Case 3:19-mj-71251-MAG Document 1 Filed 08/09/19 Page 1 of 13

Attachment A

AFFIDAVIT OF FBI SPECIAL AGENT ROBBIE J. ROBERTSON IN SUPPORT OF A CRIMINAL COMPLAINT

I, Robbie J. Robertson, Special Agent of the Federal Bureau of Investigation, being duly sworn, hereby declare as follows:

AGENT BACKGROUND AND BASES FOR STATEMENTS

1. I am a Special Agent with the FBI assigned to investigate cyber-crime, and have been so employed since September 2017. My training included attending FBI new agent basic training during which I received instruction on various aspects of federal investigations. Since May 2019, I have been assigned to investigate high technology and cyber-crime and have been involved in investigations of alleged computer-related and intellectual property offenses, including computer intrusions, trafficking in counterfeit goods, wire fraud, internet extortion, and other criminal matters. As an FBI agent, I am authorized to investigate violations of United States law and am a law enforcement officer with the authority to execute warrants issued under the authority of the United States. Prior to my current position as a Special Agent with the FBI, I obtained a Bachelor of Science degree in Information Technology. During my career as a Special Agent of the FBI, I have received training and possess actual experience relating to federal criminal procedures and federal statutes. I have also received specialized training and instruction in the field of investigation in computer-related crimes. I have had the opportunity to conduct, coordinate, and participate in numerous investigations relating to computer-related crimes. I have participated in the execution of numerous search warrants and arrest warrants conducted by the FBI.

2. The statements contained in this affidavit are based, in part, on my training, years of investigative experience, and my personal participation in this investigation.
The statements contained in this affidavit are sometimes based on information provided by other FBI Special Agents, other government agencies, as well as information derived from interviews of victim companies.

3. Because this affidavit is submitted for the limited purpose of securing an arrest warrant, I have not included each and every fact known to me that supports probable cause. This affidavit does not purport to set forth all of my knowledge of, or investigation into, this matter. I have summarized information, including information received from law enforcement agents and officers, documents, and records. I have set forth those facts that I believe are sufficient to support the issuance of the requested arrest warrant. I am not relying upon facts not set forth herein to support my conclusion.

4. I am one of the agents participating in the investigation of Shariq Hashme for offenses relating to the unauthorized access and damage to computers belonging to Company A, a San Francisco, California-based data analysis company.

5. As part of that ongoing FBI investigation, I make this affidavit in support of an application by the United States of America for a complaint and arrest warrant for HASHME.

6. As set forth herein, there is probable cause to believe HASHME knowingly caused the transmission of a program, information, code, and command, and as a result of such conduct, intentionally caused damage without authorization, to a protected computer, and thereby caused loss to one or more persons during a one-year period affecting protected computers aggregating at least $5,000 in value, in violation of Title 18, United States Code, Sections 1030(a)(5)(A) and

APPLICABLE STATUTES

7.
Under Title 18, United States Code, Section 1030(a)(5)(A), it is unlawful for an individual to "knowingly cause[] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer." A protected computer is a computer that is used in or affecting interstate or foreign commerce. See 18 U.S.C. 1030(e)(2)(B). The term "damage" means "any impairment to the integrity or availability of data, a program, a system, or information." See 18 U.S.C. 1030(e)(8).

8. Under Title 18, United States Code Sections 1030(e)(4) 1 and the penalty for a violation of 18 U.S.C. 1030(a)(5)(A) is a fine and imprisonment of not more than ten years if the offense caused (i) loss to 1 or more persons during any 1-year period aggregating at least $5,000 in value; (ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; (iii) physical injury to any person; (iv) a threat to public health or safety; (v) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or (vi) damage affecting 10 or more protected computers during any 1-year period.

FACTS SUPPORTING PROBABLE CAUSE

Summary

9. Beginning at least as early as on or about February 26, 2019, continuing through and including on or about July 11, 2019, Shariq HASHME repeatedly connected to and caused transmissions to Company A's internal payment database to surreptitiously alter its data and contents without authorization in order to divert at least approximately $40,000 in payments to accounts controlled by HASHME.

