doesn’t matter if it’s real or not; your company is spending every dollar it can to do everything to protect the network.

You’d definitely be looking at this report. You’d be looking at every report that might have anything to do with JPMorgan Chase’s IT security. That’s just what happened; an IT security analyst at JPMorgan Chase did read Hold Security’s report. In it, Hold Security claimed the website for a charity race sponsored by JPMorgan called Corporate Challenge was breached. This site had been used by JPMorgan employees to register for the race. It was hosted by a company called Simmco Data Systems. As it happened, Simmco Data Systems was also mentioned in the Hold Security report. It claimed that Simmco had been breached, too. Huh. So, if JPMorgan Chase employees were registering at that site, then it’s possible their data was stolen. This caused the IT security analysts at JPMorgan Chase to look into this a little more.

[MUSIC] The security team at JPMorgan Chase contacted Simmco Data Systems to investigate the claims made by Hold Security. Simmco Data dug around their network logs and confirmed that the Corporate Challenge website was hacked and breached. The hackers had stolen an SSL certificate from the site and the hack was executed through a few IP addresses that had been creeping around the network without any legitimate reason to be there. Two techs from the JPMorgan Chase office in Columbus, Ohio went over to Simmco Data Systems’ office in Michigan to get copies of any forensic data they could find. They wanted to know exactly what had been stolen and understand the indicators of compromise.

As the JPMorgan Chase security team was collecting data from Simmco, they were using this data, including IP addresses, to search their own logs for any similar activity. They were looking for any trace of a breach and any sign of activity from the IP addresses associated with the Simmco data breach. Sure enough, they found the same eleven IP addresses that had been used to execute the Simmco breach had also been used to attack JPMorgan Chase. What’s more, some of these attacks against JPMorgan Chase had been successful. The biggest bank in America had been hacked and they never even knew it happened. At this point, JPMorgan Chase contacted the FBI and handed over these IP addresses to the Financial Services Information Sharing Analysis Center. This is an organization that circulates this kind of data to banks and financial institutes so they can check whether they have been breached.

Up until this point, JPMorgan Chase had kept this whole situation under wraps while they were working to figure out what was going on, but this kind of breach is a huge deal and they weren’t going to be able to keep quiet about this for long. [MUSIC] We don’t know exactly how the hackers jumped from the charity’s website into the bank’s servers, but I’ve got a few theories. First, it’s possible that the hacker gained access to this Corporate Challenge charity site. How? Possibly by hacking through Simmco Data Systems which was the hosting provider for the Corporate Challenge charity site. If the hosting provider got hacked, then the hackers would have access to the back end of all the other websites that hosting provider hosts.

If they got into the Corporate Challenge website that way, they could have accessed the credentials for all the JPMorgan employees that were registering on the site. Maybe some of those username and passwords were the same usernames and passwords used to log into JPMorgan Chase’s network. This kind of tactic would likely work because so many people reuse passwords on multiple sites. Any JPMorgan employee who used their JPMorgan network password on another site would have made their network vulnerable for this kind of attack. That’s one theory. The other is that this hacker crew might have targeted an IT admin at JPMorgan Chase through spear phishing or some other attack that got them remote access into the admin’s computer.

If a hacker was able to do that, they’d be able to steal that IT admin’s network credentials and do whatever they want from there. Either way, what we know is that this hacker group did have a valid login to a JPMorgan server. With that, they were able to get past the huge front gates of the super-secure JPMorgan Chase network. But once they got past the [00:10:00] front gates, they still needed to figure out where to go. It’s as if they broke into a bank but didn’t know where the safe was. They were just wandering through the network and they hadn’t actually gained access to anything valuable yet. There was an old server that the bank used to manage employee benefits data. It was still running, just not used very often. See, there’s 250,000 employees at JPMorgan Chase and they’re using about a half a million computers in this network.

It’s not easy for such a large company to manage half a million computers. In this case, the employee benefits server had been neglected. It wasn’t updated with the latest security patches and features, and it wasn’t set up for two-factor authentication which would have required users to enter a time-sensitive token code with their password to get in. The hackers discovered this server on the network and used their stolen credentials to log in. This is a perfect example of when two-factor authentication probably would have stopped these hackers from getting any further into the network. [MUSIC] Anyway, once a skilled hacker establishes access to a network, they’re gonna want to create a persistent connection and elevate their privileges.

They’ll need a persistent connection in case their connection gets dropped. Then they have a guaranteed way to get back into that server. The hackers created a back door into the JPMorgan Chase network. This was a point of access that only the hackers would know about but the security team wouldn’t be able to detect them. Once they did that, they began crawling around the network, looking for something in particular. They slowly made their way towards the systems they were after. They were good; hiding their tracks, doing things just the right way to avoid setting off alarms and avoid being detected by antivirus scans. For months, these hackers had been creeping around, quietly accessing databases and exporting data to their own servers as they went along. All the while, they were silent and invisible.

In all, they breached over ninety of JPMorgan Chase’s servers which included multiple databases used to store customer information. This story became public on August 27th, 2014 when Michael Riley and Jordan Robertson reported on this hack in an article in Bloomberg. They revealed that there had been a successful breach at JPMorgan Chase and they said it was the work of Russian hackers. The accusation that this was a nation state attack on US financial infrastructure grabbed the attention of the US financial system. Could it be that Kremlin-sponsored hackers had managed to get inside the networks of JPMorgan Chase, breach layer after layer of security, and make off with tons of customer data without JPMorgan Chase knowing anything about it?

It wasn’t until the bank filed a disclosure with the Security Exchange Commission on October 2nd that we learned more details about this hack. It was way worse than anyone thought. [MUSIC] The hackers had accessed multiple customer databases and stole 83 million personal identifiable records of JPMorgan Chase’s customers. These records were associated with 76 million households and seven million small businesses, pretty much all located in the US. To put that into context, in 2014 there was something like 127 million US households. That’s around 60% of all US households that got their information stolen from this hack. The idea that Russians were behind this hack and that they were probably state-sponsored wasn’t all that surprising.

I mean, just a few months before this, the US had put a load of heavy sanctions on Russia’s financial infrastructure. See, in 2014, that was the year when Putin decided he wanted to take the Crimea Peninsula from Ukraine. Putin dispatched scores of mast armed soldiers to Crimea. They seized the territory, raising Russian flags, and then went on to take control of the cities and the Supreme Council building. The Supreme Council is sort of like the Crimean parliament. The current PM was booted out and a new one was voted in although there were some good reasons to doubt the fairness of this election. This was the most blatant land-grab in Europe since World War II. Russia’s invasion of Crimea stirred up a whirlwind of controversy.

The US and EU and of course Ukraine strongly condemned Russia’s tactics and said that Putin had violated multiple local and international laws. The US and EU imposed sanctions against Russia. These sanctions threatened to tip the already fragile Russian economy into recession. The US and EU intended for these sanctions to force Putin to relent and relinquish control of the Crimean Peninsula back to Ukraine. But Putin wasn’t having any of it. He denounced the US and EU for imposing these sanctions which he said was just another example of aggressive US foreign policy, and he warned that Russia may retaliate against these actions. It seemed possible that the hack on JPMorgan Chase was the first volley of Russia’s retaliation. Here’s a clip from CNN discussing the very idea.

ALISYN: [00:15:00] The FBI is investigating a series of cyber-attacks against US banks thought to be coming from Russia. Hackers are believed to have accessed sensitive information from several financial institutions including banking giant JPMorgan Chase. Could this be retaliation for western sanctions against the Russians? Christine Romans is here with more. Is this retaliation?

CHRISTINE: Well, that’s what the investigation is gonna have to really zero in on here, quite frankly, Alisyn. The US official tells us that the location of the hacker still isn’t clear but given the sophistication of this, the cyber-security community is saying this investigation appears to center and should definitely center on Russia. Now, hackers from Russia are often top FBI suspects. The timing of the hack has raised suspicions given recent US sanctions against Russia. Also, still this big question; the motivation.

