OCR of the Document

View the Document >>

United States District Court for the Western Washington District at Seattle, “United States of America v. Dmytro Valerievich Fedorov, aka hotdima, superseding indictment", July 27, 2018. Unclassified.

Case Document 20-2 Filed 07 27 18 Page 1 of 32 Exhibit 4 Superseding Indictment Dkt United States v edorov CR1 Case Document 20-2 Eiiled 07 27 18 A Page 2 01 32 Presented to the Court by the for rnan of the Grand Jury In open Court 1n the presence of 1 the Grand Jury and FILED in the U S DISTRICT COURT at Seattle Washington 2 Jaguar 25 20 UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WASHINGTON AT SEATTLE - UNITED STATES OF AMERICA I Pla n ff 2 SUPERSEDING INDICTMENT 1 V VALERIEVICH FEDOROV aka hOtdIIna Defendant The Grand Jury charges that DEFINITIONS 1 IP Address An Internet Protecol address or simply address 15 a unique numeric address uSed by devices such as computers on the Internet An IP address Is a series of four numbers each In the range 0-255 separated by- periods gf I104 250 138 210 Every device attached to the Internet must be assigned an IP address so that Internet traf c sent from and directed togthat deyice may bee-directed properly from its sourcelto its destination Most Internet service providers control arrange of IP addresses Superseding Indictment United States Fedorov 5 UNITED STATES Arrow 7 No 1 - 2700 STEWART 5220 - WASHINGTON 98101 206 553-7970 Case Document 20-2 Filed 07 27 18 Page 3 of 327 2 Server A server is a cemputer that provides services for other'computers connected to it via a network or the Internet The Computers that use the server services are sometimes called clients Servers can be physically located anvahere with a network connection that may be reached by the clients for example it is not uncommon for a server to be located hundreds or even thousands of miles away from the client computers A serVer may be either a physical or virtual machine A physiCal server is a piece of computer hardware con gured as a server with its own power Source central 7 processing unit s and assoCiated software A virtual server is typically one Of many servers that Operate on a single physical server Each virtual server shares the hardware 7 resources of the physical server but the data residing on each virtual server is Segregated from the data 011 Other Virtual servers that reside on the same physical machine 3 Malware Malware IS malicious cemputer code running on a computer Relative to the owner authorized user of that computer malware 13 computer code that is running 011 the system that 18 unauthorized and present on the system Without the user - consent MalvVare can be designed to do a variety of things including logging every - keystroke on a computer stealing nancial information or user credentials passtOrds or commanding that cemputer to becomejpart of a network of rebot or bot computers known as a botnet In addition malware can be used to transmit data from the infected computer to another destinatiOn on the Internet as identi ed by an IP address Often times these destination IP addresses are computers controlled by cyber criminals i A The Carbanakmalware Carbanak is the name giVen by Computer security researchers to a particular malicious software malware program Carbanak has A been uSed to remotely access computers without authorization The Carbanak malware allows an attacker to spy on another person s computer and remotely control the computer Carbanak can record v1-deos of the victim 3 computer screen and send the recordings back to the attacker It can also letthe attacker use the victim computer to Superseding Indictment United States Fedorov 7 1 - i - - UNITED STATES ATTORNEY No CR18-OO4RSM700 STEWART STREET SUITE 5220 98101 206 553-7970 o GIL 1 Case Document 20-2 Filed 07 27 18 Page4of32f attack other computers and to steal les from the _victim'computer and-install other malware All of thisacan'be done without the legitimate user s knewledge or 'permiSSion 5 7 Bot A hot computer is a computer that has been infected with some kind of malicious software or code and 1s thereafter subject to control by someone other than the true owner The true owner of- the infected computer usually remains able to use the computer as he did before it was infected although speed or performance may be compromised Botnet A homet 1s a network of comprOmised computers knoWn as bots that are under the control of a cybercriminal or bot herder The bots are II harnessed by the bot herder through the surreptitious installation of malware that provides the bot herder with remote access to and centrol of the compromised computers A botnet may be used en maSSe in a Coordinated fashion to deliver a variety of Internet- based attacks including attacks brute force password attacks the transmission of i' spam emails the transmission cf phishing emails and hosting communication networks for cybercriminals g acting as a proxy server fer email communications 7 Phishing Phishing IS a criminal scheme in which the perpetrators use mass email messages and or fake websites to trick peOple into providing information such as network credentials usernames and passwords that may later be used to gain access to a Vietim systems PhisIhing schemes often utilize social engineering 7 techniques similar to traditional con-artist techniques 1n order to trick Victims into believing they are providing their information to a trusted vendor customer or other acquaintance Phishing emails are also often used to trick a victim into clicking on documents or links that contain malicious software that will compromise the victim s computer System - 8 Spear Phishing Spear phIishing IS a targeted form of phiShIing directed towards a speCi c individual organization or business Although often intended to steal data for maliciOus purposes cybercriminals may also use spear phishing schemes to I install malware on a targeted uSer 3 computer Superseding Indictment United States v Fedora i A I 715 me $011123 ART No CRIS 004RSM- 3 I I I 206 553-7970 KO- col-q as will Case Document 20-2 Filed 07 27 18 Page 5 of 32 9 - social Engineering Sociallengineering is a skill developed over time by people who seek to acquire protected information through manipulation of social 1 relationships People who are skilled in Social engineering can convince key individuals to divulge protected information or access Credentials that the social engineer deems valuable to the aChievement of his or her aims I I '10 PenuTesting Penetration testing or pen testing is the practice of testing a 7 computer system network or computer application to nd vulnerabilities that an attacker I may exploit COUNT 1_ 7 Conspiracy to Commit Wire and Bank Fraud 1 - OFFENSE 11 The allegations set forth 1n Paragraphs 1 through 10 of this oSuper seding- Indictment are re-alleged and incorporated as if fully set forth herein 12 Beginning at a time unknown but no later than september 2015 and continuingithrough on or after January 17 201-8 at Seattle within the Western DistriCt of '1 Washington and elsewhere VALERIEVICH FEDOROV aka- hotdima - and others known and unknOwn to the Grand Jury did knowingly and willfully combine - - - conSpire confederate and agree together to commit offenses against the United States to wit I I I to knowingly and willfully devise and execute and attempt to I execute a Scheme and arti ce to defraud and for obtaining money and property by means of materially falSe and fraudulent pretenses representation s and promises and in executing and attempting to execute this scheme and arti ce to knowingly cause to be transmitted in interstateand'fOreign commerce by'means of Wire communication certain signs signals and