A man who authorities say was the face of the largest theft of financial data in U.S. history surrendered Wednesday in New York, officials said.
Joshua Samuel Aaron, who had been living in Moscow, is charged in connection with the 2014 hack that exposed the records of more than 83 million JPMorgan Chase customers.
The FBI, the Secret Service and the Securities and Exchange Commission all sought the 32-year-old Aaron's capture on 16 counts of securities fraud, wire fraud, computer hacking, identity theft and several related conspiracy charges, federal prosecutors said.
Authorities have called the scheme "securities fraud on cyber-steroids."
Aaron — who agreed to return to the United States to face the charges at a hearing Thursday in U.S. District Court in Manhattan — was arrested Wednesday as soon as he arrived at John F. Kennedy International Airport in New York, federal authorities said.
Almost immediately, the word "CAPTURED" was slapped on to Aaron's FBI wanted poster.
Aaron's two alleged co-conspirators — Israeli citizens Gery Shalon, the alleged ringleader, and Ziv Orenstein — were extradited to the United States from Israel in June.
In a statement Wednesday, Preet Bharara, the U.S. attorney for Manhattan, described their alleged operation as "hacking as a business model."
According to a superseding federal indictment filed late last year, Aaron — using the alias "Mike Shields" — was the U.S. coordinator and public face of an operation that snatched the personal data of more than 100 million people at 12 major financial institutions from 2012 to 2015.
According to the indictment, many of the victims were investors who were scammed out of millions of dollars because of fraudulently inflated stock prices.
But, separately, financial institutions also lost millions of more dollars via penalties for fraudulent charges to credit and debit cards that the ring allegedly used, the indictment said.
By far, the hacking ring's biggest score was at JPMorgan Chase, where the three men allegedly obtained the data of more than 83 million customers in the summer of 2014, according to the FBI.
JPMorgan Chase later told the Securities and Exchange Commission that account numbers, passwords, user IDs, birthdates and Social Security numbers were all stolen.
But the ring — part of an even larger operation allegedly involving at least nine other people dating at least to 2007 — had tentacles in many other places, according to prosecutors.
They said the enterprise:
- Manipulated securities markets
- Created and manipulated fake companies
- Artificially pumped up stock prices with scam emails
- Ran online casinos
- Operated an illegal Bitcoin exchange
- Laundered money through at least 75 shell companies and accounts around the world
Prosecutors described a classic "pump and dump" operation, which they said often ran through legitimate financial accounts in Aaron's name.
The ring allegedly used data from the haul to scam investors into pouring money into their own fake businesses and into companies whose stock they'd legitimately bought cheaply — driving up the stock's value enough that the scammers could then sell at a profit.
If they're convicted of all charges, Aaron and Shalon could face as long as 117 years in federal prison. Orenstein is charged with fewer counts and could face up to 97 years.
All three face separate civil charges from the SEC.
