WEBVTT

00:00:01.228 --> 00:00:06.480
JACK: To build a successful business, you need a good business plan; a carefully thought-out,

00:00:06.480 --> 00:00:10.500
step-by-step guide to launch, develop, and expand. You need good people too,

00:00:10.500 --> 00:00:16.440
people you trust and can rely on. But the internet has changed how people become entrepreneurs. It’s

00:00:16.440 --> 00:00:21.000
made it easier to find good help and easier to find customers. Digital technology and

00:00:21.000 --> 00:00:25.320
the internet have created a whole range of new opportunities for businesses and entrepreneurs.

00:00:25.320 --> 00:00:31.020
But there’s a flip-side to these innovations, a darker side. You see, the criminal underworld has

00:00:31.020 --> 00:00:35.880
also benefited from the explosion of digital technology and the internet. Criminals make

00:00:35.880 --> 00:00:40.560
business plans, too. They build networks and work together to advance their illicit agendas.

00:00:40.560 --> 00:00:44.940
When greedy criminals set out to execute a business model armed with the powers

00:00:44.940 --> 00:00:51.240
of the internet and a hacker or two, they can achieve astounding criminal feats. The thing is,

00:00:51.240 --> 00:00:56.640
it’s not easy to catch a cyber-criminal. Hacking is mostly invisible. It’s quiet, secretive,

00:00:56.640 --> 00:01:01.560
and always done under the cover of the internet. It’s like the perfect burglary that takes place in

00:01:01.560 --> 00:01:05.880
pitch black. There’s no trace of the perpetrator on the CCTV camera footage,

00:01:05.880 --> 00:01:10.500
no fingerprints, and no leads. With hacking, it’s all digital. Whatever

00:01:10.500 --> 00:01:15.960
virtual fingerprints you might have left behind can be covered up, deleted, or hidden.

00:01:15.960 --> 00:01:21.180
This is why so many cyber-criminals get away with their crimes. This is a story

00:01:21.180 --> 00:01:28.200
about a group of very savvy businessmen who made a fortune exploiting people online.

00:01:28.200 --> 00:01:32.880
(INTRO): [INTRO MUSIC]

00:01:32.880 --> 00:01:39.840
These are true stories from the dark side of the internet.

00:01:39.840 --> 00:01:50.700
I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:01:50.700 --> 00:01:58.800
JACK:

00:01:58.800 --> 00:02:05.160
In July 2014, Hold Security, a small firm that specializes in external cyber-threat intelligence

00:02:05.160 --> 00:02:11.520
made an unbelievable discovery. This small firm which supposedly monitors the darkweb for hacker

00:02:11.520 --> 00:02:16.260
activity that may be a threat to their clients, reported to the New York Times claiming to have

00:02:16.260 --> 00:02:23.940
found a credential dump containing 4.5 billion usernames and passwords on the darkweb. Now,

00:02:23.940 --> 00:02:30.240
4.5 billion usernames and passwords is just a crazy amount of credentials. When Hold Security

00:02:30.240 --> 00:02:35.640
filtered out duplicates, they were left with 1.2 billion credentials. But still,

00:02:35.640 --> 00:02:39.900
a credential dump that large would be the biggest credential dump ever found.

00:02:39.900 --> 00:02:45.840
The New York Times ran with this story but the security community was pretty skeptical. First,

00:02:45.840 --> 00:02:49.440
everyone wanted to see what was in the dump but Hold Security wouldn’t

00:02:49.440 --> 00:02:55.140
reveal this data to anyone. Later, Hold Security announced that for a $120 fee,

00:02:55.140 --> 00:03:01.500
they would tell companies whether the dump included credentials from their websites. Huh.

00:03:01.500 --> 00:03:06.120
With Hold Security claiming they had one of the largest dumps ever and not sharing it with anyone

00:03:06.120 --> 00:03:12.060
except a few people who paid to search for their own names, it was just a little hard to trust.

00:03:12.060 --> 00:03:17.940
Alex Holden, the CEO of Hold Security, was interviewed by Forbes. This is what he said.

00:03:17.940 --> 00:03:24.120
ALEX: …had come with me. I tried to clear up the criticisms here. There are two different pieces

00:03:24.120 --> 00:03:30.660
to this puzzle. First of all, we have 1.2 billion credentials that belong to about half a billion

00:03:30.660 --> 00:03:37.800
e-mail addresses, unique e-mail addresses. These are the individuals who entrusted their

00:03:37.800 --> 00:03:45.300
credentials to different web services’ websites. These credentials were stored on those websites.

00:03:45.300 --> 00:03:51.480
Unfortunately through no wrongdoing on the individual side, these – this information

00:03:51.480 --> 00:03:58.980
had been stolen by the hackers. These individuals are the ultimate victims in this particular crime.

00:03:58.980 --> 00:04:03.780
JACK: Later, Hold Security released a summary report of the dump. They said

00:04:03.780 --> 00:04:10.320
the dump was from 420,000 different websites that had been breached, some of which were

00:04:10.320 --> 00:04:15.180
Fortune 500 companies. The report listed some of the companies that were breached

00:04:15.180 --> 00:04:21.540
and they called the group that stole this data CyberVor which means ‘cyber-thief’ in Russian.

00:04:21.540 --> 00:04:28.140
[MUSIC] 420,000 websites is a huge proportion of the entire world wide web. At this point,

00:04:28.140 --> 00:04:33.960
even I think this dump sounds a bit ridiculous to me ‘cause it just doesn’t add up. But let’s

00:04:33.960 --> 00:04:40.680
switch gears for a second. Imagine you are part of an IT security team at the JPMorgan Chase Bank.

00:04:40.680 --> 00:04:46.020
You work for the biggest bank in the US and the sixth-biggest bank in the world. Your bank pretty

00:04:46.020 --> 00:04:50.880
much dominates the financial sector in terms of investments and banking. Imagine you’re one of

00:04:50.880 --> 00:04:58.020
JPMorgan Chase’s 250,000 employees scattered across 171 offices in 39 different countries.

00:04:58.020 --> 00:05:00.720
Imagine you’re part of the team that’s responsible for protecting

00:05:00.720 --> 00:05:07.380
data in this bank which has an annual revenue of 115 billion dollars, of which about ten

00:05:07.380 --> 00:05:14.280
billion is spent on tech and 250 million dollars a year is spent on cyber-security. There’s about

00:05:14.280 --> 00:05:18.600
1,000 people working with you in the IT security team at JPMorgan Chase. Now,

00:05:18.600 --> 00:05:24.420
I’m not sure if any company spends more money on security than JPMorgan Chase. But either way, they

00:05:24.420 --> 00:05:29.340
aren’t messing around when it comes to protecting their networks. If you were on the IT security

00:05:29.340 --> 00:05:35.580
team of JPMorgan Chase and you saw that Hold Security released a summary report, would you take

00:05:35.580 --> 00:05:41.340
a look to see which companies had been breached? Of course you do. It doesn’t matter if it’s real

00:05:41.340 --> 00:05:45.300
or not; your company is spending every dollar it can to do everything to protect the network.

00:05:45.300 --> 00:05:49.860
You’d definitely be looking at this report. You’d be looking at every report that might

00:05:49.860 --> 00:05:55.380
have anything to do with JPMorgan Chase’s IT security. That’s just what happened; an IT

00:05:55.380 --> 00:06:02.100
security analyst at JPMorgan Chase did read Hold Security’s report. In it, Hold Security claimed

00:06:02.100 --> 00:06:08.640
the website for a charity race sponsored by JPMorgan called Corporate Challenge was breached.

00:06:08.640 --> 00:06:15.120
This site had been used by JPMorgan employees to register for the race. It was hosted by a company

00:06:15.120 --> 00:06:20.820
called Simmco Data Systems. As it happened, Simmco Data Systems was also mentioned in

00:06:20.820 --> 00:06:26.700
the Hold Security report. It claimed that Simmco had been breached, too. Huh. So,

00:06:26.700 --> 00:06:34.080
if JPMorgan Chase employees were registering at that site, then it’s possible their data was

00:06:34.080 --> 00:06:41.640
stolen. This caused the IT security analysts at JPMorgan Chase to look into this a little more.

00:06:41.640 --> 00:06:46.200
[MUSIC] The security team at JPMorgan Chase contacted Simmco Data Systems

00:06:46.200 --> 00:06:50.700
to investigate the claims made by Hold Security. Simmco Data dug around their

00:06:50.700 --> 00:06:56.880
network logs and confirmed that the Corporate Challenge website was hacked and breached.

00:06:56.880 --> 00:07:01.860
The hackers had stolen an SSL certificate from the site and the hack was executed through a

00:07:01.860 --> 00:07:07.020
few IP addresses that had been creeping around the network without any legitimate reason to be there.

00:07:07.020 --> 00:07:12.420
Two techs from the JPMorgan Chase office in Columbus, Ohio went over to Simmco Data

00:07:12.420 --> 00:07:18.480
Systems’ office in Michigan to get copies of any forensic data they could find.

00:07:18.480 --> 00:07:24.420
They wanted to know exactly what had been stolen and understand the indicators of compromise.

00:07:24.420 --> 00:07:29.820
As the JPMorgan Chase security team was collecting data from Simmco, they were using this data,

00:07:29.820 --> 00:07:36.120
including IP addresses, to search their own logs for any similar activity. They were looking for

00:07:36.120 --> 00:07:40.740
any trace of a breach and any sign of activity from the IP addresses associated with the Simmco

00:07:40.740 --> 00:07:46.080
data breach. Sure enough, they found the same eleven IP addresses that had been used

00:07:46.080 --> 00:07:52.140
to execute the Simmco breach had also been used to attack JPMorgan Chase. What’s more,

00:07:52.140 --> 00:07:57.180
some of these attacks against JPMorgan Chase had been successful. The biggest

00:07:57.180 --> 00:08:04.980
bank in America had been hacked and they never even knew it happened. At this point,

00:08:04.980 --> 00:08:09.420
JPMorgan Chase contacted the FBI and handed over these IP addresses to the Financial

00:08:09.420 --> 00:08:14.340
Services Information Sharing Analysis Center. This is an organization that circulates this

00:08:14.340 --> 00:08:18.720
kind of data to banks and financial institutes so they can check whether they have been breached.

00:08:18.720 --> 00:08:23.580
Up until this point, JPMorgan Chase had kept this whole situation under wraps while they

00:08:23.580 --> 00:08:27.900
were working to figure out what was going on, but this kind of breach is a huge deal

00:08:27.900 --> 00:08:33.360
and they weren’t going to be able to keep quiet about this for long. [MUSIC] We don’t

00:08:33.360 --> 00:08:38.100
know exactly how the hackers jumped from the charity’s website into the bank’s servers,

00:08:38.100 --> 00:08:42.720
but I’ve got a few theories. First, it’s possible that the hacker gained access to this Corporate

00:08:42.720 --> 00:08:49.260
Challenge charity site. How? Possibly by hacking through Simmco Data Systems which was the hosting

00:08:49.260 --> 00:08:53.940
provider for the Corporate Challenge charity site. If the hosting provider got hacked, then the

00:08:53.940 --> 00:08:59.400
hackers would have access to the back end of all the other websites that hosting provider hosts.

00:08:59.400 --> 00:09:03.300
If they got into the Corporate Challenge website that way, they could have accessed the credentials

00:09:03.300 --> 00:09:08.340
for all the JPMorgan employees that were registering on the site. Maybe some of those

00:09:08.340 --> 00:09:13.500
username and passwords were the same usernames and passwords used to log into JPMorgan Chase’s

00:09:13.500 --> 00:09:18.540
network. This kind of tactic would likely work because so many people reuse passwords

00:09:18.540 --> 00:09:23.820
on multiple sites. Any JPMorgan employee who used their JPMorgan network password on another

00:09:23.820 --> 00:09:28.440
site would have made their network vulnerable for this kind of attack. That’s one theory.

00:09:28.440 --> 00:09:34.020
The other is that this hacker crew might have targeted an IT admin at JPMorgan Chase through

00:09:34.020 --> 00:09:39.120
spear phishing or some other attack that got them remote access into the admin’s computer.

00:09:39.120 --> 00:09:43.800
If a hacker was able to do that, they’d be able to steal that IT admin’s network credentials and

00:09:43.800 --> 00:09:49.800
do whatever they want from there. Either way, what we know is that this hacker group did have

00:09:49.800 --> 00:09:55.500
a valid login to a JPMorgan server. With that, they were able to get past the huge front gates

00:09:55.500 --> 00:10:00.840
of the super-secure JPMorgan Chase network. But once they got past the front gates,

00:10:00.840 --> 00:10:06.000
they still needed to figure out where to go. It’s as if they broke into a bank but didn’t

00:10:06.000 --> 00:10:10.860
know where the safe was. They were just wandering through the network and they hadn’t actually

00:10:10.860 --> 00:10:16.140
gained access to anything valuable yet. There was an old server that the bank used to manage

00:10:16.140 --> 00:10:22.320
employee benefits data. It was still running, just not used very often. See, there’s 250,000

00:10:22.320 --> 00:10:26.700
employees at JPMorgan Chase and they’re using about a half a million computers in this network.

00:10:26.700 --> 00:10:32.880
It’s not easy for such a large company to manage half a million computers. In this case,

00:10:32.880 --> 00:10:38.100
the employee benefits server had been neglected. It wasn’t updated with the latest security patches

00:10:38.100 --> 00:10:43.620
and features, and it wasn’t set up for two-factor authentication which would have required users to

00:10:43.620 --> 00:10:49.800
enter a time-sensitive token code with their password to get in. The hackers discovered

00:10:49.800 --> 00:10:55.320
this server on the network and used their stolen credentials to log in. This is a perfect example

00:10:55.320 --> 00:10:59.460
of when two-factor authentication probably would have stopped these hackers from getting

00:10:59.460 --> 00:11:04.440
any further into the network. [MUSIC] Anyway, once a skilled hacker establishes access to a network,

00:11:04.440 --> 00:11:08.100
they’re gonna want to create a persistent connection and elevate their privileges.

