OCR of the Document

View the Document >>

United States District Court for the Western Washington District at Seattle, “United States of America v. Fedir Oleksiyovych Hladyr, superseding indictment", July 27, 2018. Unclassified.

maximum 9 Case Document 47-2 Filed 07 27 18 Page 2 of 33 Presentedto- the Court by the foreman of the Grand Jury in Open Court in the presence of the Grand Jury and FILED in the US DISTRICT COURT at Seattle Washington W COOL Clerk By - Deputy UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WASHINGTON AT SEATTLE - UNITED STATES 0F AMERICA - No CR1-7-276RSL Plam ff SUPERSEDIISIGETDICTMENT FEDIR HLADYR aka Fedor Gladyr aka Fedir Oleksiyovych Gladyr - aka Gladyr Fedir Oleksiyovych aka Gladyr Fedor Oleksiyovich aka Fedor aka das aka Fyodor aka AronaXus Defendant I The Grand Jury charges that 7 DEFINITIONS 1 7 IP Address An Internet Protocol address or simply address IS a unique numeric address used by devices such as computers on the Internet An IP address is a series of four numbers each in the range 0-255 separated by periods egg 104 250 138 210 Every device attached to the Internet must be assigned an IP address 7 7 I so that Internet traf c sent from and directed to that device may be directed properly Superseding Indictment United States v HIadyr - - UNITED STATES ATTORNEY No CR17-276RSL 1 - 700 STEWART STREET SEATTLE WASHINGTON 98101 7 206 553- 7970 uncommon-mm N Case Document47-2 Filed 07 27 18 Page ofi33 from it's'source to its destination Most Internet service providers control a range of IP addresses - 2 1 Server A server is a COmputer that provides services for other cemputers connected to it Via a network or the Internet The Computers that use the serVer services A are sometimes called clientsf Servers can be physically located anywhere with a A A network connection that may be reached by the clients for example it is not uncommon - i for a server to be located hundreds or even thousands of miles away frOm the client computers A server may be either a physical or virtual machine A physical server is a piece of computer hardware con gured as a server with its oW11 pewer source central I processing unit s and associated sOftwa re A virtual server is typically one of many servers that operate on a single physical server Each virtual server shares the hardware 3 3 resources of the physical server but the data residing on each virtual server is segregated from the data on other virtual serVe'rs that reside on the same physical machine 3 Malware Malware lS malicious computer Code running on a computer Relative to the oWner authorized user of that computer malware is computer cede that 13 7 7 running on the system that is unauthorized and present on the System without the user - consent Malware can be designed to do a variety of things including logging every keystroke on a computer stealing nancial information or user credentials passwords or usernames or commanding that computer to become part of a network of robot Or bot computers known as a botnet In addition malware can be used to transmit data from the infected cemputer to another destination on the Internet as identi ed by an IP address Often times these destination IP addresses are computers controlled by cyber criminalsThe Carbanak malwarez Carbanak is the name 'giVen by computer security researchers to a particular malicious softWare malware program Carbanak has been used to re'mOtely access computer's without authorization The 'Carbanak malWaIf allows an attaCker to spy on another person s computer andrernotely control the I computer Carbanak can record videos of the victim s computer screen and send the Superseding Indictment United States Hladyr - UNITED STATES ATTORNEY No A 7 700 STEWART STREET SUITE 5220 SEATTLE 98101 206 553-71970 Case Document-472 Filed 07 27 18 Page 4 of 33 recordings back to the attacker 'It can also let the attacker use the Victim computer to 7 attack other Computers and to steal les from the victim computer and install other malware All of this can be dene without the legitimate user s knowledge or permiSsion 5 - Bot A bet computer is a computer that has been infected With seine kind 7 of malicious software or code and 1s thereafter subject to control by someone other than the true oWner The true owner of the infected computer usually remains able to use the computer as he did before it was infected althOugh speed or performance maybe compromised 7 I 7 I 6 Botnet A botnet is a network of compromised computers known as bots thata're under the control of a cybercriminal or bot herder The bots are harnessed by the bot herder through the surreptitious'installation of malware that provides i the bot herder with remote access to and control or the compromised cemputers A 'botnet may be used en masse in a coordinated fashion to deliver a Variety Of Internet- based attacks including attacks brute force pastord attacks the transmission of spam emails the transmission of phishing emails and hosting communication networks it for cybercriminals e acting as a proxy server for email communications 7 Phishing Phishing 1s a criminal scheme 1n which the perpetrators use mass email messages and or fake Websites to trick people into providing information such -- as network Credentials usernames and passwords that may later begused to gain access to a victim s systems Phishing schemes Often utilize social engineering techniques similar toitradition'al con-artist techniques in Order to trick victims into- believing they are providing their information to a trusted vendor customer or Other acquaintance Phishing emailsare also often used to trick a Victim into clicking on documents or links that contain malicioirs software that will cempromise the victims computer system I 8 Spear Phishing Spear phishing rs a targeted form of phishing directed towards a Speci c individual organization or business Although often intended to steal Superseding Indictment United States v Hladyr 1 I 730 ISHED sug s 52 - 7 TEWART N0 275RSL 3 SEATTLE WASHINGTON 98101 206 553-7970 ooqoxm-wah- owooqmm-hwmma Case 2 17ecr-00276-RSM Document 47-2 Filed 07 27 18 Page 5 off33 data for malicious purpoSes cybercriminals may also'use spear phishing schemes-to install malware 011 a targeted user s computer i 9 Social Engineering Social engineering is a skill developed over time by people who seek to acquire protected information through manipulation of social- I relationShips People who are skilled 1n social engineering can convince key individuals I to divulge protected information or access credentialsithat the social engineer deems valuable to the achievement of his or her aims 10 Pen-Testing Penetration testing or pen-testing is the practlce of testing a 9 computer system network or computer application to nd vulnerabilities that an attacker 1 2 may exploit 1 Conspiracy to Commit Wire and Bank Fraud 1 OFFENSE 11 The allegations set forth in Paragraphs 1 through 10 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein 12 -I Beginning at a time unknown but no later than September I201 5 and continuing through on or after January 10 20198 at Seattle within the -WesternI District of Washington and elsewhere FEDIR OLEKSIYOVYCH HLADYR aka Fedor Gladyr aka _ Fedir Qleksiyovych IGladyr Gladyr Fedir Gladyr Fedor Oleksiyovich aka I Fedor aka aka Fyodor aka ArIonaXus and others if known and unknown to the Grand Jury did-knowingly and willfully combine conspire confederate and agree together to commit Offenses against the United States to Wit 4 a 3 to knowingly and willfully devise and execute and attempt to I execute a scheme and artifiCe to defraud and for obtaining money and property by means of materially false and fraudulent pretenSes representatibns and promises and 1n executing and