Authorities arrested four people in Israel and Florida, and revealed a complex securities fraud scheme tied to the computer hacks of JPMorgan Chase & Co. and other financial institutions.

Behind the alleged crimes described Tuesday is a remarkable story of unpredictable alliances in modern computer crime involving, if true, a multilayered organization with tentacles reaching Moscow, Tel Aviv, and West Palm Beach.

Officials in Israel this morning picked up two men charged in the U.S. with running a multimillion-dollar stock manipulation scheme. A third person remains at large. In another case in Florida, officials arrested two men for operating an unlicensed money-transfer business using bitcoins.

Though these are separate cases, some of the individuals are linked. A principal in the alleged securities-fraud scheme is a business associate of one of those charged in the Florida bitcoin operation, a friendship dating back more than a decade to their days at Florida State University.

The two are also identified in a previously unreported FBI memo that connects them to the investigation of the hack of JPMorgan as well as to incidents at Fidelity Investments Ltd. and E*Trade Financial Corp. JPMorgan officials argued initially that one of the largest U.S. bank hacks in history was the work of the Russian government.

None of the documents outlining the charges mention the JPMorgan hack, nor do prosecutors tie the securities fraud and money-transfer schemes to each other.

However, a person familiar with the investigation said that data stolen from JPMorgan, including tens of millions of emails and names of customers, may have been sought for promoting stocks through a massive spam campaign.

The alleged pump-and-dump scheme was several years old by the time of the Wall Street hacks. At least five stocks were manipulated in 2011 and 2012, according to the grand jury indictment unsealed Tuesday in Manhattan federal court.

The stock fraud is described as a “pump-and-dump” scheme in which promotional emails were sent to victims, encouraging them to buy “hot” stocks, according to a parallel complaint filed by the U.S. Securities and Exchange Commission (SEC). The perpetrators secretly sold their own holdings, it said, earning at least US$2.8 million in illegal profits.

Two Israelis and an American are charged with the fraud. Two unidentified men from New Jersey and Florida, described as co-conspirators and not charged, picked the publicly traded companies as targets for manipulation, prosecutors said. In some cases, they sought to press private companies to go public so they could be targeted.

The men charged are Gery Shalon and Ziv Orenstein, both Israeli citizens, and Joshua Samuel Aaron, a U.S. citizen who resided in both the U.S. and Israel.

According to the indictment, Aaron acted as the conduit between the unnamed U.S. conspirators and Shalon, the scheme's main Israeli architect.

Aaron wasn't arrested.

Elements of the case apparently began to unravel this month. Investigators had hoped to arrest Aaron in Tel Aviv, where he lives with his wife, according to people familiar with the probe. Aaron and his wife were in St. Petersburg as recently as Sunday, based on social-media posts from her account. In Russia, Aaron is outside the reach of U.S. law-enforcement authorities. Investigators may have determined that he was no longer likely to return to Israel.

Connection Between Pump-and-Dump and Bitcoin Fraud

One of Aaron's friends from his Florida State days is Anthony Murgio, a 31-year-old from West Palm Beach, Florida.

Murgio is charged in a complaint also filed in Manhattan federal court on Tuesday, alongside the securities complaints. Prosecutors say Murgio created a bitcoin-exchange business in 2013 that laundered at least $1.8 million in the digital currency for tens of thousands of customers, including hackers receiving payment for “ransomware” attacks on PCs.

The documents allege that Murgio operated the exchange with an accused co-conspirator, Yuri Lebedev, under the guise of a front company, the Collectables Club Private Member Association, which lists Murgio's West Palm Beach address. Lebedev was also charged.

Prosecutors allege that Murgio tried to keep Coin.mx's activities hidden and used multiple Russian payment processors to “wash” illicit funds.

Both Murgio and Aaron traveled frequently to Russia, and a person involved in the investigation said there were links between the suspects and members of Russia's cyber underground.

Though U.S. officials didn't connect the alleged criminal activities of Murgio and Aaron, the men were linked in the FBI's October memo to the hack of the three financial institutions. Bloomberg News learned their identities earlier this year but held off reporting about them at the request of the FBI, which said the information would compromise the investigation.

Upon learning that Murgio and Aaron were accused of crimes, a friend from Florida State expressed dismay at the alleged schemes. “That's absurd,” said Bryan Ravit, a Phi Kappa Sigma brother of Murgio who lives in Winter Park, Florida.

