Case Document 11-1 Filed 07/27/18 Page 1 of 33

Exhibit 5 Indictment (Dkt. United States v. Kolpakov, CR18-159RSM

Presented to the Court by the foreman of the Grand Jury in open Court, in the presence of the Grand Jury and FILED in the U.S. DISTRICT COURT at Seattle, Washington. June

UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WASHINGTON AT SEATTLE

UNITED STATES OF AMERICA, Plaintiff, v. ANDRII KOLPAKOV, aka "Andrey Kolpakov," aka "Andriy Kolpakov," aka "Andre Kolpakov," aka "Andrew Kolpakov," aka "santisimo," aka "santisimoz," aka "AndreyKS," Defendant.

NO. 18-159 JLK

INDICTMENT

The Grand Jury charges that:

DEFINITIONS

1. IP Address: An Internet Protocol address (or "IP address") is a unique numeric address used by devices, such as computers, on the Internet. Every device attached to the Internet must be assigned an IP address so that Internet traffic sent from and directed to that device may be directed properly from its source to its destination. Most Internet service providers control a range of IP addresses.

Indictment / United States v. Kolpakov - 1
UNITED STATES ATTORNEY, 700 STEWART STREET, SUITE 5220, SEATTLE, WASHINGTON 98101, (206) 553-7970

2. Server: A server is a computer that provides services for other computers connected to it via a network or the Internet. The computers that use the server's services are sometimes called "clients." Servers can be physically located anywhere with a network connection that may be reached by the clients; for example, it is not uncommon for a server to be located hundreds (or even thousands) of miles away from the client computers. A server may be either a physical or virtual machine. A physical server is a piece of computer hardware configured as a server with its own power source, central processing unit/s and associated software.
A virtual server is typically one of many servers that operate on a single physical server. Each virtual server shares the hardware resources of the physical server but the data residing on each virtual server is segregated from the data on other virtual servers that reside on the same physical machine.

3. Malware: Malware is malicious computer code running on a computer. Relative to the owner/authorized user of that computer, malware is computer code that is running on the system that is unauthorized and present on the system without the user's consent. Malware can be designed to do a variety of things, including logging every keystroke on a computer, stealing financial information or "user credentials" (passwords or usernames), or commanding that computer to become part of a network of "robot" or "bot" computers known as a "botnet." In addition, malware can be used to transmit data from the infected computer to another destination on the Internet, as identified by an IP address. Often times, these destination IP addresses are computers controlled by cybercriminals.

4. The Carbanak malware: "Carbanak" is the name given by computer security researchers to a particular malicious software (malware) program. Carbanak has been used to remotely access computers without authorization. The Carbanak malware allows an attacker to spy on another person's computer and remotely control the computer. Carbanak can record videos of the victim's computer screen and send the recordings back to the attacker. It can also let the attacker use the victim computer to attack other computers, and to steal files from the victim computer, and install other malware. All of this can be done without the legitimate user's knowledge or permission.

5. Bot: A "bot"
computer is a computer that has been infected with some kind of malicious software or code and is thereafter subject to control by someone other than the true owner. The true owner of the infected computer usually remains able to use the computer as he did before it was infected, although speed or performance may be compromised.

6. Botnet: A "botnet" is a network of compromised computers known as "bots" that are under the control of a cybercriminal or "bot herder." The bots are harnessed by the bot herder through the surreptitious installation of malware that provides the bot herder with remote access to, and control of, the compromised computers. A botnet may be used en masse, in a coordinated fashion, to deliver a variety of Internet-based attacks, including attacks, brute force password attacks, the of spam emails, the transmission of phishing emails, and hosting communication networks for cybercriminals (acting as a proxy server for email communications).

7. Phishing: Phishing is a criminal scheme in which the perpetrators use mass email messages and/or fake websites to trick people into providing information such as network credentials (e.g., usernames and passwords) that may later be used to gain access to a victim's systems. Phishing schemes often utilize social engineering techniques similar to traditional con-artist techniques in order to trick victims into believing they are providing their information to a trusted vendor, customer, or other acquaintance. Phishing emails are also often used to trick a victim into clicking on documents or links that contain malicious software that will compromise the victim's computer system.

8. Spear Phishing: Spear phishing is a targeted form of phishing directed towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also use spear phishing schemes to install malware on a targeted user's computer.
9. Social Engineering: Social engineering is a skill developed over time by people who seek to acquire protected information through manipulation of social relationships. People who are skilled in social engineering can convince key individuals to divulge protected information or access credentials that the social engineer deems valuable to the achievement of his or her aims.

10. Pen-Testing: Penetration testing, or pen-testing, is the practice of testing a computer system, network or computer application to find vulnerabilities that an attacker may exploit.

COUNT 1 (Conspiracy to Commit Wire and Bank Fraud)

I. OFFENSE

11. The allegations set forth in Paragraphs 1 through 10 and 21 through 25 of this Indictment are re-alleged and incorporated as if fully set forth herein.

