AO 91 (Rev. 1) Criminal Complaint

UNITED STATES DISTRICT COURT
for the
District of Vermont

United States of America v. JOSIAH LEACH, Defendant(s)
Case No. [illegible]

COMPLAINT

I, the complainant in this case, state that the following is true to the best of my knowledge and belief. On or about the date(s) of April 18, 2017 through April 21, 2017 in the county of Chittenden in the District of Vermont, the defendant(s) violated:

Code Section: 18 U.S.C. 875(c)
Offense Description: Knowingly transmitting in interstate commerce a communication containing a threat to injure the person of another.

This criminal complaint is based on these facts: See attached Affidavit.

Continued on the attached sheet.

Complainant's signature: [signature]
Printed name and title: Jennifer Vander Veer, Special Agent, FBI

Sworn to before me and signed in my presence.

Date: [illegible]
City and state: Burlington, Vermont
Judge's signature: [signature]
Printed name and title: Hon. Christina Reiss, Chief U.S. District Court Judge

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF VERMONT

AFFIDAVIT

I, Jennifer A. Vander Veer, being first duly sworn, hereby depose and state as follows:

INTRODUCTION AND AGENT BACKGROUND

1. I make this affidavit in support of charging JOSIAH LEACH with knowingly transmitting in interstate commerce communications containing threats to injure the person of another on or about April 18-21, 2017, in violation of 18 U.S.C. § 875(c).

2. I am a Special Agent with the United States Federal Bureau of Investigation (FBI), and have been since 2008. I am assigned to the cyber squad of the Albany Field Office where I am responsible for investigating high-tech crimes, including cyber-based terrorism, espionage, computer intrusions, and major cyber fraud.
Prior to joining the FBI, I held the position of Internet Operations Manager at a private company in Vermont for eight years, and also worked as a Software Development Intern for a large technology company in California.

3. This affidavit is intended to show only that there is sufficient probable cause for the requested charge and does not set forth all of my knowledge about this matter.

PROBABLE CAUSE

4. Based on my training and experience and the facts as set forth in this affidavit, there is probable cause to believe that from in or about April 18, 2017 through in or about April 21, 2017, JOSIAH LEACH violated 18 U.S.C. 875(c) (Interstate threats to injure another person) by transmitting threats indicating his intention to kill and harm students and faculty at South Burlington High School.

INCIDENT SUMMARY

5. As explained in more detail below, between 4/18/2017 and 4/21/2017 certain students and teachers at South Burlington High School (SBHS) received multiple emails threatening physical harm to students and faculty members. I have reviewed these emails. I also learned that during this time an employee at SBHS received a phone call during which the caller threatened to kill persons at SBHS. During the same time period, South Burlington Police Department (SBPD) received a similar, apparently related threat via Facebook message. The threats led to school lockdowns on April 18, 19, and 20 and cancellation of school on 4/21/2017.

6. I responded to assist the SBPD in the investigation of the threats and have reviewed the information described below between 4/19/2017 and today.

THREAT #1

7. On April 18, 2017, between 11:09:04 to 11:27:29 EDT six emails sent by email account subedimukesh@outlook.com were received by six separate addresses within the South Burlington schools (all receiving accounts ended in I have reviewed these emails which said, with one slight variation, "I'm going to kill you and all your students soon at south Burlington high school in Vermont.
I'm coming for you. Good luck to you all. I'm coming today and if not today, I'll kill you all tomorrow. Take it as a joke or message either way it's fate." [sic]. The South Burlington schools were placed in a state of heightened security following receipt of the messages.

8. I reviewed information received from Microsoft Corporation which operates the outlook.com email service related to the sending address. Microsoft records indicated that the subedimukesh@outlook.com address was accessed on 4/18/2017 at 11:05:20 Eastern Daylight Time (EDT) from Internet Protocol address 104.200.140.118. Information from Hosting Services Inc. an internet service provider, stated that IP address 104.200.140.118 resolves to the Virtual Private Network service provider betternet.co.

[Footnote 1: A VPN is a method of providing secure access to a computer over the internet.]

9. Seven screen capture images provided to me by South Burlington High School IT staff showed copies of deleted draft messages in Josiah Leach's South Burlington High School Google Apps account created on 4/18/2017 between 11:21:57 and 11:29:15. Four of the seven draft messages were addressed to recipients of the Threat #1 emails and were created within 30 to 60 seconds of when the threat emails were sent. South Burlington High School IT staff explained that the Google Apps account could be used to look up school network email addresses.

