Regional Enforcement Allied Computer Team
INVESTIGATION REPORT: COVER AND PARTY PAGES

Case Number: 2018-0018
Report Type: 502(c)(1) PC Unlawful Computer Access, 487(a) PC Grand Theft
Occurred Date Time: on or from Feb 12, 2018 12:00:00 AM to Mar 19, 2018 12:00:00 AM
Reported: Mar 20, 2018 2:15:00 PM
Location of Crime: 1486 Fairway Drive, Los Altos, CA 94024

SUSPECT INFORMATION AND ASSOCIATED CHARGES

# 1
Name (Last, First Middle): Ortiz, Joel
Date of Birth: 02/20/1998
Age: 20; Sex: M; Race: Hisp; Height: 6'2"; Weight: 230
Home Address: 1399 Commonwealth Ave Apt. #26, Boston, MA 02134

Applicable Charge / Description of Charge:
502(c)(1) PC Unlawful Computer Access
487(a) PC Grand Theft
529 PC False Personation
530.5(C) PC Identity Theft

REACT Agent: C. Tuttle #1945 Date: 7/10/18 Case Number: 2018-0018 Page 1 of 7

INVOLVED PARTY INFORMATION

(Fields left blank in the report are omitted.)

1. Liu, Mitch; Sex: M; Race: A; Relationship to Case: Victim
2. Laffey, Kyle; Age: 26; Sex: M; Race: White; Height: 5'10"; Weight: 145; Relationship to Case: Witness
3. Kitze, Chris; Relationship to Case: Victim
4. Nichols, Jeremiah; Age: 42; Sex: M; Race: Whi; Height: 5'10"; Weight: 235; Relationship to Case: Victim
5. Villani, Fiorenzi; Age: 47; Sex: M; Race: W
6. Logsden, Ty; Age: 27; Sex: M; Race: W; Height: 6'00"; Weight: 180; Relationship to Case: Victim
7. Stickney, Mark; Age: 37; Sex: M; Race: W; Relationship to Case: Victim
8. Covone, Michael; Age: 26; Sex: M; Race: W; Relationship to Case: Victim
9. Monroe, Eddie; Age: 52; Sex: M; Race: W; Relationship to Case: Victim
10. Hogan, William; Age: 23; Sex: M; Race: W; Relationship to Case: Victim
11. Snow, Paul; Sex: M; Race: W; Relationship to Case: Victim
12. Sarhanis, George; Sex: M; Race: W; Relationship to Case: Victim
13. Shapiro, Seth; Age: 54; Sex: M; Race: W; Relationship to Case: Victim
14. Cordes, William; Age: 30; Sex: M; Race: W; Relationship to Case: Victim
15. Johnson, Jeremy; Age: 41; Sex: M; Race: W; Relationship to Case: Victim
16. Copeland, William; Age: 32; Sex: M; Race: W; Relationship to Case: Victim
17. Sidhu, Jagdeep; Age: 41; Sex: M; Race: Other; Relationship to Case: Victim
18. Danieli, Damon; Age: 48; Sex: M; Race: W; Relationship to Case: Victim
19. Boboff, Peter; Relationship to Case: Victim
20. Holmes, Michael; Age: 54; Sex: M; Relationship to Case: Victim
21. Hui, Tina; Age: 37; Sex: F; Race: A; Relationship to Case: Victim
22. Mcalary, Christopher; Age: 33; Sex: M; Race: W; Relationship to Case: Victim

Regional Enforcement Allied Computer Team
INVESTIGATION REPORT: NARRATIVE

SYNOPSIS:

Victim 01 Mitch Liu, a resident of , had his AT&T cell phone taken over by an unknown suspect who then contacted V01 Liu through his wife’s cellphone and was demanding V01 Liu give the suspect Bitcoin cryptocurrency. The suspect also accessed V01 Liu’s Gmail and social media accounts including Twitter and LinkedIn.

There are multiple victims in this case who all had their Google accounts compromised and accessed without authorization. The victims listed in this investigation live within the . Google’s headquarters are in Mountain View, California.