00:11:08.100 --> 00:11:12.000
They’ll need a persistent connection in case their connection gets dropped. Then

00:11:12.000 --> 00:11:16.920
they have a guaranteed way to get back into that server. The hackers created a back door

00:11:16.920 --> 00:11:21.600
into the JPMorgan Chase network. This was a point of access that only the hackers would

00:11:21.600 --> 00:11:25.620
know about but the security team wouldn’t be able to detect them. Once they did that,

00:11:25.620 --> 00:11:31.200
they began crawling around the network, looking for something in particular. They slowly made

00:11:31.200 --> 00:11:36.180
their way towards the systems they were after. They were good; hiding their tracks, doing things

00:11:36.180 --> 00:11:42.120
just the right way to avoid setting off alarms and avoid being detected by antivirus scans.

00:11:42.120 --> 00:11:48.180
For months, these hackers had been creeping around, quietly accessing databases and exporting

00:11:48.180 --> 00:11:53.940
data to their own servers as they went along. All the while, they were silent and invisible.

00:11:53.940 --> 00:12:01.200
In all, they breached over ninety of JPMorgan Chase’s servers which included multiple databases

00:12:01.200 --> 00:12:08.460
used to store customer information. This story became public on August 27th, 2014 when Michael

00:12:08.460 --> 00:12:13.920
Riley and Jordan Robertson reported on this hack in an article in Bloomberg. They revealed that

00:12:13.920 --> 00:12:18.960
there had been a successful breach at JPMorgan Chase and they said it was the work of Russian

00:12:18.960 --> 00:12:24.000
hackers. The accusation that this was a nation state attack on US financial infrastructure

00:12:24.000 --> 00:12:30.060
grabbed the attention of the US financial system. Could it be that Kremlin-sponsored hackers had

00:12:30.060 --> 00:12:35.340
managed to get inside the networks of JPMorgan Chase, breach layer after layer of security,

00:12:35.340 --> 00:12:41.580
and make off with tons of customer data without JPMorgan Chase knowing anything about it?

00:12:41.580 --> 00:12:46.680
It wasn’t until the bank filed a disclosure with the Security Exchange Commission on October 2nd

00:12:46.680 --> 00:12:52.140
that we learned more details about this hack. It was way worse than anyone thought. [MUSIC] The

00:12:52.140 --> 00:12:58.980
hackers had accessed multiple customer databases and stole 83 million personal identifiable records

00:12:58.980 --> 00:13:04.800
of JPMorgan Chase’s customers. These records were associated with 76 million households

00:13:04.800 --> 00:13:11.640
and seven million small businesses, pretty much all located in the US. To put that into context,

00:13:11.640 --> 00:13:19.080
in 2014 there was something like 127 million US households. That’s around 60% of all US

00:13:19.080 --> 00:13:25.380
households that got their information stolen from this hack. The idea that Russians were

00:13:25.380 --> 00:13:29.100
behind this hack and that they were probably state-sponsored wasn’t all that surprising.

00:13:29.100 --> 00:13:34.020
I mean, just a few months before this, the US had put a load of heavy sanctions on Russia’s

00:13:34.020 --> 00:13:39.600
financial infrastructure. See, in 2014, that was the year when Putin decided he wanted to take the

00:13:39.600 --> 00:13:45.360
Crimea Peninsula from Ukraine. Putin dispatched scores of masked armed soldiers to Crimea. They

00:13:45.360 --> 00:13:50.040
seized the territory, raising Russian flags, and then went on to take control of the cities and the

00:13:50.040 --> 00:13:54.840
Supreme Council building. The Supreme Council is sort of like the Crimean parliament. The current

00:13:54.840 --> 00:14:02.280
PM was booted out and a new one was voted in although there were some good reasons to doubt

00:14:02.280 --> 00:14:08.280
the fairness of this election. This was the most blatant land-grab in Europe since World War II.

00:14:08.280 --> 00:14:11.640
Russia’s invasion of Crimea stirred up a whirlwind of controversy.

00:14:11.640 --> 00:14:17.160
The US and EU and of course Ukraine strongly condemned Russia’s tactics and said that Putin

00:14:17.160 --> 00:14:22.920
had violated multiple local and international laws. The US and EU imposed sanctions against

00:14:22.920 --> 00:14:28.800
Russia. These sanctions threatened to tip the already fragile Russian economy into recession.

00:14:28.800 --> 00:14:34.680
The US and EU intended for these sanctions to force Putin to relent and relinquish control

00:14:34.680 --> 00:14:40.380
of the Crimean Peninsula back to Ukraine. But Putin wasn’t having any of it. He denounced the

00:14:40.380 --> 00:14:44.400
US and EU for imposing these sanctions which he said was just another example

00:14:44.400 --> 00:14:50.580
of aggressive US foreign policy, and he warned that Russia may retaliate against these actions.

00:14:50.580 --> 00:14:57.300
It seemed possible that the hack on JPMorgan Chase was the first volley of Russia’s retaliation.

00:14:57.300 --> 00:15:00.221
Here’s a clip from CNN discussing the very idea.

00:15:00.221 --> 00:15:04.560
ALISYN: The FBI is investigating a series of cyber-attacks against US banks thought

00:15:04.560 --> 00:15:09.660
to be coming from Russia. Hackers are believed to have accessed sensitive information from several

00:15:09.660 --> 00:15:15.600
financial institutions including banking giant JPMorgan Chase. Could this be retaliation for

00:15:15.600 --> 00:15:21.660
western sanctions against the Russians? Christine Romans is here with more. Is this retaliation?

00:15:21.660 --> 00:15:24.720
CHRISTINE: Well, that’s what the investigation is gonna have to really zero in on here,

00:15:24.720 --> 00:15:28.920
quite frankly, Alisyn. The US official tells us that the location of the hacker still isn’t

00:15:28.920 --> 00:15:32.460
clear but given the sophistication of this, the cyber-security community is

00:15:32.460 --> 00:15:36.120
saying this investigation appears to center and should definitely center on Russia. Now,

00:15:36.120 --> 00:15:41.520
hackers from Russia are often top FBI suspects. The timing of the hack has raised suspicions given

00:15:41.520 --> 00:15:45.300
recent US sanctions against Russia. Also, still this big question; the motivation.

00:15:45.300 --> 00:15:49.320
Still unclear if the attack was financially or politically motivated or if it was some

00:15:49.320 --> 00:15:52.920
sort of espionage. Banks have very tough security. Getting through that

00:15:52.920 --> 00:15:58.260
and getting account information, getting so much information, definitely not an easy task. Now,

00:15:58.260 --> 00:16:02.280
in response to this breach, JPMorgan said companies of its size experience

00:16:02.280 --> 00:16:06.660
cyber-attacks every day and the bank has measures to protect itself. Again,

00:16:06.660 --> 00:16:11.220
the FBI US officials are investigating just what the cause was of this cyber-attack.

00:16:11.220 --> 00:16:18.240
JACK: [MUSIC] For JPMorgan Chase, this attack came at the tail-end of a really bad year. They

00:16:18.240 --> 00:16:23.580
lost a heap of staff in the previous months. In 2013, their chief information officer resigned

00:16:23.580 --> 00:16:28.800
and took a position as the CEO of a payment processor called First Data. Around this time,

00:16:28.800 --> 00:16:34.320
five other senior staff from JPMorgan Chase also quit. This included the information

00:16:34.320 --> 00:16:40.560
officer and chief of security for their IT teams. In early 2014, a new chief of

00:16:40.560 --> 00:16:45.240
security was appointed; James Cummings. He helped to recruit a new information officer,

00:16:45.240 --> 00:16:52.440
Gregory Rattray. When this hack was carried out in July 2014, the top IT leadership had

00:16:52.440 --> 00:16:58.200
only been in place for about six months. Both Cummings and Rattray were former US Air Force

00:16:58.200 --> 00:17:04.200
and they were both convinced that this attack was state-sponsored and probably executed by Russians.

00:17:04.200 --> 00:17:09.660
They thought this hack represented a threat to US national security. I have to wonder though whether

00:17:09.660 --> 00:17:15.600
their military training and experience biased their interpretation of this hack. After all,

00:17:15.600 --> 00:17:20.400
they would have been used to dealing with state-sponsored attacks while in the military.

00:17:20.400 --> 00:17:24.240
It’s not like this hack couldn’t have been what Cummings and Rattray thought it was,

00:17:24.240 --> 00:17:30.720
but the problem is the FBI’s analysis just didn’t match up with Cummings’ and Rattray’s.

00:17:30.720 --> 00:17:36.120
The FBI had several specialist units working on this hack. They pulled in their cyber-crime unit,

00:17:36.120 --> 00:17:41.220
the Secret Service, and Homeland Security to investigate this attack. All of this

00:17:41.220 --> 00:17:45.600
analysis wasn’t enough to convince the FBI that the hack was executed

00:17:45.600 --> 00:17:50.580
by a nation state or that there was a clear threat to national security.

00:17:50.580 --> 00:17:55.620
That set off this weird political drama over the data that had been stolen from JPMorgan Chase.

00:17:55.620 --> 00:18:00.780
See, there was this system in place that was supposed to capture any stolen data in a hack

00:18:00.780 --> 00:18:05.880
like this. Think of it like a CCTV system that you could rewind and watch back if you knew something

00:18:05.880 --> 00:18:11.040
bad happened. But according to Bloomberg sources, this system didn’t have enough storage at the time

00:18:11.040 --> 00:18:15.540
of the attack. Even though they collected the data at the time of the attack, they didn’t

00:18:15.540 --> 00:18:20.580
have it anymore. On top of that, maybe because of political drama around who committed this hack,

00:18:20.580 --> 00:18:26.160
JPMorgan Chase didn’t want to hand over the data they did have from the hack to the FBI.

00:18:26.160 --> 00:18:30.120
Things were starting to get out of hand and none of this was helping to solve

00:18:30.120 --> 00:18:34.440
the actual problem that millions of JPMorgan Chase customer records had been compromised.

00:18:34.440 --> 00:18:38.100
[MUSIC] Two weeks after the hack had been discovered, the Assistant Director of the

00:18:38.100 --> 00:18:43.200
FBI’s Cyber Division, Joseph Demarest, had a conference call with JPMorgan Chase’s COO

00:18:43.200 --> 00:18:48.660
Matt Zames, James Cummings, and Gregory Rattray. Cummings and Rattray, the Air Force veterans from

00:18:48.660 --> 00:18:53.040
JPMorgan Chase’s IT department, were pushing for the hack to be deemed a threat to national

00:18:53.040 --> 00:18:59.280
security. If they got their way, the US Department of Justice would excuse them from any obligations

00:18:59.280 --> 00:19:04.440
to tell their customers about the hack. The idea of this policy is that if a hack is a threat to

00:19:04.440 --> 00:19:09.060
national security, then it should be kept quiet as possible while it’s being investigated.

00:19:09.060 --> 00:19:14.400
But in the end, the FBI thought it was more likely that this hack was done by a group

00:19:14.400 --> 00:19:19.620
of clever and skilled criminal actors rather than a nation-sponsored threat

00:19:19.620 --> 00:19:25.620
actor. JPMorgan Chase and the FBI reached a truce. JPMorgan Chase handed over all the

00:19:25.620 --> 00:19:31.380
data they collected during the hack so the FBI could conduct a thorough investigation.

00:19:31.380 --> 00:19:38.100
But jeez, this was a bumpy ride to get there. Jordan Robertson, the journalist from Bloomberg

00:19:38.100 --> 00:19:42.840
who originally broke this story talks about what happened between JPMorgan and the FBI.

00:19:42.840 --> 00:19:46.140
JORDAN: In one of the questions we set out to answer eight months ago when this

00:19:46.140 --> 00:19:51.780
breach occurred was why we were hearing such a different story from folks who were familiar

00:19:51.780 --> 00:19:56.280
with the bank’s investigation, which they said the Russian government was believed involved,

00:19:56.280 --> 00:20:01.260
versus the law enforcement investigation which was indicating a criminal attack. The

00:20:01.260 --> 00:20:08.220
answer to that is yeah, the bank is staffing up on former senior military officials, cyber-warriors,

00:20:08.220 --> 00:20:14.340
and they come to these problems with a very specific mindset about who’s responsible for

00:20:14.340 --> 00:20:20.280
hacking. There’s a fundamental difference between studying attacks on military infrastructure versus

00:20:20.280 --> 00:20:24.960
studying attacks on the private sector. The private sector faces a lot more for-profit

00:20:24.960 --> 00:20:30.120
criminal activity than the military does, and that really animated the bank’s investigation.

00:20:30.120 --> 00:20:34.560
HOST: Very interesting on the military approach. That’s led to some problems, Jordan, right,

00:20:34.560 --> 00:20:40.020
that you’ve found out; including some clashes internally but also with the FBI as well, right?

00:20:40.020 --> 00:20:45.840
JORDAN: Yeah. What happens is you hire people who are really great at offensive cyber operations

00:20:45.840 --> 00:20:50.700
and they’re great network attackers. Defending a network is a whole another matter and dealing

00:20:50.700 --> 00:20:55.740
with law enforcement beyond that is another matter entirely. What we found was that the bank

00:20:55.740 --> 00:21:01.500
repeatedly clashed with the FBI and the Secret Service over information-sharing. The Secret

00:21:01.500 --> 00:21:06.180
Service went so far as to threaten to subpoena the attack data because they believed they were

00:21:06.180 --> 00:21:12.480
not getting it in a timely fashion. A senior FBI official had to intervene on his agent’s behalf

00:21:12.480 --> 00:21:18.900
to facilitate that information-sharing more quickly. There were clashes at multiple levels

00:21:18.900 --> 00:21:23.820
and a lot of it traces back to this difference in mindset between the military and private sector.

00:21:23.820 --> 00:21:29.760
JACK: Now the FBI were hunting down these hackers using the IP addresses JPMorgan Chase and Simmco

00:21:29.760 --> 00:21:34.560
Data Systems had found on it. It was hard for investigators to track this attack because the

00:21:34.560 --> 00:21:38.880
hackers deleted most of the log files that would have left bread crumbs, revealing their activity

00:21:38.880 --> 00:21:43.740
in the network. Early in the investigation it was suggested that the hackers spoke Russian,

00:21:43.740 --> 00:21:47.760
but I’m not sure whether they had any actual evidence of that. [MUSIC] Now,

00:21:47.760 --> 00:21:51.960
what about these IP addresses the hackers were using? Well, investigators started tracing

00:21:51.960 --> 00:21:56.040
these back and found the IPs were from different countries all over the world. The computers that

00:21:56.040 --> 00:22:02.400
had launched these attacks were located in Russia, Egypt, Czech Republic, South Africa, and Brazil.