THREAT #2

10. Shortly after the initial threats were received, on April 18, 2017 at approximately 11:45 AM EDT, the Facebook account received a message from a Facebook account ending in 9596 stating, "First I am killing everyone at south Burlington high school right now. Then your next. [sic]"

11. Facebook provided records related to the Facebook account ending in 9596 which I reviewed. Those records indicated that the registered name on the account was Mukesh Mukesh, and the account was first registered on 4/18/2017 at 11:35:11 EDT.
The records indicated that all access to this account was from IP address 104.200.140.118, the same IP Address associated with the access to the sending email account involved in Threat Facebook records also provided email addresses jimmymukie98@outlook.com and as associated with the account.

12. Microsoft Corporation provided information related to the jimmymukie98@outlook.com address which I reviewed. According to the records, the account was created on 4/18/2017 at 11:37:20 EDT and was accessed from IP address 64.30.37.252 on 4/18/2017 at 11:37:17 EDT. I confirmed that IP Address 64.30.37.252 resolves to the South Burlington School District indicating that the person registering and accessing the email account was using the South Burlington School District's servers.

13. Law enforcement reviewed the South Burlington school server logs with permission from the school for activity during this time period. Approximately three students, including Josiah Leach [2], were identified as connecting to websites associated with Microsoft Outlook within the two minute window on 4/18/2017 when the email account was created.

14. I conducted further review of network logs and determined that Josiah Leach was conducting this activity from a device with MAC Address [3] an Intel laptop. This device also had the name: South Burlington High School IT staff stated that this was a student laptop owned by the school.

[Footnote 2: Josiah Leach is 18 years old.]

[Footnote 3: A MAC address, or media access control address, also called physical address, is a unique identifier assigned to network interfaces for communications on the physical network segment.]

THREAT #3

15. On April 18, 2017 from 14:16:17 to 14:16:53 EDT, the South Burlington High School secretary received a phone call from telephone number 802-472-1939 in which the caller stated in what the secretary described as a raspy voice, "everyone is going to die tomorrow."
I have spoken with law enforcement officers who interviewed the school secretary regarding this call.

16. I have spoken with law enforcement officers who received information from South Burlington High School telephone service provider Sovernet. Sovernet provided them with information that determined that phone number 802-472-1939 was serviced by TextNow.

17. I reviewed records provided by TextNow, a Voice Over Internet Protocol (VoIP) provider, which indicated that their account for phone number 802-472-1939 was created on April 18, 2017 at 10:16:02 EDT using email address Further, TextNow indicated that IP Address 73.114.21.114 was associated with the phone call. Publicly available web resources indicate that IP Address 73.114.21.114 resolves to Comcast Xfinity Wifi.

[Footnote 4: VoIP is a form of technology that allows the transmission of speech over the internet.]

[Footnote 5: Records from Google, the provider of gmail, which I reviewed, indicate that this is an invalid email address.]

18. Law enforcement reviewed records from the South Burlington High School computer network which indicated that a device with MAC address had accessed TextNow via the school's servers using Josiah Leach's login credentials (leachj) at 10:15:11 EDT on April 18, 2017.

19. Law enforcement also reviewed records from the South Burlington High School computer network which indicated that the MAC address is associated with an Android Z812 device. Public source research indicates this is a ZTE Maven cell phone. According to records from the South Burlington High School computer network, this device was connected to SBHS networks on 4/18/2017 from 9:59:07 to 11:52:42 EDT.

THREAT #4

20. On April 19, 2017, between 10:51:57 to 10:56:09 EDT, five emails from sender address were received by accounts on the South Burlington network. The messages, which I reviewed, stated, "Wow, you guys really thought it was a threat. That's what I wanted you guys to think. Should've taken it seriously.
I don't care for my life and don't care for yours. I'm choosing 5 students in my interest to kill today then I'm killing every teacher who gets this mail. We are armed with knives and guns. We know all exits and side doors and windows.We are coming before 1:00pm today. We wasn't joking. Essex only. got lucky. GET READY FOR THEORY MURDER. The slacks are coming."

21. I reviewed records from Microsoft regarding the email account which indicated that the account was created on 4/19/2017 at 10:18:34 EDT and was accessed on 4/19/2017 at 10:18:29 and 11:34:06 EDT from IP address 172.98.87.72.

