Darknet Diaries - 76: Knaves Out

Episode Date: October 13, 2020

This is the story about how someone hacked into JP Morgan Chase, one of the biggest financial institutions in the world. It's obvious why someone would want to break into a bank, right? Well... the people who hacked into this bank did not do it for obvious reasons. The hackers are best described as knaves, which are tricky, deceitful fellows.

Sponsors

Support for this show comes from LastPass by LogMeIn. LastPass is a great password manager, but it can do so much more. It can set up 2FA for your company, or you can use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14-day free trial.

Support for this episode comes from SentinelOne, which can protect and assist with ransomware attacks. On top of that, SentinelOne offers threat hunting, visibility, and remote administration tools to manage and protect any IoT devices connected to your network. Go to SentinelOne.com/DarknetDiaries for your free demo. Your cybersecurity future starts today with SentinelOne.

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

For a complete list of sources and a full transcript of the show visit darknetdiaries.com/episode/76.

Transcript
Starting point is 00:00:00 To build a successful business, you need a good business plan, a carefully thought-out, step-by-step guide to launch, develop, and expand. You need good people, too, people you trust and can rely on. But the Internet has changed how people become entrepreneurs. It's made it easier to find good help and easier to find customers. Digital technology and the Internet have created a whole range of new opportunities for businesses and entrepreneurs. But there's a flip side to these innovations, a darker side. You see, the criminal underworld has also benefited from the explosion of digital technology and the internet. Criminals
Starting point is 00:00:35 make business plans too. They build networks and work together to advance their illicit agendas. When greedy criminals set out to execute a business model armed with the powers of the internet and a hacker or two, they can achieve astounding criminal feats. And the thing is, it's not easy to catch a cybercriminal. Hacking is mostly invisible. It's quiet, secretive, and always done under the cover of the internet. It's like the perfect burglary that takes place in pitch black. There's no trace of the perpetrator on the CCTV camera footage, no fingerprints, and no leads. With hacking, it's all digital, so whatever virtual fingerprints you might have left behind can be covered up, deleted, or hidden. This is why so
Starting point is 00:01:16 many cyber criminals get away with their crimes. This is a story about a group of very savvy businessmen who made a fortune exploiting people online. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries. This episode is sponsored by Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online.
Starting point is 00:02:13 Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless. And it's not a fair fight. But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete Me. Delete Me is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately
Starting point is 00:02:38 got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries.
Starting point is 00:03:16 Use code darknet. In July 2014, Hold Security, a small firm that specializes in external cyber threat intelligence, made an unbelievable discovery. This small firm, which supposedly monitors the dark web for hacker activity that may be a threat to their clients, reported to the New York Times claiming to have found a credential dump containing 4.5 billion usernames and passwords on the dark web. Now, 4.5 billion usernames and passwords is just a crazy amount of credentials. When HoldSecurity filtered out duplicates, they were left with 1.2 billion credentials. But still, a credential dump that large would be the biggest credential dump ever found. The New York Times ran with this story, but the security community was pretty skeptical. First, everyone wanted to see what was in the dump, but Hold Security
Starting point is 00:04:10 wouldn't reveal this data to anyone. Later, Hold Security announced that for a $120 fee, they would tell companies whether the dump included credentials from their websites. Huh. So with Hold Security claiming they had one of the largest dumps ever and not sharing it with anyone, except a few people who paid to search for their own names, it was just a little hard to trust. Alex Holden, the CEO of HoldSecurity, was interviewed by Forbes. This is what he said. Tom, let me try to clear up the criticisms here. There are two different pieces to this puzzle. First of all, we have 1.2 billion credentials that belong to about half a billion email addresses, unique email addresses. And these are the individuals who entrusted their credentials to different web services, websites.
Starting point is 00:05:03 And these credentials were stored on those websites. Unfortunately, through no wrongdoing on the individual side, this information had been stolen by the hackers. So these individuals are the ultimate victims in this particular crime. Later, Holds Security released a summary report of the dump. They said the dump was from 420,000 different websites that had been breached, some of which were Fortune 500 companies. The report listed some of the companies that were breached, and they called the group that
Starting point is 00:05:37 stole this data cybervore, which means cyber thief in Russian. 420,000 websites is a huge proportion of the entire World Wide Web. So at this point, even I think this dump sounds a bit ridiculous to me, because it just doesn't add up. But let's switch gears for a second. Imagine you're part of a IT security team at the JPMorgan Chase Bank. You work for the biggest bank in the U.S. and the sixth biggest bank in the world. Your bank pretty much dominates the financial sector in terms of investments and banking. Imagine you're one of JPMorgan Chase's 250,000 employees scattered across 171 offices in 39 different countries. And imagine you're part of the team that's responsible for protecting data in this bank, which has an annual revenue of $115 billion, of which about $10 billion is Thank you. I'm not sure if any company spends more money on security than JPMorgan Chase. But either way, they aren't messing around when it comes to protecting their networks.
Starting point is 00:06:48 So, if you were on the IT security team of JPMorgan Chase, and you saw that HoldSecurity released a summary report, would you take a look to see which companies had been breached? Of course you do. It doesn't matter if it's real or not. If your company is spending every dollar it can to do everything to protect the network. You'd definitely be looking at this report. You'd be looking at every report that might have anything to do with JPMorgan Chase's IT security.
Starting point is 00:07:14 So that's just what happened. An IT security analyst at JPMorgan Chase did read Hold Security's report. In it, Hold Security claimed the website for a charity race sponsored by J.P. Morgan, called Corporate Challenge, was breached. This site had been used by J.P. Morgan employees to register for the race. It was hosted by a company called Simcoe Data Systems. As it happened, Simcoe Data Systems was also mentioned in the Hold Security report. It claimed that Simcoe had been breached too. Huh. So if JPMorgan Chase employees were registering at that site,
Starting point is 00:07:53 then it's possible their data was stolen. And this caused the IT security analysts at JPMorgan Chase to look into this a little more. So the security team at JPMorgan Chase contacted Simcoe Data Systems to investigate the claims made by Hold Security. Simcoe Data dug around their network logs and confirmed that the Corporate Challenge website was hacked and breached. The hackers had stolen an SSL certificate from the site, and the hack was executed through a few IP addresses that had been creeping around the network without any legitimate reason to be there. Two techs from the JPMorgan
Starting point is 00:08:30 Chase office in Columbus, Ohio went over to Simcoe Data Systems' office in Michigan to get copies of any forensic data they could find. They wanted to know exactly what had been stolen and understand the indicators of compromise. As the JPMorgan Chase security team was collecting data from Simcoe, they were using this data, including IP addresses, to search their own logs for any similar activity. They were looking for any trace of a breach and any sign of activity from the IP addresses associated with the Simcoe data breach. And sure enough, they found the same 11 IP addresses that had been used to execute the Simcoe breach had also been used to attack JPMorgan Chase. What's more, some of these attacks against JPMorgan Chase had been successful. The biggest bank in America had been hacked, and they never even knew it happened. At this point, JPMorgan Chase contacted the FBI and handed over these IP addresses to the Financial Services Information Sharing and Analysis
Starting point is 00:09:32 Center. This is an organization that circulates this kind of data to banks and financial institutes so they can check whether they have been breached. Up until this point, JPMorgan Chase had kept this whole situation under wraps while they were working to figure out what was going on. But this kind of breach is a huge deal, and they weren't going to be able to keep quiet about this for long. We don't know exactly how the hackers jumped from the charity's website into the bank's servers. But I've got a few theories. First, it's possible that the hacker gained access to this Corporate Challenge charity site. How? Possibly by hacking through Simcoe Data Systems, which was the hosting provider for the Corporate Challenge charity site.
Starting point is 00:10:13 So if the hosting provider got hacked, then the hackers would have access to the back end of all the other websites that hosting provider hosts. So if they got into the Corporate Challenge website that way, they could have accessed the credentials for all the JPMorgan employees that were registering on the site. And maybe some of those username and passwords were the same usernames and passwords used to log into JPMorgan Chase's network. This kind of tactic would likely work because so many people reuse passwords on multiple sites. Any JPMorgan employee who used their JPMorgan network password on another site would have made their network vulnerable for this kind of attack. So that's one theory. The other is that this hacker crew might have targeted an IT admin at JPMorgan Chase through spear phishing or some other attack that got them remote access into the admin's computer. And if a hacker was able to
Starting point is 00:11:01 do that, they'd be able to steal that IT admin's network credentials and do whatever they want from there. Either way, what we know is that this hacker group did have a valid login to a JP Morgan server. And with that, they were able to get past the huge front gates of this super secure JP Morgan Chase network. But once they got past the front gates, they still needed to figure out where to go. It's as if they broke into a bank but didn't know where the safe was. They were just wandering through the network, and they hadn't actually gained access to anything valuable yet. There was an old server that the bank used to manage employee benefits data. It was still running, just not used very often. See, there's 250,000 employees at JPMorgan Chase, and they're using
Starting point is 00:11:45 about a half a million computers in this network. It's not easy for such a large company to manage half a million computers. And in this case, the employee benefits server had been neglected. It wasn't updated with the latest security patches and features, and it wasn't set up for two-factor authentication, which would have required users to enter a time-sensitive token code with their password to get in. The hackers discovered this server on the network and used their stolen credentials to log in. This is a perfect example of when two-factor authentication
Starting point is 00:12:18 probably would have stopped these hackers from getting any further into the network. Anyway, once a skilled hacker establishes access to a network, they're going to want to create a persistent connection and elevate their privileges. They'll need a persistent connection in case their connection gets dropped, then they have a guaranteed way to get back into that server. So the hackers created a backdoor into the JP Morgan Chase network. This was a point of access that only the hackers would know about, but the security team wouldn't be able to detect them. Once they did that, they began crawling around the network, looking for something in particular. They slowly made their way towards the systems they were after.