12. Beginning at a time unknown, but no later than September 2015, and continuing through on or after June 20, 2018, at Seattle, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS," and others known and unknown to the Grand Jury, did knowingly and willfully combine, conspire, confederate and agree together to commit offenses against the United States, to wit:

a.
to knowingly and willfully devise and execute and attempt to execute, a scheme and artifice to defraud, and for obtaining money and property by means of materially false and fraudulent pretenses, representations, and promises; and in executing and attempting to execute this scheme and artifice, to knowingly cause to be transmitted in interstate and foreign commerce, by means of wire communication, certain signs, signals and sounds as further described below, in violation of Title 18, United States Code, Section 1343;

b. to knowingly and willfully devise and execute and attempt to execute, a scheme and artifice to defraud financial institutions, as defined by Title 18, United States Code, Section 20, and to obtain moneys, funds, and credits under the custody and control of the financial institutions by means of materially false and fraudulent pretenses, representations, and promises, in violation of Title 18, United States Code, Section 1344(1) and (2).

II. OBJECTIVES OF THE CONSPIRACY

13. The defendant, and others known and unknown to the Grand Jury, were part of a financially motivated cybercriminal conspiracy known variously as FIN7, the Carbanak Group, and the Navigator Group (referred to herein as "FIN7"). FIN7 consists of a group of criminal actors engaged in a sophisticated malware campaign targeting the computer systems of businesses, primarily in the restaurant, gaming, and hospitality industries, among others.

14. The objectives of the conspiracy included hacking into protected computer networks using malicious software (hereinafter, "malware") designed to provide the conspirators with unauthorized access to, and control of, victim computer systems.
The objectives of the conspiracy further included conducting surveillance of victim computer networks, and installing additional malware on victim computer networks for the purposes of establishing persistence, and stealing money and property, including payment card (credit and debit) track data, financial information, and proprietary and non-public information. The objectives of the conspiracy further included using and selling the stolen data and information for financial gain in a variety of ways, including, but not limited to, using stolen payment card data to conduct fraudulent transactions across the United States and in foreign countries.

III. MANNER AND MEANS OF THE CONSPIRACY

15. The manner and means used to accomplish the conspiracy included the following:

a. FIN7 developed and employed various malware designed to infiltrate, compromise, and gain control of the computer systems of victim companies operating in the United States and elsewhere, including within the Western District of Washington. FIN7 established and operated an infrastructure of servers, located in various countries, through which FIN7 members coordinated activity to further the scheme. This infrastructure included, but was not limited to, the use of command and control servers, accessed through custom botnet control panels, that communicated with and controlled compromised computer systems of victim companies.

b. FIN7 created a front company doing business as Combi Security to facilitate the malware scheme by seeking to make the scheme's illegal conduct appear legitimate. Combi Security purports to operate as a computer security pen-testing company based in Moscow, Russia and Haifa, Israel.
As part of advertisements and public internet pages for Combi Security, FIN7 portrayed Combi Security as a legitimate penetration testing enterprise that hired itself out to businesses for the purpose of testing their computer security systems.

c. Under the guise of a legitimate computer security company, FIN7, doing business as Combi Security, recruited individuals with computer programming skills, falsely claiming that the prospective employees would be engaged in legitimate pen-testing of client computer networks. In truth and in fact, as each defendant and his FIN7 co-conspirators well knew, Combi Security was a front company used to hire and deploy hackers who were given tasks in furtherance of the FIN7 conspiracy.

d. FIN7 targeted victims in the Western District of Washington, and elsewhere, using phishing techniques to distribute malware designed to gain unauthorized access to, take control of, and exfiltrate data from the computer systems of various businesses. FIN7's targeted victims include more than 120 identified companies, including, but not limited to, the following representative victim companies:

i. "Victim-1" referenced herein is the Emerald Queen Hotel and Casino (EQC), a hotel and casino owned and operated by a federally recognized Native American Tribe with locations in Pierce County, within the Western District of Washington.

ii. "Victim-2" referenced herein is _ a public corporation headquartered in Seattle, within the Western District of Washington, with operations throughout the United States and elsewhere.

iii. "Victim-3" referenced herein is Chipotle Mexican Grill, a U.S.
-based restaurant chain with thousands of locations in the United States, including in the Western District of Washington, and in Canada and multiple European countries.

iv. "Victim-4" referenced herein is _ a U.S.-based pizza parlor chain with hundreds of locations predominantly in the Western United States, including in the Western District of Washington.

v. "Victim-5" referenced herein is BECU, a U.S.-based federally insured credit union headquartered in the Western District of Washington.

vi. "Victim-6" referenced herein is Jason's Deli, a U.S.-based casual delicatessen restaurant chain with hundreds of locations in the United States.

vii. "Victim-7" referenced herein is _, an automotive retail and repair chain with hundreds of locations in the United States, including in the Western District of Washington.

viii. "Victim-8" referenced herein is Red Robin Gourmet Burgers and Brews (Red Robin), a U.S.-based casual dining restaurant chain, founded in the Western District of Washington, with hundreds of locations in the United States, including in the Western District of Washington.

ix. "Victim-9" referenced herein is Sonic Drive-in (Sonic), a U.S.-based drive-in fast-food chain with thousands of locations in the United States, including in the Western District of Washington.

x. "Victim-10" referenced herein is Taco John's, a U.S.-based fast-food restaurant chain with hundreds of locations in the United States, including in the Western District of Washington.

