CASE Document 1 Filed 04/14/17 Page 1 of 21

AO 91 (Rev. 1) Criminal Complaint

2015R00504

UNITED STATES DISTRICT COURT
for the District of Minnesota

UNITED STATES OF AMERICA
v.
JOHN KELSEY GAMMELL

CRIMINAL COMPLAINT

I, the undersigned complainant, being duly sworn, state the following is true and correct to the best of my knowledge and belief.

COUNT ONE
(Intentional Damage to a Protected Computer)

From on or about July 30, 2015 through in or about September 2016, in the State and District of Minnesota and elsewhere, the defendant, JOHN KELSEY GAMMELL, did knowingly cause and aid and abet the transmission of a program, information, code, and command, and as a result of such conduct, intentionally caused damage, without authorization, to a protected computer within the District of Minnesota, and the offense caused loss to one or more persons of at least $5,000 in aggregated value during one year.

I further state that I am a(n) Special Agent and that this complaint is based on the following facts:

SEE ATTACHED AFFIDAVIT

Continued on the attached sheet and made a part hereof: [X] Yes [ ] No

Complainant's signature
Brian Behm, FBI Special Agent
Printed name and title

Sworn to before me and signed in my presence.

Date:
Judge's signature

City and State: Minneapolis, MN
Honorable Franklin L. Noel, U.S. Magistrate Judge
Printed name and title

STATE OF MINNESOTA )
COUNTY OF HENNEPIN ) ss.

AFFIDAVIT OF BRIAN BEHM

1. I am a Special Agent of the Federal Bureau of Investigation, United States Department of Justice, and have been so employed since May 2004. I am currently assigned to the Minneapolis Field Division, Cyber Crimes Squad, which is responsible for the investigation of, among other things, Internet and computer intrusion offenses.

2.
This affidavit is made in support of a Complaint charging JOHN KELSEY GAMMELL with intentional damage to a protected computer, in violation of Title 18, United States Code, Section 1030(a)(5)(A). The statements in this Affidavit are based on my investigation of this matter, which includes information provided to me by other law enforcement officers whom I believe to be reliable. This affidavit contains information to support probable cause, but is not intended to convey facts of the entire investigation.

I. The Internet and Definitions of Technical Terms Pertaining to Computers

3. The Internet is a worldwide network of computers, computer systems, and other devices. Individuals and entities use the Internet to gain access to a wide variety of information, to send information to, and receive information from, other individuals, to conduct commercial transactions, and to communicate via electronic mail ("email"). Once the individual has accessed the Internet, that individual can use Internet mail services, including sending and receiving e-mail. In addition, the individual can visit Web sites and make purchases from them. Due to the structure of the Internet, connections between computers on the Internet routinely cross state and international borders, even when the computers communicating with each other are in the same state.

4. An individual who wants to use Internet e-mail must first obtain an account with a computer that is linked to the Internet - for example, through a university, an employer, or a commercial service - which is called an "Internet Service Provider" or "ISP." Most users reach the Internet through an Internet Service Provider ("ISP"). The ISP assigns each user an Internet Protocol Address ("IP address"), a set of four numbers, each between 0-255, separated by dots, such as 165.254.24.167. IP addresses are traceable back to the pertinent ISP through publicly available databases.

5. A "domain name"
is a logical, text-based equivalent of the numeric IP address; for example, the domain name "uscourts.gov" is assigned the IP address 23.219.160.66. A domain name is generally associated with a particular IP address and an Internet-connected device. An individual seeking to use a particular domain name can register it with a "domain name registrar," and that registration information is maintained in a publicly-accessible database. An online query - frequently called a "Whois" query - can be used to obtain registration information pertaining to a particular IP address or domain name.

6. Because every device that connects to the Internet must be assigned an IP address, IP address information can help to identify which computers or other devices are communicating over the Internet. This, in turn, can assist in identifying specific Internet users. Conversely, individuals who want to obfuscate their online activity can take a variety of measures to hide this information.

