Case 2:17-cr-00276-RSM Document 47-2 Filed 07/27/18 Page 2 of 33

Presented to the Court by the foreman of the Grand Jury in Open Court, in the presence of the Grand Jury and FILED in the U.S. DISTRICT COURT at Seattle, Washington. W. COOL, Clerk. By - Deputy

UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WASHINGTON AT SEATTLE

UNITED STATES OF AMERICA, Plaintiff,
v.
FEDIR HLADYR, aka "Fedor Gladyr," aka "Fedir Oleksiyovych Gladyr," aka "Gladyr Fedir Oleksiyovych," aka "Gladyr Fedor Oleksiyovich," aka "Fedor," aka "das," aka "Fyodor," aka "AronaXus," Defendant.

No. CR17-276RSL

SUPERSEDING INDICTMENT

The Grand Jury charges that:

DEFINITIONS

1. IP Address: An Internet Protocol address (or simply "IP address") is a unique numeric address used by devices, such as computers, on the Internet. An IP address is a series of four numbers, each in the range 0-255, separated by periods (e.g., 104.250.138.210). Every device attached to the Internet must be assigned an IP address so that Internet traffic sent from and directed to that device may be directed properly from its source to its destination. Most Internet service providers control a range of IP addresses.

Superseding Indictment / United States v. Hladyr, No. CR17-276RSL - 1. UNITED STATES ATTORNEY, 700 STEWART STREET, SUITE 5220, SEATTLE, WASHINGTON 98101, (206) 553-7970

2. Server: A server is a computer that provides services for other computers connected to it via a network or the Internet. The computers that use the server's services are sometimes called "clients." Servers can be physically located anywhere with a network connection that may be reached by the clients; for example, it is not uncommon for a server to be located hundreds (or even thousands) of miles away from the client computers.
A server may be either a physical or virtual machine. A physical server is a piece of computer hardware configured as a server with its own power source, central processing unit/s and associated software. A virtual server is typically one of many servers that operate on a single physical server. Each virtual server shares the hardware resources of the physical server but the data residing on each virtual server is segregated from the data on other virtual servers that reside on the same physical machine.

3. Malware: Malware is malicious computer code running on a computer. Relative to the owner/authorized user of that computer, malware is computer code that is running on the system that is unauthorized and present on the system without the user's consent. Malware can be designed to do a variety of things, including logging every keystroke on a computer, stealing financial information or "user credentials" (passwords or usernames), or commanding that computer to become part of a network of "robot" or "bot" computers known as a "botnet." In addition, malware can be used to transmit data from the infected computer to another destination on the Internet, as identified by an IP address. Often times, these destination IP addresses are computers controlled by cyber criminals.

4. The Carbanak malware: "Carbanak" is the name given by computer security researchers to a particular malicious software (malware) program. Carbanak has been used to remotely access computers without authorization. The Carbanak malware allows an attacker to spy on another person's computer and remotely control the computer. Carbanak can record videos of the victim's computer screen and send the recordings back to the attacker. It can also let the attacker use the victim computer to attack other computers, and to steal files from the victim computer, and install other malware. All of this can be done without the legitimate user's knowledge or permission.

5. Bot: A "bot" computer is a computer that has been infected with some kind of malicious software or code and is thereafter subject to control by someone other than the true owner. The true owner of the infected computer usually remains able to use the computer as he did before it was infected, although speed or performance may be compromised.

6. Botnet: A "botnet" is a network of compromised computers known as "bots" that are under the control of a cybercriminal or "bot herder." The bots are harnessed by the bot herder through the surreptitious installation of malware that provides the bot herder with remote access to, and control of, the compromised computers. A botnet may be used en masse, in a coordinated fashion, to deliver a variety of Internet-based attacks, including attacks, brute force password attacks, the transmission of spam emails, the transmission of phishing emails, and hosting communication networks for cybercriminals (e.g., acting as a proxy server for email communications).

7. Phishing: Phishing is a criminal scheme in which the perpetrators use mass email messages and/or fake websites to trick people into providing information such as network credentials (usernames and passwords) that may later be used to gain access to a victim's systems. Phishing schemes often utilize social engineering techniques similar to traditional con-artist techniques in order to trick victims into believing they are providing their information to a trusted vendor, customer, or other acquaintance. Phishing emails are also often used to trick a victim into clicking on documents or links that contain malicious software that will compromise the victim's computer system.

8. Spear Phishing: Spear phishing is a targeted form of phishing directed towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also use spear phishing schemes to install malware on a targeted user's computer.

9. Social Engineering: Social engineering is a skill developed over time by people who seek to acquire protected information through manipulation of social relationships. People who are skilled in social engineering can convince key individuals to divulge protected information or access credentials that the social engineer deems valuable to the achievement of his or her aims.

10. Pen-Testing: Penetration testing, or pen-testing, is the practice of testing a computer system, network or computer application to find vulnerabilities that an attacker may exploit.

