Case Document 11-1 Filed 07/27/18 Page 1 of 33

Exhibit 5: Indictment, Dkt., United States v. Kolpakov, CR18-159RSM

Presented to the Court by the foreman of the Grand Jury in open Court, in the presence of the Grand Jury, and FILED in the U.S. DISTRICT COURT at Seattle, Washington. June [illegible]

UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WASHINGTON AT SEATTLE

UNITED STATES OF AMERICA, Plaintiff, v. ANDRII KOLPAKOV, aka "Andrey Kolpakov," aka "Andriy Kolpakov," aka "Andre Kolpakov," aka "Andrew Kolpakov," aka "santisimo," aka "santisimoz," aka "AndreyKS," Defendant.

NO. 18-159 JLK

INDICTMENT

The Grand Jury charges that:

DEFINITIONS

1. IP Address: An Internet Protocol address (or IP address) is a unique numeric address used by devices, such as computers, on the Internet. Every device attached to the Internet must be assigned an IP address so that Internet traffic sent from and directed to that device may be directed properly from its source to its destination. Most Internet service providers control a range of IP addresses.

Indictment, United States v. Kolpakov - 1
UNITED STATES ATTORNEY, 700 STEWART STREET, SUITE 5220, SEATTLE, WASHINGTON 98101, (206) 553-7970

2. Server: A server is a computer that provides services for other computers connected to it via a network or the Internet. The computers that use the server's services are sometimes called "clients." Servers can be physically located anywhere with a network connection that may be reached by the clients; for example, it is not uncommon for a server to be located hundreds (or even thousands) of miles away from the client computers. A server may be either a physical or virtual machine. A physical server is a piece of computer hardware configured as a server with its own power source, central processing unit(s), and associated software. A virtual server is typically one of many servers that operate on a single physical server. Each
virtual server shares the hardware resources of the physical server, but the data residing on each virtual server is segregated from the data on other virtual servers that reside on the same physical machine.

3. Malware: Malware is malicious computer code running on a computer. Relative to the owner/authorized user of that computer, malware is computer code that is running on the system that is unauthorized and present on the system without the user's consent. Malware can be designed to do a variety of things, including logging every keystroke on a computer, stealing financial information or user credentials (passwords or usernames), or commanding that computer to become part of a network of "robot" or "bot" computers known as a "botnet." In addition, malware can be used to transmit data from the infected computer to another destination on the Internet, as identified by an IP address. Oftentimes, these destination IP addresses are computers controlled by cybercriminals.

4. The Carbanak malware: Carbanak is the name given by computer security researchers to a particular malicious software (malware) program. Carbanak has been used to remotely access computers without authorization. The Carbanak malware allows an attacker to spy on another person's computer and remotely control the computer. Carbanak can record videos of the victim's computer screen and send the recordings back to the attacker. It can also let the attacker use the victim computer to attack other computers, and to steal files from the victim computer and install other malware. All of this can be done without the legitimate user's knowledge or permission.

5. Bot: A "bot" computer is a computer that has been infected with some kind of malicious software or code and is thereafter subject to control by someone other than the true owner. The true owner of the infected computer
usually remains able to use the computer as he did before it was infected, although speed or performance may be compromised.

6. Botnet: A botnet is a network of compromised computers known as "bots" that are under the control of a cybercriminal or "bot herder." The bots are harnessed by the bot herder through the surreptitious installation of malware that provides the bot herder with remote access to, and control of, the compromised computers. A botnet may be used en masse, in a coordinated fashion, to deliver a variety of Internet-based attacks, including [...] attacks, brute force password attacks, the [...] of spam emails, the transmission of phishing emails, and hosting communication networks for cybercriminals (acting as a proxy server for email communications).

7. Phishing: Phishing is a criminal scheme in which the perpetrators use mass email messages and/or fake websites to trick people into providing information such as network credentials (e.g., usernames and passwords) that may later be used to gain access to a victim's systems. Phishing schemes often utilize social engineering techniques similar to traditional con-artist techniques in order to trick victims into believing they are providing their information to a trusted vendor, customer, or other acquaintance. Phishing emails are also often used to trick a victim into clicking on documents or links that contain malicious software that will compromise the victim's computer system.

8. Spear Phishing: Spear phishing is a targeted form of phishing directed towards a specific individual, organization, or business. Although often intended to steal data for malicious purposes, cybercriminals may also use spear phishing schemes to install malware on a targeted user's computer.

9. Social Engineering: Social engineering is a skill developed over time by people who seek to
acquire protected information through manipulation of social relationships. People who are skilled in social engineering can convince key individuals to divulge protected information or access credentials that the social engineer deems valuable to the achievement of his or her aims.

10. Pen-Testing: Penetration testing, or pen-testing, is the practice of testing a computer system, network, or computer application to find vulnerabilities that an attacker may exploit.

COUNT 1
(Conspiracy to Commit Wire and Bank Fraud)

I. OFFENSE

11. The allegations set forth in Paragraphs 1 through 10 and 21 through 25 of this Indictment are re-alleged and incorporated as if fully set forth herein.

12. Beginning at a time unknown, but no later than September 2015, and continuing through on or after June 20, 2018, at Seattle, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV (aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS"), and others known and unknown to the Grand Jury, did knowingly and willfully combine, conspire, confederate, and agree together to commit offenses against the United States, to wit:

a. to knowingly and willfully devise and execute, and attempt to execute, a scheme and artifice to defraud, and for obtaining money and property by means of materially false and fraudulent pretenses, representations, and promises; and in executing and attempting to execute this scheme and artifice, to knowingly cause to be transmitted in interstate and foreign commerce, by means of wire communication, certain signs, signals, and sounds as further described below, in violation of Title 18, United States Code, Section 1343;

b. to knowingly and willfully devise and execute, and attempt to execute, a scheme and artifice to defraud financial
institutions, as defined by Title 18, United States Code, Section 20, and to obtain moneys, funds, and credits under the custody and control of the financial institutions by means of materially false and fraudulent pretenses, representations, and promises, in violation of Title 18, United States Code, Section 1344(1) and (2).

