Case Document 33 Filed 08/28/19 Page 1 of 7 Presented to the Court by the foreman of the Grand Jury in open Court, in the presence of the Grand Jury and FILED in the US. DISTRICT COURT at Seattle, Washington. 14444? 28 20 M. 00L, Clerk By ?Deputy UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WASHINGTON AT SEATTLE UNITED STATES OF AMERICA, RSL Pla?m?ff INDICTMENT v. PAIGE A. THOMPSON, Defendant. The Grand Jury charges that: COUNT 1 (Wire Fraud) 1. Beginning in or before March 2019, and continuing until in or after July 2019, at Seattle, Within the Western District of Washington, and elsewhere, PAIGE A. THOMPSON, with the intent to defraud, devised and intended to devise, a scheme and arti?ce to defraud and to obtain money and property by means of materially false and fraudulent pretenses, representations, and promises. A. Background 2. The ?Cloud Computing Company? is a company that provides cloud- computing services to individuals, companies, and governments. Cloud computing is the practice of using a network of remote servers hosted on the Internet, commonly referred to as ?the cloud,? rather than a local computer or server, to store, manage, and process Indictment - 1 UNITED STATES ATTORNEY - - 700 STEWART STREET, SUITE 5220 Umted States v. Page A. Thompson SEATTLE, WASHINGTON 98101 (206) 553-7970 OO \IO?xkl'I -P 45 WN t??O Case Document 33 Filed 08/28/19 Page 2 of 7 data. The Cloud Computing Company provides services through server farms that are located throughout the world and maintained by the Cloud Computing Company. 3. Capital One Financial Corporation (?Capital One?) is a bank holding company that offers credit cards and other services to customers throughout the United States. Capital One supports its services, in part, by renting or contracting for computer servers from the Cloud Computing Company. The servers on which Capital One stores credit card application and other information generally are located in states other than the State of Washington, and they store information regarding customers, and support services, in multiple states. Deposits of Capital One are insured by the Federal Deposit Insurance Corporation. 4. Victim 2 is state agency of a state that is not the State of Washington. Victim 2 supports its services, in part, by renting or contracting for computer servers from the Cloud Computing Company. 5. Victim 3 is a telecommunications conglomerate located outside the United States that provides services predominantly to customers in Europe, Asia, Africa, and Oceania. Victim 3 supports its services, in part, by renting or contracting for computer servers from the Cloud Computing Company. 6. Victim 4 is a public research university located outside the State of Washington. Victim 4 supports its services, in part, by renting or contracting for computer servers from the Cloud Computing Company. B. The Essence of the Scheme and Arti?ce 7. The object of the scheme was to exploit the fact that certain customers of the Cloud Computing Company had miscon?gured web application ?rewalls on the servers that they rented or contracted from the Cloud Computing Company. The object was to use that miscon?guration in order to obtain credentials for accounts of those customers that had permission to View and copy data stored by the customers on their Cloud Computing Company servers. The object then was to use those stolen credentials in order to access and copy other data stored by the customers on their Cloud Computing Indictment - 2 UNITED STATES ATTORNEY - - 700 STEWART STREET, SUITE 5220 Umtea' States v. Page A. Thompson SEATTLE, WASHINGTON 98101 (206) 553-7970 Case Document 33 Filed 08/28/19 Page 3 of 7 Company servers, including data containing valuable personal identifying information. The object also was to use the access to the customers? servers in other ways for PAIGE A. own bene?t, including by using those servers for C. The Manner and Means of the Scheme and Arti?ce 8. It was part of the scheme and arti?ce that PAIGE A. THOMPSON used, and created, scanners that allowed her to scan the publicly facing portion of servers rented or contracted by customers from the Cloud Computing Company, and to identify servers for which web application ?rewall miscon?gurations permitted commands sent from outside the servers to reach and be executed by the servers. 9. It was further part of the scheme and arti?ce that PAIGE A. THOMPSON then transmitted commands to the miscon?gured servers that obtained the security credentials for particular accounts or roles belonging to the customers with the miscon?gured servers. 10. It was further part of the scheme and arti?ce that PAIGE A. THOMPSON then used the accounts for which she had obtained security credentials to obtain lists or directories of folders or buckets of data in the Cloud Computing Company customers? storage space at the Cloud Computing Company. 11. It was further part of the scheme and arti?ce that PAIGE A. THOMPSON used the accounts for which she had obtained security credentials to copy data, from folders or buckets of data in the Cloud Computing Company customers? storage space at the Cloud Computing Company for which the accounts had requisite permissions, to a server that PAIGE A. THOMPSON maintained at her own residence. 12. It was further part of the scheme and arti?ce that, in taking these steps, PAIGE A. THOMPSON implicitly represented that commands to copy data that she sent using the accounts for which she had obtained security credentials were legitimate commands sent by users with permission to send such commands, rather than commands sent by a person who had stolen the security credentials and who lacked authority to use the accounts and send the commands. Indictment 3 UNITED STATES ATTORNEY 700 STEWART STREET, SUITE 5220 SEATTLE, WASHINGTON 9810! (206) 553-7970 United States v. Paige A. Thompson Case Document 33 Filed 08/28/19 Page 4 of 7 13. It was further part of the scheme and arti?ce that, in executing the scheme and arti?ce, PAIGE A. THOMPSON used virtual private networks including a VPN offered by the company IPredator, to conceal PAIGE A. location and identity from the Cloud Computing Company and from victim companies. . 