Still unclear if the attack was financially or politically motivated or if it was some sort of espionage. Banks have very tough security. Getting through that and getting account information, getting so much information, definitely not an easy task. Now, in response to this breach, JPMorgan said companies of its size experience cyber-attacks every day and the bank has measures to protect itself. Again, the FBI US officials are investigating just what the cause was of this cyber-attack.

JACK: [MUSIC] For JPMorgan Chase, this attack came at the tail-end of a really bad year. They lost a heap of staff in the previous months. In 2013, their chief information officer resigned and took a position as the CEO of a payment processor called First Data. Around this time, five other senior staff from JPMorgan Chase also quit. This included the information officer and chief of security for their IT teams. In early 2014, a new chief of security was appointed; James Cummings. He helped to recruit a new information officer, Gregory Rattray. When this hack was carried out in July 2014, the top IT leadership had only been in place for about six months. Both Cummings and Rattray were former US Air Force and they were both convinced that this attack was state-sponsored and probably executed by Russians.

They thought this hack represented a threat to US national security. I have to wonder though whether their military training and experience biased their interpretation of this hack. After all, they would have been used to dealing with state-sponsored attacks while in the military. It’s not like this hack couldn’t have been what Cummings and Rattray thought it was, but the problem is the FBI’s analysis just didn’t match up with Cummings’ and Rattray’s. The FBI had several specialist units working on this hack. They pulled in their cyber-crime unit, the Secret Service, and Homeland Security to investigate this attack. All of this analysis wasn’t enough to convince the FBI that the hack was executed by a nation state or that there was a clear threat to national security.

That set off this weird political drama over the data that had been stolen from JPMorgan Chase. See, there was this system in place that was supposed to capture any stolen data in a hack like this. Think of it like a CCTV system that you could rewind and watch back if you knew something bad happened. But according to Bloomberg sources, this system didn’t have enough storage at the time of the attack. Even though they collected the data at the time of the attack, they didn’t have it anymore. On top of that, maybe because of political drama around who committed this hack, JPMorgan Chase didn’t want to hand over the data they did have from the hack to the FBI. Things were starting to get out of hand and none of this was helping to solve the actual problem that millions of JPMorgan Chase customer records had been compromised.

[MUSIC] Two weeks after the hack had been discovered, the Assistant Director of the FBI’s Cyber Division, Joseph Demarest, had a conference call with JPMorgan Chase’s COO Matt Zames, James Cummings, and Gregory Rattray. Cummings and Rattray, the Air Force veterans from JPMorgan Chase’s IT department, were pushing for the hack to be deemed a threat to national security. If they got their way, the US Department of Justice would excuse them from any obligations to tell their customers about the hack. The idea of this policy is that if a hack is a threat to national security, then it should be kept quiet as possible while it’s being investigated.

But in the end, the FBI thought it was more likely that this hack was done by a group of clever and skilled criminal actors rather than a nation-sponsored threat actor. JPMorgan Chase and the FBI reached a truce. JPMorgan Chase handed over all the data they collected during the hack so the FBI could conduct a thorough investigation. But jeez, this was a bumpy ride to get there. Jordan Robertson, the journalist from Bloomberg who originally broke this story talks about what happened between JPMorgan and the FBI.

JORDAN: In one of the questions we set out to answer eight months ago when this breach occurred was why we were hearing such a different story from folks who were familiar with the bank’s investigation, which they said the Russian government was believed involved, versus the law enforcement investigation which was indicating a criminal [00:20:00] attack. The answer to that is yeah, the bank is staffing up on former senior military officials, cyber-warriors, and they come to these problems with a very specific mindset about who’s responsible for hacking. There’s a fundamental difference between studying attacks on military infrastructure versus studying attacks on the private sector. The private sector faces a lot more for-profit criminal activity than the military does, and that really animated the bank’s investigation.

HOST: Very interesting on the military approach. That’s led to some problems, Jordan, right, that you’ve found out; including some clashes internally but also with the FBI as well, right?

JORDAN: Yeah. What happens is you hire people who are really great at offensive cyber operations and they’re great network attackers. Defending a network is a whole another matter and dealing with law enforcement beyond that is another matter entirely. What we found was that the bank repeatedly clashed with the FBI and the Secret Service over information-sharing. The Secret Service went so far as to threaten to subpoena the attack data because they believed they were not getting it in a timely fashion. A senior FBI official had to intervene on his agent’s behalf to facilitate that information-sharing more quickly. There were clashes at multiple levels and a lot of it traces back to this difference in mindset between the military and private sector.

JACK: Now the FBI were hunting down these hackers using the IP addresses JPMorgan Chase and Simmco Data Systems had found on it. It was hard for investigators to track this attack because the hackers deleted most of the log files that would have left bread crumbs, revealing their activity in the network. Early in the investigation it was suggested that the hackers spoke Russian, but I’m not sure whether they had any actual evidence of that. [MUSIC] Now, what about these IP addresses the hackers were using? Well, investigators started tracing these back and found the IPs were from different countries all over the world. The computers that had launched these attacks were located in Russia, Egypt, Czech Republic, South Africa, and Brazil.

All of these IPs belonged to hosting providers who were in the business of renting servers to whoever wanted them. This is a simple way to hide your tracks as an attacker. You don’t want to do all this hacking from your own office or house. You want to rent a server on the other side of the planet and use that to carry out your hacks. The hackers had rented one server in Egypt which they used on some of these hacks. Get this; the day after the news broke about JPMorgan Chase, the hackers stopped using that server in Egypt and canceled that account. It seems like whoever was behind this was watching the news and knew they were about to be hunted. While all these investigations were going on, there were reports coming out of other financial companies across the US. Slowly, these reports started to paint a bigger picture.

JPMorgan Chase wasn’t the only target. The same hackers had hit multiple other financial institutions. By October 2014, investigators believed the same hackers had hit at least twelve or thirteen other financial institutions. But from what I can tell, none of these companies have officially come forward about these breaches. But reports are naming some pretty specific banks including Fidelity Investments, ADP, HSBC, Citigroup, and Bank of the West. They had all found signs that these IP addresses from the JPMorgan Chase hack had also been sniffing around inside their network. Now the financial industry was really starting to get worried. Some of the banks only found evidence that the hackers had entered the network and had poked around, but others found signs that stuff was stolen. Here’s journalist Emily Glazer from the Wall Street Journal.

EMILY: Yeah, so right now we know that Fidelity and E-Trader are on that list of thirteen financial institutions including JPMorgan. We had reported earlier yesterday that Citigroup, HSBC, ADP, the payroll processor, and regional lender Regions Financial were also spotting traffic from alleged hackers linked to JPMorgan. There is a lot going on here and it’s very fluid. FBI already involved onsite at JPMorgan, we reported, Secret Service, NSA, Benjamin Lawsky, the top New York financial watchdog, and SDNY, the US attorney based in Manhattan. There are a lot of regulators and prosecutors either examining or investigating this.

JACK: It’s early 2015, seven months after the hack, and the JPMorgan Chase security team is still working on the investigation. Internally, they were calling it the Rio Investigation. They hired outside experts plus some tech executives to form a control board panel. [MUSIC] The job was to meet every two weeks and figure out just how this hack was going to affect JPMorgan Chase and their customers. They also needed to make sure these hackers could never get in the systems again. The year all these financial companies got hacked was a pretty big year for large [00:25:00] data breaches. Target was breached at the end of 2013 and they had forty million customer credit card records stolen. eBay was hacked less than six months later in May 2014.

Their customer database was breached. In September 2014, while JPMorgan Chase was working on the Rio Investigation, Home Depot discovered they’d been hacked, too. A heap of credit card information from their customer database appeared on the darkweb. Investigators suspected that the same people were behind both the Target and Home Depot hacks but they still had no idea who those hackers were. The truth is, many hackers working on this scale don’t ever get caught. But in the middle of 2015, things started to get weird for the Rio Investigation. On July 21st, the Israeli police made two coordinated arrests in Israel at the request of the FBI. Now remember that date; July 21st, 2015. It’s gonna come up a few other times in this story.

