Case 1:16-cr-00228-LO Document 16 Filed 06/30/17 Page 1 of 16 PageID# 74

UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF VIRGINIA
Alexandria Division

UNITED STATES OF AMERICA

v.

RUSLANS BONDARS, a/k/a "Ruslan Bondar,"

JURIJS MARTISEVS, a/k/a "Yury Martyshev," "Jurijs Bereverovs,"

Defendants.

Criminal No. 1:16-cr-228

Count 1: 18 U.S.C. § 371 Conspiracy
Count 2: 18 U.S.C. § 1349 Conspiracy to Commit Wire Fraud
Count 3: 18 U.S.C. §§ 1343 & 2 Wire Fraud & Aiding and Abetting
Count 4: 18 U.S.C. §§ 2 & 1030(a)(5)(A) Computer Intrusion With Intent to Damage & Aiding and Abetting
Notice of Forfeiture

UNDER SEAL

INDICTMENT

October 2016 Term - at Alexandria, Virginia

Introduction

THE GRAND JURY CHARGES THAT:

At all times relevant to this Indictment:

1. Defendant RUSLANS BONDARS was a permanent resident of Latvia who resided in Riga, Latvia. BONDARS sometimes went by the first name Ruslan and the last name Bondar.

2. Defendant JURIJS MARTISEVS was a citizen of Latvia who resided in Riga, Latvia and Moscow, Russia. MARTISEVS sometimes went by the last names "Martyshev" and "Bereverovs." MARTISEVS sometimes went by the first name "Yury."

3. Amazon Web Services operated servers in the Eastern District of Virginia upon which it offered cloud storage services.

4. ICQ was an instant messaging service that employed servers located within the Eastern District of Virginia.

The above introductory allegations are realleged and incorporated in each count of this Indictment as though fully set out in each count.

COUNT 1
18 U.S.C. § 371
(Conspiracy)

THE GRAND JURY FURTHER CHARGES THAT:

6. From at least on or about October 3, 2006, and continuing until at least the date of this Indictment, in the Eastern District of Virginia and elsewhere, the Defendants,
RUSLANS BONDARS and JURIJS MARTISEVS, knowingly and intentionally conspired and agreed with one another and with conspirators known and unknown to the Grand Jury to commit offenses against the United States, that is:

a. to intentionally access a computer without authorization and exceed authorized access, and thereby obtain information from any protected computer, for purposes of [illegible] advantage and private financial gain, in violation of Title 18, United States Code, Section [illegible]; and

b. to knowingly and with intent to defraud access a protected computer without authorization and exceed authorized access, and by means of such conduct further the intended fraud and obtain anything of value, in violation of Title 18, United States Code, Section 1030(a)(4); and

c. to knowingly cause the transmission of a program, information, code, and command, and as a result of such conduct, intentionally cause damage without authorization to 10 or more protected computers during any one year period, in violation of Title 18, United States Code, Section 1030(a)(5)(A) and [illegible].

Manner and Means of the Conspiracy

It was part of the conspiracy that:

7. The Defendants agreed, combined, and worked together with each other and others, known and unknown to the grand jury, to operate an online service called [redacted].

8. [redacted], a counter antivirus service, provides information that computer hackers can use to determine whether the computer viruses and other malware they create will be detected by antivirus software, including and especially antivirus software used by the computer systems of major United States retailers, financial institutions, government agencies, and other high-value targets. The purpose of [redacted], and the intent of the defendants in operating the service, is to allow computer hackers to develop malware,
in particular, to make changes to their malware so as to reduce the chances that the malware will be detected by the antivirus applications and services of the companies and institutions they target.

9. [redacted] is one of the largest services of its kind and has at least 30,000 users. Malware that has been submitted to [redacted] includes some of the most prolific malware known to the Federal Bureau of Investigation and has been used in major computer intrusions committed against American businesses.

10. The malware submitted to [redacted] includes, but is not limited to, the following:

a. software used to hide malicious files from antivirus software so that the software cannot detect and quarantine the malicious files;

b. "Remote Access Trojans": software that allows a remote "operator" to control a system as if he or she has physical access to that system, including the possibility of administrator-level privileges;

c. "Keyloggers": surveillance software that has the capability to record keystrokes entered on the victim computer and send that information to the user of the keylogger. A keylogger can record and steal any information typed on a keyboard, including sensitive information such as emails, instant messages, and passwords to email, social media, and financial accounts; and

d. "Malware Tool Kits": toolkits specifically designed for users to create customized malicious files with functions of user preference. Some of the toolkits have embedded Application Program Interface (API) in order to determine if the created malicious files were detected by antivirus software. Typically, if the malicious files were detected by antivirus software, users would change the digital signature of the malicious files and rescan the malicious files using the [redacted] service with the goal of making the malicious files fully undetectable by antivirus software.

