Photo: Michael Appleton/New York Times/Redux
Cyber-security in Florida
Hacking as a business model
Three former FSU students are accused of being part of a wide-ranging criminal enterprise conducted through cyber-space.
Anthony Murgio grew up in Palm Beach County, where his parents were educators. He played sports at Palm Beach Gardens High School and studied in its business magnet program before graduating in 2002 and heading off for FSU, where he became president of his fraternity, Phi Sigma Kappa. On the side, Murgio sold cutlery — and discovered how much he liked making money.
“I made as much or as little as I wanted, and I chose to work all day and make tons of money for a college kid,” he said.
He later wrote he “learned a little bit” from studying for his marketing degree, but “most of my life and future was shaped by the connections and friends I hung around.”
One of those friends was Joshua Samuel Aaron, a frat brother of Murgio’s from suburban D.C. who showed him “the ropes to online marketing,” Murgio says on his personal web page.
By the time Murgio graduated with a marketing degree, he wasn’t selling cutlery. Within four years of his 2006 graduation, he had founded and sold several vacation rental online property management companies. He still owned online marketing businesses and a restaurant, club and lounge, and even made Tallahassee magazine’s 2010 list of top singles. His favorite outfit: “Really tight jeans that I can hardly sit down in.” Among his favorite movies: Boiler Room, the tale of 20-somethings who become millionaires peddling stocks.
But Murgio began having trouble. By 2012 he had filed for bankruptcy over business debts totaling more than $730,000; creditors got $471. In 2013, he was arrested for allegedly stealing more than $110,000 in sales tax money his Tapas Lounge collected in 2011 but didn’t turn over to the state. That charge wasn’t resolved until February 2015, when he entered a deferred prosecution program in Leon County that required him to pay $25,000 in restitution and stay out of trouble.
Murgio may have peaked in Tallahassee, but by then he was moving in much bigger circles. By 2013, prosecutors say, he had become a key player in a sprawling cyber-criminal enterprise with hundreds of employees in more than a dozen countries.
The group’s activities — including the 2014 hack of personal information of more than 83 million J.P. Morgan Chase customers that a federal indictment calls the “largest theft of customer data from a U.S. financial institution in history” — illustrate how lucrative and pervasive cyber-crime has become. They also illustrate how many ways criminals use the internet and the breadth of challenges faced by businesses and those in cyber-security who try to protect them.
Murgio’s introduction to large-scale cyber-crime likely came through Aaron, who after leaving FSU wound up spending time in Israel, where he met a man named Gery Shalon. By 2011, Aaron, who gets top billing in a U.S. Securities and Exchange Commission civil complaint, along with Shalon and Ziv Orenstein, identified by investigators as Shalon’s “principal deputy,” were running a digital-age version of classic pump-and-dump stock schemes.
The SEC says they used “at least” 20 stock promotion websites and “vast email lists” in 2011 and 2012 to spam millions of people a day to pump up interest in penny stocks in which they held shares. Once investors began jumping in, they dumped the shares at a profit. Three of the five companies the SEC has publicly identified — Greenfield Farms Grassfed Beef, Mustang Alliances and IDO Security — were based in southeast Florida.
In early 2012, thanks to the pump by the Aaron group, Mustang’s stock went up 65% to $1.45 per share, and the trading volume increased 20-fold to 750,000 shares a day, the SEC says. They sold at least 1.9 million shares for more than $2.2 million, the SEC alleges.
Aaron, Orenstein and Shalon also are charged with hacking 12 financial service industry companies, stealing the data involving more than 100 million customers, 83 million of them from the 2014 Chase hack. Other targets included Dow Jones & Co., Scottrade and E*Trade.
Aaron’s role, according to the indictment, was identifying one company to hack and supplying his log-in credentials for several others. The actual hacking was done by others working for Shalon, the scheme’s mastermind, according to investigators. After breaking in, they took relatively innocuous data — names, emails, addresses — whose primary use appears to have been to get more names to spam to prime the pump in the pump-and-dump schemes.
