Case 2:19-cr-00342-CB Document 1 Filed 11/12/19

THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF

UNITED STATES OF AMERICA

v.

MAKSIM V. YAKUBETS a/k/a Aqua a/k/a Aquamo a/k/a Carlos a/k/a Shluhnet a/k/a 388888

IGOR TURASHEV a/k/a Igor Tueashev a/k/a Enki a/k/a Parasurama a/k/a Nintutu a/k/a Vzalupkin a/k/a Vasya Zaluplin a/k/a Diananbeauty a/k/a domainaccess a/k/a Tigrr a/k/a Tigrruz

Criminal No.
(18 U.S.C. §§ 371, 1349, 1344, 1343, 1030(a)(5)(A) and 1

(UNDER SEAL)

INDICTMENT

The grand jury charges:

INTRODUCTION

At all times material to this Indictment, unless otherwise alleged:

1) Malicious software ("malware") is a software program designed to disrupt computer operations, gather sensitive information, gain access to private computer systems, or do other unauthorized action on a computer system. Common examples of malware include viruses, worms, Trojan horses, keyloggers, spyware, and others.

2) Keystroke logging is the action of recording (or logging) the keys struck on a keyboard. This action is usually done surreptitiously by a computer program (keylogger) to capture the keys typed on a computer without the typist's knowledge. Malware that uses keystroke logging often will provide the captured keystrokes to the individual who caused the malware to be installed or to a place designated by the individual. Through keystroke logging, individuals are able to obtain online banking credentials as soon as the user of the infected computer logs into their account. After obtaining this information, these individuals can access the victim's online bank account and execute unauthorized electronic funds transfers such as Automated Clearing House ("ACH") payments or wire transfers,1 to accounts that they control.

3) Web injects introduce (or inject) malicious computer code into a victim's web browser while the victim browses the Internet and "hijacks" the victim's Internet session. Different injects are used for different purposes. Some web injects are used to display false online banking pages into the victim's web browser to trick the victim into entering online banking information, which is then captured by the individual employing the web inject.

4) "Bot," which is short for "robot," is a computer that has been infected by malware and does tasks at the malware's direction.

5) A "botnet" is a network of bots. It is a collection of bots that can communicate with a computer controlling the botnet or with each other through some network architecture.

1 Electronic funds transfers are the exchange and transfer of money through computer-based systems using the Internet. ACH payments allow the electronic transferring of funds from one bank account to another bank account within the ACH network without any paper money changing hands. The ACH network is a network of participating depository financial institutions across the United States, and the network provides for interbank clearing of electronic payments. Because ACH payments require the network to clear the transaction, the funds are not immediately available. Wire transfers also allow electronic transferring of funds from one bank account to another bank account without any paper money changing hands; however, unlike ACH payments, wire transferred funds are immediately available.

6) Bugat is a multifunction malware package designed to automate the theft of confidential personal and financial information, such as online banking credentials, from infected computers through the use of keystroke logging and web injects.
Later versions of the malware were designed with the added function of assisting in the installation of ransomware.2

7) Bugat is a malware specifically crafted to defeat antivirus and other protective measures employed by victims. As the individuals behind Bugat improved the malware and added functionality, the name of the malware changed, at one point being called "Cridex," and later "Dridex." However, each version was based upon the same original code. Hereinafter a reference in this Indictment to Bugat is meant to refer to Cridex and Dridex as well.

8) Bugat malware is generally distributed through a process known as "phishing," where spam emails are distributed to victims. The emails appear legitimate and are carefully crafted to entice the victim to click on a hyperlink or to open an attached file. By clicking on the hyperlink or opening the attached file, the victim causes the installation of malware without the victim's consent or knowledge.

9) A "mule" or "money mule" is a person who received stolen funds into their bank account, and then moved the money to other accounts, or withdrew the funds and transported the funds overseas as smuggled bulk cash.

10) First National Bank was a financial institution insured by the Federal Deposit Insurance Corporation, and was headquartered in Pittsburgh, It offered online banking services through computer servers located in the Western District of

11) First Commonwealth Bank was a financial institution insured by the Federal Deposit Insurance Corporation, and was headquartered in Indiana, It offered online banking services through computer servers located in the Western District of

2 Ransomware is a type of malware designed to deny access to a victim's computer and/or computer files until the payment of a ransom.

12) The Sharon City School District was a public school district located in Sharon, in the Western District of

13) Penneco Oil Company, Inc., Penneco Pipeline Corporation and Pennquest Oil Corporation (collectively Penneco Oil) were petroleum businesses located in Delmont, in the Western District of

14) Remington Outdoor Company ("Remington") was a firearm manufacturing company located in Madison, North Carolina.