The police arrived unexpectedly at the homes of thirty-one year old Gery Shalon and forty-year-old Ziv Orenstein. They were both arrested and charged with securities fraud which is basically illegal stock market manipulation. Now, Gery Shalon is a bit of a flashy guy. He lives in a six million dollar mansion in the very posh Savyon suburb of Tel Aviv. This is kind of like Israel’s version of Beverly Hills where all the celebrities live. His closets were full of expensive tailored suits and the police found half a million dollars in cash in his house when he was arrested. Ziv Orenstein who lived in Bat Hefer, about twenty-nine miles away, may have been wealthy too, but he was more low-key.

[MUSIC] Both of these guys are Israeli citizens and in 2009 they established a web marketing company called Webologic Ltd. Gery was the manager of this company and Ziv wasn’t listed as being involved with Webologic, at least on the books. Still, the Wall Street Journal reported that there were thirty odd employees that worked there and they all knew Ziv was really the guy in charge. As part of the securities fraud investigation, the Israeli police seized all electronic devices in both Gery and Ziv’s house and the Webologic offices. Now, there was this third guy involved in all this. The Israeli police also raided the house of thirty-one year old Joshua Samuel Aaron at the same time. But when they went to his house, he wasn’t home. He had been in Russia but he was supposed to be back in Tel Aviv at the time of the arrest.

But there was no sign of him at all. They report back to the FBI that they didn’t get Joshua. So, Joshua becomes a wanted man. Get this; at the same time that Gery and Ziv are arrested in Israel, the FBI coordinated a simultaneous raid in Florida. They arrested Anthony Murgio and Yuri Lebedev for running an illegal Bitcoin exchange called Coin.mx. What do these arrests have to do with major US bank hacks? Well, on that same day, July 21st, Preet Bharara, US attorney of the Southern District of New York, unsealed an indictment against Gery, Ziv, and Joshua. Bloomberg News and the New York Times published some wild claims. They reported that a leaked internal FBI memo had linked Joshua, the man on the run from Israel police and Anthony, the man arrested in Florida, to the JPMorgan Chase hack.

[MUSIC] The memo said there was evidence of Joshua logging into the servers that were used for these hacks. On the same day, we also find out exactly what they stole. I mean, these people attempted to get into twelve banks and they successfully got into a few of them. They must have done this for monetary gain, right? But did they steal any money? No. I mean, I can think of a number of ways they could have stolen money. Obviously a bank the size of JPMorgan Chase has a lot of money in its accounts. The hackers could have moved some of that money around. Okay, but there’s other ways they could have made money too, like the Chase Bank giftcards. Imagine if they got into the database of those or prepaid debit cards, or they could have manipulated the bank’s reward points system.

Imagine if they set their own accounts to have like, a billion reward points. They could convert that to cash and just siphon money out that way. Or what if they instructed a ton of accounts to buy a certain stock, driving up the price? There are a ton of things they could have done while in the bank’s networks. But all they did was steal customer database records. Specifically, they grabbed e-mail addresses of bank customers. I just don’t understand that. Why go through all the effort of breaking into the biggest and possibly the most secure company in America just to steal 83 million customer records? There’s something more to this story. Things are pretty confusing at this point. We have three people who were supposed to be arrested in Israel; Gery, Ziv, and Joshua. They got Gery and Ziv but Joshua wasn’t home. Then, at the same time, two people were arrested in Florida; Anthony and Yuri.

The two Israelis were arrested on charges of securities fraud and the Florida men were arrested [00:30:00] on charges connected with the JPMorgan Chase hack and something to do with a Bitcoin exchange. Finally, some news agencies started reporting on an FBI memo, suggesting that all five men were connected with this hack. Were they the hackers or were they conmen? What role did everyone play? It turns out the feds had started investigating this group shortly after the JPMorgan Chase hack was discovered. The forensic data that the FBI got from JPMorgan Chase had led authorities to Joshua. Somehow, they got server logs that pointed them to his IP address, but they didn’t know how involved he was and they were pretty sure he wasn’t in on it alone. They start digging around his life to see what he was doing and who he was associating with.

That’s how they discovered Anthony, Gery, and Ziv. These guys were looking pretty suspicious. [MUSIC] Joshua was the prime suspect who led investigators to the door of the others. He’s an American citizen. He grew up in Potomac in Maryland. He enrolled in Florida State University in 2002 and studied business. There is where he met Anthony Murgio who was later arrested in Florida. While at university together, they became pretty good friends and being business students, they wanted to find ways to earn cash while in college. They set up a money-making scheme writing Google ads for affiliate commissions. They did pretty well at it, too. They had other students working for them and they were making thousands of dollars a month. Not bad for a couple college kids, actually.

Joshua dropped out of his courses in 2005 but he stayed in touch with Anthony. Now from there, Anthony’s story actually goes in a wild and crazy adventure totally tangent to this one, which is another story worth telling but it doesn’t quite fit this story. I mean, he was arrested in connection with this story but Anthony tells me he was only arrested so the feds could get information on Gery, because Anthony and Gery started a Bitcoin exchange together called Coin.mx. They purposely hid from financial regulators and even went so far as to take over a Credit Union to look legit. The feds swooped in on Anthony for his illegal Bitcoin exchange and because they knew he was working with Gery. Okay, so back to Joshua, the man on the run. In 2013, Joshua set up an internet marketing business with a partner who had a history of defrauding stock markets.

Apparently this guy had been banned for life from the Financial Industry Regulation Authority for marketing useless stocks, sort of a pump-and-dump kind of thing; you buy up an unknown stock, try to inflate the price of it, and when it’s at its peak, you dump it and make a massive profit. But Joshua’s partner got caught doing this and got banned so after that fell apart, Joshua moved to Israel. It seems that’s where he met Gery Shalon and that relationship started. By 2014, Joshua and Gery were running their own stock fraud scam with Ziv Orenstein who was one of Gery’s associates. They had been running that Webologic business together in Israel. Now, the feds didn’t think it was actually Gery, Joshua, or even Ziv that carried out these hacks.

But it looked like they were working with whoever did. As the feds investigated Gery, Ziv, and Joshua, they find these guys are up to their necks in scams and plots, and may have been connected to some serious hacking. By October 2014, internally the feds have totally rejected the idea that these hacks were state-sponsored by Russia. No, it wasn’t the Russians. It was this collection of conmen and fraudsters who’ve been operating huge scams under the radar for years. [MUSIC] Let’s take a look at this indictment that was unsealed by Preet Bharara on July 21st, 2015. It was a lawsuit brought by the SEC, the Securities and Exchange Commission. They’re the US federal agency that enforces security laws.

This lawsuit was brought against Gery, Ziv, and Joshua for six stock market scams they pulled off over the previous four years. It included details about how much money they were making off these scams. Let’s take a look at the first one. They were buying stocks in a company called Southern Home Medical Equipment, a US company based in South Carolina that provided healthcare services across the country. In May 2011, Gery and Joshua bought the company’s stock at 1.7 cents each, not quite two cents per share. They launched their own marketing campaign for this company, hyping it up, writing articles about how great it was and telling everyone that this company was about to go to the moon.

Gery was the savvy business guy. He knew stocks inside and out, and Joshua was the marketer. He was great at selling anything. They successfully raised Southern Home Medical Equipment’s stock price from just under two cents per share to thirty-three cents per share before selling off their stocks in the company. Their net value in that stock rose 1,800% in just six days. But the problem was that all the marketing they did for this company was made up. They had faked the numbers and the news about this company in order to temporarily inflate the stock price. That’s why this kind of market manipulation [00:35:00] is illegal. If you’ve seen the Wolf of Wall Street, you may recognize this idea because that movie is about a similar kind of scheme.

JORDAN: The Securities and Exchange Commission sent two lawyers down to review our files so I set them up in our conference room, and I had it bugged and the air conditioning turned up so high that it felt like Antarctica in there. Then, while they were looking for a smoking gun in that room, I was gonna fire off a bazooka in here, offering up our latest IPO. An IPO is an initial public offering. It’s the first time a stock is offered for sale to the general population. Now, as the firm taking the company public, we set the initial sales price and sold those shares right back to our friends. Look, I know you’re not following what I’m saying anyway, right? That’s okay. That doesn’t matter. The real question is this; was all this legal? Absolutely not, but we were making more money than we knew what to do with.