II. OBJECTIVES OF THE CONSPIRACY

13. The defendant, and others known and unknown to the Grand Jury, were part of a financially motivated cybercriminal conspiracy known variously as FIN7, the Carbanak Group, and the Navigator Group (referred to herein as "FIN7"). FIN7 consists of a group of criminal actors engaged in a sophisticated malware campaign targeting the computer systems of businesses, primarily in the restaurant, gaming, and hospitality industries, among others.

14. The objectives of the conspiracy included hacking into protected computer networks using malicious software (hereinafter, "malware") designed to provide the conspirators with unauthorized access to, and control of, victim computer systems. The objectives of the conspiracy further included conducting surveillance of victim computer networks and installing additional malware on victim computer networks for the purposes of establishing persistence and stealing money and property, including payment card (credit and debit) track data, financial information, and proprietary and non-public information. The objectives of the conspiracy further included using and selling the stolen data and information for financial gain in a variety of ways, including, but not limited to, using stolen payment card data to conduct fraudulent transactions across the United States and in foreign countries.

III. MANNER AND MEANS OF THE CONSPIRACY

15. The manner and means used to accomplish the conspiracy included the following:

a. FIN7 developed and
employed various malware designed to infiltrate, compromise, and gain control of the computer systems of victim companies operating in the United States and elsewhere, including within the Western District of Washington. FIN7 established and operated an infrastructure of servers, located in various countries, through which FIN7 members coordinated activity to further the scheme. This infrastructure included, but was not limited to, the use of command and control servers, accessed through custom botnet control panels, that communicated with and controlled compromised computer systems of victim companies.

b. FIN7 created a front company, doing business as Combi Security, to facilitate the malware scheme by seeking to make the scheme's illegal conduct appear legitimate. Combi Security purports to operate as a computer security pen-testing company based in Moscow, Russia and Haifa, Israel. As part of advertisements and public internet pages for Combi Security, FIN7 portrayed Combi Security as a legitimate penetration testing enterprise that hired itself out to businesses for the purpose of testing their computer security systems.

c. Under the guise of a legitimate computer security company, FIN7, doing business as Combi Security, recruited individuals with computer programming skills, falsely claiming that the prospective employees would be engaged in legitimate pen-testing of client computer networks. In truth and in fact, as each defendant and his FIN7 co-conspirators well knew, Combi Security was a front company used to hire and deploy hackers who were given tasks in furtherance of the FIN7 conspiracy.

d. FIN7 targeted victims in the Western District of Washington and elsewhere using phishing techniques to distribute malware designed to gain unauthorized access to, take control of, and exfiltrate data from the computer systems of various businesses. FIN7's targeted victims include more than 120 identified companies, including, but not limited to, the following representative victim companies:

i. Victim-1, referenced herein, is the Emerald Queen Hotel and Casino ("EQC"), a hotel and casino owned and operated by a federally recognized Native American Tribe with locations in Pierce County, within the Western District of Washington.

ii. Victim-2, referenced herein, is ___, a public corporation headquartered in Seattle, within the Western District of Washington, with operations throughout the United States and elsewhere.

iii. Victim-3, referenced herein, is Chipotle Mexican Grill, a U.S.-based restaurant chain with thousands of locations in the United States, including in the Western District of Washington, and in Canada and multiple European countries.

iv. Victim-4, referenced herein, is ___, a U.S.-based pizza parlor chain with hundreds of locations, predominantly in the Western United States, including in the Western District of Washington.

v. Victim-5, referenced herein, is BECU, a U.S.-based federally insured credit union headquartered in the Western District of Washington.

vi. Victim-6, referenced herein, is Jason's Deli, a U.S.-based casual delicatessen restaurant chain with hundreds of locations in the United States.

vii. Victim-7, referenced herein, is ___, an automotive retail and repair chain with hundreds of locations in the United States, including in the Western District of Washington.

viii. Victim-8, referenced herein, is Red Robin Gourmet Burgers and Brews ("Red Robin"), a U.S.-based casual dining restaurant chain, founded in the Western District of Washington, with hundreds of locations in the United States, including in the Western District of Washington.

ix. Victim-9, referenced herein, is Sonic Drive-In ("Sonic"), a U.S.-based drive-in fast-food chain with thousands of locations in the United States, including in the Western District of Washington.

x. Victim-10, referenced herein, is Taco John's, a U.S.-based fast-food
restaurant chain with hundreds of locations in the United States, including in the Western District of Washington.

e. FIN7 typically initiated its attacks by delivering, directly and through intermediaries, a phishing email with an attached malicious file, using wires in interstate and foreign commerce, to an employee of the targeted victim company. The attached malicious file usually was a Microsoft Word (.doc or .docx) or Rich Text File (.rtf) document with embedded malware. FIN7 used a variety of malware delivery mechanisms in its phishing attachments including, but not limited to, weaponized Microsoft Word macros, malicious Object Linking and Embedding (OLE) objects, malicious Visual Basic scripts or JavaScript, and malicious embedded shortcut files (LNK files). In some instances, the phishing email or attached file contained a link to malware hosted on servers controlled by FIN7. The phishing email, through false representations and pretenses, fraudulently induced the victim company employee to open the attachment or click on the link to activate the malware. For example, when targeting a hotel chain, the purported sender of the phishing email might falsely claim to be interested in making a hotel reservation. By way of further example, when targeting a restaurant chain, the purported sender of the phishing email might falsely claim to be interested in placing a catering order or making a complaint about prior food service at the restaurant.