15) 84 Lumber was a building materials supply company located in Eighty Four, in the Western District of

16) Kurt J. Lesker Company was a vacuum and thin film deposition technology company located in Jefferson Hills, in the Western District of

17) JWF Industries was a metal manufacturing company located in Johnstown, in the Western District of

18) The defendant, MAKSIM V. YAKUBETS, was a resident of Russia. He was the leader of the group of conspirators involved with the Bugat malware and botnet. As the leader, YAKUBETS oversaw and managed the development, maintenance, distribution, and infection of Bugat as well as the financial theft and the use of money mules. At times material to this Indictment and prior to this Indictment, YAKUBETS used the online nicknames "Aqua," "Aquamo," "Carlos," and "Shluhnet," as well as the ICQ number 388838.

19) The defendant, IGOR TURASHEV, was a resident of Russia. He was a close associate of MAKSIM V. YAKUBETS and handled a variety of functions for the Bugat conspiracy, including system administration, management of the internal control panel, and oversight of botnet operations. At times material to this Indictment and prior to this Indictment, TURASHEV used the online nicknames "Enki," "Parasurama," "Nintutu," "Vzalupkin," "Vasya Zaluplin," "Diananbeauty," "domainaccess," "Tigrr," and "Tigrruz," as well as the name Igor Tueashev.

MANNER AND MEANS OF THE CONSPIRACY

20) From in and around November 2011, the exact date being unknown to the grand jury, and continuing to the present, in the Western District of and elsewhere, the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators, known and unknown to the grand jury, did devise, and intend to devise, a scheme and artifice to defraud and to obtain money and property through the unauthorized installation of the Bugat malware on victim computers.

21) It was a part of the scheme and artifice that the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, sent phishing emails that contained material false and fraudulent pretenses, representations, and promises, and that omitted material information, to employees of victim companies.

22) It was further a part of the scheme and artifice that the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, sent, through the Internet, these phishing emails that falsely represented to be legitimate emails from legitimate companies, associations, and organizations.

23) It was further a part of the scheme and artifice that the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, created the phishing emails to fraudulently induce recipients to click on a hyperlink or open an attachment that falsely represented itself to be a legitimate link or attachment containing business or personal information, when in truth and fact, it installed and caused the installation of the Bugat malware on Internet-connected victim computers without the email recipients' consent, knowledge, or authorization.

24) It was further a part of the scheme and artifice that the Bugat malware was designed to automate the theft of confidential personal and financial information, such as online banking credentials.
The Bugat malware facilitated the theft of confidential personal and financial information by a number of methods. For example, the Bugat malware obtained such information through keystroke logging. Alternatively, the Bugat malware allowed computer intruders to hijack a computer session and use web injects to present a fake online banking webpage to trick a user into entering personal and financial information.

25) It was further a part of the scheme and artifice that the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, used the Bugat malware on infected computers to capture the user's confidential personal and financial information, such as online banking credentials, by keystroke logging or by hijacking the computer session and presenting a web inject, fake online banking webpages.

26) It was further a part of the scheme and artifice that the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, used the captured information, without authorization, to falsely represent to banks that the defendants and co-conspirators were victims or employees of victims who had authorization to access the victims' bank accounts and to make electronic funds transfers from the victims' bank accounts.

27) It was further a part of the scheme and artifice that the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, used the captured banking credentials to cause banks to make unauthorized wire transfers, ACH payments, or other electronic funds transfers from the victims' bank accounts, without the knowledge or consent of the account holders.

28) It was further a part of the scheme and artifice that the defendants, MAKSIM V.
YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, used money mules to receive the wire transfers, the ACH payments, or other electronic funds transfers from the victims' bank accounts.

29) It was further a part of the scheme and artifice that the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, used the money mules to further transfer the stolen funds to reach the control of other members of the conspiracy.

30) It was further a part of the scheme and artifice that, on or about November 8, 2011, the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, engaged in interstate and foreign wire communications over the Internet by sending to an employee of the Sharon City School District, which was located in the Western District of a phishing email to fraudulently induce the employee to click on a graphic falsely represented to be a legitimate graphic.

31) It was further a part of the scheme and artifice that, on or about November 10, 2011, the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, caused the employee to click on the fraudulent graphic and, in so doing, resulted in the unauthorized installation of the Bugat malware on an Internet-connected computer used by the Sharon City School District and located in the Western District of

32) It was further a part of the scheme and artifice that, on or about December 16, 2011, in the Western District of the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, fraudulently attempted to cause the electronic transfer of $999,000.00 from Sharon City School District's account at First National Bank to an account in the name of S.M. at PJSC Bank Forum, Kiev, Ukraine.

33) It was further a part of the scheme and artifice that, on or about August 31, 2012, the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, caused the Bugat malware to be installed, without authorization, on an Internet-connected computer used by Penneco Oil and located in the Western District of

34) It was further a part of the scheme and artifice that, on or about August 31, 2012, through on or about September 4, 2012, the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, used the Bugat malware to fraudulently obtain the banking credentials of Penneco Oil and to cause the transfer of funds out of Penneco Oil's bank accounts maintained with First Commonwealth Bank.