attempting to execute this scheme and arti ce to knowingly cause to be transmitted in interstate and foreign Commerce by means of wire communication '0ertain - Superseding Indictment United States Hladyr - I - 737 UNITED STATES ATTORNEY I No 4 I I 700 STEWART $112331 5111135220 SEATTLE WASHINGTON 98101 206 553 47 970 qumUI-bm Nl I Case Document 47-2 Filed 07 27 18 Page 6 of 33 '7 'signs signals and sounds as further described below in violation of Title 18 UIiited_ States Code Section 1343 b to knowingly and willfully devise and execute and attempt to exeCute a scheme and arti ce to defraud nancial institutions as de ned by Title 18 United States Code Section 20 and to obtain moneys funds and credits under the 7 7' custody and control of the nancial institutions by means of materially false and fraudulent pretenses representations and promises in violation of Title 18 United States Code Section l344 1 and 2 II OBJECTIVES OF THE CONSPIRACY l3 Defendant FEDIR OLEKSIYOVYCH HLADYR and others 101an and unknown to the Grand Jury were part of a nancially motivated cyberCriininal conspiracy knOWn' variously as FIN7 the Carbanak Group and the Navigator Group referred to herein as FIN7 consists of a group of criminal actors engaged in a sephisticated malware campaign targeting the computer systems of businesses primarily in the restaurant gaming and hospitality industries among others I 7 14 The objectives of the conspiracy included hacking into protected computer networks using malicious software hereinafter malware designed to provide the conspirators with unauthorized access to and control of victim computer systems The objectives of the conspiracy further included conducting surveillance of victim computer 7 networks and installing additional malware on victim computer netw0rks for the purpose i ii of establishing persistence stealing money and property including payment credit and debit card track data nancial information and proprietary and non-public information The objectives of the censpiracy further included using and selling the stolen data and information for nancial gain in a variety of ways including but not limited to using stolen paymentcard data to actress the i United States and in foreign countries Superseding Indictment United States v Hladyr 7 UNHED STATES - No 7-276RSL- 5 700 STEWART STREET 31111135220 3mm WAsmNoroN 931-01 206 55317970 - omk th-W Ni d 7 Case Document 47-2 Filed 07 27 18 Page 7-of33v MANNER AND MEANS OF THE CONSPIRACY 15 The manner and means used to accOmplish the conspiracy included the following a FIN 7 developed and employed various malware designed to in ltrate compromise and gain control of the computer systems of Victim companies operating in the United States and elsewhere including within the Western District of 1 Washington IN 7 established and operated an infrastructure of servers located 1n various countries through which FIN 7 members Coordinated activity to further the scheme This infrastructure included but was not limited to the use of command and control servers accessed through custom botnet control panels that With 1 7' and controlled compromised computer systems of victrm companies b IN 7 created a front company doing business as Combi Security to facilitate the malware scheme by seeking to make the scheme 3 illegal conduct appear legitimate Combi Security purports to Operate as a computer security pen testing company based 1n Moscow Russia and Haifa Israel As part of advertisements and public intemet pages for Combi Security FIN7 portrayed Combi Security as a legitimate penetration testing enterprise that hired itself out to businesses for the purpose of testing their computer security systems I 7 Under the guise of a legitimate computer seCurity company FIN7 doing business as Combi Security recruited individuals with computer programming skills falsely claiming that the prospective employees would be engaged 111' legitimate I pen-testing of Client computer networks I11 truth and in fact as Defendant and his FIN7 co cOnspirators well knew Combi Security was a front company used to hire anddeploy hackers who were given tasks in furtherance of the conspiracy FIN7 targeted victims inthe Western District of elsewhere using phishing techniques to distributemalware designed to gain unau iorized' access to take control of and ex ltrate data from the computer systems of various businesses targeted victims include more than 120 identi ed companies with-- Superseding Indictment United States v Hladyr i UNITED STATES ATTORNEY No CR17-276RSL- 6 700 STEWART STREET Sum 5220 WASHINGTON 98101 - 206 553 4970 I Case DocUment47-2 Fil'e d 07 27 18 Page 8111 33 thousands of individual locations of operation throughout the United States including but not limited to the following representative victim companies 1 i 7 Victim l referenced herein is the Emerald Queen Hotel and Casino EQC a hotel and casino owned and operated by a federally recognized Native American Tribe with locations in Pierce County within the Western District of Washington ii Victim- 2 referenced herein IS a - public corporation headquartered 111 Seattle within the Western District of Washington with operations throughOut the United States and elseWhe re Victim-3 referenced herein is Chipotle MeXican Grill 3 I U S L-based restaurant chain with thouSands of locations in the United States including in the western District of Washington and in Canada and multiple EurOpean countries I iv VictiI1n-4 I referenced herein lS a U S - - based pizza parlor chain with hundreds of locations predominantly in the Western United States including in the Western District of Washington i Iv Victim- 5 referenced herein lS BECU a U S -based I federally insured credit union headquartered in the Western District of Washington I vi Vieti-m- 6 referenced herein lS Jason s Deli a U -based casual delicatessen restaurant chain with hundreds of locations in the United States II vii Victim 7 I referenced herein is - an automotive retail and repair chain with hundreds of locations in the United States including in the Western District of Washington Victim-8 referenced herein is Red Robin Gourmet Burgers and Brews Red Robin a S based Casual dining restaurant Chain founded in the Western District of Washington with hundreds of locations in the United States including in the Western District of Washington Superseding Indictment United States v Hladyr UNITED STATES-ATTORNEY I No CR17- 7 I - I 700 SEATTLE WASHINGTON 98101 - 206 553 7970 Case Document 47-2 Filed 07 27 18 Page 9 of 33 ix Victim-9 referenced herein is some Drive-in Sonic a U S -based drive-in fast-food chain with thousands of locations In the United States including 1n the western District of WashingtOn I I x Victim 10 referenCed herein 1s Taco John s a U S -based fast-food restaurant chain with hundreds of locations 1n the United States including 111 the Western District of washington e FIN7 typically initiated its attacks by delivering directly and through intermediaries a phishing email with an attached malicious le using wires in interstate and fereign commerce to an employee of the targeted victim company The attached malicious le usually was a Microsoft Word doc or 3 19 or Rich Text File rtf document with embedded malware FIN 7 used a variety of malware delivery mechanisms in its phishing attachments including but not limited to Weaponized Microsoft Word macros malicious Object Linking and Embedding OLE objects malicious visual basic scripts or avaScript and malicious embedded shortcut les LNK les In some instances the phishing email or attached le contained a link to malware hosted on servers controlled by FIN7 The phishing email through false representations and pretenses iraudulently induced the Victim company employee to