f. In certain phishing attacks, FIN7, directly and through intermediaries, sent phishing emails to personnel at victim companies who had unique access to internal proprietary and non-public company information, including, but not limited to, employees involved with making filings with the United States Securities and Exchange Commission. These emails used an email address that
spoofed an email address associated with the electronic filing system, and induced the recipients to activate the malware contained in the emails' attachments.

g. In many of the FIN7 attacks, a FIN7 member, or someone hired by FIN7 specifically for such purpose, would also call the victim company, using wires in interstate and foreign commerce, to legitimize the phishing email and convince the victim company employee to open the attached document using social engineering techniques. For example, when targeting a hotel chain or a restaurant chain, a conspirator would make a follow-up call falsely claiming that the details of a reservation, order, or customer complaint could be found in the file attached to the previously delivered email, to induce the employee at the victim company to read the phishing email, open the attached file, and activate the malware.

h. If the recipient activated the phishing email attachment or clicked on the link, the recipient would unwittingly activate the malware, and the computer on which it was opened would become infected and connect to one or more command and control servers controlled by FIN7 to report details of the newly infected computer and download additional malware. The command and control infrastructure relied upon various servers in multiple countries, including, but not limited to, the United States, typically leased using false information, such as alias names and fictitious information.

i. FIN7 typically would install additional malware, including the Carbanak malware, to connect to additional FIN7 command and control servers to establish remote control of the victim computer.

j. Once a victim's computer was compromised, FIN7 would incorporate the compromised machine, or "bot," into a botnet.

k. FIN7 designed and used a custom botnet control panel to manage and issue
commands to the compromised machines.

l. Once a victim company's computers were incorporated into the FIN7 botnet and remotely controlled by FIN7's malware, the group used this remote control and access to, among other things, install and manage additional malware, conduct surveillance, map and navigate the compromised computer network, compromise additional computers, exfiltrate files, and send and receive data. For instance, FIN7 often conducted surveillance on the victim's computer network by, among other things, capturing screen shots and videos of victim computer workstations that provided the conspirators with additional information about the victim company computer network and non-public credentials for both generic company accounts and for actual company employees.

m. FIN7 used its access to the victim's computer network and information gleaned from surveillance of the victim's computer systems to install additional malware designed to target and extract particular information and property of value, including payment card data and proprietary and non-public information. For instance, FIN7 often utilized various "off-the-shelf" software and custom malware, and a combination thereof, to extract and transfer data to a "loot" folder on one or more servers controlled by FIN7.

n. FIN7 frequently targeted victim companies with customers who use payment cards while making legitimate point-of-sale purchases, such as victim companies in the restaurant, gaming, and hospitality industries. In those cases, FIN7 configured malware to extract, copy, and compile the payment card data, and then to transmit the data from the victim computer systems to servers controlled by FIN7.

o. For example, between approximately March 24, 2017, and April 18, 2017, FIN7 harvested payment card data from point-of-sale devices at certain Victim-3
restaurant locations, including dozens of locations in the Western District of Washington.

p. FIN7 stole millions of payment card numbers, many of which have been offered for sale through vending sites, including, but not limited to, Joker's Stash, thereby attempting to generate millions of dollars of illicit profits.

q. The payment card data were offered for sale to allow purchasers to falsely represent themselves as authorized users of the stolen payment cards and to use the stolen payment card information to purchase goods and services in fraudulent transactions throughout the United States and the world, resulting in millions of dollars in losses to, and thereby affecting, merchants and banks, including financial institutions, as defined in Title 18, United States Code, Section 20. For example, on or about March 10, 2017, stolen payment card data related to accounts held at Victim-5, a financial institution headquartered in the Western District of Washington, compromised through the computer network intrusion of a victim company, was used to make unauthorized purchases at a merchant in Puyallup, Washington.

r. FIN7 members employed various techniques to conceal their identities, including simultaneously utilizing various leased servers that had been leased using false subscriber information in multiple countries.

s. FIN7 operated as a structured enterprise with a hierarchical command structure under which dozens of members with diverse skillsets could coordinate their malicious activity. Key members of the scheme included, but were not limited to:

i. Fedir Hladyr, a systems administrator who, among other things, maintained servers and communication channels used by the organization. Fedir Hladyr played a leading managerial role by delegating tasks and by providing instruction to other members of the scheme.

ii. Fedorov, a high-level pen-tester who supervised other hackers specifically tasked with breaching the security of victims' computer systems without the victims' knowledge or consent.

iii. ANDRII KOLPAKOV, a high-level pen-tester who supervised other hackers responsible for breaching the security of victims' computer systems without the victims' knowledge or consent.

t. FIN7 members typically communicated with one another and others through private communication channels to further their malicious activity. Among other channels, FIN7 conspirators communicated using Jabber, an instant messaging service that allows members to communicate across multiple platforms and that supports end-to-end [...]

u. For example, in Jabber communications with other FIN7 members, a co-conspirator, using his alias "hotdima," referenced using malware in connection with several specific victim companies, discussed using the administrative control panels to receive data from compromised computers, and identified several pen-testers working at his direction.