sounds as further described below in violation of Title 18 United I States Code Section 1343knowingly and willfully devise and execute and attempt- to execute a scheme and arti ce to defraud nancial institutions as de ned by Title 18 Superseding Indictment United States v Federov 73313131 STASTES NoTEWART TREET 1111's -8 OMRSM 4 - 98101 206 553-7970 Case Document20-2 Filed 07 27 18 Page '6 of 32 United States Code Section 20 and to obtain moneys funds and credits under the custody and control of the nancial institutions by means of materially false and 3 fraudulent pretenses representations and premises in Violation of Title 18 United States 8 Code Section 1344 1 and 2 II OBJECTIVES OF THE CONSPIRACY l3 Defendant VALERIEVICH EDOROV and others known and unknown to the Grand Jury were part of a nancially motivated cybercriminal I conspiracy known variously as IN 7 the Carbanak Group and the Navigator Group I referred to herein as FIN7 consists of a group of criminal actors engaged 111 a sophisticated malware campaign targeting the computer Systems of busineSSes primarily in the restaurant gaming and hespitality industries among others - 1' 14 The objectives of the conspiracy included hacking- into protected computer networks Using malicious software hereinafter malware designed to provide the conspiratorswith unauthorized access to and control of Iv10t1m computer systems The objectives of the conspiracy further included conducting surveillance of victim computer networks and installing additional malwar e on victim computer for the purpose of establishing perSistencIe stealing meney and property including payment card credit and debit track data nancial information and proprietary and non-public information The objectives of the conSpiracy further included using and selling the stolen data and information for nancial gain in Ia variety of ways including but not I limited to using stolen payment card data to cenduct fraudulent transactions across the United States and 1n foreign countries In MANNER AND MEANS OF THE CONSPIRACY 15 The manner and means used to accomplish the conspiracy included the following I Ia IN 7 developed and employed various malware designed to in ltrate comprOmise and gain control of the computer systems of victim companies 7 operating in the United States and elsewhere including within the Western of Superseding Indictment United States Peder-0v - I UNTTED STATES ATTORNEY I I I - 700 STEWART STREET SUITE 5220 - 206 553-7970 Case Document 20-2 Filed 07 27 18 Page 7 of 32 WashingtOn FIN 7 established and operated an infrastructure cf servers 10cated in various countries through WhiCh FIN7 members coordinated-activity to further the scheme This infrastruCture included but was not limited to the use of command and control servers accessed through Custom botnet Control panels that communiCated-With I and controlled compromiSed computer systems of victim companies b FIN7 created a front cOmpany doing business as Combi Security to legitimate COmbi Security purports to operate as a computer security pen-testing cempany based in Moscow Russia and Haifa Israel As part of advertisements and it public internet pages for Gombi Security IN7 portrayed Combi Security as a legitimate penetration testing enterprise that hired itself out to businesses for the purpose of testing their computer security systems c Under the guise of a legitimate computer security company FIN 7 doing business as Combi Security recruited individuals With computer programming skills falsely claiming that the prospective employees would be engaged in legitimate - pen-testing of client computer networks In truth and in fact as Defendant and his FIN7 co-conspirators well knew Combi Security was a front company used to hire and deploy hackers who were given tasks in furtherance of the FIN7 conspiracy _ d FIN7 targeted victims in the Western District of Washington and elsewhere using phiShing techniques to distribute malware designed to gain unauthorized access to take control of and exI ltr a te data from the computer systems of variOus' I businesses FIN 7 targeted Victims include more than 120 identi ed companies With thousands 0f individual lecations' of operation throughout the United States including - but not limited to the folloWing representative Victim companies i Victim- 1 referenced herein is the Emerald Queen Hotel and Casino EQC a hotel and casino owned and operated by a federally recognized Native 7 American Tribe with locations in Pierce County within the Western District of _Washington Supersediug Indictment United States v Fedorov 1 UNITED STATES ATTORNEY No CR18-OO4RSM 6 7 I - 700 STEWART STREET SUITE 5220 Same WASHINGTON 98101 206 55347970 boosioxm-awmi e Case Document 20-2 FiledWO7 2-7 18 Pages-0132 ii - Victim-2 referenced herein is a public corporation headquartered 1n Seattle within the Western District of Wasbiogton I with operations throughout the United States and elsewhere I Victim- 3 referenced herein 1s Chipotle Mexican Grill 3 U S based restaurant chain with thousands of locations 1n the United States ineluding 1n 1 the Western District of Washington and 1n Canada and multiple European countries iv- I V1ct1m 4 referenced herein is a U S i based pizza parlor chain with hundreds of locations predominantly 1n the Western United States including 1n the Western District of Washington Victim 5 referenced herein 1s a S -based federally insured credit union headquartered in the Western District of washingtoo vi Victim- 6 referenced herein 1s Jason Deli a U S based casual delicatessen restaurant chain with hundreds of locations 111 the United States I I vii Victim- 7 referenced herein is- an autOmotive retail and repair chain with hundreds of locations 1n the United States including 111 the Western District of Washington i I - Victiin 8 referenced herein 1s Red Robin Gourmet Burgers I I and Brews Red Robin a U S based casual dining restaurant chain founded in the I Western District of Washington with hundreds of locations 1n the United States including 1n the Western District of washington ix Victini- 9 referenced herein IS Sonic Drive-in Sonic a U S -based drive in- fast-food chain with thousands of locations 1n the United States including in the Western District of Washington I x I Victim- 10 referenced herein is Taco John s a U S -based fast-food restaurant chain with hundreds if locations 1n the United States 1nclud1ng 1n the Western District of Washington A e FIN 7 typically initiated its attacks by delivering directly and through intermediaries a phishing email with an attached malicious le using wires 1n Superseding Indictment United States v Fedorov aI UNITED STATES - No CR18-004RSM - 7 700 STEWART STREET SUITE 5220 I 98101 206 553-7970 - ICaIse Document 20-2 Filed 07 27 18 Page 9 of 32 interstate and foreign commerce toan employee of the targeted victimcompany The attached malicious le usually was a Micrdsoft Word doc or d'ocx or Rich Text File - i rtf doCUment with embedded malware FIN7 useda variety of malware deliyeryj mechanisms in its phishing attacMentIs including but not limited to Weaponized Microsoft Word macros malicious Object Linking and Embedding OLE objects - malicious visual basic scripts I0r avaScript and malicious embedded shortcut les In Some instances the phishing email or attached le contained a link to malware hosted on servers controlled by FIN7 - The phishing email through false representations and pretenses fraudulently induced the victim company employee to open the attachment or click on the link to' activate the malware For example when targeting a hotel chain the purported sender of the phishing email might falsely claimto be interested in making - a hotel reservation