e. FIN7 typically initiated its attacks by delivering, directly and through intermediaries, a phishing email with an attached malicious file, using wires in interstate and foreign commerce, to an employee of the targeted victim company.
The attached malicious file usually was a Microsoft Word (.doc or .docx) or Rich Text File (.rtf) document with embedded malware. FIN7 used a variety of malware delivery mechanisms in its phishing attachments including, but not limited to, weaponized Microsoft Word macros, malicious Object Linking and Embedding (OLE) objects, malicious visual basic scripts or JavaScript, and malicious embedded shortcut files (LNK files). In some instances, the phishing email or attached file contained a link to malware hosted on servers controlled by FIN7. The phishing email, through false representations and pretenses, fraudulently induced the victim company employee to open the attachment or click on the link to activate the malware. For example, when targeting a hotel chain, the purported sender of the phishing email might falsely claim to be interested in making a hotel reservation. By way of further example, when targeting a restaurant chain, the purported sender of the phishing email might falsely claim to be interested in placing a catering order or making a complaint about prior food service at the restaurant.

f. In certain phishing attacks, FIN7, directly and through intermediaries, sent phishing emails to personnel at victim companies who had unique access to internal proprietary and non-public company information, including, but not limited to, employees involved with making filings with the United States Securities and Exchange Commission. These emails used an email address that spoofed an email address associated with the electronic filing system, and induced the recipients to activate the malware contained in the emails' attachments.

g. In many of the FIN7 attacks, a FIN7 member, or someone hired by FIN7 specifically for such purpose, would also call the victim company, using wires in
interstate and foreign commerce, to legitimize the phishing email and convince the victim company employee to open the attached document using social engineering techniques. For example, when targeting a hotel chain or a restaurant chain, a conspirator would make a follow-up call falsely claiming that the details of a reservation order, or customer complaint could be found in the file attached to the previously delivered email, to induce the employee at the victim company to read the phishing email, open the attached file, and activate the malware.

h. If the recipient activated the phishing email attachment or clicked on the link, the recipient would unwittingly activate the malware, and the computer on which it was opened would become infected and connect to one or more command and control servers controlled by FIN7 to report details of the newly infected computer and download additional malware. The command and control infrastructure relied upon various servers in multiple countries, including, but not limited to, the United States, typically leased using false information, such as alias names and fictitious information.

i. FIN7 typically would install additional malware, including the Carbanak malware, to connect to additional FIN7 command and control servers to establish remote control of the victim computer.

j. Once a victim's computer was compromised, FIN7 would incorporate the compromised machine or "bot" into a botnet.

k. FIN7 designed and used a custom botnet control panel to manage and issue commands to the compromised machines.

l.
Once a victim company's computers were incorporated into the FIN7 botnet and remotely controlled by FIN7's malware, the group used this remote control and access to, among other things, install and manage additional malware, conduct surveillance, map and navigate the compromised computer network, compromise additional computers, exfiltrate files, and send and receive data. For instance, FIN7 often conducted surveillance on the victim's computer network by, among other things, capturing screen shots and videos of victim computer workstations that provided the conspirators with additional information about the victim company computer network and non-public credentials for both generic company accounts and for actual company employees.

m. FIN7 used its access to the victim's computer network and information gleaned from surveillance of the victim's computer systems to install additional malware designed to target and extract particular information and property of value, including payment card data and proprietary and non-public information. For instance, FIN7 often utilized various "off-the-shelf" software and custom malware, and a combination thereof, to extract and transfer data to a "loot" folder on one or more servers controlled by FIN7.

n. FIN7 frequently targeted victim companies with customers who use payment cards while making legitimate point-of-sale purchases, such as victim companies in the restaurant, gaming, and hospitality industries. In those cases, FIN7 configured malware to extract, copy, and compile the payment card data, and then to transmit the data from the victim computer systems to servers controlled by FIN7.

o.
For example, between approximately March 24, 2017, and April 18, 2017, FIN7 harvested payment card data from point-of-sale devices at certain Victim-3 restaurant locations, including dozens of locations in the Western District of Washington.

p. FIN7 stole millions of payment card numbers, many of which have been offered for sale through vending sites, including, but not limited to, Joker's Stash, thereby attempting to generate millions of dollars of illicit profits.

q. The payment card data were offered for sale to allow purchasers to falsely represent themselves as authorized users of the stolen payment cards and to use the stolen payment card information to purchase goods and services in fraudulent transactions throughout the United States and the world, resulting in millions of dollars in losses to, and thereby affecting, merchants and banks, including financial institutions, as defined in Title 18, United States Code, Section 20. For example, on or about March 10, 2017, stolen payment card data related to accounts held at Victim-5, a financial institution headquartered in the Western District of Washington, compromised through the computer network intrusion of a victim company, was used to make unauthorized purchases at a merchant in Puyallup, Washington.

r. FIN7 members employed various techniques to conceal their identities, including simultaneously utilizing various leased servers that had been leased using false subscriber information, in multiple countries.

s. FIN7 operated as a structured enterprise with a hierarchical command structure under which dozens of members with diverse skillsets could coordinate their malicious activity. Key members of the scheme included, but were not limited to:

i.
Fedir Hladyr, a systems administrator who, among other things, maintained servers and communication channels used by the organization. Fedir Hladyr played a leading managerial role by delegating tasks and by providing instruction to other members of the scheme.

ii. Fedorov, a high-level "pen-tester" who supervised other hackers specifically tasked with breaching the security of victims' computer systems without the victims' knowledge or consent.

iii. ANDRII KOLPAKOV, a high-level "pen-tester" who supervised other hackers responsible for breaching the security of victims' computer systems without the victims' knowledge or consent.

