Case 1:17-cr-00034-LO Document 28 Filed 07/25/17 Page 1 of 10 PageID# 111

IN THE UNITED STATES DISTRICT COURT FOR THE
EASTERN DISTRICT OF VIRGINIA
Alexandria Division

UNITED STATES OF AMERICA
v.
TAYLOR HUDDLESTON, Defendant

Criminal No. 1:17-cr-34

STATEMENT OF FACTS

The United States and the defendant, TAYLOR HUDDLESTON ("HUDDLESTON"), agree that the following facts are true and correct, and that had this matter proceeded to trial, the United States would have proven them beyond a reasonable doubt with admissible and credible evidence.

Net Seal

1. From May 2012 through October 2016, in the Eastern District of Virginia and elsewhere, HUDDLESTON knowingly aided and abetted Zachary Shames and other persons who knowingly caused the transmission of a program, information, code, and command, and as a result of such conduct, intentionally caused damage without authorization to protected computers, in violation of Title 18, United States Code, Sections 1030(a)(5)(A) and 2.

2. In particular, HUDDLESTON made a financial profit by aiding and abetting computer intrusions, that is, by selling software that would be used by some of his customers to further illegal and unauthorized computer intrusions. At all relevant times, HUDDLESTON knew and was aware that these customers intended to use, and in fact did use, the software for illegal and unauthorized computer intrusions. At all relevant times, HUDDLESTON acted with the purpose of furthering and aiding and abetting these illegal and unauthorized computer intrusions and causing them to occur.

3. HUDDLESTON developed licensing software called "Net Seal" and sold it to other software developers, some of whom used Net Seal to distribute their own malicious software. By developing and selling Net Seal, HUDDLESTON assisted in the distribution of that malicious software.

4. HUDDLESTON marketed Net Seal on Hackforums.net,
a forum where members can obtain hacking tools and programs and chat with other members on the Forum about computer intrusions.

5. HUDDLESTON accepted payment for Net Seal via PayPal. Generally, HUDDLESTON required his Net Seal customers pay for [illegible] licenses at a time, meaning that they would buy the right to use Net Seal to distribute [illegible] copies of their software (either malicious software or other software). HUDDLESTON received thousands of payments via PayPal from Net Seal customers.

6. HUDDLESTON was a member of a group on the messaging service "Skype" with approximately seven other prominent members of Hackforums.net where they could discuss the topic of computer intrusions and the products they were developing. One of the members of this Skype group was Zachary Shames, who was well-known on Hackforums.net as the developer and distributor of a popular keylogger called "Limitless." Limitless allowed users to steal information from victim computers, including sensitive information such as passwords to online banking and email accounts, as well as any keystroke typed by the owner of the victim computer.

7. HUDDLESTON provided Shames with access to his Net Seal licensing software in order to assist Shames in the distribution of his Limitless keylogger. In exchange, Shames made approximately one thousand payments via PayPal to HUDDLESTON. HUDDLESTON knew that he was assisting in the distribution of the Limitless keylogger, and that the purchasers of the keylogger intended to commit unauthorized and unlawful computer intrusions.

8. HUDDLESTON set up his Net Seal licensing software to automatically send emails to purchasers of software developed by customers, including Shames.
Those emails contained a license serial code and instructions for how to download and activate the software, including Shames' Limitless keylogger. The purpose of the emails was to help with the orderly, effective, and profitable distribution of software, including Shames' Limitless keylogger.

9. HUDDLESTON aided and abetted Shames' distribution of the Limitless keylogger to over 3,000 people who used it to infect, damage, and access without authorization, over 16,000 computers and who had the goal of stealing sensitive information from those computers.

10. HUDDLESTON provided Net Seal to several other customers to assist in the profitable distribution of the malicious software they developed, including malware that has repeatedly been used to conduct unlawful and unauthorized computer intrusions and to damage victim computers.

11. The following acts in furtherance of and to effect the object of the above-[illegible] aiding and abetting were committed in the Eastern District of Virginia and elsewhere:

a. On or about May [illegible], 2012, Shames, from a computer located in Great Falls, Virginia, within the Eastern District of Virginia, paid $140 via PayPal in exchange for using the Net Seal licensing software to assist in the distribution of the Limitless keylogger to individuals who intended to use Limitless to commit unlawful computer intrusions.

b. On or about July 9, 2012, HUDDLESTON caused to be sent an automated email to Shames in the Eastern District of Virginia containing the code to activate Net Seal.

c. On or about November 21, 2013, HUDDLESTON caused an activation email to be sent to a customer who had purchased the Limitless keylogger, knowing that customers of the Limitless keylogger intended to use it for the purpose of committing unlawful and unauthorized computer intrusions. The email contained the license serial code and instructions for how to download and activate the keylogger.

d.
HUDDLESTON agrees that the evidence would show that:

i. On or about April 23, 2013, Shames, from a computer located in Great Falls, Virginia, within the Eastern District of Virginia, exchanged emails with a customer of Limitless who complained that "the victim's keyboard after infected will no longer work properly. Victim will call the pc doctor and the logger will be compromised." In response, Shames assured him: "Trust me. I made this logger. I coded it. It doesn't change the way the words are typed."

ii. Shames also had several discussions with customers of Limitless on Hackforums.net in which he instructed them on how the Limitless keylogger could be used to steal email and social media passwords from the victim computers. For instance, on or about September [illegible], 2013, a customer posted: "Confirm Outlook recovery [illegible]" referring to the Keylogger's ability to recover the victims' passwords to Microsoft's popular email service. Shames responded, "Thanks for testing and posting this. I hope you enjoy the new update!"