00:22:02.400 --> 00:22:07.020
All of these IPs belonged to hosting providers who were in the business of renting servers to

00:22:07.020 --> 00:22:12.120
whoever wanted them. This is a simple way to hide your tracks as an attacker. You don’t want to do

00:22:12.120 --> 00:22:16.800
all this hacking from your own office or house. You want to rent a server on the other side of

00:22:16.800 --> 00:22:23.280
the planet and use that to carry out your hacks. The hackers had rented one server in Egypt which

00:22:23.280 --> 00:22:28.560
they used on some of these hacks. Get this; the day after the news broke about JPMorgan Chase,

00:22:28.560 --> 00:22:33.660
the hackers stopped using that server in Egypt and canceled that account. It seems

00:22:33.660 --> 00:22:39.540
like whoever was behind this was watching the news and knew they were about to be hunted.

00:22:39.540 --> 00:22:43.800
While all these investigations were going on, there were reports coming out of other

00:22:43.800 --> 00:22:49.500
financial companies across the US. Slowly, these reports started to paint a bigger picture.

00:22:49.500 --> 00:22:55.740
JPMorgan Chase wasn’t the only target. The same hackers had hit multiple other

00:22:55.740 --> 00:23:01.620
financial institutions. By October 2014, investigators believed the same

00:23:01.620 --> 00:23:08.040
hackers had hit at least twelve or thirteen other financial institutions. But from what I can tell,

00:23:08.040 --> 00:23:12.240
none of these companies have officially come forward about these breaches. But

00:23:12.240 --> 00:23:17.400
reports are naming some pretty specific banks including Fidelity Investments,

00:23:17.400 --> 00:23:25.320
ADP, HSBC, Citigroup, and Bank of the West. They had all found signs that these IP addresses from

00:23:25.320 --> 00:23:30.660
the JPMorgan Chase hack had also been sniffing around inside their network.

00:23:30.660 --> 00:23:35.940
Now the financial industry was really starting to get worried. Some of the banks only found

00:23:35.940 --> 00:23:40.860
evidence that the hackers had entered the network and had poked around, but others found signs

00:23:40.860 --> 00:23:45.780
that stuff was stolen. Here’s journalist Emily Glazer from the Wall Street Journal.

00:23:45.780 --> 00:23:50.700
EMILY: Yeah, so right now we know that Fidelity and E-Trader are on that list of thirteen

00:23:50.700 --> 00:23:56.400
financial institutions including JPMorgan. We had reported earlier yesterday that Citigroup,

00:23:56.400 --> 00:24:03.840
HSBC, ADP, the payroll processor, and regional lender Regions Financial were also spotting

00:24:03.840 --> 00:24:09.600
traffic from alleged hackers linked to JPMorgan. There is a lot going on here and it’s very fluid.

00:24:09.600 --> 00:24:17.820
FBI already involved onsite at JPMorgan, we reported, Secret Service, NSA, Benjamin Lawsky,

00:24:17.820 --> 00:24:25.020
the top New York financial watchdog, and SDNY, the US attorney based in Manhattan. There

00:24:25.020 --> 00:24:32.160
are a lot of regulators and prosecutors either examining or investigating this.

00:24:32.160 --> 00:24:38.340
JACK: It’s early 2015, seven months after the hack, and the JPMorgan Chase security team is

00:24:38.340 --> 00:24:43.800
still working on the investigation. Internally, they were calling it the Rio Investigation. They

00:24:43.800 --> 00:24:49.380
hired outside experts plus some tech executives to form a control board panel. [MUSIC] The job was

00:24:49.380 --> 00:24:53.460
to meet every two weeks and figure out just how this hack was going to affect JPMorgan

00:24:53.460 --> 00:24:57.600
Chase and their customers. They also needed to make sure these hackers could never get in the

00:24:57.600 --> 00:25:01.320
systems again. The year all these financial companies got hacked was a pretty big year

00:25:01.320 --> 00:25:05.580
for large data breaches. Target was breached at the end of 2013 and they had forty

00:25:05.580 --> 00:25:11.040
million customer credit card records stolen. eBay was hacked less than six months later in May 2014.

00:25:11.040 --> 00:25:16.800
Their customer database was breached. In September 2014, while JPMorgan Chase was working on the Rio

00:25:16.800 --> 00:25:21.420
Investigation, Home Depot discovered they’d been hacked, too. A heap of credit card information

00:25:21.420 --> 00:25:26.340
from their customer database appeared on the darkweb. Investigators suspected that

00:25:26.340 --> 00:25:30.780
the same people were behind both the Target and Home Depot hacks but they still had no idea who

00:25:30.780 --> 00:25:36.000
those hackers were. The truth is, many hackers working on this scale don’t ever get caught.

00:25:36.000 --> 00:25:44.580
But in the middle of 2015, things started to get weird for the Rio Investigation. On July 21st,

00:25:44.580 --> 00:25:50.940
the Israeli police made two coordinated arrests in Israel at the request of the FBI.

00:25:50.940 --> 00:25:56.640
Now remember that date; July 21st, 2015. It’s gonna come up a few other times in this story.

00:25:56.640 --> 00:26:00.720
The police arrived unexpectedly at the homes of thirty-one year old Gery Shalon

00:26:00.720 --> 00:26:06.600
and forty-year-old Ziv Orenstein. They were both arrested and charged with securities

00:26:06.600 --> 00:26:13.020
fraud which is basically illegal stock market manipulation. Now, Gery Shalon is a bit of a

00:26:13.020 --> 00:26:18.420
flashy guy. He lives in a six million dollar mansion in the very posh Savyon suburb of Tel

00:26:18.420 --> 00:26:23.040
Aviv. This is kind of like Israel’s version of Beverly Hills where all the celebrities

00:26:23.040 --> 00:26:27.540
live. His closets were full of expensive tailored suits and the police found half a

00:26:27.540 --> 00:26:33.300
million dollars in cash in his house when he was arrested. Ziv Orenstein who lived in Bat Hefer,

00:26:33.300 --> 00:26:37.680
about twenty-nine miles away, may have been wealthy too, but he was more low-key.

00:26:37.680 --> 00:26:42.600
[MUSIC] Both of these guys are Israeli citizens and in 2009 they established a

00:26:42.600 --> 00:26:48.660
web marketing company called Webologic Ltd. Gery was the manager of this company and

00:26:48.660 --> 00:26:53.640
Ziv wasn’t listed as being involved with Webologic, at least on the books. Still,

00:26:53.640 --> 00:26:58.440
the Wall Street Journal reported that there were thirty odd employees that worked there and they

00:26:58.440 --> 00:27:03.300
all knew Ziv was really the guy in charge. As part of the securities fraud investigation, the Israeli

00:27:03.300 --> 00:27:09.660
police seized all electronic devices in both Gery and Ziv’s house and the Webologic offices. Now,

00:27:09.660 --> 00:27:15.000
there was this third guy involved in all this. The Israeli police also raided the house of thirty-one

00:27:15.000 --> 00:27:20.280
year old Joshua Samuel Aaron at the same time. But when they went to his house, he wasn’t

00:27:20.280 --> 00:27:25.020
home. He had been in Russia but he was supposed to be back in Tel Aviv at the time of the arrest.

00:27:25.020 --> 00:27:31.980
But there was no sign of him at all. They report back to the FBI that they didn’t get Joshua. So,

00:27:31.980 --> 00:27:37.380
Joshua becomes a wanted man. Get this; at the same time that Gery and Ziv are arrested in Israel,

00:27:37.380 --> 00:27:43.020
the FBI coordinated a simultaneous raid in Florida. They arrested Anthony Murgio and

00:27:43.020 --> 00:27:49.440
Yuri Lebedev for running an illegal Bitcoin exchange called Coin.mx.

00:27:49.440 --> 00:27:55.920
What do these arrests have to do with major US bank hacks? Well, on that same day, July 21st,

00:27:55.920 --> 00:28:00.720
Preet Bharara, US attorney of the Southern District of New York, unsealed an indictment

00:28:00.720 --> 00:28:05.940
against Gery, Ziv, and Joshua. Bloomberg News and the New York Times published

00:28:05.940 --> 00:28:11.820
some wild claims. They reported that a leaked internal FBI memo had linked Joshua, the man on

00:28:11.820 --> 00:28:17.280
the run from Israel police and Anthony, the man arrested in Florida, to the JPMorgan Chase hack.

00:28:17.280 --> 00:28:22.980
[MUSIC] The memo said there was evidence of Joshua logging into the servers that

00:28:22.980 --> 00:28:29.280
were used for these hacks. On the same day, we also find out exactly what they stole. I mean,

00:28:29.280 --> 00:28:33.120
these people attempted to get into twelve banks and they successfully got into a few of

00:28:33.120 --> 00:28:39.000
them. They must have done this for monetary gain, right? But did they steal any money? No. I mean,

00:28:39.000 --> 00:28:42.600
I can think of a number of ways they could have stolen money. Obviously a bank the size

00:28:42.600 --> 00:28:47.400
of JPMorgan Chase has a lot of money in its accounts. The hackers could have moved some

00:28:47.400 --> 00:28:51.240
of that money around. Okay, but there’s other ways they could have made money too,

00:28:51.240 --> 00:28:55.320
like the Chase Bank giftcards. Imagine if they got into the database of those

00:28:55.320 --> 00:28:59.640
or prepaid debit cards, or they could have manipulated the bank’s reward points system.

00:28:59.640 --> 00:29:04.260
Imagine if they set their own accounts to have like, a billion reward points. They could convert

00:29:04.260 --> 00:29:09.060
that to cash and just siphon money out that way. Or what if they instructed a ton of accounts to

00:29:09.060 --> 00:29:13.500
buy a certain stock, driving up the price? There are a ton of things they could have done while

00:29:13.500 --> 00:29:20.580
in the bank’s networks. But all they did was steal customer database records. Specifically,

00:29:20.580 --> 00:29:27.480
they grabbed e-mail addresses of bank customers. I just don’t understand that.

00:29:27.480 --> 00:29:33.360
Why go through all the effort of breaking into the biggest and possibly the most secure company

00:29:33.360 --> 00:29:43.920
in America just to steal 83 million customer records? There’s something more to this story.

00:29:43.920 --> 00:29:47.400
Things are pretty confusing at this point. We have three people who were supposed to be

00:29:47.400 --> 00:29:53.040
arrested in Israel; Gery, Ziv, and Joshua. They got Gery and Ziv but Joshua wasn’t home. Then,

00:29:53.040 --> 00:29:56.520
at the same time, two people were arrested in Florida; Anthony and Yuri.

00:29:56.520 --> 00:30:01.380
The two Israelis were arrested on charges of securities fraud and the Florida men were

00:30:01.380 --> 00:30:05.700
arrested on charges connected with the JPMorgan Chase hack and something to do with a

00:30:05.700 --> 00:30:11.340
Bitcoin exchange. Finally, some news agencies started reporting on an FBI memo, suggesting

00:30:11.340 --> 00:30:18.180
that all five men were connected with this hack. Were they the hackers or were they conmen? What

00:30:18.180 --> 00:30:22.680
role did everyone play? It turns out the feds had started investigating this group shortly

00:30:22.680 --> 00:30:28.380
after the JPMorgan Chase hack was discovered. The forensic data that the FBI got from JPMorgan Chase

00:30:28.380 --> 00:30:34.140
had led authorities to Joshua. Somehow, they got server logs that pointed them to his IP address,

00:30:34.140 --> 00:30:39.540
but they didn’t know how involved he was and they were pretty sure he wasn’t in on it alone.

00:30:39.540 --> 00:30:45.300
They start digging around his life to see what he was doing and who he was associating with.

00:30:45.300 --> 00:30:52.920
That’s how they discovered Anthony, Gery, and Ziv. These guys were looking pretty suspicious. [MUSIC]

00:30:52.920 --> 00:30:58.200
Joshua was the prime suspect who led investigators to the door of the others. He’s an American

00:30:58.200 --> 00:31:04.020
citizen. He grew up in Potomac in Maryland. He enrolled in Florida State University in 2002 and

00:31:04.020 --> 00:31:09.780
studied business. That is where he met Anthony Murgio who was later arrested in Florida. While

00:31:09.780 --> 00:31:13.560
at university together, they became pretty good friends and being business students, they wanted

00:31:13.560 --> 00:31:19.320
to find ways to earn cash while in college. They set up a money-making scheme writing Google ads

00:31:19.320 --> 00:31:23.700
for affiliate commissions. They did pretty well at it, too. They had other students working for them

00:31:23.700 --> 00:31:28.380
and they were making thousands of dollars a month. Not bad for a couple college kids, actually.

00:31:28.380 --> 00:31:34.260
Joshua dropped out of his courses in 2005 but he stayed in touch with Anthony. Now from there,

00:31:34.260 --> 00:31:39.120
Anthony’s story actually goes in a wild and crazy adventure totally tangent to this one,

00:31:39.120 --> 00:31:43.620
which is another story worth telling but it doesn’t quite fit this story. I mean,

00:31:43.620 --> 00:31:47.580
he was arrested in connection with this story but Anthony tells me he was only

00:31:47.580 --> 00:31:52.620
arrested so the feds could get information on Gery, because Anthony and Gery started

00:31:52.620 --> 00:31:58.980
a Bitcoin exchange together called Coin.mx. They purposely hid from financial regulators

00:31:58.980 --> 00:32:04.200
and even went so far as to take over a Credit Union to look legit. The feds swooped in on

00:32:04.200 --> 00:32:09.060
Anthony for his illegal Bitcoin exchange and because they knew he was working with Gery.

00:32:09.060 --> 00:32:14.160
Okay, so back to Joshua, the man on the run. In 2013, Joshua set up an internet

00:32:14.160 --> 00:32:17.940
marketing business with a partner who had a history of defrauding stock markets.

00:32:17.940 --> 00:32:22.560
Apparently this guy had been banned for life from the Financial Industry Regulatory Authority for

00:32:22.560 --> 00:32:27.300
marketing useless stocks, sort of a pump-and-dump kind of thing; you buy up an unknown stock,

00:32:27.300 --> 00:32:31.380
try to inflate the price of it, and when it’s at its peak, you dump it and make a massive

00:32:31.380 --> 00:32:37.140
profit. But Joshua’s partner got caught doing this and got banned so after that fell apart,

00:32:37.140 --> 00:32:43.800
Joshua moved to Israel. It seems that’s where he met Gery Shalon and that relationship started.