t. FIN7 members typically communicated with one another and others through private communication channels to further their malicious activity. Among other channels, FIN7 conspirators communicated using Jabber, an instant messaging service that allows members to communicate across multiple platforms and that supports end-to-end

u. For example, in Jabber communications with other FIN7 members, co-conspirator using his alias "hotdima," referenced using malware in connection with several specific victim companies, discussed using the administrative control panels to receive data from compromised computers and identified several pen-testers working at his direction.

v. FIN7 members often communicated through a private HipChat server. HipChat is a group chat, instant messaging, and file-sharing program. FIN7 members used its HipChat server to collaborate on malware and victim business intrusions, to interview potential recruits, and to upload and share exfiltrated data, such as stolen payment card data. As a system administrator, co-conspirator Fedir Hladyr created HipChat user accounts for FIN7 members that allowed them to access the server.

w.
Co-conspirator Fedir Hladyr also created and participated in multiple HipChat "rooms" with other FIN7 members and participated in the uploading and organization of stolen payment card data and malware. For example, on or about March 14, 2016, co-conspirator Fedir Hladyr uploaded an archive that contained numerous data files created by malware designed to steal data from point-of-sale systems that process payment cards. The files contained payment card numbers stolen from a victim company that had publicly reported a security breach that resulted in the compromise of tens of thousands of payment cards. By way of further example, co-conspirator Fedir Hladyr also set up and used a HipChat room titled "MyFile", in which he was the only participant, and to which he uploaded malware used by FIN7 and stolen payment card information.

x. FIN7 conspirators used numerous email accounts hosted by a variety of providers in the United States and elsewhere, which they often registered using false subscriber information.

y. FIN7 conspirators frequently used the project management software JIRA, hosted on private virtual servers in various countries, to coordinate their malicious activity and to manage the assorted network intrusions. JIRA is a project management and issue-tracking program used by software development teams. FIN7 members typically created a "project" on the virtual JIRA server and then associated "issues" with the project, each issue akin to an issue directory or folder, for a victim company, which they used to collaborate and share details of the intrusion, to post victim company intelligence, such as network mapping information, and to store and share exfiltrated data.

z. For example, on or about September 7, 2016, co-conspirator Fedir Hladyr created an "issue"
for Victim-6, to which FIN7 conspirators including ANDRII KOLPAKOV posted files containing internal credentials for the victim company's computer network.

aa. By way of further example, on multiple occasions in January 2017, co-conspirator Fedorov and another FIN7 member posted to the FIN7 "issue" created for Victim-7, information about the victim company's internal network and uploaded exfiltrated data, including stolen employee credentials. Similarly, on or about April 5, 2017, Fedorov created an "issue" for another victim company, Victim-9, and uploaded stolen user credentials from the victim company.

bb. FIN7 conspirators knew that the scheme would involve the use of wires in both interstate and foreign commerce to accomplish the objectives of the scheme. For example, each defendant and his FIN7 co-conspirators knew that execution of the scheme necessarily caused the transmission of wire communications between the United States and one or more servers controlled by FIN7 located in foreign countries.

All in violation of Title 18, United States Code, Section 1349.

COUNTS 2 - 15 (Wire Fraud)

16. The allegations set forth in Paragraphs 1 through 15 of this Indictment are re-alleged and incorporated as if fully set forth herein.

I. SCHEME AND ARTIFICE TO DEFRAUD

17. Beginning at a time unknown, but no later than September 2015, and continuing through on or after June 20, 2018, at Seattle, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS,"
and others known and unknown to the Grand Jury, devised and intended to devise a scheme and artifice to defraud and to obtain money and property by means of materially false and fraudulent pretenses, representations and promises.

18. The essence of the scheme and artifice to defraud was to obtain unauthorized access into, and control of, the computer networks of victims through deceit and materially false and fraudulent pretenses and representations, through the installation and use of malware designed to facilitate, among other things, the installation of additional malware, the sending and receiving of data, and the surveillance of the victims' computer networks. The object of the scheme and artifice to defraud was to steal money and property of value, including payment card data and proprietary and non-public information, which was, and could have been, sold and used for financial gain.

II. MANNER AND MEANS OF SCHEME TO DEFRAUD

19. The manner and means of the scheme and artifice to defraud are set forth in Paragraph 15 of Count 1 of this Indictment.

III. EXECUTION OF SCHEME TO DEFRAUD

20. On or about the dates set forth below, within the Western District of Washington, and elsewhere, the defendant, and others known and unknown to the Grand Jury, having devised a scheme and artifice to defraud, and to obtain money and property by means of materially false and fraudulent pretenses, representations, and promises, did knowingly transmit and cause to be transmitted writings, signs, signals, pictures, and sounds, for the purpose of executing such scheme, by means of wire communication in interstate and foreign commerce, including the following transmissions:

Count 2. August 8, 2016. Victim-1, Pierce County. Email from _, which traveled through a server located outside the State of Washington, to a Victim-1 employee, located within the State of Washington.

Count 3. August 8, 2016. Victim-1, Pierce County. Email from frankjohnson@revital-travel.com, which traveled through a server located outside the State of Washington, to a Victim-1 employee, located within the State of Washington.

Count 4. August 8, 2016. Electronic communication between a server located outside the State of Washington, computer system, located within the State of Washington.

Count 5. February 21, 2017. Victim-2, Seattle. Email purporting to be from a government account, which traveled through a server located outside the State of Washington, to a Victim-2 employee, located within the State of Washington.

Count 6. February 23, 2017. Victim-2, Seattle. Electronic communication between a server located outside the State of Washington, and Victim-2's computer system, located within the State of Washington.