II. Details of the Investigation

A. The Distributed Denial of Service Attacks on Washburn Computer Group.

7. Starting on July 30, 2015, the Washburn Computer Group, a company based in Monticello, Minnesota, began experiencing distributed denial of service attacks targeting two of its websites, and A DDoS attack is an attempt to make a machine or network resource unavailable to its intended users, such as by temporarily or indefinitely interrupting or suspending services of a host connected to the Internet, usually by shutting down a website or websites connected to the target of the attack. Beginning on or about July 30, 2015, Washburn was subjected to periodic attacks for more than a year, which resulted in the temporary shutdown of its websites. The attacks continued through at least September 2016, with the attacks also targeting Washburn's newly launched website, on August 12, 2016.

8.
I have reviewed several samples of log files from Washburn's servers showing Internet traffic during the attacks, but cannot determine attack attribution from such review. The IP addresses used in connection with the attack come back to a US-based Virtual Private Network (VPN) that is used to anonymize the true source of incoming Internet access (like many "anonymizing" services, the VPN does not maintain logging information which would show who is using the service).

9. At two different times during which the website attacks were underway, Washburn management received emails from two different email addresses purporting to be from a former employee of Washburn. The email addresses both contained the name an individual who was employed with Washburn for approximately 17 years prior to his termination approximately three and a half years ago. The emails appear to taunt Washburn management regarding ongoing IT issues the company was experiencing - at that time, Washburn's only "ongoing IT issues" were based on the attacks.

10. The first email, sent on August 11, 2015 from email address asked how everything was at Washburn and had an attached animation (.gif) of a mouse laughing. The second email, sent October 6, 2015, from again asked how everything was going at Washburn and further inquired if any IT help was needed. Also attached to this second email was an image of a mouse laughing.

11. Grand jury subpoenas for subscriber information were subsequently served on Google, for the account and Yahoo, for the account Analysis of the results showed information connecting both accounts to an individual named John Gammell. Both email addresses were created using the cell phone number 612-205-8609. A grand jury subpoena issued to Wireless confirmed Gammell as the subscriber of 612-205-8609.
In addition, IP address 75.161.68.161 was used when creating the account on October 6, 2015, the same day the above email was sent. Response to a grand jury subpoena issued to CenturyLink indicated this IP address was assigned to Gammell's current residence (4975 Mother Lode Trail, Las Cruces, New Mexico 88011) at the time the account was created. The account was created using a US-based VPN used to anonymize the true source of Internet traffic.

12. Washburn confirmed that Gammell was a Washburn employee until about three years ago. Gammell left the company on good terms, resigning so he could start his own soldering training company. However, in July 2014, Gammell had a financial dispute with Washburn during negotiations for training Gammell was to provide to Washburn personnel.

13. I discovered that Gammell maintains numerous social media accounts, to include Facebook, Twitter, LinkedIn, YouTube, and Freelancer. In addition, I determined that Gammell utilizes email account jkgammell@gmail.com, which was confirmed via a grand jury subpoena issued to Google.

B. Search Warrant Results - jkgammell@gmail.com

14. A search warrant, dated September 14, 2016, was served on Google for records concerning Gammell's email address, jkgammell@gmail.com. I reviewed the records provided by Google and found numerous items indicating Gammell's involvement with activity.

15. From May 2015 to September 2016, Gammell expressed interest in, or made purchases from, the following seven websites offering DDoS-for-hire services: "cstress.net," "inboot.me," "booter.xyz," "ipstresser.com," "exostress.in," "booterbox.com," and "vdos-s.com" (hereinafter DDoS-for-hire websites offer users the ability to direct attacks at specified websites or IP addresses in exchange for a subscription fee. The subscription fee amount typically varies based on the duration and intensity of the attack. DDoS-for-hire websites are also often referred to as "booters"
or "stressers."

16. Of the seven DDoS-for-hire websites, search warrant results and records indicate Gammell made payments to cStress, inboot.me, and In email communications with several individuals (detailed further below), Gammell identified cStress, and booter.xyz as his favorite services to use. Gammell's relationship with VDOS will be detailed in the below section entitled Records. The following are summaries of Gammell's relationship with the remaining six companies.

