Case 1:18-sw-00182-GMH Document 1 Filed 07/12/18 Page 1 of 1

AO 106 (Rev. 06/09) Application for a Search Warrant

UNITED STATES DISTRICT COURT
for the
District of Columbia

In the Matter of the Search of
(Briefly describe the property to be searched or identify the person by name and address)

INFORMATION ASSOCIATED WITH FORENSIC IMAGE OF GATEWAY MODEL DX4840 DESKTOP COMPUTER SERIAL NUMBER PT6AU020170171A7582700 THAT IS IN THE POSSESSION OF IRS-CI

Case No.

APPLICATION FOR A SEARCH WARRANT

I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under penalty of perjury that I have reason to believe that on the following person or property (identify the person or describe the property to be searched and give its location):

INFORMATION ASSOCIATED WITH FORENSIC IMAGE OF GATEWAY MODEL DX4840 DESKTOP COMPUTER SERIAL NUMBER PT6AU020170171A7582700 THAT IS IN THE POSSESSION OF IRS-CI. See Attachment A, hereby incorporated by reference.

located in the District of Columbia, there is now concealed (identify the person or describe the property to be seized):

See Attachment B, hereby incorporated by reference.

The basis for the search under Fed. R. Crim. P. 41(c) is (check one or more):
✔ evidence of a crime;
☐ contraband, fruits of crime, or other items illegally possessed;
☐ property designed for use, intended for use, or used in committing a crime;
☐ a person to be arrested or a person who is unlawfully restrained.
The search is related to violations of:

Code Section: __ U.S.C. § __(a)(l); __ U.S.C. § __(a); __ U.S.C. § __; __ U.S.C. § __(a); __ U.S.C. § __(h)

Offense Description: Distributing a controlled substance; importing a controlled substance into the United States; conspiring with persons to violate these statutes; transporting, transmitting, or transferring monetary instruments or funds from the United States to or through a place outside the United States; conspiring with persons to violate these statutes.

The application is based on these facts: See attached Affidavit in Support of Search Warrant

✔ Continued on the attached sheet.
☐ Delayed notice of ____ days (give exact ending date if more than 30 days: ____) is requested under 18 U.S.C. § 3103a, the basis of which is set forth on the attached sheet.

Applicant’s signature
Matthew Price, Special Agent
Printed name and title

Sworn to before me and signed in my presence.

Date: 07/12/2018
Judge’s signature
City and state: District of Columbia
G. Michael Harvey, U.S. Magistrate Judge
Printed name and title

Case 1:18-sw-00182-GMH Document 1-1 Filed 07/12/18 Page 1 of 59

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

IN THE MATTER OF THE SEARCH OF INFORMATION ASSOCIATED WITH THE FORENSIC IMAGE OF GATEWAY MODEL DX4840 DESKTOP COMPUTER SERIAL NUMBER PT6AU020170171A7582700 THAT IS IN THE POSSESSION OF IRS-CI

Case No. ____________________

AFFIDAVIT IN SUPPORT OF AN APPLICATION UNDER RULE 41 FOR A WARRANT TO SEARCH AND SEIZE

I, Matthew Price, Special Agent (SA) with the Internal Revenue Service – Criminal Investigation (IRS-CI), Washington DC Field Office (WFO), Washington, D.C., being duly sworn, deposes and states as follows:

INTRODUCTION AND AGENT BACKGROUND

1.
I make this affidavit in support of an application under Rule 41 of the Federal Rules of Criminal Procedure for a search warrant authorizing the examination of property, a forensic image of an electronic device, which is currently in law enforcement’s possession, and the extraction from that property of electronically stored information described in Attachment B.

2. I am a Special Agent with IRS-CI and have been so employed since November 2017. I was previously a Special Agent with IRS-CI from September 2009 through September 2012. As a special agent, my responsibilities include the investigation of criminal violations of the Internal Revenue Code (Title 26, United States Code), the Money Laundering Control Act (Title 18, United States Code), the Bank Secrecy Act (Title 31, United States Code), and related offenses. Prior to my re-employment as a special agent with IRS-CI, I was a Special Agent with the Central Intelligence Agency (“CIA”), Office of Inspector General for one year and a Targeting Officer with the CIA Directorate of Operations for four years. I was also a Police Officer with the Montgomery County, Maryland Police Department for 2 1/2 years prior to originally joining IRS-CI in 2009. My education includes a Bachelor’s Degree in Accounting from the University of Scranton in Scranton, Pennsylvania and a Master’s Degree of Accounting and Information Technology from the University of Maryland University College in College Park, Maryland. As a Special Agent, I have attended training at the Federal Law Enforcement Training Center (“FLETC”) in Glynco, Georgia, in various aspects of criminal investigations dealing specifically with criminal law, criminal tax law, money laundering, wire fraud, seizure, and various financial investigative techniques.
I have training and experience in the enforcement of criminal statutes within the United States Code, including the preparation, presentation, and service of arrest and search warrants. I am currently assigned to the Cyber Crimes Unit with IRS-CI and I have received training in cyber operations and in criminal schemes perpetrated via the internet. As a federal agent, I am authorized to investigate violations of the laws of the United States, and as a law enforcement officer, I am authorized to execute warrants issued under the authority of the United States.

3. This affidavit is intended to show only that there is sufficient probable cause for the requested warrant and does not set forth all of my knowledge about this matter.

IDENTIFICATION OF THE DEVICE TO BE EXAMINED

4. The property to be searched is the forensic image of a Gateway Model DX4840-03E Desktop Computer, serial number PT6AU020170171A7582700 hereinafter the “Device.” The Device is currently located at the IRS-CI Washington, D.C. Field Office, 1200 First Street, NE, Suite 4100, Washington, D.C. 20002.

5. The applied-for warrant would authorize the forensic examination of the Device for the purpose of identifying electronically stored data particularly described in Attachment B.

PROBABLE CAUSE

I. Background on The Onion Router (Tor), Bitcoin, and Darknet Markets

A. The Tor Network

1. The Tor network is designed specifically to facilitate anonymous communication over the Internet. Information documenting what Tor is and how it works is provided on the publicly accessible Tor website at www.torproject.org. To access the Tor network, a user must install Tor software either by downloading an add-on to the user’s web browser or by downloading the free “Tor browser bundle” available at www.torproject.org.[1] Use of the Tor software bounces a user’s communications around a distributed network of relay computers run by volunteers all around the world, thereby masking the user’s actual internet-protocol (“IP”) address which could otherwise be used to identify a user. Traditional techniques used by law enforcement to identify IP addresses are no longer viable because of the way Tor routes communications through other computers. For example, when a user on the Tor network accesses a website, the IP address of a Tor “exit node,” shows up in the website’s IP log, rather than the user’s actual IP address. An exit node is the last computer through which a user’s communications are routed. There is no known practical way to trace the user’s actual IP address back through that Tor exit node’s IP address. A criminal’s use of Tor makes it extremely difficult for law enforcement agents investigating a target’s website to detect: 1) the host’s administrators; or, 2) the users’ actual IP addresses or physical locations.

Footnote 1: Users may also access Tor through so-called “gateways” on the open Internet; however, use of those gateways does not provide users with the anonymizing benefits of the Tor network.

1. Within the Tor network, entire websites can be set up as “hidden services.” “Hidden services” operate as regular public websites with one critical exception. The IP address for the web server is hidden and replaced with a Tor-based web address, which is a series of algorithm-generated characters (such as “asdlk8fs9dflku7f” followed by the suffix “.onion”). A user can only reach these “hidden services” if the user is using the Tor software and operating in the Tor network.
Unlike using public lookups on an open Internet website, it is not possible to determine the IP address of a computer hosting a Tor “hidden service.” Neither law enforcement nor users can determine the location of the computer which hosts the website through those public lookups.

B. Bitcoin (“BTC”)

2. Bitcoin (“BTC”) is a decentralized virtual currency that is supported by a peer-to-peer network where all transactions are posted to a public ledger, called the Blockchain (which can be seen at https://Blockchain.info). Although transactions are visible on the public ledger, each transaction is only listed by a complex series of numbers that does not identify the individuals involved in the transaction. This feature makes bitcoin pseudonymous. However, it is possible to determine the identity of an individual involved in a bitcoin transaction through several different tools that are available to law enforcement. For this reason, many criminal actors who use bitcoin to facilitate illicit transactions online (e.g., to buy and sell drugs or other illegal items or services) look for ways to make their transactions even more anonymous.

3. A BTC address is a unique token; however, BTC is designed such that one person may easily operate multiple bitcoin accounts. Like an email address, a user can send and receive BTC with others by sending BTC to a BTC address. People commonly have many different BTC addresses and an individual could theoretically use a unique address for every transaction in which they engage. A BTC user can also spend from multiple BTC addresses in one transaction; however, to spend BTC held within a BTC address, the user must have a private key, which is generated when the BTC address is created and shared only with the BTC-address key’s initiator. Similar to a password, a private key is shared only with the BTC-address key’s initiator and ensures secured access to the BTC.
Consequently, only the holder of a private key for a BTC address can spend BTC from the address. Although generally, the owners of BTC addresses are not known unless the information is made public by the owner (for example, by posting the BTC address in an online forum or providing the BTC address to another user for a transaction), analyzing the public transactions can sometimes lead to identifying both the owner of a BTC address and any other accounts that the person or entity owns and controls.

4. Law enforcement uses proprietary services offered by several different Blockchain-analysis companies to investigate BTC transactions. These companies analyze the Blockchain to identify the individuals or groups involved with BTC transactions by creating large databases that group BTC addresses into “clusters” (using heuristics that are based on BTC-transaction metadata). By “clustering” these addresses together, the software is able to locate commonalities and tie seemingly disparate BTC addresses to the same owner. Through numerous unrelated investigations and trials, the analysis provided by third-party clustering software has been found to be reliable. This same anti-money laundering clustering software is used by banks and international law enforcement organizations.

