Case Document 20-2 Filed 07/27/18 Page 1 of 32

Exhibit 4
Superseding Indictment (Dkt. United States v. Fedorov, CR1

Presented to the Court by the foreman of the Grand Jury in open Court, in the presence of the Grand Jury and FILED in the U.S. DISTRICT COURT at Seattle, Washington. January 25, 20

UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WASHINGTON AT SEATTLE

UNITED STATES OF AMERICA, Plaintiff,
v.
VALERIEVICH FEDOROV, aka "hotdima," Defendant.

SUPERSEDING INDICTMENT

The Grand Jury charges that:

DEFINITIONS

1. IP Address: An Internet Protocol address (or simply "address") is a unique numeric address used by devices, such as computers, on the Internet. An IP address is a series of four numbers, each in the range 0-255, separated by periods (e.g., 104.250.138.210). Every device attached to the Internet must be assigned an IP address so that Internet traffic sent from and directed to that device may be directed properly from its source to its destination. Most Internet service providers control a range of IP addresses.

Superseding Indictment / United States v. Fedorov, No. CR18-004RSM - 1, UNITED STATES ATTORNEY, 700 STEWART STREET, SUITE 5220, SEATTLE, WASHINGTON 98101, (206) 553-7970

2. Server: A server is a computer that provides services for other computers connected to it via a network or the Internet. The computers that use the server's services are sometimes called "clients." Servers can be physically located anywhere with a network connection that may be reached by the clients; for example, it is not uncommon for a server to be located hundreds (or even thousands) of miles away from the client computers. A server may be either a physical or virtual machine. A physical server is a piece of computer hardware configured as a server with its own power source, central processing unit/s and associated software.
A virtual server is typically one of many servers that operate on a single physical server. Each virtual server shares the hardware resources of the physical server but the data residing on each virtual server is segregated from the data on other virtual servers that reside on the same physical machine.

3. Malware: Malware is malicious computer code running on a computer. Relative to the owner/authorized user of that computer, malware is computer code that is running on the system that is unauthorized and present on the system without the user's consent. Malware can be designed to do a variety of things, including logging every keystroke on a computer, stealing financial information or "user credentials" (passwords or commanding that computer to become part of a network of "robot" or "bot" computers known as a "botnet." In addition, malware can be used to transmit data from the infected computer to another destination on the Internet, as identified by an IP address. Often times, these destination IP addresses are computers controlled by cyber criminals.

4. The Carbanak malware: "Carbanak" is the name given by computer security researchers to a particular malicious software (malware) program. Carbanak has been used to remotely access computers without authorization. The Carbanak malware allows an attacker to spy on another person's computer and remotely control the computer. Carbanak can record videos of the victim's computer screen and send the recordings back to the attacker. It can also let the attacker use the victim computer to attack other computers, and to steal files from the victim computer, and install other malware. All of this can be done without the legitimate user's knowledge or permission.

5. Bot: A "bot"
computer is a computer that has been infected with some kind of malicious software or code and is thereafter subject to control by someone other than the true owner. The true owner of the infected computer usually remains able to use the computer as he did before it was infected, although speed or performance may be compromised.

6. Botnet: A "botnet" is a network of compromised computers known as "bots" that are under the control of a cybercriminal or "bot herder." The bots are harnessed by the bot herder through the surreptitious installation of malware that provides the bot herder with remote access to, and control of, the compromised computers. A botnet may be used en masse, in a coordinated fashion, to deliver a variety of Internet-based attacks, including attacks, brute force password attacks, the transmission of spam emails, the transmission of phishing emails, and hosting communication networks for cybercriminals (e.g., acting as a proxy server for email communications).

7. Phishing: Phishing is a criminal scheme in which the perpetrators use mass email messages and/or fake websites to trick people into providing information such as network credentials (usernames and passwords) that may later be used to gain access to a victim's systems. Phishing schemes often utilize social engineering techniques similar to traditional con-artist techniques in order to trick victims into believing they are providing their information to a trusted vendor, customer, or other acquaintance. Phishing emails are also often used to trick a victim into clicking on documents or links that contain malicious software that will compromise the victim's computer system.

8. Spear Phishing: Spear phishing is a targeted form of phishing directed towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also use spear phishing schemes to install malware on a targeted user's computer.
9. Social Engineering: Social engineering is a skill developed over time by people who seek to acquire protected information through manipulation of social relationships. People who are skilled in social engineering can convince key individuals to divulge protected information or access credentials that the social engineer deems valuable to the achievement of his or her aims.

10. Pen-Testing: Penetration testing, or pen-testing, is the practice of testing a computer system, network or computer application to find vulnerabilities that an attacker may exploit.

COUNT 1
(Conspiracy to Commit Wire and Bank Fraud)

I. OFFENSE

11. The allegations set forth in Paragraphs 1 through 10 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

12. Beginning at a time unknown, but no later than September 2015, and continuing through on or after January 17, 2018, at Seattle, within the Western District of Washington, and elsewhere, VALERIEVICH FEDOROV, aka "hotdima," and others known and unknown to the Grand Jury, did knowingly and willfully combine, conspire, confederate and agree together to commit offenses against the United States, to wit: to knowingly and willfully devise and execute and attempt to execute, a scheme
and artifice to defraud, and for obtaining money and property by means of materially false and fraudulent pretenses, representations, and promises; and in executing and attempting to execute this scheme and artifice, to knowingly cause to be transmitted in interstate and foreign commerce, by means of wire communication, certain signs, signals and sounds as further described below, in violation of Title 18, United States Code, Section 1343; and to knowingly and willfully devise and execute and attempt to execute, a scheme and artifice to defraud financial institutions, as defined by Title 18, United States Code, Section 20, and to obtain moneys, funds, and credits under the custody and control of the financial institutions by means of materially false and fraudulent pretenses, representations, and promises, in violation of Title 18, United States Code, Section 1344(1) and (2).