Count 7. March 24, 2017. Victim-3, 4120 196th St SW, Suite 150. Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 8. March 25, 2017. Victim-3, 1415 Broadway, Seattle. Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 9. March 25, 2017. Victim-3, 800 156th Ave NE, Bellevue. Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 10. March 25, 2017. Victim-3, 4 Bellis Fair Pkwy, Bellingham. Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 11. March 25, 2017. Victim-3, 775 NW Gilman Blvd, Suite A, Issaquah. Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 12. March 27, 2017. Victim-3, 515 SE Everett Mall Way Suite, Everett. Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 13. 11, 2017. Victim-3, 22704 SE 4th St, 210, Sammamish. Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 14. April 11, 2017. Victim-4, Renton. Email from _, which traveled through a server located outside the State of Washington, to a Victim-4 employee, located within the State of Washington.

Count 15. March 10, 2017. Victim-5, Puyallup. Electronic communication between a merchant, located within the State of Washington, and a payment processor server, located outside the State of Washington.

All in violation of Title 18, United States Code, Section 1343.

COUNT 16 (Conspiracy to Commit Computer Hacking)

21. The allegations set forth in Paragraphs 1 through 20 of this Indictment are re-alleged and incorporated as if fully set forth herein.

I. OFFENSE

22. Beginning at a time unknown, but no later than September 2015, and continuing through on or after June 20, 2018, at Seattle, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz,"
and "AndreyKS," and others known and unknown to the Grand Jury, did knowingly and willfully combine, conspire, confederate and agree together to commit offenses against the United States and with intent to defraud, access a protected computer without authorization and exceed authorized access to a protected computer, and by means of such conduct further the intended fraud and obtain anything of value exceeding $5,000.00 in any 1-year period, in violation of Title 18, United States Code, Sections 1030(a)(4) and

and b. to knowingly cause the transmission of a program, information, code, and command, and as a result of such conduct, intentionally cause damage without authorization to a protected computer, and cause loss to one or more persons during a 1-year period aggregating at least $5,000.00 in value and damage affecting 10 or more protected computers during a 1-year period, in violation of Title 18, United States Code, Sections 1030(a)(5)(A) and

II. OBJECTIVES OF THE CONSPIRACY

23. The objectives of the conspiracy included hacking into protected computer networks using malware designed to provide the conspirators with unauthorized access to, and control of, victim computer systems. The objectives of the conspiracy further included conducting surveillance of victim computer networks and installing additional malware on the victim computer networks for the purposes of establishing persistence, and stealing payment card track data, financial information, and proprietary, private, and non-public information, with the intention of using and selling such stolen items, either directly or indirectly, for financial gain. The objectives of the conspiracy further
included installing malware that would integrate victim computers into a botnet that allowed the conspiracy to control, alter, and damage compromised computers.

III. MANNER AND MEANS OF THE CONSPIRACY

24. The manner and means used to accomplish the conspiracy are set forth in Paragraph 15 of Count 1 of this Indictment.

IV. OVERT ACTS

25. In furtherance of the conspiracy, and to achieve the objects thereof, the defendant, and others known and unknown to the Grand Jury, did commit and cause to be committed, the following overt acts, among others, in the Western District of Washington and elsewhere:

a. As part of its command and control infrastructure, FIN7 used a number of physical servers in different countries to host virtual communication servers. In addition to other channels of communication, FIN7 members used virtual HipChat, JIRA, Mumble, and Jabber servers to collaborate and coordinate their attacks.

b. For example, FIN7 maintained a virtual Jabber server through which members could communicate privately. Among other Jabber communications made in furtherance of the conspiracy:

i. On or about April 14, 2016, a FIN7 member informed ANDRII KOLPAKOV that a particular individual and Fedir Hladyr were the "main" directors of the group.

ii. On or about April 15, 2016, a FIN7 member informed ANDRII KOLPAKOV that a particular individual was the "chief manager."

iii. On or about January 12, 2017, a FIN7 member introduced himself to a new FIN7 recruit, explained the member's salary would be paid, and indicated that ANDRII KOLPAKOV would be his supervisor.

iv. On or about May 29, 2017, ANDRII KOLPAKOV informed Fedorov that KOLPAKOV had successfully located point-of-sale data and accounting technology on a victim company's network.
v. On or about September 18, 2017, ANDRII KOLPAKOV and Fedorov discussed the file types used in phishing emails, and KOLPAKOV informed Fedorov of the development of an enhanced malware file that can activate without being double-clicked upon by the phishing email recipient.

Victim-1

c. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-1, a hotel and casino in the Western District of Washington. For instance,

i. On or about August 8, 2016, the conspiracy, directly and through intermediaries, used the account to send a phishing email, with the subject "order," to an employee of Victim-1 located in Tacoma, Washington, with an attached Microsoft Word document that contained malware. The email contained materially false representations designed to induce the targeted employee to open the file, enable the malware, and compromise the computer system.

ii. On or about August 8, 2016, the conspiracy, directly and through intermediaries, used the account frankjohnson@revital-travel.com to send a phishing email, with the subject "order," to an employee of Victim-1 located in Tacoma, Washington, with an attached Microsoft Word document that contained malware. The email contained materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.

iii. Under the control of the conspiracy's malware, a compromised computer of Victim-1 communicated with a command and control server located in a foreign country. For instance, from August 8, 2016, to August 9,
2016, and from August 24, 2016 to August 31, 2016, a compromised Victim-1 computer logged approximately 3,639 communications with various URLs all starting with "revital-travel.com" at an IP address hosted in Russia.