5. BTC is transacted often using a virtual-currency exchange, which is a digital-currency trading platform and exchange. It typically allows trading between the U.S. dollar, other foreign currencies, BTC, and other digital currencies. Many virtual-currency exchanges also act like banks and store their customers’ BTC. Because these exchanges are analogous to banks, they are similarly required to conduct due diligence of their customers and have anti-money laundering checks in place.

C. Darknet Markets

6. Darknet markets are commercial websites located within Tor’s hidden services that must be accessed using Tor.
Though they can sell legal products, they function primarily as black markets, selling or brokering transactions involving drugs, unlicensed pharmaceuticals, cyber-arms, weapons, counterfeit currency, stolen credit-card details, forged documents, and other illicit goods. BTC is the most common method of payment for products or services within darknet markets.

7. Generally, there are two ways BTC is exchanged when using darknet markets:

a. A centralized method, where: (1) all transactions pass through the darknet market’s BTC addresses, (2) the darknet market takes a commission, and (3) the vendor receives their payment from the darknet market. This model can be likened to the clearnet site, eBay.

b. A decentralized method, where: (1) transactions take place directly between buyer and seller. This model can be likened to the clearnet site, Craigslist.

8. When a buyer purchases drugs on a darknet market, that buyer provides the vendor with a physical address to which the drugs are shipped. Depending on the location of the vendor and buyer, the shipment may be domestic or international. Vendors use various methods of “stealth” to conceal drug shipments from postal inspectors, drug-sniffing dogs, and other parties who may try to intercept the contraband. While stealth can vary among vendors, tactics include vacuum sealing, applying chemicals such as alcohol to remove odors, using coffee grounds or other agents to mask odors, and concealing the drugs within legal items such as a generic kitchen appliance. Vendors typically print fake labels and/or use other tactics that provide an air of legitimacy for the shipment and make it seem as if it came from a well-known business. In addition, vendors often use stamps to avoid paying for a shipment in person at the post office.

9.
OxyContin is the brand name for oxycodone, an opioid pain medication and a Schedule II controlled substance in the United States, which requires a medical prescription. I am aware that Purdue Pharma L.P., is the pharmaceutical company that produces OxyContin. I am also aware from open-source information that Purdue Pharma L.P. stamps OxyContin pills produced outside of the United States with the label “EX.” Thus, I believe that the username “expurdue” is a reference to OxyContin pills produced outside of the United States.

II. Narcotics Trafficking by David PATE

10. As part of IRS-CI’s investigation, agents used the blockchain-clustering software to find BTC addresses that engaged in high-volume transactions within darknet markets. The blockchain-clustering software revealed that one cluster of approximately 12 BTC addresses (identified below) transacted with the following darknet markets: Agora, Silk Road, Middle Earth, Nucleus, Abraxas, and AlphaBay.[2] These six markets are known by law enforcement to serve as sites where illegal items (such as narcotics) may be bought and/or sold. As noted in the chart below, this analysis revealed that beginning in or about February of 2013, and continuing until on or about late July 2017, approximately 6,595.41352702 BTC (or approximately $4,287,018.79 USD)[3] was received by this cluster from these darknet markets. Based on my training and experience, I know that someone receiving a significant amount of BTC directly from these particular darknet markets indicates that the person is involved in the sale of illegal goods and/or a fraud scheme that generates significant proceeds.

11. As described further below, there is probable cause to believe that this cluster is controlled by David PATE (“PATE”).

Footnote 2: Agora Marketplace, Silk Road Marketplace, Middle Earth Market, Nucleus Market, AlphaBay and Abraxas are currently offline.
Footnote 3: The U.S.-dollar (“USD”) value of BTC presented in this affidavit was calculated using the USD conversion feature in the aforementioned blockchain-clustering software. The software allows users to automatically convert BTC to USD based on the historical average of the daily exchange rate for BTC to USD when each transaction on the blockchain occurred.

Bitcoins Received from Darknet Markets

BTC Addresses in the Cluster*: 1PEnU, 1QAaY, 18jDj, 1Gahs, 1Dk55, 1KDnF, 1AMpr, 1APo3, 13L78, 1JhVz, 1QEmt, 152RD

Columns: Agora Market; Silk Road Marketplace; Middle Earth Marketplace; Nucleus Market; Abraxas Market; AlphaBay Market; Total BTC

Values as listed: 6.01140024 12.86963214 1.10176743 1.47256858 0.43678473 0.58190000 46.74404015 32.09738682 455.35365436 36.31670000 26.39450700 73.85300000 3.57890000 51.86709946 7.81824119 4.00438025 40.43309232 158.91758154 24.20771599 171.14161875 311.33820000 7.67920000 910.93526136 39.08973594 10.34654436 100.89794640 6.27789138 4.05831198 38.21024059 7.48396882 13.30641687 1.68366743 455.35365436 132.49702045 169.72604358 73.85300000 46.83064529 8.62040470 5,234.11200000 33.84799700 96.09934938 5,234.11200000

Value in BTC: 5,234.11200000 400.63219646 59.93491376 6,595.41352702

Total USD Value @ $650 per: $4,287,018.79

* The BTC addresses here have been truncated to only list the first 5 characters.

A. Pate’s Prior Advertising on Darknet Markets of OxyContin

12. A vendor that called itself “expurdue” had a listing on the Silk Road Marketplace for the sale of 20mg and 40mg pills of OxyContin, which “expurdue” purported to have obtained from a pharmacy in Costa Rica.[4] An analysis of the Silk Road Marketplace database disclosed vendor “expurdue” as the owner of the “1JhVz” address. People who bought items from “expurdue” made payments to the Silk Road Marketplace in BTC.
Then, Silk Road Marketplace sent “expurdue” the respective BTC (minus a transaction fee) to the “1JhVz” cluster. This is the same cluster that is outlined above and that I believe is owned and controlled by Pate. Moreover, pursuant to judicially authorized search warrants of a virtual-currency exchange, law enforcement obtained records about customers transacting in BTC. These records revealed that 11 of the above BTC addresses that comprise the cluster in question were associated with a user by the name of “davidpate.” This user frequently posted on the virtual currency exchange’s forums and sent many private messages. In a forum post on, or about, January 15, 2014, user “davidpate” stated that his “real name is david pate.” In addition, from approximately February 27, 2013, to January 3, 2016, “davidpate” had over 60 forum posts and private messages referencing or outright stating that he is living in Costa Rica.

13. The Silk Road Marketplace listing also provided the target email address of Theexpurdue@tormail.org.[5] Pursuant to a judicially authorized search warrant of Tormail’s servers, law enforcement reviewed the content of Theexpurdue@tormail.org, which corroborated that PATE is the user of the “expurdue” username.

Footnote 4: Law enforcement had previously shut down the Silk Road Marketplace and seized the server that was operating the site.

Footnote 5: Tormail is an email platform that was available to persons using TOR. Law enforcement previously seized Tormail’s servers and shut down the service.

14. On or about September 2, 2016, the AlphaBay vendor, “buyersclub,” had two listings for the sale of OxyContin in 20mg and 40mg dosages (Exhibit A).[6] The listings for the
Silk Road Marketplace vendor “expurdue” and AlphaBay Market vendor “buyersclub” (Exhibit B) are very similar. Specifically, both vendors are selling 20mg and 40mg OxyContin pills. The vendor “expurdue” stated that his pills are “old formula,” made by Purdue, obtained from a pharmacy, and shipped from Costa Rica. The vendor “buyersclub” stated that his pills are also made by Purdue and use the “old formula.” Moreover, the AlphaBay photo for the listing depicts a prescription bottle with Spanish writing and the “buyersclub” vendor’s profile states that it ships its product from Central America. See Exhibits C-1 and C2.

Footnote 6: In July of 2017, a federal magistrate judge in the United States District Court for the Eastern District of California issued an arrest warrant for the administrator of AlphaBay for racketeering, narcotics, identity theft and access-device fraud, transfer of false identification, trafficking in illegal-device making equipment, and conspiracy to commit money laundering. As part of the law enforcement action, the site was taken down.

15. I am aware from public source information that the “old formula” is a reference to Purdue’s original OxyContin formula, which does not contain tamper resistant features. The “new formula” on the other hand, includes a crush proof feature that prevents a user from inhaling or injecting the pills by crushing them. Moreover, I am aware from consultations with the Drug Enforcement Administration that Purdue produces the old formula of OxyContin for distribution in Costa Rica (among other countries) through a pharmacy. The bottles of export OxyContin sold in Costa Rica have Spanish-language labels and contain the stamp “EX” on individual pills.

16. “[B]uyerclub’s” AlphaBay listing (Exhibit B) shows a photo of an OxyContin bottle with a Spanish-language label, consistent with the export version of OxyContin that would be available in Costa Rica. In addition, the “buyersclub” AlphaBay listing offers 20 mg OxyContin pills, matching the listing for “expurdue” on the Silk Road Marketplace. Given the similarities between the profiles (including product consistencies, language similarities in the product’s advertisements for sale, and shipment locations), there is probable cause to believe that “buyerclub” and “expurdue” are the same users.

