Russian Charged in JPMorgan Chase Hack Extradited to USAndrei Tyurin Perpetrated Biggest Bank Customer-Data Heist in History, Feds Say
A Russian national who's been accused of hacking into JPMorgan Chase's network in 2014 and stealing personal information on more than 83 million customers has been extradited to the United States to face hacking, wire fraud and other charges.
The U.S. Department of Justice says Andrei Tyurin, 35, was extradited from the Eastern European country of Georgia. He appeared in Manhattan federal court on Friday and pleaded not guilty, Bloomberg reported.
The charges filed against Tyurin include one count of conspiracy to commit computer hacking, one count of wire fraud, four counts of computer hacking, one count of conspiracy to commit securities fraud, one count of conspiracy to violate the Unlawful Internet Gambling Enforcement Act, one count of conspiracy to commit wire fraud and bank fraud and aggravated identity theft.
Tyurin is a newly named figure in the Chase hacking case, previously referred to in court documents only as an unnamed co-conspirator. He allegedly worked with a team that prosecutors say was led by three men: Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein. They allegedly executed a wide-ranging criminal operation that included online gambling, stock manipulation and payment processing fraud, the Justice Department says.
In 2016, Israel agreed to extradite Israeli nationals Shalon and Orenstein to the United States. Maryland-born Aaron, who was living in Moscow, returned to the U.S. in December 2016, surrendering to authorities at Kennedy Airport. All three have pleaded not guilty to the charges against them.
Massive Customer Data Heist
U.S. prosecutors say the JPMorgan Chase intrusion was the "largest theft of customer data from a U.S. financial institution in history." The other victims including brokerage firms, financial news companies, software development firms and a merchant risk intelligence company.
The attacks collectively compromised the personal information of more than 100 million people, according to a superseding indictment filed against Tyurin. He and his group are alleged to have collected hundreds of millions of dollars from fraud derived from the intrusions and other fraud.
Between 2007 and 2015, the group illegally traded pharmaceutical products as well as counterfeit and malicious software and as ran illegal online internet gambling operations, prosecutors allege.
Chase Hack Like 'Opening A Book'
The group's biggest alleged hack attack was against JPMorgan Chase, one of the largest financial institutions in the U.S. The first strike came in June 2015, when Tyurin and the group registered a domain name in Chase's name and rerouted "internet traffic that was intended for Victim-1 to go instead to a server under Tyurin and CC-1's [co-conspirator 1] control," the indictment says.
According the indictment, Tyurin told his colleague that he had gained access to Chase's network, including many databases and servers.
The indictment doesn't describe how he allegedly gained access. But press reports at the time indicated that multiple zero-day vulnerabilities - software flaws for which no patches were yet available - had been exploited (see New JPMorgan Chase Breach Details Emerge).
In April 2014 - just a few months prior to the attack against Chase - Tyurin gained access to a second, unidentified victim using the SSL/TLS vulnerability nicknamed Heartbleed, the indictment says. But it adds that he was locked out after the company fixed the vulnerability shortly thereafter.
Tyurin allegedly told his colleague that hunting around Chase's databases was like "opening a book in the middle ... to look for a sentence not knowing where exactly" to start, the indictment says. Three days later, he wrote that he'd found details for 85 million customers. He eventually reported back that he'd downloaded 90 percent of the Chase data.
'Like Drinking Freaking Vodka'
Between 2011 and 2015, after Tyurin and his group stole personal information, they then contacted some of those data theft victims and purported to offer investment advice and stock recommendations, prosecutors allege.
Initially, Tyurin asked his colleague if buying stocks in the U.S. was popular, to which his colleague responded: "It's like drinking freaking vodka in Russia," according to the indictment.
The group used the fake investment and stock advice to perpetrate a "pump-and-dump" scheme, the indictment says. In some cases, the group allegedly bought outstanding shares and also persuaded others to buy certain stocks, causing share prices to rise.
"The co-conspirators' massive coordinated sales typically placed downward pressure on the stock's price and caused its trading volume to plummet, exposing unsuspecting investors to significant losses," the indictment says.
In just one instance, the group dumped their inflated stock and generated $2 million, after which the stock's price subsequently dropped, it says.
Gaming Payment Processing Systems
One of the difficulties in running pharmaceutical, bogus software and gambling schemes is ensuring that victims can use their payment cards to pay for goods and services and that payment card providers do not decline the transactions. Tyurin and his group are also accused of helping to ensure that payments for illicit products and services did go through, as well as evading a system designed to detect suspicious or prohibited payments.
The suspects allegedly did this by lying to financial institutions about the purpose of the payments, including miscoding any transactions that would have violated regulations. The group also "colluded with corrupt international officials who willfully ignored its criminal nature," the indictment alleges.
One of the countries where transactions were routed was Azerbaijan, the indictment says.
Prosecutors say that payment card companies eventually caught on, however, and ended up imposing millions of dollars in penalties against any institutions that they deemed to have been part of the payment processing chain. But the criminal group then allegedly paid these fines on behalf of the banks that got hit with the penalties.
The alleged hacking group later hacked into a U.S. company that specializes in merchant risk and compliance for card payments, according to court documents. Their goal was to figure out how to evade blocks, and they gained insight after compromising email accounts for the company's employees, the indictment says.
The suspects also learned which test-card numbers the unnamed risk and compliance firm was using to make undercover purchases and used that knowledge to ensure their systems declined any transactions made using the test-card numbers, the indictment says.
(Executive Editor Mathew Schwartz also contributed to this story.)