00:32:43.800 --> 00:32:52.200
By 2014, Joshua and Gery were running their own stock fraud scam with Ziv Orenstein who was one

00:32:52.200 --> 00:32:56.940
of Gery’s associates. They had been running that Webologic business together in Israel.

00:32:56.940 --> 00:33:02.460
Now, the feds didn’t think it was actually Gery, Joshua, or even Ziv that carried out these hacks.

00:33:02.460 --> 00:33:08.280
But it looked like they were working with whoever did. As the feds investigated Gery,

00:33:08.280 --> 00:33:12.480
Ziv, and Joshua, they find these guys are up to their necks in scams and plots,

00:33:12.480 --> 00:33:18.720
and may have been connected to some serious hacking. By October 2014, internally the feds

00:33:18.720 --> 00:33:23.220
have totally rejected the idea that these hacks were state-sponsored by Russia. No,

00:33:23.220 --> 00:33:28.620
it wasn’t the Russians. It was this collection of conmen and fraudsters who’ve been operating

00:33:28.620 --> 00:33:35.700
huge scams under the radar for years. [MUSIC] Let’s take a look at this indictment that was

00:33:35.700 --> 00:33:41.340
unsealed by Preet Bharara on July 21st, 2015. It was a lawsuit brought by the SEC,

00:33:41.340 --> 00:33:47.220
the Securities and Exchange Commission. They’re the US federal agency that enforces securities laws.

00:33:47.220 --> 00:33:53.160
This lawsuit was brought against Gery, Ziv, and Joshua for six stock market scams they

00:33:53.160 --> 00:33:57.480
pulled off over the previous four years. It included details about how much money

00:33:57.480 --> 00:34:01.320
they were making off these scams. Let’s take a look at the first one. They were

00:34:01.320 --> 00:34:05.700
buying stocks in a company called Southern Home Medical Equipment, a US company based

00:34:05.700 --> 00:34:10.380
in South Carolina that provided healthcare services across the country. In May 2011,

00:34:10.380 --> 00:34:17.760
Gery and Joshua bought the company’s stock at 1.7 cents each, not quite two cents per share.

00:34:17.760 --> 00:34:22.200
They launched their own marketing campaign for this company, hyping it up, writing articles

00:34:22.200 --> 00:34:25.920
about how great it was and telling everyone that this company was about to go to the moon.

00:34:25.920 --> 00:34:30.960
Gery was the savvy business guy. He knew stocks inside and out, and Joshua was the marketer. He

00:34:30.960 --> 00:34:35.700
was great at selling anything. They successfully raised Southern Home Medical Equipment’s stock

00:34:35.700 --> 00:34:40.920
price from just under two cents per share to thirty-three cents per share before selling off

00:34:40.920 --> 00:34:49.800
their stocks in the company. Their net value in that stock rose 1,800% in just six days. But the

00:34:49.800 --> 00:34:55.560
problem was that all the marketing they did for this company was made up. They had faked the

00:34:55.560 --> 00:35:00.540
numbers and the news about this company in order to temporarily inflate the stock price. That’s

00:35:00.540 --> 00:35:05.220
why this kind of market manipulation is illegal. If you’ve seen the Wolf of Wall Street,

00:35:05.220 --> 00:35:09.780
you may recognize this idea because that movie is about a similar kind of scheme.

00:35:09.780 --> 00:35:14.940
JORDAN: The Securities and Exchange Commission sent two lawyers down to review our files so I

00:35:14.940 --> 00:35:19.920
set them up in our conference room, and I had it bugged and the air conditioning turned up so high

00:35:19.920 --> 00:35:25.020
that it felt like Antarctica in there. Then, while they were looking for a smoking gun in that room,

00:35:25.020 --> 00:35:32.640
I was gonna fire off a bazooka in here, offering up our latest IPO. An IPO is an initial public

00:35:32.640 --> 00:35:37.260
offering. It’s the first time a stock is offered for sale to the general population. Now,

00:35:37.260 --> 00:35:41.280
as the firm taking the company public, we set the initial sales price and sold those

00:35:41.280 --> 00:35:46.860
shares right back to our friends. Look, I know you’re not following what I’m saying anyway,

00:35:46.860 --> 00:35:53.400
right? That’s okay. That doesn’t matter. The real question is this; was all this legal?

00:35:53.400 --> 00:35:57.180
Absolutely not, but we were making more money than we knew what to do with.

00:35:57.180 --> 00:36:02.220
JACK: Gery, Joshua, and Ziv were in the business of manipulating the stock market and getting

00:36:02.220 --> 00:36:07.020
people to buy stocks based on false information. These scams are called pump-and-dumps because the

00:36:07.020 --> 00:36:12.480
scammers try to pump up the value to make a quick profit by dumping the stocks at a higher price.

00:36:12.480 --> 00:36:16.440
Here’s how they did it. [MUSIC] First, they forged documents so that they could present themselves

00:36:16.440 --> 00:36:22.200
as stock brokers. They were already working under false pretenses. Now, stock brokers are

00:36:22.200 --> 00:36:27.540
like middlemen between investors and the stock exchanges. They help investors figure out what

00:36:27.540 --> 00:36:31.860
stock to buy, when to buy them, and they seek out good investment opportunities for their clients.

00:36:31.860 --> 00:36:37.020
These days, everything is digital and online so Gery, Joshua, and Ziv created newsletters,

00:36:37.020 --> 00:36:40.440
social media accounts, and websites to tell investors what shares to buy.

00:36:40.440 --> 00:36:43.860
These tools gave their investors the impression that if they followed Gery,

00:36:43.860 --> 00:36:48.540
Joshua, and Ziv’s tips, their money would grow quickly. Sometimes they would fake

00:36:48.540 --> 00:36:51.600
the data on these articles and predict that a stock was going to rise in value,

00:36:51.600 --> 00:36:57.240
but they would actually backdate that article to make it seem like all their predictions came true.

00:36:57.240 --> 00:37:03.060
Their indictments show that these guys were all using the classic scams. Since May 2011,

00:37:03.060 --> 00:37:09.300
they hit six microcap companies. They targeted one after another with their tried-and-tested schemes.

00:37:09.300 --> 00:37:13.560
They hit each of these six companies using the same pump-and-dump formula. They’d buy the

00:37:13.560 --> 00:37:17.820
company while the stock was less than five dollars each and then they’d create a bunch of false hype

00:37:17.820 --> 00:37:22.260
about these stocks resulting in a buyer surge that would drastically increase the trading volume and

00:37:22.260 --> 00:37:29.880
stock price within just a few days. In 2011, they made about $460,000 doing just three companies.

00:37:29.880 --> 00:37:35.580
Then they upped their game. In February 2012, they hit a company called Mustang Alliance which

00:37:35.580 --> 00:37:40.260
is a mining corporation. In just one week, they bought two million shares of Mustang Alliance,

00:37:40.260 --> 00:37:46.380
increased the share price over 65%, and then sold the shares for a 2.2 million dollar profit.

00:37:46.380 --> 00:37:53.160
Altogether, they collected 3.5 million dollars in just a couple years running these scams.

00:37:53.160 --> 00:37:57.660
But this wasn’t their only racket. Gery was the head of operations and CEO of their company,

00:37:57.660 --> 00:38:01.620
Webologic. He had the final say on all these decisions and he found a couple

00:38:01.620 --> 00:38:05.400
of stock promoters to bring in on these scams. Their job was to advertise and

00:38:05.400 --> 00:38:09.180
promote different stocks and shares all day long. They would go hunting for companies

00:38:09.180 --> 00:38:14.880
that they knew could easily be promoted to be a pump-and-dump. But they did more than that.

00:38:14.880 --> 00:38:19.260
In case you didn’t know, there’s a big difference between being a public and private company.

00:38:19.260 --> 00:38:24.420
Basically, it has to do with who owns the company. A private company is owned by some group of people,

00:38:24.420 --> 00:38:29.160
usually the founders or a management group, or private investors. But a public company is

00:38:29.160 --> 00:38:34.440
a company that has sold some of its shares to the public through a stock exchange. This

00:38:34.440 --> 00:38:37.680
means that part of the public company is literally owned by members of the public,

00:38:37.680 --> 00:38:41.160
the people who have purchased shares in the company. That’s why they’re called

00:38:41.160 --> 00:38:45.660
shareholders. Also, private companies can’t sell shares of their company on the stock market

00:38:45.660 --> 00:38:49.860
and it’s actually really hard for a private company to become a publicly-trading company.

00:38:49.860 --> 00:38:54.240
It’s a long process that takes years. Even for legit, fast-growing companies,

00:38:54.240 --> 00:38:59.940
they have to apply and be audited before they can be listed as a publicly-trading company.

00:38:59.940 --> 00:39:03.180
When that finally happens, they have an event called an initial public offering,

00:39:03.180 --> 00:39:09.480
or IPO. I say all that because sometimes Gery would find private companies that seem like they

00:39:09.480 --> 00:39:18.000
would be easy to falsely promote. He worked out a system to help these companies go public so that

00:39:18.000 --> 00:39:24.720
he could run his pump-and-dump scams using their shares. [MUSIC] Over the years, Gery created heaps

00:39:24.720 --> 00:39:30.120
of shell corporations. These are companies with no staff, no revenue, no office. These corporations

00:39:30.120 --> 00:39:34.620
only exist on paper and Gery would go through the long, rigorous process of getting these

00:39:34.620 --> 00:39:40.140
corporations to go public and be traded on the stock exchange which might have taken him years.

00:39:40.140 --> 00:39:46.800
But with publicly-trading shell corporations ready to go, Gery was able to approach private

00:39:46.800 --> 00:39:51.480
companies, pretend to be a legit stockbroker, convince them to do a reverse merger with his

00:39:51.480 --> 00:39:57.360
shell corporation, and that would fast-track that company to be public trading on the stock market.

00:39:57.360 --> 00:40:01.800
Now, this whole scheme is all upside for Gery. First, he’s going to sell his shell corporation

00:40:01.800 --> 00:40:05.280
to some company. This could make him anywhere between a few thousand dollars

00:40:05.280 --> 00:40:09.600
to a few hundred thousand dollars. Because he created these shell companies, he was able to

00:40:09.600 --> 00:40:15.840
assign any amount of company shares to himself or his friends like Joshua or Ziv. If he did that,

00:40:15.840 --> 00:40:21.180
then before the actual scam even started, he would already have tons of shares in these companies.

00:40:21.180 --> 00:40:25.320
He would sell his shell corporation to a company and then that company does a reverse merger with

00:40:25.320 --> 00:40:29.340
it, and now that company is suddenly a publicly-trading company. He did all this

00:40:29.340 --> 00:40:34.620
under the guise of being a helpful stockbroker just here to help them navigate going public.

00:40:34.620 --> 00:40:39.360
Then once the reverse mergers were complete and that private company was now publicly trading,

00:40:39.360 --> 00:40:44.220
Gery’s fake marketing campaign would ramp up and make the stock of that company boom.

00:40:44.220 --> 00:40:51.060
That’s the pump. Right when the hype was about to fizzle out, Gery and Ziv and Joshua would sell

00:40:51.060 --> 00:40:57.360
all of their stocks which they could have had from the very beginning, and that’s the dump.

00:40:57.360 --> 00:41:03.060
If Gery was the CEO of this scam operation, Ziv was his ops manager with some IT thrown in.

00:41:03.060 --> 00:41:08.040
Ziv bought up a heap of domains and built stockbroker websites that all looked legit. He

00:41:08.040 --> 00:41:11.820
was the one who maintained all of the different brokerage accounts and the false documents for

00:41:11.820 --> 00:41:16.440
their schemes. He was the one keeping track of all the moving pieces. Joshua was like the

00:41:16.440 --> 00:41:19.920
communications and marketing manager; he wrote all the promotional materials that they used

00:41:19.920 --> 00:41:24.660
to market the companies. With this systematic approach and with all the pieces ready to move,

00:41:24.660 --> 00:41:29.340
these scams were really just a matter of bombarding people with marketing and buying

00:41:29.340 --> 00:41:35.700
and selling stocks at the right times. Now, at this point you might be wondering how is

00:41:35.700 --> 00:41:40.320
any of this connected to the breach at JPMorgan Chase? Well, we’re almost there. Bear with me.

00:41:40.320 --> 00:41:44.820
See, over time as these guys were marketing stocks, they were starting to do some e-mail

00:41:44.820 --> 00:41:49.260
marketing. They would send people e-mails that said ‘Amazing opportunity! Small cap

00:41:49.260 --> 00:41:52.740
investment can double your money in weeks. Don’t blow your shot at financial freedom.’

00:41:52.740 --> 00:41:57.060
They would list a stock ticker symbol and make people feel like they had to buy this

00:41:57.060 --> 00:42:00.960
stock right away. You’ve probably seen these types of e-mails. I receive thousands of them,

00:42:00.960 --> 00:42:05.280
myself. The way they work is that the sender of these scammy e-mails just buys a huge list

00:42:05.280 --> 00:42:10.020
of e-mail addresses and blasts out millions of e-mails at a time. That’s what Gery’s crew was

00:42:10.020 --> 00:42:14.280
doing at first and that was somewhat successful, but they wanted to take

00:42:14.280 --> 00:42:18.540
their scam to the next level. [MUSIC] They thought if they could get a list of e-mail

00:42:18.540 --> 00:42:24.780
addresses of real stock market investors, their spam would be much more effective.

00:42:24.780 --> 00:42:29.400
I mean, who better to advertise a stock tip to than people who are actively trading on

00:42:29.400 --> 00:42:33.720
the stock market? Traders are always looking for a hot stock, and they might just go ahead

00:42:33.720 --> 00:42:38.820
and buy some random stock that they saw in a scammy-looking e-mail. That brings us to

00:42:38.820 --> 00:42:44.880
JPMorgan Chase. It turns out that the whole JPMorgan Chase hack was about getting better

00:42:44.880 --> 00:42:53.160
leads for Gery’s marketing campaign to make his pump-and-dump scams more profitable. That’s right;

00:42:53.160 --> 00:43:00.600
Gery, Ziv, and Joshua wanted millions of stolen JPMorgan Chase’s customers’ e-mail addresses

00:43:00.600 --> 00:43:08.100
just to e-mail them stock tips. Of all the absurd, off-the-wall, preposterous crimes,

00:43:08.100 --> 00:43:13.500
this one takes the cake. Three random scammers orchestrated a hack into the

00:43:13.500 --> 00:43:21.780
largest bank in the US just to make money on their pump-and-dump scams. Unbelievable.