B. Undercover Purchases of OxyContin from David Pate a/k/a “buyersclub”

17. On or about November 2, 2016, a Drug Enforcement Administration (“DEA”) task-force officer (“TFO”) used an undercover computer in the District of Columbia and account to access the AlphaBay Marketplace. “[B]uyersclub” was offering 40mg tablets of oxycodone for BTC valued at $22.00 per tablet. The DEA TFO placed an order for 10 oxycodone 40mg tablets from “buyersclub” and funded the purchase with BTC sent to AlphaBay from an undercover BTC address. The DEA TFO also sent a private message (using Privnote) to “buyersclub” with the shipping address of an undercover P.O. Box in the District of Columbia for the purchased drugs.[7] Consequently, the BTC went from the TFO’s undercover address to an address controlled by AlphaBay. “[B]uyersclub” received the BTC, less AlphaBay’s fees, from a BTC address owned by AlphaBay. I am aware that customers and vendors use darknet markets to process payments because that process provides an extra layer of anonymity.

18. On or about November 8, 2016, “buyersclub” sent the DEA TFO a Privnote message containing a United States Postal Service (“USPS”) tracking number for the package containing the drugs that the DEA TFO had purchased. That same day, the DEA TFO retrieved a USPS Priority Mail envelope from the P.O. Box that the agent provided, which was located within the District of Columbia.
The return address was listed as “Hooker’s Sports Cards, 293 West 7th Ave, Eugene, OR 97401.” According to USPS tracking data, the envelope in question originated from Eugene, Oregon on or about November 4, 2016. Agents discovered a smaller, sealed, and padded manila envelope (within the shipping envelope) containing a small plastic bag with 10 pills stamped with “EX” and “40.” Based on my training, experience and consultations with other law enforcement officers, I am aware that these pills are consistent with 40 mg, oxycodone pills that are designated for dispensation outside of the United States.

Footnote 7: Privnote is a self-destructing encrypted messaging system where only holders of the web URL link can access the content of the message.

19. On or about January 19, 2017, the DEA TFO utilized an undercover computer in the District of Columbia and account to access the AlphaBay Marketplace. The vendor, “buyersclub,” was offering 40mg tablets of oxycodone for BTC valued at approximately $32.00 per tablet. The DEA TFO placed an order for 10 oxycodone 40mg pills from “buyersclub” and funded the purchase with BTC sent to AlphaBay from an undercover BTC address.

20. On or about January 30, 2017, an envelope shipped from Eugene, Oregon, was delivered to the same P.O. Box in Washington, D.C. The return address was listed as “Peace by Piece, 1509 Long Island Dr., Eugene, OR 97401.” Open source research reveals Peace by Piece is a fabric store in Eugene, OR. The package contained a small plastic bag with 11 pills stamped with “EX” and “40.” Based on my training and experience and consultations with other law enforcement officers, these pills are consistent with 40 mg, oxycodone pills designated for dispensation outside of the United States.

21. Chemical testing conducted by the Drug Enforcement Agency confirmed both sets of pills tested positive for the presence of oxycodone.

C. Additional Attribution Evidence

22. [S]enorpate@hotmail.com is an email account that is linked to PATE as follows:

i. PATE provided this email address, “senorpate@hotmail.com,” to a virtual-currency exchange as his registered email address.

ii. Based on subpoena returns from Wells Fargo and Bank of America, this email account was linked to the Wells Fargo bank accounts ending in -1846 and -3318 and the Bank of America credit-card account ending in 6270, all of which are held in PATE’s name.

iii. According to subpoena returns, this email address is also registered to:

1. A Facebook account in PATE’s name;
i. PATE’s Facebook account includes multiple photos of an individual who appears to be the same person as displayed in official government ID photos of PATE.

2. An eBay account (registered to PATE) with the username “davidpate2013”;

3. A Twitter account (with username “@davidpate8”) that frequently tweeted about BTC;
i. This Twitter account displayed PATE’s name and listed his employment as CEO and president of Digital Mining Investments
ii. PATE’s Twitter account includes multiple photos of an individual who appears to be the same person as displayed in official government ID photos of PATE.

4. A PayPal account that is registered to PATE with the username “senorpate.”
i. This PayPal account is also linked to two bank accounts owned by PATE - a Bank of America account ending in -1823 and a Compass Bank account ending in -6795.

23. PATE was naturalized as a Costa Rican citizen on October 31, 2017; however, he has not renounced his U.S. citizenship. PATE is originally from Alabama and Florida and has traveled between the United States and Costa Rica frequently over the past five years. PATE has also posted (to his Facebook page) about living in Costa Rica.

24.
On or about May 19, 2014, “@davidpate8” tweeted a photo of a gold Rolex watch with the caption “Just bought new Rolex . . . .” GPS geolocation data shows that these tweets were posted from Tampa, Florida. PATE’s Bank of America account ending in -1823 had a debit card purchase on or about May 19, 2014, (the same date as tweet) and a second purchase on or about May 23, 2014, at a jewelry store in Tampa, Florida. The jewelry store confirmed that PATE purchased two Rolex watches from them on or about May 19, 2014, and on or about May 23, 2014. The total purchase price of both watches was $19,000 USD.

25. On or about February 6, 2015, “@davidpate8” tweeted a web uniform record locator (“URL”) to Agora Market Place (“Agora”), a now-defunct, darknet market known for the sale of narcotics. Agora’s administrators shut the site down in August 2015.

III. Jose FUNG – A Supplier in Costa Rica

26. As discussed further infra, judicially authorized search warrant returns for PATE’s senorpate@hotmail.com account show that one of PATE’s source of supply is Jose FUNG (“FUNG”).

27. Based on my training, experience, and consultation with other law enforcement officers, I know that individuals involved in the illicit sale of prescription medication (such as Oxycontin) will often obtain prescriptions for the medication from physicians or pharmacists who are complicit in the scheme.

28. Messages sent from fung.jos@gmail.com and dr.josf@gmail.com to PATE’s email account included FUNG’s full name in the account-header information. The account address of FUNG’s emails includes the phrase “dr.josf” (a compressed form of FUNG’s full name, “Dr. Jose Fung”). Based on open-source research, law enforcement located a posting from on, or about January 2, 2015, to the Facebook page of a pharmacy located in San Jose, Costa Rica.
The post solicited applications for employment and directed interested applicants to send resumes to FUNG at fung.jos@gmail.com. Additionally, the pharmacy’s Facebook account had multiple photos of an individual wearing a white lab coat tagged with the name, “Dr. Jose Luis Fung.” FUNG appears to be the proprietor of the pharmacy and numerous photos show him posing with employees and customers. Subpoena returns for FUNG’s Gmail accounts showed that fung.jos@gmail.com was created on August 8, 2010, using IP Address 190.241.145.132. Based on an open-source IP-geolocation-service research, this IP address resolves to Costa Rica. FUNG’s dr.josf@gmail.com account was created on June 13, 2013, using IP Address 201.191.123.100. This IP address also resolves back to Costa Rica. Additionally, based on subpoena returns for both of FUNG’s Gmail accounts, IP addresses in Costa Rica logged into these accounts hundreds of times.

29. Within the search warrant returns, PATE communicated with FUNG about obtaining prescriptions for pills such as OxyContin. FUNG in turn appeared to supply PATE with large quantities of pills. Based on the content of email conversations between PATE and FUNG, there is probable cause to believe FUNG is a pharmacist/medical professional who is illegally supplying PATE with prescription medications.

30. Moreover, based on the search warrant returns for the senorpate@hotmail.com address, PATE communicated with FUNG about FUNG’s ability to provide PATE with large quantities of pills. Specifically, approximately 60 email messages sent between PATE’s senorpate@hotmail.com email account and FUNG’s email accounts (fung.jos@gmail.com and dr.josf@gmail.com) between, on, or about November 14, 2014, and November 27, 2015, appeared to be discussions related to the purchase of pills and payments for those purchases.
Based on the content of the conversations, there is probable cause to believe that the pills discussed are OxyContin and/or analogous prescription medications.

31. Based on search warrant returns, the following email exchanges occurred between PATE (using senorpate@hotmail.com) and FUNG (using fung.jos@gmail.com) between, on, or about October 30, 2015, and November 1, 2015:

October 30, 2015:

PATE: Subject line: “try to make one more before your trip” “i know that you are leaving soon to go on vacation and was wanting to see what you could do before leaving. let me know and i will see what kind of money that i can come up with and have wired to you. thanks, dave”

FUNG: “Hey David. I can get you the same amount ready for next friday before I leave. Just like last time: 48 of the 40s and 20 of the 20s. Thank you, let me know...”

PATE: “will you get the prescriptions?? also the 270 30mg morphine for the 3 prescriptions that i had? if so let me know total price, i am trying to make plan to limon this coming week to pick up my lexus. thanks, dave”

FUNG: “Right!! the morphines too! I will take care of the papelwork this weekend for the 40s and 20s. If I've got any problem, I will let you know.”

October 31, 2015:

PATE (in part): “try to let me asap the total price, so that i have time to get the wire out to yoou.”

FUNG: “You think you can wire 18,000 or so?”

November 1, 2015:

PATE: “FOR SURE.. WILL SEND IN WIRE INFO IN A BIT”

32. PATE discussed obtaining an unknown quantity of “40s and 20s” as well as 270 30mg morphine pills in the above exchange. Based on my training and experience, including observations of PATE’s advertisements for the sale of OxyContin, I know that OxyContin is sold in 40mg and 20mg dosages, and thus, there is probable cause to believe that “40s and 20s” refers to OxyContin pills.
PATE further asks FUNG the total price for the pills and FUNG asks PATE to wire him “18,000.” There is probable cause to believe FUNG’s request for 18,000 is a request for payment for the pills he is providing to PATE.

33. Based on search warrant returns, the following email exchanges occurred between PATE (using senorpate@hotmail.com) and FUNG (using dr.josf@gmail.com) between, on, or about November 22, 2015, and November 28, 2015:

November 22, 2015:

PATE (in part): “I checked with the girls and they said that there are 10 40mg and 8 20mg there and said I could get them if I wanted too. Later this week I can get the prescriptions from my doctor and come get them, but what I was wanting to know is if I can wire you the funds. If so let me know, and the price so that I can get it done, in the States banks will be closed at end of the week for Holidays. Thanks, Dave”

FUNG: “Hello David, I will be back tomorrow. I think I can get more for you, tomorrow I will let you know the amount so you do it before holidays. Thank you, see you soon!”

