On January 27. 2016. the Florida Department of Law Enforcement received a referral from the Lee County
Sheriff?s Office in reference to a possible unauthorized breech of the Lee County Elections Office website. It
was discovered that an opponent in the election for Lee County Supervisor of Elections. Dan Sinclair, has
been advertising that an associate of his named David Levin. owner of Vanguard Cybersecurity. was able to
perform a SQL (Structured Query Language) injection attack on the Lee County Elections Office website. An
SQL injection is a code injection technique used to attack datawdriven applications. An SQL injection enables
an individual to obtain secure information, such as usernames and passwords. from vulnerable websites. It
was also discovered that Levin performed a separate SQL injection attack against the Division of Elections in

Tallahassee, Florida.

On January 25, 2016, Sinclair and Levin posted two YouTube videos explaining the SQL injection that was
performed on the Lee County Elections Office website. Levin explained that an SQL injection attack tricks the
system into giving you information that might not otherwise be accessible to the public. During the YouTube
videos Levin demonstrated how he performed the SQL injection attack on the Lee County Elections Office
website. Levin displayed screenshots of his computer device that showed the program Levin utilized to
perform the SQL injection. Levin also showed screenshots of him logging into the Lee County Elections Office
website with Sharon Harrington?s credentials, the current Lee County Supervisor of Elections. Levin then

demonstrated how he was able to navigate the Lee County Elections Office website as an administrator.

On January 25. 2016. Sinclair and Levin conducted an interview with a local Fort Myers television news
station. During this interview, Levin demonstrated how he was able to perform an SQL injection on the Lee
County Elections Office website. When referring to the SQL injection he performed on the Lee County
Elections Office database Levin stated ?i hacked it." Levin stated that he used Sharon Harrington?s credentials

to log into the system.

On February 1. 2016. Special Agent (SA) Christopher Tissot was forwarded an e?mail with a Vanguard
Cybersecurity, security research report attached. The e-mail was originally sent to an empioyee within the
Department of State. Division of Elections, from Daniel Sinclair. The report was written by David Levin and
outlined the Structured Query Language (SQL) injection attacks he conducted on both the Lee County
Elections Office website as well as the Division of Elections. The report inciuded screenshots of the actual
SQL injection attacks that were performed on the Division of Elections in Tallahassee. Florida as well as a list
of the different types of data that Levin obtained from performing the SQL injection attacks. The report was
dated January 27. 2016. . LR

On February 3. 2016, a?to David Levin was conducted by members with the
Fiorida Department of Law Enforcement. During?evin was asked about the SQL

injection attack he performed on the Lee County Elections Office website as wait as the Office of Elections in
Tallahassee, Florida.

The foiiowing is a summary of?

 

On February 8, 2016, members of the Fiorida Department of Law Enforcement (FDLE) executed a search
warrant at 9812 Foxhail Way, Unit 2. Esters, FL 33928. At approximately 8:00 AM, Speciai Agent Supervisor
(3A8) Jason Knowles and Speciai Agent (SA) Christopher Tissot proceeded to the target iocation, 9812
Foxhali Way. Unit 2, Estero, FL 33928, in attempts to interview David Levin.

Upon arrivat at the target tocation, 8A8 Knowles and SA Tissot made contact with Jacquelyn Leah Levine,
David Levin's wife. Jacquelyn advised the agents Levin was not home, he was at work. SA Tissot requested
Jaoqaeiyn to call Levin to see if he oouid come back to the residence to speak with the agents. Jacquetyn
caiied Levin and after she made contact with him she handed SA Tissot the phone. 8A tissot advised Levin
that the agents wished to speak with him regarding the 80!. injection he performed. Levin stated he would
return to the residence, 9812 Foxheil Way, Unit 2. to speak with the agents,

Approximateiy thirty minutes tater Levin arrived at the residence. Upon arrival, Levin invited both SAS
Knowles and SA Tissot inside the residence. Once inside, Levin agreed to speak with both SAS Knowles and

SA Tissot and a recorded interview was subsequentiy conducted.

The following is a summary of the interview:

 

 

During the interview, Levin utilized his MacBook computer and showed SA Tissot the video Levin recorded of
the SQL injection attack he periormed on the Lee County Elections Office. Levin also showed SA Tissot two
that he to perform the attacks.

 

Once the interview was complete, SA Tissot advised Levin that SA Tissot had a search warrant for the

residence. SA Tissot contacted the other agentsirnembers who were staging nearby who then responded to
the residence to assist with the execution of the search warrant. Both Levin and his wits Jacqueiyn remained
outside while the search warrant was executed. While previewing Levin?s MacBook computer, Systems
Programming Consultant (SPC) Vince DellAccio copied several files from the computer onto a USB thumb
drive for evidentiary purposes. Severat electronic devices were seized during the execution of the search

warrant including Levin's MacBook computer and iPhone 68 Plus.

On February 11. 2016? Special Agent (SA) Christopher Tissot and Systems Programming Consultant (SPC)
Vince DellAccio interviewed Sharon Harrington, Lee County Supervisor of Eiections. The interview took piece
at the Florida Department of Law Enforcement's Fort Myers Regional Operation Center located at 4700
Terminal Drive Suite 1, Fort Myers, Fiorida 33907.

