How Hackers Made $100 Million Stealing Email Addresses

SSNs and bank account numbers were untouched. They only wanted email addresses.

Best Company
The Bottom Line
5 min read · Nov 11, 2015


Back in 2012, financial institution JPMorgan Chase reported that its customer data servers had been hacked, compromising over 83 million customer records. To date, it was the largest such data breach against an American financial institution; however, investigators reported that no account information had been accessed, and no funds had been removed. All that the hackers were apparently after was the contact information of JPMorgan Chase customers.

Recently, a similar data breach of online trading giant Scottrade had also been reported. The hack had extracted the customer records of 4.6 million Scottrade clients over the course of two years. Dow Jones also reported a breach of about 10 million customer records, but like the other two, no financial information was stolen. Just customer data — email addresses and names.

Until yesterday, Federal investigators were baffled as to why these corporate data breaches stopped at the user data, referring to the hacks as “unusual.” But now, according to an unsealed report, investigators from the Department of Justice have not only identified and arrested two of the three individuals responsible for these hacks, but they’ve also unearthed the methods through which they were able to extricate hundreds of millions of dollars in illegal funds — all from customer contact information.

Why Only Contact Info?

Traditionally, when a major financial institution is breached, hackers are after sensitive information like bank account info, Social Security Numbers, and credit card numbers; however, Gery Shalon, Ziv Orenstein, and Joshua Aaron (the men responsible for the data breaches) were after something different: customer contact information. According to the report, the three men and their criminal organization specifically targeted institutions that attracted particular customer profiles, namely customers who were likely to buy and sell stocks or participate in online gambling. Through some very effective email marketing and promotional tactics, the defendants successfully developed a massive contact list of potential victims to defraud. Once they had obtained the list, the defendants ran some fairly basic cons that, until now, had never been accomplished at the cyber level.

Pump-and-Dump

One of the trio’s most effective schemes is one common to fraudulent stock trading practices, better known as a “pump-and-dump” scheme. Essentially, the trio purchased several penny stocks, which are stocks that are valued at less than one dollar (USD). They then used their email list to encourage potential marks to purchase these stocks as a way to inflate the price; the stocks’ inherent value did not necessarily increase, but because potentially millions of people were investing in them, the increased demand forced the price upward. When the stock price had reached a certain level, the trio then sold their shares of the stocks, making massive amounts of profit as a result. Their contacts, meanwhile, were left with near-valueless penny stocks for which they had overpaid.

Illegal Online Casinos

As was mentioned before, over the course of nearly nine years, the trio had operated several illegal Internet casinos, through which they made away with several millions of dollars, or more specifically, about $1 million in unlawful profit each month.

Unlicensed Bitcoin Exchange

The trio operated an unlicensed money exchange with two Florida men (Anthony Murgio and Yuri Lebedev) through a registered federal credit union. The online exchange failed to meet federal registration and reporting requirements as outlined by the United States Treasury Department. The defendants also stand accused of exchanging cash for Bitcoins of victims of ransomware, malicious software designed to block a user’s access to his computer until a ransom is paid.

The defendants were able to evade surveillance by operating through one of those shell companies alluded to earlier. Through this shell company, they were able to deceive major financial institutions into believing that the processed funds were completely legal. As of January 2015, the group had successfully laundered over $1.8 million for Bitcoins.

Processing Payments for Illegal Pharmaceutical Suppliers

The defendants are also responsible for processing payments for illegal prescription drug organizations. The illegal drug trade includes the manufacturing and distribution of fake, stolen, or banned medicines or medical devices. End-users of these drugs risk their money, health, and even lives by taking these unregulated drugs, which could very well contain improper mixtures or doses of active ingredients.

How to Protect Yourself

It should be clear by now that you don’t need to have your Social Security Number or bank account information stolen in order to be defrauded out of all of your money. Even something as simple as your email address, phone number, or full name, in the wrong hands, can lead to serious consequences. As corporate data hacks are becoming the weapon of choice among hackers in 2015 and possibly 2016, here are a few things you can do to protect yourself:

Do NOT open or respond to suspicious emails: Even emails that claim to be from legitimate companies, or that include information about you that only your bank or financial institution would know, could be coming from a questionable source. If you have any questions about the legitimacy of one of these emails, call your bank and ask them about their email marketing practices. Chances are your bank would not ask you to invest your money in specific stocks.

Watch the news for more data breaches: Banks aren’t the only institutions at risk here. Other corporations, even retailers like Target, have all been the victims of corporate data hacks. While businesses have the responsibility to protect their customer data, customers must also be responsible about where they give their information. If you’ve done business with a company that’s experienced a data hack, talk to your bank’s fraud resolution department, and ask about updating your account information. They’ll even send you a new card if there’s any suspicion that your account has been compromised.

Get help from an identity theft protection company: Even though a sizable portion of these hackers’ ill-gotten gains was more or less voluntarily given through stock purchases and online gambling bids, working with a top identity theft protection company is still one of the best ways to prevent your information from being stolen and misused.
