FBI and US secret service agents have arrested a man charged with the largest cyber-attack of financial firms in America’s history.
32-year-old US citizen, Joshua Samuel Aaron was held at New York’s JFK airport and will appear in court on Thursday.
He is one of three men accused of illegally accessing the personal information of 100 million people in 2012-15.
The other two suspects are Israeli nationals, Gery Shalon and Ziv Orenstein. They were arrested in Israel in July 2015, and extradited to the US in June 2016.
All three men were charged in November 2015.
Twelve major institutions were victims of the hacking, including JPMorgan, Chase, Scottrade, The Wall Street Journal, E*Trade Financial Corp, TD Ameritrade, and News Corp.
The suspects used the Heartbleed vulnerability to break into those companies’ servers and steal financial data of over 100 million customers.
Mr Aaron had been a fugitive living in Moscow, but flew to the US voluntarily to face the charges, his lawyer said.
In a statement on Wednesday, US Attorney Preet Bharara said: “Joshua Samuel Aaron allegedly worked to hack into the networks of dozens of American companies, ultimately leading to the largest theft of personal information from US financial institutions ever.”
They allegedly manipulated stock prices by selling shares of companies to individuals whose contact information they had stolen.
The men were also charged with running an illegal payment processing business that they used to collect $18million (an equivalent of £14.3million) in fees.
Prosecutors claim the men hacked into competitors’ systems to spy on them and then hacked into a credit card company investigating their payment processing business in order to avoid detection.
The company hit hardest by the breach was JPMorgan. More than 83 million of the bank’s customers had data stolen in the breach.