22. Public source information which I reviewed indicated that IP address 172.98.87.72 resolved to Total Server Solutions, who also was the listed registrant for the IP address in Threat #1 which provided service to Betternet.co.

23. On 4/20/2017 from 11:29:45 to 11:41:43 EDT email address sent three emails to accounts on the South Burlington school network which stated:

My other threat was only a test. I stood across the Street and saw you evacuating, great job. Now I got to see What students I can kill. I've already hacked into your students emails and servers to see who.You all can keep thinking it's a "low risk". I can already be inside your building right now. I have access to all students and teacher information, check out the murder list. I'm watching you all.

The message then included a MURDER which included the names of five teachers, including reference to one of their locations in the building and eleven students including Josiah Leach. The message concluded:

THIS BEEN PREVENTED FROM KEEPING THE REBEL NAME. NOW I'm gonna have to attack you all, I don't care for my own life as long as you're all Sincerely, Unknown.

24. I reviewed information from Microsoft Corporation regarding the account which indicated that the account was accessed on 4/20/2017 at 11:12:19 EDT from IP address 71.161.92.56.
Publicly available records indicate that 73.161.92.56 resolved to Fairpoint Communications Inc.

25. I have spoken with law enforcement officers who received information from Fairpoint Communications Inc. Fairpoint Communications Inc. stated that at the time in question, the IP address 71.161.92.56 resolved to JOSIAH home address. The account had been active since August 2016 and was registered under the name Leon McKenzie, who law enforcement officers confirmed was the brother of Josiah Leach.

THREAT #6

26. On 4/20/2017 from 11:47:43 to 11:48:52 EDT email address jimcollins9797@outlook.com sent messages to three email accounts on the South Burlington School network which were identical to the messages received in Threat

27. I reviewed information from Microsoft Corporation regarding the jimcollins9797@outlook.com account which indicated that the account was accessed on 4/20/2017 at 11:45:49 from IP Address 73.114.21.93. Publicly available records indicate that 73.114.21.93 resolved to Comcast Xfinity WIFI.

THREAT #7

28. On 4/21/2017 at 00:57:00 EDT a video was shared on Facebook by Facebook account taylor.isabelle.5496 which appeared to show a young male face which was blurred and voice was altered. The male discussed the threats, stated he was pleased they were taken seriously, and showed an image of the email from threats #5 and 6.

29. Facebook provided records, which I reviewed, indicating that Facebook account taylor.isabelle.5496 was associated with a user in Plattsburgh, New York and has communicated with the Facebook account of Josiah Leach on 4/19/2017 at 22:11 EDT.

THREAT #8

30. On 4/21/2017 at 2:25 EDT an email which I reviewed was sent to nine accounts on the South Burlington High School network from The email contained a video which law enforcement officers confirmed was identical to the video posted on Facebook in Threat

31. Information provided by Google, Inc.
which I have reviewed showed that the email account theycallmejim98@gmail.com was created on 4/21/2017 at 01:08:52 EDT from IP address 71.161.92.56.

32. IP address 71.161.92.56 is the same Fairpoint Communications Inc. address that was associated with the PREMISES in Threat

33. I conducted a review of South Burlington High School network logs between 4/18/2017 and 4/20/2017. The logs showed that Josiah Leach accessed the network using three unique devices identified by the following MAC addresses and device description:

a. a ZTE Maven cell, MAC Address:
b. Intel PC, MAC Address: and
c. a Samsung SGHI317, MAC Address:

34. Two of these devices were described conducting activity above. Open source information indicated the third device was a Galaxy Note II cell phone. This device was seen being used on school networks by Josiah Leach during the period of the threats and could have been used to conduct the described activity since not all of the Threats could be attributed to devices due to the use of a VPN and other deceptive tactics.

35. I am aware from my training and experience that the email communications and telephone communications described above traveled by wires in interstate commerce.

CONCLUSION

36. Based on the information outlined above, there is probable cause to believe that from in or about April 18, 2017, through in or about April 21, 2017, JOSIAH LEACH knowingly transmitted in interstate commerce communications containing threats to injure the persons of students and faculty members at the school.

Respectfully submitted,
Jennifer A. Vander Veer
Special Agent
Federal Bureau of Investigation

Subscribed and sworn to before me

CHIEF UNITED STATES DISTRICT COURT JUDGE