OCR of the Document

View the Document >>

United States District Court for the Western Washington District at Seattle, "United States of America v. Andrii Kolpakov, superseding indictment", July 27, 2018. Unclassified.

Case Document 11-1 Filed 07 27 18 Page 1 of 33 Exhibit 5 Indictment Dkt United States v Kolpakov CR18-159RSM CD STATES OFIAMERICA vl i 00 -Case 2 18-cr-oo159-RSM Document 11-1 Filed 07 27 18 Page 2 of 33 Presented to the Court by the foreman of the Grand Jury in open Court in the presence of the Grand Jury and FILED in the US DISTRICT COURT at Seattle WashingtonI - UNITED STATES DISTRICT COURT FOR THE - WESTERN DISTRICT OF WASHINGTON AT SEATTLE - 159 up 7 PlaIntIff - ANDRII KOLPAKOV aka Andrey Kolpakov - aka Andny Kolpakov aka Andre Kolpakovf I aka Andrew Kolpakov aka fsantisimo aka santisimoz _ aka AndreyKS' 7 Defendant The Grand Jury Charges that DEFINITIONS I 1 IP Address An Internet Protocol address orsimply address is a unique numeric address used by devices 'sucha's computers on the Internet Every deVice attached to the Internet must be assigned an address so that Internet traf c sent from and directed to that device may be directed properly from it's Source to its IdestinatiOn Most Internet service providers control a rangeof IP addresses I I WASHINGTON 9810 - I 206 5537-7970 A Indictment United States v Kolpak'ov - 1 o 00 s oxun Case Document 11-1 Filed 07 27 18 Page 3 of 33 Server A server is a computer that provides serviCes for other computers I connected to it via a network or the Internet The computers that use the server s services are sometimes called clients Servers can be physically located anWhere with a I network connection that may be reached by theclients ferexample it is not uncommon I 5 '3 for a server to be located hundreds or even thousands of miles aWay from the client computers A'server may be either a physical or virtual machine A physical server is a - piece of computer hardware con gured as a server with its own power source central processing 3 and associated software A virtual server is typically one of many servers operate on a single physical server - Each virtualserver shares the hardware resources of the physical server but the data residing on each Virtual server-isi'segregated from the data onITOther virtual-servers that reside on the same physical machine- - 3 Malwarez Malware is malicious computer code running on a computer Relative to the owner authorized user of that computer malware is computer code that is running on the system that is unauthorized and present on the system without the user s consent Malware can be designedto do a variety of things including logging every I keystrOke on a' computer stealing nancial information or user credentials passwords or usernames or commanding that computer to become part of a network of robot or hot Computers known as a botnet In addition malware can be used to transmit data from the infectedcomputer to another destination on the Internet as identi ed by an IP address Often times these destinatioan addresses are computers controlledby cybercriminals 4 The Carbanak malware Carbanak is the name given by computer seCurity researchers to a particular malicious software malware program 'Carbanak has i been used to remotely access computers without authorization The Carbanaik malware allows an attacker tospy on another person s computer and remotely control the I computer Garb-anak 'can record videos of the victim s computer screen and send the - recordingsiback to the attacker It canalso let the attacker use the victim Computer to UNITED STATES ATTORNEY Indictment United States v Kolpakov - 2 700 STEWART STREET Sums 5220 206 553-7970 I I 98101 - OOQQLDAUJNHOKDOOQONM-ILWNH Indictment 1 United States v Kolpakov 3 Case Document 11-1 Filed 07 27 18 Page 4 of_ 33 - attack other'computer's and to steal les from the Vietimcomputer and install other malware All of thiscan be dene without the legitimate user s knowledge or perrniSSion i 5 But A hot computer is a computer that'hasbeen infected with some kind I of malicious software 0r code and is thereafter subject to controlby someone otherthan the true owner The true owner of the infected computer usually remains able to use the computer as he did before it was infected although speed or performance may be compromised 7 I I 6 Botnet A botnet lis a network of compromised computers knownas bots that are under the control of acybercriminal or bot herdert The bets are - harnessed by the bot herder through the surreptitious installation of malware that provides the bot herder with remote access to and control of the compromised computers A botnet may be used en masse in a coordinated fashion to deliver a variety of lntemet based attacks including attacks brute force pasSword attacks the transmiSSion of spam emails the transmission of phishing emails and hosting communication netWorks - for cybercriminals acting as a proxy sewer for email communications I - I 7 Phishing ' Phishingis a criminal scheme in which the perpetrators use I mass email messages and or fake websites to trick people into providing information such as network credentials elg usemames and passwords that may later be used to gain access to a Victim s Systems Phishing schemes often utilize social engineering techniques similar to 'traditiOnal eoneartist techniques in order to trick victims into I believing they are providing their information to a trusted vendor customer or other acquaintance Phishing emails are also Often used to trick a Victim into clicking on 7 documents 'or links that contain malicious softWare that will compromise victim s computer system8 Spear Phishingi Spear phishing is a targeted form of phiShing directed towards a specific individual organization or business Although often intended to steal data for'malicious purposes cybercriminals may also use Spear phishing schemesito install malware on a targeted user s computer i UNITED STATES ATTORNEY 700 STEWART STREET SUITE 5220 SEATTLE WASHINGTON 98101 206 553-7970 Case Document 11-1 Filed 07 27 18 Page 5 of733 9 Seeial Engineering Social engineering is a skill developed over time by people who seek to acquire protected information through manipulation of social relationShips People who are skilled in social engineering can convince key individuals to divulge protected information or access credentials that the social engineer deems valuableto the achievement of his or her aims 10 Pen-Testing Penetration testing or pen-testing is the practice of testing a computer system network or computer application to nd vulnerabilities that an attacker may exploit Conspiracy to Commit Wire and Bank Fraud 1 I 11 The allegations set forth in Paragraphs 1 through 10 and 21 through 25 of I this Indictment are re-alleged and incorporated as if fullyset fOIth herein 12 Beginning at a time unknoWn but no later than September-2015 and 7 continuing through on or after June '20 2018 at Seattle Within the Western District of i Washington elsewhere the defendant ANDRII KOLPAKOV aka Andrey I Kolpakov Andriy Kolpakov AndreKolpakov Andrew KolpakOV Sa_11tiSimo santisimozfi and AndreyKS and others known and unknown to the Grand Jury did knowingly and willfully combine conspire confederate and agree tOgether to commit offenses against the United States to witknowingly and willfully devise and execute and attempt to execute a scheme and arti ce to defraud and for obtaining money and property by i 1 means of materially false and'fraudulent pretenses representations and promises and in executing and attempting to execute this scheme andrarti ce to knowingly cause to be transmitted in interstate and foreign commerce by means of wire communication 'ce1tain I signs signalsand sounds as further described below in violation of Title 18 