BACKGROUND DEFINITIONS:

Cryptocurrency: any form of currency that only exists digitally, that usually has no central issuing or regulating authority but instead uses a decentralized system to record transactions and manage the issuance of new units, and that relies on cryptography to prevent counterfeiting and fraudulent transactions

SIM card: a card that is inserted into a device (such as a cell phone) and that is used to identify a subscriber on a communications network and to store data (such as phone numbers or contact information)

IMEI: IMEI number (International Mobile Equipment Identity) is a 15 or 17-digit unique number to identify mobile devices, as well as some other devices. It is usually found printed on the phone’s back under the battery.
2-Factor Authentication (2FA): a security mechanism that requires two types of credentials for authentication and is designed to provide an additional layer of validation, minimizing security breaches.

REACT AGENT: Caleb Tuttle #1945 Date: 09/05/2017 Case Number: 2018-0018 Page 1 of 20

I began receiving a series of emails from V01 Liu which stated the suspect gained control of his AT&T cell phone number . I have consolidated the content of the emails into V01 Liu’s statement.

STATEMENT OF VICTIM 01 MITCH LIU:

On 2/12/18, V01 Liu’s AT&T cell phone stopped working and lost cell service. V01 called AT&T and a representative told V01 Liu that on 2/12/18, the suspect walked into an AT&T store/reseller and presented ID and Social Security Number to get a new SIM card which gave the suspect control of V01 Liu’s cell phone number. Using Short Message System (SMS), the suspect then reset the passwords and accessed one of V01 Liu’s secondary Gmail accounts. V01 Liu was able to block the suspect’s actions at that point. V01 Liu contacted AT&T and regained control of his cell phone number.

On 3/19/18, at approximately 1100 hours V01 Liu received a notification from AT&T text message at approximately 1155 hours that his account passcode was changed. The suspect then gained access to V01 Liu’s 2 main email accounts, and , which contained most of V01 Liu’s financial and personal identifying information, tax returns, private passwords. The suspect also changed the passwords and took control of V01 Liu’s social media accounts listed below. Also, the suspect gained control of V01 Liu’s 2 Factor Authenticator (2FA) Google authenticator and started resetting passwords on V01 Liu’s cryptocurrency exchanges. Once V01 Liu was able to view his cryptocurrency accounts he realized the suspect was able to steal approximately $10,000 of cryptocurrency.
The original AT&T account was under and in V01 Liu’s wife’s name, Jeannie Chong. V01 Liu closed that account and got a new telephone number

On 3/20/18, at approximately 1330 hours, the suspect called V01 Liu’s wife’s telephone number and the caller ID showed V01 Liu’s number . The voice was male, very deep, sounded like a voice changer, asked to speak to V01 Liu and V01 Liu hung up. The suspect continued to try and call V01 Liu and even sent text messages to V01 Liu’s daughter saying V01 Liu owed the suspect Bitcoin.

The suspect also began Direct Messaging (DM) contacts on V01 Liu’s social media accounts pretending to be V01 Liu and asking to borrow cryptocurrency. One example of this, pretending to be V01 Liu, the suspect would message contacts and state he needed to borrow the cryptocurrency.

INVESTIGATION CONTINUED:

On 5/8/18, I prepared a search warrant for call detail records and account data for V01 Liu’s AT&T cell phone account to include the dates 2/12/18 and 3/19/18 that the suspect was in control of V01 Liu’s cell phone. The Honorable Judge William Monahan signed the warrant and I served it on AT&T.

On 5/22/18, I received the search warrant returns back from AT&T. The records showed that on the dates the suspect was in control of V01 Liu’s cell phone number, IMEI numbers and were being used with V01 Liu’s cell phone number. An internet search on IMEI.info showed those IMEI numbers were both Samsung Android cell phones.
I contacted V01 Liu who confirmed he did not ever use any Samsung phones.

Using the call detail records and mapping software, I plotted locations for calls placed on the dates the suspect was in control of V01 Liu’s cell phone. The records showed that on 2/12/18, the suspect was using the cell phone in Boston, Massachusetts.

On 5/22/18, I prepared a search warrant to Google for account data connected to the IMEI numbers and . The Honorable Judge Kenneth Barnum, Judge of the Superior Court, Santa Clara County signed a search warrant directing Google, Inc. to identify accounts associated with the suspect devices (based on the two IMEI numbers) during the time frame from 11/12/17 through 5/22/17, and to provide the content associated with those accounts during the same time frame. The warrant was served on Google and the company provided responsive information on 5/31/18.