COUNT 1
(Conspiracy to Commit Wire and Bank Fraud)

I. OFFENSE

11. The allegations set forth in Paragraphs 1 through 10 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

12. Beginning at a time unknown, but no later than September 2015, and continuing through on or after January 10, 2018, at Seattle, within the Western District of Washington, and elsewhere, FEDIR OLEKSIYOVYCH HLADYR, aka "Fedor Gladyr," aka "Fedir Oleksiyovych Gladyr," aka "Gladyr Fedir Oleksiyovych," aka "Gladyr Fedor Oleksiyovich," aka "Fedor," aka "das," aka "Fyodor," aka "AronaXus," and others known and unknown to the Grand Jury, did knowingly and willfully combine, conspire, confederate and agree together to commit offenses against the United States, to wit:

a. to knowingly and willfully devise and execute and attempt to execute, a scheme and artifice to defraud, and for obtaining money and property by means of materially false and fraudulent pretenses, representations, and promises; and in executing and attempting to execute this scheme and artifice, to knowingly cause to be transmitted in interstate and foreign commerce, by means of wire communication, certain signs, signals and sounds as further described below, in violation of Title 18, United States Code, Section 1343;

b. to knowingly and willfully devise and execute and attempt to execute, a scheme and artifice to defraud financial institutions, as defined by Title 18, United States Code, Section 20, and to obtain moneys, funds, and credits under the custody and control of the financial institutions by means of materially false and fraudulent pretenses, representations, and promises, in violation of Title 18, United States Code, Section 1344(1) and (2).

II. OBJECTIVES OF THE CONSPIRACY

13. Defendant FEDIR OLEKSIYOVYCH HLADYR, and others known and unknown to the Grand Jury, were part of a financially motivated cybercriminal conspiracy known variously as FIN7, the Carbanak Group, and the Navigator Group (referred to herein as "FIN7"). FIN7 consists of a group of criminal actors engaged in a sophisticated malware campaign targeting the computer systems of businesses, primarily in the restaurant, gaming, and hospitality industries, among others.

14. The objectives of the conspiracy included hacking into protected computer networks using malicious software (hereinafter, "malware") designed to provide the conspirators with unauthorized access to, and control of, victim computer systems. The objectives of the conspiracy further included conducting surveillance of victim computer networks, and installing additional malware on victim computer networks for the purpose of establishing persistence, stealing money and property, including payment (credit and debit) card track data, financial information, and proprietary and non-public information. The objectives of the conspiracy further included using and selling the stolen data and information for financial gain in a variety of ways, including, but not limited to, using stolen payment card data to actress the United States and in foreign countries.

III. MANNER AND MEANS OF THE CONSPIRACY

15. The manner and means used to accomplish the conspiracy included the following:

a. FIN7 developed and employed various malware designed to infiltrate, compromise, and gain control of the computer systems of victim companies operating in the United States and elsewhere, including within the Western District of Washington. FIN7 established and operated an infrastructure of servers, located in various countries, through which FIN7 members coordinated activity to further the scheme. This infrastructure included, but was not limited to, the use of command and control servers, accessed through custom botnet control panels, that with and controlled compromised computer systems of victim companies.

b. FIN7 created a front company doing business as Combi Security to facilitate the malware scheme by seeking to make the scheme's illegal conduct appear legitimate. Combi Security purports to operate as a computer security pen-testing company based in Moscow, Russia and Haifa, Israel.
As part of advertisements and public internet pages for Combi Security, FIN7 portrayed Combi Security as a legitimate penetration testing enterprise that hired itself out to businesses for the purpose of testing their computer security systems.

Under the guise of a legitimate computer security company, FIN7, doing business as Combi Security, recruited individuals with computer programming skills, falsely claiming that the prospective employees would be engaged in legitimate pen-testing of client computer networks. In truth and in fact, as Defendant and his FIN7 co-conspirators well knew, Combi Security was a front company used to hire and deploy hackers who were given tasks in furtherance of the conspiracy.

FIN7 targeted victims in the Western District of Washington and elsewhere, using phishing techniques to distribute malware designed to gain unauthorized access to, take control of, and exfiltrate data from the computer systems of various businesses. Targeted victims include more than 120 identified companies, with thousands of individual locations of operation throughout the United States, including, but not limited to, the following representative victim companies:

i. "Victim-1" referenced herein is the Emerald Queen Hotel and Casino (EQC), a hotel and casino owned and operated by a federally recognized Native American Tribe with locations in Pierce County, within the Western District of Washington.

ii. "Victim-2" referenced herein is a - public corporation headquartered in Seattle, within the Western District of Washington, with operations throughout the United States and elsewhere;

iii. "Victim-3" referenced herein is Chipotle Mexican Grill, a U.S.-based restaurant chain with thousands of locations in the United States, including in the Western District of Washington, and in Canada and multiple European countries.

iv. "Victim-4" referenced herein is a U.S.-based pizza parlor chain with hundreds of locations predominantly in the Western United States, including in the Western District of Washington.

v. "Victim-5" referenced herein is BECU, a U.S.-based federally insured credit union headquartered in the Western District of Washington.

vi. "Victim-6" referenced herein is Jason's Deli, a U.S.-based casual delicatessen restaurant chain with hundreds of locations in the United States.

vii. "Victim-7" referenced herein is -, an automotive retail and repair chain with hundreds of locations in the United States, including in the Western District of Washington.

viii. "Victim-8" referenced herein is Red Robin Gourmet Burgers and Brews (Red Robin), a U.S.-based casual dining restaurant chain, founded in the Western District of Washington, with hundreds of locations in the United States, including in the Western District of Washington.

ix. "Victim-9" referenced herein is Sonic Drive-In (Sonic), a U.S.-based drive-in fast-food chain with thousands of locations in the United States, including in the Western District of Washington.

x. "Victim-10" referenced herein is Taco John's, a U.S.-based fast-food restaurant chain with hundreds of locations in the United States, including in the Western District of Washington.

