Case Document 1 Filed 02/19/20 Page 1 of 43 Page ID #:1

AO 91 (Rev. 11/11) Criminal Complaint

UNITED STATES DISTRICT COURT
for the Central District of California

[Filed stamp: CLERK, U.S. DISTRICT COURT, FEB 2020, CENTRAL DISTRICT OF CALIFORNIA]

United States of America
v.
ARTHUR JAN DAM
Defendant(s)

Case No. [blank]

CRIMINAL COMPLAINT

I, the complainant in this case, state that the following is true to the best of my knowledge and belief: From on or about April 20, 2018 to on or about May 29, 2018, in the county of Los Angeles in the Central District of California, the defendant(s) violated:

Code Section: 18 U.S.C. § 1030(a)(5)(A)
Offense Description: Intentionally Damaging and Attempting to Damage a Protected Computer

This criminal complaint is based on these facts: Please see attached affidavit.

Continued on the attached sheet.

Complainant's signature
ELLIOTT WEIDEMAN, Special Agent
Printed name and title

Sworn to before me and signed in my presence.

Date: [illegible]
City and state: Los Angeles, California

Judge's signature
Hon. Michael R. Wilner, U.S. Magistrate Judge
Printed name and title

AFFIDAVIT

I, Elliott Weideman, being duly sworn, declare and state as follows:

I. INTRODUCTION

1. I am a Special Agent with the Federal Bureau of Investigation and have been so employed since September 2017. I am currently assigned to the Los Angeles Field Office, Computer Intrusion Squad, which is responsible for investigating fraud and related activity in connection with computers, including denial-of-service attacks, phishing attacks and malicious software injections. Since becoming an FBI Special Agent, I have received specialized and on-the-job training (including hundreds of hours of training at the FBI Academy in Quantico, Virginia) regarding a variety of criminal activities involving malware, computer intrusions, extortion, and various types of fraud and organized criminal activities. During my training, interactions with other Special Agents and law enforcement officers, and on-the-job work with investigations, I have gained considerable knowledge and expertise in the investigation of computer intrusions, malware analysis, and associated cyber crimes. I am a Certified Fraud Examiner and prior to being a Special Agent, I worked for approximately five years as a Private Investigator in Los Angeles, where I conducted civil and criminal investigations involving the detection of fraud and identification of hidden assets.

II. AFFIDAVIT

1. This affidavit is made in support of a criminal complaint against, and arrest warrant for, ARTHUR JAN DAM for a violation of 18 U.S.C. § 1030(a)(5)(A) (Intentionally Damaging and Attempting to Damage a Protected Computer).

2. The facts set forth in this affidavit are based upon my personal observations, my training and experience, and information obtained from various law enforcement personnel and witnesses. This affidavit is intended to show merely that there is sufficient probable cause for the requested complaint and warrant and does not purport to set forth all of my knowledge of or investigation into this matter. Unless specifically indicated otherwise, all conversations and statements described in this affidavit are related in substance and in part only.

III. SUMMARY OF PROBABLE CAUSE

3. The Los Angeles Field Office of the FBI has been investigating four cyber attacks which targeted and disrupted the website of a political candidate for a congressional district in California (the "Victim"). As a result of the four cyber attacks, the Victim's website was down for approximately 21 hours during the campaign. The Victim reported suffering losses, including website downtime, a reduction in campaign donations, and time spent by campaign staff and others conducting critical incident response. In June 2018, the Victim lost the primary election for the congressional district.

4. In the course of the investigation, and as described below, the FBI found that the cyber attacks originated from Amazon Web Services and in particular, were tied to a single AWS account, which was controlled by DAM. DAM was found to be connected to the cyber attacks through subscriber information, IP addresses, geolocation history, and open sources, including through his employer and his wife, K.O., who worked for one of the Victim's opponents. As described in further detail below, each of the four cyber attacks corresponds with logins to the AWS account from either DAM's residence or from DAM's place of work. Furthermore, DAM was found to have conducted extensive research on both the Victim and various cyber exploits, malicious toolkits, and cyber attacks, including the same kind of cyber attack used against the Victim, a distributed denial-of-service or "DDoS" attack. The attacks caused the Victim to suffer loss in excess of $5,000, as described below. Therefore, there is probable cause to believe that DAM committed a violation of 18 U.S.C. § 1030(a)(5)(A), (c)(4)(B)(i).

IV. STATEMENT OF PROBABLE CAUSE

A. Description of Cyber Attacks against the Victim

5. In late 2017, the Victim publicly declared candidacy for the U.S. House of Representatives in a California congressional district.

6. During the course of this investigation, the Victim provided the following information to the FBI:

a. As part of campaign efforts, in late 2017, the Victim established a website to provide campaign information and receive donations. The website was hosted by the website-hosting company SiteGround.

b. Between April 2018 and May 2018, the Victim's website was targeted and disrupted by four DDoS attacks. At the time of each attack, the Victim's website was forced offline because of uncharacteristically high Internet traffic. The attacks caused the Victim's website to crash and be unavailable for approximately 21 hours cumulatively.

c. The Victim observed the four attacks beginning on or about the following dates and times (all Pacific Daylight Time ("PDT")):[1]
i. April 20, 2018, at approximately 6:38 p.m.;
ii. April 21, 2018, at approximately 3:52 p.m.;
iii. April 28, 2018, at approximately 4:59 p.m.; and
iv. May 29, 2018, at approximately 8:00 p.m.

7. Based on my training and experience, and conversations with computer scientists and law enforcement personnel, I know the following about DDoS attacks:

a. A DDoS attack is a cyber attack in which a perpetrator seeks to make a computer, website, or network resource unavailable to its intended user(s) by temporarily or indefinitely disrupting services of a host or provider that is connected to the Internet.

b. DDoS attacks are typically accomplished by flooding the targeted computer with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

[1] In a previous affidavit, it was reported that the Victim first observed three of the attacks at times different than those above, that is, April 20, 2018 at 6:31 p.m., April 21, 2018 at 3:49 p.m., and May 29, 2018 at 9:09 p.m. I believe the times reported previously were the Victim's and the Victim's [illegible] best understanding of when the attacks were initiated, according to their internal investigation, and not necessarily when the Victim first observed the activity. The times reported here correspond to when the Victim reported first observing the activity.

8. In October 2018, the FBI learned the following information from the Victim's campaign manager and from the Victim's IT Specialist:

a. Following the second attack on or about April 21, 2018, the Victim hired an IT specialist to troubleshoot the problem and prevent further attacks and disruptions. Despite the efforts by the IT Specialist, the website hosting company, the Victim's campaign manager, and other campaign staff, the Victim's website suffered additional attacks on or about April 28, 2018 and May 29, 2018.

b. The attack on or about April 28, 2018, occurred just before the start of a live political debate, which featured the Victim and his two opponents. This attack shut down the Victim's website and it remained offline throughout the debate.

c. The final DDoS attack occurred on or about May 29, 2018, approximately one week prior to Primary Election Day on June 5, 2018.

d. On or about June 5, 2018, the Victim lost the primary election by failing to gain enough votes to advance to the general election.

9. In May 2019, the Victim provided information to the FBI that as a result of the attacks, the Victim suffered various harms, including a reduction in political donations and campaign visibility, and between approximately $27,000 and $30,000 in expenditures and lost time to respond to, investigate, and mitigate the attacks. The Victim also reported what he/she believed were other consequential harms suffered from the attacks, including losing the election by fewer than 3,000 votes, and having to donate $21,000 to the campaign after the election to cover shortfalls in fundraising targets in the last weeks of the campaign.

B. Website Hosting Information and Attack Data

10. During the investigation, the Victim provided the following information to the FBI regarding the campaign website:

a. The Victim's website was hosted by the company SiteGround. Initially, the Victim maintained a website hosting package with SiteGround that provided limited website log files. This lower-tier package was used in order to minimize costs.

b. Following each of the four attacks, SiteGround emailed the Victim's campaign and reported that DDoS activity had been observed on the Victim's website and that it had been temporarily shut down to avoid damage. In addition, after the DDoS attacks, SiteGround investigated the website traffic to the Victim's website.

c. In April 2019, the Victim provided the FBI with internal campaign emails regarding the attacks. These emails included observations from campaign staff (the "Campaign Emails"), emails from SiteGround (the "SiteGround Emails"), as well as several minimal log files provided by SiteGround regarding malicious activity to the Victim's website from three of the DDoS attacks, on April 20, 2018, April 21, 2018, and April 28, 2018 (the "April Log Files").

11. During the investigation, SiteGround provided information to the FBI regarding the Victim's website and the four attacks (the "SiteGround Information").

12. I analyzed the Campaign Emails, the SiteGround Emails and the SiteGround Information, and learned the following:

April 20, 2018

a. On or about April 20, 2018, SiteGround emailed the Victim and reported an abnormally high number of simultaneous connections to the Victim's website. SiteGround stated that there were two possible explanations for the abnormal activity: a malicious attack designed to bring down the website, or the "Slashdot effect."[2]

b. On or about April 20, 2018, a SiteGround Senior Technical Support employee emailed the Victim's campaign and referred to the incident as a DDoS attack. The SiteGround Technical Support employee stated that multiple IP addresses[3] were used to bring the website down by generating a lot of access towards it. SiteGround flagged five IP addresses as malicious.

c. On or about April 20, 2018, an employee from the Victim's campaign emailed another campaign employee and stated that SiteGround had advised that the April 20, 2018 attack occurred only to the Victim's website, and not to other websites or applications on SiteGround's server.[4] Based on my training and experience, I know that this information suggests that the Victim's website was targeted specifically and that the incident was not the result of an unrelated problem with the server.

April 21, 2018

d. On or about April 21, 2018, SiteGround emailed the Victim and again reported abnormally high traffic to the Victim's website; SiteGround again provided two possible explanations: a DDoS attack or the Slashdot effect.

e. On or about April 21, 2018, another SiteGround Senior Technical Support employee emailed the Victim's campaign and advised that the influx of traffic appeared to be coming from USAToday.com and that the incident, in fact, did not appear to be a deliberate attack, but organic growth as a result of the Slashdot effect. (As described below, later examination of the traffic does not support this interpretation.) Regardless of attribution, SiteGround flagged 11 IP addresses as malicious.

April 28, 2018

f. On or about April 28, 2018, SiteGround emailed the Victim to again report abnormally high traffic to the Victim's website and again provided the same possible explanations: a DDoS attack or the Slashdot effect.

g. On or about April 28, 2018, SiteGround flagged 28 IP addresses as malicious.[5]

h. In an email between campaign employees on April 28, 2018, at approximately 5:15 p.m. PDT, one of the Victim's campaign advisors stated, "Just got attacked again. Same thing and our site is down. An hour before the biggest debate of the primary." Approximately three hours later, the campaign advisor sent another email to a campaign employee and said, "Use Facebook and other social media to get your message out and to get around your site being down, to spread your debate performance."

[2] The Slashdot effect occurs when a popular website links to a smaller website, causing a massive increase in traffic. The large influx of web traffic overloads the smaller website and causes it to slow down or even temporarily become unavailable.

[3] An IP address, or Internet Protocol address, is the globally unique address of a computer or other device connected to a network, and is used to route Internet communications to and from the computer or other device.

[4] A server typically hosts multiple websites and/or applications.

[5] Prior affidavits in support of search warrants in this investigation reported that SiteGround flagged only 13 IP addresses as malicious. In December 2019, after reviewing records obtained from SiteGround itself, it was discovered that while SiteGround's initial communication with the Victim only identified 13 IP addresses, SiteGround's internal communications reflected that it had identified an additional 15 IP addresses as likely malicious.

13. During the investigation, the FBI investigative team analyzed the April Log Files from SiteGround and found the following information:

a. The April Log Files contained information from visitors to the Victim's website, including the source IP address, the User Agent String (the "UAS"),[6] and the referring Uniform Resource Locator (the "referring URL").[7] Based on my training and knowledge, I know that both the UAS and the referring URL are data points sent by the client to a server; however, the server does not validate the UAS or the referring URL. Based on my training and experience, I know that an individual can "spoof," or falsify, the UAS or the referring URL, and that this type of activity is often used in an attempt to mislead those responding to an incident.

b. A review of the April Log Files found that the referring URLs to the Victim's website during the time of the attacks included URLs from USA Today, Google, and Engadget, all of which are legitimate information companies. However, a closer inspection of the referring URLs found that they were from webpages purportedly from the aforementioned companies, but which did not in fact exist. This type of activity suggests that the referring URLs in the April Log Files were spoofed.

[6] A User Agent String is a "string," that is, a line of text, that identifies the browser and operating system (and sometimes additional data) of a computer to a web server. For example, such a string might look like the following: "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1)". This would indicate that the computer was using Microsoft Internet Explorer (MSIE) version 6.1 as its browser, and was running Windows XP as its operating system (among other data).

[7] A Uniform Resource Locator ("URL") is the address of a specific webpage or file on the internet. The "referring URL" is the web address from which a user was led or "linked" to the current site or page.

14. In April 2019, the Victim told the FBI that during the timeframe of the DDoS attacks (April 2018 and May 2018), the Victim was not aware of any USA Today articles involving him/her or the campaign (and thus, presumably, no reason for the referral URLs seen in the logs to in fact be from USA Today). The Victim was not aware of any viral or rapidly circulating news articles, blogs, or reports that circulated information about him/her. The Victim stated that despite running for political office, there could have been no Slashdot effect to generate the increased traffic because there were no major news articles that covered the Victim or his/her campaign.

15. During the course of the investigation, I searched for USA Today and Engadget articles and other articles which could have generated interest and high website traffic to the Victim's website. However, I did not find any USA Today or Engadget articles on the Victim or any other such articles to support the Slashdot effect theory.

16. During the investigation, the Victim's IT Specialist provided the following information to the FBI:

a. Following the third attack on or about April 28, 2018, the Victim increased cybersecurity measures in order to mitigate DDoS activity, including upgrading the SiteGround account and retaining a separate website security company which specializes in DDoS mitigation. However, on or about May 29, 2018, the Victim's website was disrupted by a fourth attack.

b. Following this fourth attack, the Victim's IT Specialist obtained a website traffic log file from SiteGround (the "May Log File"). In October 2018, the Victim's IT Specialist provided the May Log File to the FBI.

17. I reviewed the May Log File and found that it reflected website traffic to the Victim's website on or about May 29, 2018. Based on this information, I found that 17 IP addresses each accessed or attempted to access the Victim's website more than 10,000 times over an approximate two-hour period.

18. Therefore, according to the April Log Files, the May Log File, and the SiteGround Emails, I found that a total of 46 unique IP addresses (the "46 IP Addresses") accessed or attempted to access the Victim's website in a manner consistent with DDoS activity between April 2018 and May 2018.
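The log review described in paragraphs 13 and 17 (counting requests per source IP over a time window, then looking at the client-supplied referring URLs carried by the high-volume sources) can be reproduced on ordinary web-server access logs. The following is an added illustration written for this page; it is not code from the complaint, the FBI or SiteGround, and the actual format of the SiteGround log files is not described in the affidavit. It assumes the common Apache/Nginx "combined" log format, the constructed sample lines in make_sample_log() (RFC 5737 documentation addresses, invented article paths), and a scaled-down threshold for the demo; the defaults of triage() use the affidavit's own figures of more than 10,000 requests in roughly two hours. The referer hosts it reports are leads to verify, since the server never validates that header.

```python
"""Per-source-IP request-rate triage over web-server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Apache/Nginx "combined" format:
#   ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<uas>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
PDT = timezone(timedelta(hours=-7))  # the affidavit reports all times in PDT


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def flag_high_volume(records, threshold, window):
    """Return {ip: peak count} for every IP that sent more than `threshold`
    requests inside some sliding window of length `window`."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def referer_hosts(records, ips):
    """Referer hosts claimed by the flagged IPs. The client chooses this header,
    so a claimed news-site referer is something to verify (does that page
    exist, did it really link here?), not evidence of organic traffic."""
    hosts = defaultdict(set)
    for r in records:
        if r["ip"] in ips and r["referer"] not in ("", "-"):
            hosts[urlsplit(r["referer"]).hostname].add(r["ip"])
    return {host: sorted(v) for host, v in hosts.items()}


def triage(lines, threshold=10_000, window_seconds=2 * 3600):
    """Full pass: parse, flag high-volume sources, collect their referers."""
    records = [r for r in map(parse_line, lines) if r]
    flagged = flag_high_volume(records, threshold, timedelta(seconds=window_seconds))
    return flagged, referer_hosts(records, set(flagged))


def _line(ip, when, referer, uas):
    return (f'{ip} - - [{when.strftime(TIME_FMT)}] "GET / HTTP/1.1" 200 5123 '
            f'"{referer}" "{uas}"')


def make_sample_log():
    """Constructed sample (not real SiteGround data): two flood sources that
    each claim a news-site referer for a page that does not exist, plus one
    ordinary visitor and one malformed line."""
    t0 = datetime(2018, 5, 29, 19, 53, 0, tzinfo=PDT)
    win = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/59.0"
    mac = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) Safari/605.1.15"
    lines = []
    for i in range(40):  # 40 requests per source over 78 seconds
        when = t0 + timedelta(seconds=2 * i)
        lines.append(_line("198.51.100.10", when,
                           "https://www.usatoday.com/story/2018/05/29/candidate/", win))
        lines.append(_line("198.51.100.11", when,
                           "https://www.engadget.com/2018/05/29/campaign-site/", win))
    for secs, ref in ((10, "https://www.google.com/"), (100, "https://www.google.com/"), (305, "-")):
        lines.append(_line("203.0.113.5", t0 + timedelta(seconds=secs), ref, mac))
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    flagged, hosts = triage(make_sample_log(), threshold=25, window_seconds=120)
    for ip, peak in flagged.items():
        print(f"{ip}: {peak} requests in a 120 s window")
    for host, ips in hosts.items():
        print(f"claimed referer {host} seen from {', '.join(ips)}")
```

On the constructed input both 198.51.100.x sources exceed the scaled-down threshold while the ordinary visitor does not, and the claimed usatoday.com and engadget.com referers come only from the flooding sources. Against a real log, the next step the affidavit describes is checking whether those referring pages actually exist and whether any such coverage of the site was ever published.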
As noted above, 15 addi tio nal IP addresses were apparently identified by SiteGround.in its internal review of the traffic toward the Victim?s site. However, as those 15 addresses were not included in the correspondence with the Victim, they were not part of my initial inveStigation. .C. ANS Ac?ount Information_ 19. conducted Whois8 Searches on each of the 46 IP addr esSes, plus the 15 additional IP addresses later identified from SiteGround?s records. From these searches, I learned that all 61 of these IP addresses were owned by Amazon Web Services 8 Whois is a query? and? response protecol that is publicly available and widely used for querying databases that store the registered users ,or assignees of an Internet reSource, Such as a_ domain name or address block. Whois query responses provide the contact information for the individual responsible for registering the domain name or the Internet Service Provider which owns the IP block. ?12 .Case Document 1 Filed 02/19/20 Page 14 of 43 Page ID #:14 I (AWS). a company that provides onedemand cloud computing platforms to individuals and companies, on a payeas~you?go basis.? AWS alloWs a subscriber to create multiple.virtual environments at one time. A A i A 20.' Between November 2018 and April 2019, AWS provided the 'following information to the FBI about the originally identified? 4'6 ?addr?sses: . a. All 46 IP addresses were assigned to the same AWS 'account during the time each was used to conduct an attack: Amazon Account Number 619452895481 (the Account?). The AWS Account was subscribed with Ithe email address to the name ?Mike at the fictitious address ?1234, Brooklyn,pNY 11211. 7' c. Billing information for the AWS Account, however, Hidentified the name ?Arthur Dam? (DAM), a telephone number .ending in ?4881, and a billing address on 4th Street in Brooklyn, New Yorkknow, based on my training and experience,, that it is not uncommon? 
for persons wishing to disguise their identity on the Internet to use false or .fictitious information when setting up -online accounts, and many providers of such ,aocounts do not have any mechanism.to verify the identities of their users. However, where those accounts are not free' services, individuals often are obliged to provide information 9 The complete phone number and address were in the records; only limited information is included here for privacy purposes. 13 Case Document 1 . Filed. 02/19/20 Page 15 of 43 'Page ID #:15 I about their true'identities and/orlocations-in order to pay for the services. . . maintained limited logs on the activity of the AWS Account, but these logs did include information' A regarding the computer which accessed the account, in additicn' to dates, times, and IP addresses of user logins and API calls.? - e. rAlthough AWS did not retain detailed activity logs of the AWS account, their records did reflect that the account was active in April 2018 and May 2018. During this time 4 period, the AWS Account was used and.was billed for several AWS ?services, including the following: AWS Data Transfer, Amazon ElaStic Compute Cloud (ECZ), Amazon EC2 Container Registry (ECR) and Amazon Simple Storage Service If i.l I know, based on my training and experience and publicly available information about AWst services, that the services described above, used by the AWS Account in April 2018 and May 2018,.provide the infrastructure and capabilities for a user to rapidly create multiple VPS-instances? and make An API call, also known as an Application Programming a software intermediary that allows two computer applications to communicate, one to send a request and the other to receive and interpret the request. Developers use API calls to request another-computer or program perform a task. 
- llA VPS, or virtual private server, can be thcught of as a digital container that has all of the general processing capabilities of a physical computer, but which is not confined to a particular piece of physical hardware. VPSs_can even be ?moved or stored in different physical locations, and multiple VPSs can be stored on a single piece of physical hardware. An? ?instance? is the term used to describe this digital container, to distinguish it from an actual, physical device. Thus, having multiple VPS instances would be equivalent to having multiple physical servers, without having to acquire the hardwarep 14 Case Document 1 Filed 02/19/20 Page 16 of 43 Page'ID #:16 ?various?API calls.~ These services effectively create a self? contained platform from which the user can conduct activity (among other things, including of course legitimate uses). All files or code repositories can be stored in the -Amazon S3 cloud storage, and can be accessed by API calls from the Amazon Data ?Transfer service.? The code-can then be run from a virtual machine operating as Amazon EC2. The number of virtual machines can scale significantly according to the Code requested in the AEI call. 21. In March 2019, the FBI received information from AWS that the AWS Account was suspended on or aboutheptember 20, ?2018, IIn-March 2019, I conducted openusource research and found (a news article dated September 20, 2018, in which the Victim publicly reported the attacks to an online news agency.l I alSo found several other news articles published on or about the A'same date that referenced the Victim and the original article: I conducted followwup investigation with AWS regarding they I details of the suspension of the AWS Account. AWS advised that it did not suspend or close the AWS Account, and clarified that customers can suspend or close their own accounts at any time. 'According to AWS, there is no distinction between a suspended account and a closed account. 
iTherefore, this data indicates that the AWS Account used to conduct the attacks was selfe suspended/closed on or about September 20, 2018, oneself, and instead by paying for capacity on someone else? hardware (such as The VPS user maintains the ability to direct what the instance is used to do and who has access to it (hence, ?private? ?15 Case Document 1 Filed 02/19/20 Page 17 of 43 Page ID #:17 contemporaneously with the publication of news reports on the attacks. 22. iRecords from AWS further reflect following information: I. I a. On or about April 20, 2018 at approximately 6:31- that is, a few minutes before the Victim observed the first attack, the five IP addresses which SiteGround- flagged as malicious were assigned to the AWS Account. b. On or about April 21,12018, at approximately 3:46 p. m. that is, a few minutes before the Vietim observed the second attack, the 11 IP addresses which SiteGround flagged as malicious were assigned to the AWS Account. c. 'On or about April 28, 2018, at approximately 5:46 the 13 IP addresses which SiteGround first flagged as nmalicious were assigned to the AWS Account. This is consistent ?with logs provided by SiteGround regarding malicious activity on- the Victim? site from these 13 IP addresses, which show activity at exactly 5:46 p.mp PDT. While records were requested from AWS regarding the additional 15 IP addresses identified by SiteGround in its own records relating to the attacks on this. ?date, AWS has indicated that it does not have, or has no longer- Iretained, records identifying a partiCulariAWS account those IP: addresses were used by during the relevant timeframe. . i, Notably, the Victim recalled that the activity on April 28, 2018, began at approximately 4:59 which is earlier than AWS reflect the previously identified 13 IP addresses being assigned to account. 
16 Case Document 1 Filed 02/19/20, Page 18 of 43 Page ID #:18 However, the internal SiteGround communications included logs showing malicious activity_with the 15 previously unknown IE addresses beginning at least as early as 4:56 p.m. PDT, which.is 2 consistent with what the Victim reported.? The Combination of the logs from. SiteGround, Ithe AWS records, and the Victim?s observations suggest that there may have been at least two technically separate attacks On the Victim? site within approximately an hour, but in all likelihood, the Victim simply experienced this as one ongoing attack. di On or about May 29, 2018, at approximately 7:53 p. that is, a few minutes before the Victim nOticed the attack, the 17 IP addresses which SiteGround flagged as I maliciOus were assigned to the AWS Account. .D.V Investigation of the AWS Account Email and Phonex 'Number 23.? In January 2019, Microsoft provided information to the FBI that preatorian_ @hotmail. com the email address used in -the Account_subscription records m_was created using the subscriber. name ?Arthur Slam? in 2002. 24;. In January 2019, Verizon provided information to the FBI that the phone number_ending in *4881 listed in the AWS ?Account information was subscribed to a business, hereafter referred to as ?Company A. 25. In April 2019, the California Employment Development Department provided information to the EBI that DAM has received wages from Company A since at least_2017l 17 Case Document 1. Filed?02/19/20- Page 19 of 43 Page ID #:19 E. Open-source Research Regarding DAM and K.O. 26; In December 2018 and.January 20l9, I conducted open?I sourCe research and.discovered the following information: i a. 
Open?sourcepublic records databases reported an individual named Arthur DAM with a current address at a residence in Santa Monica, California (the ?Santa Monica The public records databases reported-DAM?s historical addresses.in New York, including the same 4th Street, Brooklyn, New York address that was the billing address for the AWS b. Company A is a digital advertising company with offices located internationally and across the United States, including in New York, New York and Venice, California. 0. Numerous online business and marketing profiles reported that DAM worked for Company A. d. - DAM was found to have a personal website, A arthurdam. com. The website is not aCtive currently; however, a publicly viewable archive from March 2016 revealed that the website displayed work affiliation with Company The archive also reported that DAM was fluent in various computer programming languages, including JavaScript, TypeScript,ththon, and.C++. e.7 A wedding website was found providing information on the wedding reception for DAM and K. O. Accordingvto the? website, DAM worked for Company A, while K. 0. studied politicalf science in college and was previously involved in local politics in her hometown. 18? Case Document 1 Filed 02/19/20 Page 20 of 43 Page ID #:20 f. Public records revealed that DAM ande. lived at.the Santa Monica Residence?was found. to maintain active social media :profiles. K. O. publicly disclosed her employment With the Victim?s opponent, who was the eventual election winner. According to social media posts, K.O. was a consultant for the Victimfs opponent and active member of the oppOnent?s campaign: I A F. Further Analysis of -27. Detailed analysis of the AWS logs and associated records for the AWS Account shoWed information on login timestamps, connecting source IP addresses, and limited aCcount activity, as noted below: A I a. 
Between April 2018 and May 2018, the AWS Account was logged into a total of eight times, at the following _approximate dates/times (all in PDT): 1.2 ?April 1, 2018, at 4:36 11. April 2, 2018, at 11 26 111.* April 20, 2018, at?6:1l iv. April 21, 2018, at 3:44 v. April 22, 2018, at 10:05 vi. April 24, 2018, at 3:38 vii. April 28, 2018, at 4:16 and May 29, 2018For each of the eight logins listed above, *connections to the AWS Account were made_from one of two IP 19 Case Documentl Filed 02/19/20 Page?21of43 'addresses: 96.251.72.21712 (?Subject IP Address and 847.151.141.158 (?Subject 19 Address and together With Subject IP Address 1,-the ?Subject IP Addresses?). That isI to. Isay, only these two IP addresses were used to connect to the AWS AcCount and direct activ ities therefrom during the time period in which the attacks were launched from the 46 IP addresses known to be controlled by the AWS Account. 1 1.. I obtained reCords from Frontier Communications, the Internet Service Provider (ISP) that hosts both of the Subject IP Addresses. Those records showed that Subject IIP Address 1 was subscribed to Company A in Venice,- California. SubjeCt IP Address 2 was subscribed to 0. at the Santa Monica Residence. I . In Specific relation to the four attacks, the AWS logs showed logins to the AWS Account on or about the following relevant times (all in PDT): . i. April 20, 2018, atI 6:11 p. from Subject IP 'Address 1; I I 11. April 21, 2018, at 3:44 p.m1 from Subject IP Address I April 28, 2018, at 4:16 p.ml from Subject IP Address 1; and A. i. i iv; xMay 29, 2018, at 7:43 p.m. from Subject IP Address 1. Previous affidavits related to this matter contained a typographical error in the IP address inadvertently listing the first number as 95 rather than 96. The correct records were requested and received from the ISP - . 2O Case Document 1 Filed 02/19/20 Page 2.2 of 43 Page ID #:22 d. 
To summarize information from the AWS_logs and related research: 5 On or about April 20, 2018, at 6:11 plm. the. AWS Account was accessed from Subject IP_Address l, which is subscribed to employer, COmpany A. The first attack initiated approximately 20 minutes later from IP addresses that 'were assigned to the AWS Account just before the attack, at approximately 6:31 p.m. ii. 'On or about April 21, 2018, at 3:44 the AWS Account was accessed from Subject lP Address 2, which is subscribed to K.O. at the Santa Monica Residence. Two minutes ,later, five IP addresses were assigned to the AWS accOunt, and approximately six minutes after that, at approximately 3:52 p.mi, the Victim observed the second attack from those IP 'Addresses. On or about April 28, 2018, at 4:16 _the AWS Accdunt was accessed frOm Subject IP Address 1, Company A: At approximately 4: 59 p. m. the Victim observed the effects of the third attack, and SiteGround?s records reflect malicious activity from IP addresses owned by AWS at least as early as 4:56 p.m. At approximately 5: 46 m. 13 IP addresses were assigned to the AWS account. At approximately the same time, 5:46 13 IP addresSes were used to send malicious traffic to the Victim?s website. - iv. on or about May 29, 20l8, at 7 43_p the AWS Account was accessed from Subject IP Address 1, Company Ten minutes later, at approximately 7:53 17 IP addresses 21? Case Document 1. Filed 02/19/20 Page-23 of'43 Page were assigned to the AWS Account. SiteGround records reflect malicious traf fic from several Of these IP addresses beginning as early as 7: 56 p. m. ,'and the Victim observed the effects of the attack just several minutes later, at approximately 8:00 p.m, with later?downloaded logs reflecting traffic from all 17 of these IP addresses. G. Information from Other Service Providers 28. In March 20l9, Apple Inc. 
("Apple") provided information to the FBI that DAM maintained an Apple account, subscribed in his name and with his address listed as the Santa Monica Residence, and listing two email addresses: preatorian_@hotmail.com (i.e., the email address subscribed to the AWS Account and created under the name "Arthur Slam" with Microsoft) and arthurjdam@gmail.com.

29. In March 2019, Google LLC ("Google") provided to the FBI the following information regarding the second email, arthurjdam@gmail.com:

a. The preatorian_@hotmail.com address was the recovery email for the account. I know, based on my training and experience, that providers like Google will often ask users to provide a "recovery" or "secondary" email in order to make it easier for a user to regain access to their account if they forget their password or are locked out. Thus, both the primary and recovery email are by nature usually controlled by the same person.

b. The account was subscribed in the name "ArthurDam" and with the same telephone number ending in -4881 as the AWS Account.

30. In March 2019, Microsoft provided additional information to the FBI regarding the preatorian_@hotmail.com email address, including email headers of messages sent to and from that address. Based on these email headers, I found that on or about Saturday, April 28, 2018, the day of one of the attacks, several emails were sent to a Craigslist email address ending in -42abe@reply.craigslist.org. Craigslist is a classified advertisement website which allows users, among other things, to list items for sale and to exchange communications with other users who may wish to purchase those items. For privacy purposes, Craigslist anonymizes the email addresses of all individuals who post or reply to advertisements. When a Craigslist subscriber creates a post, a unique posting ID is assigned by Craigslist, and all emails to or from the poster use a Craigslist email address which incorporates the posting ID. For example, if the Craigslist posting ID was 123456, then Craigslist will automatically mask the poster's true email address with an email address ending in 123456@sale.craigslist.org. Similarly, if a user responds to an advertisement, Craigslist will assign an anonymized address like that ending in -42abe@reply.craigslist.org, to which the preatorian_@hotmail.com address sent messages.

31. In April 2019, Craigslist provided information to the FBI regarding the Craigslist account associated with the preatorian_@hotmail.com email address (the "Craigslist Account"). This Craigslist Account was subscribed to the user "Arthur" with no last name provided. Based on the information provided by Craigslist, I found that on or about April 26, 2018, the Craigslist Account created Craigslist posting ID 6572766908, which was an advertisement to sell a small drone. The posting listed "Arthur" as the contact name and was created from Subject IP Address 1, Company A.

32. In April 2019, Microsoft provided additional information to the FBI regarding the preatorian_@hotmail.com email address, including contents of communications within the account. Included in this information were copies of the communications with the anonymized Craigslist email address ending in -42abe@reply.craigslist.org which were sent on or about Saturday, April 28, 2018, i.e., the date of one of the attacks. From these emails, I discovered that the individual communicating via the email address ending in -42abe@reply.craigslist.org (the "Craigslist Buyer") expressed interest in buying the small drone. The email correspondence from April 28, 2018 between preatorian_@hotmail.com and the Craigslist Buyer appears below:

April 28, 2018, 10:20 a.m. PDT, Craigslist Buyer: Hello I am interested in your Mavic Pro. Still available? Has it ever been crashed?

April 28, 2018, 11:22 a.m. PDT, preatorian_@hotmail.com: Hi [Craigslist Buyer], Yep, it's still available.
No crashes at all and the drone is in great condition.

April 28, 2018, 11:32 a.m. PDT, Craigslist Buyer: Great! Are you available today to come check it out?

April 28, 2018, p.m. PDT, preatorian_@hotmail.com: If you're cool on the asking price you're definitely welcome to have a look. The drone is at my office in Venice, want to swing by there later today? What time would work?

April 28, 2018, 2:12 p.m. PDT, Craigslist Buyer: I am cool with the asking price. I can head out as soon as possible. What time works for you?

April 28, 2018, 2:17 p.m. PDT, preatorian_@hotmail.com: If it helps, my wife is actually heading to Santa Clarita later today. She has no idea how the thing works or anything, so it might be a bit difficult of a sell. Otherwise, I can be in Venice anywhere after 3:15pm. The address is [Company A's street address], give me a ring on [redacted]4881 once you're (the doorbell doesn't really work)

April 28, 2018, 2:19 p.m. PDT, Craigslist Buyer: Thank you for the kind gesture, but was hoping to having in the Venice area anyway so I don't mind heading to Venice. I'll give you a ring once I am close. Thanks again

April 28, 2018, 2:24 p.m. PDT, preatorian_@hotmail.com: sounds good, see you then!

33. Thus, based on this correspondence between preatorian_@hotmail.com and the Craigslist Buyer, I learned the following:

a. The user of preatorian_@hotmail.com used the telephone number ending in -4881, i.e., the telephone number subscribed to the AWS Account.

b. The user of preatorian_@hotmail.com worked at the street address for Company A in Venice, California, which is also the location of Subject IP Address 1, which accessed the AWS Account.

c. The user of preatorian_@hotmail.com requested the Craigslist Buyer come to the user's work office at Company A on the afternoon of April 28, 2018, in order to see and buy the small drone.

H. Meeting at Company A Prior to the April 28, 2018 Attack

34. In June 2019, the Craigslist Buyer provided the following information to the FBI:

a. In April 2018, the Craigslist Buyer was browsing postings for small drones on Craigslist. On or about the morning of Saturday, April 28, 2018, the Craigslist Buyer found the public posting from the Craigslist Account. The Craigslist Buyer initially replied to the advertisement by using the Craigslist email button on the website. The Craigslist Buyer emailed the poster several times. The poster's email address was (As described above, Craigslist anonymizes the email addresses of individuals who post advertisements and incorporates the posting ID into the anonymized email address.) In their email correspondence, the Craigslist Buyer inquired whether the drone was still for sale and its condition. The poster advised the Craigslist Buyer that the drone was at the poster's office in Venice, California and that the Craigslist Buyer could come after 3:15 p.m. on April 28, 2018, to see the drone in person. The poster advised that Company A's street address in Venice, California was the poster's office and where the drone was located. The poster also provided the telephone number ending in -4881, and requested that the Craigslist Buyer call upon arrival at the office.

b. On or about the afternoon of April 28, 2018, the Craigslist Buyer arrived at the office building located at the street address for Company A in Venice, California. Upon arrival, the Craigslist Buyer called the provided number ending in -4881. The Craigslist Buyer thought that the office was closed because no employees or visitors were present. A tall[13] white male emerged from the office and escorted the Craigslist Buyer inside, where the drone was sitting. The Craigslist Buyer understood the office to be the male's place of work. The Craigslist Buyer advised that the male appeared to be the only person inside the office. The Craigslist Buyer inspected the drone and agreed to buy it for $660. The Craigslist Buyer paid the male in cash and departed. The Craigslist Buyer did not recall the male's name.

[13] DAM is approximately six feet, seven inches tall.

c. As described above, the AWS Account was accessed from Company A in Venice, California on or about April 28, 2018 at approximately 4:16 p.m. Shortly thereafter, a DDoS attack was initiated against the Victim via the AWS Account.

d. In May 2019, the FBI received information from JP Morgan Chase Bank regarding accounts maintained by DAM. According to this information, I found that on or about April 30, 2018, a $660.00 cash deposit was made into DAM's checking account. A review of this account and DAM's other known accounts revealed that DAM seldom makes cash deposits. Therefore, I believe this cash deposit was the money received from selling the drone to the Craigslist Buyer on or about April 28, 2018.

I. Further Information from Google

35. In June and July 2019, Google provided additional information about two Google accounts, arthurjdam@gmail.com and arthur@[Company A].com.[14] The first of these is one of the two email accounts tied to DAM's Apple account, subscribed in DAM's name. The second is an enterprise email account for Company A provided by Google. This account is also subscribed to DAM and his known identifiers, including the telephone number ending in -4881 (the same telephone number subscribed to the AWS Account). Google provided contents of communications for these accounts, as well as location information, and searching and browsing history. Based on my training and experience, I know that Google location history is a Google Account-level setting that tracks a subscriber's physical location and account activity, based on a variety of inputs, including cellular data, GPS information, address,
past activity and other information. The service is enabled by default on every mobile device of a subscriber who is signed into his/her Google account. For example, a subscriber's location can be tracked when a search is conducted, an app is accessed, or when another Google service or product is used. The searching and browsing history reflects searches conducted using Google's search engine by the user of a Google account, and web pages browsed to using Google's Chrome browser, while the user is logged into their Google account.

[14] The actual company name for Company A is part of the email address, but is anonymized in this affidavit.

1. Relevant Email Contents

36. Within the email contents for the account arthurjdam@gmail.com was a message sent on or about April 28, 2018, at approximately 10:28 p.m. to an email address belonging to the Victim's opponent's campaign (and employer). The subject of the email was "Guestlist" and the email body contained a chart of donors, contribution amount, and date. That is to say, the user of this email account emailed the campaign of the Victim's opponent what appeared to be campaign information, just several hours after the start of the third attack on the Victim's site and after the conclusion of the televised political debate.

2. Relevant Location History

37. The Google location data history for the account arthur@[Company A].com revealed the following information.

a. Shortly before three of the four attacks, the user of the account was physically located at Company A, in Venice, California at the approximate times the AWS Account was accessed from Subject IP Address 1, which is subscribed to Company A in Venice, California. Specifically, the location data shows that the user of the arthur@[Company A].com account (presumably DAM) was at Company A on or about the following relevant dates/times (PDT):

i. April 20, 2018, at 6:55;
ii. April 28, 2018, at 3:54; and
iii. May 29, 2018, at 5:52 p.m.

b. The location data history further showed that the user of this account was at the Santa Monica Residence at the approximate time the AWS Account was accessed from that same location prior to the remaining attack. Specifically, the user was at the Santa Monica Residence on or about April 21, 2018 at 3:32 p.m. PDT. Therefore, I believe this information shows that DAM was in the same location from which the AWS Account was accessed, at the same approximate time of the logins to the AWS Account, just prior to the initiation of each of the four attacks against the Victim.

In addition, the location history data showed that the user of this account was in the vicinity of the Santa Monica Residence on or about April 22, 2018, at approximately 10:31 a.m. As noted previously, according to login information from AWS, on or about April 22, 2018, at approximately 10:05 a.m., the AWS Account was accessed from Subject IP Address 2, or the Santa Monica Residence. That is to say, the location history of the arthur@[Company A].com Google account showed that the user was at the same general location where the AWS Account was accessed at nearly the same time it was accessed.

3. Relevant Search and Browsing History

38. The search and browsing history records from Google showed that between March 2018 and June 2018, the user of both the arthur@[Company A].com and arthurjdam@gmail.com[15] accounts (believed to be DAM) visited the Victim's website, the same website that was targeted and attacked by the four attacks in April 2018 and May 2018, and conducted extensive research on the Victim, on the structure and programs of the Victim's website, and on how to conduct various types of DDoS attacks and other cyber attacks.

39. As specific examples, this data showed that on or about March 31, 2018, April 16, 2018, and June 5, 2018, the user of the account arthurjdam@gmail.com conducted several Google searches for the Victim's name and his employer's name, visited websites relating to the Victim and the Victim's employer, and visited the Victim's Twitter profile. Interspersed between some of these searches and website visits, the user conducted a variety of searches on terms relating to DDoS mechanisms.

40. Further, the data showed that the user of the arthurjdam@gmail.com account visited the Victim's campaign website on or about the following dates/times (PDT):

a. March 31, 2018, at 2:52 p.m.;
b. April 16, 2018, at 7:29 p.m.; and
c. June 5, 2018, at 7:00 p.m.

[15] In prior affidavits, the search and browsing history information reported in this section was inadvertently attributed only to arthur@[Company A].com. The information is correctly associated with both of DAM's Google accounts, as written above.

41. In addition, the data showed that the user of the arthur@[Company A].com account visited the Victim's campaign website on or about June 5, 2018 at approximately 11:21 a.m.

42. On or about March 31, 2018, shortly after visiting the Victim's campaign website, the user searched for "slow loris nodejs." Based on my training and experience, I know that a "Slow Loris" (or "Slowloris") attack is a kind of DDoS attack, designed to take down a web server computer through the use of only minimal bandwidth by sending requests that seem slower than normal but otherwise mimic regular traffic.[16] The tool generally works by making partial connection requests to the targeted web server. The targeted server's maximum concurrent connection pool is then filled with partial requests and connections, which then deny additional incoming connection requests from legitimate visitors. The reference to "nodejs" in the search refers to "node.js," which is an open-source server environment that executes JavaScript code outside of a browser. This would be the environment in which the attacker would attempt to run the Slow Loris attack.

[16] Apparently named after a small primate from Southeast Asia, the slow loris, which is known for moving slowly and making little or no noise, but which has a toxic bite.

43. On or about March 31, 2018, after conducting additional searches about the Slow Loris attack and about the Victim, and then visiting the Victim's opponent's campaign website, the user conducted several searches for physical equipment with the capabilities to conduct DDoS activity. Specifically, the user of the arthurjdam@gmail.com account searched for "juniper ex3300" and then visited Juniper Networks' website regarding the Juniper EX3300 Ethernet switch. This device is designed to scale rapidly expanding networks and is marketed to school campuses and data centers, where demand for computer power might quickly increase. The equipment allows a single user to quickly amplify computer environments. Based on my training and experience, I know that this type of Ethernet switch can be used to effect DDoS activity, as a single user can quickly generate multiple computer environments and direct activities therefrom.

44. On or about April 16, 2018, the user of the arthurjdam@gmail.com account also searched for and visited the website of a search engine known as "Shodan" at shodan.io. Shodan is an open-source research tool that, among other things, provides information on the types of programs and content management systems used by a website or IP address. Based on my training and experience, I know that Shodan is typically used by both cybersecurity researchers and cyber criminals to identify vulnerabilities of a computer, website, or network, the former users to heighten security measures and the latter users for exploitation.
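The Slowloris mechanism the affidavit describes in paragraph 42 leaves a distinctive server-side footprint: many connections from one client that stay open for a long time without ever completing their request headers, while the access log stays quiet, because a request that never completes is never logged. The following Python is an added example, not part of the affidavit or of any party's own tooling; it flags that pattern from a snapshot of a server's connection table. The snapshot format, the IP addresses and the thresholds are assumptions constructed for the example.

```python
"""Flag clients holding many long-lived connections whose HTTP request headers
never complete: the server-side footprint of a Slowloris-style attack.
Added example; the connection snapshot below is constructed, not case data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    client_ip: str
    age_seconds: float       # how long the socket has been open
    headers_complete: bool   # True once the blank line ending the headers arrived


# Constructed snapshot of a server's connection table (the real source would be
# the server's status page or socket table, an assumption of this example).
# A healthy client finishes its headers within milliseconds; the 198.51.100.7
# connections show the partial-request pattern described in the affidavit.
SAMPLE_CONNECTIONS = (
    [Conn("198.51.100.7", 45.0 + i, False) for i in range(30)]
    + [
        Conn("203.0.113.10", 0.3, True),
        Conn("203.0.113.11", 1.2, True),
        Conn("203.0.113.12", 12.0, False),  # one genuinely slow mobile client
    ]
)


def slowloris_suspects(conns, *, stalled_after=20.0, min_stalled=10):
    """Return {client_ip: stalled_count} for clients that hold at least
    min_stalled connections open longer than stalled_after seconds without
    complete headers. A single slow client never reaches the threshold."""
    stalled = defaultdict(int)
    for c in conns:
        if not c.headers_complete and c.age_seconds >= stalled_after:
            stalled[c.client_ip] += 1
    return {ip: n for ip, n in stalled.items() if n >= min_stalled}


def pool_pressure(conns, pool_size):
    """Fraction of the worker pool occupied by header-incomplete connections.
    This ratio climbs toward 1.0 during the attack while request volume in the
    access log stays flat, which is why connection state, not the access log,
    is the place to look."""
    incomplete = sum(1 for c in conns if not c.headers_complete)
    return incomplete / pool_size


if __name__ == "__main__":
    print(slowloris_suspects(SAMPLE_CONNECTIONS))
    print(f"pool pressure: {pool_pressure(SAMPLE_CONNECTIONS, pool_size=150):.2f}")
```

The mitigation that matches this detection is a bound on how long the server waits for headers: Apache's mod_reqtimeout (RequestReadTimeout), nginx's client_header_timeout, and, for the node.js environment the search referred to, the headersTimeout property of http.Server all close a connection whose headers do not arrive in time, freeing the pool slot the partial request was holding.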
After searching for and visiting Shodan's website, the user of arthurjdam@gmail.com conducted Google searches for specific vulnerabilities relating to the configuration of the Victim's website. For example:

a. On or about April 16, 2018, the user searched for "shareaholic exploit." I know, based on my training and experience, that an "exploit" refers to a software tool designed to take advantage of a flaw in a computer system, typically for malicious purposes such as installing malware or identifying a vulnerable point of attack. According to open-source research, the Victim's website features "Shareaholic" plugins. Based on my training and experience, I know that Shareaholic is an online marketing company that provides website plugins and other tools for users to market and promote a website. Notably, Shareaholic offers "social share buttons" which users can embed into their websites for visitors to easily share content on any social sharing service. I am aware that cyber criminals sometimes target third-party plugins or software, such as Shareaholic's social share buttons, in order to gain unauthorized access.

b. On or about April 16, 2018, the user searched for "wordpress 4.9.5 exploit" and "wordpress pingback address." According to open-source research, the Victim's website used the system software WordPress. WordPress is an open-source content management system, which is typically used to build and maintain websites. Based on my training and experience, I know that a "pingback" is a method for website authors to obtain notification when other authors link to one of their domains. I know that WordPress is one of several companies which supports automatic pingbacks, and that a website developer can configure the automatic pingbacks to a specific website. Based on my training and experience, I know that cyber criminals have exploited WordPress's automatic pingback system so that regular and legitimate traffic to certain websites creates DDoS activity against a target website.

c. On or about April 16, 2018, the user searched for "simple amplification attack" and visited a YouTube video which discussed how to conduct DDoS attacks. I am aware, based on my training and experience, that an "amplification attack" refers to a kind of DDoS attack that leverages other internet sites and tools, such as DNS resolvers used to look up website addresses. In an amplification attack, the attacker sends a small query to one of these sites that causes it to generate a large response, which is then directed to the victim computer in order to attempt to overwhelm that computer. The user then searched "40000 seconds to hours"; I believe this latter query was an attempt to understand in meaningful terms how long a 40,000 second attack would last (as such attacks are usually measured in seconds), that is, approximately 11 hours.

d. On or about April 16, 2018, the user searched for "5.6.36 exploit" and visited a web page with partial code on how to conduct a denial-of-service attack using . Based on my training and experience, I know that is an open-source relational database management system which is often used to support web servers and email servers. The numbers 5.6.36 from the user's search reflect the version used by the Victim's website.

4. Expanded Timeline of Search and Browsing History

45. Examining the search and browsing history data in expanded detail for certain dates revealed additional information about the specific actions of the user of this account. For example, on or about March 31, 2018, at the approximate times listed (PDT), the user of the arthurjdam@gmail.com account conducted the following activity (among other activity):

a. At 2:51 p.m. the user conducted a Google search for the name of the Victim's employer.
b. At 2:51 p.m. the user visited the website of the Victim's employer.
c. At 2:52 p.m. the user visited the Wikipedia page of the Victim's employer.
d. At 2:52 p.m. the user conducted a Google search for the Victim's last name.
e. At 2:52 p.m. the user visited the Victim's campaign website.
f. At 3:12 p.m. the user searched for "slow loris nodejs."
g. The user visited a webpage titled "Slowloris: Unleash the Slow Loris" with information on how to conduct a DDoS attack.
h. At 3:13 p.m. the user conducted a Google search for the Victim's full name.
i. At 3:25 p.m. the user visited the Victim's Twitter profile.
j. At 3:26 p.m. the user visited the website of the Victim's employer.
k. At 3:29 p.m. the user again searched for "slow loris nodejs."
l. The user again visited the webpage titled "Slowloris: Unleash the Slow Loris."
m. At 3:45 p.m. the user visited a Los Angeles Times news article on the Victim.
n. At 3:46 p.m. the user conducted a Google search for the Victim's name and the Victim's employer.
o. At 3:46 p.m. the user visited a Ballotpedia.org page on the Victim.
p. At 3:47 p.m. the user searched for the name of the campaign for the Victim's opponent, employer.
q. At 3:47 p.m. the user visited a historical web article on the Victim.
r. At 3:47 p.m. the user visited the campaign website of the Victim's opponent.
s. At 3:52 p.m. the user searched for "juniper" which, as noted above, corresponds to specialized equipment that provides a platform with capabilities to conduct DDoS activity.

46. As another example, on or about April 16, 2018, at the approximate times listed (PDT), the user conducted additional research on the Victim, the Victim's website, DDoS attacks and other cyber attacks, including the following:

a. At 12:26 p.m. the user searched for the Victim's full name.
b. At 12:27 p.m. the user visited Shodan.io.
c. At 12:49 the user searched for "Pure-FTPd exploit" (as noted above, an "exploit" is a tool designed to take advantage of a flaw in a computer system, typically for malicious purposes; this search appears to target such a tool to damage a particular kind of server).
d. At 2:27 the user searched for "shareaholic exploit."
e. At 2:28 p.m. the user searched for "simple amplification attack," which, as noted above, is a type of DDoS attack.
f. At 2:28 p.m. the user visited a YouTube video titled "Demonstration of a Simple DNS Amplification Attack," which I know to refer to another kind of DDoS attack.
g. At 6:19 the user searched for "wordpress 4.9.5 exploit."
h. At 7:19 p.m. the user searched for "wordpress pingback address," and then "wordpress pingback access"; as described above, a "wordpress pingback" is a known method of conducting a DDoS attack.
i. At 7:28 p.m. the user searched for the Victim's full name.
j. At 7:29 p.m. the user visited the Victim's website.

J. Interview of DAM

47. On or about November 13, 2019, I interviewed DAM and K.O. at the Santa Monica Residence, during which I learned the following:

a. DAM was familiar with AWS and its services.

b. DAM previously had an account with AWS for personal use.

c. Initially, DAM stated that he had closed his AWS account approximately eight years ago, that is, circa 2011. DAM later clarified that he did not remember exactly when he had closed the AWS account, but that it had been closed for several years. When asked if he had paid for an AWS account in the last two years, DAM said he did not think he had, but said he could double-check to see if there was an account that was not properly closed. He reiterated that such an account would have been closed a long time ago, possibly when he lived in Amsterdam or New York.
K.O. clarified that they lived in New York from 2014 to 2015.

i. In July 2019, AWS provided information to the FBI that DAM is the subscribed user of a second AWS account, AWS account 266864327451. This second account was created in July 2016 and was active until at least July 2019. This second account was subscribed to DAM and to his known facilities, including arthurjdam@gmail.com and his telephone number ending in -4881. In other words, DAM had two active AWS accounts at the time of the attacks in April 2018 and May 2018. In fact, DAM had both accounts until September 2018, when the AWS Account was self-suspended and closed, presumably by DAM, and maintained the other AWS account until at least July 2019.

d. During the interview, I provided a list of search terms, including "slow loris nodejs," "simple amplification attack," and "40000 seconds to hours," among other terms taken from the search and browsing history of DAM's Google accounts. In response, DAM told me the following:

i. DAM stated he was an engineer who creates websites and ensures that they are safe from vulnerabilities.

ii. DAM stated that the provided search terms often come up at his work.

e. DAM stated that he conducts DDoS attacks as part of his job. These attacks are conducted on internal work projects as part of penetration testing. DAM stated that he has conducted attacks on his own projects.

f. DAM stated that he has never conducted a DDoS attack on someone else's website or server.

K. Interview of Supervisor

48. On or about November 13, 2019, I interviewed DAM's supervisor at Company A, O.K., from whom I learned the following information:

a. DAM is very technical, and part of his job is to troubleshoot any information technology issues for the office.

b. Company A occasionally uses AWS for special projects on behalf of clients. When AWS is used, the company specifically uses the AWS S3 service, which is a cloud storage service.

c. Company A does not use AWS virtual machines. O.K. stated that he could not think of a reason why the company would need to use AWS virtual machines or any AWS service to rapidly expand computer environments.

d. Occasionally, clients request penetration testing on projects. O.K. advised that all penetration testing is done by external, third-party companies for accountability and integrity. O.K. was not aware of any internal penetration testing conducted by employees.

e. O.K. provided the FBI a copy of the company's employee handbook, which stated in part that employees are not allowed to use company property or equipment in a way that disrupts the networks of other users.

L. Search Warrant

49. In November 2019, the FBI executed search warrants at the Santa Monica Residence and Company A's offices. A preliminary review of items seized revealed the following information:

a. According to multiple digital devices, DAM was the user of the telephone number ending in -4881.

b. According to multiple digital devices, DAM was the user of preatorian_@hotmail.com.

c. Electronic correspondence DAM had with others confirmed his working knowledge of AWS and its servers.

d. DAM's iPhone, with the telephone number ending in -4881, had cookies[17] for the domain "signin.aws.amazon.com", which is the AWS sign-in page. According to the cookies, DAM's iPhone accessed the AWS sign-in page on September 22, 2018, or two days after the AWS Account was self-suspended/closed.

[17] A cookie is a string of characters and numbers stored on a computer's web browser. Providers often use cookies to recognize when the same device returns to access an account.

CONCLUSION

50. For all the reasons described above, there is probable cause to believe that ARTHUR JAN DAM violated 18 U.S.C. 1030(a)(5)(A) (Intentionally Damaging and Attempting to Damage a Protected Computer).

Elliott Weideman
Special Agent
Federal Bureau of Investigation

Subscribed to and sworn before me this ___ day of February, 2020.

HONORABLE MICHAEL R. WILNER
UNITED STATES MAGISTRATE JUDGE
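The timeline reasoning in section F above pairs each attack with the account login that preceded it and reads off the lead time (about 20 minutes, then 8, then 40, then 13). The following Python is an added example, not part of the affidavit or of AWS's or the FBI's tooling, that performs that pairing generically: it takes a list of logins and a list of attack-onset times and, within a configurable window, finds the latest login before each attack and the logins that precede no attack at all. The event list is constructed from the clock times the affidavit states; three of the eight logins had no legible a.m./p.m. on the page, and the example places those in the afternoon as an assumption.

```python
"""Pair attack onsets with the account logins that preceded them.
Added example; events are constructed from the times stated in the affidavit."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    when: datetime   # naive local time (PDT in the constructed data)
    source: str      # where the session came from


@dataclass(frozen=True)
class Attack:
    when: datetime   # earliest time malicious traffic was recorded
    label: str


IP1, IP2 = "Subject IP Address 1", "Subject IP Address 2"

# The eight logins listed in section F. a.m./p.m. for April 1, April 2 and
# April 24 is not legible on the page; afternoon is assumed here.
LOGINS = [
    Login(datetime(2018, 4, 1, 16, 36), IP1),
    Login(datetime(2018, 4, 2, 11, 26), IP1),
    Login(datetime(2018, 4, 20, 18, 11), IP1),
    Login(datetime(2018, 4, 21, 15, 44), IP2),
    Login(datetime(2018, 4, 22, 10, 5), IP2),
    Login(datetime(2018, 4, 24, 15, 38), IP1),
    Login(datetime(2018, 4, 28, 16, 16), IP1),
    Login(datetime(2018, 5, 29, 19, 43), IP1),
]

# Earliest recorded malicious traffic for each of the four attacks.
ATTACKS = [
    Attack(datetime(2018, 4, 20, 18, 31), "first attack"),
    Attack(datetime(2018, 4, 21, 15, 52), "second attack"),
    Attack(datetime(2018, 4, 28, 16, 56), "third attack"),
    Attack(datetime(2018, 5, 29, 19, 56), "fourth attack"),
]


def correlate(logins, attacks, window_minutes=60):
    """For each attack, in time order, return (attack, login_or_None, lead_minutes).
    The login chosen is the latest one that occurred no more than window_minutes
    before the attack; None means no login falls inside the window."""
    window = timedelta(minutes=window_minutes)
    results = []
    for atk in sorted(attacks, key=lambda a: a.when):
        prior = [lg for lg in logins if timedelta(0) <= atk.when - lg.when <= window]
        if not prior:
            results.append((atk, None, None))
            continue
        login = max(prior, key=lambda lg: lg.when)
        lead = int((atk.when - login.when).total_seconds() // 60)
        results.append((atk, login, lead))
    return results


def lead_minutes(logins, attacks, window_minutes=60):
    """Just the lead times, one per attack (None where nothing matched)."""
    return [lead for _, _, lead in correlate(logins, attacks, window_minutes)]


def unexplained_logins(logins, attacks, window_minutes=60):
    """Logins that precede no attack within the window; these need another
    explanation (routine use, reconnaissance, or a different time zone)."""
    matched = {lg for _, lg, _ in correlate(logins, attacks, window_minutes) if lg}
    return [lg for lg in logins if lg not in matched]


if __name__ == "__main__":
    for atk, login, lead in correlate(LOGINS, ATTACKS):
        src = login.source if login else "no login in window"
        print(f"{atk.when:%Y-%m-%d %H:%M} {atk.label}: {src}, lead {lead} min")
    print(len(unexplained_logins(LOGINS, ATTACKS)), "logins precede no attack")
```

The window is the parameter to be explicit about: with the default hour every attack pairs with exactly one login, and narrowing it to ten minutes keeps only the second attack, so a report should state the window used rather than present the pairing as self-evident.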
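Paragraph 44(b) above describes how WordPress's automatic pingback feature has been abused so that other sites' traffic lands on a target. From the target's side that abuse is visible in the access log: each reflecting WordPress installation fetches the target while verifying the pingback, using a User-Agent of the form "WordPress/<version>; <reflector site>; verifying pingback from <address>", where the trailing address is the one that submitted the pingback to the reflector. The following Python is an added example, not from the affidavit or any party to the case, that parses combined-format access-log lines and flags minutes in which many distinct reflectors send such requests. The log lines, addresses and thresholds are constructed for the example.

```python
"""Detect a WordPress pingback reflection flood in a web server access log.
Added example; the log lines below are constructed, not records from the case."""
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent WordPress sends while verifying a pingback it received.
PINGBACK_UA_RE = re.compile(
    r"^WordPress/\S+; (?P<site>\S+); verifying pingback from (?P<origin>\S+)"
)


def _line(ip, ts, ua, path="/"):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 51234 "-" "{ua}"'


SAMPLE_LOG = [
    _line("203.0.113.20", "28/Apr/2018:16:50:03 -0700",
          "Mozilla/5.0 (X11; Linux x86_64) Firefox/59.0"),
    # A single genuine pingback verification: one site, checking its own link.
    _line("203.0.113.21", "28/Apr/2018:16:50:41 -0700",
          "WordPress/4.9.5; https://blog.example; verifying pingback from 203.0.113.21"),
] + [
    # Twelve different WordPress sites all verifying, within one minute, a
    # pingback that the same third address submitted to each of them.
    _line(f"192.0.2.{i}", f"28/Apr/2018:16:56:{i:02d} -0700",
          f"WordPress/4.9.5; https://reflector-{i}.example; "
          f"verifying pingback from 198.51.100.7", "/?p=1")
    for i in range(1, 13)
]


def parse(line):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def minute_of(ts):
    """'28/Apr/2018:16:56:01 -0700' -> '28/Apr/2018:16:56'."""
    return ts[:17]


def pingback_windows(lines, *, min_hits=10, min_reflectors=5):
    """Flag minutes with at least min_hits pingback-verification requests from at
    least min_reflectors distinct reflector addresses. The 'claimed_origins'
    counter collects the address each reflector says submitted the pingback,
    which is the lead worth following up; one legitimate pingback never
    reaches the thresholds."""
    per_minute = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ua = PINGBACK_UA_RE.match(rec["ua"])
        if ua:
            per_minute[minute_of(rec["ts"])].append((rec["ip"], ua["origin"]))
    flagged = {}
    for minute, hits in sorted(per_minute.items()):
        reflectors = {ip for ip, _ in hits}
        if len(hits) >= min_hits and len(reflectors) >= min_reflectors:
            flagged[minute] = {
                "hits": len(hits),
                "reflectors": len(reflectors),
                "claimed_origins": Counter(origin for _, origin in hits),
            }
    return flagged


if __name__ == "__main__":
    for minute, info in pingback_windows(SAMPLE_LOG).items():
        print(minute, info["hits"], "hits from", info["reflectors"], "reflectors;",
              "claimed origins:", dict(info["claimed_origins"]))
```

The claimed origin is reported by the reflectors, not observed directly, so it is a lead to corroborate against other records rather than an attribution on its own; the affidavit's approach of tying attack traffic to provider logs and account logins is the corroboration step.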