II. OBJECTIVES OF THE CONSPIRACY

13. Defendant VALERIEVICH FEDOROV and others known and unknown to the Grand Jury, were part of a financially motivated cybercriminal conspiracy known variously as FIN7, the Carbanak Group, and the Navigator Group (referred to herein as FIN7). FIN7 consists of a group of criminal actors engaged in a sophisticated malware campaign targeting the computer systems of businesses, primarily in the restaurant, gaming, and hospitality industries, among others.

14. The objectives of the conspiracy included hacking into protected computer networks using malicious software (hereinafter, "malware") designed to provide the conspirators with unauthorized access to, and control of, victim computer systems. The objectives of the conspiracy further included conducting surveillance of victim computer networks and installing additional malware on victim computer for the purpose
of establishing persistence, stealing money and property, including payment card (credit and debit) track data, financial information, and proprietary and non-public information. The objectives of the conspiracy further included using and selling the stolen data and information for financial gain in a variety of ways, including, but not limited to, using stolen payment card data to conduct fraudulent transactions across the United States and in foreign countries.

III. MANNER AND MEANS OF THE CONSPIRACY

15. The manner and means used to accomplish the conspiracy included the following:

a. FIN7 developed and employed various malware designed to infiltrate, compromise, and gain control of the computer systems of victim companies operating in the United States and elsewhere, including within the Western District of Washington. FIN7 established and operated an infrastructure of servers, located in various countries, through which FIN7 members coordinated activity to further the scheme. This infrastructure included, but was not limited to, the use of command and control servers, accessed through custom botnet control panels, that communicated with and controlled compromised computer systems of victim companies.

b. FIN7 created a front company doing business as Combi Security to legitimate. Combi Security purports to operate as a computer security pen-testing company based in Moscow, Russia and Haifa, Israel. As part of advertisements and public internet pages for Combi Security, FIN7 portrayed Combi Security as a legitimate penetration testing enterprise that hired itself out to businesses for the purpose of testing their computer security systems.

c. Under the guise of a legitimate computer security company, FIN7
doing business as Combi Security, recruited individuals with computer programming skills, falsely claiming that the prospective employees would be engaged in legitimate pen-testing of client computer networks. In truth and in fact, as Defendant and his FIN7 co-conspirators well knew, Combi Security was a front company used to hire and deploy hackers who were given tasks in furtherance of the FIN7 conspiracy.

d. FIN7 targeted victims in the Western District of Washington and elsewhere, using phishing techniques to distribute malware designed to gain unauthorized access to, take control of, and exfiltrate data from the computer systems of various businesses. FIN7 targeted victims include more than 120 identified companies, with thousands of individual locations of operation throughout the United States, including, but not limited to, the following representative victim companies:

i. "Victim-1" referenced herein is the Emerald Queen Hotel and Casino (EQC), a hotel and casino owned and operated by a federally recognized Native American Tribe with locations in Pierce County, within the Western District of Washington.

ii. "Victim-2" referenced herein is a public corporation headquartered in Seattle, within the Western District of Washington, with operations throughout the United States and elsewhere.

iii. "Victim-3" referenced herein is Chipotle Mexican Grill, a U.S.-based restaurant chain with thousands of locations in the United States, including in the Western District of Washington, and in Canada and multiple European countries.

iv. "Victim-4" referenced herein is a U.S.-based pizza parlor chain with hundreds of locations predominantly in the Western United States, including in the Western District of Washington.

v. "Victim-5" referenced herein is a U.S.-based federally insured credit union headquartered in the Western District of Washington.

vi. "Victim-6" referenced herein is Jason's Deli, a U.S.-based casual delicatessen restaurant chain with hundreds of locations in the United States.

vii. "Victim-7" referenced herein is an automotive retail and repair chain with hundreds of locations in the United States, including in the Western District of Washington.

viii. "Victim-8" referenced herein is Red Robin Gourmet Burgers and Brews (Red Robin), a U.S.-based casual dining restaurant chain, founded in the Western District of Washington, with hundreds of locations in the United States, including in the Western District of Washington.

ix. "Victim-9" referenced herein is Sonic Drive-in (Sonic), a U.S.-based drive-in fast-food chain with thousands of locations in the United States, including in the Western District of Washington.

x. "Victim-10" referenced herein is Taco John's, a U.S.-based fast-food restaurant chain with hundreds of locations in the United States, including in the Western District of Washington.

e. FIN7 typically initiated its attacks by delivering, directly and through intermediaries, a phishing email with an attached malicious file, using wires in interstate and foreign commerce, to an employee of the targeted victim company. The attached malicious file usually was a Microsoft Word (.doc or .docx) or Rich Text File (.rtf) document with embedded malware.
FIN7 used a variety of malware delivery mechanisms in its phishing attachments including, but not limited to, weaponized Microsoft Word macros, malicious Object Linking and Embedding (OLE) objects, malicious Visual Basic scripts or JavaScript, and malicious embedded shortcut files. In some instances, the phishing email or attached file contained a link to malware hosted on servers controlled by FIN7. The phishing email, through false representations and pretenses, fraudulently induced the victim company employee to open the attachment or click on the link to activate the malware. For example, when targeting a hotel chain, the purported sender of the phishing email might falsely claim to be interested in making a hotel reservation. By way of further example, when targeting a restaurant chain, the purported sender of the phishing email might falsely claim to be interested in placing a catering order or making a complaint about prior food service at the restaurant.

