staist?m cedar UNITED STATES DISTRICT COURT 3 amass 81537811; I-VWI EASTERN DISTRICT OF WISCONSIN ILLD 281% RR: I33 3-118 UNITED STATES OF AMERICA, egg-:2. EREE CLERR Plaintiff, Case No. V. . [Title 18, United States Code, Sections . 371, 1001(a)(2), 1030(a)(5)(A), MARCUS HUTCHINS, and 2511(a)(1), aka ?Malwaretech,? 2512(l)(c)(i) and and 1349] aka ?irp@j abberse? Defendant. FIRST SUPERSEDING INDICTMENT COUNT ONE THE GRAND JURY CHARGES: 1. At times material to this indictment: RELEVANT ENTITIES a. Defendant MARCUS developed malware. HUTCHINS used various aliases, including ?Malwaretech? and ?irp @j abberse.? b. Individual A, also known as ?Vinny,? ?VinnyK,? ?Gone with the Wind,? 7 ?Cocaine,? ?Jack of All Trades,? and ?Aurora123? advertised, promoted, and distributed malware developed by defendant MARCUS RELEVANT TERMS c. A ?protected computer? was a computer in or affecting interstate or foreign commerce or communications, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communications of the United States. Case Filed 06/05/18 Page 1 of 16 Document 86 d. ?Malware? was a term used to describe malicious computer code intended to damage a computer. Malware deletes, creates, and modi?es ?les on a computer and allows unauthorized access to a protected computer. 6. ?Kronos? was the name given to a particular type of malware that recorded and ex?ltrated user credentials and personal identifying information from protected computers. Kronos malware was commonly referred to as a ?banking Trojan.? Kronos utilized a key logger, a form grabber, and web injects to intercept and collect personal information from a protected computer. During the installation process, Kronos was concealed in a legitimate program already running on the victim computer. f. Kit? was the name given to a particular type of malware that was advertised as a ?modular HTTP bot.? UPAS Kit was marketed to ?install silently and not alert antivirus engines.? UPAS Kit allowed for the unauthorized ex?ltration of information from protected computers. UPAS Kit used a form grabber and web injects to intercept and collect personal information from a protected computer. g. A ?form grabber? was the process of intercepting certain data being sent from a computer?s intemet browser to a website. h. ?Web injects? work by intercepting data being sent from a website to a computer?s internet browser. The data is intercepted before it is displayed by. the browser, allowing the malware to modify the data before it is displayed by the browser. Typically, the modi?cations cause false and fraudulent representations to be displayed by the browser, prompting the user to provide additional personal and account related information like PIN numbers, credit and debit card numbers, or a social security number, among other information. Case Filed 06/05/18 Page 2 of ?16 Document 86 i. was a term used to describe computer code used to conceal the existence of malware from anti-Virus software. The Conspiracy 2. Between in or around July 2012 and September 2015, in the state and Eastern District of Wisconsin and elsewhere, MARCUS HUTCHINS, aka ?Malwaretech,? aka ?irp@j abber.se? knowingly conspired and agreed with Individual A, aka ?Vinny,? aka ?VinnyK,? aka ?Gone With the Wind,? aka ?Cocaine,? aka ?Jack of All Trades,? aka ?Aurora123,? and others unknown to the Grand Jury, to commit an offense against the United States, namely, to: I knowingly cause and aid and abet the transmission of a program, information, code, and command, and as a result of such conduct, intentionally cause damage Without authorization, to 10 or more protected computers during a 1-year period, in Violation of Title 18, United States Code, Sections 1030(a)(5)(A), and and 2; intentionally access and aid and abet another to intentionally access a computer Without authorization, and obtain information from a protected computer for the purpose of private ?nancial gain, in Violation of Title 18 United States Code, Sections 1030(a)(2)(C) and and 2 and intentionally intercept, endeavor to intercept, and procure any other person to intercept and endeavor to intercept, any electronic communication in Violation of Title 18, United States Code, Section 2511(1)(a). Manner and Means of the Conspiracy 3. The manner and means sought to accomplish the object and purpose of the - conspiracy included: Case Filed 06/05/18 Page 3 of 16 Document 86 a. Advertising, promoting, and marketing the availability of the UPAS Kit and Kronos; b. Selling and distributing the UPAS Kit and Kronos; 0. Receiving and distributing the proceeds obtained from selling malware; and d. Concealing acts done in furtherance of the conspiracy. Overt Acts in Furtherance of the Conspiracy 4. In furtherance of the conspiracy, and to accomplish the objects and purposes of the conspiracy, the following overt acts, among others, were committed and were caused to