v. FIN7 members often communicated through a private HipChat server. HipChat is a group chat, instant messaging, and file-sharing program. FIN7 members used its HipChat server to collaborate on malware and victim business intrusions, to interview potential recruits, and to upload and share exfiltrated data, such as stolen payment card data. As a system administrator, co-conspirator Fedir Hladyr created HipChat user accounts for FIN7 members that allowed them to access the server.

w. Co-conspirator Fedir Hladyr also created and participated in multiple HipChat rooms with other FIN7 members and participated in the uploading and organization of stolen payment card data and malware. For example, on or about March 14, 2016, co-conspirator Fedir Hladyr uploaded an archive that contained numerous data files created by malware
designed to steal data from point-of-sale systems that process payment cards. The files contained payment card numbers stolen from a victim company that had publicly reported a security breach that resulted in the compromise of tens of thousands of payment cards. By way of further example, co-conspirator Fedir Hladyr also set up and used a HipChat room titled "MyFile," in which he was the only participant, and to which he uploaded malware used by FIN7 and stolen payment card information.

x. FIN7 conspirators used numerous email accounts hosted by a variety of providers in the United States and elsewhere, which they often registered using false subscriber information.

y. FIN7 conspirators frequently used the project management software JIRA, hosted on private virtual servers in various countries, to coordinate their malicious activity and to manage the assorted network intrusions. JIRA is a project management and issue-tracking program used by software development teams. FIN7 members typically created a "project" on the virtual JIRA server and then associated "issues" with the project, each issue akin to an issue directory or folder, for a victim company, which they used to collaborate and share details of the intrusion, to post victim company intelligence, such as network mapping information, and to store and share exfiltrated data. For example, on or about September 7, 2016, co-conspirator Fedir Hladyr created an issue for Victim-6, to which FIN7 conspirators, including ANDRII KOLPAKOV, posted files containing internal credentials for the victim company's computer network. By way of further example, on multiple occasions in January 2017, co-conspirator Fedorov and another FIN7 member posted to the FIN7 issue created for Victim-7 information about the victim company's internal network and uploaded exfiltrated data, including stolen employee credentials. Similarly, on or
about April 5, 2017, Fedorov created an issue for another victim company, Victim-9, and uploaded stolen user credentials from the victim company.

bb. FIN7 conspirators knew that the scheme would involve the use of wires in both interstate and foreign commerce to accomplish the objectives of the scheme. For example, each defendant and his FIN7 co-conspirators knew that execution of the scheme necessarily caused the transmission of wire communications between the United States and one or more servers controlled by FIN7 located in foreign countries.

All in violation of Title 18, United States Code, Section 1349.

COUNTS 2 - 15
(Wire Fraud)

16. The allegations set forth in Paragraphs 1 through 15 of this Indictment are re-alleged and incorporated as if fully set forth herein.

I. SCHEME AND ARTIFICE TO DEFRAUD

17. Beginning at a time unknown, but no later than September 2015, and continuing through on or after June 20, 2018, at Seattle, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV (aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimoz," and "AndreyKS"), and others known and unknown to the Grand Jury, devised and intended to devise a scheme and artifice to defraud and to obtain money and property by means of materially false and fraudulent pretenses, representations, and promises.

18. The essence of the scheme and artifice to defraud was to obtain unauthorized access into, and control of, the computer networks of victims through deceit and materially false and fraudulent pretenses and representations, through the installation and use of malware designed to facilitate, among other things, the installation of additional malware, the sending and receiving of data, and the surveillance of the victims' computer networks.
The object of the scheme and artifice to defraud was to steal money and property of value, including payment card data and proprietary and non-public information, which was, and could have been, sold and used for financial gain.

II. MANNER AND MEANS OF SCHEME TO DEFRAUD

19. The manner and means of the scheme and artifice to defraud are set forth in Paragraph 15 of Count 1 of this Indictment.

III. EXECUTION OF SCHEME TO DEFRAUD

20. On or about the dates set forth below, within the Western District of Washington and elsewhere, the defendant, and others known and unknown to the Grand Jury, having devised a scheme and artifice to defraud, and to obtain money and property by means of materially false and fraudulent pretenses, representations, and promises, did knowingly transmit and cause to be transmitted writings, signs, signals, pictures, and sounds, for the purpose of executing such scheme, by means of wire communication in interstate and foreign commerce, including the following transmissions:

Count 2. Date: August 8, 2016. Victim and location: Victim-1, Pierce County. Wire transmission: Email from ___, which traveled through a server located outside the State of Washington, to a Victim-1 employee located within the State of Washington.

Count 3. Date: August 8, 2016. Victim and location: Victim-1, Pierce County. Wire transmission: Email from frankjohnson@revital-travel.com, which traveled through a server located outside the State of Washington, to a Victim-1 employee located within the State of Washington.

Count 4. Date: August 8, 2016. Victim and location: [illegible]. Wire transmission: Electronic communication between a server located outside the State of Washington [...] computer system located within the State of Washington.

Count 5. Date: February 21, 2017. Victim and location: Victim-2, Seattle. Wire transmission: Email, purporting to be from a government account, which traveled through a server located outside the State of Washington, to a Victim-2 employee located within the State of Washington.

Count 6. Date: February 23, 2017. Victim and location: Victim-2, Seattle. Wire transmission: Electronic communication between a server located outside the State of Washington and Victim-2's computer system located within the State of Washington.

Count 7. Date: March 24, 2017. Victim and location: Victim-3, 4120 196th St. SW, Suite 150. Wire transmission: Electronic communication between a server located outside the State of Washington and Victim-3's computer system located within the State of Washington.