JACK: Gery, Joshua, and Ziv were in the business of manipulating the stock market and getting people to buy stocks based on false information. These scams are called pump-and-dumps because the scammers try to pump up the value to make a quick profit by dumping the stocks at a higher price. Here’s how they did it. [MUSIC] First, they forged documents so that they could present themselves as stock brokers. They were already working under false pretenses. Now, stock brokers are like middlemen between investors and the stock exchanges. They help investors figure out what stock to buy, when to buy them, and they seek out good investment opportunities for their clients. These days, everything is digital and online so Gery, Joshua, and Ziv created newsletters, social media accounts, and websites to tell investors what shares to buy.

These tools gave their investors the impression that if they followed Gery, Joshua, and Ziv’s tips, their money would grow quickly. Sometimes they would fake the data on these articles and predict that a stock was going to rise in value, but they would actually backdate that article to make it seem like all their predictions came true. Their indictments show that these guys were all using the classic scams. Since May 2011, they hit six microcap companies. They targeted one after another with their tried-and-tested schemes. They hit each of these six companies using the same pump-and-dump formula. They’d buy the company while the stock was less than five dollars each and then they’d create a bunch of false hype about these stocks resulting in a buyer surge that would drastically increase the trading volume and stock price within just a few days. In 2011, they made about $460,000 doing just three companies.

Then they upped their game. In February 2012, they hit a company called Mustang Alliance which is a mining corporation. In just one week, they bought two million shares of Mustang Alliance, increased the share price over 65%, and then sold the shares for a 2.2 million dollar profit. Altogether, they collected 3.5 million dollars in just a couple years running these scams. But this wasn’t their only racket. Gery was the head of operations and CEO of their company, Webologic. He had the final say on all these decisions and he found a couple of stock promoters to bring in on these scams. Their job was to advertise and promote different stocks and shares all day long. They would go hunting for companies that they knew could easily be promoted to be a pump-and-dump. But they did more than that.

In case you didn’t know, there’s a big difference between being a public and private company. Basically, it has to do with who owns the company. A private company is own by some group of people, usually the founders or a management group, or private investor. But a public company is a company that has sold some of its shares to the public through a stock exchange. This means that part of the public company is literally owned by members of the public, the people who have purchased shares in the company. That’s why they’re called shareholders. Also, private companies can’t sell shares of their company on the stock market and it’s actually really hard for a private company to become a publicly-trading company.

It’s a long process that takes years. Even for legit, fast-growing companies, they have to apply and be audited before they can be listed as a publicly-trading company. When that finally happens, they have an event called an initial public offering, or IPO. I say all that because sometimes Gery would find private companies that seem like they would be easy to falsely promote. He worked out a system to help these companies go public so that he could run his pump-and-dump scams using their shares. [MUSIC] Over the years, Gery created heaps of shell corporations. These are companies with no staff, no revenue, no office. These corporations only exist on paper and Gery would go through the long, rigorous process of getting these corporations to go public and be traded on the stock exchange which might have taken him years.

But with publicly-trading shell corporations ready to go, Gery was able to approach private companies, pretend to be a legit stockbroker, convince them to do a reverse merger with his shell corporation, and that would fast-track that company to be public trading on the stock market. Now, this whole scheme is all upside for Gery. First, he’s going to sell his shell corporation to [00:40:00] some company. This could make him anywhere between a few thousand dollars to a few hundred thousand dollars. Because he created these shell companies, he was able to assign any amount of company shares to himself or his friends like Joshua or Ziv. If he did that, then before the actual scam even started, he would already have tons of shares in these companies.

He would sell his shell corporation to a company and then that company does a reverse merger with it, and now that company is suddenly a publicly-trading company. He did all this under the guise of being a helpful stockbroker just here to help them navigate going public. Then once the reverse mergers were complete and that private company was now publicly trading, Gery’s fake marketing campaign would ramp up and make the stock of that company boom. That’s the pump. Right when the hype was about to fizzle out, Gery and Ziv and Joshua would sell all of their stocks which they could have had from the very beginning, and that’s the dump. If Gery was the CEO of this scam operation, Ziv was his ops manager with some IT thrown in.

Ziv bought up a heap of domains and built stockbroker websites that all looked legit. He was the one who maintained all of the different brokerage accounts and the false documents for their schemes. He was the one keeping track of all the moving pieces. Joshua was like the communications and marketing manager; he wrote all the promotional materials that they used to market the companies. With this systematic approach and with all the pieces ready to move, these scams were really just a matter of bombarding people with marketing and buying and selling stocks at the right times. Now, at this point you might be wondering how is any of this connected to the breach at JPMorgan Chase? Well, we’re almost there. Bear with me.

See, over time as these guys were marketing stocks, they were starting to do some e-mail marketing. They would send people e-mails that said ‘Amazing opportunity! Small cap investment can double your money in weeks. Don’t blow your shot at financial freedom.’ They would list a stock ticker symbol and make people feel like they had to buy this stock right away. You’ve probably seen these types of e-mails. I receive thousands of them, myself. The way they work is that the sender of these scammy e-mails just buys a huge list of e-mail addresses and blasts out millions of e-mails at a time. That’s what Gery’s crew was doing at first and that was somewhat successful, but they wanted to take their scam to the next level. [MUSIC] They thought if they could get a list of e-mail addresses of real stock market investors, their spam would be much more effective.

I mean, who better to advertise a stock tip to than people who are actively trading on the stock market?Traders are always looking for a hot stock, and they might just go ahead and buy some random stock that they saw in a scammy-looking e-mail. That brings us to JPMorgan Chase. It turns out that the whole JPMorgan Chase hack was about getting better leads for Gery’s marketing campaign to make his pump-and-dump scams more profitable. That’s right; Gery, Ziv, and Joshua wanted millions of stolen JPMorgan Chase’s customers’ e-mail addresses just to e-mail them stock tips. Of all the absurd, off-the-wall, preposterous crimes, this one takes the cake. Three random scammers orchestrated a hack into the largest bank in the US just to make money on their pump-and-dump scams. Unbelievable. But their criminal activity went beyond just stock market manipulation.

On the same day Gery and Ziv were arrested, July 21st, 2015, an Israeli newspaper reported that another indictment had named them both. But this time it was for a huge, illegal online gambling operation, an operation that was supposedly even bigger than the stock fraud scams they had been pulling. When this report came out, the online gambling forums just lit up. It turned out that Gery and Ziv were behind the well-known, dodgy online casinos Affactive and RevenueJet. These are actually groups of casinos owned and operated by companies called Netad Management and Milore Ltd, and it had dozens and dozens of online gambling websites. For years, the casino sites ran by these two companies had been getting called out by the gaming review sites as being scams. The review sites actively warned players not to use Gery and Ziv’s online casinos.

In fact, in 2010, Casinomeister gave Affactive Group the Worst Casino Group Award, citing their terrible customer service and failure to pay players their winnings. Now, all these sites under Affactive and RevenueJet used gambling software called Rival and RTG for the games. These are the leading suppliers of casino games and online gambling. Then they lease this gaming software to the independent casinos. The games on Affactive and Revenue Jet were legitimate, well-designed games and that’s how they attracted players to come to their sites to gamble. But to gamble on these sites, you need money to play. When winners would actually win money, that’s when Gery and Ziv would start pulling some shady business.

[MUSIC] His casino sites started to develop a reputation for being really unreliable at paying out their players. When a player made a cash-out withdrawal request, [00:45:00] there were all kinds of delays. Security procedures would make players wait ninety days. Some players waited the ninety days for their money only to be told their cash-out wasn’t valid because they didn’t play at the casino for the last few weeks. Sometimes they wouldn’t pay the whole amount; maybe just a percentage just to keep the players guessing. But that would be as far as it went. Often, players would just give up, take the loss, and move on to a different site or they’d end up gambling away their winnings and playing more games in the casino. By avoiding paying out the players, these sites were racking in tons of cash.

