cyber attack
U.S. Attorney for the Southern District of New York Preet Bharara points to a chart at a news conference in New York. REUTERS/Shannon Stapleton

Two Israelis and an American national have been accused of running a major computer hacking and fraud scheme that not only generated hundreds of millions of dollars in illegal profit, but also exposed the personal information of more than 100 million people. The three targeted 12 companies, including nine financial services companies and media outlets.

The companies targeted included JPMorgan Chase & Co, asset manager Fidelity and The Wall Street Journal. The hacking has been described as the largest cyber-attack of financial firms in the US history.

Gery Shalon, 31 of Savyon, Israel, Joshua Samuel Aaron, 31, a US citizen who lives in Moscow and Tel Aviv, and Ziv Orenstein, 40, from Bat Hefer, Israel, have been charged in a 23-count indictment with crimes dating from 2007 to the summer of 2015. Their activities included pumping up stock prices, running online casinos, payment processing for criminals, managing an illegal bitcoin exchange and the laundering of money through at least 75 shell companies and accounts around the world.

Speaking at a news conference in Manhattan, US Attorney Preet Bharara said: "By any measure, the data breaches at these firms were breathtaking in scope and in size. The charged crimes showcase a brave new world of hacking for profit."

"It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate," Bharara said. The US Securities and Exchange Commission has already filed civil charges related to securities fraud against Shalon, Aaron and Orenstein.

When the case was first announced in July, US Attorney General Loretta Lynch described it as "one of the largest thefts of financial-related data in history." Shalon and Aaron are alleged to have hacked the systems using a computer server in Egypt that was rented under an alias that Shalon often used.

Aaron remains at large and is the subject of an FBI "wanted" poster. He is believed to be living in Moscow. A fourth person, Anthony Murgio, 31 from Tampa, Florida was charged separately over the bitcoin exchange, Coin.mx while a co-defendent, Yuri Lebedev is said to be "in discussions" with the prosecutors, Bharara said.

A separate indictment was put forward in Atlanta against Shalon, Aaron and an unnamed third person. The indictment said brokerages E*Trade Financial Corp and Scotttrade Inc were targets and that the personal information of more than 10 million customers was compromised.

The indictment places Shalon as the ringleader, claiming that he orchestrated the hackings since 2012. He is also alleged to have run at least 12 illegal online casinos with Orenstein since 2007.

The both of them are accused of running payment processors IDPay and Todur through which they collected $18m if fees to process hundreds of millions of dollars of transactions for criminals. Shalon is also facing charges for running the illegal bitcoin exchange Coin.mx with Murgio and concealing at least $100m in Swiss and other accounts.

More about cyber attacks