Byway of irther eitample when targeting a restaurant chain the purported sender of the phishing email might falsely claim to be interested in placing a catering order or making a complaint about prior food service at the restaurant f In certain phishing attacks FIN7 directly and through intermediaries sent phishing emails to personnel at victim companies who had unique access to internal proprietary and hen public company informatiOn includinglimited to employees inVolveId with making lings with the United and 7 Exchange Commis'sion These emails used an email address that spoofed an email address associated with the 3 electronic ling System and induced the recipients to activate the maIWare contained in the emails attachmentsmany of the FIN7 attacks a FIN7 member or someone hired by FIN7 speci cally for such purpose would also call the victim company using Wires in interstate or foreign commerce to legitimize the phishing email and convince the victim company employee to open the attached document using social engineering techriidues I - For example - when targeting a hotel chain or a restaurant chain a conspirator Would make a follow-up call falsely claiming that the details of a reservation request catering-I order er customer Complaint could be found in the le attached to the previously 3 Indictment United States v Fedorov UNIT-ED STATES ATTORNEY No 004RSM- 8 i I 70 0 STEWART Smear Suns 5220 - 7 SEATTLE WASHINGTON 98101 206 553-7970 co 1 31- 1 Case Document 202 Filed 07 27 18 Page-1010f 32 delivered email to induce the employee at the victim company to read the phishing email open the attached le and activate the malware I I If the recipient activated the phishing email attachment or clicked on the link the recipient wouldIunWittingly activate the malware and the computer on which it was opened would become infected and connect to one or more command and II control servers contrOlle'd by FIN 7 to report details of the newly infected computer and I doWnload additional malware The command andcontrol infrastructure relied upon - variOus servers in multiple countries including but not limited to the United States typically leased using false information such as alias names and fictitious information IN7 typically would install additional malware including the CarbanakI malware to connect to additional FIN 7 Command and control servers to establish remote control of the victim computer j I Once a victim s computer was compromised FIN7 would incorporate the compromised machine or _I bot into a botnet FIN7 designed and used a custom botnet control panel to manage and issue commands to the compromised machines 1 I l Once a victim company s computers were incorporated into the FIN7 botnet and remotely controlled by malware the group used this remote control and access to among other things install and manage additiOnal malware II_ conduct surveillance map and navigate the compromised computer netWOrk compromise additional computers ex ltrate les and send and receive data For instance FIN7 often conducted surveillance on the victim 3 computer network by among other things capturing screen shots and videos of victim computer Workstations that provided the conspirators with additional information about the victim company computer network and non-public credentials for both generic company IacCounts and for actual company empIOyees - 1n FIN7 used its access tothe victim s computer network and information gleaned from surveillance of the victim s computer systems to install - Superseding Indictment United States v Fedorov - I 1 UNITED ISTATEIS ATTORNEY No CR18-OO4RSM 9 1 700 STEWART STREET 3011155220 SEATTLE WASHINGTON 98101 206 553-7970 including nancial inStitutions as de ned in Title 18 United States Code Section 20 Case Document 20-2 Filed 07 27 18 Page 11 of 32 I additional malware designed to target and extract particular information and property of value including payment Card data and proprietary and lien-public information For instance FIN 7 often utilized various off-the-shelt software and custom malware and a combination thereof to extract and transfer data to a loot folder on one or mere servers controlled by FIN7 7' i 7 n FIN7 frequently targeted victim companies With customers who use payment cards while making legitimate point-'ofesale purchases such as victim companies in the restaurant gaming and hospitality industries In those cases FIN-7 Con gured malware to extract copy and compile the payment card data and then to transmit the data from the victim Computer systems to servers controlled by FIN7 7 o i For example between approximately March 24 2017 and April 18 2017 FIN7 harvested payment card data from point of sale devices at certain Victim-3 restaurant locations including dozens of locations 1n the Western District of Washington - p FIN 7 stole millions of payment card numbers many of which have been offered for sale through vending sites including but not limited to Jokers StaSh i thereby attempting to generate millions of dollars of illicit pro ts q The payment Card data were offered for sale to alloW purchasers to falsely represent themselves as authorized users of the stolen payment cards and to use the stolen payment card information to purchase goods and services in fraudulent - transactions throughout the United States and the world including over the Internet reSulting in milliOns of dollars 1n losses to and thereby affecting merchants and banks For example on or abOut March 10 2017 stolen payment card data related to accounts i 1 held at Victim-5 a nancial institution headquartered 1n the Western District of Washington compromised through the computer network intruSion of a victim cempany Was used to make unauthorized purchases at a merchant in Puyallup Washington Superseding Indictment United States v Fedorov -- - UNTFED STATES ATTORNEY I No 004RSM700375me STREET $0112 5220 SEATTLE wxsmeros 98101 206 553-7970 Case Document 20-2 Page'12 of 32 I r FIN7 members employed varioustechniques to Conceal their identities including simu'ltaneouSly utilizing various leased Servers ii that had been leased - using false subscriber information in multiple countries s FIN7 member co conspirator F H served as a high-level systems administratOr for FIN 7 who maintained servers and communication channels used by the organization For example FIN7 members requested co -Conspirator F H to grant them -- 1 access to servers used by FIN7 to facilitate the malware scheme Co conspirator F also played a management role in the scheme by delegating tasks and by providing instruction to other members of the scheme FIN7 members typically communicated With one another and others through private communication channels to further their malicious activity Mong other channels 1N7 conspirators communicated using Jabber an instant messaging service that allows members to cominunicate across multiple platforms and that supports end-Ito- end 11 For example in Jabber communicatiOns With other FIN 7 members VALERIEVICH FEDOROV using his alias hotdima referenced using - I malware 1n connection With seVeral speci c victim companies discussed using the administratiVe control panels to receive data from compromised computers and identi ed several pen-testers working at his direction - 7 v I I FIN7 members often communicated through a private HipChatI server HipChat 1s a group chat instant messaging and le-sharing program FIN 7 I members used its HipChat server to collaborate on malware and victim business - intrusiOns to interview potential recruits and to upload and share ex ltrated data - such as 7 - stolen payment card data As a syStemI administrator co-conspirator F H created - I HipChat user accounts for FIN7 members