open the attachment i i or click on the link to activate the malware For example when targeting a hotel chain the purported sender of the phishing email might falsely Claim to be interested in making I a hotel-reServation By way of further example when targeting a restaurant chain the purported sender of the phishing email might falsely claim to be interested in placing a fl - catering order or making a complaint about prior food service at the restaurant f In certain phishing attacks FIN7 directly and through interrnediaries sent phishing emails to personnel at victim companies who had uniquel- access to internal preprietary and non public company information including but not limited to emplOyees involved with making filings with the United States Securities and Exchange Commission These emailsiused an email address that spoofed an - Superseding Indictment United States v Hladyr - I - UNITED STATES ATTORNEY No CR17-276RSL 8 - 700 STEWART 5220' - - SEATTLE WASHINGTON 98101 206 553-7970 m oxm-th r-dowooxlmm-hmboeo Case DoCument 47-2 Filed 07 27 18 Page 10 of 33 email address associated With the electronic ling system and induced the recipients to activate the malware contained in the emails attachments I g In many of the FIN7 attacks a FIN7 member or someone hired by FIN7 speci cally for such purpose would also call the victim company using wires in interstate or fereign commerce tolegitimizl-e the phishing email and cenvince the victim company employee to open the attached document using social engineering techniques t For example when targeting a hotel chain or a restaurant chain a conspirator would 1 make a follow-up call falsely claiming that the details of a reservation request -catering _ 7 - order or customer complaint could be found in the le attached to the preViOus ly - delivered email to induce the employee at the victim company to read the phishing email open the attached le and activate the malware h If the recipient activated the phishing email attachment or clicked on the link the recipient would unwittingly activate the malware and the computer 0n 7 which it was opened would become infected and Connect to One or more command and control sewers controlled by FIN7 to report details of the newly infected computer and download additional malware The command and control- infrastructure relied upon various servers in multiple countries including but not limited to the United States typically leased using false information - such as alias names and ctitious information i FIN 7 typically would install additional malware including the Carbanak malware to connect to additional FIN 7 command and control servers to establish remote control of the victim computer j OnCe a victim 3 computer was Compromised FIN 7 wOuld incorporate the compromised machine or hot into a botnet 7 k FIN7 designed and used a custom botnet centre panel to manage and issue commands to the compromised machines Once a Victim company s computers were incorporated into the PIN 7 betnet and remotely controlled by malware the group used this remote control and access to among other things install and manage additional mal'ware Superseding Indictment United States v Hladyr UNITED STATES ATTORNEY 700 STEWART STREET SUITE 5220 No 9 SEATTLE WASHINGTON 98101 206 553-7970 Case Document 47-2 Filed-O7 27 18 Page 111017 333 conduct surveillance map and navigate the compromised computer network Compromise additional computers ex ltrate les and send and receive data For instance FIN 7 often conducted surveillance on the victim s computer ne'twOrk by among Other capturing screen shots and videos of v1ct1m computer workstations that provided the conspirators with additional inforniation about the Vietim company ComputernetWOI k i I and non-public credentials for both generic company accelmts and for actual- company employeesIn 1N7 used its acceSs to the Victim 5 computer network and information gleaned from Surveillance of the victim s computer systems to install additional malware designed to target and extract particular information and property of value including payment card data and proprietary and non-public infermation For instance FIN7 often utilized various off-the shelf software and Custom malWare and a - combination- thereof to eXtract and transfer data to a loot folder on one or more servers controlled by FIN7 FIN7 frequently targeted victim companies with customers who use payment cards while making legitimate point-of-sale purchases such as victim cempanies in the restaurant gaming and hospitality industries In those cases FIN7 con gured malWare to extract copy and compile the payment card data and then to transmit the data from the victim computer systems to servers controlled by 0 I For example between approximately March 24 2017 and April I8 2017 FIN7 harvested payment card data from point-of-sale devices at certain Victim-3 1 - restaurant locations including dozens of locations 111 the Western District of Washington p FIN7 stole millions of payment card numbers many of which'have been offered for sale through Vending sites including but not limited to Joker s Stash thereby attempting to generate millions of dollars of- illicit pre ts q The payment card data were Offered for sale to allow purchasers to falsely represent themselves as authorized users of the stolen payment cards and to use the stolen payment card information to purchase goods and services in fraudulent Superseding Indictment United States Hladyr - - 1 UNITED STATES ATTORNEY No 10 - 7 700 STEWART STREET Surra5220 - - SEATTLE WASHINGTON 98101 206 553-7970 scooqoxmihmimihn Case Document47-2 Filed 07 27 18 Page'12'of33 transactiOns throughout the United States and the world including oVer the Internet 3 resulting in millions of dollars-in losses to and and banks including nancial institutions as de ned in Title 18 United States Code Section '20 For example on or about March 10 2017 stolen payment card data related to accounts held at Victim-5 a nancial institution headquartered 1n the Western District of Washington compromised through the computer network intrusion of a vlctim company was used to make unauthorized purchases at a merchant 1n Puyallup Washington r FIN7 members employed various techniques to conceal their identities including simultaneously utilizing various leased servers that had been leased using false subscriber information in multiple countries I s FEDIR OLEKSIYOVYCH I-ILADYR served as a high level systems administrator for FIN7 who maintained serVers and cominunication channels used by the organization For example FIN 7 members requested FEDIR OLEKSIYOVYCH I-ILADYR to grant them access to servers used by FIN7 to facilitate the malware scheme FEDIR OLEKSIYOVYCH HLADYR also played a management role 1n the scheme by delegating tasks and by providing instruction to other members of the scheme I FIN7 members typically comniunicated with one another and others thrOugh private cominunication channels to further their malicious activity Among other channels FIN 7 conspirators communicated using Jabber an instant messaging Service that allows members to communicate across multiple platforms and that supports end-to- end i i u For example in Jabber communications with other FIN7 members a co conspirator D F using his alias hotdima referenced using malWare 1n co nnectiOn with several speci c victim compameS discussed using the administrative Control panels 1 to receive data from compromised computers and identi ed several pen testers working at his direction I Superseding Indictment-l United States v Hladyr 2' UNITED STATES ATTORNEY No 1 1 - - 700 STEWART Smnr SUITE 5220 SEATTLE WASHINGTON 98101 A 206 553 7970 Case Document 47-2 Filed 07 27 18 Page 131of 33 7 V FIN 7 members often communicated through a