35) It was further a part of the scheme and artifice that, on or about August 31, 2012, the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, used the fraudulently obtained online banking credentials to falsely represent to First Commonwealth Bank that the defendants and co-conspirators were persons authorized to access the online banking accounts of Penneco Oil and to cause, or attempt to cause, the transfer of funds out of Penneco Oil's bank accounts maintained with First Commonwealth Bank.

36) It was further a part of the scheme and artifice that, on or about August 31, 2012, in the Western District of the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, fraudulently caused the international electronic transfer of $2,158,600.00 from Penneco Oil's bank account X2948 at First Commonwealth Bank to an account in the name of G.S. at Krajinvestbank in Krasnodar, Russia. The transaction was processed through Citibank, New York City, New York, as the correspondent bank for Krajinvestbank.

37) It was further a part of the scheme and artifice that, on or about September 4, 2012, the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, used the fraudulently obtained online banking credentials to falsely represent to First Commonwealth Bank that the defendant and co-conspirators were persons authorized to access the online banking accounts of Penneco Oil and to cause, or attempt to cause, the transfer of funds out of Penneco Oil's bank accounts maintained with First Commonwealth Bank.

38) It was further a part of the scheme and artifice that, on or about September 4, 2012, in the Western District of the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, fraudulently attempted to cause the electronic transfer of $76,520.00 from Penneco Oil's bank account X0464 at First Commonwealth Bank to a bank account at Trumark Financial Credit Union in Philadelphia,

39) It was further a part of the scheme and artifice that, on or about September 4, 2012, in the Western District of the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, fraudulently caused the international electronic transfer of $1,350,000.00 from Penneco Oil's bank account X1858 at First Commonwealth Bank to a bank account at CJSC VTB Bank in Minsk, Belarus. The transaction was processed through Citibank, New York City, New York, as the correspondent bank for CJSC VTB Bank.

40) It was further a part of the scheme and artifice that the defendant, MAKSIM V. YAKUBETS, electronically communicated with Aleskey Yaroschevich a/k/a "morganzaebiz," who is located in Minsk, Belarus, to arrange money mule services for the receipt of fraudulent electronic funds transfers. On or about September 4, 2012, the defendant, MAKSIM V.
YAKUBETS, provided Aleskey Yaroschevich a/k/a "morganzaebiz" with Penneco Oil's First Commonwealth Bank account information, and Aleskey Yaroschevich a/k/a "morganzaebiz" provided the defendant, MAKSIM V. YAKUBETS, with the CJSC VTB Bank account information to receive the fraudulent electronic funds transfers. On September 4, 2012, the defendant, MAKSIM V. YAKUBETS, provided confirmation that $1,350,000.00 from Penneco Oil's First Commonwealth Bank account was transferred to the CJSC VTB Bank account provided by Aleskey Yaroschevich.3

41) It was further a part of the scheme and artifice that the defendant, MAKSIM V. YAKUBETS, electronically communicated with an individual, who resides in the United Kingdom and who is known to the grand jury, concerning money mule services for the receipt of fraudulent electronic funds transfers. On or about August 10, 2015, this U.K. resident explained that, although he successfully cashed out approximately $25,000 on behalf of the defendant and co-conspirators known and unknown to the grand jury, he was unable to cash out more money because banks were freezing accounts and not releasing monies until after investigating the legitimacy of the wire transfers. In response, the defendant, MAKSIM V. YAKUBETS, explained that he works on the malware and botnet while another co-conspirator is "in charge of tranches."

42) On or about August 31, 2015, in electronic communications with the U.K. resident, the defendant, MAKSIM V. YAKUBETS, stated that he has two teams who worked with his malware and botnets and that each team has their own spammers (individuals who sent out phishing email campaigns) and so on.

3 The Belarussian authorities arrested Aleskey Yaroschevich and three of his associates who were involved in the receipt of the fraudulent $1,350,000.00 electronic funds transfer. All four were convicted and sentenced in Belarus.

43) In subsequent conversations, the defendant, MAKSIM V. YAKUBETS, agreed, for $100,000 initial fee and 50% of all revenues with a minimum of $50,000 a week, to allow the U.K. resident to join the conspiracy, to infect computers with his malware, and to make fraudulent electronic funds transfers from funds associated with the victims of the infected computers.

44) It was further a part of the scheme and artifice that, from on or about April 20, 2016 to on or about March 17, 2017, the defendant, IGOR TURASHEV, also electronically communicated with this U.K. resident. The defendant, IGOR TURASHEV, supplied the U.K. resident with executable files for the Bugat malware so that the U.K. resident could conduct phishing email campaigns and infect computers with the malware. The defendant, IGOR TURASHEV, further provided the U.K. resident with technical assistance concerning the internal control panel used by the conspirators and concerning the botnet created by the U.K. resident's malware infections.4

45) It was further a part of the scheme and artifice that, subsequently, the exact date being unknown to the grand jury, the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, used the Bugat malware to cause the installation of ransomware onto the victims' computers.