The records provided identified three email accounts associated with one or both of the devices during those time frames, one of which was juju1012010@gmail.com. This email address appears to be frequently utilized by the suspect. The records provided by Google also included search history for that Google account. It included victim Liu’s name among the account’s recorded Google search history, as well as references to locations in Massachusetts.

TFA Berry and TFA Tarazi analyzed the Google warrant returns and among the emails in that account were the following of interest suggesting the identity of the account holder and offering links between the user of the account and the hacking and theft activity:

• A sent email containing a photograph of a subject holding a Massachusetts Identification Card. The subject holding the Identification Card appears to be the same subject as the person depicted in the card.
The information listed on the card is as follows:
Joel Ortiz
ID card number:
Birth date: 2/20/1998
Height: 6’2”
Address: 1399 Commonwealth Ave, Apt. 26, Boston, MA 02134;

• Emails received from Coinbase pertaining to account activity in a Coinbase account identified by that email address. The emails indicated that beginning 3/23/18, shortly after the funds were stolen from the victim’s Ether account and moved into Bitcoin, changes were made to the associated Coinbase account including identity verification and changes to the account’s two-factor authentication settings;

• Emails received from Bittrex, another cryptocurrency exchanger, pertaining to account activity in a Bittrex account identified by that email address. Beginning on 3/23/18, the activity noted in the emails included IP address verification and changes to the account’s two-factor authentication settings;

• Numerous emails received from Binance, another cryptocurrency exchanger, showing hundreds of thousands of dollars’ worth of cryptocurrency transfers into an account identified by that email address;

• An email containing information about SIM swapping, the account takeover technique employed in this case;

• Emails confirming the purchase/lease of numerous domain names likely obtained for masquerading purposes, including for example "www.tw-tter.com".
Such domain names are typically used to send “phishing” emails designed to maliciously harvest account credentials, which is another tactic employed to effect account takeovers;

• Emails sent to an email address, ending in @orange.fr, that appeared to have been sent to a third party in France, indicating that the @orange.fr email address had been compromised by the suspect such that the suspect’s account was being copied on emails sent to that address; and,

• Emails indicating numerous videos were posted to the user’s YouTube channel showing how to exploit several social media and phone company web sites, sharing information about zero-day exploits, and showing how to take over an orange.fr email address using Gmail.

TFA Berry obtained Search Warrants for financial account information pertaining to the accounts held by the suspect’s known email addresses with Coinbase and Bittrex. On 6/13/18, Bittrex provided responsive information showing that over $550,000 dollars’ worth of various cryptocurrencies had flowed through that Bittrex account, which was at that time essentially empty. The date of the last withdrawal was 6/4/18. The account holder information listed a name and address matching Ortiz’ Identification Card information, as follows, accompanied by “selfie” photographs of a person who appears to match the photograph in the ID card:
Joel Ortiz
ID card number:
Birth date: 2/20/1998
Address: 1399 Commonwealth Ave, Apt. 26, Boston, MA 02134

On 6/13/18, Binance voluntarily provided information pertaining to the suspect’s account with that financial institution, which was under the email account juju1012010@gmail.com. That information showed that over $620,000 had flowed through the account, which was at that time empty. The date of the last withdrawal was 5/18/18.
The information provided included customer due diligence images consisting of a photograph of a person who appears to be Ortiz holding a United States passport bearing the following information:
Name: Joel Ortiz
Passport number:
Birth date: 2/20/1998
Place of Birth: Massachusetts, U.S.A.

