This post has been updated with information from an amended criminal complaint filed Thursday afternoon.
Hackers allegedly targeted 15 financial institutions, including JPMorgan Chase & Co., Citigroup Inc. and E-Trade, as part of a nearly two-year-long scheme to hack into customer accounts online to steal at least $15 million, U.S. authorities announced this week.
“Cybercriminals penetrated some of our most trusted financial institutions as part of a global scheme that stole money and identities from people in the United States,” New Jersey U.S. Attorney Paul J. Fishman said in a statement.
Eight men have been charged with conspiracy to commit wire fraud, conspiracy to commit money laundering and conspiracy to commit identity theft. The group’s two leaders come from Ukraine -- one was arrested as he arrived on an international flight at Kennedy Airport in New York on Tuesday. The leaders allegedly received help from three men in Brooklyn, two in Massachusetts and one in Atlanta. Four of the eight have been apprehended, authorities said Wednesday.
The other compromised banks and financial services providers were Aon Hewitt, Automated Data Processing Inc., Electronic Payments Inc., Fundtech Holdings, iPayment Inc., Nordstrom Bank, PayPal, TD Ameritrade Corp., the U.S. Defense Department’s Defense Finance and Accounting Service, TIAA-CREF, USAA and Veracity Payment Solutions Inc.
In a criminal complaint, authorities allege that the defendants transferred money from victims’ bank accounts to pre-paid debit cards. They took the debit cards to ATMs to cash them out or used them to make purchases across the country. Much of the money that was cashed out was wired to the two leaders.
Some of those debit cards were secured in the names of individuals who had their identities stolen by the defendants, the complaint says That allowed the group to file fraudulent tax returns in an attempt to obtain undeserved refunds.
An amended complaint, filed Thursday against the defendants who have yet to appear in court, offered more details. Using “a variety of unlawful means,” the group gained access to the login credentials of more than 130 ADP customers. They used the information to hack into the accounts, transferring about $4 million. In a similar way, they obtained at least 40 Chase accounts, moving $60,000 to prepaid American Express debit cards.
One of the group’s alleged leaders, 33-year-old Oleksiy Sharapka, had been previously imprisoned in the U.S. for a similar conspiracy. But he was deported to Ukraine amid his sentence, and he allegedly began the new scheme shortly after.