Like the JPMorgan Chase hack, this is an absurd scam that doesn’t make any sense to me. An online casino by its very nature makes a ton of cash. The odds are always in the casino’s favor to win, even without scamming anyone. Maybe you’ve heard the term ‘the house always wins.’ Yeah, that’s about casinos. They are literally money-printing machines for the owners. Why treat the players so poorly? Ugh, the nerve of these guys. The greed is just astounding to me. But it gets worse. Just after the arrests, the Netad Management casino’s network collapsed; just stopped. None of the sites were loading at all and the executive director of the Gambling Portal Webmaster’s Association said that he got a notice that the Affactive was closing its operations, effective immediately. It seems like as soon as the indictments came through, someone pulled the plug on the casinos. Their online casino empire had crumbled overnight.

[MUSIC] At that time, Gery and Ziv were in custody in Israel and the US was trying to get them extradited to face these stock fraud charges. Joshua was still nowhere to be found and with his indictment unsealed, his name showed up on the FBI’s Most Wanted list. But still, we don’t know who actually conducted the hack against JPMorgan Chase and the other twelve financial institutions. Gery, Ziv, and Joshua were market manipulators, shady businessmen, and con artists, but they weren’t hackers. We know they had the stolen e-mail addresses from the JPMorgan Chase hack, but how did they get them? Breaking into JPMorgan Chase’s network is not an amateur hacking project. Whoever did it really knew what they were doing.

But if Gery or Ziv or Joshua weren’t the hackers, then who was? A year after JPMorgan Chase discovered they’d been hacked, several more financial companies received visits from the FBI informing them that their networks had been breached and they had evidence to prove it. These companies started to send out letters to their customers. In October 2015, the online discount stockbroker E-Trade sent a letter to all their customers explaining that their network had been breached and that customers’ personal information had been compromised. They said their database was breached which contained 31,000 E-Trade customers’ data. Scottrade, another online stockbroker, revealed that they were also hit by these hacks, but their breach was way bigger. They believe that the person information of 4.6 million of their customers had been stolen.

Dow Jones sent out letters, too. Now, they’re not a financial institution in the way of a bank or a broker is, but they’re a big publisher of financial information. They’ve been going for 137 years. They published the Wall Street Journal, MarketWatch, and Barrons. In October 2015, they informed their customers of a data breach. In their letter, they explain that the hackers may have been in the system for three years but they’d only found evidence of the theft of 3,500 people’s contacts or payment data.

There were clues like IP addresses and the malware and the data that was stolen which made authorities suspect that these hacks were all conducted by the same hackers. A month later, all the evidence came out. On November 10th, 2015, Preet Bharara, the attorney general of the Southern District of New York, unsealed a superseding indictment against Gery, Ziv, and Joshua. It was a bombshell. Getting indicted for these stock scams probably seemed bad enough for these guys, but now they were really in trouble.

PREET: Good afternoon. My name is Preet Bharara and I’m the United States attorney for the Southern District of New York. Today we announce criminal charges in one of the largest cyber-hacking schemes ever uncovered. The charges involve cyber-intrusions over several years targeting twelve different companies; seven financial institutions, two financial news publications, two software development firms, and a market risk intelligence company. By any measure, the data breaches of these firms were breathtaking in scope and in size.

The defendants allegedly stole personal information for over 100 million customers including 83 million customers from one bank alone, the single-largest theft of customer data from a US financial institution ever. That bank was JPMorgan Chase, as it has disclosed itself. To hide their tracks, the defendants allegedly operated their criminal schemes through over seventy-five shell companies and used close to twenty – two-hundred, I’m sorry, identification [00:50:00] documents fraudulently including thirty false passports from seventeen different companies. The good news is that the FBI and the Secret Service have cracked this case and we aim to prove it in court.

JACK: [MUSIC] At this point, the evidence of the case was getting massive. These guys have been running an international cyber-crime enterprise. The new indictment accused them of twenty-three counts which included computer fraud, hacking, wire fraud, security fraud, money laundering, identity theft. It just went on and on. This one group had been running this whole system of interconnected, illegal schemes; scam on top of scam on top of scam. They were making hundreds of millions of dollars. What the feds had uncovered here was huge. The scale of this is just incredible. I mean, it’s really crazy. But let’s stop for a minute and talk about the money. That’s what Gery was doing all this for, right? Well, he was living the high life in his Tel Aviv mansion, passing himself off as a really successful businessman.

I guess that in a certain sense he was a successful businessman and he did have some legitimate business interests and investments that earned him good money. But to live the kind of lifestyle he wanted, I guess he felt like he needed to keep chasing the next big payday. Anyway, all these scams; the online casino, stock fraud, the hacks, they were making Gery, Ziv, and Joshua hundreds of millions of dollars and they couldn’t just throw all that into a bank account. That definitely would have attracted some unwanted attention. Banks are required to report deposits of a certain size and I’m sure that if Gery, Ziv, and Joshua had deposited their hundreds of millions of dollars, it would have triggered some sort of reporting policy. They needed a solution, a way to launder the money, convert their money from illicit and unusable to clean and spendable. They came up with a couple of ways to do it.

[MUSIC] Remember those shell corporations that Gery was using to do reverse mergers with private companies for their stock scam? Well, this also came in handy for laundering a lot of money they were making. Gery and Ziv were moving money around left, right, and center. They were transferring millions of dollars from their casino businesses to bank accounts in Cyprus, and then shifting it all around through all the shell companies. They had their money-laundering down to a science. All they had to do was fill their shell companies’ ledgers with transactions for goods and services that they had supposedly been providing their customers. They could then use this dirty money to pay themselves for those made-up goods and services.

That way, it would look like this money was just shell companies invoicing it and paying out legitimate customers. This left the shell companies with loads of money in their accounts and a nice audit trail that made everything look more legit. At the end, they had clean money. Gery had seventy-five different shell companies. He, Ziv, and Joshua had multiple bank accounts and brokerage accounts in countries all over the world. Obviously, none of them were set up in their own names. All three of these guys had aliases they would use. They had thirty different fake passports from across seventy different countries. Keeping track of all these companies and accounts and the false documents and the different names; that must have been a full-time operation just doing that.

It’s pretty impressive how they were able to manage all these moving pieces. Before they got caught, it probably seemed like it was worth all this work. [MUSIC] In 2011, the same year he started the pump-and-dump scams, Gery created two online payment processing companies called IDPay and Todur. You could think of these as more like shady versions of PayPal. Gery used these payment processors to let his players deposit money into gaming accounts in his online casinos. These sites were the intermediaries between the players’ bank accounts and the casinos’ bank accounts. Each transaction would go through these payment processors, but Gery had to hide that money because it wasn’t legal. To turn that money into money he could actually use, he needed to make it look like it came from a legal source.

Gery and Ziv opened multiple bank accounts in different countries using fake IDs and fake documentation. They would send transactions made through IDPay and Todur into these accounts around the world. Now, credit card companies are not allowed to process payments that they believe might have come from illegal activity. Gery and Ziv would code their transactions to make them look like simple online purchases from everyday retail websites like pet stores or wedding outlets. If they could find banking officials in the countries they were depositing their money, they would bribe them to turn a blind eye. Basically, they did anything they could to prevent anyone from catching onto their operations. Of course, the players at Gery’s online casinos had no clue what was going on in the background.

Everything probably just seemed normal from their perspective. Gery had a bunch of like-minded friends, other criminals who needed to launder money just as much as Gery did. He was friends with people selling fake pharmaceuticals, malware, and fake antivirus software. Whatever their business, if they wanted to collect payments via credit card, they needed a shady payment processor and they would use Gery’s IDPay and Todur. Of course, just like any payment processor, Gery would take a nice cut of each transaction. But sometimes the credit card companies did get suspicious. [00:55:00] When that happened, the credit card companies would stop processing Gery’s transactions and issue fines and penalties to whichever financial institution Gery got caught using. Gery would just pay these off and carry on where he could.

