Case Document 21-1 Filed 05/20/20 Page 1 of 18
EXHIBIT 1

Magistrate Judge Michelle L. Peterson

CERTIFIED TRUE COPY
ATTEST: WILLIAM M. MCCOOL, Clerk, District Court, Western District of Washington
By Deputy Clerk

UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WASHINGTON AT SEATTLE

UNITED STATES OF AMERICA, Plaintiff,
v.
DENYS IARMAK,
aka "Denys Olegovich Iarmak,"
aka "Denis Jarmak,"
aka "Denys Olehovych Yarmak,"
aka "gaktus,"
aka "gaktusOl,"
aka "denisjarmak,"
Defendant.

NO.
COMPLAINT
Title 18, United States Code, Sections 371, 1029(a)(3), and 2.
Filed Under Seal

BEFORE the Honorable Michelle L. Peterson, United States Magistrate Judge, United States Courthouse, Seattle, Washington.

The undersigned complainant being duly sworn states:

COUNT 1
(Conspiracy to Commit Computer Fraud and Abuse)

I. OFFENSE

1. Beginning at a time unknown, but no later than September 2015, and continuing through on or about November 20, 2019, within the Western District of Washington, and elsewhere, the defendant, DENYS IARMAK, and others known and unknown, did knowingly and willfully combine, conspire, confederate and agree together to commit offenses against the United States, to wit:

a. to knowingly and with intent to defraud, access a protected computer without authorization and exceed authorized access to a protected computer, and by means of such conduct further the intended fraud and obtain anything of value exceeding $5,000.00 in any 1-year period, in violation of Title 18, United States Code, Sections 1030(a)(4) and [illegible]; and

b. to knowingly cause the transmission of a program, information, code, and command, and as a result of such conduct, intentionally cause damage without authorization to a protected computer, and cause loss to one or more persons during a 1-year period aggregating at least $5,000.00 in value and damage affecting 10 or more protected computers during a 1-year period, in violation of Title 18, United States Code, Sections 1030(a)(5)(A) and [illegible].

II. OBJECTIVES OF THE CONSPIRACY

2. The objectives of the conspiracy included hacking into protected computer networks using malware designed to provide the conspirators with unauthorized access to, and control of, victim computer systems. The objectives of the conspiracy further included conducting surveillance of victim computer networks and installing additional malware on the victim computer networks for the purposes of establishing persistence, and stealing payment card track data, financial information, and proprietary, private, and non-public information, with the intention of using and selling such stolen items, either directly or indirectly, for financial gain. The objectives of the conspiracy further included installing malware that would integrate victim computers into a botnet that allowed the conspiracy to control, alter, and damage compromised computers.

III. MANNER AND MEANS OF THE CONSPIRACY

3. The manner and means used to accomplish the conspiracy included the following:

a. The conspiracy developed and employed various malware designed to infiltrate, compromise, and gain control of the computer systems of victim companies operating in the United States and elsewhere, including within the Western District of Washington. The conspiracy established and operated an infrastructure of servers, located in various countries, through which members coordinated activity to further the scheme. This infrastructure included, but was not limited to, the use of command and control servers, accessed through custom botnet control panels, that communicated with and controlled compromised computer systems of victim companies.

b. The conspiracy targeted victims in the Western District of Washington, and elsewhere, using, among other things, phishing techniques to distribute malware designed to gain unauthorized access to, take control of, and exfiltrate data from the computer systems of various businesses. The conspiracy typically initiated its attacks by delivering, directly and through intermediaries, a phishing email with an attached malicious file, using wires in interstate and foreign commerce, to an employee of the targeted victim company. The attached malicious file was embedded malware. The phishing email, through false representations and pretenses, fraudulently induced the recipient to open the attachment and click on the file to unwittingly activate the malware.

c. If the recipient activated the malware, the computer on which it was opened would become infected and connect to one or more command and control servers controlled by the conspiracy to report details of the newly infected computer and download additional malware. The command and control infrastructure relied upon various servers in multiple countries, including, but not limited to, the United States.

d. The conspiracy typically would install additional malware to establish remote control of the victim computer. Once a victim's computer was compromised, the conspiracy would incorporate the compromised machine or "bot" into a botnet.