Count 8. Date: March 25, 2017. Victim and location: Victim-3, 1415 Broadway, Seattle. Wire transmission: Electronic communication between a server located outside the State of Washington and Victim-3's computer system located within the State of Washington.

Count 9. Date: March 25, 2017. Victim and location: Victim-3, 800 156th Ave. NE, Bellevue. Wire transmission: Electronic communication between a server located outside the State of Washington and Victim-3's computer system located within the State of Washington.

Count 10. Date: March 25, 2017. Victim and location: Victim-3, 4 Bellis Fair Pkwy., Bellingham. Wire transmission: Electronic communication between a server located outside the State of Washington and Victim-3's computer system located within the State of Washington.

Count 11. Date: March 25, 2017. Victim and location: Victim-3, 775 NW Gilman [illegible], Issaquah. Wire transmission: Electronic communication between a server located outside the State of Washington and Victim-3's computer system located within the State of Washington.

Count 12. Date: March 27, 2017. Victim and location: Victim-3, 515 SE Everett Mall Way, Suite [illegible], Everett. Wire transmission: Electronic communication between a server located outside the State of Washington and Victim-3's computer system located within the State of Washington.

Count 13. Date: [illegible] 11, 2017. Victim and location: Victim-3, 22704 SE 4th St., [illegible] 210, Sammamish. Wire transmission: Electronic communication between a server located outside the State of Washington and Victim-3's computer system located within the State of Washington.

Count 14. Date: April 11, 2017. Victim and location: Victim-4, Renton. Wire transmission: Email from ___, which traveled through a server located outside the State of Washington, to a Victim-4 employee located within the State of Washington.

Count 15. Date: March 10, 2017. Victim and location: Victim-5, Puyallup. Wire transmission: Electronic communication between a merchant located within the State of Washington and a payment processor server located outside the State of Washington.

All in violation of Title 18, United States Code, Section 1343.

COUNT 16
(Conspiracy to Commit Computer Hacking)

21. The allegations set forth in Paragraphs 1 through 20 of this Indictment are re-alleged and incorporated as if fully set forth herein.

I. OFFENSE

22. Beginning at a time unknown, but no later than September 2015, and continuing through on or after June 20, 2018, at Seattle, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV (aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS"), and others known and unknown to the Grand Jury, did knowingly and willfully combine, conspire, confederate, and agree together to commit offenses against the United States, [...] and with intent to defraud, access a protected computer without authorization and exceed authorized access to a protected computer, and by means of such conduct further the intended fraud and obtain anything of value exceeding $5,000.00 in any 1-year period, in violation of Title 18, United States Code, Sections 1030(a)(4) and [...]; and

b. to knowingly cause the transmission of a program, information, code, and command, and as a result of such conduct, intentionally cause damage without authorization to a protected computer, and cause loss to one or more persons during a 1-year period aggregating at least $5,000.00 in value and damage affecting 10 or more protected computers during a 1-year period, in violation of Title 18, United States Code, Sections 1030(a)(5)(A) and [...].

II. OBJECTIVES OF THE CONSPIRACY

23. The objectives of the conspiracy included hacking into protected computer networks using malware designed to provide the conspirators
with unauthorized access to, and control of, victim computer systems. The objectives of the conspiracy further included conducting surveillance of victim computer networks and installing additional malware on the victim computer networks for the purposes of establishing persistence and stealing payment card track data, financial information, and proprietary, private, and non-public information, with the intention of using and selling such stolen items, either directly or indirectly, for financial gain. The objectives of the conspiracy further included installing malware that would integrate victim computers into a botnet that allowed the conspiracy to control, alter, and damage compromised computers.

III. MANNER AND MEANS OF THE CONSPIRACY

24. The manner and means used to accomplish the conspiracy are set forth in Paragraph 15 of Count 1 of this Indictment.

IV. OVERT ACTS

25. In furtherance of the conspiracy, and to achieve the objects thereof, the defendant, and others known and unknown to the Grand Jury, did commit and cause to be committed the following overt acts, among others, in the Western District of Washington and elsewhere:

a. As part of its command and control infrastructure, FIN7 used a number of physical servers in different countries to host virtual communication servers. In addition to other channels of communication, FIN7 members used virtual HipChat, JIRA, Mumble, and Jabber servers to collaborate and coordinate their attacks.

b. For example, FIN7 maintained a virtual Jabber server through which members could communicate privately. Among other Jabber communications made in furtherance of the conspiracy:

i. On or about April 14, 2016, a FIN7 member informed ANDRII KOLPAKOV that a particular individual and Fedir Hladyr were the main directors of the group.

ii. On or about April 15, 2016, a FIN7 member informed ANDRII
KOLPAKOV that a particular individual was the chief manager.

iii. On or about January 12, 2017, a FIN7 member introduced himself to a new FIN7 recruit, explained the member's salary would be paid, and indicated that ANDRII KOLPAKOV would be his supervisor.

iv. On or about May 29, 2017, ANDRII KOLPAKOV informed Fedorov that KOLPAKOV had successfully located point-of-sale data and accounting technology on a victim company's network.

v. On or about September 18, 2017, ANDRII KOLPAKOV and Fedorov discussed the file types used in phishing emails, and KOLPAKOV informed Fedorov of the development of an enhanced malware file that can activate without being double-clicked upon by the phishing email recipient.