Starting point is 00:12:55 They were good, hiding their tracks, doing things just the right way to avoid setting off alarms, and avoid being detected by antivirus scans. For months, these hackers had been creeping around, quietly accessing databases and exporting data to their own servers as they went along. And all the while, they were silent and invisible. In all, they breached over 90 of JPMorgan Chase's servers, which included multiple databases used to store customer information. This story became public on August 27, 2014, when Michael Reilly and Jordan Robertson reported on this hack in an article in Bloomberg.
Starting point is 00:13:34 They revealed that there had been a successful breach at JPMorgan Chase, and they said it was the work of Russian hackers. The accusation that this was a nation-state attack on U.S. financial infrastructure grabbed the attention of the U.S. financial system. Could it be that Kremlin-sponsored hackers had managed to get inside the networks of JPMorgan Chase, breach layer after layer of security, and make off with tons of customer data without JPMorgan Chase knowing anything about it? It wasn't until the bank filed a disclosure with the Security Exchange Commission on October 2nd that we learned more details about this hack.
Starting point is 00:14:10 And it was way worse than anyone thought. The hackers had accessed multiple customer databases and stole 83 million personal identifiable records of JPMorgan Chase's customers. These records were associated with 76 million households and 7 million small businesses, pretty much all located in the U.S. To put that into context, in 2014 there were something like 127 million U.S. households. So that's around 60% of all U.S. households
Starting point is 00:14:41 that got their information stolen from this hack. The idea that Russians were behind this hack and that they were probably state-sponsored wasn't all that surprising. I mean, just a few months before this, the U.S. had put a load of heavy sanctions on Russia's financial infrastructure. See, in 2014, that was the year when Putin decided he wanted to take the Crimea Peninsula from Ukraine. Putin dispatched scores of masked, armed
Starting point is 00:15:05 soldiers to Crimea, and they seized the territory, raising Russian flags, and then went on to take control of the cities and the Supreme Council building. The Supreme Council is sort of like the Crimean Parliament. The current PM was booted out, and a new one was voted in. Although there were some good reasons to doubt the fairness of this election, this was the most blatant land grab in Europe since World War II. Russia's invasion of Crimea stirred up a whirlwind of controversy. The U.S. and EU, and of course Ukraine, strongly condemned Russia's tactics and said that Putin had violated multiple local and international laws. So the U.S. and EU imposed sanctions against Russia. And these sanctions
Starting point is 00:15:46 threatened to tip the already fragile Russian economy into recession. The U.S. and EU intended for these sanctions to force Putin to relent and relinquish control of the Crimean Peninsula back to Ukraine. But Putin wasn't having any of it. He denounced the U.S. and EU for imposing these sanctions, which he said was just another example of aggressive U.S. foreign policy. And he warned that Russia may retaliate against these actions. So it seemed possible that the hack on JPMorgan Chase was the first volley of Russia's retaliation. Here's a clip from CNN discussing the very idea. The FBI is investigating a series of cyber attacks against U.S. banks thought to be coming from Russia.
Starting point is 00:16:27 Hackers are believed to have accessed sensitive information from several financial institutions, including banking giant JPMorgan Chase. Could this be retaliation for Western sanctions against the Russians? Christine Romans is here with more. Is this retaliation? Well, that's what the investigation is going to have to really zero in on here, quite frankly, Allison. A U.S. official tells us that the location of the hacker still isn't clear. But given the sophistication of this, the cybersecurity community is saying this investigation appears to center
Starting point is 00:16:55 and should definitely center on Russia. Now, hackers from Russia are often top FBI suspects, and the timing of the hack has raised suspicions given recent U.S. sanctions against Russia. Also, still this big question, the motivation. Still unclear if the attack was financially or politically motivated or if it was some sort of espionage. Banks have very tough security.
Starting point is 00:17:13 Getting through that and getting account information, getting so much information, definitely not an easy task. Now, in response to this breach, JPMorgan said, companies of its size experience cyber attacks every day, and the bank has measures to protect itself. And again, the FBI U.S. officials are investigating just what the cause was of this cyber attack. For JPMorgan Chase, this attack came at the tail end of a really bad year. They lost a heap of staff in the previous months. In 2013, their chief information officer resigned and took
Starting point is 00:17:45 a position as the CEO of a payment processor called First Data. And around this time, five other senior staff from JPMorgan Chase also quit. This included the information officer and chief of security for their IT teams. In early 2014, a new chief of security was appointed, James Cummings. He helped to recruit a new information officer, Gregory Rattray. So when this hack was carried out in July 2014, the top IT leadership had only been in place for about six months. Both Cummings and Rattray were former U.S. Air Force, and they were both convinced that this attack was state-sponsored and probably executed by Russians.
Starting point is 00:18:25 And they thought this hack represented a threat to U.S. national security. I have to wonder, though, whether their military training and experience biased their interpretation of this hack. After all, they would have been used to dealing with state-sponsored attacks while in the military. So it's not like this hack couldn't have been what Cummings and Rattray thought it was. But the problem is the FBI's analysis just didn't match up with Cummings and Rattray's. The FBI had several specialist units working on this hack. They pulled in their cybercrime unit, the Secret Service, and Homeland Security to investigate this attack. And all of this analysis wasn't enough to convince the FBI that the hack was executed by a nation state, or that there was a clear threat to national security.
Starting point is 00:19:11 So that set off this weird political drama over the data that had been stolen from JPMorgan Chase. See, there was this system in place that was supposed to capture any stolen data in a hack like this. Think of it like a CCTV system that you could rewind and watch back if you knew something bad happened. But according to Bloomberg sources, this system didn't have enough storage at the time of the attack. So even though they collected the data at the time of the attack, they didn't have it anymore. And on top of that, maybe because of political drama around who committed this hack, JPMorgan Chase didn't want to hand over the data they did have from the hack to the FBI. Things were starting to get out of hand, and none of this was helping to solve the actual problem that millions of JPMorgan Chase customer records had
Starting point is 00:19:54 been compromised. Two weeks after the hack had been discovered, the assistant director of the FBI's cyber division, Joseph Demarest, had a conference call with JPMorgan Chase's COO, Matt Zames, James Cummings, and Gregory Rattray. Cummings and Rattray, the Air Force veterans from JPMorgan Chase's IT department, were pushing for the hack to be deemed a threat to national security. And if they got their way, the U.S. Department of Justice would excuse them from any obligations to tell their customers about the hack. The idea of this policy is that if a hack is a threat to national security, then it should be kept quiet as possible while it's being investigated.
Starting point is 00:20:31 But in the end, the FBI thought it was more likely that this hack was done by a group of clever and skilled criminal actors, rather than a nation-sponsored threat actor. JPMorgan Chase and the FBI reached a truce. JPMorgan Chase handed over all the data they collected during the hack so the FBI could conduct a thorough investigation. But geez, this was a bumpy ride to get there. Jordan Robertson, the journalist from Bloomberg who originally broke this story, talks about what happened between JPMorgan and the FBI. One of the questions we set out to answer eight months ago when this breach occurred
Starting point is 00:21:08 was why we were hearing such a different story from folks who were familiar with the bank's investigation, which they said the Russian government was believed involved, versus the law enforcement investigation, which was indicating a criminal attack. And the answer to that is, you know, the bank is staffing up on, you know, former senior military officials, cyber warriors, and they come to these problems with a very specific, you know, mindset about who's responsible for hacking. And, you know, there's a fundamental difference between studying attacks on military infrastructure versus studying attacks on the private sector. The private sector faces a lot more for-profit criminal activity than the military does, and that really animated the bank's investigation.
Starting point is 00:21:51 Very interesting. Now, the military approach, that's led to some problems, Jordan, right, that you found out, including some clashes internally but also with the FBI as well, right? Yeah. You know, what happens is, you know, you hire people who are really great at offensive cyber operations and they're great network attackers. Defending a network is a whole other matter and dealing with law enforcement beyond that is another matter entirely. And what we found was that the bank repeatedly clashed with the FBI and the Secret Service over information
Starting point is 00:22:21 sharing. The Secret Service went so far as to threaten to subpoena the attack data because they believed they were not getting it in a timely fashion. And a senior FBI official, you know, had to intervene on his agent's behalf to facilitate that information sharing more quickly. So there were clashes, you know, at multiple levels. And a lot of it traces back to this difference in mindset between the military and private sector. So now the FBI were hunting down these hackers using the IP addresses JPMorgan Chase and Simcoe data systems had found on it. It was hard for investigators to track this attack because the hackers deleted most of the log files that would have left breadcrumbs, revealing their activity in the network. Early in the investigation, it was suggested that the hackers spoke Russian,
Starting point is 00:23:05 but I'm not sure whether they had any actual evidence of that. Now, what about these IP addresses the hackers were using? Well, investigators started tracing these back and found the IPs were from different countries all over the world. The computers that had launched these attacks were located in Russia, Egypt, Czech Republic, South Africa, and Brazil. And all of these IPs belonged to hosting providers who were in the business of renting servers to whoever wanted them. This is a simple way to hide your tracks as an attacker. You don't want to do all this hacking from your own office or house.