It was just a minor inconvenience; a cost of doing business. If they got questioned about this, they’d all act shocked and surprised as if they had no idea the transactions were for illegal goods and activities. If a bank got suspicious and closed one of Gery’s accounts, he’d just find a new bank and open a new account. It became a pretty constant process of finding new accounts and coming up with fake merchants to use for transactions to make them look legit. It was all very shady but it was working. In 2012, Gery did another astonishing move. There was this company called G2 Web Services. This is sort of a watchdog company that monitors payment processors to make sure they’re above board and not fraudulent. Basically, the staff at G2 will go and do a test at payment processors to make sure they’re trustworthy.

Well, Gery was using IDPay and Todur to process a lot of payments for his illegal activities. He didn’t want G2 to flag his payment processor as fraudulent, so he hired a hacker to break into G2 and get a list of credit cards that were used in test-payment transactions. Then Gery would just block those credit card numbers from being used at IDPay and Todur so that nobody at G2 could even test the payment processing on his websites. The audacity! I’ve never heard of a hack like this; to hack into a watchdog company just to make sure that they don’t talk bad about you and to block them, it’s just ridiculous. In July 2013, two years after Gery first created IDPay and Todur, Brian Krebs published a report about potentially suspicious activity being conducted at IDPay.

A source had found IDPay’s customer database and discovered a bunch of fake antivirus sites were using this payment processor. These websites had addresses like spyblocker.com, malwaredefender.com, personalguard.com, and so many more of fifty domains. Krebs investigated IDPay and he couldn’t find anything about them. There were no records of this company existing at all, so he concluded that these websites were installing fake malware onto victims’ computers and then asked the victim to pay to get the virus removed. These sites were using IDPay because a legitimate processor would never process sketchy transactions like this.

If this is what was going on, then I guess we can add this bogus antivirus payment processing scam to the list of growing crimes that were committed by Gery and his friends. One site on the list of IDPay’s customers was rxpartners.com. This was known to be an illegal pharmacy affiliate program. Hackers and spammers would sign up and earn cash for promoting illegal pharmacies. In 2013, not many people knew about Gery and his massive empire of hacking and scamming, and they didn’t know he was the one behind IDPay. While Gery was focusing on making sure anti-fraud companies like G2 Web Services weren’t onto him, he didn’t realize that the feds were onto him. How did the feds get on Gery’s trail?

[MUSIC] Well, a month before he was arrested, an undercover federal agent went on to one of his casino’s websites and deposited some money using his credit card to make a bet. When he checked his credit card statement, he found the transaction had been recorded as a payment to houseforpets.com which wasn’t even a real website. This was the first thing that tipped off the feds and from there, they quickly found a lot of evidence leading to Gery, Ziv, and Joshua. It was the hack on JPMorgan Chase that really brought down Gery’s empire. If you remember, the hackers successfully broke into the JPMorgan Chase’s network and stole 86 million records and got out without raising a single alert. JPMorgan Chase had no idea they were breached and that was by design. The hackers were extremely careful not to raise any red flags.

The only reason JPMorgan Chase ever found out that they’d been breached was when they read that Hold Security report and found that Simmco Data was breached, and the evidence from that breach is how JPMorgan Chase figured out they were breached. JPMorgan Chase was never supposed to find out that they were breached, so once it came out that JPMorgan Chase did know that they were breached, it was time for the hackers to start covering their tracks. Remember the canceled Egyptian server rental? Yeah, they knew they were getting rumbled. But again, JPMorgan Chase wasn’t their first hack. Uh-uh. They already got away with hacking six other US financial companies. On the same day of the big twenty-three count indictment was unsealed, a third indictment was unsealed also in Atlanta.

This indictment was focused on the hacks and it tells us exactly how they happened. The feds had confirmed that it was Gery pulling the strings on all these hacks and they knew Joshua helped him out. But they also knew that neither Gery nor Joshua were hackers capable of doing this. The indictment brought charges against Gery, Joshua, and an unidentified suspect, a John Doe, the mystery hacker. [01:00:00] Okay, so with this indictment, we learned about how the hacker got into E-Trade and Scottrade. At first, the hacker got a regular login to E-Trade and poked around as just a normal user, looking for vulnerabilities on the site. I’m not sure what he found but on that same day, three of E-Trade developer servers got accessed by the hackers. But nothing was stolen at that time.

Almost a whole year passes, then Gery tells the hacker the plan to steal customer data from the databases and gives the hacker servers around the world to use; servers in South Africa, Romania, and the Czech Republic. These were not bulletproof servers which were untouchable by the feds, but Gery told the hacker they were registered anonymously. With the hacker ready, the infrastructure in place, and the plan figured out, Scottrade was the first of the two to be hacked. [MUSIC] On September 8th, 2013, Gery’s hacker reported that he’d hit a wall. Scottrade had antivirus in place and he could only get access to one employee’s computer without raising alarms. But this employee had no admin rights, so this slowed down the hacker. For the next two months, he tried and failed to gain access.

But on November 22nd, the hacker asked Gery to get him a Scottrade user account, hoping he could use it to breach Scottrade’s systems. So, Joshua and Gery provided the hacker with a regular user login. From there, the hacker was able to find vulnerabilities in the site and exploit them to get access to Scottrade’s servers. The next day, he was searching through Scottrade’s networks for customer databases and he found them. He looked through a few of the records in the database and he saw customer name, phone numbers, and e-mail addresses. Bingo. This is what he was looking for. He did a quick count to see how many records were in the database.

There were six million customer details. Gery was very excited about this discovery and of course, he wanted the e-mail addresses of this database. The hacker took one more look around the database server and he noticed he wasn’t in there alone. A database admin was also logged into the customer database and actively running commands. The hacker got nervous. He needed to download these six million records. He was right there in front of it, but he wanted to do it in secrecy so that nobody would ever know he was there. He was nervous that if he downloaded the data while the other admin was there, he might draw unwanted attention.

He couldn’t afford for that admin to notice that something fishy was going on and at the same time, he didn’t want the admin to notice he was there and kick him out. So, he waited nervously until that admin logged out. Then he quickly copied six million customer records to a server that the hacker controlled, covered his tracks, and disconnected from Scottrade’s network. The hacker gave Gery a password and location of the stolen database. On November 25th, Gery sent the hacker a report of the customer data that was stolen from Scottrade. The database included information of four million Scottrade customers. 100,000 of them were residents of Georgia. The hacker then added more, around 200,000 to 300,000 bank customers of Scottrade.

Two days later, he breached more databases and added more data to the server. On November 27th, Gery’s hacker reported that he now had six million records from Scottrade. They didn’t waste any time before going to E-Trade. The very next day, the hacker breached E-Trade’s server using a brute force attack to gain access to a video teleconferencing server on their network. Of course, once he got in, he got himself persistence and elevated his privileges. He installed a back door into the servers and started looking around the network for database servers. Four days later, the hacker breached another server on E-Trade’s network and installed a reverse shell on it. Four days after that, he gained access to three more internal servers and a core admin platform. This was the motherload.

These servers contained all of the customer data for E-Trade customers. The hacker began copying all the data stored on these servers. The reverse shell he had set up was exporting data for days after that. Gery’s hacker would eventually steal fifteen million customer records from E-Trade’s network. Once he stole them, he would send them straight to Gery. By December 16th, one of Gery’s associates had cleaned up and merged all the stolen customer records from E-Trade and Scottrade into an enormous database. This was the customer information Gery wanted; a vast database containing the contact details of millions of potential investors, people who he knows are already investors.

Over the course of four months, Gery’s hacker had been going in and out of multiple servers on both E-Trade and Scottrade’s internal networks. He hadn’t set off any alarms. No security scans picked up on his activity but at some point, E-Trade began to suspect their systems had been breached. They launched an internal investigation and they got law enforcement involved. But nothing came of it. They couldn’t find any evidence that data was stolen. There were no logs that somebody copied the data because [01:05:00] the hacker hid his tracks so he wouldn’t get detected. E-Trade concluded that if they had been breached, then the perpetrator had hidden their tracks really well, so the investigation just kinda stalled out. But they were right; someone had been in the systems and it was Gery’s mysterious hacker.