e. FIN7 typically initiated its attacks by delivering, directly and through intermediaries, a phishing email with an attached malicious file, using wires in interstate and foreign commerce, to an employee of the targeted victim company. The attached malicious file usually was a Microsoft Word (.doc or .docx) or Rich Text File (.rtf) document with embedded malware. FIN7 used a variety of malware delivery mechanisms in its phishing attachments including, but not limited to: weaponized Microsoft Word macros, malicious Object Linking and Embedding (OLE) objects, malicious visual basic scripts or JavaScript, and malicious embedded shortcut files (LNK files). In some instances, the phishing email or attached file contained a link to malware hosted on servers controlled by FIN7. The phishing email, through false representations and pretenses, fraudulently induced the victim company employee to open the attachment or click on the link to activate the malware. For example, when targeting a hotel chain, the purported sender of the phishing email might falsely claim to be interested in making a hotel reservation. By way of further example, when targeting a restaurant chain, the purported sender of the phishing email might falsely claim to be interested in placing a catering order or making a complaint about prior food service at the restaurant.

f. In certain phishing attacks, FIN7, directly and through intermediaries, sent phishing emails to personnel at victim companies who had unique access to internal proprietary and non-public company information, including, but not limited to, employees involved with making filings with the United States Securities and Exchange Commission. These emails used an email address that spoofed an email address associated with the electronic filing system, and induced the recipients to activate the malware contained in the emails' attachments.

g. In many of the FIN7 attacks, a FIN7 member, or someone hired by FIN7 specifically for such purpose, would also call the victim company, using wires in interstate or foreign commerce, to legitimize the phishing email and convince the victim company employee to open the attached document using social engineering techniques. For example, when targeting a hotel chain or a restaurant chain, a conspirator would make a follow-up call falsely claiming that the details of a reservation request, catering order, or customer complaint could be found in the file attached to the previously delivered email, to induce the employee at the victim company to read the phishing email, open the attached file, and activate the malware.

h. If the recipient activated the phishing email attachment or clicked on the link, the recipient would unwittingly activate the malware, and the computer on which it was opened would become infected and connect to one or more command and control servers controlled by FIN7 to report details of the newly infected computer and download additional malware. The command and control infrastructure relied upon various servers in multiple countries, including, but not limited to, the United States, typically leased using false information, such as alias names and fictitious information.

i. FIN7 typically would install additional malware, including the Carbanak malware, to connect to additional FIN7 command and control servers to establish remote control of the victim computer.

j. Once a victim's computer was compromised, FIN7 would incorporate the compromised machine or "bot" into a botnet.

k. FIN7 designed and used a custom botnet control panel to manage and issue commands to the compromised machines.
Once a victim company's computers were incorporated into the FIN7 botnet and remotely controlled by malware, the group used this remote control and access to, among other things, install and manage additional malware, conduct surveillance, map and navigate the compromised computer network, compromise additional computers, exfiltrate files, and send and receive data. For instance, FIN7 often conducted surveillance on the victim's computer network by, among other things, capturing screen shots and videos of victim computer workstations that provided the conspirators with additional information about the victim company computer network and non-public credentials for both generic company accounts and for actual company employees.

m. FIN7 used its access to the victim's computer network and information gleaned from surveillance of the victim's computer systems to install additional malware designed to target and extract particular information and property of value, including payment card data and proprietary and non-public information. For instance, FIN7 often utilized various "off-the-shelf" software and custom malware, and a combination thereof, to extract and transfer data to a "loot" folder on one or more servers controlled by FIN7.

FIN7 frequently targeted victim companies with customers who use payment cards while making legitimate point-of-sale purchases, such as victim companies in the restaurant, gaming, and hospitality industries. In those cases, FIN7 configured malware to extract, copy, and compile the payment card data, and then to transmit the data from the victim computer systems to servers controlled by FIN7.

o. For example, between approximately March 24, 2017, and April 18, 2017, FIN7 harvested payment card data from point-of-sale devices at certain Victim-3 restaurant locations, including dozens of locations in the Western District of Washington.

p. FIN7 stole millions of payment card numbers, many of which have been offered for sale through vending sites, including, but not limited to, Joker's Stash, thereby attempting to generate millions of dollars of illicit profits.

q. The payment card data were offered for sale to allow purchasers to falsely represent themselves as authorized users of the stolen payment cards and to use the stolen payment card information to purchase goods and services in fraudulent transactions throughout the United States and the world, including over the Internet, resulting in millions of dollars in losses to, and and banks, including financial institutions, as defined in Title 18, United States Code, Section 20. For example, on or about March 10, 2017, stolen payment card data related to accounts held at Victim-5, a financial institution headquartered in the Western District of Washington, compromised through the computer network intrusion of a victim company, was used to make unauthorized purchases at a merchant in Puyallup, Washington.

r. FIN7 members employed various techniques to conceal their identities, including simultaneously utilizing various leased servers, that had been leased using false subscriber information, in multiple countries.

s. FEDIR OLEKSIYOVYCH HLADYR served as a high-level systems administrator for FIN7 who maintained servers and communication channels used by the organization. For example, FIN7 members requested FEDIR OLEKSIYOVYCH HLADYR to grant them access to servers used by FIN7 to facilitate the malware scheme. FEDIR OLEKSIYOVYCH HLADYR also played a management role in the scheme by delegating tasks and by providing instruction to other members of the scheme.