00:43:21.780 --> 00:43:29.580
But their criminal activity went beyond just stock market manipulation.

00:43:29.580 --> 00:43:35.400
On the same day Gery and Ziv were arrested, July 21st, 2015, an Israeli newspaper reported that

00:43:35.400 --> 00:43:40.620
another indictment had named them both. But this time it was for a huge, illegal online

00:43:40.620 --> 00:43:45.540
gambling operation, an operation that was supposedly even bigger than the stock fraud

00:43:45.540 --> 00:43:49.860
scams they had been pulling. When this report came out, the online gambling forums just lit

00:43:49.860 --> 00:43:55.200
up. It turned out that Gery and Ziv were behind the well-known, dodgy online casinos Affactive

00:43:55.200 --> 00:43:59.880
and RevenueJet. These are actually groups of casinos owned and operated by companies called

00:43:59.880 --> 00:44:05.880
Netad Management and Milore Ltd, and it had dozens and dozens of online gambling websites. For years,

00:44:05.880 --> 00:44:10.080
the casino sites run by these two companies had been getting called out by the gaming review sites

00:44:10.080 --> 00:44:15.960
as being scams. The review sites actively warned players not to use Gery and Ziv’s online casinos.

00:44:15.960 --> 00:44:21.480
In fact, in 2010, Casinomeister gave Affactive Group the Worst Casino Group Award,

00:44:21.480 --> 00:44:26.100
citing their terrible customer service and failure to pay players their winnings.

00:44:26.100 --> 00:44:30.420
Now, all these sites under Affactive and RevenueJet used gambling software called

00:44:30.420 --> 00:44:35.760
Rival and RTG for the games. These are the leading suppliers of casino games and online

00:44:35.760 --> 00:44:40.740
gambling. Then they lease this gaming software to the independent casinos. The games on Affactive

00:44:40.740 --> 00:44:45.240
and RevenueJet were legitimate, well-designed games and that’s how they attracted players to

00:44:45.240 --> 00:44:50.340
come to their sites to gamble. But to gamble on these sites, you need money to play. When

00:44:50.340 --> 00:44:55.500
winners would actually win money, that’s when Gery and Ziv would start pulling some shady business.

00:44:55.500 --> 00:45:02.100
[MUSIC] His casino sites started to develop a reputation for being really unreliable at

00:45:02.100 --> 00:45:06.840
paying out their players. When a player made a cash-out withdrawal request, there

00:45:06.840 --> 00:45:10.200
were all kinds of delays. Security procedures would make players wait

00:45:10.200 --> 00:45:14.700
ninety days. Some players waited the ninety days for their money only to be told their

00:45:14.700 --> 00:45:18.720
cash-out wasn’t valid because they didn’t play at the casino for the last few weeks.

00:45:18.720 --> 00:45:22.560
Sometimes they wouldn’t pay the whole amount; maybe just a percentage just to keep the players

00:45:22.560 --> 00:45:27.780
guessing. But that would be as far as it went. Often, players would just give up, take the loss,

00:45:27.780 --> 00:45:31.500
and move on to a different site or they’d end up gambling away their winnings and playing more

00:45:31.500 --> 00:45:38.460
games in the casino. By avoiding paying out the players, these sites were raking in tons of cash.

00:45:38.460 --> 00:45:44.700
Like the JPMorgan Chase hack, this is an absurd scam that doesn’t make any sense to me. An online

00:45:44.700 --> 00:45:50.280
casino by its very nature makes a ton of cash. The odds are always in the casino’s favor to win,

00:45:50.280 --> 00:45:54.960
even without scamming anyone. Maybe you’ve heard the term ‘the house always wins.’ Yeah,

00:45:54.960 --> 00:46:00.240
that’s about casinos. They are literally money-printing machines for the owners.

00:46:00.240 --> 00:46:06.120
Why treat the players so poorly? Ugh, the nerve of these guys. The greed is just astounding to

00:46:06.120 --> 00:46:11.760
me. But it gets worse. Just after the arrests, the Netad Management casino’s network collapsed;

00:46:11.760 --> 00:46:15.720
just stopped. None of the sites were loading at all and the executive director of the Gambling

00:46:15.720 --> 00:46:20.280
Portal Webmaster’s Association said that he got a notice that the Affactive was closing

00:46:20.280 --> 00:46:25.080
its operations, effective immediately. It seems like as soon as the indictments came through,

00:46:25.080 --> 00:46:30.320
someone pulled the plug on the casinos. Their online casino empire had crumbled overnight.

00:46:30.320 --> 00:46:35.340
[MUSIC] At that time, Gery and Ziv were in custody in Israel and the US was trying to

00:46:35.340 --> 00:46:40.560
get them extradited to face these stock fraud charges. Joshua was still nowhere to be found and

00:46:40.560 --> 00:46:46.080
with his indictment unsealed, his name showed up on the FBI’s Most Wanted list. But still,

00:46:46.080 --> 00:46:50.880
we don’t know who actually conducted the hack against JPMorgan Chase and the other twelve

00:46:50.880 --> 00:46:56.520
financial institutions. Gery, Ziv, and Joshua were market manipulators, shady businessmen,

00:46:56.520 --> 00:47:01.980
and con artists, but they weren’t hackers. We know they had the stolen e-mail addresses from

00:47:01.980 --> 00:47:07.080
the JPMorgan Chase hack, but how did they get them? Breaking into JPMorgan Chase’s network

00:47:07.080 --> 00:47:12.360
is not an amateur hacking project. Whoever did it really knew what they were doing.

00:47:12.360 --> 00:47:21.720
But if Gery or Ziv or Joshua weren’t the hackers, then who was?

00:47:21.720 --> 00:47:26.880
A year after JPMorgan Chase discovered they’d been hacked, several more financial companies received

00:47:26.880 --> 00:47:31.260
visits from the FBI informing them that their networks had been breached and they had evidence

00:47:31.260 --> 00:47:37.080
to prove it. These companies started to send out letters to their customers. In October 2015, the

00:47:37.080 --> 00:47:42.060
online discount stockbroker E-Trade sent a letter to all their customers explaining that their

00:47:42.060 --> 00:47:46.740
network had been breached and that customers’ personal information had been compromised. They

00:47:46.740 --> 00:47:53.100
said their database was breached which contained 31,000 E-Trade customers’ data. Scottrade, another

00:47:53.100 --> 00:47:58.440
online stockbroker, revealed that they were also hit by these hacks, but their breach was way

00:47:58.440 --> 00:48:04.920
bigger. They believe that the personal information of 4.6 million of their customers had been stolen.

00:48:04.920 --> 00:48:09.300
Dow Jones sent out letters, too. Now, they’re not a financial institution in

00:48:09.300 --> 00:48:14.520
the way of a bank or a broker is, but they’re a big publisher of financial information. They’ve

00:48:14.520 --> 00:48:18.360
been going for 137 years. They publish the Wall Street Journal, MarketWatch,

00:48:18.360 --> 00:48:24.480
and Barron’s. In October 2015, they informed their customers of a data breach. In their letter,

00:48:24.480 --> 00:48:29.400
they explain that the hackers may have been in the system for three years but

00:48:29.400 --> 00:48:34.800
they’d only found evidence of the theft of 3,500 people’s contacts or payment data.

00:48:34.800 --> 00:48:39.540
There were clues like IP addresses and the malware and the data that was stolen which

00:48:39.540 --> 00:48:44.520
made authorities suspect that these hacks were all conducted by the same hackers. A month later,

00:48:44.520 --> 00:48:50.160
all the evidence came out. On November 10th, 2015, Preet Bharara, the attorney general of

00:48:50.160 --> 00:48:54.840
the Southern District of New York, unsealed a superseding indictment against Gery, Ziv,

00:48:54.840 --> 00:48:59.580
and Joshua. It was a bombshell. Getting indicted for these stock

00:48:59.580 --> 00:49:03.960
scams probably seemed bad enough for these guys, but now they were really in trouble.

00:49:03.960 --> 00:49:08.520
PREET: Good afternoon. My name is Preet Bharara and I’m the United States attorney

00:49:08.520 --> 00:49:13.560
for the Southern District of New York. Today we announce criminal charges in one of the largest

00:49:13.560 --> 00:49:19.560
cyber-hacking schemes ever uncovered. The charges involve cyber-intrusions over several

00:49:19.560 --> 00:49:26.040
years targeting twelve different companies; seven financial institutions, two financial

00:49:26.040 --> 00:49:32.280
news publications, two software development firms, and a market risk intelligence company.

00:49:32.280 --> 00:49:39.360
By any measure, the data breaches of these firms were breathtaking in scope and in size.

00:49:39.360 --> 00:49:43.500
The defendants allegedly stole personal information for over 100 million customers

00:49:43.500 --> 00:49:49.680
including 83 million customers from one bank alone, the single-largest theft of customer data

00:49:49.680 --> 00:49:57.000
from a US financial institution ever. That bank was JPMorgan Chase, as it has disclosed itself.

00:49:57.000 --> 00:50:01.620
To hide their tracks, the defendants allegedly operated their criminal schemes through over

00:50:01.620 --> 00:50:05.940
seventy-five shell companies and used close to twenty – two-hundred, I’m sorry,

00:50:05.940 --> 00:50:10.260
identification documents fraudulently including thirty false passports

00:50:10.260 --> 00:50:15.120
from seventeen different companies. The good news is that the FBI and

00:50:15.120 --> 00:50:19.606
the Secret Service have cracked this case and we aim to prove it in court.

00:50:19.606 --> 00:50:26.580
JACK: [MUSIC] At this point, the evidence of the case was getting massive. These guys have been

00:50:26.580 --> 00:50:31.560
running an international cyber-crime enterprise. The new indictment accused them of twenty-three

00:50:31.560 --> 00:50:36.960
counts which included computer fraud, hacking, wire fraud, securities fraud, money laundering,

00:50:36.960 --> 00:50:41.520
identity theft. It just went on and on. This one group had been running this whole system

00:50:41.520 --> 00:50:47.040
of interconnected, illegal schemes; scam on top of scam on top of scam. They were making

00:50:47.040 --> 00:50:53.280
hundreds of millions of dollars. What the feds had uncovered here was huge.

00:50:53.280 --> 00:50:57.900
The scale of this is just incredible. I mean, it’s really crazy. But let’s stop for a minute

00:50:57.900 --> 00:51:01.740
and talk about the money. That’s what Gery was doing all this for, right? Well, he was living

00:51:01.740 --> 00:51:06.660
the high life in his Tel Aviv mansion, passing himself off as a really successful businessman.

00:51:06.660 --> 00:51:10.680
I guess that in a certain sense he was a successful businessman and he did have some

00:51:10.680 --> 00:51:15.180
legitimate business interests and investments that earned him good money. But to live the

00:51:15.180 --> 00:51:20.460
kind of lifestyle he wanted, I guess he felt like he needed to keep chasing the next big payday.

00:51:20.460 --> 00:51:26.400
Anyway, all these scams; the online casino, stock fraud, the hacks, they were making Gery, Ziv,

00:51:26.400 --> 00:51:30.540
and Joshua hundreds of millions of dollars and they couldn’t just throw all that into a bank

00:51:30.540 --> 00:51:35.040
account. That definitely would have attracted some unwanted attention. Banks are required to

00:51:35.040 --> 00:51:40.020
report deposits of a certain size and I’m sure that if Gery, Ziv, and Joshua had deposited

00:51:40.020 --> 00:51:45.360
their hundreds of millions of dollars, it would have triggered some sort of reporting policy.

00:51:45.360 --> 00:51:49.860
They needed a solution, a way to launder the money, convert their money from illicit and

00:51:49.860 --> 00:51:54.240
unusable to clean and spendable. They came up with a couple of ways to do it.

00:51:54.240 --> 00:51:58.620
[MUSIC] Remember those shell corporations that Gery was using to do reverse mergers with private

00:51:58.620 --> 00:52:03.000
companies for their stock scam? Well, this also came in handy for laundering a lot of

00:52:03.000 --> 00:52:07.920
money they were making. Gery and Ziv were moving money around left, right, and center. They were

00:52:07.920 --> 00:52:12.720
transferring millions of dollars from their casino businesses to bank accounts in Cyprus,

00:52:12.720 --> 00:52:16.680
and then shifting it all around through all the shell companies. They had their money-laundering

00:52:16.680 --> 00:52:21.360
down to a science. All they had to do was fill their shell companies’ ledgers with transactions

00:52:21.360 --> 00:52:26.100
for goods and services that they had supposedly been providing their customers. They could then

00:52:26.100 --> 00:52:29.280
use this dirty money to pay themselves for those made-up goods and services.

00:52:29.280 --> 00:52:33.780
That way, it would look like this money was just shell companies invoicing it and

00:52:33.780 --> 00:52:38.100
paying out legitimate customers. This left the shell companies with loads of money in

00:52:38.100 --> 00:52:42.120
their accounts and a nice audit trail that made everything look more legit. At the end,

00:52:42.120 --> 00:52:47.940
they had clean money. Gery had seventy-five different shell companies. He, Ziv, and Joshua

00:52:47.940 --> 00:52:51.780
had multiple bank accounts and brokerage accounts in countries all over the world. Obviously,

00:52:51.780 --> 00:52:55.500
none of them were set up in their own names. All three of these guys had aliases they would use.

00:52:55.500 --> 00:53:00.540
They had thirty different fake passports from across seventy different countries. Keeping

00:53:00.540 --> 00:53:05.040
track of all these companies and accounts and the false documents and the different names;

00:53:05.040 --> 00:53:07.140
that must have been a full-time operation just doing that.

00:53:07.140 --> 00:53:11.520
It’s pretty impressive how they were able to manage all these moving pieces. Before

00:53:11.520 --> 00:53:15.900
they got caught, it probably seemed like it was worth all this work.