United 7 States Code Section 1343 UNITED STATES ATTORNEY 700 STEWART STREET SUITE 5220 WASHINGTON 98101 206 5 53-7970 Indictment United States v Kolpdkov - 4 Case Document 711-1 FiledO7 27 18 Pag-e60f 33 to knowingly'and will zlly devise and execute and attempt to execute a scheme and arti ce to defraud nancial institutions as de ned by Title 18 i United States Code Section 20 and to obtain moneys funds credits under the custody and Control of the nancial institutions by means of materially false and fraudulent pretenses representations and premises in Violation cf Title 18 United States Code Section 1344 1 and 2 II OBJECTIVES OF THE CONSPIRACY 13 The defendant and others known and unknown to the Grand Jury Were partof a nancially motivated cybercriminal conspiracy known variously as FIN7 the Carbanak Group and the Navigator Group referred to herein asif FIN7 consists of a group of criminal actors engaged in a sophisticated malware campaign targeting the 1 computer systems of businesses primarily in the restaurant gaming and hospitality industries among others I 14 networks using malicioussoftware hereinafter malware - designed to'provide the The objectives of the conspiracy included hacking into protected computer conspirators with unauthorized acCess to and control of victim computer systems The objectives of the conspiracy further included conducting surveillance of victim computer networks and installing additional malware on victim computer networks for the purposes of establishing persistence and stealing money and property including payment card credit and debit track data nancial information and proprietary and non- public information The'objectives of the conspiracy further included using and selling the stolen data'and information for nancial gain in aivariety of ways including but net limited to using stolen payment card data to conduct fraudulent transactions across the United States and in foreign countries MANNER AND MEANS OF THE CONSPIRACY 15 The manner and means used to accomplish the Conspiracy included the following i 7 UNITED STATES ATTORNEY i 7700 STEWART STREET SUITE 5220 SEATTLE WASHINGTON 98101 206 553-7970 Indictment United States v Kolpakov - 5 7 7' Document 11-1 Filed 07 27 18 Page of 33 a FIN7 developed and employed various malWare designed-to infiltrate compromise and gain control of the computer s ystems of Victim Companies operating in the United States and elsewhere including within the Western District of 7 WaShington FIN 7 established'and operated an infrastructure of servers located in various countries through which FIN 7 members coordinated activity to further the scheme This infrastructure included but was not limited to the use of command and control servers accessed through custom hotnet control panels that communicated with and controlled compromised computer systems of victim companies b FIN7 created a front company doing business as Combi' Security to facilitate the malware scheme by seeking to make the scheme s illegal conduct appear legitimate Combi Security purports to operate as aconiputer securityjpen testing company based in MoScow Russia and Haifa Israel As part of advertisements and public internet pages for Combi Security FIN7 portrayed Combi Security as a legitimate penetration testing enterprise that hired itself out to businesses for the purpoSeof testing their computer security systems i 2' a Under the gUise of a legitimate computer security company doing business as Combi Security reoruited individuals with computer programing skills falsely claiming that the prospective employees would be engaged in legitimate pen-testing of client computer networks In truth and in fact as each defendant and his FIN7 co-conspirators well knew Combi Security was a front company used to hire and deploy hackers who were giVen tasks furtherance fof the conspiraCy I FIN7 targeted victims in the Western District of Washington and elsewhere usingphishing techniques to distribute malWare designed to gain unauthorized access to take control of and ex ltrate data from the computer systems of various businesses PM 7 s targeted victims include more than 120 identi ed Companies including but not limited to the following representative victim companies 7 Victim 1 referenced herein is the Emerald QueenHotel and 7 Casino EQC a hotel and casino owned and operated by a federallyirecogniZed Native UNITED STATES ATTORNEY 700 STEWART STREET SUITE 5220 SEATTLE WASHINGTON 98101 206 553-7970 Indictment United States v Kolpakov - 6 case Document 11-1 Filed 07 27 18 Page8-Of 33 American Tribe with locations in Pierce County within the Western Districtof ii VictimmZ referenced herein is_ a public corporation headquartered in Seattle within the Western District of Washington Washington with operations throughout the United States and elsewhere 1 Victim-3 referenced herein is Chipotle Mexican Grill a U S -based restaurant Chain with thousands of locations in the UnitedStates including in the Western District of Washington and in Canada andrnultiple European countries I 1 iv Victim-4 referenced hereinis- a U S - based pizza parlor chain with hundreds of locations predominantly in the Western United I States including in the Western District of Washington 7 v Victim 5 referenced herein is BECU a federally insured credit union headquartered in the Western District of Washington I - Victim-6 referenced herein-is Jason s Deli a- U S -based casual delicatessen restaurant chain with hundreds of locations in the United States vii Victim-7 referenced herein is_ an automotive retail and repair chain with hundreds of locations in the United States ineluding in the i_ I Western District Of Washington I I Victim-8 referenCed herein is Red Robin Gourmet Burgers and Brew-s Red Robin a casual dining restaurant chain founded in the Western District of Washington with hundreds of locations in- the United States including in the Western District-of Washington I Victim-9 referenced herein is Sonic Drive in Sonic a U S -based drive-in fast-food chain with thousands of locations in the United States A ineluding 'in'the Western District of Washington I 7 I x - Victim-10 referenced herein is Taco John s a U S -based fast-food restaurantichain with hundreds of locations in the United States including in the Western District of Washington 5 I Indictment United States vQKolpakov - 7 3 WEED STATES ATTORNEY - SEATTLE WASHINGTON 9810 I 206 553 7970 1-7 oo-xlan-thv IOWOO-qcxm-bmmi dc Case Document 11-1 Filed 07 27 18 Page 9 of 33 I 7 e FIN7 typically initiated its- attacks by deliVering directly and i 7 through intermediaries a phishing email with an attached malicious le using Wires in interstate and foreign commerce to an employee of the targeted-victim company The attachedmalicious le usually was a MicrosoftirWord doc or dccx or Rich Text File rtf document with embedded malware FIN7 used a variety of malware' delivery I mechanisms in its phishing attachments including bat not limited to weaponized 7 I Microsoft Word macros malicious Object Linking and Embedding OLE objects malicious visual basic scripts or avaSc'ript and malicious embedded _shortcut les I les In Some instances the phishing email or attached le contained a link to malware' hosted on servers controlled by FIN7 The phishing email through false representations - and pretenses fraudulently induced the victim company'employee to open theattachmenti or click on the link-to activate the malware For example when targeting a hotel chain the purported sender of the phishing email might falsely claim to be interested in making I a hotel reservation Bywayof further example when targeting a reStaurant chain the a purported sender of the phishing email might falsely claim to be intereSted in placing a - catering order Or making a