46) It was further a part of the scheme and artifice that, on or about September 11, 2018, the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, caused the Bugat malware to be installed, without authorization, on an Internet-connected computer used by Remington.

4 U.K. authorities prosecuted and sentenced this U.K. resident.

47) It was further a part of the scheme and artifice that, on or about February 18, 2019, in the Western District of the defendants, MAKSIM V. YAKUBETS and
IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, caused the Bugat malware to be installed, without authorization, on an Internet-connected computer used by 84 Lumber.

48) It was further a part of the scheme and artifice that, on or about March 4, 2019, in the Western District of the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, caused the Bugat malware to be installed, without authorization, on an Internet-connected computer used by Kurt J. Lesker Company.

49) It was further a part of the scheme and artifice that, on or about March 19, 2019, the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, engaged in interstate and foreign wire communications over the Internet by sending to an employee of JWF Industries, which was located in the Western District of a phishing email to fraudulently induce the employee to open an attached zip file.

50) It was further a part of the scheme and artifice that, on or about March 19, 2019, in the Western District of the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators known and unknown to the grand jury, caused the employee to open an attached zip file and, in so doing, resulted in the Bugat malware being installed, without authorization, on an Internet-connected computer used by JWF Industries.

COUNT ONE (Conspiracy)

The grand jury further charges:

51) Paragraphs 1 through 50 above are hereby realleged and incorporated by reference herein, as if fully stated.

52) From in and around November 2011, the exact date being unknown to the grand jury, and continuing to the present, in the Western District of and elsewhere, the defendants, MAKSIM V.
YAKUBETS, a/k/a Aqua, a/k/a Aquamo, a/k/a Carlos, a/k/a Shluhnet, a/k/a 388888, and IGOR TURASHEV, a/k/a Igor Tueashev, a/k/a Enki, a/k/a Parasurama, a/k/a Nintutu, a/k/a Vzalupkin, a/k/a Vasya Zaluplin, a/k/a Diananbeauty, a/k/a domainaccess, a/k/a Tigrr, a/k/a Tigrruz, knowingly and willfully did conspire, combine, confederate, and agree together and with each other and with other persons both known and unknown to the grand jury, to commit the following offenses against the United States: to intentionally access a computer without authorization and thereby obtain information from a protected computer, which offense was committed for the purpose of private financial gain, in violation of Title 18, United States Code, Sections 1030(a)(2)(C) and to knowingly and with the intent to defraud, access a protected computer without authorization, and by means of such conduct, further an intended fraud and obtain something of value, in violation of Title 18, United States Code, Sections 1030(a)(4) and 1030(a)(3xA); to knowingly cause the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally cause damage, and attempt to cause damage, without authorization, to a protected computer, and the offense did cause and, if
completed, caused loss to one or more persons during any one-year period aggregating at least $5,000.00, in violation of Title 18, United States Code, Sections 103 and 1030(c)(4)(B); and to devise, and intend to devise, a scheme and artifice to defraud businesses and individuals, and to obtain money and property from these businesses and individuals, by means of material false and fraudulent pretenses, representations, and promises, and for purpose of executing such scheme and artifice, to transmit, and cause to be transmitted, by means of wire communication in interstate and foreign commerce, certain writings, signs, signals, and pictures, in violation of Title 18, United States Code, Section 1343.

OVERT ACTS

53) In furtherance of the conspiracy, and to effect the objects of the conspiracy, the defendants, MAKSIM V. YAKUBETS and IGOR TURASHEV, and co-conspirators both known and unknown to the grand jury, did commit and cause to be committed, the following overt acts, among others, in the Western District of and elsewhere:

(a) On or about November 8, 2011, co-conspirators sent a phishing email to an employee at the Sharon City School District.

(b) On or about November 10, 2011, co-conspirators caused the Bugat malware to be installed, without authorization, on a Sharon City School District's Internet-connected computer.

(c) On or about December 16, 2011, co-conspirators attempted to cause the electronic transfer of $999,000.00 from Sharon City School District's account at First National Bank to an account in the name of S.M. at PJSC Bank Forum, Kiev, Ukraine.

(d) On or about August 31, 2012, co-conspirators caused the Bugat malware to be installed, without authorization, on a Penneco Oil's Internet-connected computer.

(e) On or about August 31, 2012, co-conspirators caused the international electronic transfer of $2,158,600.00 from Penneco Oil's account X2948 at First Commonwealth Bank to an account in the name of G.S. at Krajinvestbank in Krasnodar, Russia.