private HipChat server HipChat 1s a group chat instant messaging and file-sharing program FIN7 members used its HipChat server to collaborate on malware and victim business intrusions to interview potential reoruits and to upload and share ex ltrated data such as stolen payment card data As a system administrator FEDIR OLEKSIYOVYCH I HLADYR created HipChat user accounts for FIN 7 members that allowed them to acCess II the server i FEDIR OLEKSIYOVYCH HLADYR also created and participated in multiple HipChat rooms with other FIN 7 members and participated in the uploading and organization of stolen payment card data and malware For example on or about March 14 2016 FEDIR OLEKSIYOVYCH HLADYR uploaded an archive that contained numerous data les created by malware designed to steal data from point-cf- sale systems that precess payment cards The les contained payment card numbers stolen from a victim comp any that had publicly reported a security breach that resulted 1n the compromise of tens of thousands of payment cards By way of further example FEDIR OLEKSIYOVYCH HLADYR also set up and used a HipChat room titled MyFile in which he was the only participant and to which he uploaded malware used by FIN7 and stelen payment card information I x FIN7 conspirators used numerous email accounts hosted by a varietyI of providers 1n the United States and elsewhere which they O en registered using Ifalse subscriber infermation I I I y IN7 conspirators frequently used the pro_ ect management software IRA hosted on private virtual servers in various countries to coordinate their malicious activity and to manage the assorted network intrusions FIN 7 members typically created a proj ect and then associated issues with the preject each issue akin to an issue directory or folder for a victim company which they used to collaborate and share 1 I details of the intrusion to post victim company intelligence such as network mapping infermation and to store and share ex ltrated data Superseding Indictment United States v Hladyr - UNITED STATES ATTORNEY No 12 700 STEWART Some 5220 SEATTLE WASHINGTON 98101 206 55347970 Case Document 47-2 Filed 07 27 18 Page 14 of 33 For example on about September 7 2016 FEDIR OLEKSIYOVYCH HLADYR created an issue for Victim-6 to which FIN7 conspirators posted les centaining internal Credentials for the victim company 8 computer networkfurther example on multiple occasions in January 2017 00 conspirator D F and others posted to the IN 7 fissue created for Victim-7 information about the victim company internal network and uploaded ex ltrated data - including stolen employee credentials Similarly on or about April 5 2017 co conspirator F created an issue for another victim company Victim-9 and uploaded stolen user credentials from the Victim company i bb- FIN 7 conspirators knew that the scheme would inVolve the use of wires in both interstate and foreign commerce to accomplish the objectives of the scheme For example the Defendant and his FIN 7 co-conspirators knew that execution 1 of the scheme necessarily caused the transmission of wire communications between the United States and one or more servers controlled by IN7 located 111 foreign countries All 1n violation of Title 18 United States Code Section 1349- COUNTS 2-15 Wire Fraud - 16 _The allegations set forth 1n Paragraphs 1 through 15 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein I SCHEME AND ARTIFICE To DEFRAUD l7 Beginning at a time Unknown but no later than September 2015 and continuing through 011 or after January 10 2018 at Seattle Within the Western DiStrict of _Washington and elsewhere HLADYR and others known and unknown to the Grand Jury deyised'and intended to devise a scheme and arti ce'to defraud and to obtain money and property by means of materially false and fraudulent pretenses representations and promises Superseding Indictment United States v Hladyr 7 UNITED STATES ATTORNEY No 13 STREET Sorta 5220 SEATTLE WASHINGTON 98101 206 553-7970 Document 47-2 Filed 07 27 18 Page 15 of 33' 18 The essence of the scheme and arti ce to defraud Was to obtain unauthorized access into and control of the computer netWOrks of victims thrOugh deceit - and materially false and fraudulent pretenses and representations through the installation it I and use of malware designed to facilitate among other things the installation of additional malware the sending and receiving of data and the surveillance of the victims computer networks The object of the scheme and arti Ce to defraud was to steal money and property of value including payment card data and proprietary and 11911 public information which was and could have been sold and used for nancial gain II MANNER AND MEANS OF SCHEME TO DEFRAUD I 19 The manner and means of the scheme and arti ce to defraud are set forth Paragraph 15 of Count of this Superseding Indictment I I111 EXECUTION OF SCHEME T0 DEERAUD 20 On or about the dates set forth below Within the Western District of Washington and elsewhere FEDIR OLEKSIYOVYCH I-ILADYR and others known and unknown to the Grand Jury having devised a scheme and arti ce to defrand and to obtain money and property by means of materially false and fraudulent pretenses representations and promises did knowingly transmit and cause to be transmitted writings signs Signals pictures and sounds for the purpose 0f executing such scheme by means of wire Communication in interstate and foreign commerce ineluding the following transmissions Email from justgetravel@yahoo com - which traveled through a server Victim-1 7 located outside the State of Pierce County _Washington to a Victim '1 employee located within the State of 2' I August8 2016 Washington superseding Indictment United States Hladyr A 7 i I UNITED STATES ATTORNEY No 14 I I - 700 STEWART STREET SUITE 5220 SEATTLE WASHINGTON 98101 206 55377970 00 NJ t-d Case Document 47-2 Filed 07 27 18 Page 16 of 33 Email from frankjohnson@re ntal traVelcom which traveled through a Victim-1 server locatedoutside the State of 7 August 8 2016 Pierce County Washington to a Victim-1 employee 7 1 - located Within the State of 1Washington Electronic cemrnunication between a - Victim-1 7 server lecated outside the State of August 8 2016 Pierce Coun Washington and Victim-1 5 computer - ty system located Within the State of Washington Email puiporting to be from a government account Which traveled Victim- 2 through a server located outside the February 21 2017 Seattle State of Washington to a Victim-2 employee loCated within the State of Washington Electronic communibation between a i I Vic tim 2 server located outside the State of February 23 2017 Seattle Washington and V1ct1m-2 s computer system located Within the State of Washington i Electronic cominunication betWeen a 7 V1ct1m 3 4120 196th St SW server located outs1de the State of March 24 2017 7 and V1ct1m 3 s computer ulte 1 50 - system located w1th1n the State of 7 Washington - 1 Electronic communication between a 7 Victim 3 server located outside the State of March 25 2017 7 '1415 Broadway washington and Victim-3 s computer Seattle system located within the State of Washington ElectrOnic communication between a Victim-3 server located outside the State of 7 March 25 2017 800 156th Ave NE Washington and Victim-3 computer - 7 BelleviJe s ystem located Within the State of Washington a UNITED STATES ATTORNEY Superseding Indictment United States Hladyr No 15 700 STEWART STREET SUITE 5220 SEATTLE 98101 206 553 7970- Case 2 17-cr-00276l-RSM Docume'nt'47-2 Filed 07 27 18 Page 17 of 33' - Electronic communication between a 7 I 7 Victim 3 server located outSide the State of 10 - March 25 2017 4Bellis Fair Pkwy - Washington and Victim-3 3 computer - - 7 Bellingham 7 system located within the State of Washington - - 7 Electronic