Getty Images

It has become a familiar pattern: The computer system of a big American company is breached, the personal information of tens of millions of customers is stolen and a public outcry ensues. Rarely are the thieves caught. But last summer's attack on JPMorgan Chase — which resulted in hackers gaining access to email addresses and phone numbers for 83 million households and small businesses — may break that pattern of investigative dead ends in large corporate breaches. Federal authorities investigating the attack at JPMorgan are increasingly confident that a criminal case will be filed against the hackers in the coming months, said people briefed on the investigation. Law enforcement officials believe that several of the suspects are "gettable," meaning that they live in a country with which the United States has an extradition treaty. That would not include countries like Russia. Indictments and arrests would be a notable victory for the Federal Bureau of Investigation and Preet Bharara, the United States attorney in Manhattan. In contrast, there have been no criminal charges in a December 2013 breach at Target, where payment card data for 40 million customers was stolen, along with the personal information of 70 million customers, or in the major attacks against eBay and Home Depot involving hundreds of millions more customers last year. Although the breach at JPMorgan did not result in the loss of customer money or the theft of personal information, it was one of the largest such attacks against a bank and a warning sign that the American financial system was vulnerable.

Officials with the F.B.I. and Mr. Bharara's office declined to comment on the investigation. The JPMorgan case is advancing quickly partly because the attack was not nearly as sophisticated as initially believed, and law enforcement authorities were able to identify at least some suspects early on, said the people briefed on the matter, who spoke on the condition they not be named because they were not authorized to discuss the case. Law enforcement officials also made the investigation a top priority given that the Department of Homeland Security has declared the banking system critical infrastructure, requiring additional protection from digital attacks. The JPMorgan investigation is being handled at the highest levels of law enforcement, with the F.B.I. in New York assigning several senior agents to the matter along with a top prosecutor with the computer crimes division of Mr. Bharara's office, the people briefed on the matter said. Read MoreUS is a 'country of mushrooms' when it comes to cybersecurity Thomas Brown, a senior managing director with FTI Consulting and a former chief of the computer and intellectual property crime unit for Mr. Bharara, said law enforcement tends to aggressively pursue cases where it has a better chance of sending a message of deterrence. "The government has finite resources to deal with cybercrime and as a result tends to look for cases which can create maximum impact," Mr. Brown said. The intensifying hunt for the JPMorgan hackers comes as the bank, which has said it spends about $250 million a year on digital security and plans on doubling that in the future, wrestles every day with securing its vast global network. An internal assessment of the bank's security found that by the end of 2014 the bank had made "significant progress" in reducing "severe patch issues" in its digital network, but still had critical issues to address. The January report to the bank's cybersecurity business control committee — a copy of which was reviewed by The New York Times — also noted that one server did not have the latest antivirus protection, but that it was being upgraded. Patching holes in the bank's network is critical because hackers exploited such vulnerabilities to gain access to JPMorgan in the first place. Attackers breached a server that had not been upgraded with so-called two-factor authentication, The Times previously reported. Double authentication schemes, which are now considered industry standard, require a second, one-time password for employees to gain access to a secure system. Without that second password requirement, hackers were able to breach a server using the stolen login credentials for a bank employee. Once inside, hackers gained high-level access to more than 90 servers, but they were stopped before they could move customers' financial information to their servers abroad. The internal review also noted that JPMorgan recently increased its requirements for giving people the highest level of access to the bank's network. It did so, according to the review, to minimize the risk of "catastrophic technical or reputational damage to the firm." JPMorgan now limits so-called "high security access" to bank employees who must submit to annual credit screenings and criminal background checks. The bank now also conducts a "routine review" to make sure that high security access is justified for a particular person. A JPMorgan spokeswoman declined to comment for this article. Federal authorities said the lack of prosecutions in big breach cases is often a reflection of the fact that the attackers are cloistered away in countries where the ability to make arrests is limited.