complaint about prior food service at the restaurant 7 I f In certain phishing attacks FIN7 directly and thrcugh intermediaries sent phishing emails to personnel at victim companies who had unique access to internal proprietary and non-public company information including but not limited to employees involved with making lings With the United States Securities and EXchange Commission These emails used an'email address that spoofed an email address associated with the electronic ling syStem and-induced the I recipients to activate the malware contained in the emails attachments - g In many of the FIN 7 attacks a FIN7 member orpsomeone hired by FIN7 speci cally for such purpose would also call the victim company using- res in interstate and foreign commerce to legitimize the phishing email and convince the victim I company employee to open the attached document using social engineering techniques For example when targeting a hotel chain or a restaurant chain a conspirator would - 7 Indictment United States v Kolpaltov - 8 UNITED STATES ATTORNEY SEATTLE WASHINGTON 98101 206 553-7970 STREET SUITE 5220 Case Document 11-1- Filed 07 27 18 Page 10 of 33 make afollowgup call falsely claiming that the details of a reservation order or customer complaint could be found in the le attached to the previously delivered email to induCe the employee at the victim company to read the phishing email open the attached le and activate the malware - a I h If the recipient activated the phishing email attachment or clicked on I the link the recipient would unwittingly activate the malware and the computer on which it was Opened would become infected and connect to one or more command-and 7' control servers centrolled by FIN7 to report details of the newly infected computerand download additional malware The command and control infrastructure relied upon various servers in multiple countries including but not limited to the United States typically leased using false information such as alias names and ctitious information i FIN7 typically would install additional malware including the carbanak malware to connect to additional FIN7 command and control servers to establish remote control of the victim computer j Once a victim s computer was c'ompromised FIN7 would incorporate theicompromised machine or bot into a botnet - k 7 FIN7 designed and used a eastern botnet control panel to manage I I a I and issue commands to the compromised machines 1 I Once a victim company s computers were incorporated into the FIN7 botnet and remotely controlled by FIN7 s malware the group used this remote control and access to among other things install and manage additional malware conduct surveillance map and navigate the comprOmised computer network compromise additional computers ex ltrate les and send and receive data For instance FIN7 often conducted surveillance on the victim s computer network by among'other things I capturing screen shots and videos of victim computer workstations that provided the IeonSpirators with additional information about the victim company computer-network I and non-public credentials for both generic company accounts and for actual cOmp'any employees UNITED STATES ATTORNEY Indictment United States v Kolpakov 700 STREET SUITE 5220 A 206 553-7970 98101 - Case-2 18-cr-00159-RSM Document 11-1 Filed 07 27 18 Page 1101533 my FIN7 used itsaccess to the victim s computer network and informationgleaned from surveillance of the Victim s computer systems to install additional malware designed to target and extract particular information and preperty of value including payment card data and- proprietary and non-public information For instance FIN7 often utilized-Various off-the-shelf software and custom malware and a combination thereof to extract and transfer data to a loot folder on one or more servers I i controlled by IN7 n IN7 frequently targeted victim companies with customers who use 7 payment cards while making legitimate point-of sale purchases such as victim companies in the restaurant gaming andfhospitality industries In those cases FIN7 con gured malware to extract copy and compile the payment card data and then to transmit the data from the Victim computer systems to servers controlled by FIN7 o For example between approximately March 24 2017 and April 1-8 2017 FIN7 harvested payment card data frOm point-of-sale devices-at certain Victim-Q3 restaurant locations including dozens of locations in the Western District of washington p FIN7 stole millions of payment card numbers many of which have been offered for sale through vending-sites including but not limited to Joker s Stash thereby attempting to generate millions of dollars of illicit pro ts 1 i The payinent card data were offered for sale to'allow purchasers to falsely represent themselves as authorized users of the stolen payment cards and to use the stolen payment Card information to purchase goods and serVices in fraudulent transactions throughout the United States and the world resulting in millions of dollars in lossesto and thereby affecting merchants and banks including nancial institutions as de ned in Title 18 United States Code Section '20 For lexample 'on or about March 110 2017 stolen payment card data relatedto accounts held at Victim-5 a nancial institution headquartered in the western District 'of Washington compromised-through the computer network intrusion of a victim company was used to make unautho zed- purchases at a merchant in Puyallup Washington Indictment United States v Kolpakov - 10 UNITED STATES ATTORNEY 98101 206 553-7970 700 STEWART STREET SUITE 5220 I Case Document 11-1 Filed 07 27 18 Page 12 of3-3 r FIN7 members employed various techniques toconceal their identities - including simultaneously utilizing Various leased servers that had been leased '7 using false Subscriber informatiom in multiple countries I I s I FIN7operated as a structured-enterprise with a hierarChical I command structure under which dozens of members with diverse skillsets could i I I coordinate their malicious activity Key members of the scheme ineluded but were not - limited to i i Fedir Hladyr a systems administrator who among other things maintained Servers and-communication channels used by the organization I Fedir I Hladyr played aleadingmanagerial role by delegating tasks and by providing instruction to Other members 'of the scheme I I I i ii Fedorov a high-level pen-tester who supervised other hackers speci cally tasked with breaching the security of ivictims computer systems without the Victims knowledge or consent i 7 KOLPAKOV a hithevel Fpen-tester who supervised other hackers responsible for breaching the security of victims computer systems without the victims knowledge or consent 7 t 1N7 members typically communicated with one another and others through private cominunication channels to further their malicious activityr other channels IN7 conspirators communicated using Jabber an instant'messaging service that allows members to communicate across multiple platforms and that'supports end-toFor example iniJabber Communications with other FIN7 members co-consPirator using his alias 5 hotdima referenced using malware in connection with several speci c victim companies discussed using the administrative control panels to receive data from compromised computers and identi ed several pen testers working at his direction I i Indictment United States v Kolpakov 11 UNITED STATES ATTORNEY - SEATTLE WASHINGTON 98101 - 206 553-7979 5220 Case Document 11-1 Filed 07 27 18 Page 13 of 33 7 v 1N7 members often communicated through a private HipChat server HipChat is a group Chat instant messaging and le-sharing program IN7 members used its HipChat 'server to collaborate on malware and victim business I intrusions to interview