November 24, 2015:

FUNG: “Hello david, if you are going to trasfer 8,000-9,000 as usual, I can get meds for that amount on friday. If you needed more, just let me know and I will try to get it.”

November 27, 2015:

FUNG: Subject line “This is my new email, from the Oxys” stating: “I’m getting recetas [Spanish for “prescriptions”] right now, but I may need 6 from you dr. Please tell him to do 60 of the 40s for each one. This way, I will have set this Sunday.”

34. Later that day, PATE asked if the “meds” could be ready by Sunday. FUNG responded that PATE should make sure he had six more “recetas,” each for 60 tablets of “40s.” FUNG responded, “Great! I’ve got 44 of the 40mg and 26 of the 20mg.”

November 28, 2015:

PATE: “Can you please send me a break down of the cost? Already picked up prescriptions.
Do you know of a good place to buy more while I am up here. I have 5 40mg and 4 20mg that I need to fill.”

35. PATE and FUNG appear to be discussing transaction details related to obtaining 40mg and 20mg OxyContin pills, as well as 30mg morphine pills. PATE appears to be seeking approximately 360 40mg OxyContin pills (6 prescriptions for 60 pills each), in addition to 270 30 mg morphine pills from FUNG.

36. Based upon my training and experience, I know that individuals involved in the illicit sale of prescription medications will attempt to fill multiple prescriptions to obtain an amount of pills that far exceeds the medically-accepted dosage. I know from consultations with the Costa Rican Ministry of Health that Costa Rican pharmaceutical regulations only authorize pharmacists to dispense a 30-day supply of OxyContin with a valid prescription. According to the dosing instructions for OxyContin published by Purdue Pharma, OxyContin is typically administered every 12 hours up to a total dose of 80 mg a day. Therefore, a 30-day supply of OxyContin would be approximately 60 40 mg pills. In this case, PATE obtained 6 times the number of OxyContin pills (360) that would normally be dispensed for a 30-day period. Based on these facts, there is probable cause to believe that the volume of pills PATE is requesting from FUNG and the cost of these transactions far exceeds what an individual would typically obtain for personal use. Furthermore, the specific conversations highlighted above reference dosages that I know to be consistent with the distribution of OxyContin. Moreover, I found numerous other conversations in the search warrant returns that similarly discussed the purchase of pills in quantities, price, and increments consistent with the distribution of narcotics. Thus, there is probable cause to believe FUNG is a pharmacist who illegally supplies PATE with prescription medications.

VI. Co-Conspirators – Louis BUMBARA, Isaiah CASE, and Ruben MENDOZA

a. Louis Bumbara

37. On or about March 14, 2016, law enforcement in Manatee County, Florida seized two packages that were mailed from Canada and addressed to “Mike Bumbara” at 4541 Dover Street Circle E, Bradenton, Florida. The packages contained approximately 8.52 pounds of 2mg pills that initially appeared to be Xanax. The Manatee County Sheriff’s Office Lab subsequently identified and confirmed the pills to be Alprazolam (Xanax), a schedule IV narcotic.

38. On or about March 14, 2016, Louis BUMBARA (“BUMBARA”) called the post office in Bradenton, Florida and inquired as to the whereabouts of his packages. A postal inspector called the phone number from which BUMBARA called and spoke to BUMBARA. The postal inspector and BUMBARA made arrangements to deliver the package addressed to “Mike Bumbara” (which was seized on March 14, 2016) the following day. On or about March 16, 2016, law enforcement prepared the two packages of Xanax for a controlled delivery, which included an electronic signaling device in the packages that would alert law enforcement that the package has been opened. Law enforcement subsequently conducted a traffic stop on March 16, 2016, shortly after the packages were delivered to BUMBARA’s residence. BUMBARA and two other occupants were inside a minivan along with the signaling device, a bottle of 24 Xanax, and a pipe with cannabis residue. After law enforcement informed BUMBARA of his rights, BUMBARA stated he had opened the two packages, found the tracking device, brought it with him, and left the packages at the house on the dining room table.

39. Law enforcement executed a judicially authorized search warrant for BUMBARA’s residence on or about March 16, 2016. The two opened packages (that had been previously seized by law enforcement) were located on the dining room table of BUMBARA’s residence.
In a subsequent interview, BUMBARA recounted that PATE would routinely send him large numbers of oxycodone pills packaged inside souvenirs (namely, maracas) from Costa Rica. PATE would then send a private note to BUMBARA detailing the identities and shipping information of customers to whom BUMBARA was to ship the pills. BUMBARA would then address packages filled with oxycodone pills and send the packages under the guise that he was mailing trading cards. BUMBARA also showed law enforcement a box he had received that contained oxycodone-filled souvenirs. BUMBARA also informed law enforcement that PATE was sending another souvenir package containing a substantial amount of oxycodone. PATE apparently instructed BUMBARA that BUMBARA was to mail the pills to customers to whom PATE had sold pills online.

40. On or about March 25, 2016, law enforcement seized another package coming from Costa Rica, which was addressed to BUMBARA. The package contained the following approximate amount of pills hidden inside maracas:

• 69.8 grams of purple 30mg Morphine pills
• 123.9 grams of pink 20mg OxyContin pills
• 105.6 grams of yellow 40mg OxyContin pills
• 109.5 grams of yellow 40mg OxyContin pills

41. Based on law-enforcement interviews with BUMBARA, agents learned that BUMBARA and PATE had been business partners in a cryptocurrency-mining operation called Digital Mining Investments. Digital Mining Investments operated out of Tampa, FL and Salt Lake City, UT from in or about early January 2014 through, in or about late December 2015. PATE, who was then residing in Costa Rica, supplied the seed money to start Digital Mining Investments and tasked BUMBARA with the daily management of Digital Mining Investments. In this role, BUMBARA opened a business checking account at Wells Fargo Bank (“WF”), on which he was the sole signature authority.
BUMBARA stated that PATE had sent approximately $1.4 million to the Digital Mining Investments WF checking account to purchase computer equipment (with which to mine cryptocurrencies) and pay for data-center space and operating expenses. PATE’s investment originated from PATE’s cryptocurrency holdings that PATE had first converted into fiat currency on the BTC-e exchange, then wired from his BTC-e accounts to the Digital Mining Investments WF business account controlled by BUMBARA.[8] As discussed supra, PATE received approximately $4,287,018.79 (which was held in PATE’s BTC-e exchange) in cryptocurrencies from darknet marketplaces. Based on my training and experience, I believe that this cryptocurrency constituted proceeds from the sale of illicit narcotics on darknet marketplaces. Therefore, there is probable cause to believe PATE used proceeds he previously derived from the sale of illicit narcotics on darknet marketplaces to invest in Digital Mining Investments with BUMBARA.

[8] BTC-e was an exchange operated by Alexander Vinnik, which law enforcement shut down in the summer of 2017 following an indictment for Vinnik by the Eastern District of California. Vinnik was consequently arrested by Greek authorities.

42. Digital Mining Investments was initially profitable in early 2014, netting profits of approximately $14,000 per week. However, after a series of missteps, Digital Mining Investments quickly lost money by the end of 2014. BUMBARA estimated the company lost between $3 and $4 million by the end of 2014; much of the money that was lost came from PATE.

43. PATE, eager to recoup the financial losses he suffered from the failure of Digital Mining Investments, suggested that he and BUMBARA work together to sell OxyContin and Xanax pills over the internet. PATE told BUMBARA he could obtain large quantities of OxyContin and Xanax from suppliers in Costa Rica.
PATE explained that he would ship the narcotics to BUMBARA for subsequent resale or redistribution in the United States. BUMBARA reluctantly agreed to this scheme because he owed PATE a substantial amount of money from Digital Mining Investments’s losses.

44. BUMBARA stated that he received the first package of OxyContin pills from PATE sometime in early June of 2015. PATE contacted BUMBARA a few days before the package arrived to advise him that a package of pills was on the way and instructed BUMBARA to sell the pills concealed inside of the package, which contained approximately 400 OxyContin pills concealed inside of an Italian coffee maker. BUMBARA subsequently sold the 400 OxyContin pills contained in the package to a local drug dealer in the Bradenton, FL area and raised approximately $6,700. Per PATE’s instructions, BUMBARA then wired the $6,700 to PATE in Costa Rica using Western Union. Between sometime in early June of 2015 and late July of 2015, PATE sent BUMBARA several similar packages of OxyContin, which BUMBARA resold to a local drug dealer, at a profit between $18,000 and $24,000. Again, in accordance with PATE’s instructions, BUMBARA wired all of the proceeds to PATE in Costa Rica using Western Union.

45. Sometime in late July of 2015, BUMBARA and PATE switched from selling OxyContin to local dealers in Florida to selling OxyContin and Xanax to customers throughout the United States using darknet marketplaces, such as Abraxas and AlphaBay. During an interview with law enforcement, BUMBARA stated that PATE sent approximately two packages per month from Costa Rica, each containing approximately 10,000 OxyContin pills, which were concealed inside of maracas or other souvenir items.
Once BUMBARA received a package from PATE containing OxyContin (and sometimes Xanax), PATE directed BUMBARA to use the supply to fill orders that customers had placed on PATE’s vendor shops on various darknet marketplaces. The scheme would work as follows: (1) PATE would send BUMBARA a list of customer orders which included the customer’s name, the customer’s shipping address, and the quantity to be sent; (2) BUMBARA then created smaller packages of pills; and, (3) BUMBARA mailed (via the United States Postal Service) the pills to the customer. At the time, BUMBARA purported to operate a trading-card business on an e-commerce site. BUMBARA would evade detection by law enforcement by concealing the pills between two baseball cards wrapped in plastic and placed in a padded envelope and ultimately, shipping these packages to customers. BUMBARA and PATE engaged in this scheme from July of 2015 to March of 2016. During this time, BUMBARA believed that PATE was selling individual pills of OxyContin for approximately $22 each on his darknet-market vendor pages. PATE was the top rated seller of OxyContin on the Abraxas market in the summer of 2015. In the late fall of 2015, PATE told BUMBARA that he had earned over $790,000 in two months selling illicit narcotics on the darknet.