On 6/18/18, Coinbase provided responsive information that showed the email address joel10153@live.com was also associated with an account belonging to Ortiz, including customer due diligence information consisting of additional photographs of what appears to be the same subject holding the same Massachusetts Identification Card bearing the same information:
Joel Ortiz
ID card number:
Birth date: 2/20/1998
Address: 1399 Commonwealth Ave, Apt. 26, Boston, MA 02134

That account had sold over $237,000 in Bitcoin, over $48,000 in Ether, and over $14,000 in Litecoin (another cryptocurrency) since the account was opened in November of 2014. Coinbase had contacted Ortiz at one point inquiring about his source of funds. He told them he was selling Twitter/Instagram usernames in exchange for cryptocurrency at forums such as Hackforums, Ogusers and Ogflip. He stated he either holds bitcoins or exchanges them for other cryptocurrencies for profit. He stated outgoing bitcoins were most likely exchanged for alternative cryptocurrencies through Bittrex or Binance, “or held in cold storage for security purposes (such as Ledger Nano S).” “Cold storage” is a method of storing cryptocurrency in a form that is not connected to the Internet on a day-to-day basis. The current whereabouts of the withdrawn cryptocurrencies is currently unknown.

Also, among the emails located in the account juju1012010@gmail.com were emails linking the user to PayPal accounts.
On 6/13/18, the Honorable Cynthia Sevely, Judge of the Superior Court, Santa Clara County signed a search warrant for the PayPal accounts linked to the email addresses juju1012010@gmail.com and joel10153@live.com. On 6/14/18 and 6/18/18, PayPal provided responsive information that showed the following:

1) Five accounts were linked to Ortiz’ identifying information, including emails associated with him and his address. The customer due diligence information consisted of the following:
   a. A photograph of the same Massachusetts Identification Card showing the same name and address
   b. A photograph of a piece of mail from PayPal to Joel Ortiz at 1399 Commonwealth Ave in Boston, MA, 02134
   c. A picture of a social security card in the name of Joel Ortiz

2) The email address joel10153@live.com was listed as one or more of the email addresses for the account holder of three accounts under Ortiz’ identifying information and including some variation of his address (listed in most cases as “Allston” rather than “Boston” with the remaining information matching, and including the apartment number 26), including the following:
   a. The account which appeared to be Ortiz’ primary PayPal account was also associated with the email account juju1012010@gmail.com. That account included numerous withdrawals to a Citizens Bank account in his name, numerous payments of thousands of dollars at a time to “Airbnb Payments” for a total of approximately $59,000, approximately $72,000 in payments in even dollar amounts to an entity called “Stop N’ Shop” at an email address , and numerous other payments of thousands of dollars at a time in even dollar amounts to various individuals.
   b. Another of these accounts, with the primary email address of sick@live.fr, was used to purchase fourteen SIM cards from various cell phone carriers, one cell phone, and one PS3, and a sale of one cell phone case between 10/18/17 and 5/11/18, with no other transactions associated with the account.

3) The email address joel10153@live.com was also associated with an account under the name “Lon Frye” with an address in . On that account there was also an associated address that matches Ortiz’ address at 1399 Commonwealth Ave. in Allston, MA (a third party address added 12/12/15).

Based on this evidence, I now believed Joel Ortiz was the suspect who took control of V01 Liu’s cell phone and used that unauthorized access to take control of V01 Liu’s cell phone, email and social media accounts and steal approximately $10,000 in cryptocurrency.

REACT TFA Sergeant Samy Tarazi contacted AT&T and requested any and all accounts which had the IMEI numbers and listed in the accounts. TFA Sergeant Tarazi received a list of approximately forty AT&T customers who had those IMEI numbers attached to their accounts from 11/19/17 through 6/7/18. The Microsoft Excel files were titled .xls and .xls and submitted as an attachment to this report.

On 6/21/18, I began calling the telephone numbers listed on each AT&T account to determine if they were a victim as well. Below are the statements of victims who reside in .

All the victims’ AT&T cell phones were taken over through a process known as “SIM swapping” in which the suspect convinces customer service agents of the cellular service provider that he/she is the legitimate account holder and has somehow lost access to his original mobile device, and needs to be issued a new SIM card in order to regain access to his mobile service.
For some types of devices, a SIM card is a digital device that is inserted into a mobile device such as a cell phone handset to enable a mobile phone to communicate with its service provider. Once the suspect controls the new SIM card issued by the service provider, he/she can impersonate the victim with other service providers (such as email providers) by using the victim’s cell phone number to request changes to account settings.

A large majority of the Victim statements were captured using my department issued digital audio recorder. For full victim statements see the audio recorded statements booked into evidence and submitted as attachments to this report.