[MUSIC] As E-Trade and Scottrade were being hacked, Gery’s online casinos were making considerable money. He was running at least twelve different casinos. In October 2013, they made him 78 million dollars. Gery and Ziv had 270 employees in Ukraine and Hungary working in call centers to help keep these casinos running. They were responding to queries and trying to help keep players happy, but they were also giving the runaround to players who were trying to cash out their money. Gery and Ziv needed to draw as many players to their casino as possible. The more people playing meant the more people they could scam out of their winnings.

To help that bit along, Gery called in his hacker. When people want to do some online gambling, they typically start with a Google search and visit the first few gambling websites that show up. They think oh, this casino is the first result in Google so it must be popular and trustworthy. Knowing this, Gery started trying to get his hacker to find ways to improve the casino’s search ranking on Google. Now, there’s a whole lot that goes into search ranking.

It’s called SEO, search engine optimization, and what actually determines the ranking on Google’s search is a little bit mysterious. They use an algorithm of some kind but in the SEO world, it’s generally believed that to boost a site’s ranking, you need more links to that website. So, much of SEO is based on the idea that the more websites on the internet that post links to your site means that your site becomes more popular in the search rankings. Gery knew this and wanted more links to his casinos. He used a secret ingredient to get that. Want to take a guess on what that was?

HANS: The secret ingredient is crime.

JACK: He asked the hacker for help and the hacker got to work to try to find a way to make tons of links to Gery’s online casinos. After a bit of searching, he started hacking into dormant gambling-related WordPress blogs. We’re talking like, thousands of them here, blogs that hadn’t been updated in ages and whoever owned them lost interest in it. All their plugins were out of date, the software hadn’t been updated and well, yeah, they were vulnerable to being hacked. The hacker exploited a lot of these old WordPress blogs and he created tons of links to the casinos’ websites. Compare this to hacking into banks; it was pretty easy.

Once he finished, these sites had new posts mentioning Gery’s casinos and how they were absolutely the best place to gamble on. When these blogs got re-indexed by Google, these new posts made Gery’s casinos rise up in the ranking and become more popular. Now whenever users searched Google for keywords like ‘best online casino’ or ‘where to play online casino games’, these ancient blogs were starting to pop up with fresh results. People always click on the first couple of results. That’s just how it is. So, people clicked on these old blogs, they saw tons of glowing reviews of Gery’s casinos, and this hijacking of neglected blogs drove enormous amounts of traffic straight to Gery’s online gambling sites. That wasn’t all.

Gery liked to be in control and know exactly what was going on, so he paid this hacker to visit his competitors’ websites. [MUSIC] He would have the hacker take down any competing gambling site he got annoyed at. The hacker would use a botnet to launch a huge denial-of-service attack on competitor casinos, interrupting service for those casino players. Of course, when gamblers can’t get into their favorite gambling site, they might go looking for a different site to gamble on. The DDoS attacks that Gery was conducting could actually drive players to his casino, too. Then Gery would find out what software the competitor casinos were using and then ask the hacker to gain access to that software company to monitor what rival casinos were saying and doing.

He also hacked into e-mail accounts of executives at the companies that made online gambling software used by many casinos, just let Gery in on deals that executives were making with each online casino. This allowed him to stay a step ahead of his competitors. If anything was going on that might compromise one of his casinos, he would have an early warning. Gery was used to getting what he wanted and he was quite happy to use sneaky, underhanded tactics to get his way. He was getting away with everything until it all caught up with him on July, 2015 when Gery and Ziv got arrested by the Israeli police. Once the indictment was announced on November, everything went, well, a little bit quiet.

The feds and prosecutors were working to prepare their cases. The first thing they were going to do was get Gery and Ziv extradited to the US. This was a pretty long process which took about a year. In June 2016, they were both extradited to New York and found themselves in a Manhattan prison. On June 9th, they appeared in Manhattan Federal Court. Both Gery and Ziv pleaded not guilty to the long list of charges against them. But there was still one guy out there; Joshua. Joshua was still somewhere in the wild and the FBI was searching [01:10:00] everywhere for him. They suspected that he was hiding out in Russia. It made it pretty complicated to look for him there. But then Joshua just solved that problem for them.

It turned out Joshua was in Moscow all along and on December 14th, 2016, his attorney called the feds and said Joshua’s gonna turn himself in and is flying into the JFK Airport in New York. So, Joshua did. He flew to New York and was arrested on the spot. You see, Joshua got himself in a bit of trouble with the Russians. He had flown into Russia via Ukraine on May 23rd, 2015 and had been staying in an apartment in Moscow. In May 2016, right as Gery and Ziv were about to be extradited from Israel to the US, Joshua was arrested by the Russian immigration police. They turned up at his apartment for a surprise spot check on his Visa documents. For Joshua to maintain his Visa, he was supposed to fly out of the country and then come back every six months. He hadn’t been doing that because he was hiding out from the FBI.

The Russian immigration police put him in jail. On May 20th, a Russian judge fined him an equivalence of $80 and ordered him to leave Russia. Joshua had to leave Russia but he wasn’t interested in going to the US and getting arrested by the FBI. He applied for refugee status so that he could stay in Russia. [MUSIC] While he was waiting on his refugee status at an immigration office in Moscow, he talked to his lawyers and they changed his mind. They convinced him that it was better for him to come to the US and face his charges than to continue hiding out in Russia. But strangely enough, when Russia found out Joshua was wanted by the FBI, they offered him asylum.

They probably thought he would be useful for some sort of political or diplomatic leverage. Joshua had already made up his mind though so he turned down the offer of asylum, but Russian immigration was now hesitant about letting him leave. So, he was stuck in the immigration center while his lawyers were negotiating with Russians and the feds, both of which wanted Joshua in their custody at this point. After about six months of this, in December 2016, everyone agreed and Joshua got on the flight to New York and was arrested. By the time Joshua gave himself up, Gery had been in prison for almost two years. Gery plead not guilty and was looking at a lengthy court trial. Gery was the mastermind behind all these schemes.

He had the valuable knowledge and connections with the underground criminals. Plus, he probably knew some stuff about Russian cyber-crime networks. The feds recognized that Gery could be really valuable to them, so they offered him some plea deals. They offered to release him if he agreed to plead guilty to all the crimes he did if he became an informant. On May 22nd, 2017, a big daily newspaper in Israel, The Calcalist, reported that Gery had agreed to pay US authorities 403 million dollars in cash under forfeiture. His plea deal also meant that three criminal proceedings against him plus an SCC civil lawsuit, were all dropped. [MUSIC] Now, 403 million dollars sounds like a lot, but the feds estimated he had earned over two billion dollars.

Gery probably was walking away with some extra cash left in his pockets. But giving up his cash meant that he had to tell the feds where the money was and wow, he had a lot of cash stashed all around the world. He had eighty-one different bank accounts around the world. Many of them were in Switzerland and some of these accounts had over 100 million dollars in them. There were accounts in Cyprus, Georgia, Virgin Islands, Luxembourg, Latvia. They were everywhere. On top of that, he had stashes of cash and jewelry worth millions, and a six-million-dollar house. Gery’s plea deal wasn’t straightforward. According to The Calcalist, it took six different law firms to negotiate it. Five of these law firms were in the US and one was in Israel.

While Gery agreed to pay hundreds of million dollars of his illegal profits to get out of prison, he had to give the feds more than money. It seems like he gave up a hacker, a thirty-eight year old Russian man named Peter Levashov. Peter was from St. Petersburg and he’s the one who built the Kelihos botnet which infected 100,000 computers. This botnet was built to send massive amounts of spam e-mails. But the Kelihos botnet was also available for hire; anyone could use it to send tons of spam themselves, and Gery was definitely sending a lot of spam. Peter was arrested on April 9th, 2017 while on holiday with his family in Barcelona, Spain. He was accused of running the Kelihos botnet and pleaded guilty of it in Connecticut in September 2018.