potential recruits and to upload and share en ltrated data such as stolen payment card data As a system administrator co conspirator Fedir Hladyr created HipChat user accounts for FIN 7 members that allowed them to access the server i W Co-conspiratorFedir Hladyr also created and partiCipated in multiple HipChat rooms with otherlF members and participated in the uploading and I Organization of stolen payment card data and malware For example on or about March 14 2016 co-conspirator Fedir Hladyr uploaded an archiVe that contained numerous data files created by malware designed to steal data from point of sale systems that process - payment cards The les contained payment card numbers stolen from a victim company that had publicly reported a security breach that resulted in the compromise of tens of 7 thousands of payment cards By way of further example co-conspirator edir Hladyr also set up and used a HipChat room titled MyFile p inrwhich he was the only I I participant and to which he uplOaded malware used by IN7 and st0len payment card 7' information I 7 - x conspirators used numerous email accounts hosted by a variety of providers in the United States and elsewhere which they often registered using false subscriber information I 7 y I FIN7 conSpirators frequently used the project management software HRA hosted on private Virtual servers in various c duntries to coordinate their malicious activity and to manage the assorted network intrusions is project'management and issue-tracking program used software development teams FIN7 members i a typically created a project on the virtual server and then associated issues -withi the project each issue akin to an iSsue directory or felder for a Victim company which they used to collaborate and share details of the intrusion to poet victim company UNITED STATES ATTORNEY- Indictment United States v Kolpakov 12 5220 206 553-7970 SEATTLE WASHINGTON98101 - H Case Document 11-1 Filed 07 27 18 Page 14 of 33' 3 I intelligence such as network mapping information and to store and share ex ltrated dataFor example 011 about September 7 2016 co-conspiratorFedir Hl'adyr created an isSue for Victim-6 to which FIN7 conspirators including KOLPAKOV posted les containing internal credentials for the victim companfs I I I computer networkfurther example on multiple occasions January 2017 co COnspiratOr Fedorov and another FIN7 member posted to the issue created for- Victim 7 information about the victim company s internal network and o- uploaded ex -ltrated data including stolen employee credentials Similarly on or about g d April 5 2017 Fedorov created an issue for another victim company Victim-9 Hr i and uploaded stolen user credentials from the victim company I DJ bb conspirators knew that the scheme would involve the use or 5 wires in both interstate and foreign commerce to accomplish the objectives of the has LA scheme For example each defendant and his FIN7 co4conspirators knew that eneeution I l of the scheme necessarily caused the transmission Of wire communications between the pa United States and one or more servers controlled by 1N7 located foreign countries All in violation of Title 18 United States Code Section 1349 OWDOO Wire Fraud 1' 3 16 The allegations set forth in Paragraphs lthrough 15 of this Indictlnentare mi ww mmw n re-alleged and incorporated-ais- if fully'set forth herein 1 SCHEME AND ARTIFICE TO DEFRAUD 17 Beginning at a3 time Unknown but no later than September 2015 and - our continuing through on or after June 20 2018 at Seattle within the Western District of I Washington and elsewhere the defendant KOLPAKOV aka Andrey - Kolpakov Andriy Kolpakov Andre Kolpakov Andrew Kolpakoir santisimo -1 00 Indictment United States v Kolpakov - 13 - - UNITED STATES ATTORNEY - - A 700 STEWART STREET SUITE 5220 SEATTLE WASHINGTON 98101 206 553-7970 Case Document-ll-l Filed 07 27 18 Page 15 of 33' SantisimOZ and AndreyKS and others known and unknown to the Grand Jury devised and intended to devise a scheme and arti ce to defraud and to obtain money and property by means of materially false and fraudulent pretenses representations and promises I 7 l8 The essence of the scheme and arti ce to defraud was toobtain- unauthorized access into and control of the computer networks of victims through deceit I and materially false and fraudulent pretenses and representations through the installation use of malware designed to facilitate ameng other things theinstallatiOn of additional malware the sending and receiving of data and the surveillanceof the victimS computer networks The object of the scheme and arti ce to defraud was to steal moneyand property of value including payment Card data and proprietary and none public information which was and could have been sold and used for nancial gain 11 MANNER AND MEANS OF SCHEME TO DEFRAUD 19 The manner and means of the scheme and artifice to defrandare set- forthin Paragraph 15 of Count 1 of this Indictment EXECUTION 0F SCHEME To DEFRAUD I i 20 On or about the dates set forth below within the Western District of Washington and elsewhere the defendant and others known and unknown to the Grand having devised a scheme and arti ce to defraud and to obtain money and property by means of materially false and fraudulent pretenses representations and promises knewingly transmit and cause to be-transmitted writings signs signals pictures and 7 sounds for the purpose of executing such-scheme means of wire communiCation in interstate and foreign commerce including the following transmissions Email from which traveled through 'a server lecated outsidethe'State of I Washington to a Victim-1 employee located within the State of Washington i I Victim-1 2 AugUSt 8 2016 Pierce County UNITED STATES ATTORNEY 700 STEWART STREET SUITE 5220 SEATTLE WASHINGTON 98101 206 553-7970 Indictment I United States v Kobakov - l4 Case Document 11-1 Filed 07 27 18 Page 16 of 33 3 August 8 2016 Victim l Pierce County Email from frank ohnson@revital- - i travel com which traveled through a server locatedsoutside the State of Washington to a Victini l employee located within the State of Washington 7 4 August 8 2016 I Victim-1 Pierce County Electronic coMunication between a server located outside the State of Washington and Victim-l 5 computer system located Within the State of 3' Washington Victim-2 I government account Which traveled Email purporting to be from a I through a Server located outside the 5 February 21 2017 Seattle State of Washington toa Victim 2 employee located within the State of i 7 Washington -- - Electronic communication between a 'r l_ Victim_2 server located'outside the State of 6 February 23 2017 - Seattle and Victim-2 s computer- - system located within the State of I Washington 7 Electronic communiCation between a g' Victlm 3 7 March 24 2017 4120 196til St SW server located outside the State rof Washington and Victim-3 s computer system located Within the State of I Washington Electronic communication between a Victim 3 server located Outside the State of 8 - March 25 2017 1415 Broadway washington and Victim-3 8 Computer i Seattle system located within the State of Washington 1 Electronic communication between a Victim 3 server located'outside the State of 9' March 25 2017 800 156th Ave NE Bellev'ue' Washington and Victim-3 s computer I i system located Within the State of Washington Indictment United States v Kolpakov 15 i UNITED STATES ATTORNEY 700 STEWART STREET SUITE 5220 if 206 553-7970 momusmmuoomqmasms ZS Case Document 11-1 Filed 07 27 18 Page 17 of33- I Electronic communication betWeen a - Victim-3 Server located Outside the State of- - 10 - MarCh 25 2017 4 Bellis Fair PkWy Washington and Victim-3 s computer Bellingham system located within the State of - I- Washington I Victim_3 Electronic Communication