Victim-6

d. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-6, a restaurant chain with locations in multiple states. For instance,

i. On or about August 25, 2016, the conspiracy, directly and through intermediaries, used the account revitaltravel@yahoo.com to send a phishing email to an employee of Victim-6, with an attached Microsoft Word document that contained malware. The email contained materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.

ii. On or about September 7, 2016, co-conspirator Fedir Hladyr created an "issue" on the conspiracy's private JIRA server specifically related to Victim-6, to which ANDRII KOLPAKOV subsequently uploaded comments and stolen information pertaining to Victim-6's network structure and administrative credentials.

Victim-7

e. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-7, an automotive retail and repair chain with hundreds of locations in multiple states, including Washington. For instance,

i. On or about January 18, 2017, a FIN7 member created an "issue" on the conspiracy's private JIRA server specifically related to Victim-7, to which that individual and Fedorov subsequently posted results from several network mapping tools used on Victim-7's
internal network.

ii. On or about January 20, 2017, a FIN7 member posted exfiltrated data, including multiple usernames and passwords with the title "Server Passwords," to the Victim-7 "issue."

iii. On or about January 23, and January 24, 2017, Fedorov posted information about Victim-7's internal network and uploaded a file containing multiple IP addresses and information about Victim-7's servers to the Victim-7 JIRA "issue."

iv. On or about January 27, 2017, Fedorov uploaded to the Victim-7 "issue" a file containing over 1,000 usernames and passwords for generic company accounts and employee accounts. The potentially compromised accounts related to approximately 700 Victim-7 locations throughout the United States, including approximately 12 locations located in the state of Washington.

Victim-2

f. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-2, a corporation headquartered in Seattle, Washington. For instance,

i. On or about February 21, 2017, the conspiracy, directly and through intermediaries, used an account purporting to be filings@sec.gov (but that actually was sent by secureserver.net) to send a phishing email to an employee of Victim-2 located in Seattle, Washington, with an attached Microsoft Word document that contained malware. The email falsely purported to relate to a corporate filing with the SEC and contained materially false representations designed to induce the targeted employee to open the file, enable the malware, and compromise the computer system.

ii.
From on or about February 21, 2017, to approximately March 3, 2017, the conspiracy illegally accessed and had communications with the computer systems of Victim-2 located in Seattle, Washington. For instance, between about February 23, 2017, and February 24, 2017, the victim computer made outgoing connections to and transferred internal data, without authorization, to an IP address located in a foreign country.

iii. On or about February 24, 2017, a FIN7 member posted to a JIRA "issue" created for Victim-2, a screenshot from the targeted employee's computer at Victim-2, which showed, among other things, an internal Victim-2 webpage available only to employees with a valid user account.

iv. Similarly, a FIN7 member posted to the Victim-2 JIRA "issue" a text file containing the usernames and passwords of the targeted Victim-2 employee, including his/her personal email account, LinkedIn account, and personal investment and financial institution accounts.

Victim-3

g. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-3, a restaurant chain with thousands of locations, including the State of Washington. From approximately March 24, 2017 to April 18, 2017, the conspiracy accessed computer systems of Victim-3 and implanted malware designed to harvest payment card data from cards used on point-of-sale devices at restaurant locations nationwide, including approximately 33 locations within the Western District of Washington.

Victim-8

h.
The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-8, a restaurant chain with hundreds of locations in multiple states, including Washington. For instance,

i. On or about March 27, 2017, the conspiracy, directly and through intermediaries, used to send a phishing email to a Victim-8 employee, with an attached Microsoft Word document that contained malware. The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.

ii. On or about March 29, 2017, a FIN7 member created an "issue" on the conspiracy's private JIRA server specifically related to Victim-8 and posted results from several network mapping tools used on Victim-8's internal network.

iii. On or about March 31, 2017, a FIN7 member posted a link to the point-of-sale software management solution used by Victim-8, and a username and password to the Victim-8 JIRA "issue." The software management tool allows a company to manage point-of-sale systems at multiple locations. The FIN7 member also uploaded several screenshots, presumably from one or more victim computers at Victim-8, which showed, among other things, the user logged into Victim-8's account for the software management tool.

iv. On or about April 6, 2017, a FIN7 member uploaded to the Victim-8 JIRA "issue" a file containing hundreds of usernames and passwords for approximately 798 Victim-8 locations, including 37 locations located in the State of Washington.
The file included network information, telephone communications, and locations of alarm panels within restaurants.

v. On or about April 7, 2017, a FIN7 member uploaded to the Victim-8 JIRA "issue" a similar file containing numerous usernames and passwords for Victim-8 locations.

vi. On or about May 5, 2017, a FIN7 member uploaded to the Victim-8 JIRA "issue" a file containing file directories on a compromised computer.

vii. On or about May 8, 2017, a FIN7 member uploaded to the Victim-8 "issue" exfiltrated files related to a password management system from a compromised computer, which contained the credentials, usernames, and passwords of a particular employee.

viii. On or about May 15, 2017, a FIN7 member uploaded to the Victim-8 JIRA "issue" screenshots of a compromised computer that showed the employee accessing Victim-8's security infrastructure management software using that same employee's credentials.