that allowed them to access the server W Co conspirator F H also created and participated 1n multiple HipChat _ rooms with other FIN7 members and partiCipated 1n the uploading and organization of Stolen payment card data and malware For example on or about March Superseding United States Fedorov 1 UNITED STATES ATTORNEY I - 13 No 11 I 700 STEWART STREET SUITE 5220 2 SEATTLE WASHINGTON 98101 - 206 553-7970 Case Document 20-2 Filed 07 27 18 Page 13 0f 32 I 14 2016 co-conspirator F H uploaded an archive that contained numerous data les - created by malware designed to steal data from point-of-sale systems that process payment cards The les contained payment card numbers stolen from a victim company- that had publicly reported a secmity breach that reSulted 1n the compromise of tens of thousands of payment cards By way of further example co-conspirator F H also set up and used a HipChat room titled MyF11e in which he was-the only participant and to which he Uploaded malware used by IN7 and stolen payment Card information I x FIN7 conspirators used numerous email hosted by a varietyII II of providers 1n the United States Iand elsewhere Which they often regiStered using false subscriber information y I FIN 7' conspirators frequently used the project management software 7 I JIRA hosted an private virtual servers in various countries to coordinate their malicious -I activity and to manage the assorted network intrusions IN7 members'typieally-created - I a project and then associated issues with the project each 1ssue akin to an isSue 7 directory or folder for a victim company which they used to collaborate and share details of the intrusion to post victim company intelligence such as network mapping information and Ito store and Share exfiltrated data 7 I 2 - For example on about September 7 2016 co-conspirator F created an issue for Victim-6 to which FIN7 conspirators posted les containing internal credentials for the victim company s compUter network aa By way if further example on multiple occasions in January 2017 VALERIEVICH FEDOROV and others posted to the FIN 7 issue created for Victim-7 information about the Victim company 3 internal netWOrk and uploaded ex ltrated data including stolen employee credentials Similarly on or about April 5 2017 VALERIEVICH FEDORIOV created an issue for another victim company Victim-9 and uploaded stolen user credentials from the Vietim company bb FIN7 censpirators knew that the scheme would involve the use of wires in both interstate and foreign commerce Ito accomplish the objectives of the Superseding Indictment United States v Fedorov 1 UNITED STATES ATTORNEY No CR18-004RSML 12 I I I I I 700 STEWART STREET Sons 5220 - - Seams WASHINGTON 98101 553- 7970 Case 1 Document 20-2 Filed 07 27 18 Page 14 of 32 scheme For example the Defendant and his FIN7 cO Conspirators knew that execution of the scheme necessarily caused the transmission cf wire communications between the United States and one or more servers controlled by IN 7 located 1n fereign countries I All 1n violation of Title 18 United States Code Section 1349 I I COUNTS 2- 15 Wire Fraud I 16 The allegations set forth 1n Paragraphs 1 through 15 of this Supersedmg Indictment are re-allege'd and incorporated as if Jlly set forth herein 9 - SCHEME AND ARTIFICE TO DEFRAUD 17 Beg-inning at a time unknown but no later than September 2015 and continuing through on or after January 17 2018 at Seattle within the Western 8' Washington and elsewhere VALERIEVICH FEDOROV and others known 8' and unknown to the Grand Jury devised and intended to devise a scheme and arti ce to I i defraud and to obtain money and property by means of materially false and fraudulent pretenses representations and promises - 1 i 18 The esseHCe cf the scheme and arti ce to defraud was to obtain unauthorized access into and control cf the cemputer networks of victims through deceit and materially false and fraudulent pretenses and representations through the installation and use of malware designed to facilitate among other things the installation cf additional malware the sending and receiving of data and the surveillance of the victims computer networks The object of the scheme and arti ce to defraud was to steal money and property of value including payment card data and proprietary and non- - public information which was and could have been sold and used for nancial gain II MANNER AND MEANS OF SCHEME TO DEFRAUD l9 The manner and meansof the sCheme and arti ce to defraud are set forth in - i Paragraph 15 of Count 1 of this superseding Indictment United States v Fedorov I UNITED STATES ATTORNEY N0 CR18- l3 700 STEWART STREET SUITE 5220 - Seam - WASHINGTON 98101 - 206 553 7970 oeoqoa'cnnvumha Ch -b U h i oeuoxm-th-Ho Case Document 20-2 Filed 07 27 18 Page 15 of 32 EXECUTIONOFSCHEMETODEFRAUD i i i 20 On or about the dates set forth below within the Western District of 7 Washington and elsewhere VALERIEVICH FEDOROV and others known i and unknown to the Grand Jury having devised a scheme and arti ce to defraud and to obtain money and property by means of materially false and fraudulent pretenses representations and promises did knowingly transmit and cause to be transmitted writings signs signals pictures and sounds for the purpose of executing such-Scheme - by means of wire communication in interstate and foreign Commerce including the following transmissions 2 August 8 2016 Victim-1 A Pierce County i Emall from Just etravel@y oocom which traveled through a server located outside the State of Washington to a Victim-l employee i located within the State of Washington 3 - August 8 20-16 Victim-1 Pierce County 7 Email from frankj Ohnson@revital _ travel com Which traveled through a 1 _Washington to a Victim-1 employee serVer located outside the State of located Within the State of Washington 41 August 8 92016 Victim- 1- Pierce County Electronic communication between a Server located outside the State of Washington and Victim-1 computer 7 7' System located within the State of 7 Washington - 5 February21 2017 Victim-2 Seattle through a server located outside the Email purporting to be from a_ 7 government account which traveled State of washington to a Victim-2 employee located Within the State of Washington superseding Indictment United States v Fedorov 004RSM- 14 UNITED STATES ATTORNEY 700 STEWART STREET Sums 5220 WASHINGTON 98101 206 553-7970 ooqumnwquxeooqaaELTqEZE Case Document 20-2 Filed 07 27 18 Page 16 of 32- Victim-2 server IOCated outside the State of 6 February 23 2017 Seattle Washington and Victim-2 3 computer 9 - system located within the State of Washington - Electronic communication between a I Victim-3 - th I 4120 196th St SW server located outside State 0 7 March 24 2017 Washington and Victim-3 computer 1 Suite 150 wood system located Within the State ofI Washington 7 - Electronic communication between a Victim-3 server located outside the State of 8 7 March 25 2017 - 1415 Broadway Washington and Victim-3 5 computer Seattle system located Within the State of Washington I 1 1 Electronic communication between a I I 1 - Victim-'3 server located outside the State of 9 March 25 2017 - 800 156th Ave NE Washington and Victim-3 3 computer - 'BelleVue system located Within the State of Washington 1 1 Electronic communication between a- I I Victim 3 I server located outside the State of 10 March 25 2017 4 Bellis Fair Pkwy Washington and Victim 3 5 computer Bellingham system located within the State of - washington Electronic communication between a Vlctim-3 I I 775 Gilman' server lecat'ed Outside the State of 11 March 25 2017 - 7 Washington and Victim-3 3 computer -- Blvd Suite A - -- Is saquah system located within the State of - Washington 1 Vic 