Victim-1

c. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-1, a hotel and casino in the Western District of Washington. For instance:

i. On or about August 8, 2016, the conspiracy, directly and through intermediaries, used the account to send a phishing email with the subject "order" to an employee of Victim-1 located in Tacoma, Washington, with an attached Microsoft Word document that contained malware. The email contained materially false representations designed to induce the targeted employee to open, enable the malware, and compromise the computer system.

ii. On or about August 8, 2016, the conspiracy, directly and through intermediaries, used the account frankjohnson@revital-travel.com to send a phishing email with the subject "order" to an employee of Victim-1 located in Tacoma, Washington, with an attached Microsoft Word document that contained malware. The email contained materially false representations designed to induce the targeted employee to enable the malware and
compromise the computer system.

iii. Under the control of the conspiracy's malware, a compromised computer of Victim-1 communicated with a command and control server located in a foreign country. For instance, from August 8, 2016, to August 9, 2016, and from August 24, 2016, to August 31, 2016, a compromised Victim-1 computer logged approximately 3,639 communications with various URLs, all starting with revital-travel.com, at an IP address hosted in Russia.

Victim-6

d. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-6, a restaurant chain with locations in multiple states. For instance:

i. On or about August 25, 2016, the conspiracy, directly and through intermediaries, used the account revitaltravel @yahoo.com to send a phishing email to an employee of Victim-6 with an attached Microsoft Word document that contained malware. The email contained materially false representations designed to induce the targeted employee to enable the malware and compromise the computer system.

ii. On or about September 7, 2016, co-conspirator Fedir Hladyr created an issue on the conspiracy's private JIRA server specifically related to Victim-6, to which ANDRII KOLPAKOV subsequently uploaded comments and stolen information pertaining to Victim-6's network structure and administrative credentials.

Victim-7

e. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-7, an automotive retail and repair chain with hundreds of locations in multiple states, including Washington. For instance:

i. On or about January 18, 2017, a FIN7 member created an issue on the conspiracy's private
JIRA server specifically related to Victim-7, to which that individual and Fedorov subsequently posted results from several network mapping tools used on Victim-7's internal network.

ii. On or about January 20, 2017, a FIN7 member posted exfiltrated data, including multiple usernames and passwords, with the title "Server Passwords," to the Victim-7 issue.

iii. On or about January 23 and January 24, 2017, Fedorov posted information about Victim-7's internal network and uploaded a file containing multiple IP addresses and information about Victim-7's servers to the Victim-7 JIRA issue.

iv. On or about January 27, 2017, Fedorov uploaded to the Victim-7 issue a file containing over 1,000 usernames and passwords for generic company accounts and employee accounts. The potentially compromised accounts related to approximately 700 Victim-7 locations throughout the United States, including approximately 12 locations located in the state of Washington.

Victim-2

f. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-2, a corporation headquartered in Seattle, Washington. For instance:

i. On or about February 21, 2017, the conspiracy, directly and through intermediaries, used an account purporting to be filings@sec.gov, but that actually was sent by secureserver.net, to send a phishing email to an employee of Victim-2 located in Seattle, Washington, with an attached Microsoft Word document that contained malware. The email falsely purported to relate to a corporate filing with the SEC and contained materially false representations designed to induce the targeted employee to open the file, enable the malware, and compromise the computer system.

ii. From on or about February 21, 2017, to approximately
March 3, 2017, the conspiracy illegally accessed and had communications with the computer systems of Victim-2 located in Seattle, Washington. For instance, between about February 23, 2017, and February 24, 2017, the victim computer made outgoing connections to, and transferred internal data without authorization to, an IP address located in a foreign country.

iii. On or about February 24, 2017, a FIN7 member posted to a JIRA issue created for Victim-2 a screenshot from the targeted employee's computer at Victim-2, which showed, among other things, an internal Victim-2 webpage available only to employees with a valid user account.

iv. Similarly, a FIN7 member posted to the Victim-2 JIRA issue a text file containing the usernames and passwords of the targeted Victim-2 employee, including his/her personal email account, LinkedIn account, and personal investment and financial institution accounts.

Victim-3

g. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-3, a restaurant chain with thousands of locations, including the State of Washington. From approximately March 24, 2017, to April 18, 2017, the conspiracy accessed computer systems of Victim-3 and implanted malware designed to harvest payment card data from cards used on point-of-sale devices at restaurant locations nationwide, including approximately 33 locations within the Western District of Washington.

Victim-8

h. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-8, a restaurant chain with hundreds of locations in multiple states, including Washington. For instance:

i. On or about March 27, 2017,
the conspiracy, directly and through intermediaries, used to send a phishing email to a Victim-8 employee with an attached Microsoft Word document that contained malware. The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the malware and compromise the computer system.

ii. On or about March 29, 2017, a FIN7 member created an issue on the conspiracy's private JIRA server specifically related to Victim-8 and posted results from several network mapping tools used on Victim-8's internal network.

iii. On or about March 31, 2017, a FIN7 member posted a link to the point-of-sale software management solution used by Victim-8, and a username and password, to the Victim-8 JIRA issue. The software management tool allows a company to manage point-of-sale systems at multiple locations. The FIN7 member also uploaded several screenshots, presumably from one or more victim computers at Victim-8, which showed, among other things, the user logged into Victim-8's account for the software management tool.

iv. On or about April 6, 2017, a FIN7 member uploaded to the Victim-8 JIRA issue a file containing hundreds of usernames and passwords for approximately 798 Victim-8 locations, including 37 locations located in the State of Washington. The file included network information, telephone communications, and locations of alarm panels within restaurants.

v. On or about April 7, 2017, a FIN7 member uploaded to the Victim-8 JIRA issue a similar file containing numerous usernames and passwords for Victim-8 locations.

vi. On or about May 5, 2017, a FIN7 member uploaded to the Victim-8 JIRA issue a file containing file directories on a compromised computer.

vii. On or about May 8, 2017, a FIN7 member uploaded to the Victim-8 issue exfiltrated files related
to a password management system from a compromised computer, which contained the credentials (usernames and passwords) of a particular employee.

viii. On or about May 15, 2017, a FIN7 member uploaded to the Victim-8 JIRA issue screenshots of a compromised computer that showed the employee accessing Victim-8's security infrastructure management software using that same employee's credentials.