17. Gammell made multiple payments to the DDoS-for-hire service cstress.net via both PayPal and Skrill. Skrill is an online payment service based in the United Kingdom. In total, Gammell's payments to cstress.net totaled $234.93. In Gammell's email account, I located payment confirmations for the following payments to cstress.net, which include the date of payment, the amount paid, and the description of the plan purchased:

a. August 3, 2015: $14.99 "All Included;"
b. August 30, 2015: $29.99 "Premium;"
c. October 2, 2015: $29.99 "Premium;"
d. November 3, 2015: $39.99 "Premium;"
e. December 8, 2015: $39.99 "Premium;"
f. January 9, 2016: $39.99 "Premium;"
g. June 5, 2016: $39.99 "Premium."

18. The website cstress.net is not currently active, however I have reviewed the main page via archive.org (dated March 21, 2016), which contains a description of the "Premium" package, indicating that: (1) it can be used to "Stress Large Servers and Websites;" (2) it is capable of "Full Hour Stresses;" and (3) it provides "30Gbps of Dedicated bandwidth" and "Unlimited Boots."

19. On August 9, 2015, Gammell received an email from noreply@inboot.me providing a link to reset Gammell's inboot.me password. As noted above, inboot is a DDoS-for-hire service. On October 20, 2015, Gammell received an email from PayPal which provided an email receipt for a payment of $28.99 to 4ukhost (email account The transaction was for "Account Funding" per the transaction description.
Two minutes later on October 20, 2015, Gammell received an email from sales@aiobuy.net thanking him for his purchase with inboot. Based on these two October 20, 2015 emails, I believe Gammell paid for an account at inboot.me, which provided Gammell access to the DDoS-for-hire services provided by inboot.me.

20. On July 23, 2015, Gammell sent an email to DDoS-for-hire service booter.xyz via stating he would like to order the diamond membership. On December 13, 2015, Gammell sent another email to booter.xyz via office@booter.xyz, in which Gammell wrote that he is a current customer and wishes to upgrade, and he stated that booter.xyz has good service and he recommends them to others.

21. On May 22, 2015, Gammell received an email from DDoS-for-hire service ipstresser.com via email address requesting that he confirm his email address.

22. On May 27, 2016, Gammell received an email from noreply@exostress.in confirming he had registered with DDoS-for-hire service exostress.in.

23. On July 2, 2016, Gammell received an email from noreply@booterbox.com providing a link to recover his account password. Gammell's username, which was embedded in the link, was indicated to be "Cunnilingus." As noted above, booterbox is a DDoS-for-hire service.

24. In addition to utilizing the DDoS-for-hire services as described above, Gammell also contacted several different individuals via email seeking assistance in starting his own DDoS-for-hire company.

25. On July 12, 2015, Gammell sent an email to an individual named Derek, who utilized email address thepicklator@aol.com. Gammell proposed a business partnership with Derek offering services, which would be advertised via Craigslist, Facebook, and Twitter.
The attacks would be executed using memberships maintained at cStress and In the July 12, 2015 email to Derek, Gammell wrote:

I would offer on Craigslist and Facebook services for doing I will arrange an untraceable payment gateway and am also open to your suggestions. We would rent the following stresser/booter services on a basis. These are the two most reliable and powerful "stresser" services. CStress has unlimited boots and limites to (40) per day at a length of 3600 seconds each (1 hour) using extremely powerful amplified There services are completely untraceable so our are totally protected. They uses dedicated services. offers a month premium plan and offers a 1 month Gold Plan for month. Combining these two concurrently on one website would be devastating, however, I am convinced that each one will do quite well on most sites that do not use mitigation. Between the software and services, are you interested? I cover all up front costs. All profits are split 50/50 on the net profit. Any minor up front costs or membership costs for the memberships come off the top back to me from the gross profit. Everything up front and we create a financial management system in which we can both view at anytime via Dropbox or a secure cloud. Your anonymity is 100% guaranteed. Your name or involvement never leaves my mouth, guaranteed.

26. On July 23, 2015, Gammell sent an email to nofear.jonathan@hotmail.com after viewing a post by nofear.jonathan@hotmail.com on hackforums.net. Gammell asked if nofear.jonathan@hotmail.com could code a tool to target websites and servers. Gammell mentioned HOIC, which stands for "High Orbit Ion Cannon," an open source application used to execute denial of service attacks. Gammell wrote:

I was checking out your post on hackforums. Tell me about DoSbox 4.5 Web Booter? Can you make me a viscous, stable booter that will drop websites and servers? Something far better than the HOIC that sucks up my system resources?
I need a remarkable, stable, hard hitting beast. What do you have available for sale bro? Can you provide amplified NTS, DNS, SSDP, Layer 7, etc? I am a straight up business man. No bacon here. hit me up bro. My name is John.