00:53:15.900 --> 00:53:21.900
[MUSIC] In 2011, the same year he started the pump-and-dump scams, Gery created two online

00:53:21.900 --> 00:53:26.880
payment processing companies called IDPay and Todur. You could think of these as more

00:53:26.880 --> 00:53:31.560
like shady versions of PayPal. Gery used these payment processors to let his players deposit

00:53:31.560 --> 00:53:36.660
money into gaming accounts in his online casinos. These sites were the intermediaries between the

00:53:36.660 --> 00:53:40.440
players’ bank accounts and the casinos’ bank accounts. Each transaction would go through

00:53:40.440 --> 00:53:46.020
these payment processors, but Gery had to hide that money because it wasn’t legal. To turn that

00:53:46.020 --> 00:53:51.060
money into money he could actually use, he needed to make it look like it came from a legal source.

00:53:51.060 --> 00:53:56.400
Gery and Ziv opened multiple bank accounts in different countries using fake IDs and

00:53:56.400 --> 00:54:00.000
fake documentation. They would send transactions made through IDPay and

00:54:00.000 --> 00:54:04.620
Todur into these accounts around the world. Now, credit card companies are not allowed to

00:54:04.620 --> 00:54:10.260
process payments that they believe might have come from illegal activity. Gery and Ziv would

00:54:10.260 --> 00:54:14.820
code their transactions to make them look like simple online purchases from everyday retail

00:54:14.820 --> 00:54:20.040
websites like pet stores or wedding outlets. If they could find banking officials in the

00:54:20.040 --> 00:54:24.840
countries they were depositing their money, they would bribe them to turn a blind eye. Basically,

00:54:24.840 --> 00:54:29.460
they did anything they could to prevent anyone from catching onto their operations. Of course,

00:54:29.460 --> 00:54:33.240
the players at Gery’s online casinos had no clue what was going on in the background.

00:54:33.240 --> 00:54:38.400
Everything probably just seemed normal from their perspective. Gery had a bunch

00:54:38.400 --> 00:54:42.900
of like-minded friends, other criminals who needed to launder money just as much as Gery

00:54:42.900 --> 00:54:48.240
did. He was friends with people selling fake pharmaceuticals, malware, and fake antivirus

00:54:48.240 --> 00:54:52.140
software. Whatever their business, if they wanted to collect payments via credit card,

00:54:52.140 --> 00:54:59.100
they needed a shady payment processor and they would use Gery’s IDPay and Todur. Of course, just

00:54:59.100 --> 00:55:04.920
like any payment processor, Gery would take a nice cut of each transaction. But sometimes the credit

00:55:04.920 --> 00:55:08.580
card companies did get suspicious. When that happened, the credit card companies

00:55:08.580 --> 00:55:13.320
would stop processing Gery’s transactions and issue fines and penalties to whichever financial

00:55:13.320 --> 00:55:18.600
institution Gery got caught using. Gery would just pay these off and carry on where he could.

00:55:18.600 --> 00:55:23.820
It was just a minor inconvenience; a cost of doing business. If they got questioned about this,

00:55:23.820 --> 00:55:27.780
they’d all act shocked and surprised as if they had no idea the transactions were for

00:55:27.780 --> 00:55:31.860
illegal goods and activities. If a bank got suspicious and closed one of Gery’s accounts,

00:55:31.860 --> 00:55:36.840
he’d just find a new bank and open a new account. It became a pretty constant process of finding new

00:55:36.840 --> 00:55:40.860
accounts and coming up with fake merchants to use for transactions to make them look legit.

00:55:40.860 --> 00:55:49.080
It was all very shady but it was working. In 2012, Gery did another astonishing move. There

00:55:49.080 --> 00:55:54.120
was this company called G2 Web Services. This is sort of a watchdog company that monitors

00:55:54.120 --> 00:55:58.740
payment processors to make sure they’re above board and not fraudulent. Basically,

00:55:58.740 --> 00:56:03.780
the staff at G2 will go and do a test at payment processors to make sure they’re trustworthy.

00:56:03.780 --> 00:56:08.700
Well, Gery was using IDPay and Todur to process a lot of payments for his

00:56:08.700 --> 00:56:14.100
illegal activities. He didn’t want G2 to flag his payment processor as fraudulent,

00:56:14.100 --> 00:56:20.400
so he hired a hacker to break into G2 and get a list of credit cards that were used

00:56:20.400 --> 00:56:26.040
in test-payment transactions. Then Gery would just block those credit card numbers from being

00:56:26.040 --> 00:56:33.000
used at IDPay and Todur so that nobody at G2 could even test the payment processing on his websites.

00:56:33.000 --> 00:56:39.060
The audacity! I’ve never heard of a hack like this; to hack into a watchdog company just

00:56:39.060 --> 00:56:45.900
to make sure that they don’t talk bad about you and to block them, it’s just ridiculous.

00:56:45.900 --> 00:56:50.400
In July 2013, two years after Gery first created IDPay and Todur,

00:56:50.400 --> 00:56:55.440
Brian Krebs published a report about potentially suspicious activity being conducted at IDPay.

00:56:55.440 --> 00:57:00.780
A source had found IDPay’s customer database and discovered a bunch of fake antivirus sites

00:57:00.780 --> 00:57:06.120
were using this payment processor. These websites had addresses like spyblocker.com,

00:57:06.120 --> 00:57:11.640
malwaredefender.com, personalguard.com, and so many more of the fifty domains. Krebs investigated

00:57:11.640 --> 00:57:16.320
IDPay and he couldn’t find anything about them. There were no records of this company existing

00:57:16.320 --> 00:57:21.420
at all, so he concluded that these websites were installing fake malware onto victims’

00:57:21.420 --> 00:57:26.820
computers and then asking the victim to pay to get the virus removed. These sites were using

00:57:26.820 --> 00:57:31.500
IDPay because a legitimate processor would never process sketchy transactions like this.

00:57:31.500 --> 00:57:36.480
If this is what was going on, then I guess we can add this bogus antivirus payment processing

00:57:36.480 --> 00:57:40.680
scam to the list of growing crimes that were committed by Gery and his friends.

00:57:40.680 --> 00:57:46.260
One site on the list of IDPay’s customers was rxpartners.com. This was known to be an

00:57:46.260 --> 00:57:51.420
illegal pharmacy affiliate program. Hackers and spammers would sign up and earn cash for

00:57:51.420 --> 00:57:57.000
promoting illegal pharmacies. In 2013, not many people knew about Gery and his massive

00:57:57.000 --> 00:58:00.600
empire of hacking and scamming, and they didn’t know he was the one behind IDPay.

00:58:00.600 --> 00:58:06.780
While Gery was focusing on making sure anti-fraud companies like G2 Web Services weren’t onto him,

00:58:06.780 --> 00:58:12.960
he didn’t realize that the feds were onto him. How did the feds get on Gery’s trail?

00:58:12.960 --> 00:58:18.300
[MUSIC] Well, a month before he was arrested, an undercover federal agent went on to one of his

00:58:18.300 --> 00:58:22.920
casino’s websites and deposited some money using his credit card to make a bet. When he checked his

00:58:22.920 --> 00:58:31.200
credit card statement, he found the transaction had been recorded as a payment to houseforpets.com

00:58:31.200 --> 00:58:36.060
which wasn’t even a real website. This was the first thing that tipped off the

00:58:36.060 --> 00:58:43.380
feds and from there, they quickly found a lot of evidence leading to Gery, Ziv, and Joshua.

00:58:43.380 --> 00:58:48.180
It was the hack on JPMorgan Chase that really brought down Gery’s empire. If you remember,

00:58:48.180 --> 00:58:52.020
the hackers successfully broke into JPMorgan Chase’s network and stole 86

00:58:52.020 --> 00:58:57.060
million records and got out without raising a single alert. JPMorgan Chase had no idea they

00:58:57.060 --> 00:59:01.500
were breached and that was by design. The hackers were extremely careful not to raise any red flags.

00:59:01.500 --> 00:59:05.160
The only reason JPMorgan Chase ever found out that they’d been breached was

00:59:05.160 --> 00:59:08.760
when they read that Hold Security report and found that Simmco Data was breached,

00:59:08.760 --> 00:59:13.800
and the evidence from that breach is how JPMorgan Chase figured out they were breached. JPMorgan

00:59:13.800 --> 00:59:18.480
Chase was never supposed to find out that they were breached, so once it came out that JPMorgan

00:59:18.480 --> 00:59:22.140
Chase did know that they were breached, it was time for the hackers to start covering their

00:59:22.140 --> 00:59:27.360
tracks. Remember the canceled Egyptian server rental? Yeah, they knew they were getting rumbled.

00:59:27.360 --> 00:59:32.580
But again, JPMorgan Chase wasn’t their first hack. Uh-uh. They already got away

00:59:32.580 --> 00:59:36.840
with hacking six other US financial companies. On the same day the big

00:59:36.840 --> 00:59:41.460
twenty-three count indictment was unsealed, a third indictment was unsealed also in Atlanta.

00:59:41.460 --> 00:59:46.380
This indictment was focused on the hacks and it tells us exactly how they happened.

00:59:46.380 --> 00:59:51.120
The feds had confirmed that it was Gery pulling the strings on all these hacks

00:59:51.120 --> 00:59:55.560
and they knew Joshua helped him out. But they also knew that neither Gery nor Joshua

00:59:55.560 --> 01:00:00.480
were hackers capable of doing this. The indictment brought charges against Gery,

01:00:00.480 --> 01:00:07.800
Joshua, and an unidentified suspect, a John Doe, the mystery hacker. Okay,

01:00:07.800 --> 01:00:13.440
so with this indictment, we learned about how the hacker got into E-Trade and Scottrade. At first,

01:00:13.440 --> 01:00:17.760
the hacker got a regular login to E-Trade and poked around as just a normal user,

01:00:17.760 --> 01:00:22.620
looking for vulnerabilities on the site. I’m not sure what he found but on that same day,

01:00:22.620 --> 01:00:29.400
three of E-Trade’s developer servers got accessed by the hackers. But nothing was stolen at that time.

01:00:29.400 --> 01:00:35.820
Almost a whole year passes, then Gery tells the hacker the plan to steal customer data from the

01:00:35.820 --> 01:00:41.040
databases and gives the hacker servers around the world to use; servers in South Africa,

01:00:41.040 --> 01:00:45.240
Romania, and the Czech Republic. These were not bulletproof servers which were

01:00:45.240 --> 01:00:51.240
untouchable by the feds, but Gery told the hacker they were registered anonymously.

01:00:51.240 --> 01:00:54.600
With the hacker ready, the infrastructure in place, and the plan figured out,

01:00:54.600 --> 01:01:01.140
Scottrade was the first of the two to be hacked. [MUSIC] On September 8th, 2013, Gery’s hacker

01:01:01.140 --> 01:01:07.140
reported that he’d hit a wall. Scottrade had antivirus in place and he could only get access

01:01:07.140 --> 01:01:12.960
to one employee’s computer without raising alarms. But this employee had no admin rights,

01:01:12.960 --> 01:01:19.980
so this slowed down the hacker. For the next two months, he tried and failed to gain access.

01:01:19.980 --> 01:01:25.080
But on November 22nd, the hacker asked Gery to get him a Scottrade user account,

01:01:25.080 --> 01:01:30.060
hoping he could use it to breach Scottrade’s systems. So, Joshua and Gery provided the hacker

01:01:30.060 --> 01:01:36.600
with a regular user login. From there, the hacker was able to find vulnerabilities in the site and

01:01:36.600 --> 01:01:42.540
exploit them to get access to Scottrade’s servers. The next day, he was searching through Scottrade’s

01:01:42.540 --> 01:01:48.000
networks for customer databases and he found them. He looked through a few of the records

01:01:48.000 --> 01:01:53.880
in the database and he saw customer names, phone numbers, and e-mail addresses. Bingo. This is

01:01:53.880 --> 01:01:57.720
what he was looking for. He did a quick count to see how many records were in the database.

01:01:57.720 --> 01:02:03.420
There were six million customer details. Gery was very excited about this discovery and of course,

01:02:03.420 --> 01:02:07.440
he wanted the e-mail addresses of this database. The hacker took one more look

01:02:07.440 --> 01:02:12.360
around the database server and he noticed he wasn’t in there alone. A database admin was

01:02:12.360 --> 01:02:16.680
also logged into the customer database and actively running commands. The hacker got

01:02:16.680 --> 01:02:20.820
nervous. He needed to download these six million records. He was right there in front of it,

01:02:20.820 --> 01:02:26.280
but he wanted to do it in secrecy so that nobody would ever know he was there. He was nervous that

01:02:26.280 --> 01:02:30.840
if he downloaded the data while the other admin was there, he might draw unwanted attention.

01:02:30.840 --> 01:02:35.340
He couldn’t afford for that admin to notice that something fishy was going on and at the same time,

01:02:35.340 --> 01:02:40.980
he didn’t want the admin to notice he was there and kick him out. So, he waited nervously until

01:02:40.980 --> 01:02:46.740
that admin logged out. Then he quickly copied six million customer records to a server that

01:02:46.740 --> 01:02:50.940
the hacker controlled, covered his tracks, and disconnected from Scottrade’s network.

01:02:50.940 --> 01:02:57.600
The hacker gave Gery a password and location of the stolen database. On November 25th,

01:02:57.600 --> 01:03:02.640
Gery sent the hacker a report of the customer data that was stolen from Scottrade. The database

01:03:02.640 --> 01:03:08.400
included information of four million Scottrade customers. 100,000 of them were residents of

01:03:08.400 --> 01:03:14.460
Georgia. The hacker then added more, around 200,000 to 300,000 bank customers of Scottrade.

01:03:14.460 --> 01:03:20.100
Two days later, he breached more databases and added more data to the server. On November 27th,

01:03:20.100 --> 01:03:25.500
Gery’s hacker reported that he now had six million records from Scottrade.

01:03:25.500 --> 01:03:29.460
They didn’t waste any time before going to E-Trade. The very next day,

01:03:29.460 --> 01:03:33.540
the hacker breached E-Trade’s server using a brute force attack to gain access to a video

01:03:33.540 --> 01:03:38.040
teleconferencing server on their network. Of course, once he got in, he got himself

01:03:38.040 --> 01:03:42.540
persistence and elevated his privileges. He installed a back door into the servers and

01:03:42.540 --> 01:03:47.040
started looking around the network for database servers. Four days later, the hacker breached

01:03:47.040 --> 01:03:52.200
another server on E-Trade’s network and installed a reverse shell on it. Four days after that, he

01:03:52.200 --> 01:03:57.540
gained access to three more internal servers and a core admin platform. This was the motherlode.