be I committed: 3. Defendant MARCUS HUTCHINS developed UPAS Kit and provided it to Individual A, who was using alias ?Aurora123? at the time. b. On or about July 3, 2012, Individual A, using the alias ?Aurora123,? sold and distributed UPAS Kit to an individual located in the Eastern District of Wisconsin in exchange for $1 ,5 00 in digital currency. c. On or about July 20, 2012, Individual A, using the alias ?Aurora123,? distributed an updated version of UPAS Kitto an individual located in the Eastern District of Wisconsin. (1. Prior to July 2014, defendant MARCUS HUT CHINS developed Kronos and provided it to Individual A. HUTCHINS intended Individual A to advertise, promote, sell, and distribute Kronos. e. On or about July 13, 2014, a video showing the ?inctionality of the ?Kronos Banking troj an? was posted to YouTube. Individual A and defendant MARCUS HUTCHINS used the video to demonstrate how Kronos worked and to promote the sale of Kronos. Case Filed 06/05/18 Page 4'of 16 Document 86 f. In or around August 2014, Individual using the alias ?Vinny,? offered to sell the ?Kronos Banking troj an? for $3,000 on the forum exploitin. g. On or about September 7, 2014, Individual A, using the alias ?Vinny marketed Kronos to members of the Darkode forum. I h. On or about December 23, 2014, defendant MARCUS HUTCHINS hacked control panels associated with Phase Bot, malware HUTCHINS perceived to be competing with Kronos. In a chat with Individual B, HUTCHINS stated, ?well we found exploit (sic) in his panel just hacked all his customers and posted it on my blog sucks that these idiots who cant (sic) code make money off this HUTCHINS then published an article on his Malwaretech blo titled ?Phase Bot - Exploiting Panel? describing the vulnerability. i. In or around February 2015 defendant MARCUS HUTCHINS and Individual A, updated Kronos. On February 9, 2015, in a chat with Individual B, HUTCHIN described the update. Individual asked, ?[D]id you guys just happen to make a (sic) update?? HUTCHIN responded, made a few ?xes to both the panel and bot.? Individual replied, ?ah okay yeah read something that Vinny posted was curious on what it was exactly.? j. In or around February 2015, defendant MARCUS HUTCHIN distributed Kronos to Individual B, who was located in the State of California. At that time, HUTCHINS knew Individual was involved, in the various cyber?based criminal enterprises including the unauthorized access of point-of?sale systems and the unauthorized access of ATMs. k. On or about April 29, 2015 Individual A, using the alias ?VinnyK,? advertised the availability of the Kronos on the AlphaBay market forum. Case Filed 06/05/18 Page 5 of 16 Document 86 1. On or about June 11, 2015, Individual A, using the alias ?Vinny? sold a version of Kronos in exchange for approximately $2,000 in digital currency to an individual located in the Eastern District of Wisconsin. m. On or about July 17, 2015, Individual A, using the alias ?VinnyK,?offered services for Kronos. n. Defendant MARCUS HUTCHINS referred customers interested in buying Kronos to Individual A. All in violation of Title 18, United States Code, Section 371. Case Filed 06/05/18 Page 6 of 16 Document 86 COUNT TWO THE GRAND JURY FURTHER CHARGES: Between in or around July :014 and in or around August 2014, in the state and Eastern District of Wisconsin and elsewhere, MARCUS HUTCHINS, aka ?Malwaretech,? aka intentionally disseminated and aided and abetted the dissemination by electronic means any advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foreign commerce. In violation of Title 18, United States Code, Sections 2512(l)(c)(i), and 2. Case Filed 06/05/18 Page 7 of 16 Document 86 COUNT THREE THE GRAND JURY FURTHER CHARGES: Between in or around July 2014 and in or around August 2014, in the state and Eastern District of Wisconsin and elsewhere, MARCUS HUT CHINS, aka ?Malwaretech,? aka ?irp@j abber.se,? intentionally disseminated and aided and abetted the dissemination by electronic means any advertisement of any other electronic, mechanical, or other device, where such advertisement promotes the use of such device for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foreign commerce. In Violation of Title 18, United States Code, Sections 2512(1)(c)(ii), and 2. Case Filed 06/05/18 Page 8 of 16 Document 86 COUNT FOUR THE GRAND JU RY FURTHER CHARGES: On or about June 11, 2015, in the state and Eastern District of Wisconsin and elsewhere, MARCUS HUTCEJN S, aka ?Malwaretech,? aka aided and abetted Individual A, who intentionally sent any electronic, mechanical, or other device 1 in interstate and foreign commerce, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications. 