I believe Gammell's reference to "No bacon here" was intended to indicate that Gammell was not a law enforcement agent.

27. On January 18, 2016, Gammell sent an email to the.khaos.bringer@gmail.com again looking for assistance in developing a tool. Gammell stated he would like the tool to work via an offshore internet service provider so it is not shut down if traffic is detected. Gammell noted he has memberships at cStress, and booter.xyz. Gammell also appears to identify himself as a member of the hacktivist group "Anonymous" at the start of the email. In the email to the.khaos.bringer@gmail.com, Gammell wrote:

I am an Anon. I need the services of a qualified brother in the family. I need one or two very high end booter/stressers preferably through an offshore ISP that will not trip if they suspect scripts. I prefer dedicated, multiple IP of course and here's the amusing part, I need it to hit with 200-300 with layer 4 and layer 7. I need to be able to drop Incapsula and that annoying Cloudflare who interfere with our digital world. I have a VIP membership to vDos at 50 Gbps, cStress at 30 and booter.xyz at 10 Gbps. I need more for my personal and want to look at the prospects of running a booter that exceeds the three previously mentioned. What would it cost me for an amazing booter and would you be interested in a business relationship where you get a percentage of each membership registration?

C. Records

28. As mentioned above, one of Gammell's preferred DDoS-for-hire services was In late July 2016, an internet security researcher provided the FBI with database records that the internet security researcher had obtained.
The internet security researcher is well-known to the FBI agent to whom he provided the database, and your Affiant is also familiar with the internet security researcher's published work. The internet security researcher provided the database to FBI to assist in a criminal investigation into and its customers who used services to engage in attacks on victim websites, and the internet security researcher was neither directed to obtain the database nor compensated in any way for providing the database to law enforcement. The database records provided information on the complete administration of which includes user registrations, user logins, payment and subscription information, contact with users, and attacks conducted; the database records include information related to Gammell, who was a customer of The attack logs cover the time-period from approximately April 2016 to July 2016.

29. I have verified the authenticity of the database by comparing the information regarding Gammell in the database to information I obtained from accounts belonging to Gammell through grand jury subpoenas and search warrants. For example, the payment information for two of Gammell's subscription payments to contained in the database matches precisely with Gammell's PayPal records that I obtained via grand jury subpoena indicating that Gammell paid for the subscription using his PayPal account. In addition, I was able to match two of the payments Gammell made for his subscription that were contained in the records with receipts for those payments that I located in Gammell's Gmail account I obtained via search warrant.

30. Gammell's known email addresses and usernames were searched against the records in an effort to identify accounts created and used by Gammell. The search found two accounts linked to Gammell's email address, jkgammell@gmail.com.

31.
Gammell's first account was made under the username "anonrooster," with its first observed activity occurring on June 14, 2015. A payment of $39.99 was made on July 24, 2015 for the "1 Month Silver" plan. This payment was corroborated via a receipt from PayPal found in Gammell's jkgammell@gmail.com email account. There were no recorded attacks associated with this account for the time period collected.

32. Gammell's second account was made under the username "AnonCunnilingus," with its first observed activity occurring on July 28, 2015. Gammell made multiple payments to via the "AnonCunnilingus" account totaling $349.95. The transactions are listed as follows:

a. July 29, 2015 - $49.99, 1 Month Gold;
b. September 18, 2015 - $39.99, 1 Month Silver;
c. November 16, 2015 - $39.99, 1 Month Silver;
d. December 18, 2015 - $199.99, 1 Month
e. June 5, 2016 - $19.99, 1 Month Bronze.

33. The payment for $199.99 on December 18, 2015 was corroborated via a Coinbase receipt located in Gammell's jkgammell@gmail.com email account. Coinbase is a BitCoin payment processing company.