11111-3 1 Electronic communication between a I I I 515 SE Everett server located outside the State of 12 - March 27 2017 7 7 Washington and Victim-3 s computer MallIWay Suite B 1 - system located Within the State of verett I - Washington - Electronic communication between a 1 V1et1m-3 I I 22704 SE 4th 1 server located outSide the State of 13 IApnl 11- 2017 - I - Su1te210 Washington and Victim-3 camputer I - IS system located Within the State of ammamiSh I Washington Superseding Indictment-l United States v FedorOVi A I UNITED STATES No CR18-004RSM-15 700 STEWART STREET SUITE 5220 Seam WASHINGTON 9810 1 206 55317970 Case Document 20-2 Filed 07 27 18 Page 17 of 32 Emal from Victim-4 employee located Within the State of Washington Electronic communication between a merchant located within the State of- 15 7 March 10 2017 E g ks i 7 A Washington and a payment processor - - pup I - server located outside the State of Washington_ All 1n violation of Title 18 United States Code Seetion 1343 COUNT 16 Conspiracy to Commit Computer Hacking 21 The allegations set forth in Paragraphs 1 through 20- of this Superseding Indictment are re alleged and incorpOrated as if fully set forth herein 7 I OFFENSE 22 Beginning at a time unknown but no later than Septemher 2015 and continuing through on or after January 17 2018 at Seattle Within the Western of Washington and elsewhere VALERIEVICH FEDOROV and others known and unknown to the Grand Jury did knoWingly and willfully combine conspire cOnfederate and agree together to commit offenses against the United States to Wit i Oliver_palmer@yahoo com which - - - Victim-4 traveled through a server located 14 - 4 April 11 2017 Renton - outside the State of Washington toa - a to knowingly and with intent to defraud access a protected computer without authorization and exceed authorized access to a protected computer and by means of such conduct further the intended fraud and obtain anything of value exceeding 000 00 111 any l-year period in violation of Title 18 United States Code Sections 1030 a 4 and and h to knowingly cause the transmission of a program inforrnatiOn code and com rand and as a result of such conduct intentionally cause damage W1thout authorization to a protected computer and the offense Caused less to one or more persons during a 1 year period aggregating at least 000 00 in value and damage affecting 10 or Superseding Indictment United States Fedo rbv 1- UNITED STATES ATTORNEY WASHINGTON 98101 No CR18 16 p Sumaszzo - 206 55317910 sqoo 1 ex u wax HI - Document 20-2 Filed 07 27 18 IIPage 18 of 32 more protected computers during a l-year period 111 violation of Title 18 United States Code Sections 1030 a 5 A and II OBJECTIVES OF THE CONSPIRACY 7 23 I The objectives of the conspiracy included hacking into protected computer networks using malware designed to provide the conspirators With unauthorized access to and control of victim computer systems The objectives cf the conspiracy n'ther included conducting surveillance of victim computer networks and installing additional malware' on the victim computer networks fer the purposes of establishing persistence and stealing payment card track data nancial informatiOn and proprietary private and non-public information with the intention of using and selling such stolen items either directly or indireCtly for nancial gain The obj eCtives of the Conspiracy lrther included installing malware that would integrate victim computers into a botnet that allowed the conspiracy to control alter and damage compromised computers MANNER AND MEANS OF THE CONSPIRACY i 24 The manner and means used to accomplish the conspiracy are set forth 1n Paragraph 15 of Count 1 Of this Superseding Indictment - IV OVERT ACTS I '25 In furtherance of the conspiracy and to achieve the objects thereof VALERIEVTCH FEDQROV and others known and unkn0wn to the Grand - Jury - did Commit and cause to be committed the fOllowing overt acts among others - in the Western cf Washington and elsewhere- a Co-conspirator F H served as a high level syStems administrator for I 1N7 who maintained servers and communication channels used by the organization including administrating HipChat rooms and the uploading and organization of stolen payment card data and malWare For exampleabout March 14 2016 co conspirator F H uploaded to a HipChat room shared with another IN 7 member an archive that contained numerous data les containing payment card numbers stolen from a victim company that had Superseding Indictment United States v edorav - UNITED STATES ATTORNEY I No 17 700 STEWART STREET SUIT-E 5220 - SEATTLE WASI-HNGTON 98101 206 553 7970 o 065 cyan-4 DJ payment cards Case DocumentIZOaZ led 07 27 18 Page 19 of 32 publicly reported a security breach that reSulted 1n the loss of tens of thousands abOut April 8 2016 co-cohspiiator F H created a HipChat room called My_ Files to which he had exclusive access and later uploaded data for approximately 100 stolen payment cards On or about July 19 2016 co conSpirator F H posted a HipChat room accessible to other FIN 7 members les related to a victim company including multiple screenshots from one or more victim Company computers that shovved I among other things internal cempany information and 'an administrator password I IiIv On or about November 22 2016 co-conspirator H uploaded to his Files HipChat room a le containing data for stolen payment cards b DMYT-RO VALERIEVICI-I FEDOROV served as a high-level pen- tester one tasked With finding vulnerabilities that an attacker may exploit who managed other pen-testers responsible for breaching the security of victims computer systems For example i I - VALERIEVICH FEDOROV created and I managed issues on FIN7 s private JIRA server relating to intrusions of multiple victim companies including but not limited to Victim-7 and Victim-9 to which FIN7 members __shared and stored intrusion infermation and ex ltrated-datan ii Using 3 private Jabber Server VALERIEVICH FEDOROV communicated under the alias hotdinia with other FIN7 members regarding his hacking efforts and his payment for such efforts VALERIEVICH FEDOROV accessed and controlled comprOmised computer systems through custom control panels - - 0 The conspiIaCy compromised illegally accessed had unauthorized communications with and'ex ltrated proprietary private and nan-public victim data and 5 Superseding Indictment United States v Fedorov WEED STAIES ATTORNEY I No CR18- 004RSM 18 700 3111me 1 SEATTLE WASHINGTON 98101 206 5531 1970 ne'ooqoxuuowcwv Case Document 20-2 Filed 07 27 18 PageZO 0132 - information from thecomputer systems of the Victim-l a hotel and casino in the I Western District of Washington Fer instance i On or abOut August 8 2016 the conspiracy directly and__ through intermediaries used the account just__ etravel@yahoo com to send a phishing email with the subject order to an employee of Victim l located 111 Tacoma Washington with an attached Microsoft Word doCumenIt that contained malware The email contained materially false representations designed to induce the targeted employee to open enable the malware and compromise the computer system - ii - I On or about August 8 2016 - the conspiracy directly and through intermediaries used the account frankjohnSon@revital traVel com to send a phishing email with the subject order to an employee of Victim-1 located 1n Tacoma Washington with an attached Microsoft IWord document that contained malware The email contained materially false representations designed to induce the targeted employee to enable the malware and compromise the computer system I - Under the control of the conspiracy malWaIre a comprotnised computer of Victim-1 communicated with a command and control server - located a foreign country For instance from August 8 2016 to August 9 2016 and from August 24 2016 to August 31 2016 a compromised Victims computer legged approximately 3 639 with various URLs all starting with I Irevital-I_ travel com at an IP address hosted in Russia I I d The conspiracy compromised illegally accessed had unauthorized communications with and ex ltrated proprietary private and non-public victim data and information from the computer systems of Victim 6 a restaurant chain with locations 1n multiple states For instance - i On or about August 25 2016 the conSpiracy directly and through intermediaries used the account revital travel @yahoo com to send a phishing email to Ian employee of Victim-I6 with an attached Microsoft Word document that contained malware The email contained materially false representations designed to Superseding United States v Fedorov I UNITED STATES ATTORNEY 700 STEWART STREET SUITE 5220 SEATTLE 9810 206 553 7970 Document 20-2 Filed 07 27 18 PageIZl of 32 induce the targeted'employee to enable the malware and compromise the'computer systemabout September 7 2016 co-conspirator F H created an issue _on the conspiracy 3 private JIRA server speci cally related to Victim 6 One or more IN 7 members posted les containing internal credentials for the Victim 6 computer network 7 I I e The censpiracy compromised illegally accessed had unauthorized - I communications with and ex ltrated proprietary private and non-public victim data and information from the Computer systems of Victim 7 an automotive retail and repair chain - with hundreds of locations 1n multiple states including Washington Fer instance 1 I i On or about January 18 2017 a FIN7 member created an fissue on the conspiracy 5 private IRA server speci cally related to Victim 7 That FIN 7 member and VALERIEVICH FEDOROV pested results from Several - network mapping tools used on Victim-7 3 internal network ii On or about January 20 2017 a FIN7 member posted ex ltrated data including multiple usemames and paSSwords with the title Server Passwords to the Victim- 7 issue 1 I On or about January 23 and January 24 2017 VALERIEVICH FEDOROV posted information about Victim-7 3 internal network and uploaded a le containing multiple IP addresses and information about Vietim 7 s servers to the Victim-7 JIRA issue iv 5 On or about January 27 2017 VALERIEVICH FEDOROV'Luploaded to the Victim-7 issue a le containing over 1 000 I usernames and passwords for generic cempany employee acCOunts The potentially compromised accounts related to approximately 700 Victim-73 locations throughout the United States including approximately 12 locations Iceated 1n the state of I Washington Superseding Indictment United States v Fedorov 9 UNITED STATES ATTORNEY No700 STEWART STREET Sum 5220 8131111143 WASHINGTON 98101 206 553 7970 Case Document'ZO-Z Filed 07 27 18 Page-22 of 32 f 7 The conspiracy compromised illegallyaccessed had unauthorized communications with and exfiltrated proprietary private and nonepublic-victim data and information from the computer systems of Victim-2 a Corporation headquartered in I Seattle Washington For instance i On or about February 21 2017 the conspiraCy directly and through intermediaries used an account purporting to be lings@sec gov but actually sent by secureservernet to- send a phishing email to an employee of Victim-2 lecated 1n Seattle Washington with an attached Microsoft word document that contained malWare - The email falsely purported to relate to a corporate ling with the SEC and contained materially false representations designed to induce the targeted employee to open the le enable the malware and compromise the computer systems ii From on or about February 21 2017 to approximately March 3 2017 the conspiracy illegally accessed and had communicati-Ons with the computer systems of Victim-2 located 1n Seattle Washington For instance between about February 23 2017 and February 24 2017 the victim computer made outgoing connections to and transferred internal data without authorization to an address located 111 a foreign country 1 1 On or about February 24 2017 a member posted to a issue created for Victim 2 a screenshot from the targeted 'employee 3 computer at Victim-2 which showed among other things an internal Victim-2 webpage available only to employees with a valid user account i i I iv Similarly a FIN7 member posted to the Victim 2 JIRA issue a teXt file containing the usernames and passwords of the targeted Victim-'2 employee including his her personal email account Linkedln account -and personal investment and nancial institution accOunts I - g i The conspiracy compromised illegally accessed had unauthorized communications with and e'x ltrated proprietary private and non-public victim data and information from the computer systems of Victim-3 a restaurant chain With thousands of - Superseding Indictment United States v Fedorov - i -- 1 UNITED STATES ATTORNEY i 760 STEWART STREET SUITE 5220 No CR1 SPOMRSM 21 1 - SEATTLE WASHINGTON 98101 206 553 47970 a mtg-mmaumwceijGEBBZS Case Document 20-27 Filed 07 27 18 Page 23 of 32 - locations including the State Of Washington From approximately March 24 2017 to April 18 2017 the conspiracy accessed computer systems of Victim-3 and implanted malWare designed to harvest payment card data from cards used on pointrof-sale devices i at restaurant lQCations nationwide including approximately 33 locations Within the 7 Western District of Washington I h The conspiracy compromised illegally accessed had unauthorized communiCationIs With and ex ltrated proprietary private and nOn-public victim data and information from the Computer systems of Victim-8 a reStaurantI chain with hundreds of locations 111 multiple states including Washington For instance I i 011 or about March 27 2017 the conspiracy directly and II through intermediaries used the account ray donovan84@yahoo com to send a phishing email to a Victim-8 employee With an attached Microsoft Word document that contained malware The email falsely purported to convey a customer complaint and contained additional materially false representations designed to indUCe the targeted employee to enable the malware and compromise the computer systemabout March 29 2017 a FIN7 member created an i issue on the conspiracy 8 private JIRA server speci cally related to Victim-8 and posted results 110111 several network mapping tools used on Victim-8 s internal netWork On or about March 31 2017 21 FIN7 member posted a link to the point-of-sale software management solution used by Victim-8 and a username and paSS'word to the Victim 8 JIRA issue The software management tool allows a company to manage point-of-sale systems at multiple locations The FIN7 memberalso uploaded several screenshots presumably from one Or more Victim computers at Victim- 8 which shoWed among other things the user logged into Victim-8 s account for the software management toolabout April 6 2017 a FIN7 member uploaded tothe I Victim 8 JIRA issue Ia le- 'containing hundreds of usernames and passWo rds for I approximately 798 Victim-8 locations including'3z7 locationsilocated in the Stateof Superseding Indictment United States v Fedorov I 1 UNITED STATES ATTORNEY No 22 I 5 I 700 STEWART Smear SUITE 5220 - Swims WASHINGTON 98101 206 553 1970 Document 20-2 Page-24 of32 Washington The le included network information telephone cOmmuniCations and locations of- alarm panels within restaurantsabout April 7 2017 a FIN7 member uploaded to the I A Victim-8 JIRA issue a similar le containing numerdus usernames and passwords for Victim-8 locations vi 7 On or about May 5 2017 a FIN7 member uploaded to the Victim-8 JIRA issue a file containing le directories on a