STATEMENT OF VICTIM 19 PETER BOBOFF:

TFA Sergeant Tarazi spoke to V19 Boboff, a resident of , who said his Gmail account and Microsoft account were compromised by the suspect and taken over. V19 Boboff emailed Sergeant Tarazi screenshots from his Google account history detailing the unauthorized logins to his Gmail account. The images show logins and password changes from a Samsung Galaxy Note 3 cell phone IP address 107.77.229.95 and a Windows computer in Chicago, Illinois IP address 68.235.48.108 on 6/7/18. V19 Boboff did not suffer any financial loss.

PARAPHRASED STATEMENT OF VICTIM 13 SETH SHAPIRO:

V13 Shapiro lives in . On 5/16/18, V13 Shapiro was at the Consensus NY cryptocurrency conference in New York, New York. V13 Shapiro’s cell phone lost cell service and stopped working. V13 Shapiro immediately knew he was being hacked because he had heard of this happening to other people in the cryptocurrency world. V13 Shapiro ran across the street to the AT&T store to get his cell phone back as soon as possible. V13 Shapiro was unable to login to his Gmail accounts due to the passwords being changed. The suspects gained access to V13 Shapiro’s cryptocurrency accounts as a result.
The suspect stole approximately 1200 Ethereum, $500,000 in cryptocurrency from the Bittrex account and $400,000 from a Wax cryptocurrency account. V13 Shapiro had raised approximately $700,000 to $1 Million in cryptocurrency for a project he was working on and that money was comingled with V13 Shapiro’s cryptocurrency. The total stolen was approximately $1.7 million in cryptocurrency with V13 Shapiro having $1 Million of his personal cryptocurrency stolen.

PARAPHRASED STATEMENT OF VICTIM 5 FIORENZI VILLANI:

V5 Villani lives in . On 5/14/18, V5 Villani was at the Consensus NY cryptocurrency conference in New York, New York. V5 Villani’s cell phone stopped receiving cell service and he knew his phone was being hacked. V5 Villani went across the street to the AT&T Store to try and stop the attack. The AT&T employee told V5 Villani his SIM card was switched to another phone. V5 Villani’s Gmail account was compromised and he lost access to his Gmail account. V5 Villani believes the suspect accessed his Gmail account by resetting the passwords using the 2FA password reset and V5 Villani’s cell phone number. V5 Villani did not suffer any personal loss.

PARAPHRASED STATEMENT OF VICTIM 3 CHRIS KITZE:

V3 Kitze is a resident of . On 3/2/18, V3 Kitze had his cell phone taken over and his cell phone stopped receiving cell service. V3 Kitze received messages his Yahoo and Gmail passwords were both changed and as a result V3 Kitze lost access to those accounts. V3 Kitze was told by AT&T that somebody walked into an AT&T reseller in Georgia and did the SIM swap.

On 5/14/18, V3 Kitze was at a cryptocurrency conference in New York and his cell phone was taken over again and stopped working. V3 Kitze’s Twitter account password was changed and was taken over on that occasion by the suspect.
The suspect again reset V3 Kitze’s Yahoo and Gmail account passwords and was unable to also access both accounts again. Eventually V3 Kitze regained access to his accounts and suffered no financial loss.

PARAPHRASED STATEMENT OF VICTIM 7 MARK STICKNEY:

V7 Stickney is a resident of . On 5/12/18, V7 Stickney’s cell phone stopped receiving cell service. V7 Stickney went to the AT&T store and was told somebody had transferred his phone number to another SIM card. V7 Stickney had his Gmail account compromised and his Twitter account was taken over by the suspect. The suspects reset V7 Stickney’s account passwords using the cell phone’s 2FA password reset ability. The suspect began Direct Messaging people using his Twitter account and was attempting to sell his Twitter username. V7 Stickney was able to get his accounts back and suffered no financial loss.

PARAPHRASED STATEMENT OF VICTIM 17 JAGDEEP SIDHU:

V17 Sidhu is a resident of . On 5/15/18, his phone stopped receiving cell service and V17 Sidhu went to AT&T to get a new SIM card. V17 Sidhu’s Gmail, Facebook and Instagram accounts were taken over by the suspects and V17 Sidhu lost access to those accounts. V17 Sidhu had a Coinbase cryptocurrency account which the suspect got into but he is unsure how much cryptocurrency was in that account. V17 Sidhu never looked into any losses and didn’t believe it was worth the effort.

