4 Arrested in Schemes Said to Be Tied to JPMorgan Chase Breach

Matthew Goldstein

A huge computer attack against JPMorgan Chase last summer may have been more of an attempt to fuel an ongoing pump-and-dump stock scheme rather than an effort to steal financial data from the nation's biggest bank.

Federal authorities on Tuesday announced the arrest of four men in Florida and Israel in connection with a series of fraudulent investment schemes involving penny stocks and Bitcoin that spanned the globe, from Florida to New York to Israel to Cyprus and Russia.

But authorities also suspect that some of the men arrested, along with a fifth man charged but still at large, had a hand in last summer's hacking at JPMorgan that compromised the contact information for 83 million of the bank's customers, according to people briefed on the matter who spoke on the condition of anonymity.

More from The New York Times:
New Criticism Over the S.E.C.'s Use of In-House Judges
Top 5 Hedge Fund Earners
Private Sector Pay Lures F.B.I.'s Hacking Experts

None of the five men have been charged with the theft of email addresses and other contact information from the bank or carrying out the hacking.

One of two Israeli men charged with the hacking of the JPMorgan Chase bank attends a court hearing, on July 22, 2015 in Jerusalem, Israel.
Getty Images

Still, authorities are hoping that some of the defendants will seek to cooperate with the investigation and provide prosecutors with enough evidence to also file charges over the hacking — one of the largest ever targeting a United States bank.

A series of court filings unsealed by federal prosecutors in Manhattan did not mention the attack on JPMorgan's vast network that went on for several months before it was discovered in late July. Rather, the court filings detailed charges involving a multiyear campaign to drive up the price of worthless penny stocks by pitching them to unsuspecting investors through millions of spam emails.

One of the people briefed on the matter said he believed that the defendants had intended to use some of the email addresses obtained in the JPMorgan hacking to find other people who could be persuaded to invest in otherwise worthless stocks.

Read More JPMorgan: After 1,300 days, time for correction

Still another scheme involved an unlicensed money-transfer operation used by criminals to cash in Bitcoin paid by people to get malicious software removed from their computers. The perpetrators of that scheme sought to hide their illegal activities by taking control of a small New Jersey credit union.

It is not clear how the five men came to know each other or how the schemes were related.

A JPMorgan spokeswoman declined to comment on the arrests. The bank has said the breach did not compromise customer financial information or sensitive personal information like Social Security numbers.

The two men charged and arrested in Florida, Anthony Murgio and Yuri Lebedev, both attended Florida State University, according to their LinkedIn pages. The men were charged with running an illegal money-transfer operation that converted the digital currency Bitcoin into cash for online criminals.

Information about their lawyers could not be learned late Tuesday.

Less is known about the three Israel residents charged with running a pump-and-dump stock scheme that dates back to at least 2011. Two of the men, Gery Shalon and Ziv Orenstein, were arrested in Israel. United States prosecutors said they would seek to extradite them. A third man, Joshua Samuel Aaron, an American citizen who lives in both Israel and the United States, was charged but remains at large.

In a criminal indictment, Mr. Aaron was described as a frontman for the pump-and-dump schemes who went by the alias "Mike Shields" and communicated with unidentified stock promoters in the United States at Mr. Shalon's direction. Prosecutors contend the investment schemes made millions of dollars for the men, who laundered their money through bank accounts for a Cyprus-based shell company that had no actual business.

Read MoreAnother murder-suicide hits JPMorgan

The Securities and Exchange Commission filed its own civil lawsuit against Mr. Shalon, Mr. Orenstein and Mr. Aaron.

Information about their lawyers could not be learned.

Soon after the hacking was discovered at JPMorgan, agents with the Federal Bureau of Investigation determined the attack was not particularly sophisticated even though the bank's security people had argued otherwise. The hacking succeeded largely because the bank failed to properly put updates on a remote server that was part of its vast digital network.

Early on, federal authorities had identified some of the five men as being involved in the hacking but did not have enough evidence to charge them, said the people briefed on the matter.

So authorities began investigating them for other possible acts of wrongdoing and discovered the pump-and-dump scheme and the illegal money-transfer operation.

It is not clear if any of the email addresses stolen from JPMorgan were used by the defendants to further one of their penny stock schemes.

Preet Bharara, the United States attorney in Manhattan, said in a statement: "As alleged, the defendants manipulated trading in U.S. securities from overseas, using fake identities to funnel millions of dollars in unlawful proceeds through a web of international shell companies. Using false and misleading spam emails sent to millions of people, these defendants allegedly directed their pump-and-dump scheme from their computers halfway around the world."

The attack on JPMorgan garnered major headlines and attention last year because of the number of people affected and a theory that it may have been tied to Russian gangs, with possible ties to the Russian government. Federal authorities, however, quickly ruled out the Russian government as a suspect, as well as the possibility of direct ties to Russian gangs. The court filings on Tuesday, however, suggest some loose connection to Russia.

The attack on the bank was discovered somewhat by accident. In July, security employees of the bank learned that the website for the JPMorgan Corporate Challenge, a charitable race organized by the bank, had been hacked and compromised. The website is run by an outside vendor for the bank. But information gleaned from the hacking on the racing website pointed back to a bigger problem with the bank's own network.

After that, the bank discovered its own breach. While the hacking itself was not said to be sophisticated, it went on long enough to give the hackers access to 90 servers.

JPMorgan says it spends $250 million a year on online security and intends to double that amount.

Federal authorities in New York had made the JPMorgan attack a priority investigation because the bank is a critical component of the nation's financial system. The hackers had tried to infiltrate nearly a dozen other financial institutions but were less successful. By the spring, some investigators were expressing confidence in private that they expected to announce some arrests by the summer if not earlier.

Much of the JPMorgan investigation for Mr. Bharara's office was overseen by Nicole Friedlander, a chief of the online crimes division, who was working while out on maternity leave for several months, said people briefed on the matter.

It remains to be seen whether prosecutors working with the F.B.I. can get any of those arrested to provide the evidence they need to bring charges for the hacking as well.

Nathaniel Popper contributed reporting.