01:03:57.540 --> 01:04:02.460
These servers contained all of the customer data for E-Trade customers. The hacker began

01:04:02.460 --> 01:04:07.500
copying all the data stored on these servers. The reverse shell he had set up was exporting

01:04:07.500 --> 01:04:12.840
data for days after that. Gery’s hacker would eventually steal fifteen million

01:04:12.840 --> 01:04:18.720
customer records from E-Trade’s network. Once he stole them, he would send them straight to Gery.

01:04:18.720 --> 01:04:24.180
By December 16th, one of Gery’s associates had cleaned up and merged all the stolen customer

01:04:24.180 --> 01:04:28.800
records from E-Trade and Scottrade into an enormous database. This was

01:04:28.800 --> 01:04:32.640
the customer information Gery wanted; a vast database containing the contact

01:04:32.640 --> 01:04:38.100
details of millions of potential investors, people who he knows are already investors.

01:04:38.100 --> 01:04:43.500
Over the course of four months, Gery’s hacker had been going in and out of multiple servers

01:04:43.500 --> 01:04:48.720
on both E-Trade and Scottrade’s internal networks. He hadn’t set off any alarms. No

01:04:48.720 --> 01:04:53.400
security scans picked up on his activity but at some point, E-Trade began to suspect their

01:04:53.400 --> 01:04:57.480
systems had been breached. They launched an internal investigation and they got law

01:04:57.480 --> 01:05:02.760
enforcement involved. But nothing came of it. They couldn’t find any evidence that data was

01:05:02.760 --> 01:05:07.800
stolen. There were no logs that somebody copied the data because the hacker hid his

01:05:07.800 --> 01:05:12.960
tracks so he wouldn’t get detected. E-Trade concluded that if they had been breached, then

01:05:12.960 --> 01:05:18.720
the perpetrator had hidden their tracks really well, so the investigation just kinda stalled out.

01:05:18.720 --> 01:05:23.100
But they were right; someone had been in the systems and it was Gery’s mysterious hacker.

01:05:23.100 --> 01:05:27.300
[MUSIC] As E-Trade and Scottrade were being hacked, Gery’s online casinos were making

01:05:27.300 --> 01:05:32.580
considerable money. He was running at least twelve different casinos. In October 2013,

01:05:32.580 --> 01:05:42.120
they made him 78 million dollars. Gery and Ziv had 270 employees in Ukraine and Hungary working

01:05:42.120 --> 01:05:46.860
in call centers to help keep these casinos running. They were responding to queries and

01:05:46.860 --> 01:05:50.760
trying to help keep players happy, but they were also giving the runaround to players who

01:05:50.760 --> 01:05:56.520
were trying to cash out their money. Gery and Ziv needed to draw as many players to their casino as

01:05:56.520 --> 01:06:01.200
possible. The more people playing meant the more people they could scam out of their winnings.

01:06:01.200 --> 01:06:08.220
To help that bit along, Gery called in his hacker. When people want to do some online gambling,

01:06:08.220 --> 01:06:11.880
they typically start with a Google search and visit the first few gambling websites that show

01:06:11.880 --> 01:06:16.980
up. They think oh, this casino is the first result in Google so it must be popular and trustworthy.

01:06:16.980 --> 01:06:21.780
Knowing this, Gery started trying to get his hacker to find ways to improve the casino’s

01:06:21.780 --> 01:06:25.440
search ranking on Google. Now, there’s a whole lot that goes into search ranking.

01:06:25.440 --> 01:06:30.300
It’s called SEO, search engine optimization, and what actually determines the ranking on Google’s

01:06:30.300 --> 01:06:35.400
search is a little bit mysterious. They use an algorithm of some kind but in the SEO world, it’s

01:06:35.400 --> 01:06:41.100
generally believed that to boost a site’s ranking, you need more links to that website. So, much of

01:06:41.100 --> 01:06:45.540
SEO is based on the idea that the more websites on the internet that post links to your site means

01:06:45.540 --> 01:06:51.180
that your site becomes more popular in the search rankings. Gery knew this and wanted more links to

01:06:51.180 --> 01:06:57.000
his casinos. He used a secret ingredient to get that. Want to take a guess on what that was?

01:06:57.000 --> 01:06:58.920
HANS: The secret ingredient is crime.

01:06:58.920 --> 01:07:02.940
JACK: He asked the hacker for help and the hacker got to work to try to find a way to

01:07:02.940 --> 01:07:07.320
make tons of links to Gery’s online casinos. After a bit of searching, he started hacking

01:07:07.320 --> 01:07:12.120
into dormant gambling-related WordPress blogs. We’re talking like, thousands of them here,

01:07:12.120 --> 01:07:16.920
blogs that hadn’t been updated in ages and whoever owned them lost interest in it. All

01:07:16.920 --> 01:07:21.900
their plugins were out of date, the software hadn’t been updated and well, yeah, they were

01:07:21.900 --> 01:07:27.840
vulnerable to being hacked. The hacker exploited a lot of these old WordPress blogs and he created

01:07:27.840 --> 01:07:32.880
tons of links to the casinos’ websites. Compare this to hacking into banks; it was pretty easy.

01:07:32.880 --> 01:07:37.680
Once he finished, these sites had new posts mentioning Gery’s casinos and how they were

01:07:37.680 --> 01:07:42.600
absolutely the best place to gamble on. When these blogs got re-indexed by Google, these new posts

01:07:42.600 --> 01:07:47.880
made Gery’s casinos rise up in the ranking and become more popular. Now whenever users

01:07:47.880 --> 01:07:52.860
searched Google for keywords like ‘best online casino’ or ‘where to play online casino games’,

01:07:52.860 --> 01:07:58.140
these ancient blogs were starting to pop up with fresh results. People always click on

01:07:58.140 --> 01:08:02.160
the first couple of results. That’s just how it is. So, people clicked on these old blogs,

01:08:02.160 --> 01:08:08.220
they saw tons of glowing reviews of Gery’s casinos, and this hijacking of neglected blogs

01:08:08.220 --> 01:08:13.980
drove enormous amounts of traffic straight to Gery’s online gambling sites. That wasn’t all.

01:08:13.980 --> 01:08:18.780
Gery liked to be in control and know exactly what was going on, so he paid this hacker to

01:08:18.780 --> 01:08:23.400
visit his competitors’ websites. [MUSIC] He would have the hacker take down any competing gambling

01:08:23.400 --> 01:08:28.080
site he got annoyed at. The hacker would use a botnet to launch a huge denial-of-service attack

01:08:28.080 --> 01:08:33.660
on competitor casinos, interrupting service for those casino players. Of course, when gamblers

01:08:33.660 --> 01:08:38.460
can’t get into their favorite gambling site, they might go looking for a different site to gamble

01:08:38.460 --> 01:08:44.100
on. The DDoS attacks that Gery was conducting could actually drive players to his casino, too.

01:08:44.100 --> 01:08:48.660
Then Gery would find out what software the competitor casinos were using and then ask the

01:08:48.660 --> 01:08:53.640
hacker to gain access to that software company to monitor what rival casinos were saying and doing.

01:08:53.640 --> 01:08:58.080
He also hacked into e-mail accounts of executives at the companies that made

01:08:58.080 --> 01:09:03.600
online gambling software used by many casinos, just to let Gery in on deals that executives were

01:09:03.600 --> 01:09:08.640
making with each online casino. This allowed him to stay a step ahead of his competitors. If

01:09:08.640 --> 01:09:14.280
anything was going on that might compromise one of his casinos, he would have an early warning.

01:09:14.280 --> 01:09:19.020
Gery was used to getting what he wanted and he was quite happy to use sneaky,

01:09:19.020 --> 01:09:24.240
underhanded tactics to get his way. He was getting away with everything until it all

01:09:24.240 --> 01:09:30.480
caught up with him in July 2015, when Gery and Ziv got arrested by the Israeli police.

01:09:30.480 --> 01:09:35.280
Once the indictment was announced in November, everything went, well, a little bit quiet.

01:09:35.280 --> 01:09:39.720
The feds and prosecutors were working to prepare their cases. The first thing they

01:09:39.720 --> 01:09:43.920
were going to do was get Gery and Ziv extradited to the US. This was a pretty

01:09:43.920 --> 01:09:48.960
long process which took about a year. In June 2016, they were both extradited to New York

01:09:48.960 --> 01:09:53.760
and found themselves in a Manhattan prison. On June 9th, they appeared in Manhattan Federal

01:09:53.760 --> 01:10:00.420
Court. Both Gery and Ziv pleaded not guilty to the long list of charges against them.

01:10:00.420 --> 01:10:06.120
But there was still one guy out there; Joshua. Joshua was still somewhere in the wild and the FBI

01:10:06.120 --> 01:10:11.160
was searching everywhere for him. They suspected that he was hiding out in Russia. It

01:10:11.160 --> 01:10:17.820
made it pretty complicated to look for him there. But then Joshua just solved that problem for them.

01:10:17.820 --> 01:10:25.200
It turned out Joshua was in Moscow all along and on December 14th, 2016, his attorney called

01:10:25.200 --> 01:10:31.260
the feds and said Joshua’s gonna turn himself in and is flying into the JFK Airport in New York.

01:10:31.260 --> 01:10:36.180
So, Joshua did. He flew to New York and was arrested on the spot. You see,

01:10:36.180 --> 01:10:41.880
Joshua got himself in a bit of trouble with the Russians. He had flown into Russia via Ukraine

01:10:41.880 --> 01:10:48.240
on May 23rd, 2015 and had been staying in an apartment in Moscow. In May 2016,

01:10:48.240 --> 01:10:54.600
right as Gery and Ziv were about to be extradited from Israel to the US, Joshua was arrested by the

01:10:54.600 --> 01:11:00.000
Russian immigration police. They turned up at his apartment for a surprise spot check on his visa

01:11:00.000 --> 01:11:05.520
documents. For Joshua to maintain his visa, he was supposed to fly out of the country and then come

01:11:05.520 --> 01:11:10.860
back every six months. He hadn’t been doing that because he was hiding out from the FBI.

01:11:10.860 --> 01:11:17.340
The Russian immigration police put him in jail. On May 20th, a Russian judge fined him the equivalent

01:11:17.340 --> 01:11:24.420
of $80 and ordered him to leave Russia. Joshua had to leave Russia but he wasn’t interested in going

01:11:24.420 --> 01:11:30.600
to the US and getting arrested by the FBI. He applied for refugee status so that he could stay

01:11:30.600 --> 01:11:36.060
in Russia. [MUSIC] While he was waiting on his refugee status at an immigration office in Moscow,

01:11:36.060 --> 01:11:40.560
he talked to his lawyers and they changed his mind. They convinced him that it was

01:11:40.560 --> 01:11:46.500
better for him to come to the US and face his charges than to continue hiding out in Russia.

01:11:46.500 --> 01:11:52.980
But strangely enough, when Russia found out Joshua was wanted by the FBI, they offered him asylum.

01:11:52.980 --> 01:11:56.700
They probably thought he would be useful for some sort of political or diplomatic

01:11:56.700 --> 01:12:01.380
leverage. Joshua had already made up his mind though so he turned down the offer of asylum,

01:12:01.380 --> 01:12:06.660
but Russian immigration was now hesitant about letting him leave. So, he was stuck

01:12:06.660 --> 01:12:11.640
in the immigration center while his lawyers were negotiating with Russians and the feds,

01:12:11.640 --> 01:12:16.980
both of which wanted Joshua in their custody at this point. After about six months of this,

01:12:16.980 --> 01:12:24.960
in December 2016, everyone agreed and Joshua got on the flight to New York and was arrested.

01:12:24.960 --> 01:12:30.360
By the time Joshua gave himself up, Gery had been in prison for almost two years. Gery pleaded not

01:12:30.360 --> 01:12:34.740
guilty and was looking at a lengthy court trial. Gery was the mastermind behind all these schemes.

01:12:34.740 --> 01:12:39.420
He had the valuable knowledge and connections with the underground criminals. Plus, he probably knew

01:12:39.420 --> 01:12:44.160
some stuff about Russian cyber-crime networks. The feds recognized that Gery could be really

01:12:44.160 --> 01:12:50.400
valuable to them, so they offered him some plea deals. They offered to release him if he

01:12:50.400 --> 01:12:57.960
agreed to plead guilty to all the crimes he did and became an informant. On May 22nd,

01:12:57.960 --> 01:13:03.240
2017, a big daily newspaper in Israel, The Calcalist, reported that Gery had agreed to

01:13:03.240 --> 01:13:10.620
pay US authorities 403 million dollars in cash under forfeiture. His plea deal also meant that

01:13:10.620 --> 01:13:17.580
three criminal proceedings against him, plus an SEC civil lawsuit, were all dropped. [MUSIC] Now, 403

01:13:17.580 --> 01:13:24.180
million dollars sounds like a lot, but the feds estimated he had earned over two billion dollars.

01:13:24.180 --> 01:13:30.240
Gery probably was walking away with some extra cash left in his pockets. But giving up his cash

01:13:30.240 --> 01:13:36.000
meant that he had to tell the feds where the money was and wow, he had a lot of cash stashed

01:13:36.000 --> 01:13:40.860
all around the world. He had eighty-one different bank accounts around the world. Many of them were

01:13:40.860 --> 01:13:45.780
in Switzerland and some of these accounts had over 100 million dollars in them. There were accounts

01:13:45.780 --> 01:13:51.540
in Cyprus, Georgia, Virgin Islands, Luxembourg, Latvia. They were everywhere. On top of that,

01:13:51.540 --> 01:13:55.920
he had stashes of cash and jewelry worth millions, and a six-million-dollar house.

01:13:55.920 --> 01:14:01.140
Gery’s plea deal wasn’t straightforward. According to The Calcalist, it took six

01:14:01.140 --> 01:14:06.720
different law firms to negotiate it. Five of these law firms were in the US and one was in Israel.