Victim-9

i. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of one or more locations of Victim-9, a fast food restaurant chain with thousands of locations throughout the United States, including Washington. For instance:

i. The conspiracy, directly and through intermediaries, sent phishing emails with an attached file that contained malware to multiple Victim-9 locations. For instance, on or about April 7, 2017, the conspiracy used the account oliver_palmer@yahoo.com to send a phishing email to a Victim-9 location in the State of Oregon. The email contained materially false representations designed to induce the targeted employee to open the file, enable the malware, and compromise the computer system.

ii. On or about April 5, 2017, Fedorov created an issue on the conspiracy's private JIRA server specifically related to Victim-9, to which one or more FIN7 members subsequently posted usernames and passwords for Victim-9 locations, including a Victim-9 location in Vancouver, Washington.

Victim-4

j. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of one or more locations of Victim-4, a pizza parlor chain with hundreds of locations, including in Washington. For instance:

i.
On or about April 11, 2017, the conspiracy, directly and through intermediaries, used the account com to send a phishing email with the subject "claim" to an employee of a Victim-4 located in Kenton, Washington, with an attached Rich Text Format (.rtf) document that contained malware. The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the malware and compromise the computer system.

ii. On or about April 11, 2017, the conspiracy, directly and through intermediaries, used the account oliver_palmer@yahoo.com to send a phishing email with the subject "claim" to an employee of a Victim-4 located in Vancouver, Washington, with an attached Rich Text Format (.rtf) document that contained malware. The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the malware and compromise the computer system.

iii. On or about May 25, 2017, the conspiracy, directly and through intermediaries, used the account Adrian 1987clark@yahoo.com to send a phishing email with the subject "takeout order" to an employee of a Victim-4 located in or around Spokane, Washington, with an attached Rich Text Format (.rtf) document that contained malware. The email falsely stated that the sender had a large takeout order and contained additional materially false representations designed to induce the targeted employee to enable the malware and compromise the computer system.

Victim-10

k. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of one or more locations of Victim-10, a fast food restaurant chain
with hundreds of locations in various states, including Washington. For instance:

i. On or about May 24, 2017, a FIN7 member created an issue on the conspiracy's private JIRA server specifically related to Victim-10, to which other FIN7 members subsequently posted information relating to the intrusion of computer systems and exfiltrated data, including files containing passwords and screenshots from one or more compromised computers.

ii. On or about June 12, 2017, the conspiracy, directly and through intermediaries, used the account Adrian 1987clark@yahoo.com to send a phishing email with the subject "order catering" to an employee of a Victim-10 located in Iowa, with an attached Rich Text Format (.rtf) document that contained malware. The email falsely stated that the sender had a catering order for the following day and contained additional materially false representations designed to induce the employee to enable the malware and compromise the computer system.

iii. From on or about June 12, 2017, to a date unknown, the conspiracy illegally accessed and had communications with the computer systems of the Victim-10 located in Iowa. For instance, the conspiracy transferred, without authorization, proprietary, private, and non-public victim data and information, including usernames and passwords, to a JIRA server managed by FIN7 located in a foreign country.

iv. On or about June 14, 2017, a FIN7 member uploaded a variety of information, including recommendations for attack vectors FIN7 members could use to access Victim-10's internal network.

All in violation of Title 18, United States Code, Section 371.

COUNTS 17-19
(Accessing a Protected Computer in Furtherance of Fraud)

26. The allegations set forth in Paragraphs 1 through 25 of this Indictment are re-alleged and incorporated as if fully set forth herein.

27. On or about the dates listed below, within
the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS," and others known and unknown to the Grand Jury, knowingly and with intent to defraud accessed a protected computer without authorization and in excess of authorized access, and by means of such conduct furthered the intended fraud and obtained something of value, specifically, payment card data and proprietary and non-public information, whereby the object of the fraud and the thing obtained consisted of more than the use of the computers and the value of such use was more than $5,000 in a 1-year period, as listed below:

Count 17: August 8, 2016 through October 4, 2016; Victim-1
Count 18: February 21, 2017 through March 3, 2017; Victim-2
Count 19: March 24, 2017 through April 18, 2017; Victim-3

All in violation of Title 18, United States Code, Sections 1030(a)(4), 1030(b), and 2.

COUNTS 20-22
(Intentional Damage to a Protected Computer)

28. The allegations set forth in Paragraphs 1 through 27 of this Indictment are re-alleged and incorporated as if fully set forth herein.

29. On or about the dates listed below, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS," and others known and unknown to the Grand Jury, knowingly caused the transmission of a program, information, code, and command, and as a result of such conduct, intentionally caused damage without authorization to a protected computer, specifically, the protected computer system of the victim listed below, and the offense caused (i) loss to one or more persons during a 1-year period aggregating at least $5,000.00 in value and (ii) damage affecting 10 or more protected computers
during a 1-year period:

Count 20: August 8, 2016 through October 4, 2016; Victim-1
Count 21: February 21, 2017 through March 3, 2017; Victim-2
Count 22: March 24, 2017 through April 18, 2017; Victim-3

All in violation of Title 18, United States Code, Sections 1030(a)(5)(A), 1030 1, 1030(c)(4)(B), and 2.