46. Money Laundering: Once a customer placed an order, that customer paid BTC into the darknet market (e.g., AlphaBay). This BTC was held in escrow by the darknet market until the customer received the package, at which time, the darknet market released the BTC to PATE’s BTC wallet. PATE then transferred that BTC to virtual-currency wallets he controlled at the BTC-e exchange. Once the currency was in the BTC-e exchange, PATE converted the BTC to fiat currency, then transferred that fiat currency to the Digital Mining Investments WF account, on which BUMBARA maintained signatory authority.
Beginning in early June 2015, PATE directed BUMBARA to make weekly cash withdrawals (ranging from $5,000 to $8,000) from the Digital Mining Investments WF account and wire the cash to PATE in Costa Rica using Western Union and/or Moneygram. Per PATE’s instructions, BUMBARA complied from approximately March to June of 2015 and wired somewhere between $350,000 and $400,000 to PATE. During this period, BUMBARA (at PATE’s behest) also wired between 10 and 15 wire transfers (totaling approximately $150,000) from the Digital Mining Investments WF account to accounts located in Costa Rica. PATE informed BUMBARA that the wire transfers were to pay doctors and pharmacies for prescriptions to obtain pills and to pay for the pills themselves.

b. Use of Accounts to Discuss Drug Shipments

47. Facebook: Based on interviews with BUMBARA, law enforcement learned that BUMBARA and PATE communicated via Facebook’s private-message-exchange feature. PATE used his Facebook User ID 13949449036 and BUMBARA used his Facebook User ID 100003955641809 to send private messages back and forth. For example, using Facebook, PATE and BUMBARA communicated about shipping and receipt of pills, packaging and shipping details, customer details (including quantity of pills to be sent), fulfillment of orders, and tracking numbers.[9] BUMBARA and PATE also used Facebook private messenger to communicate about cash and money transfers (i.e., when to make them, how much to withdraw and wire).[10] Indeed, BUMBARA and PATE used Facebook private messenger to conduct virtually all of their illicit transactions and the specifics thereof.

[9] Specifically, PATE would send BUMBARA a Facebook private message telling BUMBARA to expect a package of pills to arrive. BUMBARA would respond to PATE with a Facebook private message, acknowledging receipt of the package of pills. PATE would then send BUMBARA a private message containing a list of customer orders which included the name of the customer, the address to send the order to and the quantity of pills to be sent in each order. BUMBARA would respond to notify PATE that the customer’s order had been filled and send PATE the tracking numbers for the individual packages BUMBARA mailed to each customer.

[10] PATE sent BUMBARA private messages to direct BUMBARA when to make cash withdrawals from the Digital Mining Investments checking account at Wells Fargo Bank and to specify the amount BUMBARA should withdraw. BUMBARA would reply to PATE confirming BUMBARA had made the withdrawals directed by PATE and sent the money via wire to PATE in Costa Rica. PATE also sent BUMBARA Facebook private messages in which he directed BUMBARA to make wire transfers from the Digital Mining Investments WF account to doctors and pharmacies located in Costa Rica to pay for the purchase of pills such as OxyContin and Xanax.

48. Based on subpoena returns from Facebook, PATE opened his account on January 24, 2009, used the vanity name “tonymercedez101,” and registered the account using his senorpate@hotmail.com email address. PATE’s Facebook account was accessed primarily from IP addresses located in Costa Rica (where PATE resides) during the period from June 2015 to March 2016. BUMBARA opened his account on June 17, 2012, using the vanity name “Louis Bumbara” and registered the account using his email address, lbumbara@tampabay.rr.com. BUMBARA’s Facebook account was accessed primarily from IP addresses located in the Bradenton, Florida area (where BUMBARA resides) during the period from June 2015 through March 2016.
The phone number used to register BUMBARA’s Facebook account – (941) 462-5814 – has BUMBARA’s wife listed as the subscriber, although BUMBARA advised that he used (941) 462-5814 as his personal cellular phone number during the time he communicated with PATE.

49. On March 29, 2018, during an interview with law enforcement, BUMBARA’s wife showed agents BUMBARA’s Facebook profile page, which was logged into on the family computer during the interview. The profile I observed had the vanity name “Louis Bumbara,” which included a photo of BUMBARA. BUMBARA’s wife also showed agents a Facebook post from PATE, which included the vanity name “David Pate” and included a photo of PATE.

B. Isaiah Case

50. On the online forums of specific websites such as Reddit and Alphabay, a profile in the name of “BC_USA” stated multiple times that it is a U.S.-based reshipper for the vendor, “buyersclub,” on Alphabay and various other darknet markets.[11] Based on my training and experience, I believe that the vendor “buyersclub” uses a U.S.-reshipper so that it can make single, large shipments of oxycodone to its reshipper in the U.S., rather than make multiple smaller shipments to each of its U.S. customers on a per-transaction basis. This scheme also decreases the number of contraband packages that must clear customs and significantly decreases the shipping time because packages coming from Oregon arrive much more quickly than from Costa Rica. According to the AlphaBay vendor profile for “BC_USA,” every package is tracked and made to look like “a boring purchase from e-bay.”

[11] Reddit is a social-news-aggregation, web-content-rating, and discussion website. Reddit’s registered community members can submit content and post about a variety of topics.

51. Based on records obtained during this investigation, I believe that “BC_USA” is a U.S.-based reshipper based out of Eugene, Oregon and employed by the vendor, “buyersclub.” Using undercover communications with “buyersclub” and subpoena returns, law enforcement has identified “BC_USA” as Isaiah CASE (“CASE”), who lives in Oregon.

52. As noted supra, the undercover purchases of oxycodone from PATE were sent from addresses in Oregon.

C. Ruben MENDOZA

53. On or about February 14, 2018, Costa Rican law enforcement seized a package at the Juan Santamaria International Airport in Costa Rica. The package label indicated that it had been shipped by “David Brian Pate ND” via DHL to “Ruben Mendoza,” at “225 Clift Street, Central Islip, NY 11722-4109” in the United States. The package also listed BUMBARA’s telephone number “941-462-5814” as the telephone number for the individual receiving the package. A report obtained from the Costa Rican authorities indicates that the package contained a number of maracas. The sender had stored a total of approximately 717 pills inside the maracas.

54. On or about March 29, 2018, law enforcement spoke to the listed receiver, Ruben MENDOZA (“MENDOZA”). MENDOZA, who is a cousin of PATE’s wife, resided (and continues to reside) at the destination address listed on the package. MENDOZA informed law enforcement that he normally received packages from PATE through the mail and that the packages typically contained three different types of pills, each a different color. PATE also separately emailed MENDOZA with instructions on the particulars of each shipment (i.e., how many pills to send and the customer to whom the pills are to be sent). Following these instructions, MENDOZA then repackaged the pills he received from PATE into smaller quantities and shipped the repackaged pills to PATE’s customers all over the United States.
MENDOZA additionally provided law enforcement with a composition notebook that included details from approximately 33 different shipments, which together totaled approximately 378 pills that MENDOZA repackaged and reshipped. MENDOZA told law enforcement that the pills he shipped to customers came from a package PATE had shipped to him on or about late February 2018.

55. PATE used the email address, senorpate@hotmail.com. MENDOZA used the email address, rubed9@gmail.com. Based on records obtained during the course of the investigation, MENDOZA’s email account was created on or about October 17, 2014, and registered with the telephone number (631) 639-4739. MENDOZA has a MetroPCS cellphone with the phone number, (631) 639-4739. MetroPCS operates on the T-Mobile network. The IP address (172.56.29.147) that was used to create the rubed9@gmail.com address is a T-Mobile-assigned IP address, which was used to access the rubed9@gmail.com address on or about March 12, 2018.

VIII. POSSESSION OF THE DEVICE

56. The Device is currently in the lawful possession of the IRS-CI in Washington, D.C. It came into IRS-CI’s possession in the following way: BUMBARA’s spouse R.B. provided consent for IRS-CI to complete a forensic image of the Device on March 29, 2018.

57. I interviewed BUMBARA’s spouse R.B. at their shared residence, 4541 Dover Street Circle E, Bradenton, Florida 34203 on March 29, 2018. R.B. told me the Device, which was located in the kitchen of the residence where the interview took place, was used by her husband BUMBARA to communicate with PATE while working with PATE to import and sell narcotics. R.B. told me the Device is a family computer which she, BUMBARA and her two children all share access to. R.B. further told me the Device was a gift from her mother to her for use by R.B.’s family including BUMBARA. During the interview, R.B.
unlocked the device and showed me BUMBARA’s Facebook page, including a Facebook post from PATE. R.B. told me the device contained conversations between BUMBARA and PATE that took place while BUMBARA and PATE were working together to traffic narcotics into the United States. After showing me BUMBARA’s Facebook account, R.B. granted written consent for IRS-CI to take possession of the Device and complete a forensic image. An IRS-CI Special Agent-Computer Investigative Specialist (SA-CIS) successfully completed a forensic image of the Device and returned it to R.B. on March 30, 2018 because her children needed the Device for school work. Therefore, while the IRS-CI might already have all necessary authority to examine the Device, I seek this additional warrant out of an abundance of caution to be certain that an examination of the Device will comply with the Fourth Amendment and other applicable laws.