14. It was further part of the scheme and arti?ce that, in executing the scheme and arti?ce, PAIGE A. THOMPSON used The Onion Router to conceal PAIGE A. location and identity from the Cloud Computing Company and from victim companies. 15. It was further part of the scheme and arti?ce that PAIGE A. THOMPSON copied data to her own server from servers rented or contracted by Capital One from the Cloud Computing Company, including data that contained information, including personal identifying information, from approximately 100,000,000 customers who had applied for credit cards from Capital One. 16. It was ?irther part of the scheme and arti?ce that PAIGE A. THOMPSON copied and stole data from more than 30 different entities, including Capital One, Victim 2, Victim 3, and Victim 4 that had contracted or rented servers from the Cloud Computing Company. 17. It was further part of the scheme and arti?ce that PAIGE A. THOMPSON used her unauthorized access to certain victim servers and the stolen computing power of those servers to ?mine? for her own bene?t, a practice often referred to as mining is the process by which transactions are veri?ed and added to the public ledger, the blockchain. Persons who verify blocks of legitimate transactions, often referred to as ?miners,? are rewarded with an amount of that Successful mining operations consume large amounts of computing power and hardware.) C. Execution 18. On or about March 22, 2019, at Seattle, in the Western District of Washington, and elsewhere, PAIGE A. THOMPSON, for the purpose of executing the Indictment - 4 UNITED STATES ATTORNEY - - 700 STEWART STREET, SUITE 5220 Umted States v. Page A. Thompson SEATTLE, WASHINGTON 98101 (206) 553-7970 Case Document 33 Filed 08/28/19 Page 5 of 7 scheme and arti?ce described above, caused to be transmitted by means of wire communication in interstate commerce, from her computer in Seattle to a computer outside the State of Washington, writings, signs, signals, pictures, and sounds, that is, a command to copy data belonging to Capital One from servers, rented or contracted by Capital One from the Cloud Computing Company, to a server belonging to PAIGE A. THOMPSON in Seattle. All in violation of Title 18, United States Code, Section 1343. COUNT2 (Computer Fraud and Abuse) - 19. The allegations set forth in Paragraphs 1-18 of this Indictment are realleged and incorporated into this Count, as if fully set forth herein. 20. Between on or about March 12, 2019, and on or about July 17, 2019, at Seattle, within the Western District of Washington, and elsewhere, PAIGE A. THOMPSON intentionally accessed a computer without authorization, to wit, a computer containing information belonging to Capital One Financial Corporation, and thereby obtained information contained in a ?nancial record of a ?nancial institution and of a card issuer as de?ned in Section 1602 of_ Title 15, and information from a protected computer, and the value of the information obtained eXceeded $5,000. All in violation of Title 18, United States Code, Section 1030(a)(2)(A) and (C), and and ASSET FORFEITURE ALLEGATION (Count 1) The allegations contained in Count 1 of this Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeiture pursuant to Title '18, United States Code, Section 981(a)(1)(C) and Title 28, United States Code, Section 2461(0). Upon conviction of the offense charged in Count 1, the defendant, PAIGE A. Indictment - 5 UNITED STATES ATTORNEY United States v. Paige A. Thompson 700 STEWART SUITE 5220 SEATTLE, WASHINGTON 98l 01 (206) 553-7970 Case Document 33 Filed 08/28/19 Page 6 of 7 THOMPSON, shall forfeit to the United States any property, real or personal, which constitutes or is derived from proceeds traceable to such offense, including but not limited to a judgment for a sum of money representing the property described in this paragraph. (Count 2) The allegations contained in Count 2 of this Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeiture pursuant to Title 18, United States Code, Sections 982(a)(2)(B) and 1030(i). Upon conviction of the offense charged in Count 2, the defendant, PAIGE A. THOMPSON, shall forfeit to the United States any property constituting, or derived from, proceeds the defendant obtained, directly or indirectly, as the result of such offense, and shall also forfeit the defendant?s interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such offense, including but not limited to a judgment for a sum of money representing the property described in this paragraph. (Substitute Assets) If any of the above-described forfeitable property, as a result of any act or omission of the defendant, . cannot be located upon the exercise of due diligence; a b. has been transferred or sold to, or deposited with, a third party; .0 has been placed beyond the jurisdiction of the Court; 53? has been substantially diminished in value; or e. has been commingled with other property which cannot be divided without dif?culty; Indictment - 6 UNITED STATES ATTORNEY . . 700 STEWART STREET, SUITE 5220 United States v. Page A. Thompson SEATTLE, WASHINGTON 98101 (206) 553-7970 Case Document 33 Filed 08/28/19 Page 7 of 7 ?46? TWRAN United States Attorney it is the intent of the United States, pursuant to Title 18, United States Code, Sections 982(b) and 1030(i)(2), Title 21, United States Code, Section 853(p), and Title 28, United States Code, Section 2461(0), to seek the forfeiture of any other property of the defendant, up to the value of the above-described forfeitable property. A TRUE BILL: DATED: NYSE its Signature of foreperson redacted pursuant to the policy of?te Judicial Conference oft/1e United States OREPERSON Ow ANDREW C. FRIEDMAN Assistant United States Attorney STEVEWW Assistant United States Attorney Ix.) 00 Indictment - 7 United Stales v. Paige A. Thonwson UNITED STATES 700 STEWART S'l'Rl-Zli'l'. Sun'l; 5220 SEATTLE, 98101 (206) 553-7970