01:14:06.720 --> 01:14:11.340
While Gery agreed to pay hundreds of millions of dollars of his illegal profits to get out of

01:14:11.340 --> 01:14:17.580
prison, he had to give the feds more than money. It seems like he gave up a hacker,

01:14:17.580 --> 01:14:25.020
a thirty-eight-year-old Russian man named Peter Levashov. Peter was from St. Petersburg and

01:14:25.020 --> 01:14:30.660
he’s the one who built the Kelihos botnet which infected 100,000 computers. This botnet was built

01:14:30.660 --> 01:14:37.320
to send massive amounts of spam e-mails. But the Kelihos botnet was also available for hire; anyone

01:14:37.320 --> 01:14:44.040
could use it to send tons of spam themselves, and Gery was definitely sending a lot of spam. Peter

01:14:44.040 --> 01:14:50.220
was arrested on April 9th, 2017 while on holiday with his family in Barcelona, Spain. He was

01:14:50.220 --> 01:14:55.740
accused of running the Kelihos botnet and pleaded guilty to it in Connecticut in September 2018.

01:14:55.740 --> 01:15:00.060
The counts against him included the distribution of fake spam e-mails,

01:15:00.060 --> 01:15:04.500
promoting counterfeit pharmaceuticals, and other frauds including pump-and-dump stock schemes.

01:15:04.500 --> 01:15:10.140
He’s still awaiting his sentencing. It’s not clear what Gery told the feds about Peter,

01:15:10.140 --> 01:15:13.680
whether he just straight-up ratted Peter out or what happened there.

01:15:13.680 --> 01:15:20.580
But the question everyone had was hey, this Peter guy, is that Gery’s mystery hacker?

01:15:20.580 --> 01:15:26.280
At first, I thought it was but no, he wasn’t. Peter wasn’t Gery’s hacker. That was someone

01:15:26.280 --> 01:15:32.640
else entirely. [MUSIC] In December 2017, law enforcement flew into the airport of Georgia,

01:15:32.640 --> 01:15:36.720
an Eastern European country. They were there at the request of the US

01:15:36.720 --> 01:15:41.460
authorities and they went to the capital to arrest thirty-five-year-old Andrei Tyurin.

01:15:41.460 --> 01:15:47.160
Andrei is a Russian citizen but the US had been tracking him and knew he was flying into Georgia

01:15:47.160 --> 01:15:52.740
from Moscow, and they wanted him in custody before he could disappear. Andrei was a well-known,

01:15:52.740 --> 01:15:57.960
high-level Russian hacker. The feds believed he was the hacker working with Gery in his

01:15:57.960 --> 01:16:02.340
empire of scams, and they had spent the last two years trying to track him down and detain him.

01:16:02.340 --> 01:16:07.440
Once in custody in Georgia, the feds set out to get him extradited to the US. Now, Russia does

01:16:07.440 --> 01:16:12.360
not like giving up its hackers, but there’s not much they can do when it’s outside their country.

01:16:12.360 --> 01:16:17.760
That’s why the US arrested him in Georgia, because you can get him extradited out of Georgia.

01:16:17.760 --> 01:16:23.100
Now, some Russian hackers have a double motive for hacking. They work on a freelance basis,

01:16:23.100 --> 01:16:28.620
taking jobs from whoever is willing to pay their fee. But they may also be looking to

01:16:28.620 --> 01:16:33.840
pass any juicy information they find to the Russian government or anyone else who’s willing

01:16:33.840 --> 01:16:40.620
to pay for this information. Regardless of who’s paying for the hack, the hacker’s always the first

01:16:40.620 --> 01:16:45.900
person to get their eyes on the data. Sure, the hacker will upload a copy to whoever hired them,

01:16:45.900 --> 01:16:50.400
but there’s nothing stopping them from uploading a copy to someone else, too.

01:16:50.400 --> 01:16:55.740
Although the FBI had ruled out the possibility that the JPMorgan Chase hack was executed by

01:16:55.740 --> 01:16:59.640
the Russian government, US intelligence had apparently found some evidence to

01:16:59.640 --> 01:17:05.940
suggest Andrei was getting some protection from the FSB, Russia’s intelligence agency.

01:17:05.940 --> 01:17:11.640
It hasn’t been confirmed but some evidence suggests that the FSB tried to recruit Andrei

01:17:11.640 --> 01:17:16.860
while other bits of evidence suggest he may have had a bigger role in the operation run by FSB.

01:17:16.860 --> 01:17:22.140
Either way, it took almost a year for feds to get through the red tape and bring Andrei

01:17:22.140 --> 01:17:29.280
onto US soil and book him into a federal prison. [MUSIC] Now, a quick aside about US attorneys;

01:17:29.280 --> 01:17:33.540
this case was being handled in the Southern District of New York and Preet Bharara was

01:17:33.540 --> 01:17:37.320
the US attorney for that district. When the US government brings this case to trial,

01:17:37.320 --> 01:17:41.640
a federally-appointed attorney handles the case. But when Trump was elected president,

01:17:41.640 --> 01:17:46.980
he had Jeff Sessions order all forty-six US attorneys from Obama’s administration to resign.

01:17:46.980 --> 01:17:52.140
Preet Bharara had met with Trump a few days earlier and did not get the impression that he

01:17:52.140 --> 01:17:57.840
was being fired, so Preet refused to resign, but Trump fired him the next day. The Trump

01:17:57.840 --> 01:18:02.880
administration appointed Geoffrey Berman as the new US attorney for the Southern District of New

01:18:02.880 --> 01:18:08.640
York. On September 7th, 2018, Geoffrey Berman announced that Andrei had been extradited from

01:18:08.640 --> 01:18:13.260
Georgia to New York. This was a massive win for the feds; getting an indicted Russian

01:18:13.260 --> 01:18:19.080
hacker extradited into the US for cyber-crimes is not something that happens very often. Oh,

01:18:19.080 --> 01:18:23.100
and as for the US attorney for the Southern District of New York, Geoffrey Berman,

01:18:23.100 --> 01:18:29.940
Trump fired him, too. I guess Trump didn’t like that Berman was investigating Rudy Giuliani,

01:18:29.940 --> 01:18:34.320
Trump’s personal attorney regarding some suspected criminal activity.

01:18:34.320 --> 01:18:38.640
Trump put Jay Clayton in place to be the current US attorney for the

01:18:38.640 --> 01:18:44.400
Southern District of New York. Clayton has never been a federal prosecutor before but

01:18:44.400 --> 01:18:49.560
he was the chairman of the Securities and Exchange Commission. This case has now

01:18:49.560 --> 01:18:55.740
passed through the hands of three different US attorneys for the Southern District of New York.

01:18:55.740 --> 01:19:01.020
Andrei was charged with ten counts including computer hacking, conspiracy, wire fraud,

01:19:01.020 --> 01:19:05.760
and identity theft all relating to Gery’s enterprises. The same day they got him into

01:19:05.760 --> 01:19:10.860
New York, he was put in front of a judge to state his plea: not guilty. Andrei wouldn’t

01:19:10.860 --> 01:19:15.060
admit to anything. On September 25th, there was an initial pretrial conference hearing.

01:19:15.060 --> 01:19:19.740
The prosecution presented their evidence to Andrei through a Russian interpreter. The

01:19:19.740 --> 01:19:25.500
evidence against him, which was mostly in Russian, was pretty damning. They had almost 3,500 pages

01:19:25.500 --> 01:19:31.560
of online chats between Andrei and Gery all discussing the hacks and scams. The evidence

01:19:31.560 --> 01:19:37.380
took up nearly two terabytes of storage. They also had evidence from devices seized from Gery

01:19:37.380 --> 01:19:42.360
and Ziv when they were arrested in Israel which all pointed to Andrei being involved in this.

01:19:42.360 --> 01:19:46.500
They had the data from the hacked companies too, like logs and records from the hack,

01:19:46.500 --> 01:19:50.940
and that resulted in another few terabytes of data which was not looking good for Andrei.

01:19:50.940 --> 01:19:57.120
The data from the JPMorgan Chase hack was over three terabytes just on its own. The prosecution

01:19:57.120 --> 01:20:01.560
and defense had to agree on a way to deal with all this digital evidence. You can’t just print

01:20:01.560 --> 01:20:05.880
all that out; it’s just too much information and it’s not like it’s just some long text document.

01:20:05.880 --> 01:20:09.600
Lots of this evidence was complex technical data. Prosecutors and

01:20:09.600 --> 01:20:13.740
defense attorneys aren’t computer experts, so they needed to get all this data into a

01:20:13.740 --> 01:20:18.540
format that they understood that could be used in the court case like this. The prosecution

01:20:18.540 --> 01:20:23.280
and defense worked together to figure out how they were gonna do that. What followed

01:20:23.280 --> 01:20:27.780
was a long line of adjourned court dates and pretrial hearings. For a full year,

01:20:27.780 --> 01:20:36.000
nothing moved in terms of court appearances. Then suddenly, Andrei’s case ended in one day.

01:20:36.000 --> 01:20:42.600
On September 23rd, 2019, Andrei submitted a change of plea. He was now pleading guilty.

01:20:42.600 --> 01:20:46.320
Andrei admitted to conspiracy to commit computer hacking, wire fraud,

01:20:46.320 --> 01:20:53.820
unlawful internet gambling conspiracies, and conspiracy to commit wire fraud and bank fraud.

01:20:53.820 --> 01:20:57.840
[BEEPING] In pleading guilty to these four counts against him, he was admitting to hacking

01:20:57.840 --> 01:21:03.900
eight different US financial institutions between June 2012 and August 2014. These

01:21:03.900 --> 01:21:10.440
include JPMorgan Chase, Fidelity, Dow Jones, E-Trade, and Scottrade. Publicly at least,

01:21:10.440 --> 01:21:15.240
Andrei’s conviction was the first in this entire case. His lawyer said that Andrei was hired by

01:21:15.240 --> 01:21:18.840
the masterminds of the schemes to hack these computer networks under their instructions.

01:21:18.840 --> 01:21:24.180
Because he pleaded guilty, there was no need to have a trial. On January 7th, 2021,

01:21:24.180 --> 01:21:29.460
the court sentenced Andrei to 12 years in prison for his involvement with this.

01:21:29.460 --> 01:21:35.040
It’s believed that Andrei earned over $19 million from his hacking activity.

01:21:35.040 --> 01:21:40.620
Gery is believed to be out of prison and living somewhere in the US. Until his forfeiture is

01:21:40.620 --> 01:21:44.820
completely paid, he’s not allowed to fly out of the country. Information about his court

01:21:44.820 --> 01:21:51.900
hearings or progress on his remaining charges is hard to come by. I mean, if Gery is an informant,

01:21:51.900 --> 01:21:55.860
then that means that a lot of his court documents are going to be sealed, and a

01:21:55.860 --> 01:22:04.980
lot of his court documents are sealed. It’s just one of those things I don’t have a visual into.

01:22:04.980 --> 01:22:19.620
Ziv, though, has been convicted of something. He is currently waiting to be sentenced. The

01:22:19.620 --> 01:22:27.060
fact that he hasn’t been in any news about any of these cases could mean that all three

01:22:27.060 --> 01:22:29.760
are cooperating with US authorities.

01:22:29.760 --> 01:22:40.500
It’s possible that they are providing information in exchange for leniency in their own cases,

01:22:40.500 --> 01:22:44.040
but unless their cases are unsealed, we might not ever find out. Altogether,

01:22:44.040 --> 01:22:49.560
these schemes made a colossal amount of money. It really was a sprawling, interconnected network of

01:22:49.560 --> 01:22:55.020
scams building on top of each other, scaling up, leveling up, and expanding outward. The whole

01:22:55.020 --> 01:23:01.320
story is full of surprises and by the end, it’s mind-bogglingly complex; a web of illegal schemes,

01:23:01.320 --> 01:23:06.960
hacking, fraud, money laundering, carried out by some shady businessmen and conmen joining forces

01:23:06.960 --> 01:23:12.660
with a hacker. Just as the schemes themselves were large-scale, so too was the network of people and

01:23:12.660 --> 01:23:17.820
resources Gery had built to operate it all. The story has it all; the villains, the hacks,

01:23:17.820 --> 01:23:23.580
the underground illegal acts, and finally a hammer of justice that brings it all crashing down.

01:23:23.580 --> 01:23:30.000
The hack into JPMorgan Chase wasn’t a random, one-off attack. It was done by someone who

01:23:30.000 --> 01:23:38.520
seemed to have an insatiable appetite for more; more hacking, more data, more scams, more money.

01:23:38.520 --> 01:23:43.920
Sure, there’s an element of glamour to Gery Shalon’s story. The money, the fancy watches,

01:23:43.920 --> 01:23:49.620
the mansion, but there’s also an element of desperation. I mean, what was the point

01:23:49.620 --> 01:23:57.180
of all this besides just wanting more? How many hundreds of millions of dollars more did he need?

01:23:57.180 --> 01:24:01.500
From my point of view, it’s like none of these schemes seemed big enough for him.

01:24:01.500 --> 01:24:06.660
No amount of money seemed satisfying enough and at the end, it kinda seems like it was

01:24:06.660 --> 01:24:17.160
all an endless desire that eventually led to the destruction of Gery Shalon’s empire.

01:24:17.160 --> 01:24:21.780
(OUTRO): [OUTRO MUSIC]

01:24:21.780 --> 01:24:25.980
If you love Darknet Diaries, stories from the dark side of the internet,

01:24:25.980 --> 01:24:33.960
then support it. Go to patreon.com/darknetdiaries and join the group of the most amazing people, the

01:24:33.960 --> 01:24:39.540
people who keep my network running. I talked with one Patreon member the other day and he told me he

01:24:39.540 --> 01:24:45.780
drove for eight hours while listening to the show. What’s funny is he only had to go to the store to

01:24:45.780 --> 01:24:49.560
get some bread but the show was so addicting that he kept driving around just to listen.

01:24:49.560 --> 01:24:53.880
If that’s the kind of listener you are, then consider giving back to the show by

01:24:53.880 --> 01:25:00.480
supporting it at patreon.com/darknetdiaries. Join today and I’ll grant you special access

01:25:00.480 --> 01:25:06.900
to bonus content and an ad-free feed. Thank you. This show is made by me, the spider-buyer,

01:25:06.900 --> 01:25:11.700
Jack Rhysider. This episode was written by the crime-traveler, Fiona Guy. Sound design

01:25:11.700 --> 01:25:16.320
and original music was created by the graphical interface Andrew Meriwether; editing help this

01:25:16.320 --> 01:25:22.440
episode by the window-gazing Damienne. Our theme music is by the sound system Breakmaster Cylinder.

01:25:22.440 --> 01:25:32.760
Even though back in my day we didn’t have USB, we only had USA, this is Darknet Diaries.
