AO 91 (Rev. 08/09) Criminal Complaint

for the Eastern District of Virginia

United States of America v. ARDIT FERIZI, a/k/a Th3Dir3ctorY, Defendant(s)
Case No. 1:15mj515

CRIMINAL COMPLAINT

I, the complainant in this case, state that the following is true to the best of my knowledge and belief. On or about the date(s) 4/01/15 to on or about 8/11/15, in the extraterritorial jurisdiction of U.S. and in the Eastern District of Virginia, the defendant(s) violated:

Code Section: Offense Description
18 U.S.C. § 1030: Unauthorized access to a computer
18 U.S.C. § 1028A: Aggravated identity theft, and
18 U.S.C. § 2339B: Providing material support to a designated foreign terrorist group

This criminal complaint is based on these facts: See attached affidavit.

Continued on the attached sheet.

Reviewed by: AUSA E. Haaland
Complainant's signature
Special Agent Kevin M. Gallagher (printed name and title)

Sworn to before me and signed in my presence.
Date: 10/06/2015
Judge's signature
The Honorable Theresa C. Buchanan, U.S. Magistrate Judge (printed name and title)
City and state: Alexandria, VA

IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF VIRGINIA
Alexandria Division

UNITED STATES OF AMERICA v. ARDIT FERIZI, a/k/a Th3Dir3ctorY, Defendant
No. 1:15mj515

AFFIDAVIT IN SUPPORT OF CRIMINAL COMPLAINT

Kevin M. Gallagher, being duly sworn, says:

I. INTRODUCTION

1. I am a Special Agent (SA) with the Federal Bureau of Investigation (FBI) and have been so employed since August 2009. I am currently assigned to the Washington Field Office. I have training in the preparation, presentation, and service of criminal complaints and arrest and search warrants, and have been involved in the investigation of numerous types of offenses against the United States, including crimes of terrorism, as set forth in 18 U.S.C. § 2331 et seq. Prior to my current employment, I was an independent contractor for approximately three years, working as an intelligence analyst for two other
government agencies within the intelligence community. My knowledge about this investigation comes from my personal participation in this investigation; a review of documents, electronic media, e-mails, and other physical and documentary evidence; and interviews of witnesses. I have also relied on information provided to me by other agents and law enforcement officials in the United States. Where statements of others are set forth, they are set forth in substance and in part. Because this affidavit is being submitted for the limited purpose of establishing probable cause for the requested warrant, it does not contain all information known to me or to the government relating to this investigation.

2. Ardit Ferizi, aka Th3Dir3ctorY, a Kosovo citizen residing in Malaysia, is believed to be the leader of a known Kosovar internet hacking group, Kosova Hacker's Security. In or about April 2015, FERIZI used the Twitter account Th3Dir3ctorY to provide unlawfully obtained personally identifiable information to an Islamic State of Iraq and the Levant member, Tariq Hamayun (Hamayun), known as Abu Muslim Al-Britani. In addition, between in or about June 2015 and August 11, 2015, FERIZI provided unlawfully obtained personally identifiable information to a second known ISIL member, Junaid Hussain (Hussain), known as Abu Hussain al-Britani. On August 11, 2015, in the name of the Islamic State Hacking Division, Hussain posted a public hyperlink on Twitter with the title Military AND Government personnel including Emails, Passwords, Names, Phone Numbers and Location Information, which provided ISIL supporters in the United States and elsewhere with the PII for over 1,000 US government personnel for the purpose of encouraging terrorist attacks against the identified individuals. Some of these individuals reside in the Eastern District of Virginia. For the reasons detailed below, I submit that there is probable cause to believe that from at least in or about April 2015, continuing through August 11, 2015, FERIZI gained unauthorized
access to, and obtained information from, a protected computer, in violation of 18 U.S.C. § 1030. I further submit that there is probable cause to believe that from at least in or about April 2015, continuing through on or about August 11, 2015, FERIZI used the unauthorized access to steal the means of identification and other personal information of US military and other government personnel, including their names, email addresses, passwords, and cities and states of residence, and then knowingly possessed and transferred the means of identification and other stolen information with the intent to aid or abet unlawful activity constituting a violation of federal law, particularly a felony violation enumerated in 18 U.S.C. § 23, all in violation of 18 U.S.C. § 1028A(a)(2). Specifically, the PII stolen by FERIZI was knowingly provided to ISIL to be used by ISIL members and supporters to conduct terrorist attacks against the US government employees whose names and locations were published. Prior to that, in or about April 2015, FERIZI transferred PII containing credit card information to ISIL. Based on the information contained in this Affidavit, I believe FERIZI conspired, attempted to provide, and provided material support to ISIL, a designated foreign terrorist organization, in violation of 18 U.S.C. § 2339B.

4. I expect that FERIZI will be arrested outside of the United States and will be first brought to the Eastern District of Virginia.

II. BACKGROUND REGARDING ISIL AND JUNAID HUSSAIN

5. On October 15, 2004, the US Department of State designated Al-Qa'ida in Iraq, then known as Jam'at al Tawhid wa al-Jihad, as a Foreign Terrorist Organization under Section 219 of the Immigration and Nationality Act and as a Specially Designated Global Terrorist Entity pursuant to Executive Order 13224.

6. On May 15, 2014, the US Department of State amended the designation of Al-Qa'ida in as a Foreign Terrorist Organization under Section 219 of the Immigration and Nationality Act and as a Specially Designated Global Terrorist Entity
under Executive Order 13224 to list the name Islamic State of Iraq and the Levant as its primary name. The Department of State also added the following aliases to the ISIL listing: the Islamic State of Iraq and al-Sham (ISIS), the Islamic State of Iraq and Syria (ISIS), ad Dawla al-Islamiyya fi al Iraq wa sh-Sham, Daesh, Dawla al Islamiya, and Al Furqan Establishment for Media Production. Although the group has never called itself Al-Qa'ida in Iraq, this name has frequently been used by others to describe it. To date, ISIL remains a designated FTO. In an audio recording publicly released on or around June 29, 2014, ISIL announced a formal change of its name to the Islamic State.

7. On or about September 21, 2014, ISIL Spokesperson Abu Muhammad al-Adnani called for attacks against citizens, civilian or military, of the countries participating in the United States-led coalition against ISIL.

8. Junaid Hussain, also known by the nom de guerre, or kunya, Abu Hussain al-Britani, was a British hacker and well-known member of ISIL. On or about August 24, 2015, Hussain was killed in an airstrike in Raqqah, Syria, a city which I know ISIL considers to be its capital.

III. RELEVANT LAW

9. I am advised that 18 U.S.C. § 1030(a)(2)(C) provides: Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer, shall be punished not more than five years.

10. Also, I am advised that section 103 provides: Whoever, with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication concerning any threat to damage a protected computer, to obtain information without access, or demand or request money or other thing of value in relation to damage to a protected computer, shall be punished not more than five years. A computer is defined as an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any
data storage facility or communications facility directly related to or operating in conjunction with such device. The term protected computer includes a computer which is used in or affecting interstate or foreign commerce or communication. 18 U.S.C. § 1030(e)(1) and

11. I am also advised that 18 U.S.C. § 1028A(a)(2) provides: Whoever, during and in relation to any felony violation enumerated in section 2332b(g)(5)(B) (defining Federal crimes of terrorism), knowingly transfers, possesses, or uses, without lawful authority, a means of identification (as defined in 18 U.S.C. § 1028(d)(7)) of another person shall be guilty of a separate felony.

12. Additionally, I am advised that 18 U.S.C. § 2339B provides: Whoever knowingly provides material support or resources to a foreign terrorist organization[2], or attempts or conspires to do so, shall be guilty of a felony. To violate this paragraph, a person must have knowledge that the organization is a designated terrorist organization (as defined in subsection), that the organization has engaged or engages in terrorist activity (as defined in section 212(a)(3)(B) of the Immigration and Nationality Act), or that the organization has engaged or engages in terrorism (as defined in section 140(d)(2) of the Foreign Relations Authorization Act, Fiscal Years 1988 and 1989).

Footnote 2: I am advised that the term terrorist organization means an organization designated as a terrorist organization under section 219 of the Immigration and Nationality Act. 18 U.S.C. § 2339B(g)(6). As stated above, ISIL is a designated foreign terrorist organization.

Material support or resources means any property, tangible or intangible, or service, including currency or monetary instruments or financial securities, financial services, lodging, training, expert advice or assistance, safe houses, false documentation or identification, communications equipment, facilities, weapons, lethal substances, explosives, personnel (1 or more individuals who may be or include oneself), and transportation, except medicine or religious materials. Expert advice or
assistance means advice or assistance derived from scientific, technical, or other specialized knowledge. 18 U.S.C. §§ 2339A(b)(1), 2339B(g)(4).

IV. STATEMENT OF PROBABLE CAUSE

A. FERIZI Is Th3Dir3ctorY

13. On April 5, 2015, @Th3Dir3ctorY, using the name Ardit Ferizi, publicly tweeted a link to a June 2013 article from the InfoSec Institute, as shown in the screenshot below.

Screenshot text: Ardit Ferizi: Getting to Know Kosova Hacker's Security Crew plus an Exclusive interview with Th3Dir3ctorY #infosec via @InfosecEdu

Photo: Screenshot of April 5, 2015 Tweet with a link to the June 2013 InfoSec Institute Article on KHS and @Th3Dir3ctorY

14. According to the interview of Th3Dir3ctorY by the InfoSec Institute, the user of Twitter account @Th3Dir3ctorY is the leader of a group of ethnic Albanian hackers from Kosovo, calling themselves Kosova Hacker's Security, which is responsible for compromising government and private websites in Israel, Serbia, Greece, the Ukraine, and elsewhere.

Footnote 3: The InfoSec Institute, founded in 1998 and based in Illinois, is a training institute for technology professionals focused on information assurance, information technology auditing, database, project management, coding, and related vendor training. InfoSec Institute also publishes research and articles, including interviews with hacking organizations.

Photo: Banner for Kosova Hackers Security (KHS)

15. According to the article, as of the time of publication, KHS claimed responsibility for having hacked more than 20,000 websites, including 90% of Serbian government websites, Interpol (based in France), including taking its site down for two days in October 2012, and research domain researcher.ibm.com (located in Somers, New York) in May 2012. KHS also claimed responsibility for having posted more than 7,000 Israeli credit card numbers in January 2012. Again according to the article, hackers calling themselves Th3Dir3ctorY and ThEta Nu also claimed responsibility for compromising Microsoft's Hotmail servers in 2011. KHS
itself has confirmed its involvement in these attacks in other open sources.

16. On or about July 10, 2015, @Th3Dir3ctorY posted a tweet identifying himself as Owner of Kosova Hacker's Security, Pentagon Crew, and again used the name Ardit Ferizi.

Photo: Screenshot of @Th3Dir3ctorY's Twitter profile as of July 10, 2015

17. According to Twitter records, the @Th3Dir3ctorY account was registered on September 1, 2012, using Microsoft email account laj metal@hotmail.com from an Internet Protocol[4] address allocated to IPKO Telecommunications LLC in Albania, a telecommunications company that provides services in the adjacent country of Kosovo. This registration information is consistent with @Th3Dir3ctorY's association with KHS, an organization which claims to be associated with Kosovo. Moreover, the investigation has revealed that FERIZI is a citizen of Kosovo.

Footnote 4: Devices directly connected to the internet are identified by a unique number called an Internet Protocol, or IP, address. This number is used to route information between devices. Generally, when one device requests information from a second device, the requesting device specifies its own IP address so that the responding device knows where to send its response. In other words, an IP address is similar to a phone number and indicates the online identity of the communicating device. IP addresses are allocated by an international organization, the Internet Assigned Numbers Authority.

18. Based on my investigation, I know that FERIZI currently resides in Malaysia on a student visa, and that as of spring 2015 FERIZI was studying at Limkokwing University in Malaysia. I believe that FERIZI entered Malaysia in or about early 2015.

19. IP logs for Twitter account @Th3Dir3ctorY reveal that all logins to @Th3Dir3ctorY between June 15, 2015 and August 14, 2015 originated with internet service providers in Malaysia.

B. ABU MUSLIM, A MEMBER OF ISIL, IS THE USER OF TWITTER ACCOUNT

20. The Twitter account
@Muslim_Sniper came to the attention of the FBI following the May 2015 shooting incident at the Draw Mohammad Contest in Garland, Texas. On May 3, 2015, two roommates from Phoenix, Arizona, Elton Simpson and Nadir Soofi, fired at a security guard outside the contest venue. Garland police fired back, and when one of the two men pulled out what appeared to be a hand grenade, police shot and killed both men. Based on my investigation, including my review of publicly available social media postings, I believe that Simpson and Soofi were supporters of ISIL.

21. Twitter records demonstrate that the user of @Muslim_Sniper had been in communication with @atawaa'kul, a Twitter account believed to have been used by Simpson, prior to the May 3, 2015 incident, and that the two users had discussed issues of security.

22. According to those records, the user of @Muslim_Sniper_D publicly identified himself as Tariq Hamayun. According to my investigation, Hamayun, 37 years old, was a car mechanic who volunteered for the Taliban and fought in Pakistan before joining ISIL in Syria. Twitter records confirm that @Muslim_Sniper__D originated from an ISP providing service in Raqqah, Syria.

23. On April 21, 2015, Hamayun, using Twitter account @Muslim_Sniper_D, published a tweet that read: God Willingly will be making the best Electronics LAB in the Islamic state would be producing sophisticated

24. On April 22, 2015, Hamayun, using Twitter account @Muslim_Sniper_D, published a tweet that read: is my favourite weapon after Sniping, u hit the enemy & disappear in thin air just like a Ghost. Its [sic] a Must

C. TRANSFER OF PII TO ISIL MEMBER ABU MUSLIM AL-BRITANI

25. On or about April 26-27, 2015, there was a Twitter exchange between the accounts @Muslim_Sniper__D and @Th3Dir3ctorY. During this exchange, FERIZI, as the user of @Th3Dir3ctorY, provided Hamayun, the user of @Muslim_Sniper_D, with screen shots of what appears to be unlawfully obtained credit card information belonging to 27 Americans, 18 British, and 22 French citizens, including names,
addresses, zip codes, birth dates, and credit card information such as the type, number, expiration date, and Card Verification Value. Based on the context of this exchange, I believe that FERIZI provided this information intending it to be used by and for ISIL.

26. In the conversation, FERIZI asked the user of @Muslim_Sniper__D to confirm that he was speaking with britani abu britani, to which Hamayun replied: Yes brother im muslim al britani. Hamayun, moreover, confirms his association with Abu Hussain Al-Britani, which is, as described above, the nom de guerre of ISIL member Junaid Hussain, who was based in Syria. Hamayun told FERIZI that Abu Hussain al Britani (Junaid Hussain) is my friend he told me a lot about. This exchange indicates that as of on or about April 26, 2015, FERIZI and Hussain were already in communication with one another.

27. At the end of this exchange, the user of @Muslim_Sniper_D (Hamayun) wrote the following message to the user of Twitter account @Th3Dir3ctorY (FERIZI): Pliz [sic] brother come and join us in the Islamic state. (Emphasis added.)

D. TRANSFER OF PII TO ISIL MEMBER HUSSAIN AL-BRITANI

28. On August 11, 2015, Hussain, using Twitter account @AbuHussain_l6, re-tweeted a post from the Twitter account @IS_Hacking_DiV, which had, in the name of the Islamic State Hacking Division, publicly tweeted a link to PII belonging to approximately 1,351 U.S. military and other government employees. As detailed below, there is probable cause to believe that FERIZI provided these 1,351 names to ISIL.

29. On or about June 13, 2015, FERIZI accessed without authorization a protected computer, namely a server (Victim Server) belonging to an identified internet hosting company (the Hosting Company), which maintained the website belonging to a U.S. retailer that sells goods via the internet to customers in multiple states (Victim Company). The Victim Server is physically located in Phoenix, Arizona. Some of the customers whose information was obtained reside in EDVA. Based on my conversations with other FBI agents, it
is a dedicated server, meaning that no companies other than the Victim Company utilize this server. The Victim Server is leased by the Victim Company and owned by the Hosting Company.

30. FERIZI subsequently used his unauthorized access to the Victim Server to obtain the PII of approximately 100,000 people. Sometime between June 13, 2015 and August 11, 2015, FERIZI provided the PII of approximately 1,351 U.S. military and other government personnel to ISIL, intending it to be used by and for ISIL and knowing that ISIL would use the PII against the US personnel, including to target the US personnel for attacks and violence. Earlier, in or about March 2015, ISHD, acting in the name of ISIL, posted a Kill List including the purported names and addresses of 100 American service members.

31. On August 11, 2015, Hussain re-posted the following tweet by ISHD: US Military AND Government HACKED by the Islamic State Hacking Division

Photo: Screenshot of @AbuHussain_l6 (Abu Hussain Al Britani) Twitter profile as of August 11, 2015

32. The tweet contained a hyperlink to a 30-page document. The beginning of the document warned the Crusaders who were conducting a bombing campaign against the muslims that "we are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands". The next 27 pages of the document contained the names, e-mail addresses, e-mail passwords, locations, and phone numbers for approximately 1,351 U.S. military and other government personnel. The final three pages of the document
contained what appear to show (i) credit card numbers and addresses for three federal employees and (ii) Facebook exchanges between U.S. military members. One of the Facebook exchanges includes what appears to be a discussion between two service members, Service Member 1 and Service Member. Under this exchange, the creator of the document wrote: Went to Iraq and returned in a body bag. Hell is the abode of the disbelievers. Based on my review of public-source documents, I know that Service Member-1, a veteran of combat in Iraq and Afghanistan, was in fact killed in 2008, albeit in an accident after returning to the United States.

E. FIRST KNOWN OFFER OF HACKING-RELATED ASSISTANCE TO ISIL ASSOCIATES

33. The April 26-27, 2015 communication in which FERIZI sent PII to Hamayun was not the first in which FERIZI communicated with ISIL members/supporters and offered them his computer expertise. On April 19, 2015, using @Th3Dir3ctorY, FERIZI posted a publicly available tweet directed to ISIL-affiliated accounts, which read: @the_trave1er01 @ksasisti @AbuBakrS Shani brother wait till im [sic] making the script which u can upload and never get deleted DEDICATED SERVERS

Photo: Screen shot of the April 19, 2015 Tweet by FERIZI (aka @Th3Dir3ctorY) showing intent to support ISIL

34. I believe this tweet reflects intention to create and provide a script or computer program aimed at assisting ISIL to publicly post communiqués and/or propaganda in a fashion which would supposedly make it difficult for such content to be removed by service providers or law enforcement.

35. All three accounts referenced in the above tweet by @Th3Dir3ctorY have been suspended by Twitter (date unknown). Based on searches of cached tweets, all appear to contain messages possibly explaining the suspensions. For example, on April 18, 2015, according to a public posting on pastebin[5], Twitter
user @the_trave1er01, utilizing the name Abu Naseeha, was suspended by Twitter after posting the Al-Furqan ISIL video of beheadings of Christians and Kurdish Peshmerga. On April 18, 2015, Twitter user @AbuBakrS Shani re-tweeted the following by @Liberation_X, a Twitter account: @Liberation_X Egypt Sinai 3high ranking army commanders join islamic state in Sinai. In April 2015, @ksasisti tweeted: Muwahideen[6] of Shaytat tribe denounce declare their enmity to the people from their blood who've allied with Assad, followed by another tweet which read: They also ask Sh Abubakr Baghdad[7] to let them fight the filth from their tribe who allied with Bashar Assad.

Footnote 5: Pastebin is a web application where users can store plain text. They are most commonly used to share short source code snippets for review via Internet Relay Chat.

F. FERIZI IS THE SOURCE OF THE HACKED PII HE SENT TO ISIL

36. On August 13, 2015, an employee of the Victim Company reported an unauthorized access to their website. More specifically, the employee contacted an FBI agent and informed the agent that an account using the username, which I believe to be an acronym for Kosova Hackers Security, had access to customer details from their databases. According to the Victim Company, customer information stored in the database included names, addresses, cities, states, countries, phone numbers, email accounts, and usernames and passwords.

37. On August 17, 2015, the FBI was provided with an exchange between an employee of the Victim Company and technicians at the Hosting Company that owns the server on which the Victim Company's website resides.

38. According to the exchange, beginning as early as June 13, 2015, an unauthorized user gained access to the Victim Company's website and created a user account with the initials KHS.

39. During an exchange that occurred on July 13, 2015, the Hosting Company technician verified to the Victim Company that the Hosting Company was witnessing ongoing

Footnote 6: Muwahideen is an alternate spelling for mujahedeen or mujahideen, a
term used to describe guerrilla fighters in Islamic countries, especially those who are fighting against non-Muslim forces. In this instance, I believe it is used to refer to those who fight for ISIL.

Footnote 7: Abu Bakr al Baghdadi is the leader

outbound cyber-attacks against their infrastructure. The Hosting Company verified that the attacks were originating from the account utilizing username and provided information about the account, discussed below.

40. According to the Password last set entry, which states 6/13/2015 7:28:19, I believe the account was created on or before June 13, 2015. According to the Last logon entry at 7/15/2015 11:32:01 AM, I believe KHS had accessed the Victim Server as recently as the day of the exchange between the Victim Company and the Hosting Company.

    C:\Users\Administrator>net user KHS
    User name                    KHS
    Full Name                    KHS
    Comment
    User's comment
    Country code                 000 (System Default)
    Account active               Yes
    Account expires              Never

    Password last set            6/13/2015 7:28:19 AM
    Password expires             Never
    Password changeable          6/13/2015 7:28:19 AM
    Password required            Yes
    User may change password     Yes

    Workstations allowed         All
    Logon script
    User profile
    Home directory
    Last logon                   7/15/2015 11:32:01 AM

    Logon hours allowed          All

    Local Group Memberships      Administrators Users
    Global Group memberships     None

41. The Hosting Company also identified that the file being run by KHS on July 15, 2015 was DUBrute.exe, located at the following directory: v2 2 VNC - Scanner GUI v1 2DUBrute v2 2

42. On August 19, 2015, the Victim Company contacted an FBI agent to report a threatening message it had received. The message, which was from an Albanian Hacker with a contact email, threatened the Victim Company for deleting the hacker's files from their server. From my experience, I believe that the user of was referring to the DUBrute.exe malware placed on the server, which granted the user KHS unfettered access to information stored on the Victim Server.

43. The following is an excerpt of the email sent from an employee of the Victim Company to the
FBI:

I work for owner of Victim Company for his store Victim Company. The server was hacked again today and left a note on main page[8]:

Hi Administrator. Is third time that your deleting my files and losing my Hacking JOB on this server. One time i alert you that if you do this again i will publish every client on this Server. I don't wanna do this because i don't win anything here. So why your trying to lose my access on server haha? Why you're spending your time with one thing that you can't do? Please don't do the same mistake again because bad things will happen with you. i didn't touch anything on your webhosting files please don't touch my files. Want to contact me? Here. Greetings from an Albanian Hacker. #SkyNet

Footnote 8: Main page refers to the primary page of the website operated by the Victim Company.

44. On August 20, an employee of the Victim Company wrote an email to, identifying him/herself as an employee of the Victim Company, stating: Please dont attack our servers. In response, the user of wrote: 2BTC and will leave your server also make a report for method how am getting access to your servers. (Emphasis added.)

45. The employee replied: 2 bitcoin mean didnt get you whats that. On August 21, 2015, the user of sent a message to the Victim Company including information on what Bitcoins were and instructions on where the Victim Company should transmit the Bitcoin to: When i get money here I will make full report for server and method iwill protect and remove all bugs on your shop. I believe that KHS demanded the two Bitcoin (worth approximately $500) for KHS to relinquish his access to the Victim Server and to provide a report to the administrator on the method he was using to gain that access.

46. In August, the Victim Company provided the FBI with consent to review all information related to the Victim Company's website, which is stored on the Victim Server owned by the Hosting Company.

47. FBI review of the image of the Victim Server reveals an originating IP address of 210.186.111.14. This is
an IP assigned to a Malaysian-based ISP that is frequently used by FERIZI. The image shows that on July 8, 2015, at approximately 3:15 Universal Time Coordinate (UTC), the Victim Server was showing signs of a Structured Query Language (SQL) injection attack. I learned from speaking with other FBI agents that SQL injection is a technique often used against retailer websites that inserts malicious code into a database entry field, thereby causing, for example, the database to send its content to the attacker. I believe that KHS has used this method of hacking in the past.

48. Records for Facebook account 100003223062873, associated with the vanity name ardit ferizi0l, believed to be used by FERIZI, reveal that the account was accessed from the same IP responsible for the aforementioned SQL injection attack on the Victim Server on July 7, 2015 at approximately 06:49 UTC, the day prior to the initial unauthorized intrusion, and July 8, 2015 at approximately, which is roughly six hours after the initial unauthorized intrusion.

49. Furthermore, FBI analysis of the Facebook records reveal over 1200 discrete actions attributed to 210.186.111.14 occurring between July 6, 2015 and July 13, 2015, including but not limited to account Logins, Session Terminations, and sent messages.

50. Twitter records demonstrate that the @Th3Dir3ctorY account attributed to FERIZI was logged into from the same IP responsible for the SQL injection attack on the Victim Server at approximately 17:15 UTC, the day prior to the initial unauthorized intrusion, and at approximately 17:09 UTC on July 8, 2015, approximately 13 hours after the initial unauthorized intrusion.

51. Furthermore, FBI analysis of Twitter records reveal at least nine total logins to @Th3Dir3ctorY from IP 210.186.111.14 between July 5, 2015 and July 13, 2015.

52. FBI review of the Victim Server revealed that the full names, email addresses, passwords, and cities and states of residence for the 1,351 US military and other government personnel included in the release
by Hussain and the ISHD on August 11, 2015 were found on the Victim Server.

53. On September 10, 2015, FERIZI sent himself, via Facebook, a file called. FBI analysis shows that the data from file (100,001 PII records) was imported into a spreadsheet and subsequently truncated to remove the trailing string characters followed by the | (pipe) symbol so that the data could be compared against normal email address formats. For example, the data row was truncated to remove 22483m, thus leaving, which could then be used to compare against any matching email addresses from those posted online by ISIL on August 11, 2015. Utilizing this process, the records from the csv file were reduced from approximately 100,000 to 98,890 records. The data was subsequently sorted, and records not following normal email formats (e.g. suffix) were removed. Any records not having a prefix before the were likewise removed. Additionally, all duplicative records were subsequently eliminated. There were 8,475 duplicate records, leaving 91,525 unique email addresses contained in the csv file. The records from the Victim Server belonging to 1,351 customers of the Victim Company were then imported into the spreadsheet for comparison. In a similar manner, any duplicate email address records were eliminated, leaving 1,351 records, which were subsequently compared against the 91,525 remaining email addresses contained in the csv. Of the 1,351 unique records posted by ISIL on August 11, 2015, 1,089 records matched those records contained in the csv file and 262 records did not match.

54. Furthermore, a review of the Facebook records revealed a conversation between FERIZI and another Facebook user account, Butrint Komoni, on or about August 22, 2015, in which Facebook account Butrint Komoni asked FERIZI what happened with the Victim Company's website, to which FERIZI replied: the network came in I called you man. I believe FERIZI is confirming his unauthorized access to the Victim Server.

55. Given the above, I believe that FERIZI, the user of the Facebook account
100003223062873, obtained the PII belonging to the U.S. military and other government personnel by unlawfully accessing the Victim Server, and provided that information to ISIL for use, including publication, and for use against the owners of the PII.

V. CONCLUSION

56. Based upon the facts detailed above, I respectfully submit that there is probable cause to believe that from on or about April 2015 to August 11, 2015, out of the jurisdiction of any particular State or district, Ardit FERIZI:

a. Intentionally accessed the Victim Server, a protected computer, without authorization and exceeded authorized access to the Victim Server, and thereby obtained information from a protected computer, and the offense was committed in furtherance of a criminal act in violation of the laws of the United States, specifically the criminal act of providing material support to a designated foreign terrorist organization, as prohibited by 18 U.S.C. § 2339B, all in violation of Title 18, United States Code, Section 103 00100; and

b. With intent to extort from persons money and other things of value, transmitted in interstate and foreign commerce a communication containing a threat to cause damage to a protected computer, and threat to obtain information from a protected computer without authorization and to impair the confidentiality of information obtained from a protected computer without authorization, all in violation of Title 18, United States Code, Section 103; and

c. Knowingly transferred, possessed, and used, without lawful authority, a means of identification of another person, consisting of, among other things, names, birth dates, and credit card information, during and in relation to a felony violation enumerated in section, that is, providing material support to ISIL, a designated foreign terrorist organization, as prohibited by 18 U.S.C. § 2339B, knowing that the means of identification belonged to another actual person, in violation of Title 18, United States Code, Section 1028A(a)(2);

d. Knowingly provided, and conspired and
attempted to provide, material support to ISIL, a designated foreign terrorist organization, namely, property and services, including himself as personnel, expert advice and assistance in computer hacking, and the PII of US military and government personnel, in violation of 18 U.S.C. § 2339B.

Kevin M. Gallagher
Special Agent
Federal Bureau of Investigation

Sworn to and subscribed before me this day of 2015.

The Hon. Theresa Carroll Buchanan
United States Magistrate Judge

This document is from the holdings of: The National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street NW, Washington, D.C. 20037. Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu
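The record comparison described in paragraph 53 (truncate the trailer, drop rows that are not well-formed addresses, remove duplicates, then intersect with the published list) can be reproduced as a short script. This is an added example, not part of the affidavit or of the FBI's tooling; the row layout, the suffix allowlist, the lower-casing step and every sample address are constructed assumptions.

```python
"""Normalise two address lists and report their overlap (added example)."""
import re

# Assumption: the affidavit does not reproduce a sample row, so this layout is
# constructed: an e-mail address, then trailing characters, then a pipe.
# The suffix allowlist is likewise an assumption of this example.
SUFFIXES = ("com", "net", "org", "edu", "gov", "mil")

# Capture the shortest leading string shaped like local-part@domain.suffix and
# ignore whatever follows it (the trailing characters and the pipe).
ADDRESS_RE = re.compile(
    r"\s*([A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*?\.(?:"
    + "|".join(SUFFIXES)
    + r"))"
)

# Constructed sample data standing in for the exported file.
EXPORT_ROWS = [
    "alice.smith@example.mil8841x|",
    "bob.jones@mail.example.com77102k|",
    "Bob.Jones@mail.example.com10933q|",  # duplicate, differs in case and trailer
    "carol@example.gov",                  # no trailer at all
    "@example.com5150z|",                 # nothing before the @ sign
    "dave@example.invalid9|",             # suffix not on the allowlist
    "erin@example.org4410b|",
]

# Constructed sample data standing in for the published list.
PUBLISHED_ROWS = [
    "alice.smith@example.mil",
    "bob.jones@mail.example.com",
    "bob.jones@mail.example.com",         # duplicate entry
    "frank@example.net",                  # not present in the export
]


def normalise(rows):
    """Return (unique_addresses, stats) for an iterable of raw rows."""
    kept = []
    rejected = 0
    for row in rows:
        match = ADDRESS_RE.match(row)
        if match is None:
            rejected += 1  # malformed: no prefix, no @, or unknown suffix
            continue
        # Lower-casing is an assumption; it makes the comparison case-blind.
        kept.append(match.group(1).lower())
    unique = set(kept)
    stats = {
        "rows": len(kept) + rejected,
        "rejected": rejected,
        "duplicates": len(kept) - len(unique),
        "unique": len(unique),
    }
    return unique, stats


def compare(published_rows, export_rows):
    """Match the published addresses against the normalised export."""
    published, _ = normalise(published_rows)
    exported, export_stats = normalise(export_rows)
    return {
        "published": len(published),
        "matched": sorted(published & exported),
        "unmatched": sorted(published - exported),
        "export_stats": export_stats,
    }


if __name__ == "__main__":
    report = compare(PUBLISHED_ROWS, EXPORT_ROWS)
    print("export:", report["export_stats"])
    print("published unique:", report["published"])
    print("matched:", len(report["matched"]), report["matched"])
    print("unmatched:", len(report["unmatched"]), report["unmatched"])
```

Reporting the rejected and duplicate counts alongside the match total keeps each reduction step auditable, which is what lets a reader check figures like those quoted in paragraph 53.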