FIN7 members typically communicated with one another and others through private communication channels to further their malicious activity. Among other channels, FIN7 conspirators communicated using Jabber, an instant messaging service that allows members to communicate across multiple platforms and that supports end-to-end

u. For example, in Jabber communications with other FIN7 members, a co-conspirator, D.F., using his alias "hotdima," referenced using malware in connection with several specific victim companies, discussed using the administrative control panels to receive data from compromised computers, and identified several pen-testers working at his direction.

v. FIN7 members often communicated through a private HipChat server. HipChat is a group chat, instant messaging, and file-sharing program. FIN7 members used its HipChat server to collaborate on malware and victim business intrusions, to interview potential recruits, and to upload and share exfiltrated data, such as stolen payment card data. As a system administrator, FEDIR OLEKSIYOVYCH HLADYR created HipChat user accounts for FIN7 members that allowed them to access the server.

FEDIR OLEKSIYOVYCH HLADYR also created and participated in multiple HipChat "rooms" with other FIN7 members and participated in the uploading and organization of stolen payment card data and malware.
For example, on or about March 14, 2016, FEDIR OLEKSIYOVYCH HLADYR uploaded an archive that contained numerous data files created by malware designed to steal data from point-of-sale systems that process payment cards. The files contained payment card numbers stolen from a victim company that had publicly reported a security breach that resulted in the compromise of tens of thousands of payment cards. By way of further example, FEDIR OLEKSIYOVYCH HLADYR also set up and used a HipChat room titled "MyFile", in which he was the only participant, and to which he uploaded malware used by FIN7 and stolen payment card information.

x. FIN7 conspirators used numerous email accounts hosted by a variety of providers in the United States and elsewhere, which they often registered using false subscriber information.

y. FIN7 conspirators frequently used the project management software JIRA, hosted on private virtual servers in various countries, to coordinate their malicious activity and to manage the assorted network intrusions. FIN7 members typically created a "project" and then associated "issues" with the project, each issue akin to an issue directory or folder, for a victim company, which they used to collaborate and share details of the intrusion, to post victim company intelligence, such as network mapping information, and to store and share exfiltrated data.

For example, on or about September 7, 2016, FEDIR OLEKSIYOVYCH HLADYR created an "issue" for Victim-6, to which FIN7 conspirators posted files containing internal credentials for the victim company's computer network.

By way of further example, on multiple occasions in January 2017, co-conspirator D.F. and others posted to the FIN7 "issue" created for Victim-7, information about the victim company's internal network and uploaded exfiltrated data, including stolen employee credentials. Similarly, on or about April 5, 2017, co-conspirator F. created an "issue" for another victim company, Victim-9, and uploaded stolen user credentials from the victim company.

bb. FIN7 conspirators knew that the scheme would involve the use of wires in both interstate and foreign commerce to accomplish the objectives of the scheme. For example, the Defendant and his FIN7 co-conspirators knew that execution of the scheme necessarily caused the transmission of wire communications between the United States and one or more servers controlled by FIN7 located in foreign countries.

All in violation of Title 18, United States Code, Section 1349.

COUNTS 2-15
(Wire Fraud)

16. The allegations set forth in Paragraphs 1 through 15 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

I. SCHEME AND ARTIFICE TO DEFRAUD

17. Beginning at a time unknown, but no later than September 2015, and continuing through on or after January 10, 2018, at Seattle, within the Western District of Washington, and elsewhere, FEDIR OLEKSIYOVYCH HLADYR, and others known and unknown to the Grand Jury, devised and intended to devise a scheme and artifice to defraud and to obtain money and property by means of materially false and fraudulent pretenses, representations and promises.

18. The essence of the scheme and artifice to defraud was to obtain unauthorized access into, and control of, the computer networks of victims through deceit and materially false and fraudulent pretenses and representations, through the installation and use of malware designed to facilitate, among other things, the installation of additional malware, the sending and receiving of data, and the surveillance of the victims' computer networks. The object of the scheme and artifice to defraud was to steal money and property of value, including payment card data and proprietary and non-public information, which was, and could have been, sold and used for financial gain.

II. MANNER AND MEANS OF SCHEME TO DEFRAUD

19. The manner and means of the scheme and artifice to defraud are set forth in Paragraph 15 of Count 1 of this Superseding Indictment.

III. EXECUTION OF SCHEME TO DEFRAUD

20. On or about the dates set forth below, within the Western District of Washington, and elsewhere, FEDIR OLEKSIYOVYCH HLADYR, and others known and unknown to the Grand Jury, having devised a scheme and artifice to defraud, and to obtain money and property by means of materially false and fraudulent pretenses, representations, and promises, did knowingly transmit and cause to be transmitted writings, signs, signals, pictures, and sounds, for the purpose of executing such scheme, by means of wire communication in interstate and foreign commerce, including the following transmissions:

Count 2. August 8, 2016. Victim-1, Pierce County. Email from justgetravel@yahoo.com, which traveled through a server located outside the State of Washington, to a Victim-1 employee, located within the State of Washington.

Count 3. August 8, 2016. Victim-1, Pierce County. Email from frankjohnson@re\ntal? . traVelcom, which traveled through a server located outside the State of Washington, to a Victim-1 employee, located within the State of Washington.

Count 4. August 8, 2016. Victim-1, Pierce County. Electronic communication between a server located outside the State of Washington, and Victim-1's computer system, located within the State of Washington.

Count 5. February 21, 2017. Victim-2, Seattle. Email purporting to be from a government account, which traveled through a server located outside the State of Washington, to a Victim-2 employee, located within the State of Washington.

Count 6. February 23, 2017. Victim-2, Seattle. Electronic communication between a server located outside the State of Washington and Victim-2's computer system, located within the State of Washington.