between a I - 77 5 Gilman server located outside the State of 11 II March 25 2017 B1 - d A Washington and Victim-3 scomputer I ssaqlga system located within the State Of Washington I Victims - 1 Electronic communication between a 515 SE Everett server located outsidethe State of I I 12 March 27 2017 I Mall Way Suite - and Victlm-3 s computer Eva mt system located withm the State of - - Washington Victim_3 Electronic communication between a I - - 22704 SE 4th St server located outside the State of 13 11 2017 I t 2'10 - and V1ct1m 3 s computer Saunig mis h system located within the State of Washington Email from I which I - Victim-4 - traveled through a server lo cated 14 Apnl 11 2017 Renton - outside the State Of Washington to a Victim-'4 employee located within the State of Washington Electronic communication between a Victim_5 merchant located within the State of 15 March 10 2017 Pu 11 Washington and aIpayment processor ya up 7 server located outside the State of waShington All in violation of Title '18 United States Code Section 1343 COUNTIG I I Conspiracy to Commit Computer Hacking I I 21 The allegations set forth in Paragraphs 13through of this Indictment are Indictment United States v Kolpakbv - 16 re-alleged and incorporated as if fully set-forth herein UNITED STATES ATTORNEY 700 STEWART STREET SUITE 5220 SEATTLE WASHINGTON 98101 - 206 553-7970 o Ch Um 93 Case Document 11-1 Fileng7 27 18 Page 18 of33 I OFFENSE a 22 Beginning at a time unknown but no latergthan' September 2015 and I I Continuing-through on or'zafter June 20 2018 at Seattle Within the Western District of Washington and elsewhere the defendant ANDRII aka fAndrey Kolpakov Andriy Kolpakov V V EAndre Kolpakov Andrew Kolpakov santiSimo _ santisimoz and AndreyKS and others known and unknown to the Grand Jury did knowingly and willfully Combine conspire confederate and agree together to commit offenses against the United Statesand with intent to defraud access a protected computer i 7 Without authorization and exceed authorized access to a protected computer and by means of such conduct further the intended fraud and obtain anythingof value exceeding $5 000 00 in any l-year period violation of Title 18 United States Code Sections 103 and and i i if b to knowingly cause the transmission of aprogram info nation code and command and as a result of such conduct intentionally cauSe damage without authorization to a protected computer and cause 1038 to one or more persons a 1- 7 year period aggregating at least $5 000 00 in value and damage affecting 10 or Incre protected computers during a l-year period in violation of Title 18 United States Code Sections and n OBJECTIVES OF THECONSPIRACY 23 networks using malware designed to provide the c'onSpiratOrs with unauthorized access The objectives of the conspiracy included hacking into protectedcomputer to and control of victim computer systems The objectives cf the conspiracy further included conducting surveillance 'of victim computer netWorks and inStalling additional malware ongthe victim computer networks for the purposes of establishing persistence I 9 i and stealing payment 'card track data nancial information - and proprietary priVate and non-public information with the intention of using and selling such stolen items either directly or indirectly for nancial gain The objectives of the conspiracy further UNITED STATES ATTORNEY 700 STEWART STREET Sums 5220 SEATTLE WASHINGTON 98101 206 553-79707 Indictment United States v K01pak0v - l7 22Indictment UnitedStates v Kolpakov 18 Case Document 11-1 Filed 07 27 18 Page 19 of 33 included installing malware that would integrate victim computers into a botnet that allowed the conspiracy to control alter and damage compromised Computers m MANNER AND MEANS OF THE CONSPIRACY I 24 I The manner and meansused to accomplish the conspiracy are set forth in Paragraph 15 of Count 1 or this Indictment I I IV OVERT ACTS I I 25 In furtherance of the conspiracy and teachieve the objects thereOf the defendant and others known and unknown to the Grand Jury did commit and cause to be - committed the following overt acts among others in the Western District of Washington I and elsewherepart of its command and control infrastructure FIN7'useda number of physical seniors in different countries to host Virtual communication servers In addition to other channels of communication FIN 7 members used virtual Hip'Chat JIRA Mumble and Jabber servers to collaborate and coordinate their attacks b For example FIN7 maintained a virtual Jabber server through which members could communicate priVately Among other Jabber communications made in furtherance of the conspiracyabout April 14 2016 a FIN7 member informed ANDRII KOLPAKOV that a particular individual and edir Hladyr were the main directors of the groupabout April 15 2016 a FIN7 member informed ANDRII KOLPAKOV that a particular individual was the chief manager on or about January 12 2017 a FIN7 member introduced himself to a new INI7 recruit explained him the member s salaryiw0uld be paid and indicated that ANDRII KOLIPIAKOV would be his supervisorabout May 29 201 7 ANDRII KOLPAKOV informed Fedorov that KOLPAKOV had success illy'located point-of-salei'data and accounting technology on a victim company s network UNITED STATES ATTORNEY 700- STEWART STREET SUITE 5220 205 553-17970 SEATTLE WASHINGTON 98101 Case Document 11-1 Filed 07 27 18 Page 20 of 33 V On or about September 18 2017 and Fedorov dismissed the le types used in phishing emails and KOLPAKQV informed Fedorov of the deveIOpment of an enhanced malware le that can actiyate without being double-clicked upon by the phishing email reCipient' i Victim-1 I The conspiracy compromised illegally acCessed had unauthorized communications with and eX ltrated proprietary priVate and-inon public victim data and inforrnation from the computer systems of Victim-1 a hotel and casino the Western District of Washington For instanceabout August 2016 the conspiracy directly and through intermediaries used the account to send a phishing email with the subject order - to an employee of Victim-l located Tacoma Washington with an attached Microsoft Word document that contained malware The email contained materially false representations designed torinduce the targeted employee to open enable the malware and compromise the computer systemabout August 8 2016 the conspiracy directly and through intermediaries used the account to send a phishing email With the Subject order to an employee of Victim-l'located in Tacoma Washington with an attached Microsoft Word document that contained malware The 7 email contained materially false representations designed to induce the targeted employee to enable the malware and comproiniSe the computer system I 7 - Under the control of theiconspiracy s malware a Compromised computer of Victim 1 communicated with a comrrland and control server located in a foreign country Fer instance from August 8 2016' to August-9 2016 and from August 24 2016 to August 31 2016 a compromised Victim- 1 computer logged approximately 3 639 communications- with various URLs all Starting With revital- travelcom at an'IP address hosted in Russia UNITED STATES ATTORNEY - 700 STREET Sum 5220 SEATTLE WASHINGTON 98101 206 553-7970 Indictment United States v KolpakOV - 19 Case Documentll-l Filed 07 27 18 Page 21 of 33 Victim-6 I d The conspiracy compromised illegally accessed hadiunauthor ized communications with and ex ltrated proprietary private and non-public victim data and information from the computer systems of Victim-6 -a restaurant Chain with locations in multiple states For instanceabout August 25 2 016 the conspiraCy directly and through intermediaries used the account revitaltravel @yahoo com to- send a phishing email to an employee of Victim-6 