1 - In violation of Title 18, United States Code, Sections 2512(1)(a), and 2. Case Filed 06/05/18 Page 9 of 16 Document 86 COUNT FIVE THE GRAND JURY FURTHER CHARGES: On or about June 11, 2015, in the state and Eastern District of Wisconsin and elsewhere, MARCUS HUTCHINS, aka ?Malwaretech,? aka aided and abetted Individual A, who intentionally sold any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications and'that such device and any component thereof was transported in interstate and foreign commerce. In Violation of Title 18, United States Code, Sections 2512(l)(b), and 2. Case Filed 06/05/18 Page 10 of 16 Document 86 COUNT SIX THE GRAND JURY FURTHER CHARGES: On or about June 11, 2015 in the state and Eastern District of Wisconsin and elsewhere, MARCUS HUTCHINS, aka ?Malwaretech,? aka ?irp@j abber.sei? knowingly and intentionally endeavored to intercept and procure any other person to intercept and endeavor to intercept certain electronic communications, namely computer keystrokes of others Without the knowledge or consent of said others. In Violation of Title 18, United States Code, Sections 2511(1)(a), and 2. Case Filed 06/05/18 Page 11 of 16 Document 86 COUNT SEVEN THE GRAND JURY FURTHER CHARGES: On or about June 11, 2015, in the state and Eastern District of Wisconsin and elsewhere, MARCUS HUTCHINS, aka ?Malwaretech,? aka knowineg caused and aided and abetted the transmission of a program, information, code, and command and as a result of such conduct, attempted to cause damage Without authorization, to 10 or more protected computers during a 1?year period. In Violation of Title 18, United States Code, Sections 1030(a)(5)(A), and 1030(1)), and 2. Case Filed 06/05/18 Page 12 of 16 Document 86 COUNT EIGHT THE GRAND JURY FURTHER CHARGES: Between in or around June 2014 and on or about June 11, 2015, in the state and Eastern District of Wisiconsin and elsewhere, MARCUS HUTCHINS, aka ?Malwaretech,? aka ?irp@j abber.se? knowingly aided and abetted another to intentionally access a computer Without authorization and thereby obtain and attempt to obtain information from a protected computer for the purpose of private ?nancial gain. In Violation of Title 18, United States Code, Sections 1030(a)(2)(C), l030(b), and 2. Case Filed 06/05/18 Page 13 of 16 Document 86 COUNT NINE THE FURTHER CHARGES: 1. On or about August 2, 2017, defendant MARCUS HUTCHINS was advised that it was a crime to make a materially false statement in a matter within the jurisdiction of the executive branch of the Government of the United States. 2. The Federal Bureau of Investigation is an agency within the executive branch of the Government of the United States. 3. On August 2, 2017, the Federal Bureau of Investigation was conducting an investigation related to Kronos, which was a matter within the jurisdiction of the Federal Bureau of Investigation. 4. On or about August 2, 2017, in the state and Eastern District of Wisconsin and elsewhere, MARCUS HUTCHINS, aka ?Malwaretech,? aka knowingly and willfully made a materially false, ?ctitious, and fraudulent statement and representation in a matter within the jurisdiction of the Federal Bureau of Investigation when he stated in sum and substance that he did not know his computer code was part of Kronos until he reverse engineered the malware sometime in 2016, when in truth and fact, as HUTCHINS then knew, this statement was false because as early as November 2014, HUTCHIN made multiple statements to Individual in which HUTCHINS acknowledged his role in developing Kronos and his partnership with Individual A. In violation of Title 18, United States Code, Section 1001(a)(2). Case Filed 06/05/18 Page 14 of 16 Document 86 COUNT TEN THE GRAND JURY FURTHER CHARGES: 1. The allegations in paragraph lof Count One of this Superseding Indictment are - realleged and incorporated into this count by reference as if they were fully set forth here. 2. Between in or around July 2012 and September 2015, in the state and Eastern District of Wisconsin and elsewhere, MARCUS HUTCHIN S, aka ?Malwaretech,? aka ?irp@jabber.se? knowingly conspired and agreed with Individual A and others unknown to the Grand Jury, to devise and participate in a scheme to defraud and obtain money by means of false and fraudulent pretenses, and representations and transmit by wire in interstate and forei cominerce any writing, signs, and signals for the purpose of executing the scheme, in Violation of Title 18, United States Code, Section 1343. 3. The object of the conspiracy was to use interstate and foreign wire communications to obtain money by adverting, promoting, selling, and distributing Kronos and UPAS Kit. 4. The manner and means to accomplish the object of conspiracy are described in paragraph 3 of Count One. Case Filed 06/05/18 Page 15 of 16 Document 86 5. Overt acts committed in furtherance of the conspiracy are described in paragraph 4 of Count One. All in violation of~Title 18, United States Code, Section 1349. A TRUE BILL: Dated: 1X7 United States Attorney Case Filed 06/05/18 Page 16 of 16 Document 86