“They are very stand-up guys,” Ravit said in an interview. “I would trust them with my life.”

None of those charged with securities fraud or in the bitcoin scheme could be reached for comment.

Connections Also to Hacking at Major Banks and Brokerages

Among the surprising twists of the JPMorgan investigation is that hackers appear to have broken into the digital version of Fort Knox to steal relatively innocuous data—specifically, emails of JPMorgan's customers that could be used for spam.

The cybercriminals behind the JPMorgan hacks mowed through data at several major banks and brokerages, including Fidelity and E*Trade, for more than a year beginning in the fall of 2013, according to cybersecurity firms and the FBI memo. They contributed to a hodgepodge of scams, mainly securities fraud and spamming emails, according to one person familiar with the investigation.

It's not clear whether the JPMorgan hackers sought data other than the names, addresses, and emails eventually removed from the bank's main data center. U.S. officials believe the cyberattacks were done with the help of expert hackers in Russia, according to a second person familiar with the case.

One reason to target brokerage houses is to commit account-takeover fraud. Criminals steal users' logins and passwords to hijack their trading accounts and use their money to pump up the value of penny stocks and other thinly traded securities. Such schemes are often accompanied by spamming campaigns to inflate further the value of the shares. The criminals, who also own the stocks, can then cash out of the shares in their own accounts, a classic “pump and dump.”

Trish Wexler, a spokeswoman for JPMorgan, declined to comment. The bank has said that it discovered no fraud against account-holders related to the attack.

Fidelity has multiple layers of security and has no indication that customer accounts or information were affected, a spokesman said. A representative for E*Trade didn't immediately respond to a request for comment.

Over almost three months, intruders at JPMorgan had unrestricted access to its main data center, which controls critical functions for the bank and the broader U.S. financial system. They accessed at least 100 servers and stole 40 gigabytes of data, defying the security of a company that spent $250 million to protect its computers in 2014.

Sandwiched between last year's attack on Sony by North Korea and the sack of Target Corp's payment registers in late 2013, the JPMorgan breach quickly took its place in a menacing list of cyber milestones. It sparked a fight between U.S. investigators and a bank security team staffed with former Pentagon cyber warriors, who saw something darker than mere criminal behavior.

The case may now become an object lesson in the complexities of tracing cyberattacks to the true culprits. In June, JPMorgan reassigned Chief Information Security Officer Greg Rattray amid staff discord over his handling of the breach. Rattray and his boss, Jim Cummings, a former head of the U.S. Air Force's cyber-combat unit, were the chief advocates of the theory that the Russian government was involved in the breach, Bloomberg Businessweek reported in February.

JPMorgan declined to make Cummings and Rattray available for comment.

Accused Hackers Are Digital Misfits

While bank officials ran their own investigation into the massive breach, FBI officials focused early on an oddball collection of digital misfits.

Murgio wrote in a personal blog that he and Aaron had operated an online marketing company with a global clientele. Murgio ran a series of unsuccessful restaurant ventures and had been previously accused of stealing $110,000 in state sales tax collected from his business customers. He received a deferred prosecution, and the charges were dropped after he paid the taxes owed to Florida.

Named one of Tallahassee's top 100 singles in 2010, Murgio listed his favorite outfit as “really tight jeans that I can hardly sit down in” and Ayn Rand's “Atlas Shrugged” as his favorite book.

After losing a long battle with the landlord of a downtown Tallahassee nightclub blocks from the Florida State University campus, Murgio, who ran the club, had a confrontation with police in October 2011 over a noise complaint.

Six months later, he filed for Chapter 7 protection in U.S. Bankruptcy Court for the Northern District of Florida, citing $539,000 in debt.

His debts persisted. On a March 2013 application for indigent status in the tax case, Murgio reported $350,000 in debt and said his only monthly income was $1,200 in veterans benefits.

Around that time, Murgio began taking frequent trips to Russia, posting videos of himself in Russian bars and with beautiful girls, one marked #Likealittleexcitedboy.

On social media, friends asked why he was suddenly spending so much time in Russia. Two of the visits coincided with the computer breaches: He was in Moscow in April 2014, when Fidelity was hacked, and again in early August, when hackers were active in JPMorgan, according to his posts.

–With assistance from Keri Geiger and Hugh Son in New York, Susannah Nesmith in Miami, and Tom Schoenberg in Washington.

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