with an attached Microsoft Word document that contained malWare The email contained materiallyfalse representations designed to induce the targeted employee to enable the malware and compromise the computer systemabout September7 2016 co-conspirator Fedir Hladyr created an issue on the conspiracy s private JIRA server speci cally related to Victim- 6 to which ANDRII KOLPAKOV subsequently uploaded comments and stolen I information pertaining to Victim-6 s network Structure and administrative credentials Victim-7 e I - The conspiracy compromised illegally accessed had unauthorized communications with and ex ltrated proprietary private and non-public victim data and I information from the computer systems of Victim-7 an automotive retail and repair chain with hundreds of locations in multiple states including Washington For instance i On or about January 18 2017 a FIN7 member created Ean islsue on the conspiracy s private JIRA server speci cally related to Victim '7 to which that individual and Fedorov subsequently posted reSults from several network mapping tools used on Victim-7 siinte rnal networkaboutJanuary 20 2017 a FIN7 member posted ex ltrated data including multiple usernames and passtords with the title Server Passwords to the Victim-7 UNITED STATES ATTORNEY 700 STEWART STREET SUITE 5220 SEATTLE WASHINGTON 98101 206 553-7970 Indictment United States v Kolpakov 20 7 NO 00 4 ON D Case Document 11-1 Filed 07 27 18 Page 22 of 33 On or about January 23 and January 24 2017 Fedorov posted information about Victim-7 s internal netWork and uploaded a le -- containing multiple IP addresses and information about Victim 7 s seryers to the Victim- 7 JIRA issue orabout January 27 2017 Fedorov uploaded to I the Victim-7 issue a le containing over 1 000 usernames and passwords for generic company accounts and employee accounts The potentially compromised accounts related to approximately 700 Victimu7 locations throughout the United States inCluding approximately 12 locations located in the state of Washington Victim-2 f The conspiracy compromised illegally accessed had unauthorized 3 communications with and ex ltrated preprietary private and non-public victim data and information from the computer systems of Victim-2 a corporation headquarteredin Seattle Washington For instanceorabout February 21 2017 the conspiracy directly and through intermediaries used an account purporting to be lings@sec gov but that I I I actually was sent by 'secureservernet to send a phishing email to an employee of Victim-9 2 located in Seattle Washington With an attached Microsoft Word document that i contained malware The email falsely purported to relate to a corporate ling with the 7 SEC and contained materially false representations designed to induce the targeted employee to openthe le enable the malware and compromise the computer system I ii From on or about February 21 2017 to approximately March 3 2017 the conspiraCy illegally accessed and had communications with the computer systems of Victim-2 located in Seattle Washington For instance between about February 23 2017 and February 24 2017 the Victim computer made outgoing connections to and transferred internal data without authorization to an IP address 5 located in'a foreign country UNITED STATES ATTORNEY Indictment United States v Kolpakov - 21 - STREET Stars 5220 206 553 7970 Case Document 11-1 Filed 07 27 18 Page 23 of 33 on or about February 24 2017 a FIN7 member posted to a issue created for Victim-2 a screenshot from the targeted employee s computer at Victim-2 which showed among other things an internal Victim 2 webpage available only to employees with a valid user account - 1 iv Similarly a member posted to the Victim 2 JIRA issue a text le containing the usernames and passwords of thetargeted Victim-2 employee including his her personal email account LinkedIn account and personal investment and nancial institution accounts 1 7 Victim-3 I 7 g The conspiracy compromised illegally accessed had unauthOrized communications with and ex ltrated proprietary private and non-public victim idata'and information from the Computer systems of Victim-3 a restaurant chain with thousands of locations including the State of Washington From approximately March 24 2017 to 7 April 18 2017 the conspiracy accessed computer systems Victim-3 and implanted I malware designed to harvest payment card data from cards used On point-of sale devices ii at restaurant locations nationwide includingapproximately 33' locations Within the _Western District iof Washington Victim-8 I h The conspiracy compromised illegally accessed had unauthorized communications with and ex ltrated proprietary priVate and non-public victim and information from the computer systems of Vietim S a restaurant chain with hundreds of locations in multiple states including Washington For instance On or about March 27 2017 the conspiracy directlyand through intermediaries used to send a phishing email to a Victim-8 employee with an attached Microsoft word document that contained- malWare _ The email-falsely purported-to convey acustomer complaint and contained additional materiallyifalse representations designed to induce the targeted employee to enable the malware andcompromise the computer system 7 - UNITED STATES ATTORNEY Indictment 1 United States v Kolpakov - 22 r700 STEWART Sons 5220 I 206 553-7970 - it i Case Document 11-1 Filed 07 27 18 Page 24 of 33 ii 1 On or about March 29 2017 a FIN7 member created an If isSue 'on the conspiracy s private serverspeci cally related to Victim 8 and I posted results from several network mapping tools used on Victim-8 s internal netWork On or about March 31 2017 a FIN7 memberposted a link to the point-of-sale software management solution used by Victim-8 and a-username and z 0 password to the VictimuS JIRA issue The software management tool allows a A 1' company to manage point of salei systems at multiple locations The FIN7 member also uploaded several screenshots presumably from one or more Victim computers at Vietim 8 which showed among other things the user logged into Vietim-S s account for the software management toolabout April 6 2017 a member uploaded to the I Victim 8 JIRA issue a le containing hundreds of usernames and passwords for approximately 798 Victim-8 locations including 37 locations located in the State 'of Washington The le included network information telephone communications and locations of alarm panels within restaurantsabout April 7 2017 a FIN7 member uploaded to the - Vietim S JIRA issue a similar le containing numerous usernames and passwords for Victim 8 locationsabout May 0 5 2017 a FIN7 member uploaded to the Victim-8 JIRA issue a le containing le directories on a compromised computer vii On or about May 8 2017 a FIN 7 memberuploaded to the Victim 8 JIRA issue ex ltrated les related to a password management system from a' compromised computer which contained the credentials usernames and passwords of a particular employee0151a about May 15 2017 a FIN7 member- uploaded a the Victim 8 JIRA issue sereenshOts of a compromised computer that showed the employee accessing Victim 8 s security infrastructure management software using that same employee s credentials I UNITED STATES ATTORNEY I 700 STEWART STREET Stars 5220 SEATTLE 98101 206 553-7970 Indictment United States v Kolpakov - 23 00 Case Document 11-1 Filed'O7 27 18 Page 25 of Victim-9 I i The conspiracy compromised illegally accessed had Unauthorized- and exfiltrated proprietary private andinon-public victimdata informationfrom the computer systems of one or more locations of Victim-9 a fast food restaurant chain with thousands of locations throughout the United States including 7 waShington For instanceThe conspiracy directly and through intermediaries sent phishing emails