f. In certain phishing attacks, FIN7, directly and through intermediaries, sent phishing emails to personnel at victim companies who had unique access to internal proprietary and non-public company information, including, but not limited to, employees involved with making filings with the United States Securities and Exchange Commission. These emails used an email address that spoofed an email address associated with the electronic filing system, and induced the recipients to activate the malware contained in the emails' attachments.

g. In many of the FIN7 attacks, a FIN7 member, or someone hired by FIN7 specifically for such purpose, would also call the victim company, using wires in interstate or foreign commerce, to legitimize the phishing email and convince the victim company employee to open the attached document using social-engineering techniques.
For example, when targeting a hotel chain or a restaurant chain, a conspirator would make a follow-up call falsely claiming that the details of a reservation request, catering order, or customer complaint could be found in the file attached to the previously delivered email, to induce the employee at the victim company to read the phishing email, open the attached file, and activate the malware.

h. If the recipient activated the phishing email attachment or clicked on the link, the recipient would unwittingly activate the malware, and the computer on which it was opened would become infected and connect to one or more command and control servers controlled by FIN7 to report details of the newly infected computer, and download additional malware. The command and control infrastructure relied upon various servers in multiple countries, including, but not limited to, the United States, typically leased using false information, such as alias names and fictitious information. FIN7 typically would install additional malware, including the Carbanak malware, to connect to additional FIN7 command and control servers to establish remote control of the victim computer.

j. Once a victim's computer was compromised, FIN7 would incorporate the compromised machine or "bot" into a botnet. FIN7 designed and used a custom botnet control panel to manage and issue commands to the compromised machines.

l. Once a victim company's computers were incorporated into the FIN7 botnet and remotely controlled by malware, the group used this remote
control and access to, among other things, install and manage additional malware, conduct surveillance, map and navigate the compromised computer network, compromise additional computers, exfiltrate files, and send and receive data. For instance, FIN7 often conducted surveillance on the victim's computer network by, among other things, capturing screen shots and videos of victim computer workstations that provided the conspirators with additional information about the victim company computer network and non-public credentials for both generic company accounts and for actual company employees.

m. FIN7 used its access to the victim's computer network and information gleaned from surveillance of the victim's computer systems to install additional malware designed to target and extract particular information and property of value, including payment card data and proprietary and non-public information. For instance, FIN7 often utilized various "off-the-shelf" software and custom malware, and a combination thereof, to extract and transfer data to a "loot" folder on one or more servers controlled by FIN7.

n. FIN7 frequently targeted victim companies with customers who use payment cards while making legitimate point-of-sale purchases, such as victim companies in the restaurant, gaming, and hospitality industries. In those cases, FIN7 configured malware to extract, copy, and compile the payment card data, and then to transmit the data from the victim computer systems to servers controlled by FIN7.

o. For example, between approximately March 24, 2017, and April 18, 2017, FIN7 harvested payment card data from point-of-sale devices at certain Victim-3 restaurant locations, including dozens of locations in the Western District of Washington.

p. FIN7 stole millions of payment card numbers, many of which have been offered for sale through vending sites, including, but not limited to, Joker's Stash, thereby attempting to generate millions of dollars of illicit profits.

q. The payment card data were offered for sale to allow purchasers to falsely represent themselves as authorized users of the stolen payment cards and to use the stolen payment card information to purchase goods and services in fraudulent transactions throughout the United States and the world, including over the Internet, resulting in millions of dollars in losses to, and thereby affecting, merchants and banks, including financial institutions as defined in Title 18, United States Code, Section 20. For example, on or about March 10, 2017, stolen payment card data related to accounts held at Victim-5, a financial institution headquartered in the Western District of Washington, compromised through the computer network intrusion of a victim company, was used to make unauthorized purchases at a merchant in Puyallup, Washington.

r. FIN7 members employed various techniques to conceal their identities, including simultaneously utilizing various leased servers, that had been leased using false subscriber information, in multiple countries.

s. FIN7 member, co-conspirator F. H., served as a high-level systems administrator for FIN7 who maintained servers and communication channels used by the organization. For example, FIN7 members requested co-conspirator F. H. to grant them access to servers used by FIN7 to facilitate the malware scheme. Co-conspirator F.
also played a management role in the scheme by delegating tasks and by providing instruction to other members of the scheme.

t. FIN7 members typically communicated with one another and others through private communication channels to further their malicious activity. Among other channels, FIN7 conspirators communicated using Jabber, an instant messaging service that allows members to communicate across multiple platforms and that supports end-to-end

u. For example, in Jabber communications with other FIN7 members, VALERIEVICH FEDOROV, using his alias "hotdima," referenced using malware in connection with several specific victim companies, discussed using the administrative control panels to receive data from compromised computers, and identified several pen-testers working at his direction.

v. FIN7 members often communicated through a private HipChat server. HipChat is a group chat, instant messaging, and file-sharing program. FIN7 members used its HipChat server to collaborate on malware and victim business intrusions, to interview potential recruits, and to upload and share exfiltrated data, such as stolen payment card data. As a system administrator, co-conspirator F. H. created HipChat user accounts for FIN7 members that allowed them to access the server.

