Illegal bitcoin exchange operator pleads guilty in case tied to JPMorgan Chase hack
UPDATE, 6/27/17: Anthony Murgio was sentenced to 66 months (over five years) in prison.
In Bitcoin’s short and distinguished history of multimillion-dollar frauds, Anthony Murgio’s illegal Coin.mx Bitcoin exchange stands as one of the most ambitious and catastrophic schemes to ever come crashing down in a Manhattan courtroom.
On Monday, Murgio became the third individual associated with Coin.mx to plead guilty to charges including bribery, fraud, money laundering, operating an unlicensed money transmitting business and identity theft. He agreed not to appeal a sentence of 12 and a half years or less.
In Coin.mx’s two-year history, Murgio processed over $10 million in illegal Bitcoin transactions that he attempted to hide completely through a front company called “Collectables Club,” which posed to financial institutions as a memorabilia company. Another front company was called “Currency Enthusiasts.”
While three have pleaded guilty, the investigation into Coin.mx has led to the arrest of nine, including the alleged mastermind behind hacks against a dozen of the United States’ biggest financial institutions, among them JPMorgan Chase, E*Trade and Scottrade. The Justice Department called the 2014 JPMorgan Chase breach, which impacted personal data in 83 million accounts, the “largest theft of customer data from a U.S. financial institution in history.”
Overall, prosecutors say more than 100 million people had their data stolen by Israeli Coin.mx owner Gery Shalon, Israeli Ziv Orenstein and American Joshua Aaron. They orchestrated the cyberattacks and used Coin.mx — and over 75 other companies around the world — to launder the stolen money, prosecutors say. The hacking was part of a complex securities fraud and stock manipulation scheme.
Murgio’s connection to the hack comes through Aaron. The men were fraternity brothers in college. Aaron showed Murgio the ropes of a few smaller-time online money-making schemes, prosecutors say. Aaron immigrated to Israel and then Russia, where he was arrested earlier this year on illegal immigration charges.
But while Murgio is connected to Coin.mx and the others to the stock manipulation, the identity of the actual hacker behind the attacks on JPMorgan Chase and other American firms remains unknown as yet. Aaron’s travels to Russia lend credence to the theory that the attacker is Russian.
A 2015 Bloomberg report identified the hacker as “a Russian master of digital break-ins known to federal agents and U.S. spy agencies who have tracked him for years, according to three people familiar with the investigation.”
Murgio’s guilty plea and Aaron’s return to American custody may signal a break, however small, for U.S. investigators building a case against the hacker behind the keyboard on some of the biggest cyberattacks of all time.
The question is what comes next. Russia does not extradite its citizens to the United States. Moscow’s government and intelligence agencies have been known to be deeply intertwined with the country’s organized crime, and the two have closely cooperated on cyber operations for the last decade.
The system of mutual action and protection between Moscow and Russian organized crime makes any conclusion here difficult to divine, doubly so as relations between Washington and Moscow have become increasingly cold and impossible to predict. President-elect Trump’s warmer tone toward Russia injects yet another wild card into the equation.
“Through their criminal schemes, between in or about 2007 and in or about July 2015, Shalon and his co-conspirators earned hundreds of millions of dollars in illicit proceeds, of which Shalon concealed at least $100 million in Swiss and other bank accounts,” Preet Bharara, the United States Attorney for the Southern District of New York, said in a 2015 statement when arrests around the case began.
Coin.mx operator Murgio’s defense tried and failed last year to dismiss charges of illegally transmitting money by calling into question Bitcoin’s status as money. The judge called the “property” versus “currency” argument at the heart of Murgio’s tactic “irrelevant to the inquiry here.”
Launched in 2013 and shuttered in 2015, Coin.mx had a muddy reputation among Bitcoin users because of a bad user interface, buggy code and customer service reps who, with seemingly no appreciation for life’s deep ironies, loudly threatened dozens of customers with fraud lawsuits.
But in a time when many Bitcoin exchanges were new and going through turbulent adolescences, Coin.mx saw success especially among the criminal crowd. It was regularly recommended by dark net denizens because Murgio’s operation allowed users to rapidly buy large amounts of Bitcoin. It was such a large part of their business that Coin.mx employees even offered customer service directly on dark net market forums.
And then came the massive bribery scheme.
Engineered by Murgio and an alleged co-conspirator — Yuri Lebedev, whose trial begins next month — Coin.mx allegedly paid over $150,000 in bribes to take control of Helping Other People Excel Federal Credit Union (“HOPE FCU”). Prosecutors describe HOPE FCU as a “captive bank” that was then used to conduct illegal Coin.mx business after late 2014. Among HOPE FCU’s most important tasks was attempting to obstruct closer examination of the bank and exchange by the National Credit Union Administration (“NCUA”) by lying about everything from the bank’s finances to the individuals who had just taken charge. Trevon Gross, who allegedly took the bribes and then worked with Murgio and Lebedev on the scheme, is set to stand trial next month alongside Lebedev.
“Anthony Murgio took a new age approach to an age-old crime of fraud,” U.S. Attorney Bharara said in a statement on Monday. “As he admitted in his guilty plea today, Murgio used Coin.mx, an internet-based Bitcoin exchange, to process over $10 million in Bitcoin transactions in violation of federal anti-money laundering laws, and then obstructed a regulatory examination to hide his scheme.”
Coin.mx was based in Florida, had a business address in Texas and moved money around the world, but it ended up being Bharara, the United States Attorney for the Southern District of New York, whose office scored the conviction alongside all the other related prosecutions.
The office’s unofficial but emphatic worldwide jurisdiction has seen Bharara rack up an enormous headcount for Bitcoin-related crimes based around the country and world because of one underlying fact: The crimes are connected, thanks to the internet, to New York City. That’s often all it takes to end up in Bharara’s crosshairs.
The superseding indictment against Murgio is available here.