with an attached le that contained malWare to multiple Victim-9 locations For instance on or about April 7 2017 the conspiracy used the account to send a phishing email to a'Victim-9 lOcation in the State of - Oregon --The email contained materially false representations designed to induce the targeted employee to open the le enable the malware and compromise the computer systemabout April 5 2017 Fedorov created an issue on the conspiracy s private server specifically-related to Victim 9 to Which one or more FIN7 members subsequently posted usernames and pass-vvordsl for Victim-9 locations including a Victim-9 location in VancouVer washington 7 i Victim-4 7 j The conspiracy compromised illegally accessed had unauthorized communications with and ex ltrated proprietary private and non public victim data'and information from the computer systems of one or more locations of Victim-4 a pizza parlor chain With hundreds of IOCations including in Washington For instance on or about April 11 2017 the censpiracy directly and through intermediaries used the account to send a phishing email With the subject claim to an employee of a Victim 4' 10Cated in Renton - Washington with an attached Rich Text Format rtf doCument that Contained malware The email falsely P111130de 60 convey a customer complaint and contained additional UNITED STATES ATTORNEY Indictment United States v Kallialrov 24 700 STEWART STREET SUITE 5220 98101 - 206 553 7970 Case Document 11-1 Filed 07 27 18 Page26 of 3-3 materially false representations designed to induce the targeted employee to-enable malware and compromise the Computer systemor about April 11 2017 the conspiracy directly and through intermediaries used theaccount oliverjalmer@yahoo com to send a phishing email with the subject claim to an employee of a Victim-4 located in Vancouye'r WaShington With an attached Rich Text Format rtf docUment that contained malWare The email falsely purported to convey a cuStomer complaint and contained additional 7 materially false representations designed to induce the targeted employee to enable the - malware and compromise the computer systemabOut May 25 2017 the conspiracy directly and through intermediaries used the account Adrian 1987c1ark@yahoo com to send a I phishing email with the subject takeout order to an employee of a Victim 4 located in or around spokane Washington with an attached Rich Text document that I contained malware The email falsely stated that the sender had a' large takeout order-and contained additional materially false representations designed to induce the targeted employee to enable the malware and compromise the computer system i Victim-10 k The conspiracy compromiSed illegally accessed had unauthorized communications with and ex ltrated proprietary private and nOn-public victim data and i information from the computer systems of one or more locatidns of Victim 1'0 a fast food restaurant chain with hundreds of locations in various states including Washington For instanceabout May 24 2017 a IN7 member created an i issue on the conspiracy s private JIRA serverspeci cally related to Victim-10 to which other FIN7 members subseQHently posted information relating to the intrusion 0f computer systems and ex ltrated les containing passwords and screenshots from one or more compromised computers UNITED STATES ATTORNEY - - 700 STEWART STREET SUITE 5220 SEATTLE WASHINGTON 98101 205 553-7970 Indictment United States v Kolpakov - 25 Case Documentll-l Filed 07 27 18 Page 27 of 3-37 ii 'j On or about June 12 2017 the conspiracy directly and through interrnediaries used the account Adrian 1987c1ark@yahoo com to send a phishing email with the subject 5order catering to an employee of a Victim-10 located V in Iowa with an attached RiCh Text Format rtf document that contained imalware The email falsely stated that the sender had a catering order for the following day'and contained additional materially false representations designed to induce the employee to enable the malware and compromise the computer system I 7 From on or about June 12 2017 to a date unknown the conspiracy illegally accessed and had communications with the computer systems of the-t - Victim-10 located in Iowa For instance the conspiracy transferred without authorization proprietary private and non-public victim data and information including I usernames and passwords to a JIRA server managed by FIN7 located in a foreign country On or about June 14 2017 a FIN7 member uploaded a-variety of infonnation ineluding recommendations for attack vectors FIN7 members could use to-a ceess Victim- 105s internal network I I I Allin Violation of Title 18 United States Code Section 371 COUNTS 17 419 Accessing a Protected Computer in Furtherance of Fraud 26 The allegations set forth in Paragraphs 1 through 25 Of this Indictment are re-alleged and incorporated as if fully set forth herein I 27 On or about the dates listed below within the WestemDistrict'of I 'Washington and elsewhere the defendant ANDRII KOLPAKOV aka Andrey Kolpakcv Andriy Kolpakov Andre Kolpakov Andrew Kolpakov Santisimo I Santisimoz and AndreyKS and others known and unknown to the GrandJury knewingly and With intent to defraud accessed a protected computer Without authorization and in excess of lauthOrized access - and by' means of such conduct furthered - the intended fraud and obtained semething of value specifically payment card data and UNITED STATES ATTORNEY Indictment United States v Kolpakov - 26 7 3 - 700 STEWART STREET SUITE 5220 SEATTLE WASHINGTON 98101 i 206 553-7970 - more than $5 000 in a l-year period as listed below computers during a 1 year period Case Document 11-1 Filed 07 27 18 Page 28 of33 proprietary and non public information whereby the object of the and the thing obtained conSisted of more than the use Of the computers and the Value ofSuch use Was 2016 throi 2 Au V1i- 8 1 1 18 February 21 2017 through March-3 2017 Victim-2 19 MarCh 24 2017 through April 18 2017 Victim-3 A11 in violation of Title 18 United States Code Sections 1030 a 4 1030 b and 2 - COUNTS 20 - 22 7 Intentional Damage to a-Protected Computer 7 7 28 The allegations set forth in Paragraphs 1 through 27 of this Indictmentare-i re-alleged and incorporated as if fully set forth hereinabout the dates listed below within the Western DistriC't of Washington and elsewhere the defendant ANDRJI KOLPAKOV aka Andrey Kolpakov 7 7 AndriyKolpakov Andre Kolpakov Andrew Kolp'akov i santisiino _ santisimoz and AndreyKS others known and unknown to the Grand Jury knowingly caused the transmission of a program infomation code and command and as a result of such cenduct intentionally caused damage without authorization to a protected computer speci cally the protected computer system of theVictim listed below and the offense caused loss to one or more persons during a 1-year period aggregating at'least $5 000 00 in value and ii damage affecting 1-0 or more protected 8 26 through Oeto 20 21 February 21 2017 through March 3 2017 Victim-2 - - 22- March 24 2017 through April 18 2017 Victim-3 All in violationof Title 18 United States Code Sections 1030 a 5 A 1030 8 1030 c 4 B and 27 Indictment United States v Kolpakov - 27 SEATTLE WASHINGTON 98101 206 553-7970 Case Document 11-1' Filed 07 27 18 Page 29 of 33 Access DeviceFraud I 3 The'allegatiOns set forth in Paragraphs 1 through 29 of this Indictment are re alleged and incorporated as if fully set forth herein 1 I 31 Beginning at a time continuing throughaon or after June 20 2018 within the Western District of Washington and elsewhere athe defendant ANDRII 7 - KOLPAKOV aka Andrey Kolpakov Andriy Kolpakov Andre Kolpakov I Andrew Kolpakov and Andrest and others knownand to the Grand knowingly and with intent to defraud possessed fteen or more counterfeit and unauthorized