PARAPHRASED STATEMENT OF VICTIM 9 EDDIE MONROE:

V9 Monroe is a resident of . On 3/7/18, V9 Monroe’s cell phone stopped working and was not getting cell service. V9 Monroe contacted AT&T and was told that somebody at AT&T bypassed the security measures at AT&T and did the SIM card switch. The suspect then changed password to his Yahoo email and V9 Monroe lost access to that account.
The suspect attempted to change his Gmail account password but was unsuccessful. The suspect also reset V9 Monroe’s Facebook password and V9 Monroe lost access to Facebook. The IP address for the computer/cell phone which reset his Facebook password was 104.200.154.107 and showed a location of Washington State. The suspect tried to reset V9 Monroe’s Coinbase cryptocurrency account password but was unsuccessful.

PARAPHRASED STATEMENT OF VICTIM 15 JEROMY JOHNSON:

V15 Johnson is a resident of . On 3/6/18, V15 Johnson’s cell phone stopped receiving cell service. The next day V15 Johnson went to an AT&T Store and got his phone number back. In the meantime, the suspect took control of V15 Johnson’s Facebook account and began Direct Messaging Facebook friends impersonating V15 Johnson and asking to borrow cryptocurrency. One of V15 Johnson’s Facebook friends, Rich Waters, fell victim to the scam and sent the suspect approximately 10 Bitcoin valued at approximately $100,000.

PARAPHRASED STATEMENT OF VICTIM 21 TINA HUI:

V21 Hui is a resident of . On 11/20/17, at approximately 1600 hours, V21 just woke from a nap and noticed that she was oddly logged out of her primary Gmail account. After a few attempts where Gmail insisted V21 Hui had the wrong password, a notification popped up stating V21 Hui changed her Gmail password four hours prior. V21 Hui was confused since she was in a meeting 4 hours prior and didn’t reset her password. V21 Hui asked to have her password reset and awaited the 2FA SMS text. V21 Hui quickly realized she wasn’t getting any text resets and then looked at her phone and noticed it said, ‘NO SERVICE.’ Looking again at the message from Gmail saying she had changed her password when she hadn’t, V21 Hui began to worry that she may have been hacked.
At approximately 1630 hours, V21 Hui asked friends on Facebook if anyone else had any issues with their AT&T service and shared that her email may have gotten hacked. V21 Hui received responses that her SIM card may have been hijacked and that many in the bitcoin space have been hacked.

Upon arrival at the AT&T Store, V21 Hui was told by an AT&T employee that someone had walked into an AT&T reseller store in Oakland and that is where the SIM swap occurred. The suspect also gained access to V21 Hui’s Coinbase cryptocurrency account but doesn’t believe anything was stolen. V21 Hui knows the suspect gained access to her Coinbase account because she received a text on her newly activated cell phone that she was logged out of Coinbase. V21 Hui sent an email to Coinbase notifying them of the intrusion and believed that stopped the attack. V21 Hui had a very small amount of cryptocurrency and did not believe the suspects were able to steal any.

INVESTIGATION CONTINUED:

On 7-10-2018, AT&T investigator Robert Arno provided TFA Tarazi with call record details pertaining to the IMEI numbers being used to take over victims’ AT&T cell phone accounts. TFA Tarazi analyzed these records and determined the following, pertaining to victims in .

The majority of the text messages received in the following records came from a “short code” number, which is a phone number used strictly to send text messages and cannot receive voice calls. Using https://usshortcodedirectory.com, TFA Tarazi was able to determine some of the companies that sent the text message. TFA Tarazi was not able to identify all the “short code” phone numbers, but based on his knowledge and experience TFA Tarazi believes them to originate from automated messaging services, commonly used for two factor authentication or identity verification services.
While the suspect was in control of Jeanie Chong’s (V01 Liu’s) AT&T account (February 2018), the phone received 25 text messages and sent 0 text messages. 10 of the received text messages came from Google.

While the suspect was in control of Jeromy Johnson’s AT&T account, the phone received 14 text messages and sent 0 text messages. 1 of the received text messages came from Google.