Count 7. March 24, 2017. Victim-3, 4120 196th St SW, Suite 1?50. Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 8. March 25, 2017. Victim-3, 1415 Broadway, Seattle. Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 9. March 25, 2017. Victim-3, 800 156th Ave NE, Bellevue. Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 10. March 25, 2017. Victim-3, 4 Bellis Fair Pkwy, Bellingham. Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 11. March 25, 2017. Gilman Blvd, Suite A, Issaquah. Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 12. March 27, 2017. Victim-3, 515 SE Everett Mall Way, Suite B, Everett. Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 13. April 11, 2017. Victim-3, 22704 SE 4th St, Suite 210, Sammamish. Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 14. April 11, 2017. Victim-4, Renton. Email from oliver_palmer@yahoo.com, which traveled through a server located outside the State of Washington, to a Victim-4 employee, located within the State of Washington.

Count 15. March 10, 2017. Victim-5, Puyallup. Electronic communication between a merchant, located within the State of Washington, and a payment processor server, located outside the State of Washington.

All in violation of Title 18, United States Code, Section 1343.

COUNT 16
(Conspiracy to Commit Computer Hacking)

21. The allegations set forth in Paragraphs 1 through 20 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

I. OFFENSE

22. Beginning at a time unknown, but no later than September 2015, and continuing through on or after January 10, 2018, at Seattle, within the Western District of Washington, and elsewhere, FEDIR OLEKSIYOVYCH HLADYR, and others known and unknown to the Grand Jury, did knowingly and willfully combine, conspire, confederate and agree together to commit offenses against the United States, to wit:

a. to knowingly and with intent to defraud, access a protected computer without authorization and exceed authorized access to a protected computer, and by means of such conduct further the intended fraud and obtain anything of value exceeding $5,000.00 in any 1-year period, in violation of Title 18, United States Code, Sections 1030(a)(4) and and

b. to knowingly cause the transmission of a program, information, code, and and as a result of such conduct, intentionally cause damage without authorization to a protected computer, and the offense caused loss to one or more persons during a 1-year period aggregating at least $5,000.00 in value and damage affecting 10 or more protected computers during a 1-year period, in violation of Title 18, United States Code, Sections 1030(a)(5)(A) and 1

II. OBJECTIVES OF THE CONSPIRACY

23. The objectives of the conspiracy included hacking into protected computer networks using malware designed to provide the conspirators with unauthorized access to, and control of, victim computer systems. The objectives of the conspiracy further included conducting surveillance of victim computer networks and installing additional malware on the victim computer networks for the purposes of establishing persistence, and stealing payment card track data, financial information, and proprietary, private, and non-public information, with the intention of using and selling such stolen items, either directly or indirectly, for financial gain. The objectives of the conspiracy further included installing malware that would integrate victim computers into a botnet that allowed the conspiracy to control, alter, and damage compromised computers.

III. MANNER AND MEANS OF THE CONSPIRACY

24. The manner and means used to accomplish the conspiracy are set forth in Paragraph 15 of Count 1 of this Superseding Indictment.

IV. OVERT ACTS

25.
In furtherance of the conspiracy, and to achieve the objects thereof, FEDIR OLEKSIYOVYCH HLADYR, and others known and unknown to the Grand Jury, did commit and cause to be committed, the following overt acts, among others, in the Western District of Washington and elsewhere:

a. FEDIR OLEKSIYOVYCH HLADYR served as a high-level systems administrator for FIN7 who maintained servers and communication channels used by the organization, including administrating HipChat rooms and the uploading and organization of stolen payment card data and malware. For example,
i. On or about March 14, 2016, FEDIR OLEKSIYOVYCH HLADYR uploaded to a HipChat room shared with another FIN7 member an archive that contained numerous data files containing payment card numbers stolen from a victim company that had publicly reported a security breach that resulted in the loss of tens of thousands of payment cards.
ii. On or about April 8, 2016, FEDIR OLEKSIYOVYCH HLADYR created a HipChat room called "My_Files," to which he had exclusive access, and later uploaded data for approximately 100 stolen payment cards.
iii. On or about July 19, 2016, FEDIR OLEKSIYOVYCH HLADYR posted in a HipChat room accessible to other FIN7 members, files related to a victim company, including multiple screenshots from one or more victim company computers that showed, among other things, internal company information and an administrator password.
iv. On or about November 22, 2016, FEDIR OLEKSIYOVYCH HLADYR uploaded to his "My_Files" HipChat room a file containing data for stolen payment cards.

b. Co-conspirator D.F. served as a high-level "pen-tester" (one tasked with finding vulnerabilities that an attacker may exploit) who managed other pen-testers responsible for breaching the security of victims' computer systems. For example,
i. Co-conspirator D.F. created and managed "issues" on a private JIRA server relating to intrusions of multiple victim companies, including, but not limited to, Victim-7 and Victim-9, to which FIN7 members shared and stored intrusion information and exfiltrated data.
ii. Using a private Jabber server, co-conspirator D.F. communicated under the alias "hotdima" with other FIN7 members regarding his hacking efforts, and his payment for such efforts.
iii. Co-conspirator D.F. accessed and controlled compromised computer systems through custom control panels.

c. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of the Victim-1, a hotel and casino in the Western District of Washington. For instance,
i. On or about August 8, 2016, the conspiracy, directly and through intermediaries, used the account just_etravel@yahoo.com to send a phishing email, with the subject [illegible], to an employee of Victim-1 located in Tacoma, Washington, with an attached Microsoft Word document that contained malware. The email contained materially false representations designed to induce the targeted employee to open the file, enable the malware, and compromise the computer system.
ii. On or about August 8, 2016, the conspiracy, directly and through intermediaries, used the account frankjohnson@revital-travel.com to send a phishing email, with the subject "order," to an employee of Victim-1 located in Tacoma, Washington, with an attached Microsoft Word document that contained malware. The email contained materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.
iii. Under the control of the conspiracy's malware, a compromised computer of Victim-1 communicated with a command and control server located in a foreign country. For instance, from August 2016, to August 9, 2016, and from August 24, 2016 to August 31, 2016, a compromised Victim-1 computer logged approximately 3,639 communications with various URLs all starting with "revital-travel.com" at an IP address hosted in Russia.

d. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-6, a restaurant chain with locations in multiple states. For instance,
i. On or about August 25, 2016, the conspiracy, directly and through intermediaries, used the account revital travel @yahoo. com to send a phishing email to an employee of Victim-6, with an attached Microsoft Word document that contained malware. The email contained materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.
ii. On or about September 7, 2016, FEDIR OLEKSIYOVYCH HLADYR created an "issue" on the conspiracy's private JIRA server specifically related to Victim-6. One or more FIN7 members posted files containing internal credentials for the Victim-6 computer network.

e. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-7, an automotive retail and repair chain with hundreds of locations in multiple states, including Washington. For instance,
i. On or about January 18, 2017, a FIN7 member created an "issue" on the conspiracy's private JIRA server specifically related to Victim-7. That FIN7 member and co-conspirator D.F. posted results from several network mapping tools used on Victim-7's internal network.
ii. On or about January 20, 2017, a FIN7 member posted exfiltrated data, including multiple usernames and passwords with the title "Server Passwords," to the Victim-7 JIRA "issue."
iii. On or about January 23, and January 24, 2017, co-conspirator D.F. posted information about Victim-7's internal network and uploaded a file containing multiple IP addresses and information about Victim-7's servers to the Victim-7 JIRA "issue."
iv. On or about January 27, 2017, co-conspirator D.F. uploaded to the Victim-7 "issue" a file containing over 1,000 usernames and passwords for generic company accounts and employee accounts. The potentially compromised accounts related to approximately 700 Victim-7 locations throughout the United States, including approximately 12 locations located in the state of Washington.

f. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-2, a corporation headquartered in Seattle, Washington. For instance,
i. On or about February 21, 2017, the conspiracy, directly and through intermediaries, used an account purporting to be filings@sec.gov (but actually sent by secureserver.net) to send a phishing email to an employee of Victim-2 located in Seattle, Washington, with an attached Microsoft Word document that contained malware. The email falsely purported to relate to a corporate filing with the SEC and contained materially false representations designed to induce the targeted employee to open the file, enable the malware, and compromise the computer system.
ii. From on or about February 21, 2017 to approximately March 3, 2017, the conspiracy illegally accessed and had communications with the computer systems of Victim-2 located in Seattle, Washington. For instance, between about February 23, 2017, and February 24, 2017, the victim computer made outgoing connections to and transferred internal data, without authorization, to an IP address located in a foreign country.
iii. On or about February 24, 2017, a FIN7 member posted to a JIRA "issue" created for Victim-2, a screenshot from the targeted employee's computer at Victim-2, which showed, among other things, an internal Victim-2 webpage available only to employees with a valid user account.
iv. Similarly, a FIN7 member posted to the Victim-2 JIRA "issue" a text file containing the usernames and passwords of the targeted Victim-2 employee, including his/her personal email account, LinkedIn account, and personal investment and financial institution accounts.

g. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-3, a restaurant chain with thousands of locations, including the State of Washington. From approximately March 24, 2017 to April 18, 2017, the conspiracy accessed computer systems of Victim-3 and implanted malware designed to harvest payment card data from cards used on point-of-sale devices at restaurant locations nationwide, including approximately 33 locations within the Western District of Washington.

h. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-8, a restaurant chain with hundreds of locations in multiple states, including Washington. For instance,
i. On or about March 27, 2017, the conspiracy, directly and through intermediaries, used the account ray.donovan84@yahoo.com, to send a phishing email to a Victim-8 employee, with an attached Microsoft Word document that contained malware. The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.
ii. On or about March 29, 2017, a FIN7 member created an "issue" on the conspiracy's private server specifically related to Victim-8 and posted results from several network mapping tools used on Victim-8's internal network.
iii. On or about March 31, 2017, a FIN7 member posted a link to the point-of-sale software management solution used by Victim-8, and a username and password to the Victim-8 JIRA "issue." The software management tool allows a company to manage point-of-sale systems at multiple locations. The FIN7 member also uploaded several screenshots presumably from one or more victim computers at Victim-8, which showed, among other things, the user logged into Victim-8's account for the software management tool.
iv. On or about April 6, 2017, a FIN7 member uploaded to the Victim-8 JIRA "issue" a file containing hundreds of usernames and passwords for approximately 798 Victim-8 locations, including 37 locations located in the State of Washington. The file included network information, telephone communications, and locations of alarm panels within restaurants.
v. On or about April 7, 2017, a FIN7 member uploaded to the Victim-8 "issue" a similar file containing numerous usernames and passwords for Victim-8 locations.
vi. On or about May 5, 2017, a FIN7 member uploaded to the Victim-8 "issue" a file containing file directories on a compromised computer.
vii. On or about May 8, 2017, a FIN7 member uploaded to the Victim-8 JIRA "issue" exfiltrated files related to a password management system from a compromised computer, which contained the credentials, usernames, and passwords of a particular employee.
viii. On or about May 15, 2017, a FIN7 member uploaded to the Victim-8 JIRA "issue" screenshots of a compromised computer that showed the employee accessing Victim-8's security infrastructure management software [illegible] same employee's credentials.

i. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of one or more locations of Victim-9, a fast-food restaurant chain with thousands of locations throughout the United States, including Washington. For instance,
i. On various dates, the conspiracy, directly and through intermediaries, sent phishing emails with an attached file that contained malware to multiple Victim-9 locations. For instance, on or about April 7, 2017, the conspiracy used the account oliver_palmer@yahoo.com to send a phishing email to a Victim-9 location in the State of Oregon.
The email contained materially false representations designed to induce the targeted employee to open the file, enable the malware, and compromise the computer system.
ii. On or about April 5, 2017, co-conspirator D.F. created an "issue" on the conspiracy's private JIRA server specifically related to Victim-9. One or more FIN7 members posted usernames and passwords for Victim-9 locations, including a Victim-9 location in Vancouver, Washington.

j. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of one or more locations of Victim-4, a pizza parlor chain with hundreds of locations, including in Washington. For instance,
i. On or about April 11, 2017, the conspiracy, directly and through intermediaries, used the account oliver_palmer@yahoo.com, to send a phishing email, with the subject "claim," to an employee of a Victim-4 located in Renton, Washington, with an attached Rich Text Format (.rtf) document that contained malware. The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.
ii. On or about April 11, 2017, the conspiracy, directly and through intermediaries, used the account oliver_palmer@yahoo.com, to send a phishing email, with the subject [illegible], to an employee of a Victim-4 located in Vancouver, Washington, with an attached Rich Text Format (.rtf) document that contained malware. The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.
iii. On or about May 25, 2017, the conspiracy, directly and through intermediaries, used the account Adrian.1987clark@yahoo.com, to send a phishing email, with the subject "takeout order," to an employee of a Victim-4 located in or around Spokane, Washington, with an attached Rich Text Format (.rtf) document that contained malware. The email falsely stated that the sender had a large takeout order and contained additional materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.

k. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of one or more locations of Victim-10, a fast-food restaurant chain with hundreds of locations in various states, including Washington. For instance,
i. On or about May 24, 2017, a FIN7 member created an "issue" on the conspiracy's private JIRA server specifically related to Victim-10. One or more FIN7 members posted information relating to the intrusion of computer systems and exfiltrated data, including files containing passwords and screenshots from one or more compromised computers.
ii. On or about June 12, 2017, the conspiracy, directly and through intermediaries, used the account Adrian.1987clark@yahoo.com, to send a phishing email, with the subject "order.catering,"
to an employee of a Victim-10 located in Iowa, with an attached Rich Text Format (.rtf) document that contained malware. The email falsely stated that the sender had a catering order for the following day and contained additional materially false representations designed to induce the employee to enable the malware, and compromise the computer system.
iii. From on or about June 12, 2017, to a date unknown, the conspiracy illegally accessed and had communications with the computer systems of the Victim-10 located in Iowa. For instance, the conspiracy transferred, without authorization, the proprietary, private, and non-public victim data and information, including usernames and passwords, to a JIRA server managed by FIN7, located in a foreign country.

All in violation of Title 18, United States Code, Section 371.

COUNTS 17-19
(Accessing a Protected Computer in Furtherance of Fraud)

26. The allegations set forth in Paragraphs 1 through 25 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

27. On or about the dates listed below, within the Western District of Washington, and elsewhere, FEDIR OLEKSIYOVYCH HLADYR, and others known and unknown to the Grand Jury, knowingly and with intent to defraud accessed a protected computer without authorization and in excess of authorized access, and by means of such conduct furthered the intended fraud and obtained something of value, specifically, payment card data and proprietary and non-public information, whereby the object of the fraud and the thing obtained consisted of more than the use of the computers and the value of such use was more than $5,000 in a 1-year period, as listed below:

Count | Dates | Victim
17 | August 8, 2016 through [illegible] | [illegible]
18 | February 21, 2017 through March 3, 2017 | Victim-2
19 | March 24, 2017 through April 18, 2017 | Victim-3

All in violation of Title 18, United States Code, Sections 1030(a)(4), 1030(b), 1030(c)(3)(A) and 2.

COUNTS 20-22
(Intentional Damage to a Protected Computer)

28. The allegations set forth in Paragraphs 1 through 27 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

29. On or about the dates listed below, within the Western District of Washington, and elsewhere, FEDIR OLEKSIYOVYCH HLADYR, and others known and unknown to the Grand Jury, knowingly caused the transmission of a program, information, code, and command, and as a result of such conduct, intentionally caused damage without authorization, to a protected computer, specifically, the protected computer system of the victim listed below, and the offense caused (i) loss to one or more persons during a 1-year period aggregating at least $5,000.00 in value and (ii) damage affecting 10 or more protected computers during a 1-year period:

Count | Dates | Victim
20 | August 8, 2016 through October 4, 2016 | Victim-1
21 | February 21, 2017 through March 3, 2017 | Victim-2
22 | March 24, 2017 through April 18, 2017 | Victim-3

All in violation of Title 18, United States Code, Sections 1030(a)(5)(A), 1030(b), 1030(c)(4)(B), and 2.

COUNT 23
(Access Device Fraud)

30. The allegations set forth in Paragraphs 1 through 29 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

31. Beginning at a time unknown, and continuing through on or after January 10, 2018, within the Western District of Washington, and elsewhere, FEDIR OLEKSIYOVYCH HLADYR, and others known and unknown to the Grand Jury, knowingly and with intent to defraud, possessed fifteen or more counterfeit and unauthorized access devices, namely, payment card data, account numbers, and other means of account access that can be used, alone and in conjunction with another access device, to obtain money, goods, services, and any other thing of value, and that can be used to initiate a transfer of funds; said activity affecting interstate and foreign commerce.