Starting point is 00:23:36 You want to rent a server on the other side of the planet and use that to carry out your hacks. So the hackers had rented one server in Egypt, which they used on some of these hacks. And get this, the day after the news broke about JPMorgan Chase, the hackers stopped using that server in Egypt and canceled that account. It seems like whoever was behind this was watching the news and knew they were about to be hunted. While all these investigations were going on, there were reports coming out of other
Starting point is 00:24:05 financial companies across the U.S. Slowly, these reports started to paint a bigger picture. JPMorgan Chase wasn't the only target. The same hackers had hit multiple other financial institutions. By October 2014, investigators believed the same hackers had hit at least 12 or 13 other financial institutions. But from what I can tell, none of these companies have officially come forward about these breaches. But reports are naming some pretty specific banks, including Fidelity Investments, ADP, HSBC, Citigroup, and Bank of the West. They had all found signs that these IP addresses from the JPMorgan Chase hack had also been sniffing around inside their network. Now the financial industry was really starting to get worried.
Starting point is 00:24:55 Some of the banks only found evidence that the hackers had entered the network and had poked around, but others found signs that stuff was stolen. Here's journalist Emily Glazer from The Wall Street Journal. Yeah, so right now we know that Fidelity and E-Trade are on that list of 13 financial institutions, including J.P. Morgan. We had reported earlier yesterday that Citigroup, HSBC, ADP, the payroll processor, and regional lender Regions Financial were also spotting traffic from alleged hackers linked to J.P. Morgan. So there is a lot going on here, and it's very fluid. FBI already involved on site at J.P. Morgan, we reported.
Starting point is 00:25:35 Secret Service, NSA, Benjamin Lawsky, the top New York financial watchdog, and SDNY, the U.S. attorney based in Manhattan. So there are a lot of regulators and prosecutors either examining or investigating this. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help.
Starting point is 00:26:13 But the founder of the company, John Strand, is a teacher. And he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers
Starting point is 00:26:37 to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com.
Starting point is 00:27:10 So it's early 2015, seven months after the hack, and the JPMorgan Chase security team is still working on the investigation. Internally, they were calling it the Rio investigation. They hired outside experts plus some tech executives to form a control board panel. The job was to meet every two weeks and figure out just how this hack was going to affect JPMorgan Chase and their customers. And they also needed to make sure these hackers could never get in the systems again. The year all these financial companies got hacked was a pretty big year for large data breaches. Target was breached at the end of 2013, and they had 40 million customer credit card records stolen. eBay was hacked less than six months later in May 2014. Their customer database
Starting point is 00:27:50 was breached. In September 2014, while JPMorgan Chase was working on the Rio investigation, Home Depot discovered they'd been hacked too. A heap of credit card information from their customer database appeared on the dark web. Investigators suspected that the same people were behind both the Target and Home Depot hacks, but they still had no idea who those hackers were. And the truth is, many hackers working at this scale don't ever get caught. But in the middle of 2015, things started to get weird for the Rio investigation. On July 21st, the Israeli police made two coordinated arrests in Israel at the request of the FBI. Now remember that date, July 21st, 2015. It's going to come up a few other times in the story. So the police arrived unexpectedly at the homes of 31-year-old Gery Shalon and 40-year-old Ziv Orenstein.
Starting point is 00:28:41 They were both arrested and charged with securities fraud, which is basically illegal stock market manipulation. Now, Gery Shalon is a bit of a flashy guy. He lives in a $6 million mansion in the very posh Savyon suburb of Tel Aviv. This is kind of like Israel's version of Beverly Hills, where all the celebrities live. His closets were full of expensive tailored suits, and the police found half a million dollars in cash in his house when he was arrested. Ziv Orenstein, who lived in Bat Hefer, about 29 miles away, may have been wealthy too, but he was more low-key. Both of these guys are Israeli citizens,
Starting point is 00:29:19 and in 2009 they established a web marketing company called Webologic Limited. Gary was the manager of this company, and Ziv wasn't listed as being involved with Webologic, at least on the books. Still, the Wall Street Journal reported that there were 30-odd employees that worked there, and they all knew Ziv was really the guy in charge. As part of the securities fraud investigation, the Israeli police seized all electronic devices in both Gary and Ziv's houses and the Webologic offices. Now, there was this third guy involved in all this. The Israeli police also raided the house of 31-year-old Joshua Samuel Aaron at the same time. But when they went to his
Starting point is 00:29:57 house, he wasn't home. He had been in Russia, but he was supposed to be back in Tel Aviv at the time of the arrest. There was no sign of him at all. So they report back to the FBI that they didn't get Joshua. And so Joshua becomes a wanted man. And get this, at the same time that Gary and Ziv are arrested in Israel, the FBI coordinated a simultaneous raid in Florida. They arrested Anthony Murgio and Yuri Lebedev for running an illegal Bitcoin exchange called Coin.mx. So what do these arrests have to do with major U.S. bank hacks? Well, on that same day, July 21st, Preet Bharara, U.S. Attorney for the Southern District of New York, unsealed an indictment against Gary, Ziv, and Joshua.
Starting point is 00:30:41 Bloomberg News and the New York Times published some wild claims. They reported that a leaked internal FBI memo had linked Joshua, the man on the run from Israeli police, and Anthony, the man arrested in Florida, to the JPMorgan Chase hack. The memo said there was evidence of Joshua logging into the servers that were used for these hacks. On the same day, we also find out exactly what they stole. I mean, these people attempted to get into 12 banks and they successfully got into a few of them. They must have done this for monetary gain, right? But did they steal any money? No. I mean, I can think of a number of ways they could have stolen money. Obviously, a bank the size of JPMorgan
Starting point is 00:31:21 Chase has a lot of money in it, and the hackers could have moved some of that money around. Okay, but there's other ways they could have made money too, like the Chase Bank gift cards. Imagine if they got into the database of those, or prepaid debit cards, or they could have manipulated the bank's reward point system. Imagine if they set their own accounts to have like a billion reward points, and they could convert that to cash and just siphon money out that way. Or what if they instructed a ton of accounts to buy a certain stock, driving up the price? There are a ton of things they could have done while in the bank's networks. But all they did was steal customer database records. Specifically, they grabbed email addresses of bank customers. And I just don't understand that. Why go through all the effort
Starting point is 00:32:07 of breaking into the biggest and possibly the most secure company in America just to steal 83 million customer records? There's something more to the story. So things are pretty confusing at this point. We have three people who were supposed to be arrested in Israel, Gary, Ziv, and Joshua. They got Gary and Ziv, but Joshua wasn't home. Then at the same time, two people were arrested in Florida, Anthony and Yuri. The two Israelis were arrested on charges of securities fraud,
Starting point is 00:32:37 and the Florida men were arrested on charges connected with the JPMorgan Chase hack and something to do with a Bitcoin exchange. Finally, some news agencies started reporting on an FBI memo suggesting that all five men were connected with this hack. So, were they the hackers or were they con men? What role did everyone play? It turns out the feds had started investigating this group shortly after the JPMorgan Chase hack was discovered. The forensic data that the FBI got from JPMorgan Chase had led authorities to Joshua. Somehow they got server logs that pointed them to his IP address, but they didn't know how involved he was, and they were pretty sure he wasn't in on
Starting point is 00:33:16 it alone. So they start digging around his life to see what he was doing and who he was associating with. And that's how they discovered Anthony, Gary, and Ziv. And these guys were looking pretty suspicious. So Joshua was the prime suspect who led investigators to the door of the others. And he's an American citizen. He grew up in Potomac in Maryland. He enrolled in Florida State University in 2002 and studied business. And that is where he met Anthony Murgio, who was later arrested in Florida. While at university together, they became pretty good friends, and being business students, they wanted to find ways to earn cash while in college. So they set up a money-making scheme, writing Google ads for affiliate commissions,
Starting point is 00:33:58 and they did pretty well at it too. They had other students working for them and they were making thousands of dollars a month. Not bad for a couple of college kids, actually. Joshua dropped out of his courses in 2005, but he stayed in touch with Anthony. Now, from there, Anthony's story actually goes on a wild and crazy adventure, totally tangential to this one, which is another story worth telling, but it doesn't quite fit this story. I mean, he was arrested in connection with this story, but Anthony tells me he was only arrested so the feds could get information on Gary. Because Anthony and Gary started a Bitcoin exchange together called Coin.mx. And they purposely hid from financial regulators and even went so far as to take over a credit union to look legit. So the feds swooped
Starting point is 00:34:41 in on Anthony for his illegal Bitcoin exchange and because they knew he was working with Gary. Okay, so back to Joshua, the man on the run. In 2013, Joshua set up an internet marketing business with a partner who had a history of defrauding stock markets. Apparently, this guy had been banned for life from the Financial Industry Regulatory Authority for marketing useless stocks, sort of a pump and dump kind of thing. You buy up an unknown stock, try to inflate the price of it, and when it's at its peak, you dump it and make a massive profit. But Joshua's partner got caught doing this and got banned. So after that fell apart, Joshua moved to Israel.