58. The Device is currently in storage at IRS-CI Washington, D.C. Field Office, 1200 First Street, NE, Suite 4100, Washington, DC 20002. In my training and experience, I know that the Device has been stored in a manner in which its contents are, to the extent material to this investigation, in substantially the same state as they were when the Device first came into the possession of the IRS-CI.

TECHNICAL TERMS

59. Based on my training and experience, I use the following technical terms to convey the following meanings:

60. IP Address: An Internet Protocol address (or simply “IP address”) is a unique numeric address used by computers on the Internet. An IP address is a series of four numbers, each in the range 0-255, separated by periods (e.g., 121.56.97.178). Every computer attached to the Internet must be assigned an IP address so that Internet traffic sent from and directed to that computer may be directed properly from its source to its destination.
Most Internet service providers control a range of IP addresses. Some computers have static—that is, long-term—IP addresses, while other computers have dynamic—that is, frequently changed—IP addresses.

61. Internet: The Internet is a global network of computers and other electronic devices that communicate with each other. Due to the structure of the Internet, connections between devices on the Internet often cross state and international borders, even when the devices communicating with each other are in the same state.

62. In my training and experience, examining data stored on devices of this type can uncover, among other things, evidence that reveals or suggests who possessed or used the device. Based on my training and experience, and information acquired from other law enforcement officials with technical expertise, I know the terms described below have the following meanings or characteristics:

a. “Digital device,” as used herein, includes the following three terms and their respective definitions:

1) A “computer” means an electronic, magnetic, optical, or other high speed data processing device performing logical or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device. See 18 U.S.C. § 1030(e)(1). Computers are physical units of equipment that perform information processing using a binary system to represent information. Computers include, but are not limited to, desktop and laptop computers, smartphones, tablets, smartwatches, and binary data processing units used in the operation of other products like automobiles.

2) “Digital storage media,” as used herein, means any information storage device in which information is preserved in binary form and includes electrical, optical, and magnetic digital storage devices.
Examples of digital storage media include, but are not limited to, compact disks, digital versatile disks (“DVDs”), USB flash drives, flash memory cards, and internal and external hard drives.

3) “Computer hardware” means all equipment that can receive, capture, collect, analyze, create, display, convert, store, conceal, or transmit electronic, magnetic, or similar computer impulses or data. Computer hardware includes any data-processing devices (including, but not limited to, central processing units, internal and peripheral storage devices such as fixed disks, external hard drives, floppy disk drives and diskettes, and other memory storage devices); peripheral input/output devices (including, but not limited to, keyboards, printers, video display monitors, modems, routers, scanners and related communications devices such as cables and connections), as well as any devices, mechanisms, or parts that can be used to restrict access to computer hardware (including, but not limited to, physical keys and locks).

b. “Wireless telephone” (or mobile telephone, or cellular telephone), a type of digital device, is a handheld wireless device used for voice and data communication at least in part through radio signals and also often through “wi-fi” networks. When communicating via radio signals, these telephones send signals through networks of transmitters/receivers, enabling communication with other wireless telephones, traditional “land line” telephones, computers, and other digital devices. A wireless telephone usually contains a “call log,” which records the telephone number, date, and time of calls made to and from the phone. In addition to enabling voice communications, wireless telephones offer a broad range of applications and capabilities.
These include, variously: storing names and phone numbers in electronic “address books”; sending, receiving, and storing text messages, e-mail, and other forms of messaging; taking, sending, receiving, and storing still photographs and video; storing and playing back audio files; storing dates, appointments, and other information on personal calendars; global positioning system (“GPS”) locating and tracking technology, and accessing and downloading information from the Internet.

c. A “tablet” is a mobile computer, typically larger than a wireless phone yet smaller than a notebook, that is primarily operated by touch-screen. Like wireless phones, tablets function as wireless communication devices and can be used to access the Internet or other wired or wireless devices through cellular networks, “wi-fi” networks, or otherwise. Tablets typically contain programs called applications (“apps”), which, like programs on both wireless phones, as described above, and personal computers, perform many different functions and save data associated with those functions.

d. A “GPS” navigation device, including certain wireless phones and tablets, uses the Global Positioning System (generally abbreviated “GPS”) to display its current location, and often retains records of its historical locations. Some GPS navigation devices can give a user driving or walking directions to another location, and may contain records of the addresses or locations involved in such historical navigation. The GPS consists of 24 NAVSTAR satellites orbiting the Earth. Each satellite contains an extremely accurate clock. Each satellite repeatedly transmits by radio a mathematical representation of the current time, combined with a special sequence of numbers. These signals are sent by radio, using specifications that are publicly available. A GPS antenna on Earth can receive those signals.
When a GPS antenna receives signals from at least four satellites, a computer connected to that antenna can mathematically calculate the antenna’s latitude, longitude, and sometimes altitude with a high level of precision.

e. “Computer passwords and data security devices” means information or items designed to restrict access to or hide computer software, documentation, or data. Data security devices may consist of hardware, software, or other programming code. A password (a string of alpha-numeric characters) usually operates as a digital key to “unlock” particular data security devices. Data security hardware may include encryption devices, chips, and circuit boards. Data security software or digital code may include programming code that creates “test” keys or “hot” keys, which perform certain pre-set security functions when touched. Data security software or code may also encrypt, compress, hide, or “booby-trap” protected data to make it inaccessible or unusable, as well as reverse the process to restore it.

f. “Computer software” means digital information which can be interpreted by a computer and any of its related components to direct the way they work. Computer software is stored in electronic, magnetic, or other digital form. It commonly includes programs to run operating systems, applications, and utilities.

g. Internet Protocol (“IP”) Address is a unique numeric address used by digital devices on the Internet. An IP address, for present purposes, looks like a series of four numbers, each in the range 0-255, separated by periods (e.g., 149.101.1.32). Every computer attached to the Internet must be assigned an IP address so that Internet traffic sent from and directed to that computer may be directed properly from its source to its destination. Most Internet service providers control a range of IP addresses.
Some computers have static—that is, long-term—IP addresses, while other computers have dynamic—that is, frequently changed—IP addresses.

h. The Internet is a global network of computers and other electronic devices that communicate with each other using numerous specified protocols. Due to the structure of the Internet, connections between devices on the Internet often cross state and international borders, even when the devices communicating with each other are in the same state.

i. “Internet Service Providers,” or “ISPs,” are entities that provide individuals and businesses access to the Internet. ISPs provide a range of functions for their customers, including access to the Internet, web hosting, e-mail, remote storage, and co-location of computers and other communications equipment. ISPs can offer a range of options in providing access to the Internet, including via telephone-based dial-up and broadband access via digital subscriber line (“DSL”), cable, dedicated circuits, fiber-optic, or satellite. ISPs typically charge a fee based upon the type of connection and volume of data, called bandwidth, which the connection supports. Many ISPs assign each subscriber an account name, a user name or screen name, an e-mail address, an e-mail mailbox, and a personal password selected by the subscriber. By using a modem, the subscriber can establish communication with an ISP and access the Internet by using his or her account name and password.

j. A “modem” translates signals for physical transmission to and from the ISP, which then sends and receives the information to and from other computers connected to the Internet.

k. A “router” often serves as a wireless Internet access point for a single or multiple devices, and directs traffic between computers connected to a network (whether by wire or wirelessly).
A router connected to the Internet collects traffic bound for the Internet from its client machines and sends out requests on their behalf. The router also distributes to the relevant client inbound traffic arriving from the Internet. A router usually retains logs for any devices using that router for Internet connectivity. Routers, in turn, are typically connected to a modem.

l. “Domain Name” means the common, easy-to-remember names associated with an IP address. For example, a domain name of “www.usdoj.gov” refers to the IP address of 149.101.1.32. Domain names are typically strings of alphanumeric characters, with each level delimited by a period. Each level, read backwards – from right to left – further identifies parts of an organization. Examples of first-level, or top-level domains are typically .com for commercial organizations, .gov for the governmental organizations, .org for organizations, and .edu for educational organizations. Second-level names will further identify the organization, for example usdoj.gov further identifies the United States governmental agency to be the Department of Justice. Additional levels may exist as needed until each machine is uniquely identifiable. For example, www.usdoj.gov identifies the World Wide Web server located at the United States Department of Justice, which is part of the United States government.

m. “Cache” means the text, image, and graphic files sent to and temporarily stored by a user’s computer from a website accessed by the user in order to allow the user speedier access to and interaction with that website.

n. “Peer to Peer file sharing” (P2P) is a method of communication available to Internet users through the use of special software, which may be downloaded from the Internet. In general, P2P software allows a user to share files on a computer with other computer users running compatible P2P software.
A user may obtain files by opening the P2P software on the user’s computer and searching for files that are currently being shared on the network. A P2P file transfer is assisted by reference to the IP addresses of computers on the network: an IP address identifies the location of each P2P computer and makes it possible for data to be transferred between computers. One aspect of P2P file sharing is that multiple files may be downloaded at the same time. Another aspect of P2P file sharing is that, when downloading a file, portions of that file may come from multiple other users on the network to facilitate faster downloading.

i. When a user wishes to share a file, the user adds the file to shared library files (either by downloading a file from another user or by copying any file into the shared directory), and the file’s hash value is recorded by the P2P software. The hash value is independent of the file name; that is, any change in the name of the file will not change the hash value.

ii. Third party software is available to identify the IP address of a P2P computer that is sending a file. Such software monitors and logs Internet and local network traffic.

o. “VPN” means a virtual private network. A VPN extends a private network across public networks like the Internet. It enables a host computer to send and receive data across shared or public networks as if they were an integral part of a private network with all the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. The VPN connection across the Internet is technically a wide area network (WAN) link between the sites.
From a user perspective, the extended network resources are accessed in the same way as resources available from a private network, hence the name “virtual private network.” The communication between two VPN endpoints is encrypted and usually cannot be intercepted by law enforcement.

p. “Encryption” is the process of encoding messages or information in such a way that eavesdroppers or hackers cannot read it but authorized parties can. In an encryption scheme, the message or information, referred to as plaintext, is encrypted using an encryption algorithm, turning it into an unreadable ciphertext. This is usually done with the use of an encryption key, which specifies how the message is to be encoded. Any unintended party that can see the ciphertext should not be able to determine anything about the original message. An authorized party, however, is able to decode the ciphertext using a decryption algorithm that usually requires a secret decryption key, to which adversaries do not have access.

q. “Malware,” short for malicious (or malevolent) software, is software used or programmed by attackers to disrupt computer operations, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. Malware is a general term used to refer to a variety of forms of hostile or intrusive software.