Victim-9

i. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of one or more locations of Victim-9, a fast-food restaurant chain with thousands of locations throughout the United States, including Washington. For instance,

i. The conspiracy, directly and through intermediaries, sent phishing emails with an attached file that contained malware to multiple Victim-9 locations. For instance, on or about April 7, 2017, the conspiracy used the account oliver_palmer@yahoo.com to send a phishing email to a Victim-9 location in the State of Oregon. The email contained materially false representations designed to induce the targeted employee to open the file, enable the malware, and compromise the computer system.

ii. On or about April 5, 2017, Fedorov
created an "issue" on the conspiracy's private JIRA server specifically related to Victim-9 to which one or more FIN7 members subsequently posted usernames and passwords for Victim-9 locations, including a Victim-9 location in Vancouver, Washington.

Victim-4

j. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of one or more locations of Victim-4, a pizza parlor chain with hundreds of locations, including in Washington. For instance,

i. On or about April 11, 2017, the conspiracy, directly and through intermediaries, used the account com, to send a phishing email, with the subject "claim," to an employee of a Victim-4 located in Renton, Washington, with an attached Rich Text Format (.rtf) document that contained malware. The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.

ii. On or about April 11, 2017, the conspiracy, directly and through intermediaries, used the account oliver_palmer@yahoo.com, to send a phishing email, with the subject "claim," to an employee of a Victim-4 located in Vancouver, Washington, with an attached Rich Text Format (.rtf) document that contained malware. The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.

iii. On or about May 25, 2017, the conspiracy, directly and through intermediaries, used the account Adrian.1987clark@yahoo.com, to send a phishing email, with the subject "takeout order," to an employee of a Victim-4 located in or around Spokane, Washington, with an attached Rich Text Format (.rtf) document that contained malware. The email falsely stated that the sender had a large takeout order and contained additional materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.

Victim-10

k. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of one or more locations of Victim-10, a fast-food restaurant chain with hundreds of locations in various states, including Washington. For instance,

i. On or about May 24, 2017, a FIN7 member created an "issue" on the conspiracy's private JIRA server specifically related to Victim-10, to which other FIN7 members subsequently posted information relating to the intrusion of computer systems and exfiltrated data, including files containing passwords and screenshots from one or more compromised computers.

ii. On or about June 12, 2017, the conspiracy, directly and through intermediaries, used the account Adrian.1987clark@yahoo.com, to send a phishing email, with the subject "order. catering," to an employee of a Victim-10 located in Iowa, with an attached Rich Text Format (.rtf) document that contained malware. The email falsely stated that the sender had a catering order for the following day and contained additional materially false representations designed to induce the employee to enable the malware, and compromise the computer system.
iii. From on or about June 12, 2017, to a date unknown, the conspiracy illegally accessed and had communications with the computer systems of the Victim-10 located in Iowa. For instance, the conspiracy transferred, without authorization, proprietary, private, and non-public victim data and information, including usernames and passwords, to a JIRA server managed by FIN7, located in a foreign country.

iv. On or about June 14, 2017, a FIN7 member uploaded a variety of information including recommendations for attack vectors FIN7 members could use to access Victim-10's internal network.

All in violation of Title 18, United States Code, Section 371.

COUNTS 17-19
(Accessing a Protected Computer in Furtherance of Fraud)

26. The allegations set forth in Paragraphs 1 through 25 of this Indictment are re-alleged and incorporated as if fully set forth herein.

27. On or about the dates listed below, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS," and others known and unknown to the Grand Jury, knowingly and with intent to defraud accessed a protected computer without authorization and in excess of authorized access, and by means of such conduct furthered the intended fraud and obtained something of value, specifically, payment card data and proprietary and non-public information, whereby the object of the fraud and the thing obtained consisted of more than the use of the computers and the value of such use was more than $5,000 in a 1-year period, as listed below:

Count 17: August 8, 2016 through October 4, 2016. Victim-1.

Count 18: February 21, 2017 through March 3, 2017. Victim-2.

Count 19: March 24, 2017 through April 18, 2017. Victim-3.

All in violation of Title 18, United States Code, Sections 1030(a)(4), 1030(b), and 2.

COUNTS 20-22
(Intentional Damage to a Protected Computer)

28. The allegations set forth in Paragraphs 1 through 27 of this Indictment are re-alleged and incorporated as if fully set forth herein.

29. On or about the dates listed below, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS," and others known and unknown to the Grand Jury, knowingly caused the transmission of a program, information, code, and command, and as a result of such conduct, intentionally caused damage without authorization, to a protected computer, specifically, the protected computer system of the victim listed below, and the offense caused (i) loss to one or more persons during a 1-year period aggregating at least $5,000.00 in value and (ii) damage affecting 10 or more protected computers during a 1-year period:

Count 20: August 8, 2016 through October 4, 2016. Victim-1.

Count 21: February 21, 2017 through March 3, 2017. Victim-2.

Count 22: March 24, 2017 through April 18, 2017. Victim-3.

All in violation of Title 18, United States Code, Sections 1030(a)(5)(A), 1030(b), 1030(c)(4)(B), and 2.

COUNT 23
(Access Device Fraud)

30. The allegations set forth in Paragraphs 1 through 29 of this Indictment are re-alleged and incorporated as if fully set forth herein.

31. Beginning at a time unknown, and continuing through on or after June 20, 2018, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov,"
"Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS," and others known and unknown to the Grand Jury, knowingly and with intent to defraud, possessed fifteen or more counterfeit and unauthorized access devices, namely, payment card data, account numbers, and other means of account access that can be used, alone and in conjunction with another access device, to obtain money, goods, services, and any other thing of value, and that can be used to initiate a transfer of funds, said activity affecting interstate and foreign commerce.