Starting point is 00:35:16 And it seems that's where he met Gary Shalon, and that relationship started. By 2014, Joshua and Gary were running their own stock fraud scam with Ziv Orenstein, who was one of Gary's associates. They had been running that Webologic business together in Israel. Now, the feds didn't think it was actually Gary, Joshua, or even Ziv that carried out these hacks, but it looked like they were working with whoever did. So as the feds investigated Gary, Ziv, and Joshua, they found these guys are up to their necks in scams and plots and may have been connected to some serious hacking. By October 2014, internally, the feds have totally rejected the idea that these hacks were state-sponsored by Russia. No, it wasn't the Russians. It was
Starting point is 00:36:03 this collection of conmen and fraudsters who've been operating huge scams under the radar for years. So let's take a look at this indictment that was unsealed by Preet Bharara on July 21st, 2015. It was a lawsuit brought by the SEC, the Securities and Exchange Commission. They're the U.S. federal agency that enforces securities laws. This lawsuit was brought against Gary, Ziv, and Joshua for six stock market scams they pulled off over the previous four years, and it included details about how much money they were making off these scams. Let's take a look at the first one.
Starting point is 00:36:38 They were buying stocks in a company called Southern Home Medical Equipment, a U.S. company based in South Carolina that provided health care services across the country. In May 2011, Gary and Joshua bought the company's stock at 1.7 cents each, not quite two cents per share. And they launched their own marketing campaign for this company, hyping it up, writing articles about how great it was and telling everyone that this company was about to go to the moon. Gary was the savvy business guy. He knew stocks inside and out. And Joshua was the marketer. He was great at selling anything. They successfully raised Southern Home Medical Equipment's stock price from just under two cents per share to 33 cents per share before selling off their stocks in the company. Their net value in that stock rose 1,800% in just six days. But the problem was that all the
Starting point is 00:37:29 marketing they did for this company was made up. They had faked the numbers and the news about this company in order to temporarily inflate the stock price. That's why this kind of market manipulation is illegal. If you've seen The Wolf of Wall Street, you may recognize this idea, because that movie is about a similar kind of scheme. The Securities and Exchange Commission sent two lawyers down to review our files. So I set them up in our conference room, and I had it bugged, and the air conditioning turned up so high that it felt like Antarctica in there. Then, while they were looking for a smoking gun in that room, I was going to fire off a bazooka in here, offering up our latest IPO.
Starting point is 00:38:08 An IPO is an initial public offering. It's the first time a stock is offered for sale to the general population. Now, as the firm taking the company public, we set the initial sales price and sold those shares right back to our friends. The idea... Look, I know you're not following what I'm saying anyway, right? That's okay. That doesn't matter. The real question is this. Was all this legal? Absolutely not. But we were making more money than we knew what to do with. Gary, Joshua, and Ziv were in the business of manipulating
Starting point is 00:38:38 the stock market and getting people to buy stocks based on false information. These scams are called pump and dumps because the scammers try to pump up the value to make a quick profit by dumping the stocks at a higher price. And here's how they did it. First, they forged documents so that they could present themselves as stockbrokers. So they were already working under false pretenses. Now, stockbrokers are like middlemen between investors and the stock exchanges. They help investors figure out what stock to buy, when to buy them, and they seek out good investment opportunities for their clients. These days, everything is digital and online.
Starting point is 00:39:12 So Gary, Joshua, and Ziv created newsletters, social media accounts, and websites to tell investors what shares to buy. These tools gave their investors the impression that if they followed Gary, Joshua, and Ziv's tips, their money would grow quickly. Sometimes they would fake the data on these articles and predict that a stock was going to rise in value, but they would actually backdate that article to make it seem like all their predictions came true. Their indictments showed that these guys were all using the classic scams. Since May 2011, they hit six microcap companies. They targeted one after another with their tried and tested schemes.
Starting point is 00:39:47 They hit each of these six companies using the same pump and dump formula. They'd buy the company while the stock was less than $5 each, and then they'd create a bunch of false hype about these stocks, resulting in a buyer surge that would drastically increase the trading volume and stock price within just a few days. In 2011, they made about $460,000 doing just three companies. Then they upped their game.
Starting point is 00:40:09 In February 2012, they hit a company called Mustang Alliance, which is a mining corporation. In just one week, they bought 2 million shares of Mustang Alliance, increased the share price over 65%, and then sold the shares for a $2.2 million profit. Altogether, they collected $3.5
Starting point is 00:40:27 million in just a couple years running these scams. But this wasn't their only racket. Gary was the head of operations and CEO of their company, Webologic. He had the final say on all these decisions, and he found a couple of stock promoters to bring in on these scams. Their job was to advertise and promote different stocks and shares all day long. And they would go hunting for companies that they knew could easily be promoted to be a pump and dump. But they did more than that. So in case you didn't know, there's a big difference between being a public and private company. Basically, it has to do with who owns the company. A private company is owned by some group of people, usually the founders or management group or private investor.
Starting point is 00:41:05 But a public company is a company that has sold some of its shares to the public through a stock exchange. This means that part of the public company is literally owned by members of the public, the people who have purchased shares in the company. And that's why they're called shareholders. Also, private companies can't sell shares of their company on the stock market. And it's actually really hard for a private company to become a publicly trading company. It's a long process that takes years.
Starting point is 00:41:30 Even for legit, fast-growing companies, they have to apply and be audited before they can be listed as a publicly trading company. And when that finally happens, they have an event called an initial public offering, or IPO. So I say all that because sometimes Gary would find private companies that seemed like they would be easy to falsely promote. He worked out a system to help these companies go public so that he could run his pump and dump scams using their shares.
Starting point is 00:42:00 Over the years, Gary created heaps of shell corporations. These are companies with no staff, no revenue, no office. These corporations only exist on paper. And Gary would go through the long, rigorous process of getting these corporations to go public and be able to approach private companies, pretend to be a legit stockbroker, convince them to do a reverse merger with his shell corporation, and that would fast track that company to be public trading on the stock market. Now this whole scheme is all upside for Gary. First, he's going to sell his shell corporation to some company. This could make him anywhere between a few thousand dollars to a few hundred thousand dollars. And because he created these shell companies, he was able to assign any amount of
Starting point is 00:42:49 company shares to himself or his friends like Joshua or Ziv. So if he did that, then before the actual scam even started, he would already have tons of shares in these companies. So he would sell his shell corporation to a company, and then that company does a reverse merger with it. And now that company is suddenly a publicly trading company. He did all this under the guise of being a helpful stockbroker just here to help them navigate going public. Then, once the reverse mergers were complete and that private company was now publicly trading, Gary's fake marketing campaign would ramp up and make the stock of that company boom. That's the pump. And right when the hype was about to fizzle out, Gary and Ziv and Joshua would sell all of their stocks, which they could have had from the very beginning. And that's the dump. If Gary was the CEO of this scam operation,
Starting point is 00:43:38 Ziv was his ops manager with some IT thrown in. Ziv bought up a heap of domains and built stockbroker websites that all looked legit. And he was the one who maintained all of the different brokerage accounts and the false documents for their schemes. He was the one keeping track of all the moving pieces. Joshua was like the communications and marketing manager. He wrote all the promotional materials that they used to market the companies. And with this systematic approach and with all the pieces ready to move, these scams were really just a matter of bombarding people with marketing and buying and selling stocks at the right times. Now, at this point, you might be wondering, how is any of this connected to the breach at JPMorgan
Starting point is 00:44:16 Chase? Well, we're almost there. Bear with me. See, over time, as these guys were marketing stocks, they were starting to do some email marketing. They would send people emails that said, amazing opportunity, small cap investment can double your money in weeks. Don't blow your shot at financial freedom. They would list a stock ticker symbol and make people feel like they had to buy this stock right away. You've probably seen these types of emails. I've received thousands of them myself. The way they work is that the sender of these scammy emails just buys a huge list of email addresses and blasts out millions of emails at a time. And that's what Gary's crew was doing at first. And that was somewhat successful, but they wanted to take their scam to the next level. They thought if they could get a list of email addresses of real stock market investors,
Starting point is 00:44:59 their spam would be much more effective. I mean, who better to advertise a stock tip to than people who are actively trading on the stock market? Traders are always looking for a hot stock, and they might just go ahead and buy some random stock that they saw in a scammy-looking email. And that brings us to JPMorgan Chase. It turns out that the whole JPMorgan Chase hack was about getting better leads for Gary's marketing campaign to make his pump and dump scams more profitable. That's right. Gary, Ziv, and Joshua wanted millions of stolen JPMorgan Chase customers' email addresses just to email them stock tips. Of all the absurd, off-the-wall, preposterous crimes, this one takes the cake. Three random scammers orchestrated
Starting point is 00:45:50 a hack into the largest bank in the U.S. just to make money on their pump-and-dump scams. Unbelievable! But their criminal activity went way beyond stock market manipulation. Stay with us, because after the break, we'll hear what else they did. This episode is sponsored by Shopify.