(f) On or about September 4, 2012, co-conspirators attempted to cause the electronic transfer of $76,520.00 from Penneco Oil's bank account x0464 at First Commonwealth Bank to a bank account at Trumark Financial Credit Union in Philadelphia,

(g) On or about September 4, 2012, co-conspirators caused the international electronic transfer of $1,350,000.00 from Penneco Oil's account x1858 at First Commonwealth Bank to an account in the name of B. at CJSC VTB Bank in Minsk, Belarus.

(h) On or about September 4, 2012, outside the Western District of the defendant, MAKSIM V. YAKUBETS, provided Aleskey Yaroschevich a/k/a "morganzaebiz" with confirmation that $1,350,000.00 from Penneco Oil's First Commonwealth Bank account was transferred to a CJSC VTB Bank account.

(i) On or about September 11, 2018, outside the Western District of co-conspirators caused the Bugat malware to be installed, without authorization, on an Internet-connected computer used by Remington.

(j) On or about February 18, 2019, co-conspirators caused the Bugat malware to be installed, without authorization, on an Internet-connected computer used by 84 Lumber.

(k) On or about March 4, 2019, co-conspirators caused the Bugat malware to be installed, without authorization, on an Internet-connected computer used by Kurt J. Lesker Company.

(l) On or about March 19, 2019, co-conspirators sent a phishing email to an employee at JWF Industries.

(m) On or about March 19, 2019, co-conspirators caused the Bugat malware to be installed, without authorization, on an Internet-connected computer used by JWF Industries.

All in violation of Title 18, United States Code, Section 371.

COUNT TWO (Fraud Conspiracy)

The grand jury further charges:

54) Paragraphs 1 through 44 above are hereby realleged and incorporated by reference herein, as if fully stated.

55) From in and around November 2011, the exact date being unknown to the grand jury, and continuing to in and around March 2017, the exact date being unknown to the grand jury, in the Western District of and elsewhere, the defendants, MAKSIM V. YAKUBETS, a/k/a Aqua, a/k/a Aquamo, a/k/a Carlos, a/k/a Shluhnet, a/k/a 388888, and IGOR TURASHEV, a/k/a Igor Tueashev, a/k/a Enki, a/k/a Parasurama, a/k/a Nintutu, a/k/a Vzalupkin, a/k/a Vasya Zaluplin, a/k/a Diananbeauty, a/k/a domainaccess, a/k/a Tigrr, a/k/a Tigrruz, knowingly and willfully did conspire, combine, confederate, and agree together and with each other and with other persons both known and unknown to the grand jury, to commit the following fraud offense against the United States: to knowingly execute, and attempt to execute, a scheme and artifice to defraud a financial institution and to obtain any of the moneys, funds, credits, assets, securities, and other property owned by, and under the custody and control of, a financial institution by means of material false or fraudulent pretenses, representation, and promises, in violation of Title 18, United States Code, Section 1344.

In violation of Title 18, United States Code, Section 1349.

COUNTS THREE THROUGH FIVE (Bank Fraud)

The grand jury further charges:

56) Paragraphs 1 through 44 above are hereby realleged and incorporated by reference herein, as if fully stated.

57) On or about the dates set forth below, in the Western District of and elsewhere, the defendants, MAKSIM V.
YAKUBETS, a/k/a Aqua, a/k/a Aquamo, a/k/a Carlos, a/k/a Shluhnet, a/k/a 388888, and IGOR TURASHEV, a/k/a Igor Tueashev, a/k/a Enki, a/k/a Parasurama, a/k/a Nintutu, a/k/a Vzalupkin, a/k/a Vasya Zaluplin, a/k/a Diananbeauty, a/k/a domainaccess, a/k/a Tigrr, a/k/a Tigrruz, having devised and intended to devise a scheme and artifice to defraud First Commonwealth Bank and First National Bank to obtain monies and funds owned by and under the custody and control of First Commonwealth Bank and First National Bank by means of material false and fraudulent pretenses, representations and promises, well knowing at the time that the pretenses, representations and promises would be and were false and fraudulent when made, did knowingly execute and attempt to execute the foregoing scheme and artifice, by causing, and attempting to cause, the transfer of funds, with each transfer, and attempted transfer, being a separate count of this indictment as described below:

Count | On or About Date | Description
3 | December 16, 2011 | The attempted wire transfer of $999,000.00 from Sharon City School District's account at First National Bank to an account in the name of S.M. at PJSC Bank Forum, Kiev, Ukraine.
4 | August 31, 2012 | The wire transfer of $2,158,600.00 out of First Commonwealth Bank account x2948 belonging to Penneco Oil to an account in the name of G.S. at Krajinvestbank in Krasnodar, Russia. The transaction was processed through Citibank, New York City, New York, as the correspondent bank for Krajinvestbank.
5 | September 4, 2012 | The wire transfer of $1,350,000.00 out of First Commonwealth Bank account x1858 belonging to Penneco Oil to an account in the name of B. at CJSC VTB Bank in Minsk, Belarus. The transaction was processed through Citibank, New York City, New York, as the correspondent bank for CJSC VTB Bank.