communication betWeen Gilman server located outside the State of 11 7 March 25 2017 Blvd Suite A Washington and V1ct1m 3 scornpute r ISsaquah system located within the State of Washington 7 Victim-3 - Electronic communication between a 3 7 515 SE Everett server located outs1de the State of 12 March 27 2017 Washington and V10t1m-3 5 computer- - - - all Way Smte B Everett - - system located Within the State of Washington Vietim-3 Electronic oommunication between a 22704 SE 4th St server located outside the State of 13 April 11 2017 Washington and V1ct1m-3 s computer ulte 210 Samm amish' system located within the State of washington Email from oliver_palmer@yahoo com - Which 4 - - Victim-4 traveled through a server located 3 14 Apnl 11 2017 - Renton outside the State'of Washington to a Victim-'4 employee located within the State of WashingtOn Electronic communication between a Victim-5 merchant lecated within the State of 15 March 10 2017 Pu 11 and a payment processor - ya up server 10oated outside the State of Washington All 1n violation of Title 18 United States Code Seetion 1343 Superseding Indictment United States v Hladyr UNITED STATES ATTORNEY 2700 STEWART STREET Surra5220 WASHINGTON 98101 206 553-7970 Case Document 47-2 Filed 07 27 18 Page 18 of 33 COUNT 16 Conspiracy to Commit Computer Hacking I 21 The allegations set forth in Paragraphs 1 through 20 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein I - OFFENSE 22 Beginning at a time unknoWn but no later than September 2015 and continuing through on or after January 10 2018 at Seattle Within the Western District of Washington and elsewhere FEDIR OLEKSIYOVYCH HLADYR and others known and unknown to the Grand Jury did knoWingly and willfully cembine conspire confederate and agree together to commit offenses against the United States to wit 1' - a to knowingly and with intent to defraud access a protected computer without authorization and exceed authorized access to a protected computer and by means of such conduct further the intended fraud and obtain anything of value exceeding $5 000 00 1n any luyear period in violation of Title 18 United States Code Sections 1030 a 4 and and b to knowingly cause the transmission of a program information A 1 code and and as a result of such conduct intentionally cause damage without authorization to a protected computer and the offense caused loss to one or more persons 1 during a 1-year period aggregating at least $5 000 00 1n value and damage affecting 10 or A more protected computers during a l-year period in violation of Title 18 United States Code Sections 1030 a 5 A and 1 II OBJECTIVES OF THE CONSPIRACY 23 The objectives of the conspiracy included hacking into protected computer networks using maIWarIe designed to provide the conspirators With Unauthorized access I to and control of victim computer systems The objectives of the conspiracy further included conduCting surveillance of victim computer networks and installing additiOnal' malware on the victim computer networks for the purposes of establishing persistence and stealing payment card track data nancial information and proprietary private and Superseding Indictment United States Hladyr - - UNITED STATES ATTORNEY a - 700 STEWART sinner 5mm 5220 No 276RSL 17 SEATTLE WASHINGTON98101 206 553 7970 Case Document 47-2 Filed 07 27 18 Page 19 of 33' non-public information with the intention of using and Selling Such stolen items either 7 I directly or indirectly for nancial gain The objectives cf the conspiracy further I included installing malware that would integrate victim computers into a botnet that I allowed the conspiracy to control alter and damage compromised Computers - MANNER AND MEANS OF THE CONSPIRACY 24 The manner and means used to accomplish the conspiracy are set forth in Paragraph 15 of Count 1 of this Superseding Indictment IV OVERT ACTS 7 25 In furtherance of the conspiracy and to achieve the objects thereof FEDIR OLEKSIYOVYCH HLADYR and others known and unknown to the Grand Jury did commit and cause to be cOminitted the following overt acts among others in the Western District of Washington and elserhere I a FEDIR OLEKSIYOVYCH HLADYR served as a high-level systems administrator for FIN 7 who maintained servers and cominunication channels used by the organization including administrating HipChat rooms and the uploading and organization of stolen payment card data and malware For example I -- i On or about March 14 2016 FEDIR OLEKSIYOVYCH HLADYR uploaded to a HipChat room shared with another 1N7 member an archive that contained numerous data les centaining payment card numbers stolen from a victim company that had publicly reported a security breach that reSulted 1n the loss of tens of thousands of payment cards ii - On or about April 8 2016 FEDIR OLEKSIYOVYCH HLADYR created a HipChat room called My_ Files to which he had exclusive access and later uploaded data for approximately 100 stolen payment cards 7 On or about July 19 2016 FEDIR OLEKSIYOVYCH HLADYR posted in a HipChat room accessible to other FIN7 members les related to a i victim company including multiple soreenshots fromr'one or more victim Company Superseding Indictment United States Hlaafyr i - UNITED STATES ATTORNEY '700 STEWART STREET SUITE 5220 - SEATTLE WASHINGTON 98101 - 206 553-7970 Case Document 47-2 Filed 07 27 18 Page 20 of 33 computers that showed among other things internal company information and an administrator password iv On or abOUt November 22 2016 FEDIR OLEKSIYOVYCH HLADYR uploaded to his My_ Files HipChat reom a le containing data for stolen I paymentcards b Co-conspirator D F served as a high- -Ieve1 pen- of one- - tasked with nding vulnerabilities that an attacker may exploit who managed Other pen- testers responsible for breaching the security of victims computer systems For example i Co conspirator D F created and managed issues on private JIRA server relating to intrusions of multiple victim companies including but not limited to Victim-7 and Victim-9 to which FIN7 members shared and stored intrusion information and ex ltrated data ii _Us ing 3 private Jabber server co consp irator D F communicated under the alias hotdima with other FIN7 members regarding his hacking efforts and his payment for such efforts I I Co conspirator D F accessed and controlled compromised computer systems through custom control panels c 1 The conspiracy compromised illegally accessed had unauthorized communications with and ex ltrated proprietary private and non-public victim data and i information from the computer systems of- the Victim-l a hotel and casino in the - Western District of Washington For instance i On or about August 8 2016 the conspiraCy directly and through intermediaries used the aCcount just__ etravel@yahoo com to send a phishmg email with thejsubject to an employee of Victim-1 located 1 11Tacoma Washington with an attached Microsoft Word document that contained malWareV The email contained materially false representations designed to induce the targeted employee to open enable the malware and compromise the computer system Superseding Indictment United States Hladyr I - UNITED STATES N0 19 2700 5220 SEATTLE WASHINGTON 98101 20195534970 Case Document47-2 Filed 07 27 18 Page-21 of33 ii On or about August 8 2016 the conspiracy directly and through intermediaries used the account frankjohnSon@revital travel com to send a 1 phishin'g email with the subject order to an employee of Victim-1 located 111 Tacoma Washington With an attached Microsoft word document that contained malware The email contained materially false representations designed to induce the targeted employee to enable the malware and compromise the computer system - _Under the control of the censpiracy malware a compromised computer of Victim-1 