On Tuesday federal prosecutors unsealed charges against three men, revealing details of a sprawling criminal enterprise that involved hacking some of the US' biggest financial institutions as well as the theft of personal information pertaining to 100 million customers. With that information, the men allegedly made off with hundreds of millions of dollars.

Although the indictment does not name the hacked financial institutions directly, Reuters reports that JP Morgan Chase, ETrade, and News Corp. (which owns The Wall Street Journal) have confirmed that they were party to the crimes described by the indictment.

The newly unsealed charges (PDF) accuse Gery Shalon, a 31-year-old Israeli, of masterminding the hacks that resulted in the loss of personal information pertaining to some 100 million customers of US financial institutions and accuse Joshua Aaron, a 31-year-old American, of acting as a co-conspirator in the hacking operation. Ziv Orenstein, a 40-year-old Israeli, allegedly operated illegal casinos and payment processors with Shalon and controlled shell companies for Shalon. Both Shalon and Orenstein were arrested in July; Aaron remains at large.

Chief among the allegations is that Shalon and Aaron used their unauthorized access to financial institution networks to artificially manipulate certain US stock prices through a “pump-and-dump” scheme. The two allegedly used lists of personal customer information to market stocks, allowing Shalon and Aaron’s criminal operation to sell high despite the stocks’ actual value. As the operation sold its shares, the stock’s price plummeted, leaving defrauded investors with “significant losses,” the indictment says.

US authorities also charged that Shalon and his co-conspirators operated illegal gambling websites, processed payments for criminals selling anything from illegal pharmaceuticals to malware, and operated an illegal US-based Bitcoin exchange that ran afoul of US anti-money laundering laws.

These activities apparently earned the group hundreds of millions of dollars between 2007 and July 2015, “of which Shalon concealed at least $100 million in Swiss and other bank accounts,” the indictment says.

The suspects are thought to have used more than 200 fraudulent identification documents, including 30 false passports, to control at least 75 shell companies as well as numerous bank and brokerage accounts around the world.

The indictment said that Shalon bragged about his manipulation of securities markets in communications with his partners, saying that getting Americans to buy US stocks was “like drinking freaking vodka in Russia.”

International hacking

Today’s unsealed indictment also paints an interesting picture of how some of the network intrusions allegedly occurred. The US Attorney General claims that Aaron was a customer of many of the hacked companies, and he gave his login credentials to Shalon and an unnamed co-conspirator who performed analysis of the companies' networks. Shalon and the co-conspirator later accessed the companies’ networks and placed malware on them to allow them to steal information about customers over a period of months. Back in August, The New York Times reported that the suspected hackers had stolen a JP Morgan employee's credentials and were able to access the company's network because one of its servers did not have two-factor authentication turned on. The indictment did not confirm or deny that version of events.

By 2014 Shalon and Aaron apparently set their sights on bigger cons and tried to hack into a company identified in the indictment only as “one of the world’s largest financial services corporations, providing mutual fund, online stock brokerage and other services, with headquarters in Boston, Massachusetts.”

The indictment charges that “In April 2014, Shalon and his co-conspirators unlawfully accessed the network of Victim-2 by exploiting the Heartbleed vulnerability, which had, at that time, just been widely identified as a previously unrecognized security vulnerability that existed in computer network servers on a widespread basis.” It notes that the financial institution in question closed the vulnerability “shortly” after Shalon and his partners allegedly exploited it.

The hacks were also intended to score Shalon and his co-conspirators access to e-mails belonging to company executives and online gambling competitors. At one point in 2012, Shalon allegedly directed DDoS attacks at online gambling competitors to shut down their operations. In another incident, Shalon apparently read the e-mails of executives at the companies that supplied operating software for Shalon’s gambling websites.

Global conspiracy

Shalon and Orenstein are also accused of processing payments for people and companies who were unable to work with US financial institutions because of the illegal nature of their business. The two defendants allegedly opened a variety of bank accounts in countries around the globe through which to process debit and credit card transactions and “colluded with corrupt international bank officials who willfully ignored” the criminal nature of the defendants' business.

When bank fraud detection activities pinpointed Shalon and Orenstein’s operations over the years, they imposed what amounted to millions of dollars in penalties which the two men allegedly paid. However, the indictment describes a constant race to establish new bank accounts, shell companies, and identities to keep the banks at bay. Allegedly, Shalon and Orenstein changed codes on transactions to make payments for illegal goods look like they were going to legal companies selling wedding dresses or other merchants, including one called “houses4petz.com.” The alleged money laundering operation brought in $18 million in processing fees.

At some point, Shalon and unnamed co-conspirators began hacking into the e-mails of employees of a merchant risk intelligence firm to stay ahead of banks looking to shut their operations down, the indictment claims.

Shalon was also accused of running an illegal Bitcoin exchange based in the US with Anthony Murgio, who was charged separately.

In a press release, Manhattan US Attorney Preet Bharara said, “The charged crimes showcase a brave new world of hacking for profit. It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate. This was hacking as a business model.”