Skip to content
Naked Security Naked Security

Third ‘JPMorgan hacker’ arrested as he arrived at JFK

Trio 'used stolen data to scoop hundreds of millions of dollars'

Joshua Samuel Aaron, one of many people to face charges relating to the hefty 2014 JPMorgan data breach, was arrested when he arrived at John F Kennedy International Airport in New York on Wednesday.

Aaron, aka “Mike Shields,” was one of three men indicted in November 2015 for the massive hack and fraud scheme.

The Justice Department charged Aaron, alleged mastermind Gery Shalon, and Ziv Orenstein with computer hacking crimes against not only JPMorgan, but also against other financial institutions, brokerage firms and financial news outlets, including The Wall Street Journal.

Shalon and Orenstein were arrested by Israeli authorities in July 2015, and were extradited from Israel in June.

Aaron was a fugitive until he turned up at a facility for illegal immigrants outside Moscow in October.

He had failed to show police a valid passport during a midnight check at his apartment, according to court documents.

The JPMorgan breach was initially thought to involve the theft of as many as 83m customer records.

But altogether, it’s a notch larger: the trio has been accused of ripping off the data of more than 100 people, and then using it in schemes such as stock manipulation that generated hundreds of millions of dollars in illicit gains.

In fact, according to a press release from the US Attorney’s Office of the Southern District of New York, the JPMorgan caper represents the largest theft of customer data from a US financial institution in history.

The Attorney’s Office says that Aaron, Shalon and Orenstein are being charged with quite the laundry list: the charges include computer hacking, securities fraud, wire fraud, identification document fraud, aggravated identity theft, money laundering and market manipulation.

With a rap sheet of charges like that, you can run, but you can’t hide: you just know US law enforcement will be after you like white on rice.

They were happy to emphasize that in the press release. US Secret Service Special Agent in Charge David E Beach:

The arrest of this alleged transnational cybercriminal illustrates the dedication of the Secret Service and reach of the US Government in the disruption and dismantling of global criminal networks.

The precedent set by this successful United States deportation should serve as a warning to criminals that the Secret Service will relentlessly investigate, detect, and defend the Nation’s financial infrastructure both domestically and internationally.

Maximum prison sentences are rarely handed out, so if the charges stick against 32-year-old Aaron, he’s looking at a minimum mandatory sentence of two years if he’s convicted.

 

5 Comments

So there’s Aaron Schwartz who did something relatively minor in the grand scheme of Internet “crime”, yet faced a list of felony charges and many years in prison for his downloading of millions of JSTOR articles. Then there’s this guy, who’s actions led to “hundreds of millions of dollars in illicit gains” likely negatively affecting the lives of a similarly large number in the process and he could receive two years in prison (never mind the massive government resources spent to find him).

I, for one, hope he’s forced to pay that amount and more in fines (regardless of what he has left in the way of assets), and that the proverbial book is thrown at him should he be found guilty of the charges.

Aaron Schwartz would have got 6 months if he had pleaded guilty, it seems. For all the publicity around that case and the tragedy now woven forever into it, there were aspects of his alleged behaviour – it is claimed that he broke into a secure computer room to implant an unauthorised server to bypass a ban he was already aware of, if memory serves – that bring more to that whole matter than met the eye at the time.

(I’m not arguing against your concerns that this chap might IYO get off lightly…I don’t know what happens in the US if you get a fine bigger than you can now possibly pay, for example. It happened to “Spamford” Wallace, the so-called Spam King. He has to pay back zillions but he surely won’t be able to. What then?)

Fines and restitution are not the same thing.

IIRC, Wallace has been fined large amounts over the years (as well as facing more modest restitution orders). I probably should have written “to pay” rather than to “to pay back” in my comment above.

The various trials and tribulations of this case have been covered here over the years:

https://nakedsecurity.sophos.com/?s=Spamford+Wallace

I agree Joshua’s punishment seems lenient compared to the damage done. How does it differ from what Burnie Madoff did?

Wish there was a better deterent. There should be some hefty community service and probation after serving time. We don’t want repeat offenders. Not much chance a convicted felon will be able to make good on fines.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?