To build a successful business, you need a good business plan. A carefully thought out step-by-step guide to launch, develop, and expand. You need good people, too. People you trust and can rely on. But the internet has changed how people become entrepreneurs. It's made it easier to find good help and easier to find customers. Digital technology and the internet have created a whole range of new opportunities for businesses and entrepreneurs.
But there's a flip side to these innovations, a darker side. You see, the criminal underworld has also benefited from the explosion of digital technology and the internet. Criminals make business plans too. They build networks and work together to advance their illicit agendas. When greedy criminals set out to execute a business model armed with the powers of the internet and a hacker or two, they can achieve astounding criminal feats.
And the thing is, it's not easy to catch a cyber criminal. Hacking is mostly invisible. It's quiet, secretive, and always done under the cover of the internet. It's like the perfect burglary that takes place in pitch black. There's no trace of the perpetrator on the CCTV camera footage, no fingerprints, and no leads. With hacking, it's all digital. So whatever virtual fingerprints you might have left behind can be covered up, deleted, or hidden.
This is why so many cyber criminals get away with their crimes. This is a story about a group of very savvy businessmen who made a fortune exploiting people online. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries.
In July 2014, Hold Security, a small firm that specializes in external cyber threat intelligence, made an unbelievable discovery. This small firm, which supposedly monitors the dark web for hacker activity that may be a threat to their clients, reported to the New York Times claiming to have found a credential dump containing 4.5 billion usernames and passwords on the dark web.
Now 4.5 billion usernames and passwords is just a crazy amount of credentials. When Hold Security filtered out duplicates, they were left with 1.2 billion credentials. But still, a credential dump that large would be the biggest credential dump ever found.
The New York Times ran with the story, but the security community was pretty skeptical. First, everyone wanted to see what was in the dump, but Hold Security wouldn't reveal this data to anyone. Later, Hold Security announced that for a $120 fee, they would tell companies whether the dump included credentials from their websites.
Huh. So with Hold Security claiming they had one of the largest dumps ever and not sharing it with anyone except a few people who paid to search for their own names, it was just a little hard to trust. Alex Holden, the CEO of Hold Security, was interviewed by Forbes. This is what he said.
Let me try to clear up the criticisms here. There are two different pieces to this puzzle. First of all, we have 1.2 billion credentials that belong to about half a billion email addresses, unique email addresses. And these are the individuals who entrusted their credentials to different web services websites. And these credentials were stored on those websites. Unfortunately, through no wrongdoing on the individual side, this information had been stolen by the hackers. So these individuals are the ultimate victims in this particular crime.
Later, Hold Security released a summary report of the dump. They said the dump was from 420,000 different websites that had been breached, some of which were Fortune 500 companies. The report listed some of the companies that were breached, and they called the group that stole this data CyberVor, which means cyber thief in Russian.
420,000 websites is a huge proportion of the entire world wide web. So at this point, even I think this dump sounds a bit ridiculous, because it just doesn't add up. But let's switch gears for a second. Imagine you're part of an IT security team at the JP Morgan Chase Bank. You work for the biggest bank in the US and the sixth biggest bank in the world. Your bank pretty much dominates the financial sector in terms of investments and banking.
Imagine you're one of JP Morgan Chase's 250,000 employees, scattered across 171 offices in 39 different countries. And imagine you're part of the team that's responsible for protecting data in this bank, which has an annual revenue of $115 billion. Of which, about $10 billion is spent on tech and $250 million a year is spent on cybersecurity. There's about 1,000 people working with you in the IT security team at JP Morgan Chase.
Now I'm not sure if any company spends more money on security than JP Morgan Chase, but either way, they aren't messing around when it comes to protecting their networks. So, if you were on the IT security team of JP Morgan Chase and you saw that Hold Security released a summary report, would you take a look to see which companies had been breached?
Of course you do. It doesn't matter if it's real or not. Your company is spending every dollar it can to do everything to protect the network. You'd definitely be looking at this report. You'd be looking at every report that might have anything to do with JPMorgan Chase's IT security. So that's just what happened. An IT security analyst at JPMorgan Chase did read Hold Security's report. In it, Hold Security claimed the website for a charity race sponsored by JPMorgan called Corporate Challenge was breached.
This site had been used by JP Morgan employees to register for the race. It was hosted by a company called Simco Data Systems. As it happened, Simco Data Systems was also mentioned in the Hold Security report. It claimed that Simco had been breached too.
So, if JP Morgan Chase employees were registering at that site, then it's possible their data was stolen. And this caused the IT security analysts at JP Morgan Chase to look into this a little more.
So the security team at JPMorgan Chase contacted Simco Data Systems to investigate the claims made by Hold Security. Simco Data dug around their network logs and confirmed that the Corporate Challenge website was hacked and breached. The hackers had stolen an SSL certificate from the site, and the hack was executed through a few IP addresses that had been creeping around the network without any legitimate reason to be there.
Two techs from the JP Morgan Chase office in Columbus, Ohio went over to Simco Data Systems' office in Michigan to get copies of any forensic data they could find. They wanted to know exactly what had been stolen and understand the indicators of compromise.
As the JP Morgan Chase security team was collecting data from Simco, they were using this data, including IP addresses, to search their own logs for any similar activity. They were looking for any trace of a breach and any sign of activity from the IP addresses associated with the Simco data breach. And sure enough, they found the same 11 IP addresses that had been used to execute the Simco breach had also been used to attack JP Morgan Chase.
What's more, some of these attacks against JPMorgan Chase had been successful. The biggest bank in America had been hacked, and they never even knew it happened.
At this point, JP Morgan Chase contacted the FBI and handed over these IP addresses to the Financial Services Information Sharing Analysis Center. This is an organization that circulates this kind of data to banks and financial institutes so they can check whether they have been breached. Up until this point, JP Morgan Chase had kept this whole situation under wraps while they were working to figure out what was going on. But this kind of breach is a huge deal and they weren't going to be able to keep quiet about this for long.
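The sweep described above, taking the attacker IP addresses learned from one breach and running them against your own logs, is the routine defensive step that surfaced the bank's compromise. The script below is an added example and is not code from the podcast or from any of the organizations named in it. It parses constructed Apache-style access log lines, matches the source address of each request against a constructed indicator set (documentation-range addresses standing in for the real IPs, which the page does not list), and reports first-seen, last-seen, hit count, and the paths each flagged address touched, which is the minimum a team needs before handing indicators to a sharing body such as FS-ISAC.

```python
import ipaddress
import re
from datetime import datetime

# Constructed indicator set. The real addresses are not on the page, so these
# are placeholders from RFC 5737 documentation ranges, labelled as such.
IOC_IPS = {"198.51.100.23", "203.0.113.77", "192.0.2.9"}

# Constructed sample log lines in common Apache access-log format. They are
# invented for this example and do not come from any real system.
SAMPLE_LOGS = """\
203.0.113.77 - - [04/Jun/2014:02:14:07 +0000] "GET /benefits/login HTTP/1.1" 200 512
10.20.30.40 - - [04/Jun/2014:02:15:01 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.77 - - [04/Jun/2014:02:16:44 +0000] "POST /benefits/login HTTP/1.1" 302 0
198.51.100.23 - - [12/Jun/2014:23:59:59 +0000] "GET /hr/export.csv HTTP/1.1" 200 99120
10.20.30.41 - - [13/Jun/2014:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024
this line is malformed and must be skipped rather than crash the sweep
"""

# Client IP, identd, user, bracketed timestamp, quoted request, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def normalize_iocs(iocs):
    """Canonicalize indicator strings so '203.0.113.077'-style variants still match."""
    out = set()
    for raw in iocs:
        try:
            out.add(str(ipaddress.ip_address(raw.strip())))
        except ValueError:
            pass  # skip anything that is not a valid IPv4/IPv6 literal
    return out


def parse_line(line):
    """Return a dict for a well-formed access-log line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = str(ipaddress.ip_address(m.group("ip")))
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    parts = m.group("req").split(" ")
    path = parts[1] if len(parts) >= 2 else m.group("req")
    return {"ip": ip, "ts": ts, "path": path, "status": int(m.group("status"))}


def sweep(log_text, iocs):
    """Match every parsable line against the IoC set.

    Returns {ip: {"first": datetime, "last": datetime, "count": int,
                  "paths": set[str]}} for indicator IPs that appear at all.
    Indicators that never appear are simply absent from the result.
    """
    wanted = normalize_iocs(iocs)
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ip"] not in wanted:
            continue
        h = hits.setdefault(
            rec["ip"], {"first": rec["ts"], "last": rec["ts"], "count": 0, "paths": set()}
        )
        h["first"] = min(h["first"], rec["ts"])
        h["last"] = max(h["last"], rec["ts"])
        h["count"] += 1
        h["paths"].add(rec["path"])
    return hits


if __name__ == "__main__":
    for ip, h in sorted(sweep(SAMPLE_LOGS, IOC_IPS).items()):
        print(f"{ip}: {h['count']} hits, {h['first'].isoformat()} .. "
              f"{h['last'].isoformat()}, paths={sorted(h['paths'])}")
```

Two of the three constructed indicators appear in the sample; the third is absent, which is the normal outcome and is why the result omits rather than zero-fills indicators. On real data the same loop runs over proxy, VPN and authentication logs as well, and the first-seen timestamp is what tells you how long the dwell time was.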
We don't know exactly how the hackers jumped from the charity's website into the bank's servers. But I've got a few theories. First, it's possible that the hacker gained access to this Corporate Challenge charity site. How? Possibly by hacking through Simco Data Systems, which was the hosting provider for the Corporate Challenge charity site. So if the hosting provider got hacked, then the hackers would have access to the back end of all the other websites that hosting provider hosts.
So if they got into the Corporate Challenge website that way, they could have accessed the credentials for all the JP Morgan employees that were registering on the site. And maybe some of those usernames and passwords were the same usernames and passwords used to log into JP Morgan Chase's network.
This kind of tactic would likely work because so many people reuse passwords on multiple sites. Any JP Morgan employee who used their JP Morgan network password on another site would have made their network vulnerable to this kind of attack. So that's one theory. The other is that this hacker crew might have targeted an IT admin at JP Morgan Chase through spear phishing or some other attack that got them remote access into the admin's computer.
And if a hacker was able to do that, they'd be able to steal that IT admin's network credentials and do whatever they want from there.
Either way, what we know is that this hacker group did have a valid login to a JP Morgan server. And with that, they were able to get past the huge front gates of this super secure JP Morgan Chase network. But once they got past the front gates, they still needed to figure out where to go. It's as if they broke into a bank, but didn't know where the safe was. They were just wandering through the network. And they hadn't actually gained access to anything valuable yet.
There was an old server that the bank used to manage employee benefits data. It was still running just not used very often. See, there's 250,000 employees at JPMorgan Chase, and they're using about a half a million computers in this network. It's not easy for such a large company to manage half a million computers.
And in this case, the employee benefits server had been neglected. It wasn't updated with the latest security patches and features, and it wasn't set up for two-factor authentication, which would have required users to enter a time-sensitive token code with their password to get in.
The hackers discovered this server on the network and used their stolen credentials to log in. This is a perfect example of when two-factor authentication probably would have stopped these hackers from getting any further into the network. Anyway, once a skilled hacker establishes access to a network, they're going to want to create a persistent connection and elevate their privileges. They'll need a persistent connection in case their connection gets dropped, then they have a guaranteed way to get back into that server.
So the hackers created a back door into the JP Morgan Chase network. This was a point of access that only the hackers would know about, and the security team wouldn't be able to detect them. Once they did that, they began crawling around the network, looking for something in particular. They slowly made their way towards the systems they were after. They were good, hiding their tracks, doing things just the right way to avoid setting off alarms, and avoid being detected by antivirus scans.
For months, these hackers had been creeping around, quietly accessing databases and exporting data to their own servers as they went along, and all the while they were silent and invisible. In all, they breached over 90 of JP Morgan Chase's servers, which included multiple databases used to store customer information.
This story became public on August 27, 2014, when Michael Riley and Jordan Robertson reported on this hack in an article in Bloomberg. They revealed that there had been a successful breach at JPMorgan Chase, and they said it was the work of Russian hackers.
The accusation that this was a nation-state attack on US financial infrastructure grabbed the attention of the US financial system. Could it be that Kremlin-sponsored hackers had managed to get inside the networks of JPMorgan Chase, breach layer after layer of security, and make off with tons of customer data without JPMorgan Chase knowing anything about it?
It wasn't until the bank filed a disclosure with the Securities and Exchange Commission on October 2nd that we learned more details about this hack. And it was way worse than anyone thought. The hackers had accessed multiple customer databases and stole 83 million personally identifiable records of JPMorgan Chase's customers. These records were associated with 76 million households and 7 million small businesses, pretty much all located in the US.
To put that in context, in 2014 there were something like 127 million US households. So that's around 60% of all US households that got their information stolen in this hack.
The idea that Russians were behind this hack and that they were probably state-sponsored wasn't all that surprising. I mean, just a few months before this, the US had put a load of heavy sanctions on Russia's financial infrastructure. See, in 2014, that was the year when Putin decided he wanted to take the Crimea Peninsula from Ukraine. Putin dispatched scores of masked armed soldiers to Crimea and they seized the territory raising Russian flags and then went on to take control of the cities and the Supreme Council building. The Supreme Council is sort of like the Crimean Parliament.
The current PM was booted out and a new one was voted in. Although there were some good reasons to doubt the fairness of this election, this was the most blatant land grab in Europe since World War II. Russia's invasion of Crimea stirred up a whirlwind of controversy, the US and EU and of course Ukraine strongly condemned Russia's tactics and said that Putin had violated multiple local and international laws.
So the US and EU imposed sanctions against Russia. And these sanctions threatened to tip the already fragile Russian economy into recession. The US and EU intended for these sanctions to force Putin to relent and relinquish control of the Crimean Peninsula back to Ukraine. But Putin wasn't having any of it. He denounced the US and EU for imposing these sanctions, which he said was just another example of a grasp of US foreign policy, and he warned that Russia may retaliate against these actions.
So it seemed possible that the hack on JPMorgan Chase was the first volley of Russia's retaliation. Here's a clip from CNN discussing the very idea. The FBI is investigating a series of cyber attacks against US banks thought to be coming from Russia. Hackers are believed to have accessed sensitive information from several financial institutions, including banking giant JPMorgan Chase. Could this be retaliation for Western sanctions against the Russians?
Christine Romans is here with more. Is this retaliation? Well, that's what the investigation is going to have to really zero in on here. Quite frankly, Alison, the U.S. official tells us that the location of the hacker still isn't clear, but given the sophistication of this, the cybersecurity community is saying this investigation appears to center, it should definitely center on Russia. Now, hackers from Russia are often top FBI suspects, and the timing of the hack has raised suspicions given recent U.S. sanctions against Russia, also still this big question, the motivation.
Still unclear if the attack was financially or politically motivated or if it was some sort of espionage. Banks have very tough security getting through that and getting account information, getting so much information, definitely not an easy task. Now in response to this breach, JP Morgan said, companies of its size experience cyber attacks every day and the bank has measures to protect itself. And again, the FBI US officials are investigating just what the cause was of this cyber attack.
For JPMorgan Chase, this attack came at the tail end of a really bad year. They lost a heap of staff in the previous months. In 2013, their chief information officer resigned and took a position as the CEO of a payment processor called First Data. And around this time, five other senior staff from JPMorgan Chase also quit.
This included the Information Officer and Chief of Security for their IT teams. In early 2014, a new Chief of Security was appointed, James Cummings. He helped to recruit a new Information Officer, Gregory Rattray. So, when this hack was carried out in July 2014, the top IT leadership had only been in place for about six months.
Both Cummings and Rattray were former US Air Force, and they were both convinced that this attack was state-sponsored and probably executed by Russians, and they thought this hack represented a threat to US national security. I have to wonder, though, whether their military training and experience biased their interpretation of this hack.
After all, they would have been used to dealing with state-sponsored attacks while in the military. So it's not like this hack couldn't have been what Cummings and Rattray thought it was, but the problem is the FBI's analysis just didn't match up with Cummings and Rattray's.
The FBI had several specialist units working on this hack. They pulled in their cybercrime unit, the Secret Service, and Homeland Security to investigate this attack. And all of this analysis wasn't enough to convince the FBI that the hack was executed by a nation state, or that there was a clear threat to national security.
So that set off this weird political drama over the data that had been stolen from JPMorgan Chase. See, there was this system in place that was supposed to capture any stolen data in a hack like this. Think of it like a CCTV system that you could rewind and watch back if you knew something bad happened. But according to Bloomberg sources, this system didn't have enough storage at the time of the attack. So even though they collected the data at the time of the attack, they didn't have it anymore.
And on top of that, maybe because of political drama around who committed this hack, JPMorgan Chase didn't want to hand over the data they did have from the hack to the FBI. Things were starting to get out of hand. And none of this was helping to solve the actual problem that millions of JPMorgan Chase customer records had been compromised.
Two weeks after the hack had been discovered, the assistant director of the FBI's Cyber Division, Joseph Demarest, had a conference call with JPMorgan Chase's COO, Matt Zames, James Cummings, and Gregory Rattray. Cummings and Rattray, the Air Force veterans from JPMorgan Chase's IT department, were pushing for the hack to be deemed a threat to national security. And if they got their way, the US Department of Justice would excuse them from any obligations to tell their customers about the hack.
The idea of this policy is that if a hack is a threat to national security, then it should be kept quiet as possible while it's being investigated. But in the end, the FBI thought it was more likely that this hack was done by a group of clever and skilled criminal actors rather than a nation-sponsored threat actor. JPMorgan Chase and the FBI reached a truce. JPMorgan Chase handed over all the data they collected during the hack so the FBI could conduct a thorough investigation.
But jeez, this was a bumpy ride to get there. Jordan Robertson, the journalist from Bloomberg, who originally broke this story, talks about what happened between JPMorgan and the FBI. One of the questions we set out to answer, eight months ago when this breach occurred, was why we were hearing such a different story from folks who were familiar with the banks investigation, which they said the Russian government was believed involved.
versus the law enforcement investigation, which was indicating a criminal attack. And the answer to that is the bank is staffing up on former senior military officials, cyber warriors, and they come to these problems with a very specific mindset about who's responsible for hacking. And there's a fundamental difference between
studying attacks on military infrastructure versus studying attacks on the private sector, and the private sector faces a lot more for-profit criminal activity than the military does, and that really animated the bank's investigation. Very interesting. Now the military approach, that's led to some problems, Jordan, right, that you found out, including some clashes internally, but also with the FBI as well, right?
Yeah, you know, what happens is, you know, you hire people who are really great at offensive cyber operations and they're great network attackers. Defending a network is a whole other matter and dealing with law enforcement beyond that is another matter entirely. And what we found was that the bank repeatedly clashed with the FBI and the Secret Service over information sharing.
The Secret Service went so far as to threaten to subpoena the attack data because they believed they were not getting it in a timely fashion. And a senior FBI official had to intervene on his agent's behalf to facilitate that information sharing more quickly. So there were clashes at multiple levels, and a lot of it traces back to this difference in mindset between the military and private sector.
So now the FBI were hunting down these hackers, using the IP addresses JP Morgan Chase and Simco Data Systems had found. It was hard for investigators to track this attack because the hackers deleted most of the log files that would have left breadcrumbs revealing their activity in the network. Early in the investigation, it was suggested that the hackers spoke Russian, but I'm not sure whether they had any actual evidence of that.
Now what about these IP addresses the hackers were using? Well, investigators started tracing these back and found the IPs were from different countries all over the world. The computers that had launched these attacks were located in Russia, Egypt, Czech Republic, South Africa, and Brazil. And all of these IPs belonged to hosting providers who were in the business of renting servers to whoever wanted them.
This is a simple way to hide your tracks as an attacker. You don't want to do all this hacking from your own office or house. You want to rent a server on the other side of the planet and use that to carry out your hacks.
So the hackers had rented one server in Egypt, which they used on some of these hacks. And get this, the day after the news broke about JP Morgan Chase, the hackers stopped using that server in Egypt and cancelled that account. It seems like whoever was behind this was watching the news, and they knew they were about to be hunted.
While all these investigations were going on, there were reports coming out of other financial companies across the US. Slowly, these reports started to paint a bigger picture. JP Morgan Chase wasn't the only target. The same hackers had hit multiple other financial institutions.
By October 2014, investigators believed the same hackers had hit at least 12 or 13 other financial institutions. But from what I can tell, none of these companies have officially come forward about these breaches. But reports are naming some pretty specific banks, including Fidelity Investments, ADP, HSBC, Citigroup, and Bank of the West.
They had all found signs that these IP addresses from the JP Morgan Chase hack had also been sniffing around inside their network. Now the financial industry was really starting to get worried. Some of the banks only found evidence that the hackers had entered the network and had poked around, but others found signs that stuff was stolen. Here's journalist Emily Glaser from the Wall Street Journal.
Yes, so right now we know that Fidelity and E-Trade are on that list of 13 financial institutions including JP Morgan. We had reported earlier yesterday that Citigroup, HSBC, ADP, the payroll processor, and regional lender Regions Financial were also spotting traffic from alleged hackers linked to JP Morgan. So there is a lot going on here and it's very fluid.
The FBI is already involved on site at JP Morgan. We reported Secret Service, NSA, Benjamin Lawsky, the top New York financial watchdog, and SDNY, the US Attorney based in Manhattan. So there are a lot of regulators and prosecutors either examining or investigating this.
So it's early 2015, seven months after the hack, and the JPMorgan Chase security team is still working on the investigation. Internally, they were calling it the Rio investigation. They hired outside experts, plus some tech executives to form a control board panel.
The job was to meet every two weeks and figure out just how this hack was going to affect JPMorgan Chase and their customers. And they also needed to make sure these hackers could never get in the systems again. The year all these financial companies got hacked was a pretty big year for large data breaches. Target was breached at the end of 2013 and they had 40 million customer credit card records stolen. eBay was hacked less than six months later in May 2014. Their customer database was breached.
In September 2014, while JP Morgan Chase was working on the Rio investigation, Home Depot discovered they'd been hacked too. A heap of credit card information from their customer database appeared on the dark web. Investigators suspected that the same people were behind both the Target and Home Depot hacks, but they still had no idea who those hackers were. And the truth is, many hackers working on this scale don't ever get caught. But in the middle of 2015, things started to get weird for the Rio investigation.
On July 21st, the Israeli police made two coordinated arrests in Israel at the request of the FBI. Now remember that date, July 21st, 2015. It's gonna come up a few other times in the story. So the police arrived unexpectedly at the homes of 31-year-old Gary Shalon and 40-year-old Ziv Orenstein. They were both arrested and charged with securities fraud, which is basically illegal stock market manipulation.
Now, Gary Shalon is a bit of a flashy guy. He lives in a $6 million mansion in the very posh Savyon suburb of Tel Aviv. This is kind of like Israel's version of Beverly Hills, where all the celebrities live. His closets were full of expensive tailored suits, and the police found half a million dollars in cash in his house when he was arrested. Ziv Orenstein, who lived in Bat Hefer about 29 miles away, may have been wealthy too, but he was more low-key.
Both of these guys are Israeli citizens, and in 2009, they established a web marketing company called Webologic Limited. Gary was the manager of this company, and Ziv wasn't listed as being involved with Webologic, at least on the books. Still, the Wall Street Journal reported that there were 30-odd employees that worked there, and they all knew Ziv was really the guy in charge. As part of the securities fraud investigation, the Israeli police seized all electronic devices in both Gary and Ziv's houses and the Webologic offices.
Now, there was this third guy involved in all this. The Israeli police also raided the house of 31-year-old Joshua Samuel Aaron at the same time, but when they went to his house, he wasn't home. He had been in Russia, but he was supposed to be back in Tel Aviv at the time of the arrest, but there was no sign of him at all. So they report back to the FBI that they didn't get Joshua, and so Joshua becomes a wanted man.
And get this, at the same time that Gary and Ziv are arrested in Israel, the FBI coordinated a simultaneous raid in Florida. They arrested Anthony Murgio and Yuri Lebedev for running an illegal Bitcoin exchange called Coin.mx.
So what do these arrests have to do with major U.S. bank hacks? Well, on that same day, July 21st, Preet Bharara, U.S. Attorney of the Southern District of New York, unsealed an indictment against Gary, Ziv, and Joshua. Bloomberg News and The New York Times published some wild claims. They reported that a leaked internal FBI memo had linked Joshua, the man on the run from Israeli police, and Anthony, the man arrested in Florida, to the JP Morgan Chase hack.
The memo said there was evidence of Joshua logging into the servers that were used for these hacks. On the same day, we also find out exactly what they stole. I mean, these people attempted to get into 12 banks, and they successfully got into a few of them. They must have done this for monetary gain, right? But did they steal any money?
No. I mean, I can think of a number of ways they could have stolen money. Obviously a bank, the size of JP Morgan Chase has a lot of money in its accounts. And the hackers could have moved some of that money around. Okay, but there's other ways they could have made money too, like the Chase Bank gift cards. Imagine if they got into the database of those, or prepaid debit cards, or they could have manipulated the bank's reward point system. Imagine if they set their own accounts to have like a billion reward points, and they could convert that to cash and just siphon money out that way.
What if they instructed a ton of accounts to buy a certain stock, driving up the price? There are a ton of things they could have done while in the bank's networks.
But all they did was steal customer database records. Specifically, they grabbed email addresses of bank customers. And I just don't understand that. Why go through all the effort of breaking into the biggest and possibly the most secure company in America just to steal 83 million customer records? There's something more to the story.
So things are pretty confusing at this point. We have three people who were supposed to be arrested in Israel: Gary, Ziv, and Joshua. They got Gary and Ziv, but Joshua wasn't home. Then at the same time, two people were arrested in Florida, Anthony and Yuri. The two Israelis were arrested on charges of securities fraud, and the Florida men were arrested on charges connected with the JP Morgan Chase hack and something to do with a Bitcoin exchange. Finally, some news agencies started reporting on an FBI memo suggesting that all five men were connected with this hack.
So, were they the hackers or were they con men? What role did everyone play? It turns out the feds had started investigating this group shortly after the JP Morgan Chase hack was discovered. The forensic data that the FBI got from JP Morgan Chase had led authorities to Joshua. Somehow they got server logs that pointed them to his IP address, but they didn't know how involved he was, and they were pretty sure he wasn't in on it alone.
So they start digging around his life to see what he was doing and who he was associating with. And that's how they discovered Anthony, Gary, and Ziv. And these guys were looking pretty suspicious.
So Joshua was the prime suspect who led investigators to the door of the others. And he's an American citizen. He grew up in Potomac in Maryland. He enrolled in Florida State University in 2002 and studied business. And there is where he met Anthony Murgio, who was later arrested in Florida. While at university together, they became pretty good friends and being business students. They wanted to find ways to earn cash while in college.
So they set up a money-making scheme, writing Google Ads for affiliate commissions, and they did pretty well at it, too. They had other students working for them, and they were making thousands of dollars a month. Not bad for a couple college kids, actually. Joshua dropped out of his courses in 2005, but he stayed in touch with Anthony.
Now, from there, Anthony's story actually goes in a wild and crazy adventure, totally tangent to this one, which is another story worth telling, but it doesn't quite fit this story. I mean, he was arrested in connection with this story, but Anthony tells me he was only arrested so the feds could get information on Gary, because Anthony and Gary started a Bitcoin exchange together called Coin.MX, and they purposely hid from financial regulators, and even went so far as to take over a credit union to look legit.
So the feds swooped in on Anthony for his illegal Bitcoin exchange and because they knew he was working with Gary. Okay, so back to Joshua, the man on the run. In 2013, Joshua set up an internet marketing business with a partner who had a history of defrauding stock markets. Apparently this guy had been banned for life by the Financial Industry Regulatory Authority for marketing useless stocks, sort of a pump and dump kind of thing. You buy up an unknown stock, try to inflate the price of it, and when it's at its peak, you dump it and make a massive profit.
But Joshua's partner got caught doing this and got banned. So after that fell apart, Joshua moved to Israel. And it seems that's where he met Gary Shalon and that relationship started. By 2014, Joshua and Gary were running their own stock fraud scam with Ziv Orenstein, who was one of Gary's associates. They had been running that Webologic business together in Israel.
Now the feds didn't think it was actually Gary, Joshua, or even Ziv that carried out these hacks, but it looked like they were working with whoever did.
So as the feds investigated Gary, Ziv, and Joshua, they found these guys were up to their necks in scams and plots and may have been connected to some serious hacking. By October 2014, internally, the feds had totally rejected the idea that these hacks were state sponsored by Russia. No, it wasn't the Russians. It was this collection of con men and fraudsters who'd been operating huge scams under the radar for years.
So let's take a look at this indictment that was unsealed by Preet Bharara on July 21, 2015. It was a lawsuit brought by the SEC, the Securities and Exchange Commission. They're the U.S. federal agency that enforces securities laws. This lawsuit was brought against Gary, Ziv, and Joshua for six stock market scams they pulled off over the previous four years. And it included details about how much money they were making off these scams.
Let's take a look at the first one. They were buying stocks in a company called Southern Home Medical Equipment, a U.S. company based in South Carolina that provided healthcare services across the country. In May 2011, Gary and Joshua bought the company's stock at 1.7 cents each, not quite two cents per share.
And they launched their own marketing campaign for this company, hyping it up, writing articles about how great it was and telling everyone that this company was about to go to the moon. Gary was the savvy business guy. He knew stocks inside and out, and Joshua was the marketer. He was great at selling anything. They successfully raised Southern Home Medical Equipment's stock price from just under 2 cents per share to 33 cents per share before selling off their stocks in the company.
Their net value in that stock rose 1,800% in just six days. But the problem was that all the marketing they did for this company was made up. They had faked the numbers and the news about this company in order to temporarily inflate the stock price. That's why this kind of market manipulation is illegal.
If you've seen The Wolf of Wall Street, you may recognize this idea, because that movie is about a similar kind of scheme.

"The Securities and Exchange Commission sent two lawyers down to review our files, so I set them up in our conference room and I had it bugged and the air conditioning turned up so high that it felt like Antarctica in there. Then, while they were looking for a smoking gun in that room, I was gonna fire off a bazooka in here, offering up our latest IPO. An IPO is an initial public offering. It's the first time a stock is offered for sale to the general population. Now, as the firm taking the company public, we set the initial sales price and sold those shares right back to our friends. Look, I know you're not following what I'm saying anyway, right? That's okay, that doesn't matter. The real question is this: was all this legal? Absolutely not. But we were making more money than we knew what to do with."
Gary, Joshua, and Ziv were in the business of manipulating the stock market and getting people to buy stocks based on false information. These scams are called pump and dumps because the scammers try to pump up the value to make a quick profit by dumping the stocks at a higher price. And here's how they did it. First, they forged documents so that they could present themselves as stock brokers. So they were already working under false pretenses. Now, stock brokers are like middlemen between investors and the stock exchanges.
They help investors figure out what stock to buy, when to buy them, and they seek out good investment opportunities for their clients. These days, everything is digital and online. So Gary, Joshua and Ziv created newsletters, social media accounts, and websites to tell investors what shares to buy. These tools gave their investors the impression that if they followed Gary, Joshua, and Ziv's tips, their money would grow quickly.
Sometimes they would fake the data on these articles and predict that a stock was going to rise in value, but they would actually backdate that article to make it seem like other predictions came true. Their indictments showed that these guys were all using the classic scams. Since May 2011, they hit six microcap companies.
They targeted one after another with their tried and tested schemes. They hit each of these six companies using the same pump and dump formula. They'd buy the company's stock while it was less than $5 a share, and then they'd create a bunch of false hype about these stocks, resulting in a buyer surge that would drastically increase the trading volume and stock price within just a few days.
In 2011, they made about $460,000 doing just three companies. Then they upped their game. In February 2012, they hit a company called Mustang Alliance, which is a mining corporation. In just one week, they bought 2 million shares of Mustang Alliance, increased the share price over 65% and then sold the shares for a $2.2 million profit. Altogether, they collected $3.5 million in just a couple years running these scams.
But this wasn't their only racket. Gary was the head of operations and CEO of their company, Webologic. He had the final say on all these decisions, and he found a couple of stock promoters to bring in on these scams. Their job was to advertise and promote different stocks and shares all day long. And they would go hunting for companies that they knew could easily be promoted as a pump and dump.
But they did more than that. So in case you didn't know, there's a big difference between being a public and private company. Basically, it has to do with who owns the company. A private company is owned by some group of people, usually the founders or management group or private investor. But a public company is a company that has sold some of its shares to the public through a stock exchange.
This means that part of the public company is literally owned by members of the public, the people who have purchased shares in the company. And that's why they're called shareholders. Also, private companies can't sell shares of their company on the stock market. And it's actually really hard for a private company to become a publicly traded company. It's a long process that takes years. Even legit, fast-growing companies have to apply and be audited before they can be listed as a publicly traded company.
And when that finally happens, they have an event called an initial public offering or IPO. So I say all that because sometimes Gary would find private companies that seem like they would be easy to falsely promote. He worked out a system to help these companies go public so that he could run his pump and dump scams using their shares.
Over the years, Gary created heaps of shell corporations. These are companies with no staff, no revenue, no office. These corporations only exist on paper. And Gary would go through the long, rigorous process of getting these corporations to go public and be traded on the stock exchange.
This might have taken him years. But with publicly traded shell corporations ready to go, Gary was able to approach private companies, pretend to be a legit stockbroker, convince them to do a reverse merger with his shell corporation, and that would fast-track that company to being publicly traded on the stock market.
Now, this whole scheme is all upside for Gary. First, he's going to sell his shell corporation to some company. This could make him anywhere between a few thousand dollars and a few hundred thousand dollars. And because he created these shell companies, he was able to assign any amount of company shares to himself or his friends like Joshua and Ziv. So if he did that, then before the actual scam even started, he would already have tons of shares in these companies.
So he would sell his shell corporation to a company, and then that company does a reverse merger with it. And now that company is suddenly a publicly traded company. He did all this under the guise of being a helpful stockbroker, just there to help them navigate going public. Then once the reverse merger was complete, and that private company was now publicly traded, Gary's fake marketing campaign would ramp up and make the stock of that company boom. That's the pump.
And right when the hype was about to fizzle out, Gary and Ziv and Joshua would sell all of their stocks, which they could have had from the very beginning. And that's the dump.
If Gary was the CEO of the scam operation, Ziv was his ops manager with some IT thrown in. Ziv bought up a heap of domains and built stockbroker websites that all looked legit. And he was the one who maintained all of the different brokerage accounts and the false documents for their schemes. He was the one keeping track of all the moving pieces. Joshua was like the communications and marketing manager. He wrote all the promotional materials that they used to market the companies.
And with this systematic approach, and with all the pieces ready to move, these scams were really just a matter of bombarding people with marketing and buying and selling stocks at the right times.
Now, at this point, you might be wondering, how is any of this connected to the breach at JPMorgan Chase? Well, we're almost there. Bear with me. See, over time as these guys were marketing stocks, they were starting to do some email marketing. They would send people emails that said, amazing opportunity, small cap investment can double your money in weeks. Don't blow your shot at financial freedom.
They would list a stock ticker symbol and make people feel like they had to buy this stock right away. You've probably seen these types of emails. I've received thousands of them myself. The way they work is that whoever is at the center of these scammy emails just buys a huge list of email addresses and blasts out millions of emails at a time. And that's what Gary's crew was doing at first. And that was somewhat successful, but they wanted to take their scam to the next level.
They thought if they could get a list of email addresses of real stock market investors, their spam would be much more effective. I mean, who better to advertise a stock tip to than people who are actively trading on the stock market? Traders are always looking for a hot stock and they might just go ahead and buy some random stock that they saw in a scammy looking email.
And that brings us to JPMorgan Chase. It turns out that the whole JPMorgan Chase hack was about getting better leads for Gary's marketing campaign to make his pump and dump scams more profitable.
That's right. Gary, Ziv, and Joshua wanted millions of stolen JP Morgan Chase's customers' email addresses just to email them stock tips. Of all the absurd off-the-wall preposterous crimes, this one takes the cake. Three random scammers orchestrated a hack into the largest bank in the U.S. just to make money on their pump and dump scams. Unbelievable.
But their criminal activity went way beyond stock market manipulation. Stay with us, because after the break, we'll hear what else they did. On the same day Gary and Ziv were arrested, July 21st, 2015, an Israeli newspaper reported that another indictment had named them both. But this time, it was for a huge illegal online gambling operation, an operation that was supposedly even bigger than the stock fraud scams they'd been pulling.
When this report came out, the online gambling forums just lit up. It turned out that Gary and Ziv were behind the well-known dodgy online casinos Affactive and RevenueJet. These are actually groups of casinos, owned and operated by companies called NetAd Management and Milsource Limited, and they had dozens and dozens of online gambling websites. For years, the casino sites run by these two companies had been getting called out by the gaming review sites as being scams.
The review sites actively warned players not to use Gary and Ziv's online casinos. In fact, in 2010, Casinomeister gave Affactive Group the Worst Casino Group award, citing their terrible customer service and failure to pay players their winnings.
All these sites under Affactive and RevenueJet used gambling software called Rival and RTG for the games. These are the leading suppliers of casino games and online gambling, and they leased this gaming software to the independent casinos. So the games on Affactive and RevenueJet were legitimate, well designed games, and that's how they attracted players to come to their sites to gamble. But to gamble on these sites, you need money to play. And when winners would actually win money, that's when Gary and Ziv would start pulling some shady business.
Their casino sites started to develop a reputation for being really unreliable at paying out their players. When a player made a cash out withdrawal request, there were all kinds of delays. Security procedures would make players wait 90 days. Some players waited the 90 days for their money, only to be told their cash out wasn't valid because they hadn't played at the casino for the last few weeks.
Sometimes they wouldn't pay the whole amount, maybe just a percentage, just to keep the players guessing. But that would be as far as it went. Often players would just give up, take the loss, and move on to a different site. Or they'd end up gambling away their winnings and playing more games in the casino. By avoiding paying out the players, these sites were raking in tons of cash.
Like the JP Morgan Chase hack, this is an absurd scam that doesn't make any sense to me. An online casino, by its very nature, makes a ton of cash. The odds are always in the casino's favor to win, even without scamming anyone. Maybe you've heard the term, the house always wins. Yeah, that's about casinos. They are literally money printing machines for the owners. So why treat the players so poorly? Oh, the nerve of these guys, the greed is just astounding to me.
But it gets worse. Just after the arrest, the NetAd Management casino network collapsed. Just stopped. None of the sites were loading at all, and the executive director of the Gambling Portal Webmasters Association said that he got a notice that Affactive was closing its operations effective immediately. It seems like as soon as the indictments came through, someone pulled the plug on the casinos. Their online casino empire had crumbled overnight.
At that time, Gary and Ziv were in custody in Israel, and the US was trying to get them extradited to face these stock fraud charges. Joshua was still nowhere to be found, and with his indictment unsealed, his name showed up on the FBI's most wanted list. But still, we don't know who actually conducted the hack against JP Morgan Chase and the other 12 financial institutions. Gary, Ziv, and Joshua were market manipulators, shady businessmen, and con artists.
But they weren't hackers. And we know they had the stolen email addresses from the JP Morgan Chase hack. But how did they get them? Breaking into JP Morgan Chase's network is not an amateur hacking project. Whoever did it really knew what they were doing. But if Gary or Ziv or Joshua weren't the hackers, then who was?
A year after JP Morgan Chase discovered they'd been hacked, several more financial companies received visits from the FBI informing them that their networks had been breached and that the FBI had evidence to prove it. So these companies started to send out letters to their customers. In October 2015, the online discount stockbroker E-Trade sent a letter to all their customers explaining that their network had been breached and that customers' personal information had been compromised.
They said the database that was breached contained 31,000 E-Trade customers' data. Scottrade, another online stockbroker, revealed that they were also hit by these hacks. But their breach was way bigger. They believed that the personal information of 4.6 million of their customers had been stolen.
Dow Jones sent out letters too. They're not a financial institution in the way a bank or broker is, but they're a big publisher of financial information. They've been going for 137 years. They publish the Wall Street Journal, MarketWatch, and Barron's. In October 2015, they informed their customers of a data breach.
In their letter, they explained that the hackers may have been in the system for three years, but they'd only found evidence of the theft of 3,500 people's contacts or payment data. There were clues like IP addresses and the malware and the data that was stolen, which made authorities suspect that these hacks were all conducted by the same hackers.
A month later, all the evidence came out. On November 10th, 2015, Preet Bharara, the Attorney General of the Southern District of New York, unsealed a superseding indictment against Gary, Ziv, and Joshua, and it was a bombshell. Getting indicted for these stock scams probably seemed bad enough for these guys, but now they were really in trouble. Good afternoon. My name is Preet Bharara, and I'm the United States Attorney for the Southern District of New York.
Today, we announced criminal charges in one of the largest cyber hacking schemes ever uncovered. The charges involve cyber intrusions over several years targeting 12 different companies, seven financial institutions, two financial news publications, two software development firms, and a market risk intelligence company. By any measure, the data breaches of these firms were breathtaking in scope and in size.
The defendants allegedly stole personal information for over 100 million customers, including 83 million customers from one bank alone, the single largest theft of customer data from a U.S. financial institution ever. That bank was JP Morgan Chase as it has disclosed itself.
To hide their tracks, the defendants allegedly operated their criminal schemes through over 75 shell companies and used close to 200 identification documents fraudulently, including 30 false passports from 17 different countries. The good news is that the FBI and the Secret Service have cracked this case, and we aim to prove it in court.
At this point, the evidence of the case was getting massive. These guys have been running an international cyber crime enterprise. The new indictment accused them of 23 counts, which included computer fraud, hacking, wire fraud, securities fraud, money laundering, identity theft. It just went on and on. This one group had been running this whole system of interconnected illegal schemes. Scam on top of scam on top of scam. They were making hundreds of millions of dollars.
What the feds had uncovered here was huge. The scale of this is just incredible. I mean, it's really crazy. But let's stop for a minute and talk about the money. That's what Gary was doing all this for, right? Well, he was living the high life in his Tel Aviv mansion, passing himself off as a really successful businessman. And I guess that in a certain sense, he was a successful businessman. And he did have some legitimate business interests and investments that earned him good money.
But to live the kind of lifestyle he wanted, I guess he felt like he needed to keep chasing the next big payday.
Anyway, all these scams, the online casino, the stock fraud, the hacks, they were making Gary, Ziv, and Joshua hundreds of millions of dollars. And they couldn't just throw all that into a bank account. That definitely would have attracted some unwanted attention. Banks are required to report deposits of a certain size. And I'm sure that if Gary, Ziv, and Joshua had deposited their hundreds of millions of dollars, they would have triggered some sort of reporting policy.
So they needed a solution, a way to launder the money, convert their money from illicit and unusable to clean and spendable. And they came up with a couple of ways to do it. Remember those shell corporations that Gary was using to do reverse mergers with private companies for their stock scam? Well, this also came in handy for laundering a lot of money they were making.
Gary and Ziv were moving money around left, right, and center, and they were transferring millions of dollars from their casino businesses to bank accounts in Cyprus and then shifting it all around through all the shell companies. They had their money laundering down to a science. All they had to do was fill their shell companies' ledgers with transactions for goods and services that they had supposedly been providing to their customers.
They could then use this dirty money to pay themselves for those made up goods and services. That way it would look like this money was just shell companies invoicing and getting paid by legitimate customers. This left the shell companies with loads of money in their accounts and a nice audit trail that made everything look more legit. And at the end, they had clean money.
Gary had 75 different shell companies. He, Ziv, and Joshua had multiple bank accounts and brokerage accounts in countries all over the world. Obviously, none of them were set up in their own names. All three of these guys had aliases they would use. They had 30 different fake passports from across 17 different countries. Keeping track of all these companies and accounts and the false documents and the different names.
That must have been a full-time operation just doing that. It's pretty impressive how they were able to manage all these moving pieces. Before they got caught, it probably seemed like it was worth all this work.
In 2011, the same year he started the pump and dump scams, Gary created two online payment processing companies called IDPay and Todur. You can think of these as shady versions of PayPal. Gary used these payment processors to let his players deposit money into gaming accounts at his online casinos. These sites were the intermediaries between the players' bank accounts and the casinos' bank accounts. Each transaction would go through these payment processors, but Gary had to hide that money because it wasn't legal.
To turn that money into money he could actually use, he needed to make it look like it came from a legal source.
Gary and Ziv opened multiple bank accounts in different countries using fake IDs and fake documentation. They would send transactions made through IDPay and Todur into these accounts around the world. Now, credit card companies are not allowed to process payments that they believe might have come from illegal activity. So Gary and Ziv would code their transactions to make them look like simple online purchases from everyday retail websites like pet stores or wedding outlets.
If they could find banking officials in the countries they were depositing their money, they would bribe them to turn a blind eye. Basically, they did anything they could to prevent anyone from catching on to their operations. Of course, the players at Gary's online casinos had no clue what was going on in the background. Everything probably just seemed normal from their perspective.
And Gary had a bunch of like-minded friends, other criminals who needed to launder their money just as much as Gary did. And he was friends with people selling fake pharmaceuticals, malware, and fake antivirus software. Whatever their business, if they wanted to collect payments via credit card, they needed a shady payment processor, and they would use Gary's IDPay and Todur. Of course, just like any payment processor, Gary would take a nice cut of each transaction.
But sometimes, the credit card companies did get suspicious. When that happened, the credit card companies would stop processing Gary's transactions and issue fines and penalties to whichever financial institution Gary got caught using. Gary would just pay these off and carry on where he could. It was just a minor inconvenience, a cost of doing business.
If they got questioned about this, they'd all act shocked and surprised as if they had no idea the transactions were for illegal goods and activities. If a bank got suspicious and closed one of Gary's accounts, he'd just find a new bank and open a new account. And it became a pretty constant process of finding new accounts and coming up with fake merchants to use for transactions to make them look legit. It was all very shady, but it was working.
In 2012, Gary did another astonishing move. There was this company called G2 Web Services. This is sort of a watchdog company that monitors payment processors to make sure they're above board and not fraudulent. Basically, the staff at G2 will go and do a test at payment processors to make sure they're trustworthy.
Well, Gary was using IDPay and Todur to process a lot of payments for his illegal activities. And he didn't want G2 to flag his payment processors as fraudulent. So he hired a hacker to break into G2 and get a list of credit cards that were used in test payment transactions. Then Gary would just block those credit card numbers from being used at IDPay and Todur, so that nobody at G2 could even test the payment processing on his websites.
The audacity. I've never heard of a hack like this, to hack into a watchdog company just to make sure that they don't talk bad about you and to block them. It's just ridiculous.
In July 2013, two years after Gary first created IDPay and Todur, Brian Krebs published a report about potentially suspicious activity being conducted at IDPay. A source had found IDPay's customer database and discovered a bunch of fake antivirus sites were using this payment processor. These websites had addresses like spyblocker.com, malwaredefender.com, personalguard.com, and so many more, over 50 domains.
Krebs investigated IDPay and he couldn't find anything about them. There were no records of this company existing at all. So he concluded that these websites were installing fake malware onto victims' computers and then asking the victim to pay to get the virus removed. And these sites were using IDPay because a legitimate processor would never process sketchy transactions like this. If this is what was going on, then I guess we can add this bogus antivirus payment processing scam to the growing list of crimes that were committed by Gary and his friends.
One site on the list of IDPay's customers was rxpartners.com. This was known to be an illegal pharmacy affiliate program. Hackers and spammers would sign up and earn cash for promoting illegal pharmacies. In 2013, not many people knew about Gary and his massive empire of hacking and scamming, and they didn't know he was the one behind IDPay.
Well, Gary was focusing on making sure anti-fraud companies like G2 Web Services weren't onto him. He didn't realize that the feds were onto him. How did the feds get on Gary's trail? Well, a month before he was arrested, an undercover federal agent went on to one of his casinos' websites and deposited some money using his credit card to make a bet. When he checked his credit card statement, he found the transaction had been recorded as a payment to houseforpets.com, which wasn't even a real website. This was the first thing that tipped off the feds, and from there, they quickly found a lot of evidence leading to Gary, Ziv, and Joshua. But it was the hack on JP Morgan Chase that really brought down Gary's empire.
If you remember, the hackers successfully broke into JP Morgan Chase's network and stole 86 million records and got out without raising a single alert. JP Morgan Chase had no idea they were breached, and that was by design. The hackers were extremely careful not to raise any red flags. The only reason JP Morgan Chase ever found out that they'd been breached was when they read that whole security report and found that Simmco Data was breached. And the evidence from that breach is how JP Morgan Chase figured out they were breached.
JP Morgan Chase was never supposed to find out that they were breached. So once it came out that JP Morgan Chase did know that they were breached, it was time for the hackers to start covering their tracks. Remember the cancelled Egyptian server rental? Yeah, they knew they were getting rumbled.
But again, JPMorgan Chase wasn't their first hack. They had already gotten away with hacking six other US financial companies. On the same day the big 23-count indictment was unsealed, a third indictment was unsealed, this one in Atlanta. This indictment was focused on the hacks, and it tells us exactly how they happened. The feds had confirmed that it was Gary pulling the strings on all these hacks, and they knew Joshua helped him out. But they also knew that neither Gary nor Joshua were hackers capable of doing this.
So the indictment brought charges against Gary, Joshua, and an unidentified suspect, a John Doe, the mystery hacker. Okay, so with this indictment, we learn how the hacker got into E-Trade and Scottrade. At first, the hacker got a regular login to E-Trade and poked around as just a normal user, looking for vulnerabilities on the site. I'm not sure what he found, but on that same day, three of E-Trade's developer servers got accessed by the hackers.
But nothing was stolen at that time. Almost a whole year passes. Then Gary tells the hacker the plan to steal customer data from the databases and gives the hacker servers around the world to use. Servers in South Africa, Romania, and the Czech Republic. These were not bulletproof servers, which were untouchable by the feds. But Gary told the hacker they were registered anonymously.
So, with the hacker ready, the infrastructure in place, and the plan figured out, Scott Trade was the first of the two to be hacked. On September 8th, 2013, Gary's hacker reported that he'd hit a wall. Scott Trade had antivirus in place, and he could only get access to one employee's computer without raising alarms. But this employee had no admin rights. So this slowed down the hacker. And for the next two months, he tried and failed to gain access.
But on November 22nd, the hacker asked Gary to get him a Scott trade user account, hoping he could use it to breach Scott trade systems. So Joshua and Gary provided the hacker with a regular user login. And from there, the hacker was able to find vulnerabilities in the site and exploit them to get access to Scott trade servers.
The next day, he was searching through Scott Trade's networks for customer databases, and he found them. He looked through a few of the records in the database, and he saw a customer name, phone numbers, and email addresses. Bingo. This is what he was looking for. He did a quick count to see how many records were in the database. There were six million customer details. Gary was very excited about this discovery, and of course, he wanted the email addresses of this database.
The hacker took one more look around the database server and he noticed he wasn't in there alone. A database admin was also logged into the customer database and actively running commands. The hacker got nervous. He needed to download these six million records. He was right there in front of it. But he wanted to do it in secrecy so that nobody would ever know he was there.
And he was nervous that if he downloaded the data while the other admin was there, he might draw unwanted attention. He couldn't afford for that admin to notice that something fishy was going on, and at the same time he didn't want the admin to notice he was there and kick him out. So he waited nervously until that admin logged out. Then he quickly copied 6 million customer records to a server that the hacker controlled, covered his tracks, and disconnected from Scottrade's network.
The hacker gave Gary the password and location of the stolen database.
On November 25th, Gary sent the hacker a report of the customer data that was stolen from Scottrade. The database included information of 4 million Scottrade customers. 100,000 of them were residents of Georgia. The hacker then added more, around 200,000 to 300,000 bank customers of Scottrade. Two days later, he breached more databases and added more data to the server. On November 27th, Gary's hacker reported that he now had 6 million records from Scottrade.
They didn't waste any time before going to E-Trade. The very next day, the hacker breached an E-Trade server, using a brute force attack to gain access to a video teleconferencing server on their network. And of course, once he got in, he got himself persistence and elevated his privileges. He installed a backdoor into the servers and started looking around the network for database servers. Four days later, the hacker breached another server on E-Trade's network and installed a reverse shell on it.
Four days after that, he gained access to three more internal servers and a core admin platform. This was the mother lode. These servers contained all of the customer data for E-Trade customers. The hacker began copying all the data stored on these servers. The reverse shell he had set up was exporting data for days after that. Gary's hacker would eventually steal 15 million customer records from E-Trade's network. And once he stole them, he would send them straight to Gary.
By December 16, one of Gary's associates had cleaned up and merged all the stolen customer records from E-Trade and Scottrade into an enormous database. This was the customer information Gary wanted, a vast database containing the contact details of millions of potential investors, people who he knows are already investors.
Over the course of four months, Gary's hacker had been going in and out of multiple servers on both E-Trade and Scottrade's internal networks. And he hadn't set off any alarms. No security scans picked up on his activity. But at some point, E-Trade began to suspect their systems had been breached. They launched an internal investigation and they got law enforcement involved. But nothing came of it. They couldn't find any evidence that data was stolen.
There were no logs that somebody copied the data because the hacker hid his tracks so he wouldn't get detected. E-Trade concluded that if they had been breached, then the perpetrator had hidden their tracks really well. So the investigation just kind of stalled out. But they were right. Someone had been in the systems and it was Gary's mysterious hacker.
As E-Trade and Scottrade were being hacked, Gary's online casinos were making considerable money. He was running at least 12 different casinos. In October 2013, they made him $78 million. Gary and Ziv had 270 employees in Ukraine and Hungary, working in call centers to help keep these casinos running. And they were responding to queries and trying to help keep players happy, but they were also giving the run-around to players who were trying to cash out their money.
Gary and Ziv needed to draw as many players to their casino as possible. The more people playing meant the more people they could scam out of their winnings. So to help that bit along, Gary called in his hacker. When people want to do some online gambling, they typically start with a Google search and visit the first few gambling websites that show up. They think, oh, this casino is the first result in Google, so it must be popular and trustworthy.
Knowing this, Gary started trying to get his hacker to find ways to improve the casino's search ranking on Google. Now, there's a whole lot that goes into search ranking. It's called SEO, search engine optimization, and what actually determines the ranking on Google search is a little bit mysterious. They use an algorithm of some kind, but in the SEO world, it's generally believed that to boost a site's ranking, you need more links to that website.
So much of SEO is based on the idea that the more websites on the internet that post links to your site, the more popular your site becomes in the search rankings. So Gary knew this. He wanted more links to his casinos and used a secret ingredient to get that.
Wanna take a guess on what that was? The secret ingredient is crime. He asked the hacker for help. And the hacker got to work to try to find a way to make tons of links to Gary's online casinos. And after a bit of searching, he started hacking into dormant, gambling-related WordPress blogs. I'm talking like thousands of them here. Blogs that hadn't been updated in ages, and whoever owned them lost interest in it. All their plugins were out of date, the software hadn't been updated, and well, yeah, they were vulnerable to being hacked.
So, the hacker exploited a lot of these old WordPress blogs, and he created tons of links to the casinos' websites. Compared to hacking into banks, it was pretty easy. Once he finished, these sites had new posts mentioning Gary's casinos and how they were absolutely the best place to gamble. And when these blogs got re-indexed by Google, these new posts made Gary's casinos rise up in the ranking and become more popular.
Now, whenever users searched Google for keywords like, best online casino, or where to play online casino games, these ancient blogs were starting to pop up with fresh results. And people always click on the first couple of results. That's just how it is. So people clicked on these old blogs, they saw tons of glowing reviews of Gary's casinos, and this hijacking of neglected blogs drove enormous amounts of traffic straight to Gary's online gambling sites.
And that wasn't all. Gary liked to be in control and know exactly what was going on. So he paid this hacker to visit his competitors' websites. He would have the hacker take down any competing gambling site he got annoyed at. The hacker would use a botnet to launch a huge denial of service attack on competitor casinos, interrupting service for those casino players. And of course, when gamblers can't get into their favorite gambling site, they might go looking for a different site to gamble on.
So the DDoS attacks that Gary was conducting could actually drive players to his casino too. Then Gary would find out what software the competitor casinos were using, and then ask the hacker to gain access to that software company to monitor what rival casinos were saying and doing. He also hacked into email accounts of executives at the companies that made online gambling software used by many casinos, to let Gary in on deals that executives were making with each online casino. This allowed him to stay a step ahead of his competitors. If anything was going on that might compromise one of his casinos, he would have an early warning. Gary was used to getting what he wanted, and he was quite happy to use sneaky, underhanded tactics to get his way. He was getting away with everything until it all caught up with him in July 2015, when Gary and Ziv got arrested by the Israeli police.
Once the indictment was announced in November, everything went, well, a little bit quiet. The feds and prosecutors were working to prepare their cases. The first thing they were going to do was get Gary and Ziv extradited to the US. This was a pretty long process, which took about a year. In June 2016, they were both extradited to New York and found themselves in a Manhattan prison. On June 9th, they appeared in Manhattan federal court. Both Gary and Ziv pleaded not guilty to the long list of charges against them.
But there was still one guy out there, Joshua. Joshua was still somewhere in the wild and the FBI was searching everywhere for him. They suspected that he was hiding out in Russia, and it made it pretty complicated to look for him there. But then Joshua just solved that problem for them. It turned out Joshua was in Moscow all along. And on December 14th, 2016, his attorney called the feds and said, Joshua's gonna turn himself in and he's flying into the JFK airport in New York.
And so Joshua did. He flew to New York and was arrested on the spot. You see, Joshua got himself in a bit of trouble with the Russians. He had flown into Russia via Ukraine on May 23rd, 2015 and had been staying in an apartment in Moscow. In May 2016, right as Gary and Ziv were about to be extradited from Israel to the US, Joshua was arrested by the Russian immigration police. They turned up at his apartment for a surprise spot check on his visa documents.
For Joshua to maintain his visa, he was supposed to fly out of the country and then come back every six months. And he hadn't been doing that because he was hiding out from the FBI. So the Russian immigration police put him in jail. On May 20th, a Russian judge fined him the equivalent of $80 and ordered him to leave Russia.
So Joshua had to leave Russia, but he wasn't interested in going to the US and getting arrested by the FBI. So he applied for refugee status so that he could stay in Russia.
So while he was waiting on his refugee status at an immigration office in Moscow, he talked to his lawyers and they changed his mind. They convinced him that it was better for him to come to the US and face his charges than to continue hiding out in Russia. But strangely enough, when Russia found out Joshua was wanted by the FBI, they offered him asylum.
They probably thought he would be useful for some sort of political or diplomatic leverage. Joshua had already made up his mind now. So he turned down the offer of asylum, but Russian immigration was now hesitant about letting him leave. So he was stuck in the immigration center while his lawyers were negotiating with the Russians and the feds, both of which wanted Joshua in their custody at this point.
After about six months of this, in December 2016, everyone agreed and Joshua got on the flight to New York and was arrested.
By the time Joshua gave himself up, Gary had been in prison for almost two years. Gary pled not guilty and was looking at a lengthy court trial. Gary was the mastermind behind all these schemes. He had the valuable knowledge and connections with the underground criminals. Plus, he probably knew some stuff about Russian cybercrime networks. The feds recognized that Gary could be really valuable to them. So they offered him some plea deals.
They offered to release him if he agreed to plead guilty to all the crimes he did and became an informant. On May 22, 2017, a big daily newspaper in Israel, the Calcalist, reported that Gary had agreed to pay U.S. authorities $403 million in cash under forfeiture. His plea deal also meant that three criminal proceedings against him, plus an SEC civil lawsuit, were all dropped.
Now $403 million sounds like a lot, but the feds estimated he had earned over $2 billion. So Gary probably was walking away with some extra cash left in his pockets, but giving up his cash meant that he had to tell the feds where the money was. And wow, he had a lot of cash stashed all around the world. He had 81 different bank accounts around the world. Many of them were in Switzerland and some of these accounts had over $100 million in them.
There were accounts in Cyprus, Georgia, the Virgin Islands, Luxembourg, Latvia. They were everywhere. On top of that, he had stashes of cash and jewelry worth millions and a $6 million house. Gary's plea deal wasn't straightforward. According to the Calcalist, it took six different law firms to negotiate it. Five of these law firms were in the US and one was in Israel. So while Gary agreed to pay hundreds of millions of dollars of his illegal profits to get out of prison, he had to give the feds more than money.
And it seems like he gave up a hacker, a 38-year-old Russian man named Peter Levashov. Peter was from St. Petersburg, and he's the one who built the Kelihos botnet, which infected 100,000 computers. This botnet was built to send massive amounts of spam emails. But the Kelihos botnet was also available for hire. Anyone could use it to send tons of spam themselves. And Gary was definitely sending a lot of spam.
Peter was arrested on April 9, 2017, while on holiday with his family in Barcelona, Spain. He was accused of running the Kelihos botnet and pleaded guilty to it in Connecticut in September 2018. The counts against him included the distribution of fake spam emails promoting counterfeit pharmaceuticals and other frauds, including pump-and-dump stock scams. He's still awaiting his sentencing.
It's not clear what Gary told the feds about Peter, whether he just straight up ratted Peter out or what happened there. But the question everyone had was, hey, this Peter guy, is that Gary's mystery hacker? At first, I thought it was. But no, he wasn't. Peter wasn't Gary's hacker. That was someone else entirely.
In December 2017, law enforcement flew into the airport of Georgia, an Eastern European country. They were there at the request of the U.S. authorities, and they went to the capital to arrest 35-year-old Andrei Tyurin. Andrei is a Russian citizen, but the U.S. had been tracking him and knew he was flying into Georgia from Moscow, and they wanted him in custody before he could disappear.
Andrei was a well-known high-level Russian hacker. The feds believed he was the hacker working with Gary in his empire of scams, and they had spent the last two years trying to track him down and detain him. Once in custody in Georgia, the feds set out to get him extradited to the US. Now, Russia does not like giving up hackers, but there's not much they can do when it's outside their country. So that's why the US arrested him in Georgia, because you can get him extradited out of Georgia.
Now, some Russian hackers have a double motive for hacking. They work on a freelance basis, taking jobs from whoever is willing to pay their fee. But they may also be looking to pass any juicy information they find to the Russian government or anyone else who's willing to pay for this information.
So, regardless of who's paying for the hack, the hacker is always the first person to get their eyes on the data. Sure, the hacker will upload a copy to whoever hired them, but there's nothing stopping them from uploading a copy to someone else too. Although the FBI had ruled out the possibility that the JPMorgan Chase hack was executed by the Russian government, US intelligence had apparently found some evidence to suggest Andrei was getting some protection from the FSB, Russia's intelligence agency.
It hasn't been confirmed, but some evidence suggests that the FSB tried to recruit Andrei, while other bits of evidence suggest he may have had a bigger role in the operation run by the FSB. Either way, it took almost a year for the feds to get through the red tape and bring Andrei onto US soil and book him into a federal prison.
Now a quick aside about U.S. attorneys. This case was being handled in the Southern District of New York, and Preet Bharara was the U.S. attorney for that district. So when the U.S. government brings this case to trial, a federally appointed attorney handles the case. But when Trump was elected president, he had Jeff Sessions order all 46 U.S. attorneys from Obama's administration to resign.
Preet Bharara had met with Trump a few days earlier and did not get the impression that he was being fired. So Preet refused to resign. But Trump fired him the next day. The Trump administration appointed Jeffrey Berman as the new U.S. attorney for the Southern District of New York.
So, on September 7, 2018, Jeffrey Berman announced that Andrei had been extradited from Georgia to New York. And this was a massive win for the feds. Getting an indicted Russian hacker extradited into the US for cyber crimes is not something that happens very often.
Oh, and as for the U.S. Attorney for the Southern District of New York, Jeffrey Berman, Trump fired him too. I guess Trump didn't like that Berman was investigating Rudy Giuliani, Trump's personal attorney regarding some suspected criminal activity.
So Trump put Jay Clayton in place to be the current U.S. attorney for the Southern District of New York. Clayton has never been a federal prosecutor before, but he was the chairman of the Securities and Exchange Commission. So this case has now passed through the hands of three different U.S. attorneys for the Southern District of New York.
Andrei was charged with 10 counts, including computer hacking, conspiracy, wire fraud, and identity theft, all relating to Gary's enterprises. The same day they got him into New York, he was put in front of a judge to state his plea, not guilty. Andrei wouldn't admit to anything. On September 25, there was an initial pretrial conference hearing. The prosecution presented their evidence to Andrei through a Russian interpreter.
The evidence against him, which was mostly in Russian, was pretty damning. They had almost 3,500 pages of online chats between Andrei and Gary, all discussing the hacks and scams. The evidence took up nearly two terabytes of storage, and they also had evidence from devices seized from Gary and Ziv when they were arrested in Israel, which all pointed to Andrei being involved in this.
They had the data from the hacked companies too, like logs and records from the hack, and that resulted in another few terabytes of data, which was not looking good for Andrei. The data from the JP Morgan Chase hack was over three terabytes just on its own. The prosecution and defense had to agree on a way to deal with all this digital evidence. I mean, you can't just print all that out. It's just too much information. And it's not like it's just some long text document. Lots of this evidence was complex technical data. Prosecutors and defense attorneys aren't computer experts.
So they needed to get all this data into a format that they understood and that could be used in a court case like this. So the prosecution and defense worked together to figure out how they were going to do that, and what followed was a long line of adjourned court dates and pretrial hearings. For a full year, nothing moved in terms of court appearances. And then suddenly, Andrei's case ended in one day.
On September 23, 2019, Andrei submitted a change of plea. He was now pleading guilty. Andrei admitted to conspiracy to commit computer hacking, wire fraud, unlawful internet gambling conspiracies, and conspiracy to commit wire fraud and bank fraud.
So in pleading guilty to these four counts against him, he was admitting to hacking eight different US financial institutions between June 2012 and August 2014. These include J.P. Morgan Chase, Fidelity, Dow Jones, E-Trade, and Scottrade. Publicly, at least, Andrei's conviction was the first in this entire case. His lawyer said that Andrei was hired by the masterminds of the schemes to hack these computer networks under their instructions.
Because he pleaded guilty, there was no need to have a trial. On January 7, 2021, the court sentenced Andrei to 12 years in prison for his involvement with this. It's believed that Andrei earned over $19 million from his hacking activity.
Gary is believed to be out of prison and living somewhere in the US until his forfeiture is completely paid. He's not allowed to fly out of the country. Information about his court hearings or progress on his remaining charges is hard to come by. I mean, if Gary is an informant, then that means that a lot of his court documents are going to be sealed. And a lot of his court documents are sealed. So it's just one of those things I don't have visibility into.
On October 22nd, 2020, Ziv was sentenced. Now, by this time he had been in prison for 11 months, and his sentence was to let him go. The judge ordered his prison time to be equal to his time served, which meant the 11 months he already did in prison; the judge thought that was good enough. On top of that, they required him to forfeit $1.8 million.
But yeah, I'm surprised by this sentence. I think it's minimal for such an extraordinary amount of criminal activity. My guess is that Ziv cooperated, which means he gave up some names of other criminals in order to get his sentence shortened. But that's just my guess.
Altogether, these schemes made a colossal amount of money. It really was a sprawling, interconnected network of scams, building on top of each other, scaling up, leveling up, and expanding outward. The whole story is full of surprises, and by the end, it's mind-bogglingly complex. A web of illegal schemes, hacking, fraud, money laundering, carried out by some shady businessmen and con men, joining forces with a hacker.
Just as the scams themselves were large scale, so too was the network of people and resources Gary had built to operate it all. The story has it all, the villains, the hacks, the underground illegal acts, and finally a hammer of justice that brings it all crashing down. The hack into JP Morgan Chase wasn't random, a one-off attack. It was done by someone who seemed to have an insatiable appetite for more, more hacking, more data, more scams, more money.
Sure, there's an element of glamour to Gary Shalon's story. The money, the fancy watches, the mansion. But there's also an element of desperation. I mean, what was the point of all this besides just wanting more? How many hundreds of millions of dollars more did he need?
From my point of view, it's like none of these schemes seemed big enough for him. No amount of money seemed satisfying enough. And at the end, it kind of seems like it was all an endless desire that eventually led to the destruction of Gary Shalon's empire.
If you love Darknet Diaries, stories from the dark side of the internet, then support it. Go to patreon.com/darknetdiaries and join the group of the most amazing people, the people who keep my network running. I talked with one Patreon member the other day and he told me he drove for eight hours while listening to the show.
What's funny is he only had to go to the store to get some bread, but the show was so addicting that he kept driving around just to listen. If that's the kind of listener you are, then consider giving back to the show by supporting it at patreon.com. Join today and I'll grant you special access to bonus content and an ad-free feed. Thank you.
This show is made by me, the spider buyer, Jack Rhysider. This episode is written by the crime traveler, Fiona Guy. Sound design and original music was created by the graphical interface, Andrew Merryweather. Editing help this episode by the window gazing Damien. Our theme music is by the sound system, Breakmaster Cylinder. And even though, back in my day, we didn't have USB, we only had USA. This is Darknet Diaries.