w. Co-conspirator F. H. also created and participated in multiple HipChat "rooms" with other FIN7 members and participated in the uploading and organization of stolen payment card data and malware. For example, on or about March 14, 2016, co-conspirator F. H. uploaded an archive that contained numerous data files created by malware designed to steal data from point-of-sale systems that process payment cards.
The files contained payment card numbers stolen from a victim company that had publicly reported a security breach that resulted in the compromise of tens of thousands of payment cards. By way of further example, co-conspirator F. H. also set up and used a HipChat room titled "MyFile" in which he was the only participant, and to which he uploaded malware used by FIN7 and stolen payment card information.

x. FIN7 conspirators used numerous email hosted by a variety of providers in the United States and elsewhere, which they often registered using false subscriber information.

y. FIN7 conspirators frequently used the project management software JIRA, hosted on private virtual servers in various countries, to coordinate their malicious activity and to manage the assorted network intrusions. FIN7 members typically created a "project" and then associated "issues" with the project, each issue akin to an issue directory or folder, for a victim company, which they used to collaborate and share details of the intrusion, to post victim company intelligence, such as network mapping information, and to store and share exfiltrated data.

z. For example, on or about September 7, 2016, co-conspirator F. created an "issue" for Victim-6, to which FIN7 conspirators posted files containing internal credentials for the victim company's computer network.

aa. By way of further example, on multiple occasions in January 2017, VALERIEVICH FEDOROV and others posted to the FIN7 "issue" created for Victim-7, information about the victim company's internal network and uploaded exfiltrated data, including stolen employee credentials. Similarly, on or about April 5, 2017, VALERIEVICH FEDOROV created an "issue" for another victim company, Victim-9, and uploaded stolen user credentials from the victim company.

bb.
FIN7 conspirators knew that the scheme would involve the use of wires in both interstate and foreign commerce to accomplish the objectives of the scheme. For example, the Defendant and his FIN7 co-conspirators knew that execution of the scheme necessarily caused the transmission of wire communications between the United States and one or more servers controlled by FIN7 located in foreign countries.

All in violation of Title 18, United States Code, Section 1349.

COUNTS 2-15
(Wire Fraud)

16. The allegations set forth in Paragraphs 1 through 15 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

I. SCHEME AND ARTIFICE TO DEFRAUD

17. Beginning at a time unknown, but no later than September 2015, and continuing through on or after January 17, 2018, at Seattle, within the Western District of Washington, and elsewhere, VALERIEVICH FEDOROV, and others known and unknown to the Grand Jury, devised and intended to devise a scheme and artifice to defraud and to obtain money and property by means of materially false and fraudulent pretenses, representations and promises.

18. The essence of the scheme and artifice to defraud was to obtain unauthorized access into, and control of, the computer networks of victims through deceit and materially false and fraudulent pretenses and representations, through the installation and use of malware designed to facilitate, among other things, the installation of additional malware, the sending and receiving of data, and the surveillance of the victims' computer networks.
The object of the scheme and artifice to defraud was to steal money and property of value, including payment card data and proprietary and non-public information, which was, and could have been, sold and used for financial gain.

II. MANNER AND MEANS OF SCHEME TO DEFRAUD

19. The manner and means of the scheme and artifice to defraud are set forth in Paragraph 15 of Count 1 of this Superseding Indictment.

III. EXECUTION OF SCHEME TO DEFRAUD

20. On or about the dates set forth below, within the Western District of Washington, and elsewhere, VALERIEVICH FEDOROV, and others known and unknown to the Grand Jury, having devised a scheme and artifice to defraud, and to obtain money and property by means of materially false and fraudulent pretenses, representations, and promises, did knowingly transmit and cause to be transmitted writings, signs, signals, pictures, and sounds, for the purpose of executing such scheme, by means of wire communication in interstate and foreign commerce, including the following transmissions:

Count 2: August 8, 2016; Victim-1, Pierce County; Email from Just etravel@y oocom which traveled through a server located outside the State of Washington, to a Victim-1 employee, located within the State of Washington.

Count 3: August 8, 2016; Victim-1, Pierce County; Email from frankj Ohnson@revital?_ travel. com, which traveled through a server located outside the State of Washington, to a Victim-1 employee, located within the State of Washington.

Count 4: August 8, 2016; Victim-1, Pierce County; Electronic communication between a server located outside the State of Washington, and Victim-1's computer system, located within the State of Washington.

Count 5: February 21, 2017; Victim-2, Seattle; Email purporting to be from a government account, which traveled through a server located outside the State of Washington, to a Victim-2 employee, located within the State of Washington.

Count 6: February 23, 2017; Victim-2, Seattle; Electronic communication between a server located outside the State of Washington, and Victim-2's computer system, located within the State of Washington.

Count 7: March 24, 2017; Victim-3, 4120 196th St SW Suite 150, .. wood; Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 8: March 25, 2017; Victim-3, 1415 Broadway, Seattle; Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 9: March 25, 2017; Victim-3, 800 156th Ave NE, Bellevue; Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 10: March 25, 2017; Victim-3, 4 Bellis Fair Pkwy, Bellingham; Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 11: March 25, 2017; Victim-3, 775 Gilman Blvd, Suite A, Issaquah; Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 12: March 27, 2017; Victim-3, 515 SE Everett Mall Way, Suite B, Everett; Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 13: April 11, 2017; Victim-3, 22704 SE 4th, Suite 210, Sammamish; Electronic communication between a server, located outside the State of Washington, and Victim-3's computer system, located within the State of Washington.