Starting point is 00:46:12 The new year is a great time to ask yourself, what if? When I was thinking, what if I start a podcast, my focus was on finding a catchy name, some cool stories, and working out the best way to record. But oh, so much more goes into making a podcast than that. If you're thinking, what if I start my own business? Don't be scared off, because with Shopify, you can make it a reality. Shopify makes it simple to create your brand, open for business, and get your first sale. Get your store online easily with thousands of customizable drag and drop templates, and Shopify helps you manage your growing business. Shipping,
Starting point is 00:46:46 taxes, and payments are all visible from one dashboard, allowing you to focus on the important stuff. So what happens if you don't act now and someone beats you to the idea? The best time to start your new business is now with Shopify. Your first sale is closer than you think. Established in 2025.
Starting point is 00:47:01 That has a nice ring to it, doesn't it? Sign up for your $1 per month trial period at shopify.com slash darknet. Go to shopify.com slash darknet and start selling with Shopify today. Shopify.com slash darknet. On the same day Gary and Ziv were arrested, July 21st, 2015, an Israeli newspaper reported that another indictment had named them both. But this time, it was for a huge illegal online gambling operation. An operation that was supposedly even bigger than the stock fraud scams they'd been pulling. When this report came out, the online gambling forums just lit up.
Starting point is 00:47:40 It turned out that Gary and Ziv were behind the well-known dodgy online casinos Effective and RevenueJet. These are actually groups of casinos owned and operated by companies called NetAd Management and Millore Limited and had dozens and dozens of online gambling websites. For years, the casino sites run by these two companies have been getting called out by the gaming review sites as being scams. The review sites actively warned players not to use Gary and Ziv's online casinos. In fact, in 2010, Casino Meister gave Effective Group the worst casino group award, citing their terrible customer service and failure to pay players their winnings. Now, all these sites under Effective and RevenueJet used gambling software called
Starting point is 00:48:20 Rival and RTG for their games. These are the leading suppliers of casino games and online gambling. Then they leased this gaming software to the independent casinos. So the games on Effective and RevenueJet were legitimate, well-designed games, and that's how they attracted players to come to their sites to gamble. But to gamble on these sites, you need money to play. And when winners would actually win money, that's when Gary and Ziv would start pulling some shady business. Their casino sites started to develop a reputation for being really unreliable at paying out their players. When a player made a cash-out withdrawal request, there were all kinds of delays. Security procedures would make players wait 90 days.
Starting point is 00:49:02 Some players waited the 90 days for their money, only to be told their cash out wasn't valid because they didn't play at the casino for the last few weeks. Sometimes they wouldn't pay the whole amount, maybe just a percentage, just to keep the players guessing. But that would be as far as it went. Often players would just give up, take the loss, and move on to a different site. Or they'd end up gambling away their winnings and playing more games in the casino. By avoiding paying out to players, they were raking in tons of cash. Like the JPMorgan Chase hack, this is an absurd scam that doesn't make any sense to me. An online casino, by its very nature, makes a ton of cash. The odds are always in the casino's favor to win, even without scamming anyone. Maybe you've
Starting point is 00:49:43 heard the term, the house always wins. Yeah, that's about casinos. They are literally money printing machines for the owners. So why treat the players so poorly? Oh, none of these guys. The greed is just astounding to me. But it gets worse. Just after the arrest, the NetAd Management casino network collapsed, just stopped. None of the sites were loading at all, and the executive director of the Gambling Portal Webmasters Association said that he got a notice that Effective was closing its operations effective immediately. It seems like as soon as the indictments came through, someone pulled the plug on the casinos.
Starting point is 00:50:17 Their online casino empire had crumbled overnight. At that time, Gary and Ziv were in custody in Israel, and the U.S. was trying to get them extradited to face these stock fraud charges. Joshua was still nowhere to be found, and with his indictment unsealed, his name showed up on the FBI's most wanted list. But still, we don't know who actually conducted the hack against JPMorgan Chase and the other 12 financial institutions. Gary, Ziv, and Joshua were market manipulators, shady businessmen, and con artists, but they weren't hackers. And we know they had the stolen email addresses from the JPMorgan Chase hack, but how did they get them?
Starting point is 00:50:55 Breaking into JPMorgan Chase's network is not an amateur hacking project. Whoever did it really knew what they were doing. But if Gary or Ziv or Joshua weren't the hackers, then who was? A year after JPMorgan Chase discovered they'd been hacked, several more financial companies received visits from the FBI informing them that their networks had been breached, and they had evidence to prove it. So these companies started to send out letters to their customers. In October 2015, the online discount stockbroker E-Trade sent a letter to all their customers explaining that their network had been breached and that customers' personal
Starting point is 00:51:34 information had been compromised. They said their database was breached, which contained 31,000 E-Trade customers' data. Scottrade, another online stockbroker, revealed that they were also hit by these hacks, but their breach was way bigger. They believe that the personal information of 4.6 million of their customers had been stolen. Dow Jones sent out letters too. Now, they're not a financial institution in the way of a bank or a broker is,
Starting point is 00:52:01 but they're a big publisher of financial information. They've been going for 137 years. They publish the Wall Street Journal, MarketWatch, and Barron's. In October 2015, they informed their customers of a data breach. In their letter, they explained that the hackers may have been in the system for three years, but they'd only found evidence of the theft of 3,500 people's contact or payment data. There were clues like IP addresses and the malware and the data that was stolen, which made authorities suspect that these hacks were all conducted by the same hackers. A month later, all the evidence
Starting point is 00:52:35 came out. On November 10th, 2015, Preet Bharara, the Attorney General of the Southern District of New York, unsealed a superseding indictment against Gary, Ziv, and Joshua. And it was a bombshell. Getting indicted for these stock scams probably seemed bad enough for these guys. But now they were really in trouble. Good afternoon. My name is Preet Bharara, and I'm the United States Attorney for the Southern District of New York. Today, we announce criminal charges in one of the largest cyber hacking schemes
Starting point is 00:53:05 ever uncovered. The charges involve cyber intrusions over several years, targeting 12 different companies, seven financial institutions, two financial news publications, two software development firms, and a market risk intelligence company. By any measure, the data breaches at these firms were breathtaking in scope and in size. The defendants allegedly stole personal information for over 100 million customers, including 83 million customers from one bank alone, the single largest theft of customer data
Starting point is 00:53:40 from a U.S. financial institution ever. That bank was JPMorgan Chase, as it has disclosed itself. To hide their tracks, the defendants allegedly operated their criminal schemes through over 75 shell companies and used close to 200 identification documents fraudulently, including 30 false passports from 17 different countries. The good news is that the FBI and the Secret Service have cracked this case, and we aim to prove it in court. At this point, the evidence of the case was getting massive. These guys have been running
Starting point is 00:54:17 an international cybercrime enterprise. The new indictment accused them of 23 counts, which included computer fraud, hacking, wire fraud, securities fraud, money laundering, identity theft. It just went on and on. This one group had been running this whole system of interconnected illegal schemes. Scam on top of scam on top of scam. They were making hundreds of millions of dollars. What the feds had uncovered here was huge. The scale of this is just incredible.
Starting point is 00:54:45 I mean, it's really crazy. But let's stop for a minute and talk about the money. That's what Gary was doing all this for, right? Well, he was living the high life in his Tel Aviv mansion, passing himself off as a really successful businessman. And I guess that in a certain sense, he was a successful businessman. And he did have some legitimate business interests and investments that earned him good money. But to live the kind of lifestyle he wanted,
Starting point is 00:55:10 I guess he felt like he needed to keep chasing the next big payday. Anyway, all these scams, the online casino, the stock fraud, the hacks, they were making Gary, Ziv, and Joshua hundreds of millions of dollars. And they couldn't just throw all that into a bank account. That definitely would have attracted some unwanted attention. Banks are required to report deposits of a certain size. And I'm sure that if Gary, Ziv, and Joshua had deposited their hundreds of millions of dollars, they would have triggered some sort of reporting policy. So they needed a solution, a way to launder the money, convert their money from illicit and unusable to clean and spendable.
Starting point is 00:55:42 And they came up with a couple of ways to do it. Remember those shell corporations that Gary was using to do reverse mergers with private companies for their stock scam? Well, this also came in handy for laundering a lot of money they were making. Gary and Ziv were moving money around left, right, and center, and they were transferring millions of dollars
Starting point is 00:55:59 from their casino businesses to bank accounts in Cyprus, and then shifting it all around through all the shell companies. They had their money laundering down to a science. All they had to do was fill their shell company's ledgers with transactions for goods and services that they had supposedly been providing their customers. They could then use this dirty money to pay themselves for those made-up goods and services. That way it would look like this money was just the shell companies invoicing and getting paid by legitimate customers.