communicated with a command and centrol server located 1n 3 foreign country For instance from August 2016 to August 9 2016 and from August 24 2016 to August 31 2016 a compromised Victim-l computer logged apprOximately 3 639 communications with various URLs all starting With revital- travel eom at an IP address hosted 1n Russia H- I d The conspiracy compromised illegally accessed had utiauthoriZch communications With and ex ltrated proprietary private and non-public victim data and 7 information from the computer systems of Victim-6 a restaurant chain with locations 1n multiple states For instance 1 On or about August 25 2016 the conspiracy directly and- through intermediaries used the account revital travel @yahoo com to send a phishing email to an employee of Victim 6 with an attached Microsoft Word document that contained malware The email contained materially false representations designed to induce the targeted employee to enable the maIWare and compromise the computer systemabout September7 2016 FEDIR OLEKSIYOVYCH HLADYR created an issue on the conspiracy s private JIRA serverSpecifically related to Victim-6 One or more FIN '7 members posted les Containing internal credentials for i the Victim 6 cemputer network I A i 7 be The conspiracy compromised illegally accessed had unauthdrized communications with and ex ltrated proprietary private and non-public victim data and Superseding Indictment United States Hladyr UNITED STATES ATTORNEY No 20 7 - - 700 STEWART STREET 3111155220 semenmsamcron 98101 - 206 5534 970 Case Document 47-2 Filed 07 27 18 Page 22 of 33 inforniatiOn firom the computer systems of Victim-7 an automotive retail and repair chain with hundreds of locations in multiple states including Washington For instance i i 011 or about January 18 2017 a FIN7 member created an 1 issue 011 the conspiracy 3 private JIRA server speci cally related to Victim-7 That FIN7 member and co Conspirator D F posted results from several netWork mapping tools used on Victim-7 5 internal networkabout January 20 2017 a FIN7 member posted ex ltrated data including multiple usernames and pass-words with the title Server I Passwords to the Victim-7 JIRA issue - On or about January 23 and January 24 2017 co-conspirator' F posted information about Victim-7 s internal netWork and uploaded a le centaining multiple IP addresses and information abOut Victim 7 servers to the Victim-7 JIRA issueabout January 27 2017 co-eonspirator 1 F uploaded to the Victim 7 issue a le containing over 1 000 usernaines and passwords for generic company accounts and employee accounts The potentially compromised _7 acCounts related to approximately 700 Victim-7 locations throughout the United States including approximately 12 locations located in the state of Washington ii 7 f The conspiracy compromised illegally accessed had unauthOrized communications with and exiiltrated proprietary private and 110n public Victim data and if i information from the computer systems of Victim 2 a corporatiOn headquartered 111 Seattle Washington For instanceabout February 21 2017 the conspiracy directly and through intermediaries used an account purporting to be lings@sec gov but actually 3th by secureservernet to send a' phishingemail toan employee of Victim-2 located in Seattle Washington With an attaChed MiCrosoit Word document that contained malware The email falsely purported to relate to a corporate ling with the SEC and contained Superseding Indictment I United States v Hladyr UNITED STATES ATTORNEY No 276RSL- 21 A 700 STEWART STREET 81111135220 206 553-7970 Case Document 47-2 Filed 07 27 18 Page 23 of 33 0 materially false representations designed to induce the targeted employee to open the file enable the malvvare and compromise the computer system I ii From on or about February 21 2017 to approximately March 3 2017 the conspiracy illegally accessed and had communications with the of Victim-Z located 111 Seattle washington For instance betWe en about February 23 2017 and February 24 2017 the victim computer made outgoing I connections to and transferred internal data without authOrization to an IP address 7 located 1n a foreign country 1 011 or about February 24 2017 a FIN7 member posted to a IRA issue created for- Victim 2 a screenshot from the targeted employee s computer at Victim-2 Which showed among other things an internal Victim-2 webpage available only to emplOyees with a valid user account iv Similarly a IFIN7 member posted to the Victim-2 JIRA issue a text le containing the usernames and passwords of the targeted Victim-2 employee including his her- personal email account LinkedIn account and personal - -- yr A I investment and nancial institution accounts I g I -- The conspiracy compromised illegally accessed had unauthorized communications with and ex ltrated proprietary private and non-public Vietim data and information from the computer systems of Victim-3 11 restaurant chain with thouSands ofII locations including the State of Washington From apprOximatelIy March 24 2017 to April 18 2017 the conspiracy accessed computer systems of Victim 3 and implanted malware designed to harvest payment card data from cards used on point of sale device's at restaurant locations nationwide including approximately 33 locations Within the Western District of Washington h - The conspiracy compromised illegally accessed had unauthOrized communications with and Iexfiltrated proprietary private and non-public victim data and information from the computer systems of Victim 8 a restaurant Chain with hundreds of locations in multiple states including ashington For instance Superseding Indictment United States v I adyr 5 7 UNITED STATES - - 7 v 700 STEWART STREET SUITE 5220 N0 CR17-276RSL- 22 I - SEATTLE Wasnmoron 98101 206 553 7970 00 l a Case IDocu'ment 47-2 Filed 07 27 18 PageI24 of 33' i On or about March 27 2017 the conspiracy directly and through intermediaries used the account ray donovan84@yahoo com to send a phishing email to a Victim 8 employee With an attached Microsoft Word document that contained malware The email falsely purported to convey a Customer complaint and centained additional materially false representations designed to induce the targeted employee to enable the maIWare and compromise the computer system ii On or about March 29 2017 a FIN7 member created an issue on the conspiracy private server speci cally related to Victim-8 and posted results from several network mapping tools used on Vietim-S Is internal network the pointI of-sale software management solution used by Victim-8 and a username and password to the Victim-I8 JIRA issue The software management tecl allows a I company to manage point-of-sale systems at multiple locations The IN7 member also 1' uploaded several screenshots presumably from one or more victim computers at Victim- 8 which showed amongother things the user logged into Victim-8 s account for the software management toolabout April 6 2017 21 FM member uploaded to the Victim-8 JIRA issue - a le containing hundreds of usernames and passwords for -- 7 approximately 798 Victim-8 locatiOns including 37 locations located 1n the State of Washington The le included network information telephone communications and locations of alarm panels within restaurantsabout April 7 2017 a FIN7 member uploaded to the Victim 8 issue a similar le containing numerous usernames and passWords for Victim-8 locations vi 011 or about May 5 2017 3 FIN7 member uploaded to the Victim 8 issue a le containing le directories on a compromised computer Vii 011 or about May 8 2017 a FIN7 member uploaded to the Victim-8 JIRA I issue ex ltrated les related to a password management system from a Superseding Indictmenti United States v HIadyr UNITED STATES ATTORNEY I No CR1M7-276RSL 23 81111115220 