COUNT 23
(Access Device Fraud)

30. The allegations set forth in Paragraphs 1 through 29 of this Indictment are re-alleged and incorporated as if fully set forth herein.

31. Beginning at a time unknown, and continuing through on or after June 20, 2018, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS," and others known and unknown to the Grand Jury, knowingly and with intent to defraud possessed fifteen or more counterfeit and unauthorized access devices, namely, payment card data, account numbers, and other means of account access that can be used, alone and in conjunction with another access device, to obtain money, goods, services, and any other thing of value, and that can be used to initiate a transfer of funds, said activity affecting interstate and foreign commerce.

All in violation of Title 18, United States Code, Sections 1029(c)(1)(A) and 2.

COUNT 24
(Aggravated Identity Theft)

32. The allegations set forth in Paragraphs 1 through 31 of this Indictment are re-alleged and incorporated as if fully set forth herein.

33. Beginning at a time unknown, but no earlier than on or about February 21, 2017, and no later than March 3, 2017, and continuing through on or after November 21, 2017, at Seattle, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS," and others known and unknown to the Grand Jury, did
knowingly transfer, possess, and use, without lawful authority, a means of identification of another person, to wit: the name, username, and password of a real person, Q, an employee of Victim-2, during and in relation to a felony violation enumerated in 18 U.S.C. 1028A(c), that is, conspiracy to commit wire and bank fraud, in violation of 18 U.S.C. 1349, as charged in Count 1, and wire fraud, in violation of 18 U.S.C. 1343, as charged in Counts 5 and 6, knowing that the means of identification belonged to another actual person.

All in violation of Title 18, United States Code, Sections 1028A(a) and 2.

COUNT 25
(Aggravated Identity Theft)

34. The allegations set forth in Paragraphs 1 through 33 of this Indictment are re-alleged and incorporated as if fully set forth herein.

35. Beginning at a time unknown, but no later than on or about May 8, 2017, and continuing through on or after November 21, 2017, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS," and others known and unknown to the Grand Jury, did knowingly transfer, possess, and use, without lawful authority, a means of identification of another person, to wit: the name, employee credentials, username, and password of a real person, N.M., an employee of Victim-8, during and in relation to a felony violation enumerated in 18 U.S.C. 1028A(c), that is, conspiracy to commit wire and bank fraud, in violation of 18 U.S.C. 1349, as charged in Count 1, knowing that the means of identification belonged to another actual person.

All in violation of Title 18, United States Code, Sections 1028A(a) and 2.

COUNT 26
(Aggravated Identity Theft)

36. The allegations set forth in Paragraphs 1 through 35 of this Indictment are re-alleged and incorporated as if fully set
forth herein.

37. Beginning at a time unknown, but no later than on or about January 27, 2017, and continuing through on or after November 21, 2017, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS," and others known and unknown to the Grand Jury, did knowingly transfer, possess, and use, without lawful authority, a means of identification of another person, to wit: the name, username, and password of real persons E L M A P R O and L D employees and in relation to a felony violation enumerated in 18 U.S.C. 1028A(c), that is, conspiracy to commit wire and bank fraud, in violation of 18 U.S.C. 1349, as charged in Count 1, knowing that the means of identification belonged to another actual person.

All in violation of Title 18, United States Code, Sections 1028A(a) and 2.

FORFEITURE ALLEGATION

38. The allegations contained in Counts 1 through 15 of this Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to Title 18, United States Code, Section 981(a)(1)(C), and Title 28, United States Code, Section 2461(c). Upon conviction of any of the offenses charged in Counts 1 through 15, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS," shall forfeit to the United States any property, real or personal, which constitutes or is derived from proceeds traceable to such offenses, including but not limited to a judgment for a sum of money representing the property described in this paragraph.

39. The allegations contained in Counts 16 through 22 of this Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to
Title 18, United States Code, Sections 982(a)(2)(B). Upon conviction of any of the offenses charged in Counts 16 through 22, the defendant shall forfeit to the United States any property constituting, or derived from, proceeds the defendant obtained, directly or indirectly, as the result of such offenses, and shall also forfeit the defendant's interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such offenses, including but not limited to a judgment for a sum of money representing the property described in this paragraph.

40. The allegations contained in Count 23 of this Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to Title 18, United States Code, Sections 981(a)(1)(C) and and Title 28, United States Code, Section 2461(c). Upon conviction of the offense charged in Count 23, the defendant shall forfeit to the United States any property, real or personal, which constitutes or is derived from proceeds traceable to such offense, and shall also forfeit any personal property used or intended to be used to commit such offense, including but not limited to a judgment for a sum of money representing the property described in this paragraph.

Substitute Assets

41. If any of the property described above, as a result of any act or omission of the defendant:

a. cannot be located upon the exercise of due diligence;
b. has been transferred or sold to, or deposited with, a third party;
c. has been placed beyond the jurisdiction of the court;
d. has been substantially diminished in value; or
e. has been commingled with other property which cannot be divided without difficulty,
the United States of America shall be entitled to forfeiture of substitute property pursuant to Title 21, United States Code, Section 853(p), as incorporated by Title 28, United States Code, Section 2461(c).

DATED:

Signature of Foreperson redacted pursuant to policy of the Judicial Conference
FOREPERSON

ANNETTE L. HAYES
United States Attorney

ANDREW C. FRIEDMAN
Assistant United States Attorney

FRANCIS FRANZE-NAKAMURA
Assistant United States Attorney

Assistant United States Attorney

ANTHONY TEELUCKSINGH
Trial Attorney
Computer Crime and Intellectual Property Section