34. A search of the log files showed Gammell, using his "AnonCunnilingus" user account, logged into his account 33 times from IP address 75.161.68.161 over the time-period of October 2, 2015 to October 18, 2015. Grand jury subpoena results from CenturyLink show IP address 75.161.68.161 was assigned to Gerald Gammell at address 4975 Mother Lode Trail, Las Cruces, New Mexico from August 28, 2015 to October 20, 2015. Gammell's activity overlaps with the email sent to Washburn on October 6, 2015 from As mentioned above, email account was also created using IP address 75.161.68.161 on October 6, 2015.

35. VDOS database records indicate that Gammell utilized the "AnonCunnilingus" account to launch multiple attacks targeting approximately 20 IP addresses over the time-period of June 5, 2016 to July 5, 2016.
I was able to identify the entities to which those IP addresses were assigned, a sampling of which are set forth below. The analysis found that Gammell used the application to target a wide variety of websites, to include those belonging to financial institutions, industrial and manufacturing companies, employment contracting companies, and government organizations. Several entities of note targeted by Gammell are summarized below:

a. Financial Companies -
   1. Wells Fargo (two IP addresses);
   2. JP Morgan Chase Bank;
   3. Hong Kong Exchanges and Clearing Limited (two IP addresses).

b. Government Organizations -
   1. Hennepin County (Minnesota) website (hennepin.us);
   2. Minnesota Judicial Branch website (mncourts.gov);
   3. Dakota County Technical College (dctc.edu).

c. Industrial/Manufacturing Companies and Associations -
   1. STI Electronics Inc. (stielectronicsinc.com) - STI Electronics is an electronics and manufacturing company based in Madison, Alabama. Based on my review of the jkgammell@gmail.com search warrant return, Gammell had business discussions with STI Electronics in March and April 2015;
   2. Kit Pack Co. (kitpack.com) - Kit Pack Co. is a company based in Las Cruces, New Mexico. Based on my review of the jkgammell@gmail.com search warrant return, Gammell was employed at Kit Pack Co. in August 2015.

d. Employment Contracting -
   1. DMDickason (dmdickason.com) - DMDickason is a staffing and placement company based in El Paso, Texas. Based on my review of the jkgammell@gmail.com search warrant return, Gammell obtained a job with Kit Pack Co through DMDickason, and was in contact with DMDickason in an attempt to secure a job interview in July 2016.

36. Log files obtained from VDOS also contain communications between VDOS administrators and customers. On approximately August 2, 2015, Gammell, via his "AnonCunnilingus"
account, provided feedback to VDOS on the success he had using their service to knock targeted websites offline using a particular attack method, even websites supposedly protected with mitigation services. Gammell again made reference to being a member of "Anonymous" in these communications and he stated that the target he was referencing did not have his permission to use the internet. The subject of his message was "Successfully dropped Mitigation." In the August 2, 2015 email, Gammell wrote the following:

Dear Colleagues, This is Mr. Cunnilingus. You underestimate your capabilities. Contrary to your statement of "Notice! It appears from our review that you are trying to stress test a protected host, vDos stresser is not capable of taking protected hosts down which means you will not be able to drop this host using vDos stresser Rackspace Hosting)" Port 53 utilizing UDP DNS amplification dropped the URL on the spot. Port 53 has unique exploitable vulnerabilities. As they do not have my consent to use my internet, after their site being down for two days, they changed their IP and used rackspace mitigation and must now be removed from cyberspace. Verified by downforeveryone. We will do much business. Thank you for your outstanding product We Are Anonymous USA.

III. Summary of Attacks in Minnesota

A. Washburn Attacks

37. Records collected by Washburn's web hosting provider indicate their website (IP address 67.227.188.185) was knocked offline due to repeated attacks on the following dates:

- July 30, 2015;
- July 31, 2015;
- August 6, 2015;
- August 10, 2015;
- August 11, 2015; and
- August 12, 2015.

As noted above, on August 11, 2015, Washburn personnel received an email from asking how everything was at Washburn. Grand jury subpoena results show email account was created on August 11, 2015, with Gammell's known cell phone number, 612-205-8609 (verified through grand jury subpoena) listed as an alternate form of communication.
The account was created approximately seven minutes before the email was sent to Washburn. In an effort to prevent the ongoing attacks, on August 12, 2015 Washburn changed the IP addresses associated with their websites; however, on August 13, 2015 the attacks resumed, this time knocking a second Washburn website (IP address 67.225.131.74) offline.