The counts against him included the distribution of fake spam e-mails, promoting counterfeit pharmaceuticals, and other frauds including pump-and-dump stock schemes. He’s still awaiting his sentencing. [01:15:00] It’s not clear what Gery told feds about Peter, whether he just straight-up ratted Peter out or what happened there. But the question everyone had was hey, this Peter guy, is that Gery’s mystery hacker? At first, I thought it was but no, he wasn’t. Peter wasn’t Gery’s hacker. That was someone else entirely. [MUSIC] In December 2017, law enforcement flew into the airport of Georgia, an Eastern European country. They were there at the request of the US authorities and they went to the capital to arrest thirty-five-year-old Andrei Tyurin.

Andrei is a Russian citizen but the US had been tracking him and knew he was flying into Georgia from Moscow, and they wanted him in custody before he could disappear. Andrei was a well-known, high-level Russian hacker. The feds believed he was the hacker working with Gery in his empire of scams, and they spent the last two years trying to track him down and detain him. Once in custody in Georgia, the feds set out to get him extradited to the US. Now, Russia does not like giving up its hackers, but there’s not much they can do when it’s outside their country. That’s why the US arrested him in Georgia, because you can get him extradited out of Georgia.

Now, some Russian hackers have a double motive for hacking. They work on a freelance basis, taking jobs from whoever is willing to pay their fee. But they may also be looking to pass any juicy information they find to the Russian government or anyone else who’s willing to pay for this information. Regardless of who’s paying for the hack, the hacker’s always the first person to get their eyes on the data. Sure, the hacker will upload a copy to whoever hired them, but there’s nothing stopping them from uploading a copy to someone else, too. Although the FBI had ruled out the possibility that the JPMorgan Chase hack was executed by the Russian government, US intelligence had apparently found some evidence to suggest Andrei was getting some protection from the FSB, Russia’s intelligence agency.

It hasn’t been confirmed but some evidence suggests that the FSB tried to recruit Andrei while other bits of evidence suggest he may have had a bigger role in the operation run by FSB. Either way, it took almost a year for feds to get through the red tape and bring Andrei onto US soil and book him into a federal prison. [MUSIC] Now, a quick aside about US attorneys; this case was being handled in the Southern District of New York and Preet Bharara was the US attorney for that district. When the US government brings this case to trial, a federally-appointed attorney handles the case. But when Trump was elected president, he had Jeff Sessions order all forty-six US attorneys from Obama’s administration to resign.

Preet Bharara had met with Trump a few days earlier and did not get the impression that he was being fired, so Preet refused to resign, but Trump fired him the next day. The Trump administration appointed Geoffrey Berman as the new US attorney for the Southern District of New York. On September 7th, 2018, Geoffrey Berman announced that Andrei had been extradited from Georgia to New York. This was a massive win for the feds; getting an indicted Russian hacker extradited into the US for cyber-crimes is not something that happens very often. Oh, and as for the US attorney for the Southern District of New York, Jeffrey Berman, Trump fired him, too. I guess Trump didn’t like that Berman was investigating Rudy Giuliani, Trump’s personal attorney regarding some suspected criminal activity.

Trump put Jay Clayton in place to be the current US attorney for the Southern District of New York. Clayton has never been a federal prosecutor before but he was the chairman of the Security and Exchange Commission. This case has now passed through the hands of three different US attorneys for the Southern District of New York. Andrei was charged with ten counts including computer hacking, conspiracy, wire fraud, and identity theft all relating to Gery’s enterprises. The same day they got him into New York, he was put in front of a judge to state his plea, not guilty. Andrei wouldn’t admit to anything. On September 25th, there was an initial pretrial conference hearing.

The prosecution presented their evidence to Andrei through a Russian interpreter. The evidence against him, which was mostly in Russian, was pretty damning. They had almost 3,500 pages of online chats between Andrei and Gery all discussing the hacks and scams. The evidence took up nearly two terabytes of storage. They also had evidence from devices seized from Gery and Ziv when they were arrested in Israel which all pointed to Andrei being involved in this. They had the data from the hacked companies too, like logs and records from the hack, and that resulted in another few terabytes of data which was not looking good for Andrei. The data from the JPMorgan Chase hack was over three terabytes just on its own. The prosecution and defense had to agree on a way to deal with all this digital evidence. You can’t just print all that out; it’s just too much information and it’s not like it’s just some long text document.

Lots of this evidence [01:20:00] was complex technical data. Prosecutors and defense attorneys aren’t computer experts, so they needed to get all this data into a format that they understood that could be used in the court case like this. The prosecution and defense worked together to figure out how they were gonna do that. What followed was a long line of adjourned court dates and pretrial hearings. For a full year, nothing moved in terms of court appearances. Then suddenly, Andrei’s case ended in one day. On September 23rd, 2019, Andrei submitted a change of plea. He was now pleading guilty.

Andrei admitted to conspiracy to commit computer hacking, wire fraud, unlawful internet gambling conspiracies, and conspiracy to commit wire fraud and bank fraud. [BEEPING] In pleading guilty to these four counts against him, he was admitting to hacking eight different US financial institutions between June 2012 and August 2014. These include JPMorgan Chase, Fidelity, Dow Jones, E-Trade, and Scottrade. Publicly at least, Andrei’s conviction was the first in this entire case. His lawyer said that Andrei was hired by the masterminds of the schemes to hack these computer networks under their instructions. Because he pleaded guilty, there will be no trial for Andrei, but he is looking at a lengthy prison sentence.

His sentencing date, just like his hearings, have been repeatedly adjourned and he’s currently awaiting sentencing. Gery is believed to be out of prison and living somewhere in the US. Until his forfeiture is completely paid, he’s not allowed to fly out of the country. Information about his court hearings or progress on his remaining charges are hard to come by. I mean, if Gery is an informant, then that means that a lot of his court documents are going to be sealed, and a lot of his court documents are sealed. It’s just one of those things I don’t have a visual into. Ziv, though, has been convicted of something. He is currently waiting to be sentenced. The fact that he hasn’t been in any news about any of these cases could mean that all three are cooperating with US authorities.

It’s possible that they are providing information in exchange for leniency in their own cases, but unless their cases are unsealed, we might not ever find out. Altogether, these schemes made a colossal amount of money. It really was a sprawling, interconnected network of scams building on top of each other, scaling up, leveling up, and expanding outward. The whole story is full of surprises and by the end, it’s mind-bogglingly complex; a web of illegal schemes, hacking fraud, money laundering, carried out by some shady businessmen and conmen joining forces with a hacker. Just as the schemes themselves were large-scale, so too was the network of people and resources Gery had built to operate it all. The story has it all; the villains, the hacks, the underground illegal acts, and finally a hammer of justice that brings it all crashing down.

The hack into JPMorgan Chase wasn’t random, a one-off attack. It was done by someone who seemed to have an insatiable appetite for more; more hacking, more data, more scams, more money. Sure, there’s an element of glamour to Gery Shalon’s story. The money, the fancy watches, the mansion, but there’s also an element of desperation. I mean, what was the point of all this besides just wanting more? How many hundreds of millions of dollars more did he need? From my point of view, it’s like none of these schemes seemed big enough for him. No amount of money seemed satisfying enough and at the end, it kinda seems like it was all an endless desire that eventually led to the destruction of Gery Shalon’s empire.

(OUTRO): [OUTRO MUSIC] If you love Darknet Diaries, stories from the dark side of the internet, then support it. Go to patreon.com/darknetdiaries and join the group of the most amazing people, the people who keep my network running. I talked with one Patreon member the other day and he told me he drove for eight hours while listening to the show. What’s funny is he only had to go to the store to get some bread but the show was so addicting that he kept driving around just to listen.

If that’s the kind of listener you are, then consider giving back to the show by supporting it at patreon.com/darknetdiaries. Join today and I’ll grant you special access to bonus content and an ad-free feed. Thank you. This show is made by me, the spider-buyer, Jack Rhysider. This episode was written by the crime-traveler, Fiona Guy. Sound design and original music was created by the graphical interface Andrew Merryweather; editing help this episode by the window-gazing Damienne. Our theme music is by the sound system Breakmaster Cylinder. Even though back in my day we didn’t have USB; we only had USA, this is Darknet Diaries. [01:25:00]

[OUTRO MUSIC ENDS]

[END OF RECORDING]

Transcription performed by Leah Hervoly www.leahtranscribes.com