Count 14: April 11, 2017; Victim-4, Renton; Email from Oliver_palmer@yahoo.com, which traveled through a server located outside the State of Washington, to a Victim-4 employee, located within the State of Washington.

Count 15: March 10, 2017; E?g?ks pup; Electronic communication between a merchant, located within the State of Washington, and a payment processor server, located outside the State of Washington.

All in violation of Title 18, United States Code, Section 1343.

COUNT 16
(Conspiracy to Commit Computer Hacking)

21. The allegations set forth in Paragraphs 1 through 20 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

I. OFFENSE

22. Beginning at a time unknown, but no later than September 2015, and continuing through on or after January 17, 2018, at Seattle, within the Western District of Washington, and elsewhere, VALERIEVICH FEDOROV, and others known and unknown to the Grand Jury, did knowingly and willfully combine, conspire, confederate and agree together to commit offenses against the United States, to wit:

a. to knowingly and with intent to defraud, access a protected computer without authorization and exceed authorized access to a protected computer, and by means of such conduct further the intended fraud and obtain anything of value exceeding 000.00 in any 1-year period, in violation of Title 18, United States Code, Sections 1030(a)(4) and and

b. to knowingly cause the transmission of a program, information, code, and command, and as a result of such conduct, intentionally cause damage without authorization to a protected computer, and the offense caused loss to one or more persons during a 1-year period aggregating at least 000.00 in value and damage affecting 10 or more protected computers during a 1-year period, in violation of Title 18, United States Code, Sections 1030(a)(5)(A) and

II. OBJECTIVES OF THE CONSPIRACY

23. The objectives of the conspiracy included hacking into protected computer networks using malware designed to provide the conspirators with unauthorized access to, and control of, victim computer systems. The objectives of the conspiracy further included conducting surveillance of victim computer networks and installing additional malware on the victim computer networks for the purposes of establishing persistence, and stealing payment card track data, financial information, and proprietary, private and non-public information, with the intention of using and selling such stolen items, either directly or indirectly, for financial gain. The objectives of the conspiracy further included installing malware that would integrate victim computers into a botnet that allowed the conspiracy to control, alter, and damage compromised computers.

III. MANNER AND MEANS OF THE CONSPIRACY

24. The manner and means used to accomplish the conspiracy are set forth in Paragraph 15 of Count 1 of this Superseding Indictment.

IV. OVERT ACTS

25.
In furtherance of the conspiracy, and to achieve the objects thereof, DMYTRO VALERIEVICH FEDOROV, and others known and unknown to the Grand Jury, did commit and cause to be committed, the following overt acts, among others, in the Western District of Washington and elsewhere:

a. Co-conspirator F.H. served as a high-level systems administrator for FIN7 who maintained servers and communication channels used by the organization, including administrating HipChat rooms and the uploading and organization of stolen payment card data and malware. For example,

i. On or about March 14, 2016, co-conspirator F.H. uploaded to a HipChat room shared with another FIN7 member an archive that contained numerous data files containing payment card numbers stolen from a victim company that had publicly reported a security breach that resulted in the loss of tens of thousands of payment cards.

ii. On or about April 8, 2016, co-conspirator F.H. created a HipChat room called "My_Files," to which he had exclusive access, and later uploaded data for approximately 100 stolen payment cards.

iii. On or about July 19, 2016, co-conspirator F.H. posted to a HipChat room accessible to other FIN7 members, files related to a victim company, including multiple screenshots from one or more victim company computers that showed, among other things, internal company information and an administrator password.

iv. On or about November 22, 2016, co-conspirator F.H. uploaded to his "My_Files" HipChat room a file containing data for stolen payment cards.

b. DMYTRO VALERIEVICH FEDOROV served as a high-level "pen-tester" (one tasked with finding vulnerabilities that an attacker may exploit) who managed other pen-testers responsible for breaching the security of victims' computer systems. For example,
i. DMYTRO VALERIEVICH FEDOROV created and managed "issues" on FIN7's private JIRA server relating to intrusions of multiple victim companies, including, but not limited to, Victim-7 and Victim-9, to which FIN7 members shared and stored intrusion information and exfiltrated data.

ii. Using a private Jabber server, DMYTRO VALERIEVICH FEDOROV communicated under the alias "hotdima" with other FIN7 members regarding his hacking efforts, and his payment for such efforts.

iii. DMYTRO VALERIEVICH FEDOROV accessed and controlled compromised computer systems through custom control panels.

c. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-1, a hotel and casino in the Western District of Washington. For instance,

i. On or about August 8, 2016, the conspiracy, directly and through intermediaries, used the account just_etravel@yahoo.com to send a phishing email, with the subject "order," to an employee of Victim-1 located in Tacoma, Washington, with an attached Microsoft Word document that contained malware. The email contained materially false representations designed to induce the targeted employee to open the file, enable the malware, and compromise the computer system.

ii. On or about August 8, 2016, the conspiracy, directly and through intermediaries, used the account frankjohnson@revital-travel.com to send a phishing email, with the subject "order," to an employee of Victim-1 located in Tacoma, Washington, with an attached Microsoft Word document that contained malware.
The email contained materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.

