A creative approach —

Four men reportedly arrested in connection to JPMorgan Chase hack

2 Florida men also took over credit union to run sketchy Bitcoin exchange Coin.mx.

According to The New York Times and Bloomberg News, four men in Florida and Israel have been arrested in connection to the 2014 hack against JPMorgan Chase, which resulted in gigabytes of bank data being exfiltrated. The news outlets, citing anonymous sources, did not fully explain how all the suspects were connected.

The United States Attorney in Manhattan announced that the two Florida men were arrested Tuesday and were formally charged with operating an unlicensed Bitcoin exchange, coin.mx.

However, their criminal complaints make no mention of JPMorgan Chase. The two Israelis were named as Gery Shalon and Ziv Orenstein and were arrested by authorities there. A fifth man, Joshua Samuel Aaron, an American living in Israel, is reportedly still at large.

The New York City-based federal prosecutor did not immediately respond to Ars' request for comment. A search of federal court records did not reveal any criminal complaints filed against the Israelis.

The Florida duo, Anthony Murgio and Yuri Lebedev, are formally accused of running Coin.mx and of having “knowingly exchanged cash for people whom they believed may be engaging in criminal activity,” according to federal prosecutors. Among other violations, Coin.mx is accused of being a Bitcoin site used to acquire bitcoins to pay for ransomware.

The pair also apparently used a fraudulent organization, called Collectible Club, and somehow acquired “beneficial control” of an unnamed, very small New Jersey-based credit union and used it to process electronic bank payments. Prosecutors further described it as a “captive bank.”

Federal prosecutors wrote in newly unsealed criminal complaints that the fake group, Collectible Club, seems to have been set up as a way to “trick the major financial institutions through which they operated into believing their unlawful Bitcoin exchange business was simply a members-only association of individuals who discussed, bought, and sold collectible items, such as sports memorabilia.”

As FBI Special Agent Joey DeCapua explained in the affidavit:

From speaking with representatives of the National Credit Union Association and reviewing NCUA records, I learned that while the Credit Union normally handled the modest banking needs of a small group of primarily low-income local residents, and had little or no experience with the business of ACH processing, by October 2014, the Payment Processor was processing over $30 million a month in ACH transactions through its account at the Credit Union. The NCUA learned of the unusual size and scope of the activity and, in part because the Credit Union did not have the AML policies or procedures in place to handle such voluminous payment processing, forced the Credit Union to stop allowing such processing; the NCUA separately required the Credit Union to remove the new Board members.

The NCUA did not immediately respond to Ars' request for comment.

Murgio also apparently did a poor job of covering his digital tracks. The FBI affidavit and criminal complaint also state that the coin.mx domain name was registered in his name, using his e-mail address and phone number.

Similarly, the domain name of collectpma.com, the URL for Collectible Club, is registered to a Chris Smith. A quick online search reveals that the e-mail address connected to that domain is associated with Anthony Murgio.