Murgio re-enters the picture in 2013 as founder of West Palm Beach-based bitcoin exchange Coin.mx. He envisioned it, according to an email obtained by investigators, as a “worldwide payment system” through which people could convert real currency into digital currency.
To develop it, Murgio brought in Yuri Lebedev, who attended FSU from 1999 to 2008 and earned graduate degrees in physics, computer science and mathematics and a doctorate in computational mathematics. He would become the “founding father and the architect” of its computing platform, according to the criminal complaints against him and Murgio.
The FBI says that from October 2013 to January 2015, Coin.mx exchanged at least $1.8 million for bitcoins for tens of thousands of customers, taking a piece of the exchanges for itself. Coin.mx was featured on the online Ron Paul Channel with the former congressman, who hosted an extended interview of a Coin.mx employee. Murgio has a picture of himself and Paul on his Facebook page.
In reality, Shalon owned and controlled Coin.mx, the indictment says. Murgio, in a separate indictment, is accused of wire fraud, running an unlicensed money transmitting business, money laundering and corrupting a credit union official.
Murgio and Shalon allegedly took over a tiny Jackson, N.J.-based federal credit union for low-income locals, put Lebedev on its board and used it as a captive bank that processed automated electronic credit and debit transactions for Coin.mx. The Helping Other People Excel (HOPE) credit union had no full-time employees, only 96 members and $290,927 in assets. But by October 2014, the institution was processing more than $30 million a month in electronic credit and debit transactions, according to the FBI.
Part of Coin.mx’s business was facilitating payments for what’s called ransomware — the “current scourge of the internet,” says Stu Sjouwerman, founder of KnowBe4, a Clearwater firm that trains employees on avoiding getting hacked.
Ransomware is software hidden in a link or email that’s sent like spam. Clicking on the link unleashes the ransomware, which encrypts data on the victim’s computer or server, rendering it useless. If there’s a data backup, all is well. If not, the only pragmatic solution is to pay the ransom to anonymous accounts to get the data decrypted.
The ransom is typically around $500 — high enough to be worth the attacker’s time and low enough that it’s easier to pay than not. “It’s often done by bitcoin,” says Fred Touchette, security research manager at AppRiver, a Gulf Breeze email and web security firm.
Murgio’s indictment cites one instance of ransomware: In 2014, the computer network of an unidentified business became infected by a type of ransomware called Cryptowall after an employee clicked on an ad on a website. To get its data back, the business was directed to several bitcoin operators, one of which was Coin.mx, which handled the transaction.
“The bitcoin exchange has been an easy place to launder money,” says Touchette. “I hate to say it” — because he agrees with the principle of digital currency — “it’s going to come with the territory.”
All told, Shalon’s various enterprises earned “hundreds of millions of dollars in illicit proceeds,” prosecutors say. “The charged crimes showcase a brave new world of hacking for profit,” said Manhattan U.S. Attorney Preet Bharara, in announcing the indictment. “It is no longer hacking merely for a quick profit but hacking to support a diversified criminal conglomerate. This was hacking as a business model.”
The charges against Murgio and Aaron surprise people who knew them. Giancarlo Cangelosi, who worked as a barman at Murgio’s restaurant, says he could see Murgio going for a fast buck but “not to the level of what’s alleged. I would doubt it.”
After Murgio and Lebedev were arrested in July over Coin.mx, prosecutors petitioned judges several times to continue their cases, often a sign defendants are cooperating. Murgio finally was indicted in November; Lebedev has been indicted on one charge stemming from the credit union takeover.
Murgio, 31, and Lebedev, 37, are free on bail. Shalon, 31, and Orenstein, 40, were arrested in Israel and await extradition. Aaron, 31, who lived both in Tel Aviv and Moscow and reportedly was in Russia when the arrests were made, is on the FBI Cyber’s Most Wanted list.
Efforts to obtain comment from Murgio and Lebedev weren’t successful.
Boiler Room, the film on Murgio’s favorite movie list for Tallahassee magazine, ends with a young hustler cornered by the feds and agreeing to help take down the bucket shop. Murgio’s personal web page, dating from the last quarter of 2014, several months before his arrest, says this, “Trusting people is my Achilles heel. More to come on what the real story is in a bit.”