10.
HASHME, who was employed as an engineer at Company A, is an individual that resided in 2019 in San Francisco, California before on or about April 1 2019, and outside the United States after on or about that date. HASHME worked for Company A as an employee then later as a non-employee contractor during this time.

Background of Investigation

11. Company A is a San Francisco, California-based data analysis company.

12. PayPal is a web-based financial services provider based in Mountain View, California.

13. On May 8, 2019, representatives of Company A contacted the San Francisco Division of the FBI to report a criminal cyber incident. According to representatives of the company, they discovered their internal payment database, contained in their back-end computer network infrastructure, had been compromised in late April 2019.

14. Company A advised that it paid its employees through PayPal and would at times issue "bonus" payments to its employees through PayPal using its internal payment database, which also listed employees' personally identifiable information, including work related e-mail account information. Company A utilized "1Password," a service that streamlines access to multiple protected enclaves through a singular password and username. In this instance, each engineer was given access to a 1Password account and all administrator-level tasks were executed under the same account. Furthermore, 1Password automatically populated user names and passwords in order to access Company A's back-end infrastructure. Access to the company's internal payment database and other internal infrastructure was restricted using 1Password. Company A advised that the 1Password credentials were shared through each engineer's individually-operated GitHub account.

15.
Company A reported that during this cyber incident, an individual connected to its internal payment database and altered payments that were originally directed to legitimate employees to divert them to a PayPal account linked to "Bruno.Day.1988@outlook.com" ("Subject PayPal account"). Company A determined that this re-direction of payments to the Subject PayPal account occurred through transmissions to its internal payment database using the 1Password account. Based on an internal investigation conducted by Company A, the majority of the altered payments made to the Subject PayPal account were in the amount of $140.00 beginning on or about March 12, 2019 and ending on or about May 6, 2019. Over the course of this cyber incident, Company A advised that a total of approximately 100 payments were altered in the internal payment database and diverted to the Subject PayPal account, resulting in losses of at least approximately $14,000.

16. Company A provided the FBI with a suspicious IP address of 182.232.191.125, which connected to its internal payment database around the time of one of the intrusion incidents on April 30, 2019 at 13:39:53 UTC. IP addresses oftentimes are associated with a particular geographic area or region based on them falling within certain known address ranges. The aforementioned suspicious IP address was confirmed to be associated with the particular geographic area ("geo-located") of Thailand using open source research conducted by the FBI.

17. Following the initial incident, Company A advised the FBI of another similar cyber incident in which an individual manipulated the internal payment database and altered approximately 30 additional $140.00 bonus payments to divert them to the Subject PayPal account; these payments were processed on or about May 6, 2019, resulting in losses of at least approximately $4,200.
This similar incident took place after Company A took additional security measures in response to the initial incident. For example, known IP addresses were "white listed" or allowed to access internal infrastructure, while unknown IPs were restricted.

18. On July 16, 2019, Company A advised the FBI of yet another similar cyber incident in which an individual manipulated the internal payment database and altered approximately $15,000 in bonus payments, this time to divert them to a PayPal account linked to The incident occurred on June 20, 2019, but was not discovered until July 12, 2019. No addresses were available due to new database configurations at Company A.