SEATTLE WAsmnorcN 98101 2'06 553-7970 on or about March 31 2017 11 FIN7 member pested a link to i Case Document 47-2 Filed 07 27 18 Page 25 of733 compromised computer which c'ontained the credentials usernames and passwords of a particular employeeor abOut May 15 20 17 a FIN7 member uploaded to the Victim-8 JIRA issue screenshots of a compromised computerthat Showed the employee accessing Victim48 s security infrastructure management software Same employee s credentials i The conspiracy compromised illegally accessed had unauthorized communicatiOns with and private and non-public Vietim data and information from the computer Systems of one or more locations of Victim-9 a fast-food restaurant chain With thousands of locations throughout the United States including i WaShington For instance a i i On various dates the conspiracy directly and through intermediaries sent phishing emails With an attached le that contained malware to multiple Victim 9 locations For instance on or about April 7 2017 the conSpiracy used the account oliver__palmer@yahoo com to send a phishing email to a Victim '9 location in the State of Oregon The email contained materially false representations designed to induce the targeted employee to open the le enable the malware and compromise the 7 I 1' computer system i i i ii 011' or about April 5 2017 eo-conSpirator D F created an a issue on the conspiracy 3 private JIRA server speci cally related to Victim-9 One or more IN7 members posted usernames and passwords for Victim 9 locations including a Victim-9 location 1n Vancouver Washington 3 The conspiracy compromised illegally accessed had unautho zed communications with and eX ltrated proprietary private and non public victim data and information from the computer systems of one or morelocatiOns of Victim-4 a pizza parlor chain With hundreds of locations including in Washington For instance 7 i On or about April 11 2017 the conspiracy directly and through intermediaries used the account Oliver _pa1mer@yahoo com to send a phishing Superseding Indictment United States v Hladyr UNITED STATES ATTORNEY No CR1 7 276RSL 24 r700 STEWART STREET SUITE 5220 - SEATTLE Wasnmoron 98101 206 553-7970 Case Document 47-2 Filed 07 27 18 Page 26 of 33 email With the subject claim to an employee of a Vietim 4 located 1n Renton Washington with an attached Rich Text Format rtf document that contained malware The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the malware and compromise the computer system - ii On or about April 11 2017 the conspiracy directly and through intermediaries used the account ol1ver_palmer@yahoo com to Send a phishing email with the subject an emplOyee of a Victim-4 located 1n Vancouver Washington with an attached Rich Text Format rtf document that contained malware The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the malware and compromise the computer system i I 9 On or about May 25 2017 the conspiracy directly and through intermediaries used the account Adrian 1987cl'ark@yahoo com to send a phishing email with the subject takeout order to an employee of a Victim-4 located 1n or around Spokane Washington with an attached Rich Text Format rtf document that contained malware The email falsely stated that the sender had a large takeout order and contained additional materially false representations designed to induce the targeted employee to enable the malware and compromise the computer system k The conspiracy compromised illegally accessed had unauthorized communications with and ex ltrated proprietary private and non-public victim data and information trim the computer systems of one or more locations of Victim-10 a faste food restaurant chain with hundreds of 10Catio ns 1n various states including Washington For instance it i i on or about May 24 201 7 a FIN7 member created an issue 7 on the conspiracyis priVate JIRA server speci cally related to Victim-10 One or more FIN7 members pested information relating to the intrusion cf compnter systems'anid Superseding Indictment United States v Hladyr 1 11mm STATESAITORNEY No CR17-276RSL- 25 700 STEWART SEATTLE WASHINGTON 9810 206 553-7970 pCase Document 47-2 Filed 07 27 18 Page 27 of 3-3 exfiltrated data including les containing passwords and Screenshots from one or more compromised cempnters 1 I ii On or about June 12 2017 the conspiracy directly and through intermediaries used the accoilnt Adrian 1987c1ark@yahoo com to send a phishing email with the subj ect order catering to an emplOyee of a Victim-10 located in Iowa with an attached Rich Text Format rtf document that contained maIWare The email falsely stated that the sender had a catering order for the following day and contained additional materially false representations designed to induce the employee to - enable the malware and compromise the computer system From on or about June 12 2017 to a date mow the I conspiracy illegally accessed and had communications with the computer systems of the Victim-10 located 1n Iowa For instance the conspiracy transferred without authorization the proprietary private and non-public victim data and information including usernames and passwords to a JIRA server managed by FIN7 located 111 a foreign countryAll 111 violation of Title 18 United States Code Section 371 COUNTS 17- 19 Accessing a Protected Computer 111 Furtherance of Fraud 26 The allegations set forth 1n Paragraphs 1 through 25 of this Supersedmg - Indictment are re- alleged and incorporated as if fully set forth herein _ I 27 On or about the dates listed below Within the Western of Washington and elsewhere FEDIR OLEKSIYOVYCH HLADYR and others known and unknown to the Grand Jury knOWingly and with intent to defraud accessed a I protected computer withOut- antherization and in excess of authorized access and by i i '7 means of such conduct furthered the intended fraud and lobtai'ned something of 'Valiie speci cally payment card data and proprietary and non-public information Whereby the object of the fraud and the thing obtained consisted of more than the use of the computers and the value of such use was more than $5 000 111a l yejar period as listed below 7 - Superseding Indictment United States v I adyr UNITED STATES ATTORNEY No CR17 276RSL- 26 - 1 WASHINGTON 98101 206 553 7970 Case D0cument47 2 Filed 07 27 18 Page-28 of33 if 17 August 8 2016 throughW 18 February 21 2017 through March 3 2017 'ViCti'm-Z 19 March 24 2017 through April 18 2017 Victim-3 All 1n violation of Title 18 United States Code Sections 1030 a 4 103001 1030 c 3 A and 2 - 22 Intentional Damage to a Protected Computer 28 The allegations set forth 1n Paragraphs 1 thIOugh 27 of this Superseding Indictment are re alleged and incorpOrated as if fully set forth herein 29 On or about the dates listed below within the Western Distn'ct of Washington and-elseWhere FEDIR OLEKSIYOVYCH HLADYR and others known 7 and unknown to the Grand'Jury knowingly caused the transmission of a program 7 information code and command and as a result of such conduct intentionally caused damage without authorization to a protected computer speci cally the protected computer system of the victim listed below and the offense caused loss to One or more 1 persons during a leyear period aggregating at least $5 000 00 in value and- ii damage affecting 10 or moreprotected computers during a l-year period 20 August 8 2016 through October 4 2016 Victim-1 21 February 21 2017 through March 3 2017 Victim-2 22' March 24 2017 through April 18 2017 Victim-3 All 1n violation of Title 18 United States Code Sections 1030 a 5 A 1030 1 1030 c 4 B and 2 l Superseding Ind1ct1nent United States v Hladyr 3 1 UNITED STATES ATTORNEY No CR17-276RSL- 27 700 STEWART STREET 31111115220 WASHINGTON 98101 206 553 4970 Case I Document 47-2 Filed'Q7 27 18 Page 29 