On or about November 2, 2013, a customer asked Shames via [illegible] whether the Keylogger "steal[s] saved passwords of [sic] 2014 outlook." Shames responded: "Yes it should do that. It has the latest recoveries."

On or about November 4, 2013, a customer asked Shames via Hackforums.net "still waiting to know if it steals 2014 Outlook." Shames responded: "We are 100% sure it recovers 2013 passwords. If anyone wants to test 2014, feel free."

On or about November 21, 2013, a customer asked Shames via Hackforums.net whether "this is a worm which grabs the login data, log into a facebook/twitter account and spreads a text." Shames replied: "yes, it spreads as many posts as you want, and custom ones too!"

NanoCore

12.
From January 2014 through February 2016, at which point he sold NanoCore to a third party, HUDDLESTON knowingly and intentionally aided and abetted unlawful computer intrusions and attempted unlawful computer intrusions that occurred through October 2016, in violation of Title 18, United States Code, Section [illegible] and [illegible]; that is, HUDDLESTON knowingly caused the transmission of a program, information, code, and command, and knowingly aided and abetted others in doing the same and attempting to do the same, and as a result of such conduct, intentionally caused damage and attempted to cause damage without authorization to a protected computer, and resulting in a loss of [illegible] or more and damage affecting ten or more protected computers during a one year period, specifically from December 1, 2015 through November 30, 2016.

13. Specifically, in 2013, HUDDLESTON developed and distributed computer intrusion software known as the NanoCore Remote Access Tool ("NanoCore"). A remote access tool, or "RAT," is a program designed to allow a computer hacker to take complete control of a victim's computer for the purpose of performing various malicious activities. RATs provide hackers with a backdoor into the infected system of a victim computer so that the hacker can spy on the victim's computer, cause it to run additional malicious software, or launch attacks on other computer systems.

14. HUDDLESTON designed NanoCore to include a number of features, including the following:

a. A keylogger that allowed NanoCore users to record all keystrokes typed on the victim computer;

b. A password downloader that allowed NanoCore users to steal passwords that were saved on the victim computer;

c. A webcam feature that allowed NanoCore users to surreptitiously activate the webcam on the victim computer in order to spy on victims; and

d.
A file access feature that allows NanoCore users to view, delete, download, and otherwise manipulate files stored on the victim computer.

15. In addition, the following features, of which HUDDLESTON was aware, were added to NanoCore by third parties through NanoCore's plug-in feature:

a. A ransomware feature that allowed NanoCore users to lock the victim computer with a password held by the user; and

b. A "booter" or "stresser" feature that allowed NanoCore users to participate in a distributed denial of service (DDOS) attack through the victim's computer.

16. HUDDLESTON advertised NanoCore on Hackforums.net, and caused it to be distributed to over 350 people, some of whom HUDDLESTON knew intended to use, and were using, this malicious software for illegal and unauthorized computer intrusions and for attempted illegal and unauthorized computer intrusions. At all relevant times, HUDDLESTON acted with the purpose of furthering these unauthorized computer intrusions and causing them to occur.

17. By developing NanoCore and distributing it to hundreds of people, some of whom he knew intended to use it for malicious purposes, HUDDLESTON knowingly and intentionally aided and abetted thousands of unlawful computer intrusions and attempted unlawful computer intrusions, including intrusions and attempted intrusions that occurred within the Eastern District of Virginia.

18. HUDDLESTON agrees the evidence would show that NanoCore was used in a massive "spear phishing" scheme designed to infect and attempt to infect thousands of victim computers, including computers within the Eastern District of Virginia.
A spear phishing scheme is a scheme to trick victims into downloading malicious software onto their computer by sending them communications, typically emails, that purport to be from a friendly source and ask the victim to click on a link or open an attachment that looks benign but in fact contains a request to download malicious software.

19. HUDDLESTON agrees the evidence would show that as part of the spear phishing scheme, a hacker created a so-called "spoofed" email address, meaning an email address that appeared to come from a major oil and gas company ("Company 1") but was, in fact, controlled by the hacker. In or about August 2016, the hacker sent emails from this spoofed email address to over 6,000 targeted victim computers, including a targeted victim computer located in Norfolk, Virginia, within the Eastern District of Virginia. The spear phishing email stated that the victims owed money to Company 1 and included a PDF file attachment that purported to be an invoice from Company 1. The attachment in fact contained a link to a malicious executable that, if clicked by the victim, would send a request to download NanoCore onto the victim's computer from a remote server. The sending by the hacker of each spear phishing email constituted an attempt to transmit a program, information, code, and command that would intentionally cause damage without authorization to protected computers.

20. The statement of facts includes those facts necessary to support the defendant's guilty plea. It does not include each and every fact known to the defendant or to the government and it is not intended to be a full enumeration of all of the facts surrounding the defendant's case.

21. The actions of the defendant, as recounted above,
were in all respects knowing, voluntary, and intentional, and were not committed by mistake, accident or other innocent reason.

Dana Boente
United States Attorney

Date: July [illegible], 2017

By: Kellen S. Dwyer
Assistant United States Attorney

Ryan K. Dickey, Senior Counsel
U.S. Department of Justice, Criminal Division
Computer Crime & Intellectual Property Section

Defendant's Signature: After consulting with my attorney, I hereby stipulate that the above Statement of Facts is true and accurate and that had the matter proceeded to trial, the United States would have proved the same beyond a reasonable doubt.

Date: July 2017

Taylor Huddleston
Defendant

Defense Counsel Signature: I am Taylor Huddleston's attorney. I have carefully reviewed the above Statement of Facts with him. To my knowledge, his decision to stipulate to these facts is an informed and voluntary one.

Date: July [illegible]

Kenneth Hayter L. Whitman, Esq.
Counsel for the Defendant