cempromised computer vii On or about May 8 2017 a FIN 7 member uploaded to the Victim-8 issue ex ltrated les related to a password management system from a compromised computer which contained the credentials usernames and passwords of a particular employee I On or about May 15 2017 a FIN7 member uploaded to the Victim 8 issue screenshots of a compromised computer that showed the 7 i employee accessing Victim-8 s security infrastructure management sOftWar'e using that same employee 3 credentials 7 i The conspiracy compromised illegally accessed had unauthorized communications with and ex ltrated proprietary private and nonwpublic victim data and information from the computer systems of one or more locations Of Victim-9 a feet-food restaurant chain with thousands of locations throughout the United States including I Washington For instancevarious dates the conspiracy directly and through I intermediaries sent phishing emails with an attached le that eontained malware to multiple Victim-9 locations For instance on or about April 7 2017 the conspiracy used the account oliver_palmer@yahoo com to send a phiShing email to a Victim-9 location in the State of Oregon The email contained materially false repreSentations designed to induce the targeted emplOyee to open the le enable the'm'alwa're and compromise the computer system Superseding Indictment Ur zitediS tates v Fedorov 3 UNITED STATES ATTORNEY No CR18-004RSM - 23 100 STEWART Smear Suns 5220 SEATTLE WASHINGTON 98101 206 5534970 1 me 1 1 Case Document 20-2 Filed 07 27 18 Page 25 0f 32 _1 11 on or about April 5 2017 VALERIEVICH created an issue on the conspiracy s private JIRA server speci cally 1 related to Victim 9 One or more FIN 7 members posted usernames and passwords for 7 7 7 I Victime locations including aiVictim-9 location in'VancoUVer Washington 1 The conspiracy compromised illegally accessed had unauthorized communications with and ex ltrated preprietary private and non-public victim data and information from the computer systems of One or more locations of Victim-4 a pizza parlor chain With hundreds of locations including 1n Washington For instanCe ii On or about April 11 2017 the conspiracy directly and through intermediaries used the account ol1ver_palmer@yahoo com to send a phishing email With the subject claim to an employee of a Victim-4 located in Renton Washington with an attached Rich Text Format rtf document that contained malware The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the malware and compromise the computer system i ii On or about April 11 2017 the conspiracy directly and through intermediaries used the account oliver_p_almer@yahoo cem to send a phishing 1 7 email with the subject claim to an employee of a Victim-4 located 1n Vancouver Washington With an attached Rich Text Format itt document that contained malware 1 The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the 'malware and compromise the computer system On or about May 25 2017 the conspiracy directly and through intermediaries uSed the account Adrian 1987clark@yahoo com to send a 7 7 phishing email With the subject takeout order to an employee of a Victim-4 located in i - or around Spokane WaShington with an attached'Rich Text Format th document that contained malware The email falsely stated that the sender-had a large takeout order and Superseding Indictment United Statas v Fedorov 1-1 UNITED STATES ATTORNEY No 7 24 - - 700 STEWARTSIREET 311111352211 - 206 553-7970 For instance I Case Document 20 2 Filed 07 27 13 Page 26 of 32 contained additional materially false representations designed to induce the targeted employee to enable the malware and compromise the computer system k The conspiracy compromised illegally accessed had unauthorized communications with and ex ltrated proprietary private and non-public Victim data and information from the computer systems of one or more locations of VictimelO a fast- - food restaurant chain with hundreds of locations in various states including Washington 7 i I On or about May 24 2017 a IN7 member created an issue on the conspiracy private JIRA server speci cally related to Victim-10 - One or more FIN 7 members posted information relating to the intrusion cf computer sySterns and ex ltrated data including les containing and screenshOts from one or more compromised computers ii On or abOut June 12 2017 the conspiracy directly and through intermediaries used the account Adrian l987clark@yahoo com to send a phishing email with the subject order catering to an employee of a Victim-10 located in Iowa with an attached Rich Text Format rtf document that containedimalware The 7' email falsely stated that the sender had a'catering order for the following'day and I contained additional materially false representations designed to induce the employee to enable the malware and compromise the computer system From on or about June 12 2017 to a date unknown the consPiracy illegally accessed and had with the computer systems of the - Vietim-IO located 1n Iowa For instance the conspiracy transferred without r_ authorization the proprietary private and non-publicVi ctim data and infOrmation including usernames and passwords to a JIRA server managed by FIN7 located a foreign country All inviolation of Title 18 United States Code Section 371 3 Superseding Indictment United States v edorov 7 WEED STATES ATTORNEY No 25 7 - 700 STEWART smnr 3unn5220 - 7 98101 206 553-7979 Case Document 20-2 FiledrO7 27 1 8 Page 27 0132 1 9 7 - 1' Accessing a Protected Computer 1n Furtherance of Fraud - 7' 26 I The allegations set forth in Paragraphs 1 through 25 of this superseding Indictment are re-alleged and incorporated as if fully set- forth herein i 1 27 On or about the dates listed belOw within the Western District of 7 washington and el-sevVhere VALERIEVICH others known and unknown tothe Grand Jury knowingly and with intent to defraud accessed a 3 protected computer without authorization and in excess of authorized access and by means cf such conduct furthered the intended fraud and obtained something of value speci cally payment card data and proprietary and non-public infOrmation whereby the 1 obj ect of the fraud and the thing obtained consisted of more than the use of the Computers and the value of such use was mere than $5 000 111 a 1-year penod as listed below 18 February 21 2017 through March 3 2017 Victim-2 19 March 24 2017 through April 18 2017 Victim 3 All in violation of Title 18 United States Code Sections 1030 c 3 A and 2 7 'COUNTszo-zzr 1 Intentional Damage to a'Protected Computer 28 The allegations set forth 1n Paragraphs 1 through 27 of this Supersedlng Indictment are re-alleged and incorporated as if fully set forth herein 29 On or about the dates listed below within the Western District of i Washington and elsewhere VALERIEVICH FEDOROV and others known and unknown to the Grand Jury knowingly caused the tranSmissiOn of a program 1 information code and command and as a result of such conduct intentionally caused damage without authorizatiOn ito a protected computer speci cally the protected computer system of the victim listed below and the offense caused 1033 to oneormore Superseding Indictment United States v Fedorov - I a UNITED STATES ATTORNEY No 26 - 1 700 STEWART 81115111811111 5220' Seams 98101 i 206 553 7970 Document 20-2 Filed O7 27 18 Page 28 of 32 persons during a l-year period aggregating at least 000 00 value and ii damage affecting 10 or more protected computers during a 1-year period 8 233 21 February 21 2017 through March 3 2017 Victim-2 22 March 24 2017 through April 18 2017 Victim-3 All 1n violation of Title 18 United States Code Sections 2 COUNT 23 Access Device Fraud 30 The allegations set forth in Paragraphs 