11.
The Defendants intentionally marketed [redacted] to computer hackers using the website [redacted] and a hidden service accessible via The Onion Router (TOR), an online network for enabling anonymity. The Defendants also advertised [redacted] on underground online cybercrime forums, which are support networks used by individuals worldwide to buy, sell, and rent malware kits, botnets, and stolen personal identifying information (PII). Moreover, the [redacted] service differed from legitimate scanning services in multiple ways. For example, while legitimate scanning services share data about uploaded files with the antivirus community, and notify their users that they will do so, [redacted] instead informed its users that they could upload anonymously, and that data about uploaded files would not be shared with the antivirus community. As a result, the Defendants knew and intended that the [redacted] service would be used for facilitation of online criminal activity.

12. The Defendants were leaders of the conspiracy and played the following roles, among others:

a. RUSLANS BONDARS served as an administrator of [redacted]. His responsibilities in the conspiracy included, among other things, maintaining the technical infrastructure used for the [redacted] service and website;

b. JURIJS MARTISEVS also served as an administrator of [redacted]. His responsibilities in the conspiracy included, among other things, providing customer support to [redacted] customers, typically via email, ICQ, Jabber, and Skype.

Overt Acts

In furtherance of the conspiracy and its objects, the following overt acts, among others, were committed in the Eastern District of Virginia and elsewhere by members of the conspiracy:

13. On or about October 3, 2006, MARTISEVS registered for a PayPal account under the business name [redacted].

14. One of the Defendants' co-conspirators, Z.S., was a malware developer who operated, in part, from Great Falls, Virginia, within the Eastern District of Virginia. Z.S.
designed a keylogger that he sold to over 3,000 customers, who in turn infected over 16,000 computers and thereby stole information, such as passwords, from these computers. On or about November 18, 2012, Z.S., using a computer in the Eastern District of Virginia, caused a payment to be made to an account controlled by the Defendants.

15. In exchange for this payment and others, the Defendants provided Z.S. with access to [redacted] and allowed Z.S. to integrate the [redacted] tool directly into his keylogger toolkit. The integration of the [redacted] tool into Z.S.'s keylogger allowed Z.S.'s customers to scan the keylogger's executable file to determine if the executable file would be detected by antivirus companies. If the executable was detected, the user could change the file's digital signature and rescan the executable, with the goal of making the malware fully undetectable by antivirus software.

16. On or about November 18, 2012 through on or about November 23, 2012, Z.S., using a computer located in the Eastern District of Virginia, and MARTISEVS exchanged emails regarding Z.S.'s access to the [redacted] service.

17. Beginning at least on or around October 28, 2009, and continuing through the present, MARTISEVS communicated with customers and potential customers of [redacted] via an instant messaging system, in order to provide customer support and discuss the benefits and terms of [redacted] membership. At all relevant times, ICQ employed servers within the Eastern District of Virginia. Accordingly, ICQ messages, which were sent in furtherance of the conspiracy, involved a wire signal being sent into, and typically out of, the Eastern District of Virginia.

18. On or about February 1, 2013, through on or about July 15, 2014,
BONDARS accessed the [redacted] service and site and performed administrative functions in furtherance of the conspiracy while logged into cloud storage space that was controlled by the conspiracy and hosted on servers owned by Amazon Web Services within the Eastern District of Virginia. In order to access the [redacted] service and site from outside the United States through the Amazon cloud storage, BONDARS caused wire signals to be transmitted both into and out of the Eastern District of Virginia.

(All in violation of Title 18, United States Code, Section 371.)

COUNT 2
18 U.S.C. § 1349
(Conspiracy to Commit Wire Fraud)

THE GRAND JURY FURTHER CHARGES THAT:

19. The factual allegations contained in paragraphs 1 through 18 are realleged and incorporated by reference herein.

20. From at least on or about October 3, 2006, and continuing until at least the date of this Indictment, in the Eastern District of Virginia and elsewhere, the Defendants, RUSLANS BONDARS and JURIJS MARTISEVS, knowingly and intentionally conspired and agreed with one another and with conspirators known and unknown to the Grand Jury to commit Wire Fraud, in violation of 18 U.S.C. § 1343, that is, having devised and intending to devise a scheme and artifice to defraud, and for obtaining money and property by means of false and fraudulent pretenses, representations, and promises, to transmit and cause to be transmitted by means of wire, radio, and television communication in interstate and foreign commerce, any writings, signs, signals, pictures, and sounds for the purpose of executing such scheme and artifice.

