In a criminal indictment, Mr. Aaron was described as a frontman for the pump-and-dump schemes who went by the alias "Mike Shields" and communicated with unidentified stock promoters in the United States at Mr. Shalon's direction. Prosecutors contend the investment schemes made millions of dollars for the men, who laundered their money through bank accounts for a Cyprus-based shell company that had no actual business.
Read MoreAnother murder-suicide hits JPMorgan
The Securities and Exchange Commission filed its own civil lawsuit against Mr. Shalon, Mr. Orenstein and Mr. Aaron.
Information about their lawyers could not be learned.
Soon after the hacking was discovered at JPMorgan, agents with the Federal Bureau of Investigation determined the attack was not particularly sophisticated even though the bank's security people had argued otherwise. The hacking succeeded largely because the bank failed to properly put updates on a remote server that was part of its vast digital network.
Early on, federal authorities had identified some of the five men as being involved in the hacking but did not have enough evidence to charge them, said the people briefed on the matter.
So authorities began investigating them for other possible acts of wrongdoing and discovered the pump-and-dump scheme and the illegal money-transfer operation.
It is not clear if any of the email addresses stolen from JPMorgan were used by the defendants to further one of their penny stock schemes.
Preet Bharara, the United States attorney in Manhattan, said in a statement: "As alleged, the defendants manipulated trading in U.S. securities from overseas, using fake identities to funnel millions of dollars in unlawful proceeds through a web of international shell companies. Using false and misleading spam emails sent to millions of people, these defendants allegedly directed their pump-and-dump scheme from their computers halfway around the world."
The attack on JPMorgan garnered major headlines and attention last year because of the number of people affected and a theory that it may have been tied to Russian gangs, with possible ties to the Russian government. Federal authorities, however, quickly ruled out the Russian government as a suspect, as well as the possibility of direct ties to Russian gangs. The court filings on Tuesday, however, suggest some loose connection to Russia.
The attack on the bank was discovered somewhat by accident. In July, security employees of the bank learned that the website for the JPMorgan Corporate Challenge, a charitable race organized by the bank, had been hacked and compromised. The website is run by an outside vendor for the bank. But information gleaned from the hacking on the racing website pointed back to a bigger problem with the bank's own network.
After that, the bank discovered its own breach. While the hacking itself was not said to be sophisticated, it went on long enough to give the hackers access to 90 servers.
JPMorgan says it spends $250 million a year on online security and intends to double that amount.
Federal authorities in New York had made the JPMorgan attack a priority investigation because the bank is a critical component of the nation's financial system. The hackers had tried to infiltrate nearly a dozen other financial institutions but were less successful. By the spring, some investigators were expressing confidence in private that they expected to announce some arrests by the summer if not earlier.
Much of the JPMorgan investigation for Mr. Bharara's office was overseen by Nicole Friedlander, a chief of the online crimes division, who was working while out on maternity leave for several months, said people briefed on the matter.
It remains to be seen whether prosecutors working with the F.B.I. can get any of those arrested to provide the evidence they need to bring charges for the hacking as well.
—Nathaniel Popper contributed reporting.