1 through 29 of this Stiperseding Indictment are re alleged and incorporated as if fully set forth herein 1 31 Beginning at a time unknown and continuing through on or after January 17 2018 Within the Western District of Washington and elsewhere VALERIEVICH FEDQROV and others known and unknown to the Grand Jury knowingly and with intent to defraud possessed fteen or more counterfeit and 7 unauthorized access devices namely payment card data account numbers and other means of account access that can be used alone and in conjunction with another access 7 device to obtain money goods services and any other thing of value 'and that can be used to initiate a transfer of funds said activity affecting interstate and foreign commerce All in violation of Title 18 United States Code Sections 1029 c 1 A and 2 24'- Aggravated Identity Theft 32 The allegations set forth 1n Paragraphs 1 through 31 of this Superseding - - Indictment are re alleged and incorporated as if fully set forth herein i 33 Beginning at a time unknown but no earlier than on or about February 21 2017 and no later than March 3 2017 and continuing through on or after November 21 2017 at Seattle within the Western District of Washington and elseWhere Superseding Indictment United States Fedorov UNITED STATES ATTORNEY No 27 700_ STEWART STREET SUITE 5220 - SEATTLEWASHINGTONQSIOIH 206 553-7970 i Ii ti Im Luigi-dc mumm-Ari cowacxu Case - Document 20-2 Filed 07 27 18 Page 29 of 32 I VALERIEVICH FEDOROV and others known and unknown to the Grand Jury did knowingly transfer possess and use without lawful authority a means of identi c atiOn of another person to Wit the name username and passWord of a real person J Q an employee of Victim-2 during and 111 relation to a felony violation enumerated in 18 U S C 1028A c that 1s conspiracy to commit wire and bank fraud in Violation of 18 U S 1349 as charged in Count 1 and wire fraud in violation of 18 U S C 1343 as i 1 charged in Counts 5 and 6 knoWing that the means of identification beIOnged to another actual person All 1n violation of Title 18 United States Code Sections 1028A a and 2 Aggravated Identity Theft 341 I The allegations set forth 1n Paragraphs 1 through 33 of this Supe'rseding Indictment are re alleged and incorporated as if fully set forth herein - 35 Beginning at a time unknown but no later than on or about May 8 and continuing through on Or after November 21 2017 within the Western District of Washington and elsewhere VALERIEVICH FEDOROV and others known and unknown to the Grand Jury did knowingly transfer possess and use Without lawful autho11ty a means of identi cation of another person to Wit the name emp10yee credentials username and password Of a real person N M an empIOyee of Victim 8 during and in relation to a felony violation enumerated 111 1 8 U S C 1028A c that is conspiracy to commit wire and bank fraud inviolation of 18 U S C 1349 as charged in Count 1 knowing that the means of identi cation belonged to another actual person All in violation of Title 18 United States Code Sections 1028A a and 2 COUNT 26' 7 Aggravated Identity Theft 36 The allegations set forth in Paragraphs 1 through 35 of this Superseding' Indictment are re - alleged and inCorporated as if fully set forth herein - Superseding Indictment-l United States v Fedorov 'l I i I - STATES ATTORNEY No CR18- 004RSMSEATTLE WASHINGTON 98101 206 553-1910 Case Document 20-2 Filed 07 27 18 Page 30 of 32 37 Beginning at a time unknown but no later than-011 01 about January 27 a 1 2017 and continuing through onior after November 21 2017 Within the W SternIDisuict - of Washington and elsewhere VALERI-EVICH EDORQV and others - known and unknown to'tIhe Grand Jury did mowingly transfer possess and use without i lawful authority a means of identi cation of another person to Wit the name username andpasswerdofrealpersons BC C H E L J M AP RO T T 7 employees of Victim-7 during and in relatiOn to a felony violation enumerated in 18 U S C 1028A e that IS conspiracy to commit Wire and bank fraud in violation of 18 U S C 1349 as charged 1n Count 1 knowing that the means of identificatiOn 1 I belonged to another actual person I All 1n violation of Title 18 United States Code Sections l028A aI and 2 1 1 38 The allegations contained 111 Counts 1 through 15 of this superseding I I Indictment are hereby realleged and incorporated by reference for the purpose of alleging 1 - forfeitures pursuant to Title 18 United States Code Section and Title 28 United States Code Section 2461 0 Upon conviction of any of the offenses chargedui'n I Counts 1 through 15 the defendant VALERIEVICH FEDORQV shall forfeit to the United States any property real or personal which constitutes or is derived from proceeds traceable to such offenses including- but not limited td a judgment for a sum of money representing the property described 1n this paragraph 39 The allegations contained in Counts 16 through 22 of this Supersedmg I I Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to Title 18 United States Code Sections 982 a 2 B and 1030 1 Upon conviction of any cf the offenses charged in Counts 16 through 22 the defendant shall'forfeit tothe United States any preperty Constituting or derived from proceeds the defendant obtained direCtly or indirectly as the result of such offenses and shall also forfeit the defendant interest in any personal property that was used or intended to be used to commit or to facilitate the commission cf Supersedjng Indictment United States v edorov - UNITED STATES ATTORNEY No_ 29 I I r 700 STEWART STREET SUITEISZZO 98101 tom-MN A Case Document 20-2 Filed 07 27 18 Page 31 of'32 such offenses including but not limited to a judgment for a 'sum of money representing the property described 1n this paragraph 7 40 7' The allegations contained 1n Count 23 of this supersedlng Indictment are hereby realleged and inCorporated by reference for the purpose of alleging forfeitures i - pursuant to Title 18 United States COde Sections 981 and and Title 28 United States Code Seetion 2461 0 Upon conViction of the offense charged in '1 Count 23 the defendant VALERIEVICH FEDOROV shall forfeit to the United States any property real or personal which constitutes or is derived from proceeds traceable to such offense arid shall also forfeit any personal property used or intended to be used to commit such Offense including but not limited to a judgment for a sum of money representing the property described 111 this paragraph SubStitute Assets 41 If any Of the property described above as a result of any act or omisSion of- the defendant cannot be located upon the exercise of due a b has been transferred or sold to ordepoSited with a third party 5 i c 7 has been placed beyond the jurisdiCtion of the court - d 7' has been substantially diminished 1n valuehas been cemmingled with other property which cannot be 2di'vid edvi- without dif culty 8 itpe iift tot lg gegg United States Fedorov SEATTLE WASHINGTON 98101 206 553-7970 Case Document 20-2 Filed 07 27 18 Page 32 of 32 Code SeCtion 2461 0 i I ANNETTE L YE United States Att rn An ANDREW C FRIEDMAN Assistant United States Attorney CIS FRANZ Ass stant United ates Attorney Assistant United States Attorney Trial Attorney Computer Crime and Intellectual Property Section Superseding Indictr'n ent United States v edorov No CR18-004RSM - 31 A TRUE BILL DATED the United States of America shall be entitled to forfeiture of substitute property pUrsuant to Title 21 United States Code - Section 853 p as incorporated by Title 28 United States 2V I 12 9 A Signature of FereperSOn redacted pursuant to Delicv of the Judicial Conference FOREPERSON UNITED STATES ATTORNEY 700 STEWART STREET SUITE 5220 - SEATTLE 98101 206 553-7970