In violation of Title 18, United States Code, Section 1344 and Section 2.

COUNT SIX (Wire Fraud)

The grand jury further charges:

58) Paragraphs 1 through 50 above are hereby realleged and incorporated by reference herein, as if fully stated.

59) On or about November 8, 2011, in the Western District of and elsewhere, the defendants, MAKSIM V. YAKUBETS, a/k/a Aqua, a/k/a Aquamo, a/k/a Carlos, a/k/a Shluhnet, a/k/a 388888, and IGOR TURASHEV, a/k/a Igor Tueashev, a/k/a Enki, a/k/a Parasurama, a/k/a Nintutu, a/k/a Vzalupkin, a/k/a Vasya Zaluplin, a/k/a Diananbeauty, a/k/a domainaccess, a/k/a Tigrr, a/k/a Tigrruz, for the purpose of executing, and attempting to execute, a scheme and artifice to defraud the Sharon City School District, and to obtain money and property from the Sharon City School District, and to affect a financial institution, that is, to obtain control of a Sharon City School District's computer and to obtain Sharon City School District's First National Bank online banking credentials in order to gain online access to funds maintained with a financial institution, by means of material false and fraudulent pretenses, representations, and promises, well knowing at the time that the pretenses, representations, and promises were false and fraudulent when made, knowingly did transmit, and cause to be transmitted, in interstate and foreign commerce, by means of wire communication, from an IP address then located in the Republic of Korea, to a computer located in Sharon, certain writing, signs, signals, and pictures, that is, an electronic phishing email that falsely represented that a graphic within the email was a legitimate graphic.

In violation of Title 18, United States Code, Section 1343.

COUNT SEVEN (Wire Fraud)

The grand jury further charges:

60) Paragraphs 1 through 50 above are hereby realleged and incorporated by reference herein, as if fully stated.
61) On or about March 19, 2019, in the Western District of and elsewhere, the defendants, MAKSIM V. YAKUBETS, a/k/a Aqua, a/k/a Aquamo, a/k/a Carlos, a/k/a Shluhnet, a/k/a 388888, and IGOR TURASHEV, a/k/a Igor Tueashev, a/k/a Enki, a/k/a Parasurama, a/k/a Nintutu, a/k/a Vzalupkin, a/k/a Vasya Zaluplin, a/k/a Diananbeauty, a/k/a domainaccess, a/k/a Tigrr, a/k/a Tigrruz, for the purpose of executing, and attempting to execute, a scheme and artifice to defraud JWF Industries, and to obtain money and property from JWF Industries, that is, to obtain control of a JWF Industry computer and to cause the installation of ransomware on JWF Industry's systems, by means of material false and fraudulent pretenses, representations, and promises, well knowing at the time that the pretenses, representations, and promises were false and fraudulent when made, knowingly did transmit, and cause to be transmitted, in interstate and foreign commerce, by means of wire communication, from an IP address then located in Taiwan, to a computer located in Johnstown, certain writing, signs, signals, and pictures, that is, an electronic phishing email that falsely represented that an attached zip file contained a document.

In violation of Title 18, United States Code, Section 1343.

COUNTS EIGHT TO TEN (Intentional Damage to a Computer)

The grand jury further charges:

62) Paragraphs 1 through 50 above are hereby realleged and incorporated by reference herein, as if fully stated.

63) On or about the dates set forth below, in the Western District of and elsewhere, the defendants, MAKSIM V.
YAKUBETS, a/k/a Aqua, a/k/a Aquamo, a/k/a Carlos, a/k/a Shluhnet, a/k/a 388888, and IGOR TURASHEV, a/k/a Igor Tueashev, a/k/a Enki, a/k/a Parasurama, a/k/a Nintutu, a/k/a Vzalupkin, a/k/a Vasya Zaluplin, a/k/a Diananbeauty, a/k/a domainaccess, a/k/a Tigrr, a/k/a Tigrruz, did knowingly cause the transmission of a program, information, code, and command, that is, caused the installation of the Bugat malware, and, as a result of such conduct, intentionally caused damage, without authorization, to a protected computer belonging to the persons set forth below, an offense which, if completed, would have caused a loss aggregating at least $5,000 to a person during a one-year period.

Count   On or About Date    Persons
8       February 18, 2019   84 Lumber
9       March 4, 2019       Kurt J. Lesker Company
10      March 19, 2019      WP Industries

In violation of Title 18, United States Code, Sections 1030(a)(5)(A), 103 and Section 2.