Starting point is 00:56:26 This left the shell companies with loads of money in their accounts and a nice audit trail that made everything look more legit. And at the end, they had clean money. Gary had 75 different shell companies. He, Ziv, and Joshua had multiple bank accounts and brokerage accounts in countries all over the world. Obviously, none of them were set up in their own names. All three of these guys had aliases they would use. They had 30 different fake passports from across 70 different countries. Keeping track of all these companies and accounts and the false documents and the different names,
Starting point is 00:56:55 that must have been a full-time operation just doing that. It's pretty impressive how they were able to manage all these moving pieces. Before they got caught, it probably seemed like it was worth all this work. In 2011, the same year he started the pump and dump scams, Gary created two online payment processing companies called IDPay and Tudor. You can think of these as more like shady versions of PayPal. Gary used these payment processors to let his players deposit money into gaming accounts at his online casinos. These sites were the intermediaries between the players' bank accounts and the casino's bank accounts. Each transaction would go through these payment processors, but Gary had to hide that money because it wasn't legal. To turn that money into money he could actually use, he needed to
Starting point is 00:57:39 make it look like it came from a legal source. Gary and Ziv opened multiple bank accounts in different countries using fake IDs and fake documentation. They would send transactions made through IDPay and Tudor into these accounts around the world. Now, credit card companies are not allowed to process payments that they believe might have come from illegal activity. So Gary and Ziv would code their transactions to make them look like simple online purchases from everyday retail websites, like pet stores or wedding outlets. If they could find banking officials in the countries they were depositing their money, they would bribe them to turn a blind eye.
Starting point is 00:58:14 Basically, they did anything they could to prevent anyone from catching on to their operations. Of course, the players at Gary's online casinos had no clue what was going on in the background. Everything probably just seemed normal from their perspective. And Gary had a bunch of like-minded friends, other criminals, who needed to launder money just as much as Gary did. And he was friends with people selling fake pharmaceuticals, malware, and fake antivirus software. Whatever their business, if they wanted to collect payments via credit card, they needed a shady payment processor, and they would use Gary's IDPay and Tudor. Of course, just like any payment processor, Gary would take a nice cut of each transaction. But sometimes the credit card companies did get
Starting point is 00:58:56 suspicious. When that happened, the credit card companies would stop processing Gary's transactions and issue fines and penalties to whichever financial institution Gary got caught using. Gary would just pay these off and carry on where he could. It was just a minor inconvenience, a cost of doing business. If they got questioned about this, they'd all act shocked and surprised as if they had no idea the transactions were for illegal goods and activities. If a bank got suspicious and closed one of Gary's accounts, he'd just find a new bank and open a new account. And it became a pretty constant process of finding new accounts and coming up with fake merchants to use for transactions to make them look legit.
Starting point is 00:59:31 It was all very shady, but it was working. In 2012, Gary did another astonishing move. There was this company called G2 Web Services. This is sort of a watchdog company that monitors payment processors to make sure they're above board and not fraudulent. Basically, the staff at G2 will go and do a test at payment processors to make sure they're trustworthy. Well, Gary was using IDPay and Tudor to process a lot of payments for his illegal activities, and he didn't want G2 to flag his payment processor as fraudulent.
Starting point is 01:00:09 So he hired a hacker to break into G2 and get a list of credit cards that were used in test payment transactions. Then Gary would just block those credit card numbers from being used at IDPay and Tudor so that nobody at G2 could even test the payment processing on his websites. The audacity! I've never heard of a hack like this. To hack into a watchdog company just to make sure that they don't talk bad about you and to block them. It's just ridiculous. In July 2013, two years after Gary first created IDPay and Tudor, Brian Krebs published a report
Starting point is 01:00:42 about potentially suspicious activity being conducted at IDPay. A source had found IDPay's customer database and discovered a bunch of fake antivirus sites were using this payment processor. These websites had addresses like spyblocker.com, malwaredefender.com, personalguard.com, and so many more, 50 domains. Krebs investigated IDPay, and he couldn't find anything about them. There were no records of this company existing at all. So he concluded that these websites were installing fake malware onto victims' computers and then asked the victim to pay to get the virus removed. And these sites were using IDPay because a legitimate processor would never process sketchy transactions like this. If this is what was going on, then I guess we can add this bogus antivirus payment processing scam to the list of growing crimes that were committed
Starting point is 01:01:29 by Gary and his friends. One site on the list of IDPay's customers was rxpartners.com. This was known to be an illegal pharmacy affiliate program. Hackers and spammers would sign up and earn cash for promoting illegal pharmacies. In 2013, not many people knew about Gary and his massive empire of hacking and scamming, and they didn't know he was the one behind IDPay. While Gary was focusing on making sure anti-fraud companies like G2 Web Services weren't onto him, he didn't realize that the feds were onto him. How did the feds get on Gary's trail? Well, a month before he was arrested, an undercover federal agent went on to one of his casino's websites and deposited some money using his
Starting point is 01:02:11 credit card to make a bet. When he checked his credit card statement, he found the transaction had been recorded as a payment to houseforpets.com, which wasn't even a real website. This was the first thing that tipped off the feds. And from there, they quickly found a lot of evidence leading to Gary, Ziv, and Joshua. It was the hack on JPMorgan Chase that really brought down Gary's empire. If you remember, the hackers successfully broke into JPMorgan Chase's network and stole 86 million records and got out without raising a single alert. JPMorgan Chase had no idea they were breached, and that was by design. The hackers were extremely careful not to raise any red flags. The only reason JPMorgan Chase ever found out that they'd been breached was when they read that whole security report and found that Simcoe data was
Starting point is 01:02:58 breached, and the evidence from that breach is how JPMorgan Chase figured out they were breached. JPMorgan Chase was never supposed to find out that they were breached. So once it came out that JPMorgan Chase did know that they were breached, it was time for the hackers to start covering their tracks. Remember the cancelled Egyptian server rental? Yeah, they knew they were getting rumbled. But again, JPMorgan Chase wasn't their first hack. Uh-uh. They already got away with hacking six other U.S. financial companies. On the same day the big 23-count indictment was unsealed, a third indictment was unsealed also in Atlanta. This indictment was focused on the hacks, and it tells us exactly how they
Starting point is 01:03:36 happened. The feds had confirmed that it was Gary pulling the strings on all these hacks, and they knew Joshua helped him out. But they also knew that neither Gary nor Joshua were hackers capable of doing this. So the indictment brought charges against Gary, Joshua, and an unidentified suspect, a John Doe, the mystery hacker. Okay, so with this indictment, we learn about how the hacker got into E-Trade and Scottrade. At first, the hacker got a regular login to E-Trade and poked around as just a normal user looking for vulnerabilities on the site. I'm not sure what he found, but on that same day, three of E-Trade's developer servers got accessed by the hackers. But nothing was stolen at that time. Almost a whole year passes. Then
Starting point is 01:04:23 Gary tells the hacker the plan to steal customer data from the databases and gives the hacker servers around the world to use. Servers in South Africa, Romania, and the Czech Republic. These were not bulletproof servers, which were untouchable by the feds, but Gary told the hacker they were registered anonymously. So with the hacker ready, the infrastructure in place, and the plan figured out, Scottrade was the first of the two to be hacked. On September 8th, 2013, Gary's hacker reported that he'd hit a wall. Scottrade had antivirus in place, and he could only get access to one employee's computer without raising alarms. But this employee had no admin rights, so this slowed down the hacker, and for the next two
Starting point is 01:05:06 months, he tried and failed to gain access. But on November 22nd, the hacker asked Gary to get him a Scottrade user account, hoping he could use it to breach Scottrade's systems. So Joshua and Gary provided the hacker with a regular user login, and from there, the hacker was able to find vulnerabilities in the site and exploit them to get access to Scottrade's servers. The next day, he was searching through Scottrade's networks for customer databases, and he found them. He looked through a few of the records in the database, and he saw customer name, phone numbers, and email addresses. Bingo. This is what he was looking for. He did a quick count to see how many records were in the database. There were six million customer details.
Starting point is 01:05:51 Gary was very excited about this discovery, and of course, he wanted the email addresses of this database. The hacker took one more look around the database server, and he noticed he wasn't in there alone. A database admin was also logged into the customer database and actively running commands. The hacker got nervous. He needed to download these 6 million records. He was right there in front of it. But he wanted to do it in secrecy so that nobody would ever know he was there. He was nervous that if he downloaded the data while the other admin was there,
Starting point is 01:06:19 he might draw unwanted attention. He couldn't afford for that admin to notice that something fishy was going on. At the same time, he didn't want the admin to notice he was there and kick him out. So he waited nervously until that admin logged out. Then he quickly copied six million customer records to a server that the hacker controlled, covered his tracks and disconnected from Scottrade's network. The hacker gave Gary the password and location of the stolen database. On November 25th, Gary sent the hacker a report of the customer data that was stolen from Scottrade. The database included information of 4 million Scottrade customers. 100,000 of them were residents of Georgia. The hacker then added more, around 200,000 to 300,000 bank customers of
Starting point is 01:07:04 Scottrade. Two days later, he breached more databases and added more data to the server. On November 27th, Gary's hacker reported that he now had 6 million records from Scottrade. They didn't waste any time before going to E-Trade. The very next day, the hacker breached E-Trade's server using a brute force attack to gain access to a video teleconferencing server on their network. And of course, once he got in, he got himself persistence and elevated his privileges. He installed a backdoor into the servers and started looking around the network for database servers. Four days later, the hacker breached another server on E-Trade's network and installed a reverse shell on it. Four days after that, he gained access to
Starting point is 01:07:43 three more internal servers and a core admin platform. This was the motherlode. These servers contained all of the customer data for E-Trade customers. The hacker began copying all the data stored on these servers. The reverse shell he had set up was exporting data for days after that. Gary's hacker would eventually steal 15 million customer records from E-Trade's network. And once he stole them, he would send them straight to Gary. By December 16th, one of Gary's associates had cleaned up and merged all the stolen customer records from E-Trade and Scottrade into an enormous database. This was the customer information Gary wanted. A vast database containing the contact details of millions of potential investors,
Starting point is 01:08:26 people who he knows are already investors. Over the course of four months, Gary's hacker had been going in and out of multiple servers on both E-Trade and Scottrade's internal networks, and he hadn't set off any alarms. No security scans picked up on his activity. But at some point, E-Trade began to suspect their systems had been breached. They launched an internal investigation and they got law enforcement involved, but nothing came of it. They couldn't find any evidence that data was stolen. There were no logs that somebody copied the data because the hacker hid his tracks so he wouldn't get detected. E-Trade concluded that if they had been breached, then the perpetrator had hidden their tracks really well. So the investigation just kind of stalled out.