iii. Under the control of the conspiracy's malware, a compromised computer of Victim-1 communicated with a command and control server located in a foreign country. For instance, from August 8, 2016 to August 9, 2016, and from August 24, 2016 to August 31, 2016, a compromised Victim-1 computer logged approximately 3,639 with various URLs all starting with "revital-travel.com" at an IP address hosted in Russia.

d. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-6, a restaurant chain with locations in multiple states. For instance,

i. On or about August 25, 2016, the conspiracy, directly and through intermediaries, used the account revital.travel@yahoo.com to send a phishing email to an employee of Victim-6, with an attached Microsoft Word document that contained malware. The email contained materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.

ii. On or about September 7, 2016, co-conspirator F.H. created an "issue" on the conspiracy's private JIRA server specifically related to Victim-6. One or more FIN7 members posted files containing internal credentials for the Victim-6 computer network.

e. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-7, an automotive retail and repair chain with hundreds of locations in multiple states, including Washington.
For instance,

i. On or about January 18, 2017, a FIN7 member created an "issue" on the conspiracy's private JIRA server specifically related to Victim-7. That FIN7 member and DMYTRO VALERIEVICH FEDOROV posted results from several network mapping tools used on Victim-7's internal network.

ii. On or about January 20, 2017, a FIN7 member posted exfiltrated data, including multiple usernames and passwords with the title "Server Passwords," to the Victim-7 "issue."

iii. On or about January 23, and January 24, 2017, DMYTRO VALERIEVICH FEDOROV posted information about Victim-7's internal network and uploaded a file containing multiple IP addresses and information about Victim-7's servers to the Victim-7 JIRA "issue."

iv. On or about January 27, 2017, DMYTRO VALERIEVICH FEDOROV uploaded to the Victim-7 "issue" a file containing over 1,000 usernames and passwords for generic company employee accounts. The potentially compromised accounts related to approximately 700 Victim-7 locations throughout the United States, including approximately 12 locations located in the State of Washington.

f. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-2, a corporation headquartered in Seattle, Washington. For instance,

i. On or about February 21, 2017, the conspiracy, directly and through intermediaries, used an account purporting to be filings@sec.gov (but actually sent by secureserver.net) to send a phishing email to an employee of Victim-2 located in Seattle, Washington, with an attached Microsoft Word document that contained malware.
The email falsely purported to relate to a corporate filing with the SEC and contained materially false representations designed to induce the targeted employee to open the file, enable the malware, and compromise the computer system.

ii. From on or about February 21, 2017, to approximately March 3, 2017, the conspiracy illegally accessed and had communications with the computer systems of Victim-2 located in Seattle, Washington. For instance, between about February 23, 2017, and February 24, 2017, the victim computer made outgoing connections to and transferred internal data, without authorization, to an address located in a foreign country.

iii. On or about February 24, 2017, a FIN7 member posted to a JIRA "issue" created for Victim-2, a screenshot from the targeted employee's computer at Victim-2, which showed, among other things, an internal Victim-2 webpage available only to employees with a valid user account.

iv. Similarly, a FIN7 member posted to the Victim-2 JIRA "issue" a text file containing the usernames and passwords of the targeted Victim-2 employee, including his/her personal email account, LinkedIn account, and personal investment and financial institution accounts.

g. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-3, a restaurant chain with thousands of locations, including the State of Washington.
From approximately March 24, 2017 to April 18, 2017, the conspiracy accessed computer systems of Victim-3 and implanted malware designed to harvest payment card data from cards used on point-of-sale devices at restaurant locations nationwide, including approximately 33 locations within the Western District of Washington.

h. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of Victim-8, a restaurant chain with hundreds of locations in multiple states, including Washington. For instance,

i. On or about March 27, 2017, the conspiracy, directly and through intermediaries, used the account ray.donovan84@yahoo.com, to send a phishing email to a Victim-8 employee, with an attached Microsoft Word document that contained malware. The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.

ii. On or about March 29, 2017, a FIN7 member created an "issue" on the conspiracy's private JIRA server specifically related to Victim-8 and posted results from several network mapping tools used on Victim-8's internal network.

iii. On or about March 31, 2017, a FIN7 member posted a link to the point-of-sale software management solution used by Victim-8, and a username and password to the Victim-8 JIRA "issue." The software management tool allows a company to manage point-of-sale systems at multiple locations. The FIN7 member also uploaded several screenshots presumably from one or more victim computers at Victim-8, which showed, among other things, the user logged into Victim-8's account for the software management tool.

iv. On or about April 6, 2017, a FIN7 member uploaded to the Victim-8 JIRA "issue"
a file containing hundreds of usernames and passwords for approximately 798 Victim-8 locations, including 3z7 locations located in the State of Washington. The file included network information, telephone communications, and locations of alarm panels within restaurants.

v. On or about April 7, 2017, a FIN7 member uploaded to the Victim-8 JIRA "issue" a similar file containing numerous usernames and passwords for Victim-8 locations.

vi. On or about May 5, 2017, a FIN7 member uploaded to the Victim-8 JIRA "issue" a file containing file directories on a compromised computer.

vii. On or about May 8, 2017, a FIN7 member uploaded to the Victim-8 "issue" exfiltrated files related to a password management system from a compromised computer, which contained the credentials, usernames, and passwords of a particular employee.

viii. On or about May 15, 2017, a FIN7 member uploaded to the Victim-8 "issue" screenshots of a compromised computer that showed the employee accessing Victim-8's security infrastructure management software using that same employee's credentials.

i. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of one or more locations of Victim-9, a fast-food restaurant chain with thousands of locations throughout the United States, including Washington. For instance,

i. On various dates, the conspiracy, directly and through intermediaries, sent phishing emails with an attached file that contained malware to multiple Victim-9 locations. For instance, on or about April 7, 2017, the conspiracy used the account oliver_palmer@yahoo.com to send a phishing email to a Victim-9 location in the State of Oregon.
The email contained materially false representations designed to induce the targeted employee to open the file, enable the malware, and compromise the computer system.

ii. On or about April 5, 2017, DMYTRO VALERIEVICH FEDOROV created an "issue" on the conspiracy's private JIRA server specifically related to Victim-9. One or more FIN7 members posted usernames and passwords for Victim-9 locations, including a Victim-9 location in Vancouver, Washington.

j. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of one or more locations of Victim-4, a pizza parlor chain with hundreds of locations, including in Washington. For instance,

i. On or about April 11, 2017, the conspiracy, directly and through intermediaries, used the account oliver_palmer@yahoo.com, to send a phishing email, with the subject "claim," to an employee of a Victim-4 located in Renton, Washington, with an attached Rich Text Format (.rtf) document that contained malware. The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.

ii. On or about April 11, 2017, the conspiracy, directly and through intermediaries, used the account oliver_palmer@yahoo.com, to send a phishing email, with the subject "claim," to an employee of a Victim-4 located in Vancouver, Washington, with an attached Rich Text Format (.rtf) document that contained malware.
The email falsely purported to convey a customer complaint and contained additional materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.

iii. On or about May 25, 2017, the conspiracy, directly and through intermediaries, used the account Adrian.1987clark@yahoo.com, to send a phishing email, with the subject "takeout order," to an employee of a Victim-4 located in or around Spokane, Washington, with an attached Rich Text Format (.rtf) document that contained malware. The email falsely stated that the sender had a large takeout order and contained additional materially false representations designed to induce the targeted employee to enable the malware, and compromise the computer system.

k. The conspiracy compromised, illegally accessed, had unauthorized communications with, and exfiltrated proprietary, private, and non-public victim data and information from the computer systems of one or more locations of Victim-10, a fast-food restaurant chain with hundreds of locations in various states, including Washington. For instance,

i. On or about May 24, 2017, a FIN7 member created an "issue" on the conspiracy's private JIRA server specifically related to Victim-10. One or more FIN7 members posted information relating to the intrusion of computer systems and exfiltrated data, including files containing and screenshots from one or more compromised computers.

ii. On or about June 12, 2017, the conspiracy, directly and through intermediaries, used the account Adrian.1987clark@yahoo.com, to send a phishing email, with the subject "order.catering," to an employee of a Victim-10 located in Iowa, with an attached Rich Text Format (.rtf) document that contained malware. The
email falsely stated that the sender had a catering order for the following day and contained additional materially false representations designed to induce the employee to enable the malware, and compromise the computer system.

iii. From on or about June 12, 2017, to a date unknown, the conspiracy illegally accessed and had communications with the computer systems of the Victim-10 located in Iowa. For instance, the conspiracy transferred, without authorization, the proprietary, private, and non-public victim data and information, including usernames and passwords, to a JIRA server managed by FIN7, located in a foreign country.

All in violation of Title 18, United States Code, Section 371.

COUNTS 17-19
(Accessing a Protected Computer in Furtherance of Fraud)

26. The allegations set forth in Paragraphs 1 through 25 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

27. On or about the dates listed below, within the Western District of Washington, and elsewhere, DMYTRO VALERIEVICH FEDOROV, and others known and unknown to the Grand Jury, knowingly and with intent to defraud accessed a protected computer without authorization and in excess of authorized access, and by means of such conduct furthered the intended fraud and obtained something of value, specifically, payment card data and proprietary and non-public information, whereby the object of the fraud and the thing obtained consisted of more than the use of the computers and the value of such use was more than $5,000 in a 1-year period as listed below:

18 | February 21, 2017 through March 3, 2017 | Victim-2
19 | March 24, 2017 through April 18, 2017 | Victim-3

All in violation of Title 18, United States Code, Sections 1030(c)(3)(A) and 2.
COUNTS 20-22
(Intentional Damage to a Protected Computer)

28. The allegations set forth in Paragraphs 1 through 27 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

29. On or about the dates listed below, within the Western District of Washington, and elsewhere, DMYTRO VALERIEVICH FEDOROV, and others known and unknown to the Grand Jury, knowingly caused the transmission of a program, information, code, and command, and as a result of such conduct, intentionally caused damage without authorization, to a protected computer, specifically, the protected computer system of the victim listed below, and the offense caused (i) loss to one or more persons during a 1-year period aggregating at least $5,000.00 in value and (ii) damage affecting 10 or more protected computers during a 1-year period:

21 | February 21, 2017 through March 3, 2017 | Victim-2
22 | March 24, 2017 through April 18, 2017 | Victim-3

All in violation of Title 18, United States Code, Sections 2.

COUNT 23
(Access Device Fraud)

30. The allegations set forth in Paragraphs 1 through 29 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

31. Beginning at a time unknown, and continuing through on or after January 17, 2018, within the Western District of Washington, and elsewhere, DMYTRO VALERIEVICH FEDOROV, and others known and unknown to the Grand Jury, knowingly and with intent to defraud, possessed fifteen or more counterfeit and unauthorized access devices, namely, payment card data, account numbers, and other means of
account access that can be used, alone and in conjunction with another access device, to obtain money, goods, services, and any other thing of value, and that can be used to initiate a transfer of funds, said activity affecting interstate and foreign commerce.

