Back in 2014, before Sony Pictures and Ashley Madison were denuded for the world to see, the JPMorgan Chase hack felt like the biggest hack. It affected 76 million households! And it was what we imagined to be the hacking motherlode: banking information. The hackers were reported to have gotten deep into the bank's networks, getting information about checking and savings accounts. At any moment, people who banked with Chase or traded through J.P. Morgan imagined digital money flying out of their accounts.
But then, almost nothing happened. The New York Times reported at the time that JPMorgan Chase saw no rise in fraud. Reporters and security experts were perplexed. Bloomberg and the Times both pointed the finger at Russia, citing anonymous sources who suggested that, given the lack of obvious financial motives, this was some kind of nation-state warfare. But now, authorities in New York have charged the people they allege are behind the hack, and none of them are Russian.
This week, the Department of Justice charged three men with the massive hack: two Israeli citizens and one American, who recruited, according to Bloomberg, a former Florida State frat brother into the scheme. They performed the hack, reports Reuters, through a server they rented in Egypt.
What's remarkable about the massive digital infiltration of the bank is just how boring the hackers' grand scheme was. From the DOJ's press release:
[I]n an effort to artificially manipulate the price of certain stocks publicly traded in the United States, [the] co-conspirators sought to market the stocks, in a deceptive and misleading manner, to customers of the victim companies whose contact information they had stolen in the intrusions.
In other words, the point of stealing information from millions of JPMorgan Chase customers? To spam them with messages about penny stocks.
To artificially manipulate the trading volume and prices of dozens of stocks, among other things, at pre-arranged times, [the co-conspirators] disseminated materially misleading, unsolicited messages by various means – including by email (“spam”) to up to millions of recipients per day – that falsely touted the stock in order to trick others into buying it. [The co-conspirators] engaged in the U.S. Financial Sector Hacks in part to acquire email and mailing addresses, phone numbers, and other contact information for potential victims to whom they could send such deceptive communications. [The] co-conspirators generated tens of millions of dollars in unlawful proceeds from the securities market manipulation schemes.
To the hackers, a bank made an attractive target because it possessed a list of email addresses of people who have money and are interested in stocks. They could have legally obtained the same information by buying a similar list from a digital marketing firm.
The only link to Russia would be a quote prosecutors ascribe to one of the alleged hackers. Via Reuters:
According to prosecutors, [Gery] Shalon was sure this would work because Americans liked buying stocks. "It's like drinking freaking vodka in Russia," he allegedly told an accomplice.
And the 31-year-old American charged is believed to be currently living in Moscow, making, as we know from Edward Snowden's example, extradition by U.S. authorities difficult.
Manhattan's federal prosecutor Preet Bharara calls the scheme "a brave new world of hacking for profit" where people no longer hack "merely for a quick payout, but hacking to support a diversified criminal conglomerate."
Another way to look at it is that we live in a brave new world of shoddy security, where companies that hold our sensitive information aren't taking the care they should to protect it. And a world in which hackers who just want a list of email addresses to spam can get it by breaking into the computers of the largest bank in the world.