FORFEITURE ALLEGATIONS

64) The grand jury realleges and incorporates by reference the allegations contained in Counts One through Ten of this Indictment for the purpose of alleging criminal forfeiture pursuant to Title 18, United States Code, Sections 1030(i), 103 Title 28, United States Code, Section 2461(c), and Title 21, United States Code, Section 853(p).
65) The United States hereby gives notice to the defendants charged in Counts One, Eight, Nine, and Ten that, upon his conviction of any such offense, the government, pursuant to Title 18, United States Code, Sections 1030(i), and 1030(j), will seek forfeiture of any property, real or personal, constituting or derived from, proceeds obtained, directly or indirectly, as a result of such offense, such property includes, but is not limited to, a money judgment for a sum of money equal to the proceeds obtained as a result of the offense; and any personal property that was used or intended to be used to commit or to facilitate the commission of the offense.

66) The United States hereby gives notice to the defendants charged in Counts Two through Seven that, upon his conviction of any such offense, the government, pursuant to Title 18, United States Code, Sections 981(a)(1)(C) and and Title 28, United States Code, Section 2461(c), will seek forfeiture of any property, real or personal, constituting or derived from, proceeds obtained, directly or indirectly, as a result of such offense, such property includes, but is not limited to, a money judgment for a sum of money equal to the proceeds obtained as a result of the offense.

67) If through any acts or omission by the defendant(s), any or all of the property described in paragraphs 64 to 66 above (hereinafter the "Subject Properties")
Cannot be located upon the exercise of due diligence;
Has been transferred, sold to, or deposited with a third person;
Has been placed beyond the jurisdiction of the Court;
Has been substantially diminished in value; or
Has been commingled with other property which cannot be subdivided without difficulty,

it is the intent of the United States, pursuant to Title 21, United States Code, Section 853(p), as incorporated by Title 28, United States Code, Section 2461(c), to seek forfeiture of any other property of such defendant(s) up to the value of the forfeitable property described in this forfeiture allegation.

A True Bill,
FOREPERSON

SCOTT W. BRADY
United States Attorney
PA ID NO. 88352

Case Document 1-1 Filed 11/12/19 Page 1 of 1

IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF

UNITED STATES OF AMERICA v. MAKSIM V. YAKUBETS a/k/a Aqua a/k/a Aquamo a/k/a Carlos a/k/a Shluhnet a/k/a 388888

Criminal No.
UNDER SEAL

CERTIFICATION AND NOTICE FOR FILING PRETRIAL MOTIONS

I hereby certify that I have been notified by the United States Magistrate Judge that all pretrial motions must be filed within fourteen (14) days of Arraignment unless the Court extends the time upon written application made within said fourteen (14) day period.

Date
Attorney for Defendant MAKSIM V. YAKUBETS

Case 2:19-cr-00342-CB Document 1-2 Filed 11/12/19 Page 1 of 1

IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF

UNITED STATES OF AMERICA v. IGOR TURASHEV a/k/a Igor Tueashev a/k/a Enki a/k/a Parasurama a/k/a Nintutu a/k/a Vzalupkin a/k/a Vasya Zaluplin a/k/a Diananbeauty a/k/a domainaccess a/k/a Tigrr a/k/a Tigrruz

Criminal No.
UNDER SEAL

CERTIFICATION AND NOTICE FOR FILING PRETRIAL MOTIONS

I hereby certify that I have been notified by the United States Magistrate Judge that all pretrial motions must be filed within fourteen (14) days of Arraignment unless the Court extends the time upon written application made within said fourteen (14) day period.

Date
Attorney for Defendant IGOR TURASHEV

Case 2:19-cr-00342-CB Document 1-3 Filed 11/12/19 Page 1 of 1

IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF

UNITED STATES OF AMERICA v. MAKSIM V. YAKUBETS a/k/a Aqua a/k/a Aquamo a/k/a Carlos a/k/a Shluhnet a/k/a 388888

Criminal No.

ARRAIGNMENT PLEA

Defendant MAKSIM V. YAKUBETS being arraigned, pleads in open Court this day of , 20

(Defendant's Signature)
(Attorney for Defendant)

Case 2:19-cr-00342-CB Document Filed 11/12/19 Page 1 of 1

IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF

UNITED STATES OF AMERICA v. IGOR TURASHEV a/k/a Igor Tueashev a/k/a Enki a/k/a Parasurama a/k/a Nintutu a/k/a Vzalupkin a/k/a Vasya Zaluplin a/k/a Diananbeauty a/k/a domainaccess a/k/a Tigrr a/k/a Tigrruz

Criminal No.

ARRAIGNMENT PLEA

Defendant IGOR TURASHEV being arraigned, pleads in open Court this day of , 20

(Defendant's Signature)
(Attorney for Defendant)

Case 2:19-cr-00342-CB Document 1-5 Filed 11/12/19 Page 1 of 2

CRIMINAL CASE INFORMATION SHEET

Pittsburgh Erie Johnstown
Related to closed/15-cv-1315 Judge Cathy Bissoon
(All criminal prosecutions arising out of the same criminal transaction or series of transactions are deemed related).