All in violation of Title 18, United States Code, Sections 1029(c)(1)(A), and 2.

COUNT 24
(Aggravated Identity Theft)

32. The allegations set forth in Paragraphs 1 through 31 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

33. Beginning at a time unknown, but no earlier than on or about February 21, 2017, and no later than March 3, 2017, and continuing through on or after November 21, 2017, at Seattle, within the Western District of Washington, and elsewhere, DMYTRO VALERIEVICH FEDOROV, and others known and unknown to the Grand Jury, did knowingly transfer, possess, and use, without lawful authority, a means of identification of another person, to wit: the name, username, and password of a real person, J.Q., an employee of Victim-2, during and in relation to a felony violation enumerated in 18 U.S.C. 1028A(c), that is, conspiracy to commit wire and bank fraud, in violation of 18 U.S.C. 1349, as charged in Count 1, and wire fraud, in violation of 18 U.S.C. 1343, as charged in Counts 5 and 6, knowing that the means of identification belonged to another actual person.

All in violation of Title 18, United States Code, Sections 1028A(a) and 2.

COUNT 25
(Aggravated Identity Theft)

34. The allegations set forth in Paragraphs 1 through 33 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

35.
Beginning at a time unknown, but no later than on or about May 8, and continuing through on or after November 21, 2017, within the Western District of Washington, and elsewhere, DMYTRO VALERIEVICH FEDOROV, and others known and unknown to the Grand Jury, did knowingly transfer, possess, and use, without lawful authority, a means of identification of another person, to wit: the name, employee credentials, username, and password of a real person, N.M., an employee of Victim-8, during and in relation to a felony violation enumerated in 18 U.S.C. 1028A(c), that is, conspiracy to commit wire and bank fraud, in violation of 18 U.S.C. 1349, as charged in Count 1, knowing that the means of identification belonged to another actual person.

All in violation of Title 18, United States Code, Sections 1028A(a) and 2.

COUNT 26
(Aggravated Identity Theft)

36. The allegations set forth in Paragraphs 1 through 35 of this Superseding Indictment are re-alleged and incorporated as if fully set forth herein.

37. Beginning at a time unknown, but no later than on or about January 27, 2017, and continuing through on or after November 21, 2017, within the Western District of Washington, and elsewhere, DMYTRO VALERIEVICH FEDOROV, and others known and unknown to the Grand Jury, did knowingly transfer, possess, and use, without lawful authority, a means of identification of another person, to wit: the name, username, and password of real persons B.C., C.H., E.L., J.M., A.P., R.O., T.T., employees of Victim-7, during and in relation to a felony violation enumerated in 18 U.S.C. 1028A(c), that is, conspiracy to commit wire and bank fraud, in violation of 18 U.S.C. 1349, as charged in Count 1, knowing that the means of identification belonged to another actual person.
All in violation of Title 18, United States Code, Sections 1028A(a) and 2.

38. The allegations contained in Counts 1 through 15 of this Superseding Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to Title 18, United States Code, Section and Title 28, United States Code, Section 2461(c). Upon conviction of any of the offenses charged in Counts 1 through 15, the defendant, DMYTRO VALERIEVICH FEDOROV, shall forfeit to the United States any property, real or personal, which constitutes or is derived from proceeds traceable to such offenses, including but not limited to a judgment for a sum of money representing the property described in this paragraph.

39. The allegations contained in Counts 16 through 22 of this Superseding Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to Title 18, United States Code, Sections 982(a)(2)(B) and 1030(i). Upon conviction of any of the offenses charged in Counts 16 through 22, the defendant, DMYTRO VALERIEVICH FEDOROV, shall forfeit to the United States any property constituting, or derived from, proceeds the defendant obtained, directly or indirectly, as the result of such offenses, and shall also forfeit the defendant's interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such offenses, including but not limited to a judgment for a sum of money representing the property described in this paragraph.

40. The allegations contained in Count 23 of this Superseding Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures
pursuant to Title 18, United States Code, Sections 981 and and Title 28, United States Code, Section 2461(c). Upon conviction of the offense charged in Count 23, the defendant, DMYTRO VALERIEVICH FEDOROV, shall forfeit to the United States any property, real or personal, which constitutes or is derived from proceeds traceable to such offense, and shall also forfeit any personal property used or intended to be used to commit such offense, including but not limited to a judgment for a sum of money representing the property described in this paragraph.

(Substitute Assets)

41. If any of the property described above, as a result of any act or omission of the defendant:

a. cannot be located upon the exercise of due diligence;
b. has been transferred or sold to, or deposited with, a third party;
c. has been placed beyond the jurisdiction of the court;
d. has been substantially diminished in value; or
e. has been commingled with other property which cannot be divided without difficulty,

the United States of America shall be entitled to forfeiture of substitute property pursuant to Title 21, United States Code, Section 853(p), as incorporated by Title 28, United States Code, Section 2461(c).

A TRUE BILL:
DATED:
(Signature of Foreperson redacted pursuant to policy of the Judicial Conference)
FOREPERSON

ANNETTE L. HAYES
United States Attorney

ANDREW C. FRIEDMAN
Assistant United States Attorney

CIS FRANZ
Assistant United States Attorney

Assistant United States Attorney

Trial Attorney
Computer Crime and Intellectual Property Section