Starting point is 01:09:09 But they were right. Someone had been in the systems, and it was Gary's mysterious hacker. As E-Trade and Scottrade were being hacked, Gary's online casinos were making considerable money. He was running at least 12 different casinos. In October 2013, they made him $78 million. Gary and Ziv had 270 employees in Ukraine and Hungary working in call centers to help keep these casinos running. And they were responding to queries and trying to help keep players happy, but they were also
Starting point is 01:09:39 giving the runaround to players who were trying to cash out their money. Gary and Ziv needed to draw as many players to their casino as possible. The more people playing meant the more people they could scam out of their winnings. So to help that bit along, Gary called in his hacker. When people want to do some online gambling, they typically start with a Google search and visit the first few gambling websites that show up. They think, oh, this casino is the first result in Google, so it must be popular and trustworthy. Knowing this, Gary started trying to get his hacker to find ways to improve the casino's search ranking on Google. Now, there's a whole lot
Starting point is 01:10:14 that goes into search ranking. It's called SEO, search engine optimization, and what actually determines the ranking on Google search is a little bit mysterious. They use an algorithm of some kind, but in the SEO world, it's generally believed that to boost a site's ranking, you need more links to that website. So, much of SEO is based on the idea that the more websites in the internet that post links to your site means that
Starting point is 01:10:36 your site becomes more popular in the search rankings. So Gary knew this. He wanted more links to his casinos and used a secret ingredient to get that. Want to take a guess on what that was? The secret ingredient is crime. He asked the hacker for help
Starting point is 01:10:51 and the hacker got to work to try to find a way to make tons of links to Gary's online casinos. And after a bit of searching, he started hacking into dormant, gambling-related WordPress blogs. I'm talking like thousands of them here. Blogs that hadn't been updated in ages and whoever
Starting point is 01:11:05 owned them lost interest in it. All their plugins were out of date, the software hadn't been updated, and, well, yeah, they were vulnerable to being hacked. So the hacker exploited a lot of these old WordPress blogs and he created tons of links to the casino's websites. Compared to hacking into banks, it was pretty easy. Once he finished, these sites had new posts mentioning Gary's casinos and how they were absolutely the best place to gamble on. And when these blogs got re-indexed by Google, these new posts made Gary's casinos rise up in the ranking and become more popular. Now, whenever users searched Google for keywords like best online casino or where to play online casino games, these ancient blogs were starting to pop up with fresh results.
Starting point is 01:11:47 And people always click on the first couple of results. That's just how it is. So people clicked on these old blogs. They saw tons of glowing reviews of Gary's casinos. And this hijacking of neglected blogs drove enormous amounts of traffic straight to Gary's online gambling sites. And that wasn't all. Gary liked to be in
Starting point is 01:12:05 control and know exactly what was going on, so he paid this hacker to visit his competitors' websites. He would have the hacker take down any competing gambling site he got annoyed at. The hacker would use a botnet to launch a huge denial of service attack on competitor casinos, interrupting service for those casino players. And of course, when gamblers can't get into their favorite gambling site, they might go looking for a different site to gamble on. So the DDoS attacks that Gary was conducting could actually drive players to his casino too. Then Gary would find out what software the competitor casinos were using and then ask the hacker to gain access to that software company to monitor what rival casinos were saying and doing. He also hacked into email accounts of executives at the companies that made online gambling
Starting point is 01:12:49 software used by many casinos. This let Gary in on deals that executives were making with each online casino. This allowed him to stay a step ahead of his competitors. If anything was going on that might compromise one of his casinos, he would have an early warning. Gary was used to getting what he wanted, and he was quite happy to use sneaky, underhanded tactics to get his way.
Starting point is 01:13:13 He was getting away with everything until it all caught up with him in July 2015, when Gary and Ziv got arrested by the Israeli police. Once the indictment was announced in November, everything went, well, a little bit quiet. The feds and prosecutors were working to prepare their cases. The first thing they were going to do was get Gary and Ziv extradited to the U.S. This was a pretty long process, which took about a year. In June 2016, they were both extradited to New York and found themselves in a Manhattan prison. On June 9th, they appeared in Manhattan federal court. Both
Starting point is 01:13:45 Gary and Ziv pleaded not guilty to the long list of charges against them. But there was still one guy out there, Joshua. Joshua was still somewhere in the wild and the FBI was searching everywhere for him. They suspected that he was hiding out in Russia and it made it pretty complicated to look for him there. But then Joshua just solved that problem for them. It turned out Joshua was in Moscow all along. And on December 14th, 2016, his attorney called the feds and said Joshua is going to turn himself in and he's flying into the JFK airport in New York. And so Joshua did. He flew to New York and was arrested on the spot. You see, Joshua got himself in a bit of trouble with the Russians. He had flown into Russia via Ukraine
Starting point is 01:14:32 on May 23rd, 2015, and had been staying in an apartment in Moscow. In May 2016, right as Gary and Ziv were about to be extradited from Israel to the U.S., Joshua was arrested by the Russian immigration police. They turned up at his apartment for a surprise spot check on his visa documents. For Joshua to maintain his visa, he was supposed to fly out of the country and then come back every six months. And he hadn't been doing that because he was hiding out from the FBI. So the Russian immigration police put him in jail. On May 20th, a Russian judge fined him the equivalent of $80 and ordered him to leave Russia. So Joshua had to leave Russia, but he wasn't interested in going to the U.S. and getting arrested by the FBI.
Starting point is 01:15:17 So he applied for refugee status so that he could stay in Russia. So while he was waiting on his refugee status at an immigration office in Moscow, he talked to his lawyers and they changed his mind. They convinced him that it was better for him to come to the U.S. and face his charges than to continue hiding out in Russia. But strangely enough, when Russia found out Joshua was wanted by the FBI, they offered him asylum. They probably thought he would be useful for some
Starting point is 01:15:45 sort of political or diplomatic leverage. Joshua had already made up his mind though, so he turned down the offer of asylum. But Russian immigration was now hesitant about letting him leave, so he was stuck in the immigration center while his lawyers were negotiating with Russians and the feds, both of which wanted Joshua in their custody at this point. After about six months of this, in December 2016, everyone agreed and Joshua got on the flight to New York and was arrested. By the time Joshua gave himself up, Gary had been in prison for almost two years. Gary pled not guilty and was looking at a lengthy court trial. Gary was the mastermind behind all these schemes.
Starting point is 01:16:25 He had the valuable knowledge and connections with the underground criminals. Plus, he probably knew some stuff about Russian cybercrime networks. The feds recognized that Gary could be really valuable to them. So they offered him some plea deals. They offered to release him if he agreed to plead guilty to all the crimes he did, if he became an informant. On May 22nd, 2017, a big daily newspaper in Israel, the Calcalist, reported that Gary had agreed to pay U.S. authorities $403 million in cash under forfeiture. His plea deal also meant that three
Starting point is 01:17:01 criminal proceedings against him plus an SEC civil lawsuit were all dropped. Now, $403 million sounds like a lot, but the feds estimated he had earned over $2 billion. So Gary probably was walking away with some extra cash left in his pockets. But giving up his cash meant that he had to tell the feds where the money was. And wow, he had a lot of cash stashed all around the world. He had 81 different bank accounts around the world. Many of them were in Switzerland. And some of these accounts had over $100 million in them. There were accounts in Cyprus, Georgia, Virgin Islands, Luxembourg, Latvia.
Starting point is 01:17:39 They were everywhere. On top of that, he had stashes of cash and jewelry worth millions. And a $6 million house. Gary's plea deal wasn't straightforward. According to the Calcalist, it took six different law firms to negotiate it. Five of these law firms were in the U.S. and one was in Israel. So while Gary agreed to pay hundreds of millions of dollars of his illegal profits to get out of prison, he had to give the feds more than money.
