Federal prosecutors are trying to bring down what they describe as a vast, multi-year, multinational hacking conspiracy, and they say a mutual fund shop was one of the victims. [See MFWire's living timeline for more updates and history on the great financial services hack.]

Preet Bharara U.S. Attorney for the Southern District of New York

Today U.S. Attorney Preet Bharara revealed a previously-sealed 68-page indictment, accusing Gery Shalon, Joshua Samuel Aaron, and Ziv Orenstein (each listed with one or more additional aliases) of masterminding a "cybercriminal enterprise operated through hundreds of employees, co-conspirators and infrastructure in over a dozen countries." The indictment says seven financial services companies, two financial news publishers, two software developers, and a "merchant risk intelligence firm" were all victimized by the alleged cybercriminal network. The scandal most-famously involves a cybersecurity breach of a giant bank, J.P. Morgan, but the Feds say a mutual fund shop was targeted, too. (The DoJ has posted the whole indictment online.)

The indictment describes "Victim-2" as "one of the world's largest financial services corporations, providing mutual fund, online stock brokerage and other services, with headquarters in Boston, Massachusetts." If you think that sounds like a certain 401(k) recordkeeping titan and mutual fund giant led by a family with the last name Johnson, you're not alone. Indeed, Bloomberg, Reuters (twice) and USA Today all point to Fidelity [profile] as one of the targets. And it sounds like the Fido tech team promptly fought the hackers off.

Here's what prosecutors claim happened to Victim-2:

... in April 2014, SHALON and his co-conspirators unlawfully accessed the network of Victim-2 by exploiting the so-called "Heartbleed" vulnerability, which had, at that time, just been widely identified as a previously unrecognized security vulnerability that exist in computer network servers on a widespread basis. While they succeeded in gaining access to Victim-2's network, shortly after they did so, Victim-2 recognized and repaired the Heartbleed vulnertability in its systems.

USA Today says that Fidelity declined to confirm whether or not it was "Victim-2".

"We have confirmed with the FBI that there is no indication that our customers were affected," a Fido spokesman told the paper.

The Boston Globe, CFO, the Chicago Tribune, the Financial Times, the Guardian, the New York Times, and the Wall Street Journal all also covered the unsealed indictment. The Feds claim that the cyberattacks were connected with illegal online casinos, payment processors for illegal drug suppliers, malware, an illegal Bitcoin exchange, and attempts to "artificially manipulate the price of certain stocks."

J.P. Morgan, online brokerages TD Ameritrade and Scottrade, and News Corp's Dow Jones unit all confirmed that they were victims of the alleged hacking conspiracy. 

Edited by: Neil Anderson, Managing Editor


Stay ahead of the news ... Sign up for our email alerts now
CLICK HERE