A Russian national has admitted to carrying out the largest-known computer hack on a US bank. His 2014 breach of JPMorgan Chase generated hundreds of millions of dollars in illicit revenue and stole the data of more than 80 million JPMorgan clients.
Andrei Tyurin, 35, whose last name is also spelled Tiurin, also pleaded guilty to hacks against other US financial institutions, brokerage firms, and other companies. In all, he pleaded guilty in federal court to computer intrusion, wire fraud, bank fraud, and illegal online gambling as part of a securities-fraud scheme carried out by co-conspirators.
Prosecutors said that the from 2012 to mid-2015, Tyurin carried out a massive computer-hacking campaign that stole data belonging to more than 100 million customers of the targeted companies. The 2014 intrusion on JPMorgan alone resulted in the theft of more than 80 million customer records, making it the largest—or at least one of the largest—data hacks against a US financial institution.
Tyurin carried out the hacks at the direction of co-conspirator Gery Shalon, who used the stolen data to further a variety of schemes, including securities fraud. One scheme involved artificially inflating the price of certain publicly traded stocks by marketing them in a deceptive and misleading manner to customers of companies Tyurin had hacked.
Tyurin also carried out attacks on numerous US and foreign companies to further other criminal enterprises operated by Shalon and other co-conspirators. Those enterprises included unlawful Internet gambling businesses and international payment processors.
“Nearly all of these illegal businesses, like the securities-market manipulation schemes, exploited the fruits of Tyurin’s computer-hacking campaigns,” prosecutors said in Monday’s release. “Through these various criminal schemes, Tyurin, Shalon, and their co-conspirators obtained hundreds of millions of dollars in illicit proceeds.”
Tyurin pleaded guilty to one count each of conspiracy to commit computer hacking, wire fraud, conspiracy to violate the Unlawful Internet Gambling Enforcement Act, conspiracy to commit wire fraud and bank fraud, conspiracy to commit wire fraud, and conspiracy to commit computer hacking. When combined, the charges carry a maximum penalty of 95 years in prison. According to Bloomberg News, federal prosecutors will recommend that Tyurin serve 15 to 20 years. Sentencing is scheduled for February 13, 2020.
Bloomberg News also reported that the defendant agreed to forfeit more than $19 million, an amount that was reached based on the amount he was to be paid. Other companies hit in the same campaign, according to Bloomberg, included Fidelity Investments, E-Trade, and Dow Jones.
The sophistication and scale of the hacks led US investigators to initially suspect the campaign was sponsored by the Russian government or the government of another well-resourced country. Investigators eventually concluded the attacks were the work of a for-profit criminal enterprise.