All in violation of Title 18, United States Code, Sections 1029(c)(1)(A), and 2.

COUNT 24
(Aggravated Identity Theft)

32. The allegations set forth in Paragraphs 1 through 31 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

33. Beginning at a time unknown, but no earlier than on or about February 21, 2017, and no later than March 3, 2017, and continuing through on or after November 21, 2017, at Seattle, within the Western District of Washington, and elsewhere, FEDIR OLEKSIYOVYCH HLADYR, and others known and unknown to the Grand Jury, did knowingly transfer, possess, and use, without lawful authority, a means of identification of another person, to wit: the name, username, and password of a real person, J. [illegible] U.S.C. § 1028A(c), that is, conspiracy to commit wire and bank fraud, in violation of 18 U.S.C. § 1349, as charged in Count 1, and wire fraud, in violation of 18 U.S.C. § 1343, as charged in Counts 5 and 6, knowing that the means of identification belonged to another actual person.

All in violation of Title 18, United States Code, Sections 1028A(a) and 2.

COUNT 25
(Aggravated Identity Theft)

34. The allegations set forth in Paragraphs 1 through 33 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

35.
Beginning at a time unknown, but no later than on or about May 8, 2017, and continuing through on or after November 21, 2017, within the Western District of Washington, and elsewhere, FEDIR OLEKSIYOVYCH HLADYR, and others known and unknown to the Grand Jury, did knowingly transfer, possess, and use, without lawful authority, a means of identification of another person, to wit: the name, employee credentials, username, and password of a real person, M. [illegible], an employee of Victim-8, during and in relation to a felony violation enumerated in 18 U.S.C. § 1028A(c), that is, conspiracy to commit wire and bank fraud, in violation of 18 U.S.C. § 1349, as charged in Count 1, knowing that the means of identification belonged to another actual person.

All in violation of Title 18, United States Code, Sections 1028A(a) and 2.

COUNT 26
(Aggravated Identity Theft)

36. The allegations set forth in Paragraphs 1 through 35 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

37. Beginning at a time unknown, but no later than on or about January 27, 2017, and continuing through on or after November 21, 2017, within the Western District of Washington, and elsewhere, FEDIR OLEKSIYOVYCH HLADYR, and others known and unknown to the Grand Jury, did knowingly transfer, possess, and use, without lawful authority, a means of identification of another person, to wit: the name, username, and password of real persons [illegible], employees of Victim-7, during and in relation to a felony violation enumerated in 18 U.S.C. § 1028A(c), that is, conspiracy to commit wire and bank fraud, in violation of 18 U.S.C. § 1349, as charged in Count 1, knowing that the means of identification belonged to another actual person.
All in violation of Title 18, United States Code, Sections 1028A(a) and 2.

FORFEITURE ALLEGATION

38. The allegations contained in Counts 1 through 15 of this Superseding Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to Title 18, United States Code, Section 981(a)(1)(C) and Title 28, United States Code, Section 2461(c). Upon conviction of any of the offenses charged in Counts 1 through 15, the defendant, FEDIR OLEKSIYOVYCH HLADYR, shall forfeit to the United States any property, real or personal, which constitutes or is derived from proceeds traceable to such offenses, including but not limited to a judgment for a sum of money representing the property described in this paragraph.

39. The allegations contained in Counts 16 through 22 of this Superseding Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to Title 18, United States Code, Sections 982(a)(2)(B) and 1030(i). Upon conviction of any of the offenses charged in Counts 16 through 22, the defendant, FEDIR OLEKSIYOVYCH HLADYR, shall forfeit to the United States any property constituting, or derived from, proceeds the defendant obtained, directly or indirectly, as the result of such offenses, and shall also forfeit the defendant's interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such offenses, including but not limited to a judgment for a sum of money representing the property described in this paragraph.

40. The allegations contained in Count 23 of this Superseding Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to Title 18, United States Code, Sections 981(a)(1)(C) and 1029(c)(1)(C), and Title 28, United States Code, Section 2461(c).
Upon conviction of the offense charged in Count 23, the defendant, FEDIR OLEKSIYOVYCH HLADYR, shall forfeit to the United States any property, real or personal, which constitutes or is derived from proceeds traceable to such offense, and shall also forfeit any personal property used or intended to be used to commit such offense, including but not limited to a judgment for a sum of money representing the property described in this paragraph.

(Substitute Assets)

41. If any of the property described above, as a result of any act or omission of the defendant:
a. cannot be located upon the exercise of due diligence;
b. has been transferred or sold to, or deposited with, a third party;
c. has been placed beyond the jurisdiction of the court;
d. has been substantially diminished in value; or
e. has been commingled with other property which cannot be divided without difficulty,
the United States of America shall be entitled to forfeiture of substitute property pursuant to Title 21, United States Code, Section 853(p), as incorporated by Title 28, United States Code, Section 2461(c).

A TRUE BILL.
DATED:
(Signature of Foreperson redacted pursuant to policy of the Judicial Conference)
FOREPERSON

ANNETTE L. HA, United States Attorney
ANDREW C. FRIEDMAN, Assistant United States Attorney
[illegible] CIS, Assistant United States Attorney
[illegible], Assistant United States Attorney
[illegible], Trial Attorney, Computer Crime and Intellectual Property Section