The foliowing is a summary of the interview with Sharon Harrington:

Sharon did not grant David Levin. nor anyone else permission to perform a Structured Query Language (SQL)
injection or any other type of network intrusion against the Lee County Elections Office. Sharon did not grant
David Levin, nor anyone eise permission to utilize her username and password to log into the Lee County
Elections Of?ce website. Sharon Harrington was noti?ed of the breech on approximately January 25, 2016.
Daniei Sinclair left a voicemail with Sharon Harrington's assistant. Sharon Harrington first reported the

.1
Kr 4

3r??

network intrusion to the Lee County Sheriff's Offices who in turn referred her to the Florida Department of Law
Enforcement.

On February 23, 2016, Special Agent (SA) Christopher Tissot and Systems Programming Consultant (SPC)
Vince DellAccio interviewed Daniel Sinclair, The interview took place at Sinclair's residence iocated at 640
Dabney St, Fort Myers, FL 33966. Daniel Sinclair invited both SA Tissot and SPC DellAccio inside of his

residence for a consensuai interviews
The ioliowing is a summary of the interview with Daniel Sinclair:

Sinciair met David Levin at a Young Republicans Event in 2015. Levin contacted Sinclair December 19. 2015
and explained the Structured Query Language (SOL) injection he had performed to Sinclair. Levin shared the
video of the SQL infection he had performed on the Lee County Eiections Office website on January 8, 2016.
with Sinclair via Levin?s Dropbox acdount. Sinclair contacted both the Lee County Elections Office and the
Division of Elections to report the two incidents that occurred on December 19, 2015 and January 4, 2016.
Sinclair didn?t ask Levin to perform the SQL injection attacks; he was made aware of the attacks after the fact
by Levint

On February 23. 20161 SA Tissot obtained a search warrant for Levin?s Dropbox, lnc. account that was

associated with his gmaii account? A copy of the search warrant was sent to

Dropbox, inot on February 24. 2016.

On March 17, 2016. Special Agent (SA) Christopher Tissot received the requested information from Dropboxs
inc. in reference to the search warrant that was submitted on February 24, 2016? Dropbox. Inci provided a

silver 8 gigabyte Kingston USB drive. SA Tissot accessed the USB drive to review the information provided by
Dropbox, Inc. After reviewing the information, SA Tissot discovered the DrOpbox, inc. account associated with

the e-mait address?was registered to "David Levin" and was created on October 1,
2015. Levin had the file?In his Dropbox?, Inc. folder. This video shows Levin

performing a Structured Query Language (SQL) injection attack against the Lee County Office of Elections

website.

On March 24, 2016, SP0 Vince DeliAccio completed his analysis of the Lee County Elections Of?ce website
tog files. SPC DellAccio discovered an SQL injection attack on the Lee County Elections Of?ce website on
numerous dates including December 19, 2015. This is the date Levin told investigators that he performed the


.3. gait

SQL injection attack on the Lee County Office of Eiections website; it is also the same date 
-Levin utilized for the attacks created an HTML report file that documented the actuai attack. The HTML
file report contained a brief summary of the attack Levin performed and the information he obtained.

On Approximately April 14. 3016. SP8 Vince DellAccic compieted his analysis of the Division of Elections
website tog files. SPC DeliAccio discovered an SQL injection attack to the Division of Elections website on
numerous occasions including January 31, 2015. SP0 DelIAccio was also abie to iocate a .png screen
capture file on Levin?s seized MacBook Air computer. The screen capture tile depicted an SQL. injection attack
Levin performed on the Division of Eiections website. The .png screen capture ?le was created on January

31 2016. SP0 DellAccio also iocated an HTML file on Levin?s seized MacBook computer. The HTML file was
a report that was created b_that Levin utilized for the attacks. The HTML report file
contained the information Levin obtained as a result of the attack. The HTML file was created by the-
-on January 4. 2016. indicating the attack occurred on the same day.

Based on the evidence obtained regarding the SQL injection attack Levin performed against the Lee County
Office of Elections on December 19. 2015. probabie cause does exist to charge Levin with unauthorized
access of any computer, computer system. computer network. or electronic device. a violation of Florida
Statute a third degree felolny.

Based on the evidence obtained regarding the SQL injection attacks Levin pertormed against the Division of
Eiecticns on January 4. 2016. probable cause does exist to charge Levin with unauthorized access of any
computer. computer system. computer network, or eiectronic device. a violation of Fiorida Statute
a third degree felony.

Based on the evidence obtained regarding the SQL injection attacks Levin performed against the Division of
Elections on January 31. 2016. probable cause does exist to charge Levin with unauthorized access of any
computer. computer system. computer network. or electronic device. a violation of Florida Statute
a third degree felony.

Your Affiant believes that based upon the investigation in its entirety, to include the sworn statements provided
by the witnesses and physical evidence gathered during the investigation probable cause exists to charge
DAVID LEVIN with 3 counts of unauthorized access of any computer, computer system. computer
network, or electronic device. a violation of Florida Statute a third degree felony.

an"

6

WHEREFORE, your Affiant prays that a warrant will be issued commanding all and singular, Rick L.
Swearingen, Commissioner, Florida Department of Law Enforcement or any of his duly authorized Special
Agents; all Sheriffs and Police Chiefs of the State of Florida or any of their duly authorized deputies or officers
to arrest instanter DAVID MICHAEL LEVIN and bring him before the Court so that he may be dealt with
according to law.


If/l  wk 8
Special Agent
Florida Department of Law Enforcement

STATE OF FLORIDA
COUNTY OF LEE

The foregoing instrument was acknowledged before me this da? of y.
Christopher Tissot who identified himsetf to me and who did take a loatheil-?

6? bV'Speoialegent

    



 

1 Mt  

LEE co TY, FLORIDA

L.

Amy 8. Hawthorne
Ckcuit Court Judge