21. At all relevant times, the Defendants acted with the intent to defraud.

Manner and Means of the Conspiracy

It was part of the conspiracy that:

22.
As specified in more detail above, the Defendants agreed, combined, and worked together with each other and others, known and unknown to the grand jury, to operate an online service called [redacted].

23. The Defendants' chief purpose in operating the [redacted] service was to enable and cause fraud to be committed by and through [illegible] who were [redacted] members and by their co-conspirators, accomplices, and agents. The Defendants knew that their customers were using [redacted] for the purpose of furthering fraudulent schemes that were furthered by interstate and foreign wire signals and acted with the purposes of furthering these fraudulent schemes. Specifically, the Defendants' chief purpose in operating the [redacted] service was to help develop malware that could be used to gain unauthorized access to computer systems through false representations and thereby steal information, including sensitive financial and personal identifying information that could then be used to commit fraud.

Overt Acts

24. The overt acts specified in paragraphs 13 through 18 above were also committed in furtherance of the Wire Fraud conspiracy alleged in the instant count.

25. In addition, [illegible] developed by the Defendants' co-conspirators, who were [redacted] members located in the Eastern District of Virginia and elsewhere, with the assistance of MARTISEVS, BONDARS, and the [redacted] service, were used to perpetrate computer intrusions within the Eastern District of Virginia and elsewhere. The purpose of these computer intrusions was to steal information, including financial and personal identifying information, that could be used to commit fraud, and transfer that information via the internet across state and national lines to servers controlled by members of the conspiracy and their accomplices.

(All in violation of Title 18, United States Code, Section 1349.)

COUNT 3
18 U.S.C. §§ 1343 and 2
(Wire Fraud and Aiding and Abetting)

THE GRAND JURY FURTHER CHARGES THAT:

26. The factual allegations contained in paragraphs 1 through 25 are realleged and incorporated by reference herein.

From at least on or about October 3, 2006, and continuing until at least the date of this Indictment, in the Eastern District of Virginia and elsewhere, the Defendants, RUSLANS BONDARS and JURIJS MARTISEVS, having devised and intending to devise a scheme and artifice to defraud, and for obtaining money and property by means of false and fraudulent pretenses, representations, and promises, transmitted and caused to be transmitted by means of wire, radio, and television communication in interstate and foreign commerce, any writings, signs, signals, pictures, and sounds for the purpose of executing such scheme and artifice, in violation of Title 18, United States Code, Section 1343. At all relevant times, the Defendants acted with the intent to defraud.

28. In particular, as specified above, the Defendants operated the [redacted] service for the purpose of gaining access to computers through false representations and through that access stealing information, including but not limited to financial and personal identifying information such as credit card, social security numbers, and dates of birth, and for the purpose of using that fraudulently obtained information for, among other purposes, making fraudulent purchases and fraudulent [illegible] and transfers of funds.

29. In addition to committing Wire Fraud themselves, the Defendants also knowingly and intentionally aided and abetted Wire Fraud committed by [redacted] customers and their accomplices. At all times, the Defendants knew that their customers were using their service for the purpose of
furthering fraudulent schemes that were furthered by wire signals and committed the acts specified in this indictment for the purposes of furthering the schemes of their customers and their accomplices and co-schemers and with the intention of causing them to be committed.

30. Specifically, as specified in paragraph 25, the Defendants provided the [redacted] service to accomplices and co-schemers in the Eastern District of Virginia and elsewhere, knowing that it would be used to develop malware to access computer systems by means of false representations and thereby steal information from those computer systems located in the Eastern District of Virginia and elsewhere, including sensitive financial information, and for the purpose of using the stolen information to commit fraud. The Defendants at all times knew that the [redacted] service was being used to further such fraudulent schemes and acted for the purpose of furthering these crimes and causing them to be committed.

(All in violation of Title 18, United States Code, Sections 1343 and 2.)