While the suspect was in control of Eddie Monroe’s AT&T account, the phone received 11 text messages and sent 0 text messages. 1 of the received text messages came from Google.

While the suspect was in control of Jagdeep Sidhu’s AT&T account, the phone received 11 text messages and sent 0 text messages.

While the suspect was in control of Jeanie Chong’s AT&T account (March 2018), the phone received 13 text messages and sent 0 text messages. 2 of the received text messages came from Google.

While the suspect was in control of Michael Holmes’ AT&T account, the phone received 33 text messages and sent 0 text messages.

While the suspect was in control of Mark Stickney’s AT&T account, the phone received 14 text messages and sent 0 text messages. 1 of the received text messages came from Twitter and 3 came from Google.

While the suspect was in control of Fiorenzo Villani’s AT&T account, the phone received 68 text messages and sent 0 text messages. 11 of the received text messages came from Google.

While the suspect was in control of Peter Boboff’s AT&T account, the phone received 28 text messages and sent 0 text messages. 12 of the received text messages came from Google.
Based on the large volume of text messages being received by the suspect in the short time he was in control of each victim’s AT&T account and the fact the majority of these texts were coming from “short code” numbers, I believe the following:

Once the suspect gained control of the victim’s AT&T account, the suspect began attempting to login to other on-line accounts owned by the victim. Either the website texted a two-factor authentication code to the AT&T account under the suspect’s control or the website texted a code that allowed the suspect to reset the password to the on-line account. These codes being texted to the suspect were solicited purposely by the suspect for the purpose of unlawfully accessing more of the victim’s accounts.

Based on the evidence seized from AT&T and Google and the Victim’s statements, I believe S01 Ortiz is in violation of the following crimes for each victim described below.

V01 Liu:
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Gmail account
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Yahoo account
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing LinkedIn account
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Facebook account
502(c)(1) PC and 529(a) PC – Unlawfully Accessing Twitter account and impersonating V01 Liu
487(a) PC – Theft of approximately $10,000 in Ethereum from V01 Liu

V19 Boboff:
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Gmail account
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Microsoft account

V13 Shapiro:
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Gmail account
502(c)(1) PC and 487(a) PC – Unlawfully Accessing Ethereum account and stealing 1200 Ethereum valued at approximately $840,000 on 5/16/18.
502(c)(1) PC and 487(a) PC – Unlawfully Accessing Bittrex account and stealing approximately $500,000 in cryptocurrency.
502(c)(1) PC and 487(a) PC – Unlawfully Accessing Wax account and stealing approximately $400,000 in cryptocurrency.

V5 Villani:
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Gmail account

V3 Kitze:
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Gmail account on 3/2/18
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Yahoo account on 3/2/18
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Gmail account on 5/14/18
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Microsoft account on 5/14/18
502(c)(1) PC – Unlawfully Accessing Twitter Account on 5/14/18

V7 Stickney:
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Gmail account
502(c)(1) PC and 529(a) PC – Unlawfully Accessing Twitter account and impersonating V7 Stickney’s online persona

V17 Sidhu:
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Gmail account
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Facebook account
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Instagram Account
502(c)(1) PC – Unlawfully Accessing Coinbase cryptocurrency account

V9 Monroe:
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Yahoo account
664/502(c)(1) PC and 664/530.5(C) PC – Attempting to Unlawfully Access Gmail account
664/502(c)(1) PC and 664/487(a) PC – Attempting to Unlawfully Access Coinbase cryptocurrency account
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Facebook account

V15 Johnson:
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Facebook account
529(a) PC – False Personation of Victim on Facebook

V21 Hui:
502(c)(1) PC and 530.5(C) PC – Unlawfully Accessing Gmail account
502(c)(1) PC and 664/487(a) PC – Unlawfully Accessing Coinbase cryptocurrency account and attempting to steal cryptocurrency

I am requesting the Santa Clara County District Attorney’s Office issue a warrant for the arrest of S01 Ortiz for the above listed charges.

END REPORT.

PLEO: TFA Caleb Tuttle #1945 – Original report

REACT AGENT: Caleb Tuttle #1945 Date: 09/05/2017 Case Number: 2018-0018