CATEGORY: 1. Narcotics and Other Controlled Substances 1a. Narcotics and Other Controlled Substances (3 or more Defendants) 2. Fraud and Property Offenses 2a. Fraud and Property Offenses (3 or more Defendants) 3. Crimes of Violence 4. Sex Offenses 5. Firearms and Explosives 6. Immigration 7. All Others

Defendant's name: MAKSIM V.
YAKUBETS, a/k/a Aqua, a/k/a Aquamo, a/k/a Carlos, a/k/a Shluhnet, a/k/a 388888
Is indictment waived: Yes No
Pretrial Diversion: Yes No
Juvenile proceeding: Yes No
Defendant is: Male Female
Superseding indictment or information: Yes No
Previous case number:
If superseding, previous case was/will be: Dismissed on defendant's motion; Dismissed on government's motion; After appellate action; Other (explain)
County in which first offense cited occurred:
Previous proceedings before Magistrate Judge:
Case No.:
PLEASE INCORPORATE MAGISTRATE CASE WITH CRIMINAL CASE

Date arrested or date continuous U.S. custody began:
Defendant: is in custody / is not in custody
Name of Institution:
Custody is on: this charge / another charge / another conviction; State / Federal
Detainer filed: yes no
Date detainer filed:
Total defendants:
Total counts: 10
Data below applies to defendant No.:
Defendant's name: MAKSIM V. YAKUBETS

COUNT   U.S. CODE                                         OFFENSE                            FELONY
1       18 U.S.C. 371                                     Conspiracy
2       18 U.S.C. 1349                                    Fraud Conspiracy
3-5     18 U.S.C. 1344 and 2                              Bank Fraud
6-7     18 U.S.C. 1343                                    Wire Fraud
8-10    18 U.S.C. 1030(a)(5)(A), 1030(c)(4)(B)(i) and 2   Intentional Damage to a Computer

FORFEITURE ALLEGATION

I certify that to the best of my knowledge the above entries are true and correct.

DATE: 51011122019
SHARDUL S. DESAI
Assistant U.S. Attorney
DC ID No. 990299

Case 2:19-cr-00342-CB Document 1-6 Filed 11/12/19 Page 1 of 2

CRIMINAL CASE INFORMATION SHEET

Pittsburgh Erie Johnstown
Related to No. 15-cr-198 closed/15-cv-1315 Judge Cathy Bissoon
(All criminal prosecutions arising out of the same criminal transaction or series of transactions are deemed related).

CATEGORY: 1. Narcotics and Other Controlled Substances 1a. Narcotics and Other Controlled Substances (3 or more Defendants) 2. Fraud and Property Offenses 2a. Fraud and Property Offenses (3 or more Defendants) 3. Crimes of Violence 4. Sex Offenses 5.
Firearms and Explosives 6. Immigration 7. All Others

Defendant's name: IGOR TURASHEV, a/k/a Igor Tueashev, a/k/a Enki, a/k/a Parasurama, a/k/a Nintutu, a/k/a Vzalupkin, a/k/a Vasya Zaluplin, a/k/a Diananbeauty, a/k/a domainaccess, a/k/a Tigrr, a/k/a Tigrruz
Is indictment waived: Yes No
Pretrial Diversion: Yes No
Juvenile proceeding: Yes No
Defendant is: Male Female
Superseding indictment or information: Yes No
Previous case number:
If superseding, previous case was/will be: Dismissed on defendant's motion; Dismissed on government's motion; After appellate action; Other (explain)
County in which first offense cited occurred:
Previous proceedings before Magistrate Judge:
Case No.:
PLEASE INCORPORATE MAGISTRATE CASE WITH CRIMINAL CASE

Date arrested or date continuous U.S. custody began:
Defendant: is in custody / is not in custody
Name of Institution:
Custody is on: this charge / another charge / another conviction; State / Federal
Detainer filed: yes no
Date detainer filed:
Total defendants:
Total counts:
Data below applies to defendant No.:
Defendant's name: IGOR TURASHEV

COUNT   U.S. CODE                                         OFFENSE                            FELONY
1       18 U.S.C. 371                                     Conspiracy
2       18 U.S.C. 1349                                    Fraud Conspiracy
3-5     18 U.S.C. 1344 and 2                              Bank Fraud
6-7     18 U.S.C. 1343                                    Wire Fraud
8-10    18 U.S.C. 1030(a)(5)(A), 1030(c)(4)(B)(i) and 2   Intentional Damage to a Computer

FORFEITURE ALLEGATION

I certify that to the best of my knowledge the above entries are true and correct.

DATE: NOV 2
SHARDUL S. DESAI
Assistant U.S. Attorney
DC ID No. 990299