access devices namely payment card data numbers and other means cf account access that can be used alone and in conjunction with another access device to obtain money goods services and any other thing of 7 value and that can be used to initiate a transfer of funds said activity affecting interstate and foreign cornmerce I I I I Allin violation of Title 18 United States Code Sections 1029 a 3 1029 c 1 A and 2 Aggravated Identity Theft 7 32 The allegations set forth in Paragraphs 1 through 31 of this Indictment are re-alleged and incorporated as if fully set forth herein 1 A 33 Beginning at a time unknown but no earlier than on o'r'abOut February 21' 2017 and no later than March 3 20 17 and continuing through on or after November 21 20 17 at Seattle Within the Western District of Washington and elsewhere ithe pl defendant ANDRII KOLPAKOV aka Andrey Kolpakov Andriy Kolpakov fAndre '3 Andrew Kolpakov i santisirno santisimoi and - I others known and unknown to the Grand Jury did anWingly transfer possess and use without lawful authority a means cf identi cation of another'person to wit the-name Indictment United States v Kolpakov - 28 UNITED STATES ATTORNEY SEATTLE WASHINGTON 98 10 I 206 553-7970 700 STEWART STREET SUITE 5220 1 scooqcxm-A wmt Case Document 11-1 Filed 07 27 18 Page 30 of 33 username ahdpastord of a real person Q an employee of Victim-2 during and in relation to a felony violation enumerated in 718 U S C 1028A c that is conspiracy to commit Wire and bank fraud in Violation of 18 U S C 1349 as charged'in Count 1 _a_nd wire fraud in violation of 18 U S C 1343 ascharged in Counts 5 and that the means of identi cation'belonged to another actual person 7 I All in violation of Title 18' United States Code Sections Aggravated Identity Theft I 34 The allegations set forth in Paragraphs 1 through 33 of this Indictment are re-alleged and incorporated as if fully set forth herein 35 Beginning at a time unknown but no later than on or about May 8 2017 and continuing through on or after November 21 2017 within the Western District of i - Washington - and elsewhere the defendant ANDRII KOLPAKOV aka Andrey 7 Kolpakov i Andrileolpakov Andre Kolpakov Andrew Kolpakovf santisimo santisimoz and AndreyKS and others known and unknown to the Grand Jury did knowingly transfer 'possess and use withoutlawful authority a means of identi cation of another person to wit the name employee credentials usemarne and password of a real person N M an employee of Victim 8 during and in relation to a felony violation enumerated in 18 U S C 1028A c that is conspiracy to commit wire and bank fraud in violation of 18 U S C 1349 as charged in Count 1 knowing that the means of identi cation belonged to another actual person Allin Violation of Title 18 United States Code Sections-1028A Aggravated Identity Theft 36 The allegations Set ferth in Paragraphs 1 through 35 of this Indictment are re-alleged and incorp-Orated as if fully set forth herein UNITED STATES ATTORNEY - 700 STEWART SUITE 5220 SEATTLE 98101 206 553-7970 Indictment United States v Kolpakov - 29 omq mmA-wwt Indictment United States v Kolpak'ov - 30 Case Document 11-1 Filed 07 27 18 Page 31 of 33 37 - Beginning at a time Unknown but no later than on or about January 27 2017 and continuing through on or after November 21 2017 within the Western District of Washington and elsewhere the defendant ANDRII KOLPAKOV aka Andrey Kolpakov Andriy Kolpakov Andre Kolpakov _ _Andrew Kolpakov santisiirio - santisimoz and others known and unknown to the Grand Jury did knowingly transfer possess and use without lawful authority a means of identi cation I of another person to wit the name username and password of real persons E L M A P R O and L D employees of Victim-7 during and in relation to-a 7 felony violation enumerated in 18 U S C 1028A c that is conspiracy to commit wire and banh fraud in violation of 18 U S C 1349 as charged in Count 1 knowing that the means of identi cation belonged to anotheractual person All in Violation of Title 18 United-States Code Sections 1028A a and 2 FORFEITURE ALLEGATION 38 i The allegations contained in Counts 1 through 15 of this Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to Title 18 United StateS-Code Section 981 a 1 C and Title 28 United States 7 Code Section 2461 0 Upon conviction of any of the offenses charged in Connts through 153 the defendant ANDRII KOLPAKOV aka Andrey Kolpakov Andriy Kolpakov Andre Kolpakov Andrew Kolpakov santisimo _ saittisimOZ and AndreyKS shall forfeit to the United States any property real or personal which constitutes or is derived from proceeds traceable to such offenses including but not limited to a judgment for a sum of money representing the property described in this paragraph A '7 39 7 The allegations contained in Counts 16 through '22 of this Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeituresr pursuant to Title 18 UnitedStates Code Sections 982 a 2 B Upon conviction of any of theoffenses charged in Counts 16 through 22 the defendant shall SEATTLE WASHINGTON 93101 206 553-7970 Indictment United States v Kobakov - 31 i I Case Document 11-1 Filed 07 27 18 Page-32 of 33 forfeit to the United States any property constituting Or derived from proceeds the defendant obtained directly or indirectly as the result of such offenses shall also - forfeit the defendant s interest any personal property that was used 0r intended to be used to commit Or to facilitate the commissiOn of such offenses includingbut not limited to a judgment for a sum of money representing the property described in this paragraph I 40 realleged and inCorporated by reference for'the purpose of alleging forfeitures pursuant to - Title 18 United States Code Sections-981 and 1029 c 1 C and Title 28 i United States Code Section 2461 c Upon conviction of the offense charged in Count-s The allegations contained in Count 23 of this Indictment archereby 23 the defendant shall forfeit to the United States anyproperty real or personal which constitutes or is derived from proceeds traceable to such offense and shall also ferfeit' any personal property used or intended to be used to commit such offense including but not limited to a judgment for a sum of money representing the property described in this paragraphT Substitute Assets 41 If any of the property described above as a result of any act or omission of the defendant I I cannot be located upon the exercise of due diligence a b has been transferred or sold to or deposited with a third party 'i has been placed beyond the jurisdiction of the court d has been substantially diminished in value or I e has been commingled with other property which cannot'be divided without dif culty I i UNITED STATES ATTORNEY r700 STEWART STREET SUITE 5220 SEATTLE WASHINGTON 98101 206 553-7979 Case DoCument 11-1 Filed 07 27 18 Page 33 of 33 the United States of America shall be entitled to forfeiture of substitute property pursuant 7 to Title 21 United States Code Section 853 p as'incorporated by Title '28 United States Code Section 2461 0Tow-b A 29 DATED Signature of Foreperson redacted pursuant to policv ofthe Judicial Conference OREPERSON United States Att rney 13 14 OK ANDREW C FRIEDMAN 15 Assistant United States Attorney 13 159 18 CIS FRANZE AKAMURA Assi ant United St es Attorney usuamm H I 22 Assistant United States Attorney 7 23 0 ex ANTHONY TEELUCKSINGH 25 Trial Attorney 26 Computer Crime and Intellectual Property Section Indictment United States v Kolpakov - 32 UNITED STATES ATTORNEY 700 STEWART STREET SUITE 5220 SEATTLE WASHINGTON 9810-1 206 553-7970 This document is from the holdings of The National Security Archive Suite 701 Gelman Library The George Washington University 2130 H Street NW Washington D C 20037 Phone 202 994-7000 Fax 202 994-7005 nsarchiv@gwu edu