63. Based on my knowledge, training, and experience, I know that electronic devices can store information for long periods of time. Similarly, things that have been viewed via the Internet are typically stored for some period of time on the device. This information can sometimes be recovered with forensics tools.

64.
In my training and experience, examining data stored on devices of this type can uncover, among other things, evidence that reveals or suggests who possessed or used the device, and sometimes by implication who did not, as well as evidence relating to the commission of the offenses under investigation.

COMPUTERS, ELECTRONIC/MAGNETIC STORAGE, AND FORENSIC ANALYSIS

65. As described above and in Attachment B, this application seeks permission to search for information that might be found within the Device. Based on my knowledge, training, and experience, as well as information related to me by agents and others involved in this investigation and in the forensic examination of digital devices, I respectfully submit that there is probable cause to believe that the records and information described in Attachment B will be stored in the Device for at least the following reasons:

a. Individuals who engage in criminal activity (including narcotics trafficking and money laundering) use digital devices, like the Device, to access websites to facilitate illegal activity and communicate with co-conspirators online; to store on digital devices (like the Device) documents and records relating to their illegal activity, which can include logs of online “chats” with co-conspirators, email correspondence, text or other “Short Message Service” (“SMS”) messages, contact information of co-conspirators (including telephone numbers, email addresses, identifiers for instant messaging and social media accounts; financial and personal-identification data, including bank account numbers, credit card numbers, and names, addresses, telephone numbers, and social security numbers of other individuals) involved in the conspiracy; and records of illegal transactions from the sale of illicit narcotics, to include, among other things: (1) keeping track of co-conspirator’s contact information; (2) keeping a record of illegal
transactions for future reference; and, (3) keeping an accounting of illegal proceeds for purposes of, among other things, splitting those proceeds with co-conspirators. As described in paragraphs 45 through 47 of this affidavit, BUMBARA used the Device to communicate with PATE (through Facebook, email and other messaging applications) to discuss drug shipments and money laundering in furtherance of his and PATE’s illicit narcotics sales business.

b. Individuals who engage in the foregoing criminal activity, in the event that they change digital devices, will often “back up” or transfer files from their old digital devices to that of their new digital devices, so as not to lose data, including that described in the foregoing paragraph, which would be valuable in facilitating their criminal activity.

c. Digital device files, or remnants of such files, can be recovered months or even many years after they have been downloaded onto the medium or device, deleted, or viewed via the Internet. Electronic files downloaded to a digital device can be stored for years at little or no cost. Even when such files have been deleted, they can be recovered months or years later using readily-available forensics tools. When a person “deletes” a file on a digital device such as a home computer, a smart phone, or a memory card, the data contained in the file does not actually disappear; rather, that data remains on the storage medium and within the device unless and until it is overwritten by new data. Therefore, deleted files, or remnants of deleted files, may reside in free space or slack space – that is, in space on the digital device that is not allocated to an active file or that is unused after a file has been allocated to a set block of storage space – for long periods of time before they are overwritten.
In addition, a digital device’s operating system may also keep a record of deleted data in a “swap” or “recovery” file. Similarly, files that have been viewed via the Internet are automatically downloaded into a temporary Internet directory or “cache.” The browser typically maintains a fixed amount of electronic storage medium space devoted to these files, and the files are only overwritten as they are replaced with more recently viewed Internet pages. Thus, the ability to retrieve “residue” of an electronic file from a digital device depends less on when the file was downloaded or viewed than on a particular user’s operating system, storage capacity, and computer, smart phone, or other digital device habits.

d. As further described in Attachment B, this application seeks permission to locate not only electronic evidence or information that might serve as direct evidence of the crimes described in this affidavit, but also for forensic electronic evidence or information that establishes how the digital device(s) were used, the purpose of their use, who used them (or did not), and when. Based on my knowledge, training, and experience, as well as information related to me by agents and others involved in this investigation and in the forensic examination of digital devices, I respectfully submit there is probable cause to believe that this forensic electronic evidence and information will be in any of the Device(s) at issue here because:

e. Although some of the records called for by this warrant might be found in the form of user-generated documents or records (such as word processing, picture, movie, or texting files), digital devices can contain other forms of electronic evidence as well.
In particular, records of how a digital device has been used, what it has been used for, who has used it, and who has been responsible for creating or maintaining records, documents, programs, applications, and materials contained on the digital device(s) are, as described further in the attachments, called for by this warrant. Those records will not always be found in digital data that is neatly segregable from the hard drive, flash drive, memory card, or other electronic storage media image as a whole. Digital data stored in the Device(s), not currently associated with any file, can provide evidence of a file that was once on the storage medium but has since been deleted or edited, or of a deleted portion of a file (such as a paragraph that has been deleted from a word processing file). Virtual memory paging systems can leave digital data on a hard drive that show what tasks and processes on a digital device were recently used. Web browsers, e-mail programs, and chat programs often store configuration data on a hard drive, flash drive, memory card, or memory chip that can reveal information such as online nicknames and passwords. Operating systems can record additional data, such as the attachment of peripherals, the attachment of USB flash storage devices, and the times a computer, smart phone, or other digital device was in use. Computer, smart phone, and other digital device file systems can record data about the dates files were created and the sequence in which they were created. This data can be evidence of a crime, indicate the identity of the user of the digital device, or point toward the existence of evidence in other locations. Recovery of this data requires specialized tools and a controlled laboratory environment, and also can require substantial time.

f. Forensic evidence on a digital device can also indicate who has used or controlled the device.
This “user attribution” evidence is analogous to the search for “indicia of occupancy” while executing a search warrant at a residence. For example, registry information, configuration files, user profiles, e-mail, e-mail address books, “chat,” instant messaging logs, photographs, the presence or absence of malware, and correspondence (and the data associated with the foregoing, such as file creation and last-accessed dates) may be evidence of who used or controlled the digital device at a relevant time, and potentially who did not.

g. A person with appropriate familiarity with how a computer works can, after examining this forensic evidence in its proper context, draw conclusions about how computers were used, the purpose of their use, who used them, and when.

h. The process of identifying the exact files, blocks, registry entries, logs, or other forms of forensic evidence on a digital device that are necessary to draw an accurate conclusion is a dynamic process. While it is possible to specify in advance the records to be sought, digital device evidence is not always data that can be merely reviewed by a review team and passed along to investigators. Whether data stored on digital devices is evidence may depend on other information stored on the devices and the application of knowledge about how the devices behave. Therefore, contextual information necessary to understand other evidence also falls within the scope of the warrant.

i. Further, in finding evidence of how a digital device was used, the purpose of its use, who used it, and when, sometimes it is necessary to establish that a particular thing is not present on the device. For example, the presence or absence of counter-forensic programs, anti-virus programs (and associated data), and malware may be relevant to establishing the user’s intent and the identity of the user.

j.
I know that when an individual uses a digital device to facilitate the importation of illicit narcotics and to launder proceeds derived from narcotics sales, the individual’s device will generally serve both as an instrumentality for committing the crime, and also as a storage medium for evidence of the crime. The digital device is an instrumentality of the crime because it is used as a means of committing the criminal offense. The digital device is also likely to be a storage medium for evidence of crime. From my training and experience, I believe that a digital device used to commit a crime of this type may contain data that is evidence of how the digital device was used; data that was sent or received; notes as to how the criminal conduct was achieved; records of Internet discussions about the crime; and other records that indicate the nature of the offense and the identities of those perpetrating it.