38. On or about August 13, 2015, Washburn began trial subscriptions with two different mitigation service providers in an attempt to mitigate the attacks. A mitigation service is a software that attempts to identify the "normal" traffic to a website and block the malicious traffic, as in the case of a DDoS attack. The services were successful in blocking the attacks and the attacks subsided.

39. On October 6, 2015, heavy attacks resumed, again knocking the Washburn website offline. Also on October 6, 2015, Washburn personnel received an email from asking again how everything was at Washburn and if any IT support was needed. As noted above, grand jury subpoena results showed that email account was created on October 6, 2015, from IP address 75.161.68.161. Grand jury subpoena results showed that IP address 75.161.68.161 was assigned to Gammell's current address on October 6, 2015. Also, Gammell's known cell phone number, 612-205-8609 (verified through grand jury subpoena), was listed as the contact number on the account. The account was created approximately five minutes before the message was sent to Washburn personnel.

40. On December 17, 2015, Washburn's website was again hit with a DDoS attack. Logs provided by Washburn show that IP address 64.145.94.119 was involved in the attack. IP address 64.145.94.119 is assigned to a company called IP Vanish, which is a US-based Virtual Private Network (VPN) subscription service that is used to anonymize the true source of incoming Internet access. A grand jury subpoena was issued for Gammell's known email account, jkgammell@gmail.com.
Review of the log-in activity for jkgammell@gmail.com provided by Google showed on December 17, 2015 the account was logged into from IP address 64.145.94.119. The same IP address, 64.145.94.119, participated in the activity targeting Washburn's website approximately seven minutes before logging into Gammell's email account, jkgammell@gmail.com.

41. On August 15, 2016, Washburn reported via email that after months of using a mitigation service to block attacks against their website washburngrp.com, the mitigation was removed to see if attacks would continue. Within a couple of days, the attacks resumed and Washburn had to again subscribe to the mitigation service. In addition, on August 12, 2016, attacks targeted another Washburn website, washburnpos.com. These attacks knocked washburnpos.com offline until at least August 15, 2016. Washburn also provided via email a screenshot of a post made by Gammell on his Facebook page, dated May 12th (no year listed), calling for attacks against global banks. Included in Gammell's post is an image of a laughing mouse. This same image of a laughing mouse was included in the emails received previously by Washburn personnel from and referenced above. Washburn advised that the attacks have resulted in a minimum of $15,000 in loss.

B. Hennepin County Attacks

42. Review of the records found that IP address 199.66.72.124 was targeted by Gammell on June 11, 2016, and from June 13 - 14, 2016. Open source research found that IP address 199.66.72.124 was likely assigned to a website belonging to Hennepin County, Minnesota at the time of the attack. Hennepin County IT personnel confirmed IP address 199.66.72.124 was assigned to Hennepin County at the time of the attack and the IP address was targeted with attacks on June 11, 2016 and June 13, 2016.
The initial attack on June 11, 2016 caused the website to be knocked offline temporarily, after which mitigation services were enabled and mitigated the remaining attacks.

C. Attempted Attacks on Minnesota Judicial Branch

43. Review of the VDOS records found that on three occasions (June 6, 2016; June 20, 2016; and July 4, 2016) Gammell attempted to target IP address 156.98.246.251 with attacks. Research found that IP address 156.98.246.251 is assigned to mncourts.gov, which is the website for the Minnesota Judicial Branch. Gammell's attempts to attack the Minnesota Judicial Branch's website appear to have been blocked by VDOS because the targeted IP address belonged to a .gov website.

IV. Conclusion

Based on the foregoing facts, I respectfully submit there is probable cause to believe that, from on or about July 30, 2015, through on or about September 2016, JOHN KELSEY GAMMELL caused or attempted to cause distributed denial of service attacks against targets in the District of Minnesota and elsewhere, in violation of Title 18, United States Code, Sections 1030(a)(5)(A).

Further your affiant sayeth not.

Brian Behm, Special Agent
Federal Bureau of Investigation

Sworn and subscribed before me this April 14, 2017.

Honorable Franklin Noel
United States Magistrate Judge