COUNT 4
18 U.S.C. §§ 1030(a)(5)(A) and 2
(Computer Intrusion with Intent to Cause Damage and Aiding and Abetting)

31. The factual allegations contained in paragraphs 1 through 30 are realleged and incorporated by reference herein.

32. On or about October 15, 2012 through on or about December 2014, within the Eastern District of Virginia and elsewhere, the Defendants, RUSLANS BONDARS and JURIJS MARTISEVS, knowingly and intentionally aided and abetted computer intrusions with the intent to cause damage, in violation of 18 U.S.C. § [illegible].

33. In particular, the Defendants sold their [redacted] service to Z.S., a malware developer located in the Eastern District of Virginia, knowing that Z.S. intended to use [redacted] to develop malware which would be used to knowingly cause the transmission of a program, information, code, or command,
and as a result of such conduct, intentionally cause damage without authorization to 10 or more protected computers during any one year period, in violation of Title 18, United States Code, Sections [illegible].

34. On or about November 18, 2012, with this knowledge, and with the intent and purpose of aiding such unlawful computer intrusions and causing them to be committed, the Defendants provided Z.S. with access to the [redacted] service.

35. Z.S. then used [redacted] to help shield his malware from detection by antivirus software and to offer his customers the ability to use the [redacted] service themselves to help avoid detection from the antivirus software of the victim computers they targeted. With the aid of the [redacted] service provided by the Defendants, Z.S. sold his malware to over 3,000 customers who in turn accessed over 16,000 computers without authorization and thereby intentionally damaged these computers by changing their functioning such that those computers recorded sensitive information such as account passwords and sent that information to the users of Z.S.'s keylogger without the authorization of the owners of the victim computers.

(All in violation of Title 18, United States Code, Sections 1030(a)(5)(A) and 2.)

NOTICE OF FORFEITURE
18 U.S.C. §§ 981, 2323, and 28 U.S.C. § 2461

THE GRAND JURY HEREBY [illegible] THAT:

36. There is probable cause that the property described in this NOTICE OF FORFEITURE is subject to forfeiture pursuant to the statutes described herein.

Pursuant to Federal Rule of Criminal Procedure 32.2(a), the United States of America gives notice to the Defendants, RUSLANS BONDARS and JURIJS MARTISEVS, that in the event of their conviction of any of the offenses charged in this indictment, the United States intends to forfeit the Defendants' property as further described in this NOTICE OF FORFEITURE.

38.
Upon conviction of any of the counts alleged in the indictment, the Defendants, RUSLANS BONDARS and JURIJS MARTISEVS, shall forfeit to the United States of America any property, real or personal, which constitutes or is derived from proceeds traceable to the violation, pursuant to [illegible] and 28 U.S.C. § 2461(c).

MONEY JUDGMENT

39. The United States of America gives notice to the Defendants, RUSLANS BONDARS and JURIJS MARTISEVS, that upon conviction, a money judgment may be imposed equal to the total value of the property subject to forfeiture, which is at least $125,769.87.

PROPERTY SUBJECT TO FORFEITURE

40. The United States of America gives notice to the Defendants, RUSLANS BONDARS and JURIJS MARTISEVS, that the property to be forfeited includes, but is not limited to:

a. PayPal account under the name [redacted], with account number ending in 5280;

b. Liberty Reserve account under the name "Jurijs," with account number ending in 0140;

c. WebMoney account under the name Jurijs Martisevs, with identification number ending in 8563;

d. Swedbank account, with Swift Code HABALVEE, and account number ending in 0608.

ASSETS

41. If any of the property described above, as a result of any act or omission of the Defendants, RUSLANS BONDARS and JURIJS MARTISEVS:

a. cannot be located upon the exercise of due diligence;

b. has been transferred or sold to, or deposited with, a third party;

c. has been placed beyond the jurisdiction of the court;

d. has been substantially diminished in value; or

e. has been commingled with other property which cannot be divided without difficulty,

the United States of America shall be entitled to and intends to seek forfeiture of substitute property pursuant to 21 U.S.C. § 853(p), as incorporated by 18 U.S.C. § 2323(b)(2)(A) and 28 U.S.C. § 2461(c).

(All pursuant to 18 U.S.C. [illegible] 2323; and 28 U.S.C. § 2461.)

A TRUE BILL:

Respectfully submitted,

Dana J. Boente
United States Attorney

Kellen S. Dwyer
Assistant U.S. Attorney

Ryan K. Dickey
Senior Counsel, Computer Crime and Intellectual Property Section
U.S. Department of Justice, Criminal Division