All in violation of Title 18, United States Code, Sections 1029(c)(1)(A), and 2.

COUNT 24
(Aggravated Identity Theft)

32. The allegations set forth in Paragraphs 1 through 31 of this Indictment are re-alleged and incorporated as if fully set forth herein.

33. Beginning at a time unknown, but no earlier than on or about February 21, 2017, and no later than March 3, 2017, and continuing through on or after November 21, 2017, at Seattle, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS," and others known and unknown to the Grand Jury, did knowingly transfer, possess, and use, without lawful authority, a means of identification of another person, to wit: the name, username, and password of a real person, .Q., an employee of Victim-2, during and in relation to a felony violation enumerated in 18 U.S.C. 1028A(c), that is, conspiracy to commit wire and bank fraud, in violation of 18 U.S.C. 1349, as charged in Count 1, and wire fraud, in violation of 18 U.S.C. 1343, as charged in Counts 5 and 6, knowing that the means of identification belonged to another actual person.
All in violation of Title 18, United States Code, Sections 1028A(a) and 2.

COUNT 25
(Aggravated Identity Theft)

34. The allegations set forth in Paragraphs 1 through 33 of this Indictment are re-alleged and incorporated as if fully set forth herein.

35. Beginning at a time unknown, but no later than on or about May 8, 2017, and continuing through on or after November 21, 2017, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS," and others known and unknown to the Grand Jury, did knowingly transfer, possess, and use, without lawful authority, a means of identification of another person, to wit: the name, employee credentials, username and password of a real person, N.M., an employee of Victim-8, during and in relation to a felony violation enumerated in 18 U.S.C. 1028A(c), that is, conspiracy to commit wire and bank fraud, in violation of 18 U.S.C. 1349, as charged in Count 1, knowing that the means of identification belonged to another actual person.

All in violation of Title 18, United States Code, Sections 1028A(a) and 2.

COUNT 26
(Aggravated Identity Theft)

36. The allegations set forth in Paragraphs 1 through 35 of this Indictment are re-alleged and incorporated as if fully set forth herein.

37. Beginning at a time unknown, but no later than on or about January 27, 2017, and continuing through on or after November 21, 2017, within the Western District of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and
"AndreyKS," and others known and unknown to the Grand Jury, did knowingly transfer, possess, and use, without lawful authority, a means of identification of another person, to wit: the name, username, and password of real persons, E.L., .M., A.P., R.O., and L.D., employees and in relation to a felony violation enumerated in 18 U.S.C. 1028A(c), that is, conspiracy to commit wire and bank fraud, in violation of 18 U.S.C. 1349, as charged in Count 1, knowing that the means of identification belonged to another actual person.

All in violation of Title 18, United States Code, Sections 1028A(a) and 2.

FORFEITURE ALLEGATION

38. The allegations contained in Counts 1 through 15 of this Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to Title 18, United States Code, Section 981(a)(1)(C) and Title 28, United States Code, Section 2461(c). Upon conviction of any of the offenses charged in Counts 1 through 15, the defendant, ANDRII KOLPAKOV, aka "Andrey Kolpakov," "Andriy Kolpakov," "Andre Kolpakov," "Andrew Kolpakov," "santisimo," "santisimoz," and "AndreyKS," shall forfeit to the United States any property, real or personal, which constitutes or is derived from proceeds traceable to such offenses, including but not limited to a judgment for a sum of money representing the property described in this paragraph.

39. The allegations contained in Counts 16 through 22 of this Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to Title 18, United States Code, Sections 982(a)(2)(B). Upon conviction of any of the offenses charged in Counts 16 through 22, the defendant shall
forfeit to the United States any property constituting, or derived from, proceeds the defendant obtained, directly or indirectly, as the result of such offenses, and shall also forfeit the defendant's interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such offenses, including but not limited to a judgment for a sum of money representing the property described in this paragraph.

40. The allegations contained in Count 23 of this Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to Title 18, United States Code, Sections 981(a)(1)(C) and and Title 28, United States Code, Section 2461(c). Upon conviction of the offense charged in Count 23, the defendant shall forfeit to the United States any property, real or personal, which constitutes or is derived from proceeds traceable to such offense, and shall also forfeit any personal property used or intended to be used to commit such offense, including but not limited to a judgment for a sum of money representing the property described in this paragraph.

(Substitute Assets)

41. If any of the property described above, as a result of any act or omission of the defendant:

a. cannot be located upon the exercise of due diligence;
b. has been transferred or sold to, or deposited with, a third party;
c. has been placed beyond the jurisdiction of the court;
d. has been substantially diminished in value; or
e. has been commingled with other property which cannot be divided without difficulty,
the United States of America shall be entitled to forfeiture of substitute property pursuant to Title 21, United States Code, Section 853(p), as incorporated by Title 28, United States Code, Section 2461(c).

DATED:

(Signature of Foreperson redacted pursuant to policy of the Judicial Conference)
FOREPERSON

ANNETTE L. HAYES
United States Attorney

ANDREW C. FRIEDMAN
Assistant United States Attorney

FRANZE-NAKAMURA
Assistant United States Attorney

Assistant United States Attorney

ANTHONY TEELUCKSINGH
Trial Attorney
Computer Crime and Intellectual Property Section