U.S. authorities have arrested a fugitive who (allegedly) was part of one of the largest cybercrime enterprises in history.
Joshua Aaron was taken into custody upon his arrival at JFK airport. He joins alleged co-conspirators Gery Shalon and Ziv Orenstein, who were extradited to the U.S. earlier this year. Together, they are accused of running a vast and innovative international crime ring.
Their alleged crimes are noteworthy for their scope, duration, and ingenuity.
And the staggering amount of illicit cash that they generated — hundreds of millions of dollars — has ominous implications for any organization with web assets to protect.
The scam ran successfully for years. From 2012 to 2015, the hackers targeted dozens of companies, including brokerage firms, banks, and financial publication houses.
They successfully penetrated at least nine firms, including JP Morgan Chase & Co, Scottrade Financial Services Inc, Dow Jones & Co., and E*Trade Financial Corp. They stole at least 100 million customer records, including 83 million from JP Morgan Chase & Co alone. The records included contact information such as names, phone numbers, and email addresses.
And that’s where the story gets interesting.
Data theft is a two-step process. Stealing the data is only the first step. Converting it into cash is the second step, and is arguably the more important (and the more difficult) of the two.
In this case, the hackers could have just sold their stolen data on the black market. There are plenty of criminals who purchase such data to use it for identity theft and other types of fraud.
But this isn’t as profitable as it used to be. Large-scale data breaches have become very common. (In 2016 alone, we’ve seen the announcement of over one billion compromised records, and the year isn’t even over yet.) As a result, the black market has a glut of stolen data for sale.
And these men had much bigger aspirations than merely reselling their data anyway. According to authorities, they monetized it on a breathtaking scaleinstead — perhaps more so than any previous hackers have ever done.
Here is just some of what they did with the stolen contact data:
- They ran a massive email pump-and-dump scam, manipulating stock prices for dozens of publicly-traded companies.
- They profited from fake pharmaceuticals.
- They profited from fake anti-virus software.
- They profited from illegal internet casinos.
- They set up an unlicensed bitcoin exchange, and used it to process payments for ransomware attacks.
- To aid in their money laundering, they even acquired control of a New Jersey credit union with $150,000 in bribes.
Their criminal enterprise was massive. Keeping it running required 75 companies, bank, and brokerage accounts around the world. They had hundreds of employees and co-conspirators. Their operation spanned more than a dozen countries.
And most importantly, they ultimately harvested hundreds of millions of dollars from their illicit activities.
These men set an impressive new standard for cybercrime monetization.
And that’s an ominous development for any organization with web assets to protect.
The world’s black hat community now understands that a decent-sized data breach, when monetized correctly, can be insanely profitable — far beyond the normal prices offered for stolen data on the black market.
The potential rewards for cybercrime are suddenly much higher. And that will increase the scale, tenacity, and technical sophistication of attempted hacks from now on.
Photo credit: Manuel De La Pena