0133 COUNT 23 1 Access Device Fraud 30 The allegations set forth in Paragraphs 1 through 29 of Superseding Indictment are re- alleged and incorporated as if fully set forth herein 31 Beginning at a time unknown and continuing through on or after January 10 2018 within the Western District of and elsewhere EDIR OLEKSIYOVYCH HLADYR and others known and unknown to the Grand Jury I and with intent to defraud possessed fteen or more counterfeit and i unauthorized access deviCes namely payment card data account numbers and Other means of accOunt access that can be used alone and 1n conjunction with another aCceSs device to Obtain money goOds services and any other thing of value and that can be used to initiate atransfer of funds said activity affecting interState and foreign All In violation of- Title 18 United States Code Sections 1029 c 1 A and2 CCOUN-T 24 I Aggravated Ident1ty Theft 32 The allegations set forth 1n Paragraphs 1 through 31 of this Superseding I - Indictment are 're-alleged and incorporated as if fully set forth herein I I 33 Beginning at a time unknown but no earlier than on or about February 21 2017 and no later than March 3 2017 - and- continuing through on or after Noyember 21 2017 at Seattle within the western District of Washington and elsewhere FEDIR OLEKSIYOVYCH HLADYR and others known and unknown to the Grand Jury did knowingly transfer possess -and_ use vVithout lawful authority a means of identi cation of another person to wit the name username and password of a real person J an U S 1028A c that 18 conspiracy to commit wire and bank fraud 1n Violation of 18 S C 1349 as charged 1n Count 1 and wire fraud in violation of 18 U S C 1343 as I Superseding Indictment United States v Hladyr 7 - UNITED STATES ATTORNEY 700 STEWART STREET SUITE 5220 - SEATTLE WASHINGTON 98101 206 553-7970 CO '4 4h Ln 1 1 Case 47-2 Filed 07 27 18 Page 30 of 33' charged in Counts 5 and 6 knowing that the means of identi cation belonged to another actual personviolation of Title 18 United States Code Sections 1028A a and 2 I I Aggravated Identity Theft 34 I The allegations set forth in Paragraphs 1 through 33 of this Supersedlng Indictment are re-alleged and incorporated as if fully set forth herein 35 Beginning at a time unknown but no later than on or about May 8 2017 and continuing through on or after November 21 2017 within the Western District of Washington and elsewhere FEDIR OLEKSIYOVYCH HLAIDYR and others known and unknown to the Grand Jury did knowingly transfer possess and use without lawful authority a means of identi cation of another person to wit the name employee credentials username and password of a real person M an employee of Victini-8 during and in relatiOn to a felony violation enumerated in 18 U S 1028A c that is conspiracy to commit wire and bank fraud 1n violation of 18 U S C 1349 as charged- in 3th 1 knowing that the means of identi cation belonged to anOther actual person All 1n violation of Title 18 United States Code Seetions '1028A a and 2 COUNT26 7 SS Aggravated Identity Theft 3 6 The allegations set forth 1n Paragraphs 1 through 35 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein 37 Beginning at a time unknown but no later than on or about January 27 2017 and Continuing through on in after- November 21 2017 within the Western District of Washington andlelsewhere EDIR OLEKSIYOVYCH HLADYR and others 1910 I and unknown to'the Grand Jury did knowingly transfer possess and use without law il authority a means of identi catiOn of another person to wit the name username and password of real personsand D employees of 1 Victim-7 during and in relation to a felony violation enumerated 18 U S C Superseding Indictment United States v wadyr - UNITED STATES ATTORNEY No CR17-276RSL 29 - 700 51111115220 WASHINGTON 98101 206 5534970 Case Document 47-2 Filed 07 27 18 Page 31 of 33 1028A c that IS conspiracy to commit wire and bank fraud - 111 Violation of 18 U S C 1349 as charged 1n Count 1 k_nowing that the means of identi catiOn belonged to another actual person All in Violation of Title 18 United States Code Sections 1028A a and 2 FORFEITURE ALLEGATION 38 The allegations contained in Counts lthrough 15_of this Sup-erSeding 7 Indictment are hereby reallegedand incorporated by reference for the purpose of alleging 7 I forfeitures pursuant to Title '18 United States Code Section 981 a and Title 28 United States Code Section 2461 b Upon conViction of any of the offenses charged 1n Counts 1 through 15 the defendant EDIR OLEKSIYOVYCH HLADYR shall forfeit to the United States any property real or personal which constitutes or is derived from proceeds traceable to such offenses including but not limited to a judgment for a sui'n of money representing the property described in this paragraph - 39 The allegations contained 111 Counts 16 through 22 of this Superseding Indictment are hereby realleged and incorporated by reference for the purpose of alleging ferfeitures pursuant to Title 18 United States Code Sections 982 a 2 B and 1030 1 Upon conViction of any of the offenses charged 111 Counts 16thrOugl1 22 the defendant FEDIR OLEKSIYOVYCH HLADYR shall forfeit to the United States any property constituting or derived from proceeds the defendant obtained directly or indirectly as the result of 'such offenses and shall also forfeit the defendant s interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such offenses including but not limited to a judgment for a sum of money representing the property described 1n this paragraph 40 The allegations contained 1n Count 23 of this superseding Indictment are hereby realleged- and incorporated by reference for the purpose of alleging forfeiture-s pursuant to Title 18 United States Code Sections 981 a 1 C and 1029 cr 1 C and Title 28 United States Code SectiOn 2461 e Upon conviction Of the offense charged in f Count 23 the defendant FEDIR OLEKSIYOVYCH HLADYR shall forfeit to the -- Superseding Indictment United States v Hladyr I UNITED STATES ATTOIWEY No CR17 276RSL- 3o 700 Smwaars'mser SEATTLE WASHINGTON 98101 206 553-7970 oolaxt cnmh-wMI G cog-oxme-mmpg Case Document 47-2 Filed 07 27 18 Page 32 of 33 United States any property real or personal Whichlconstitutes-or is derived from proceeds traceable to such offenSe and Ashall also forfeit any personal property used or 7 I intended to be used to commit such offense including but not limited to a judgment for a 1 sum of money representing the property described In this paragrath I Substitute Assets 41 If any of the property described above as a result of any act or omission of I I the defendant - i I cannot be located upon the exercise of due diligence a 1b has been transferred or sold to or deposited with a third party to has been placed beyond the jurisdiCtion of the court d has been substantially diminished in value or e has been commingled with other property which cannOt be divided A without dif culty - Superseding Indictrnent United States v H1adyr UNITED ATTORNEY No 31 - 700 STREET SUITE 5220' SEATTLE WASHINGTON 98101 12095534970 Case Document 47-2 Filed 07 27 18 Page 33 of 33 DATED ANNETTE L HA United States Atto ey LQ ANDREW C FRIEDMAN Assistant United States Attorney CIS Ass tant United Stas sAttorney L Assistant United States Attorney Trial Attorney Computer Crime and Intellectual Property Section Superseding Indictment United States v Hladyr No 276RSL- 32 A TRUE BILL the United States of America shall be entitled to forfeiture of substitute property pursuant to Title 21 United States Code Section 853 p as ineorporated by Title 28 United States Code Section 2461 c 125 3 Signature of ForeperSOn redacted pursuant to policy of the Judicial Conference FOREPERSON UNITED STATES ATTORNEY 700 STEWART STREET SUITE 5220 SEATTLE WASHINGTON 98101 206 553-7970