METHODS TO BE USED TO SEARCH DIGITAL DEVICES

66. Based on my knowledge, training, and experience, as well as information related to me by agents and others involved in this investigation and in the forensic examination of digital devices, I know that:

a. Searching digital devices can be an extremely technical process, often requiring specific expertise, specialized equipment, and substantial amounts of time, in part because there are so many types of digital devices and software programs in use today. Digital devices – whether, for example, desktop computers, mobile devices, or portable storage devices – may be customized with a vast array of software applications, each generating a particular form of information or records and each often requiring unique forensic tools, techniques, and expertise.
As a result, it may be necessary to consult with specially trained personnel who have specific expertise in the types of digital devices, operating systems, or software applications that are being searched, and to obtain specialized hardware and software solutions to meet the needs of a particular forensic analysis.

b. Digital data is particularly vulnerable to inadvertent or intentional modification or destruction. Searching digital devices can require the use of precise, scientific procedures that are designed to maintain the integrity of digital data and to recover “hidden,” erased, compressed, encrypted, or password-protected data. Recovery of “residue” of electronic files from digital devices also requires specialized tools and often substantial time. As a result, a controlled environment, such as a law enforcement laboratory or similar facility, is often essential to conducting a complete and accurate analysis of data stored on digital devices.

c. Further, as discussed above, evidence of how a digital device has been used, the purposes for which it has been used, and who has used it, may be reflected in the absence of particular data on a digital device. For example, to rebut a claim that the owner of a digital device was not responsible for a particular use because the device was being controlled remotely by malicious software, it may be necessary to show that malicious software that allows someone else to control the digital device remotely is not present on the digital device. Evidence of the absence of particular data or software on a digital device is not segregable from the digital device itself. Analysis of the digital device as a whole to demonstrate the absence of particular data or software requires specialized tools and a controlled laboratory environment, and can require substantial time.

d.
Digital device users can attempt to conceal data within digital devices through a number of methods, including the use of innocuous or misleading filenames and extensions. For example, files with the extension “.jpg” often are image files; however, a user can easily change the extension to “.txt” to conceal the image and make it appear that the file contains text. Digital device users can also attempt to conceal data by using encryption, which means that a password or device, such as a “dongle” or “keycard,” is necessary to decrypt the data into readable form. Digital device users may encode communications or files, including substituting innocuous terms for incriminating terms or deliberately misspelling words, thereby thwarting “keyword” search techniques and necessitating continuous modification of keyword terms. Moreover, certain file formats, like portable document format (“PDF”), do not lend themselves to keyword searches. Some applications for computers, smart phones, and other digital devices, do not store data as searchable text; rather, the data is saved in a proprietary nontext format. Documents printed by a computer, even if the document was never saved to the hard drive, are recoverable by forensic examiners but not discoverable by keyword searches because the printed document is stored by the computer as a graphic image and not as text. In addition, digital device users can conceal data within another seemingly unrelated and innocuous file in a process called “steganography.” For example, by using steganography a digital device user can conceal text in an image file that cannot be viewed when the image file is opened. Digital devices may also contain “booby traps” that destroy or alter data if certain procedures are not scrupulously followed.
A substantial amount of time is necessary to extract and sort through data that is concealed, encrypted, or subject to booby traps, to determine whether it is evidence, contraband or instrumentalities of a crime.

e. Analyzing the contents of mobile devices, including tablets, can be very labor intensive and also requires special technical skills, equipment, and software. The large, and ever increasing, number and variety of available mobile device applications generate unique forms of data, in different formats, and user information, all of which present formidable and sometimes novel forensic challenges to investigators that cannot be anticipated before examination of the device. Additionally, most smart phones and other mobile devices require passwords for access. For example, even older iPhone 4 models, running IOS 7, deployed a type of sophisticated encryption known as “AES-256 encryption” to secure and encrypt the operating system and application data, which could only be bypassed with a numeric passcode. Newer cell phones employ equally sophisticated encryption along with alpha-numeric passcodes, rendering most smart phones inaccessible without highly sophisticated forensic tools and techniques, or assistance from the phone manufacturer. Mobile devices used by individuals engaged in criminal activity are often further protected and encrypted by one or more third party applications, of which there are many. For example, one such mobile application, “Hide It Pro,” disguises itself as an audio application, allows users to hide pictures and documents, and offers the same sophisticated AES-256 encryption for all data stored within the database in the mobile device.

f.
Based on all of the foregoing, I respectfully submit that searching any digital device for the information, records, or evidence pursuant to this warrant may require a wide array of electronic data analysis techniques and may take weeks or months to complete. Any pre-defined search protocol would only inevitably result in over- or under-inclusive searches, and misdirected time and effort, as forensic examiners encounter technological and user-created challenges, content, and software applications that cannot be anticipated in advance of the forensic examination of the devices. In light of these difficulties, your affiant requests permission to use whatever data analysis techniques reasonably appear to be necessary to locate and retrieve digital information, records, or evidence within the scope of this warrant.

g. In searching for information, records, or evidence, further described in Attachment B, law enforcement personnel executing this search warrant will employ the following procedures:

1. The digital devices, and/or any digital images thereof created by law enforcement in aid of the examination and review, will be examined and reviewed by law enforcement personnel, sometimes with the aid of a technical expert, in an appropriate setting, in order to extract and seize the information, records, or evidence described in Attachment B.

2. The analysis of the contents of the digital devices may entail any or all of various forensic techniques as circumstances warrant.
Such techniques may include, but shall not be limited to, surveying various file “directories” and the individual files they contain (analogous to looking at the outside of a file cabinet for the markings it contains and opening a drawer believed to contain pertinent files); conducting a file-by-file review by “opening,” reviewing, or reading the images or first few “pages” of such files in order to determine their precise contents; “scanning” storage areas to discover and possibly recover recently deleted data; scanning storage areas for deliberately hidden files; and performing electronic “keyword” searches through all electronic storage areas to determine whether occurrences of language contained in such storage areas exist that are related to the subject matter of the investigation.

3. In searching the digital devices, the forensic examiners may examine as much of the contents of the devices as deemed necessary to make a determination as to whether the contents fall within the items to be seized as set forth in Attachment B. In addition, the forensic examiners may search for and attempt to recover “deleted,” “hidden,” or encrypted data to determine whether the contents fall within the items to be seized as described in Attachment B. Any search techniques or protocols used in searching the contents of the digital devices will be specifically chosen to identify the specific items to be seized under this warrant.

AUTHORIZATION TO SEARCH AT ANY TIME OF THE DAY OR NIGHT

67. Because forensic examiners will be conducting their search of the digital devices in a law enforcement setting over a potentially prolonged period of time, I respectfully submit good cause has been shown, and therefore request authority, to conduct the search at any time of the day or night.

CONCLUSION

68.
I respectfully submit that this affidavit supports probable cause for a search warrant authorizing the examination of the Image described in Attachment A to seek the items described in Attachment B.

Respectfully submitted,
Matthew J. Price
Special Agent
IRS – CI

Subscribed to and sworn before me on this 12th day of July, 2018.

HON. G. MICHAEL HARVEY
UNITED STATES MAGISTRATE JUDGE

Exhibit A
BUYERS CLUB LISTINGS ON ALPHABAY MARKET (captured Sept. 2, 2016)

Exhibit B
BUYERS CLUB LISTING FOR OXYCONTIN ON ALPHABAY MARKET (captured September 2, 2016)

Exhibit C-1
BUYERS CLUB USER PROFILE ON ALPHABAY MARKET (screenshot 1 of 2; captured September 2, 2016)

Exhibit C-2
BUYERS CLUB USER PROFILE ON ALPHABAY MARKET (screenshot 2 of 2; captured September 2, 2016)

ATTACHMENT A
Property to Be Searched

The property to be searched is a forensic image of a Gateway Model DX4840-03E Desktop Computer, Serial Number PT6AU020170171A7582700, hereinafter the “Device.” The Device is currently held at the IRS-CI Washington, D.C. Field Office, 1200 First Street, NE, Suite 4100, Washington, DC 20002. This warrant authorizes the forensic examination of the Device for the purpose of identifying the electronically stored information described in Attachment

ATTACHMENT B
Property to be seized

All records on the Device described in Attachment A that constitutes fruits, contraband, evidence and instrumentalities of violations of 21 U.S.C. § 841(a)(1)(distributing a controlled substance); 21 U.S.C.
§ 952(a)(importing a controlled substance into the United States); 21 U.S.C. § 846(conspiring with persons to violate the above-mentioned statutes); 18 U.S.C. § 1956(a)(2)(transporting, transmitting, or transferring monetary instruments or funds from the United States to or through a place outside the United States); and 18 U.S.C. § 1956(h)(conspiring with persons to commit money laundering), including, for the Device listed on Attachment A, information pertaining to the following matters:

(a) Evidence related to the distribution of a controlled substance including, but not limited to, OxyContin, by/to David Pate, “davidpate,” “buyersclub,” “expurdue,” and Louis Bumbara;

(b) Evidence related to the importation of a controlled substance into the United States including, but not limited to, OxyContin, by/to David Pate, “davidpate,” “buyersclub,” “expurdue,” and Louis Bumbara;

(c) Evidence related to shipments by/to/from/on behalf of David Pate, Louis Bumbara, and other co-conspirators;

(d) Records related to the shipments both domestic and international including, but not limited to, postage stamps, tracking numbers, and shipping labels;

(e) Records related to communications concerning Darknet Markets, Tor networks, Bitcoin; virtual currency, and “Cryptos”;

(f) Records related to communications and/or purchases concerning controlled substances including, but not limited to, OxyContin and Oxycodone;

(g) Evidence related to the amount and location of any payments, monies, or funds transfers by/to David Pate, “davidpate,” “buyersclub,” “expurdue,” and Louis Bumbara;

(h) Evidence related to banking or financial information related to David Pate, “davidpate,” “buyersclub,” “expurdue,” Louis Bumbara, and any co-conspirators;

(i) the transportation or transmission of funds that have been derived from trafficking of controlled substances;

(j) the transportation, transmission, or transfer of funds that are
intended to be used to promote, conceal, or support trafficking of controlled substances;

(k) Identification of coconspirators, accomplices, and aiders and abettors in the commission of the above offenses

1. Evidence of user attribution showing who used or owned the Image at the time the things described in this warrant were created, edited, or deleted, such as logs, phonebooks, saved usernames and passwords, documents, and browsing history;

2. Records evidencing the use of the Internet to access email accounts, social media, encrypted chat applications and/or other means of communication used to discuss drug shipments, drug sales, drug sources, payments for drugs, payments for shipping and transfers of proceeds;

a. records of Internet Protocol addresses used;

b. records of Internet activity, including firewall logs, caches, browser history and cookies, “bookmarked” or “favorite” web pages, search terms that the user entered into any Internet search engine, and records of user-typed web addresses.

As used above, the terms “records” and “information” include all of the foregoing items of evidence in whatever form and by whatever means they may have been created or stored, including any form of computer or electronic storage (such as flash memory or other media that can store data) and any photographic form.