Starting point is 01:18:06 And it seems like he gave up a hacker, a 38-year-old Russian man named Peter Levashov. Peter was from St. Petersburg, and he's the one who built the Kelihos botnet, which infected 100,000 computers. This botnet was built to send massive amounts of spam emails. But the Kelihos botnet was also available for hire. Anyone could use it to send tons of spam themselves. And Gary was definitely sending a lot of spam. Peter was arrested on April 9, 2017, while on holiday with his family in Barcelona, Spain. He was accused of running the Kelihos botnet and pleaded guilty to it in Connecticut in September 2018. The counts against him included the distribution of fake spam emails, promoting counterfeit pharmaceuticals, and other frauds, including pump-and-dump stock schemes.
Starting point is 01:18:55 He's still awaiting his sentencing. It's not clear what Gary told feds about Peter, whether he just straight-up ratted Peter out or what happened there. But the question everyone had was, hey, this Peter guy, is that Gary's mystery hacker? At first I thought it was, but no, he wasn't. Peter wasn't Gary's hacker. That was someone else entirely. In December 2017, law enforcement flew into the airport of Georgia, an Eastern European country. They were there at the request of the U.S. authorities, and they went to the capital to arrest 35-year-old Andrei Tyurin. Andrei is a Russian citizen, but the U.S. had been tracking him and knew he was flying into Georgia from Moscow, and they wanted him in custody before he could disappear. Andrei was a well-known
Starting point is 01:19:43 high-level Russian hacker. The feds believed he was the hacker working with Gary in his empire of scams, and they had spent the last two years trying to track him down and detain him. Once in custody in Georgia, the feds set out to get him extradited to the U.S. Now, Russia does not like giving up its hackers, but there's not much they can do when it's outside their country. So that's why the U.S. arrested him in Georgia, because you can get them extradited out of Georgia. Now, some Russian hackers have a double motive for hacking. They work on a freelance basis, taking jobs from whoever is willing to pay their fee. But they may also be looking to pass any juicy information they find to the Russian government or anyone else who's willing to pay for this information. So regardless of who's paying for the hack, the hacker is always the first person
Starting point is 01:20:31 to get their eyes on the data. Sure, the hacker will upload a copy to whoever hired them, but there's nothing stopping them from uploading a copy to someone else too. Although the FBI had ruled out the possibility that the JPMorgan Chase hack was executed by the Russian government, U.S. intelligence had apparently found some evidence to suggest Andrei was getting some protection from the FSB, Russia's intelligence agency. It hasn't been confirmed, but some evidence suggests that the FSB tried to recruit Andrei, while other bits of evidence suggest he may have had a bigger role in the operation run by FSB. Either way, it took almost a year for feds to get through the red tape and bring Andrei onto U.S. soil and book him into a federal prison. Now, a quick aside about
Starting point is 01:21:18 U.S. attorneys. This case was being handled in the Southern District of New York, and Preet Bharara was the U.S. attorney for that district. So when the U.S. government brings this case to trial, a federally appointed attorney handles the case. But when Trump was elected president, he had Jeff Sessions order all 46 U.S. attorneys from Obama's administration to resign. Preet Bharara had met with Trump a few days earlier and did not get the impression that he was being fired. So Preet refused to resign. But Trump fired him the next day. The Trump administration appointed Jeffrey Berman as the new U.S. attorney for the Southern District of New York. So on September 7, 2018, Jeffrey Berman announced that Andrei had been extradited from Georgia to New York. And this was a massive win for the feds. Getting an indicted Russian hacker extradited into the U.S. for cybercrimes was not something that happens very often. Oh, and as for the U.S.
Starting point is 01:22:11 attorney for the Southern District of New York, Jeffrey Berman, Trump fired him too. I guess Trump didn't like that Berman was investigating Rudy Giuliani, Trump's personal attorney, regarding some suspected criminal activity. So Trump put Jay Clayton in place to be the current U.S. attorney for the Southern District of New York. Clayton has never been a federal prosecutor before, but he was the chairman of the Securities and Exchange Commission. So this case has now passed through the hands of three different U.S. attorneys for the Southern District of New York. Andrei was charged with 10 counts, including computer hacking, conspiracy, wire fraud, and identity theft, all relating to Gary's enterprises. The same day they got him into New York, he was put in front of a judge to state his plea. Not guilty. Andrei wouldn't admit to
Starting point is 01:23:02 anything. On September 25th, there was an initial pretrial conference hearing. The prosecution presented their evidence to Andrei through a Russian interpreter. The evidence against him, which was mostly in Russian, was pretty damning. They had almost 3,500 pages of online chats between Andrei and Gary, all discussing the hacks and scams. The evidence took up nearly two terabytes of storage. And they also had evidence from devices seized from Gary and Ziv when they were arrested in Israel, which all pointed to Andrei being involved in this. They had the data from the hacked companies too, like logs and records from the hack. And that resulted in another few terabytes of data, which was not looking good for Andrei. The data from the JPMorgan Chase hack was over 3 terabytes just on its own.
Starting point is 01:23:46 The prosecution and defense had to agree on a way to deal with all this digital evidence. I mean, you can't just print all that out. It's just too much information. And it's not like it's just some long text document. Lots of this evidence was complex, technical data. Prosecutors and defense attorneys aren't computer experts, so they needed to get all this data into a format that they understood that could be used in a court case like this.
Starting point is 01:24:08 So the prosecution and defense worked together to figure out how they were going to do that. And what followed was a long line of adjourned court dates and pretrial hearings. For a full year, nothing moved in terms of court appearances. And then, suddenly, Andrei's case ended in one day. On September 23rd, 2019, Andrei submitted a change of plea. He was now pleading guilty. Andrei admitted to conspiracy to commit computer hacking, wire fraud, unlawful internet gambling conspiracies,
Starting point is 01:24:38 and conspiracy to commit wire fraud and bank fraud. So in pleading guilty to these four counts against him, he was admitting to hacking eight different U.S. financial institutions between June 2012 and August 2014. These include JPMorgan Chase, Fidelity, Dow Jones, E-Trade, and Scottrade. Publicly, at least, Andrei's conviction was the first in this entire case. His lawyer said that Andrei was hired by the masterminds of the schemes to hack these computer networks under their instructions. Because he pleaded guilty, there will be no trial for Andrei. But he is looking at a lengthy prison sentence.
Starting point is 01:25:15 His sentencing date, just like his hearings, has been repeatedly adjourned, and he's currently awaiting sentencing. Gary is believed to be out of prison and living somewhere in the U.S. Until his forfeiture is completely paid, he's not allowed to fly out of the country. Information about his court hearings or progress on his remaining charges is hard to come by. I mean, if Gary is an informant, then that means that a lot of his court documents are going to be sealed. And a lot of his court documents are sealed. So it's just one of those things I don't have a visual into. On October 22nd, 2020, Ziv was sentenced. Now, by this time, he had been in prison for 11 months. His sentence was to let him go.
Starting point is 01:25:59 The judge ordered his prison time to be equal to his time served, which meant the 11 months he already did in prison, the judge thought that was good enough. On top of that, they required him to forfeit $1.8 million. But yeah, I'm surprised by this sentence. I think it's minimal for such an extraordinary amount of criminal activity. My guess is that Ziv cooperated, which means he gave up some names of other criminals in order to get his sentence shortened. But that's just my guess. Altogether, these schemes made a colossal amount of money. It really was a sprawling, interconnected network of scams, building on top of each other, scaling up, leveling up, and expanding outward.
Starting point is 01:26:40 The whole story is full of surprises, and by the end, it's mind-bogglingly complex. A web of illegal schemes, hacking, fraud, money laundering, carried out by some shady businessmen and conmen, joining forces with a hacker. Just as the schemes themselves were large-scale, so too was the network of people and resources Gary had built to operate it all. The story has it all. The villains, the hacks, the underground illegal acts, and finally a hammer of justice that brings it all crashing down.
Starting point is 01:27:09 The hack into JPMorgan Chase wasn't random, a one-off attack. It was done by someone who seemed to have an insatiable appetite for more. More hacking, more data, more scams, more money. Sure, there's an element of glamour to Gary Shalon's story. The money, the fancy watches, the mansion. But there's also an element of desperation. I mean, what was the point of all this besides just wanting more? How many hundreds of millions of dollars more did he need? From my point of view, it's like none of these schemes seemed big enough for him.
Starting point is 01:27:48 No amount of money seemed satisfying enough. And at the end, it kind of seems like it was all an endless desire that eventually led to the destruction of Gary Shalon's empire. If you love Darknet Diaries, stories from the dark side of the internet, then support it. Go to patreon.com slash darknetdiaries and join the group of the most amazing people, the people who keep my network running. I talked with one Patreon member the other day, and he told me he drove for eight hours while listening to the show. What's funny is he only had to go to the store to get some bread,
Starting point is 01:28:32 but the show was so addicting that he kept driving around just to listen. If that's the kind of listener you are, then consider giving back to the show by supporting it at patreon.com. Join today, and I'll grant you special access to bonus content and an ad-free feed. Thank you. This show is made by me, the spider buyer, Jack Rhysider. This episode is written by the crime traveler, Fiona Guy. Sound design and original music was created by the graphical interface, Andrew Merriweather.
Starting point is 01:29:01 Editing help this episode by the window gazing, Damien. Our theme music is by the sound system, Breakmaster Cylinder. And even though, back in my day we didn't have USB. We only had USA. This is Darknet Diaries.