Identification of HASHME

19. The FBI obtained records from PayPal for the account registered to Bruno.Day.1988@outlook.com. In part, PayPal records provided the subscriber, IP log and transaction history for the account registered to From February 26, 2019 to June 13, 2019, this PayPal account received more than 190 payments from Company A that totaled approximately $26,663. The subscriber information of the PayPal account included the following:

First Name: Bruno
Time Created: February 26, 2019, 20:04:39

20. The FBI also obtained records from PayPal for the account registered to dragonball844@outlook.com. In part, PayPal records provided the subscriber information, IP logs and transaction history for the accounts registered to dragonball844@outlook.com. From June 28, 2019 to July 11, 2019, this PayPal account received more than 70 payments from Company A that totaled approximately $13,190. The subscriber information of the PayPal accounts included the following:

Email: dragonball844@outlook.com
Address:

21. PayPal records also provided a "confirmed" cellular phone number for both of the aforementioned PayPal accounts, - A cell phone number is "confirmed"
when a user confirms receipt of an automated text message from PayPal by entering an alphanumeric code included in the text message. By using open source and FBI internal record searches, a number of documents associated Shariq HASHME with mobile number - and the aforementioned addresses.

22. In addition, PayPal records included banking information related to the ability of PayPal users to transfer money from their PayPal account to a debit/credit card or to another financial institution. The PayPal accounts registered to Bruno.Day.1988@outlook.com and dragonball844@outlook.com listed the following accounts:

Account: 2713
Status:
Name: Bruno Day
Start Date: 6-Mar-19
Expiration Date:
Type: VISA CREDIT
Issuer: Bank of America-Consumer Credit
Confirmed: Unconfirmed
Issue#: -
Currency: USD

and

Account: 3421
Status: INACTIVE
Name: Bruno Day
Start Date: 6-Mar-19
Expiration Date:
Type: VISA PREPAID
Issuer: Central Bank of Kansas City
Confirmed: Unconfirmed
Issue#: -
Currency: USD

and

Account: 9824
Status: ACTIVE
Name: Bruno Day
Start Date: 6-Mar-19
Expiration Date: -
Type: VISA DEBIT
Issuer: Bank of America, National Association
Confirmed: Unconfirmed
Issue#: -
Currency: USD

and

Account: 9824
Status: ACTIVE
Name: Victor Manta) 0
Start Date: 24-Jun-19
Expiration Date: -
Type: VISA DEBIT
Issuer: Bank of America, National Association
Confirmed: Unconfirmed
Issue#: -
Currency: USD

23. Additionally, during the records searches, personal email addresses of and? forms1 revealed. The FBI obtained records from PayPal for an account registered to. In part, PayPal records provided the subscriber information, IP logs and transaction history for the accounts registered to The subscriber information of the PayPal accounts included the following:

First Name: Shariq
Last Name: Hashme
DOB:
Email:
Address: (Entered on 9/27/17)
Telephone:
Time Created: July 30, 2011, 13:25:31
Bank Name: Bank of America
Bank Account: -2236

24.
Based on the PayPal records for the bruno.day.1988@outlook.com and accounts, IP addresses geo-located in Thailand accessed both accounts during a time period relevant to the aforementioned cyber incidents. This approximate time period and location matched the previously-provided suspicious IP noted by Company A, also geo-located in Thailand, which connected to its internal payment database on April 30, 2019. The records below reflect a portion of relevant IP address logs:

[IP address log table; columns: IP Address, PayPal Account, ISP, Location. Legible values: IP addresses 182.232.145.215, 182.232.161.90 and 182.232.191.33; PayPal account bruno.day.1988@outlook.com; ISP and location text "TH AIS Mobile", "Bangkok" and "Internet Thailand"; date 03 May 2019. The remaining cells are illegible.]

25. The FBI requested records associated with two bank accounts listed with the PayPal accounts registered to Bruno.Day.1988@outlook.com and dragonball844@outlook.com (-2713 and -9824), "Bruno Day," and "Shariq Hashme" from the issuing bank, Bank of America. In part, the records provided by Bank of America included the following information:

Account Number: 2236
Account Name: Shari Hashme

26. The Bank of America records were linked by account owner information and direct deposits described below.
The following transactions were observed in the transaction history portion of the Bank of America records for account -2236, an account linked to the PayPal account registered to which mirrors PayPal withdrawals from the account registered to Bruno.day.1988@outlook.com:

Date              Amount       Payment Received From    City, State
June 7, 2019      $3,009.50    PayPal *Day Bruno        San Jose, CA
May 31, 2019      $3,009.50    PayPal *Day Bruno        San Jose, CA
May 24, 2019      $3,009.50    PayPal *Day Bruno        San Jose, CA
May 10, 2019      $3,284.00    PayPal *Day Bruno        San Jose, CA
April 29, 2019    $3,146.75    PayPal *Day Bruno        San Jose, CA
April 19, 2019    $3,146.75    PayPal *Day Bruno        San Jose, CA
April 12, 2019    $3,274.15    PayPal *Day Bruno        San Jose, CA
March 22, 2019    $951.14      PayPal *Day Bruno        San Jose, CA
March 15, 2019    $533.79      PayPal *Day Bruno        San Jose, CA
March 8, 2019     $1,044.88    PayPal *Day Bruno        San Jose, CA
March 6, 2019     $23.63       PayPal *Day Bruno        San Jose, CA
March 6, 2019     $336.15      PayPal *Day Bruno        San Jose, CA

27. The FBI collected additional information on the subject, Shariq HASHME, from California DMV records. The following identifiers relate to HASHME:

DL Number:
Name: Shari S. Has
DOB:
Address:
Sex - Hair - ac Eyes Brown; Height 5'11"; Weight 160

28. According to one of social media profiles, was most recently employed as an engineer at Company A and located in San Francisco, California. HASHME is a citizen of the United Kingdom and is believed to have left the United States to live overseas on April 18, 2019, due to an expired work visa.

29. Company A advised that at no time during the aforementioned cyber incidents was HASHME authorized to access or alter the data or contents of the internal payment database, or cause the aforementioned rewards payments to be made to himself.

30. Furthermore, Company A informed the FBI that an internal investigation revealed the destruction of payment database logs.
Specifically, shortly after HASHME accessed internal Company A infrastructure via his Virtual Private Network (VPN), database logs were altered to delete the record of some of the fraudulent payments sent to the PayPal account registered to Bruno.Day.1988@outlook.com, an account controlled by HASHME.

Discovery of HASHME Arrival

31. On August 7, 2019, the FBI received information that HASHME was expected to return to the United States by way of San Francisco International Airport on or about August 9, 2019. The FBI received additional information on August 9, 2019 that HASHME is expected to return to the United States by way of SFO the next day, on August 10, 2019.

CONCLUSION

32. Based on the evidence uncovered and the information provided by Company A as well as records received by the FBI, it is believed that HASHME connected to Company A's internal payment servers to alter and divert bonus payments that were ultimately deposited to a bank account he owned and controlled, resulting in losses of at least approximately $40,000. Furthermore, as advised by Company A, HASHME had no authorization, legitimate business requirements, or need, to access or alter payment information in Company A's internal payment database. I respectfully submit that there is probable cause to believe that HASHME knowingly caused the transmission of a program, information, code, and command, and as a result of such conduct, intentionally caused damage without authorization, to a protected computer, and thereby caused loss to one or more persons during a one-year period affecting protected computers aggregating at least $5,000 in value, all in violation of Title 18, United States Code, Sections 1030(a)(5)(A), and

REQUEST FOR SEALING

33. Because this investigation is continuing, disclosure of the arrest warrant, this affidavit, and/or this application and the attachments thereto will jeopardize the progress of the investigation.
Disclosure of the arrest warrant at this time would seriously jeopardize the investigation; as such a disclosure would allow to change patterns of behavior, notify other confederates, destroy evidence, or flee or continue flight from prosecution. Accordingly, I request that the Court issue an order that the complaint, arrest warrant, this affidavit in support of application for complaint and arrest warrant, and all attachments thereto be filed under seal until further order of this Court.

ROBBIE J. ROBERTSON
Special Agent
Federal Bureau of Investigation

Sworn to before me this day of August 2019

HONORABLE ELIZABETH D. LAPORTE
United States Magistrate Judge