e. The conspiracy used its access to the victim's computer network and information gleaned from surveillance of the victim's computer systems to install additional malware designed to target and extract particular information and property of value, including payment card data and proprietary and non-public information.

f. The conspiracy frequently targeted payment cards used at the victim companies by customers making legitimate point-of-sale (POS) purchases. In those cases, the conspiracy configured malware to extract, copy, and compile the payment card data, and then to transmit the data from the victim computer systems to servers controlled by the conspiracy.

g. The conspiracy then monetized that stolen payment card data by, among other things, offering the payment card data for sale on various websites dedicated to such carding activity.

IV. OVERT ACTS

4. In furtherance of the conspiracy, and to achieve the objects thereof, the defendants, and others known and unknown, did commit and cause to be committed, the following overt acts, among others, in the Western District of Washington and elsewhere:

a. On or about August 8, 2016, the conspiracy sent multiple phishing emails, containing a file embedded with malware, to an employee of the Emerald Queen Hotel and Casino (EQC), a federally recognized Native American Tribe with locations in Pierce County, within the Western District of Washington.

b. Between on or about March 24, 2017, and April 18, 2017, the conspiracy harvested payment card data from point-of-sale devices from Chipotle Mexican Grill, including dozens of locations in the Western District of Washington.

c. On or about April 28, 2017, DENYS IARMAK communicated with another member of the conspiracy in furtherance of the hacking activity, including discussing the creation and use of phishing emails.

d. On or about July 24, 2017, DENYS IARMAK and another member of the conspiracy discussed information stolen from a victim company.

e. On or about October 27, 2017, DENYS IARMAK and another member of the conspiracy discussed information about the compromised computer system of a victim company.

All in violation of Title 18, United States Code, Section 371.

COUNT 2
(Access Device Fraud)

5. The allegations set forth in the above paragraphs are re-alleged and incorporated as if fully set forth herein.

6. Beginning at a time unknown, and continuing through on or about November 20, 2019, within the Western District of Washington, and elsewhere, the defendant, DENYS IARMAK, and others known and unknown, knowingly and with intent to defraud, possessed fifteen or more counterfeit and unauthorized access devices, namely, payment card data, account numbers, and other means of account access that can be used, alone and in conjunction with another access device, to obtain money, goods, services, and any other thing of value, and that can be used to initiate a transfer of funds, and aided and abetted such conduct; said activity affecting interstate and foreign commerce.

All in violation of Title 18, United States Code, Sections 1029(a)(3), 1029(b)(1), 1029(c)(1)(A), and 2.

And the complainant states that this Complaint is based on the following information:

I, Briana L. Neumiller, being first duly sworn on oath, depose and say:

I. INTRODUCTION AND AGENT BACKGROUND

7. I am a Special Agent with the Federal Bureau of Investigation (FBI), and have been since 2009. I am assigned to the Cyber squad where I investigate computer intrusions. My experience as an FBI Agent includes the investigation of cases involving the use of computers and the Internet to commit crimes. I have received training and gained experience in interviewing and interrogation techniques, arrest procedures, search warrant applications, the execution of searches and seizures, cybercrimes, computer evidence identification, computer evidence seizure and processing, and various other criminal laws and procedures. I have participated personally in the execution of search warrants involving the search and seizure of computer equipment.

8. As set forth herein, I submit that probable cause exists to establish that the defendant, DENYS IARMAK, knowingly and intentionally participated in a scheme to hack the protected computer networks of various victim entities and steal payment card data and information, which constitute unauthorized "access devices," in violation of federal law, to include Conspiracy to Commit Computer Fraud and Abuse, in violation of Title 18, United States Code, Section 371, and Access Device Fraud, in violation of Title 18, United States Code, Sections 1029(a)(3), 1029(b)(1), 1029(c)(1)(A), and 2. Accordingly, I seek the issuance of an arrest warrant for IARMAK.

9. The facts set forth in this Affidavit are based on my own personal knowledge; knowledge obtained from other individuals during my participation in this investigation, including other law enforcement personnel and computer scientists; review of documents and records related to this investigation; communications with others who have personal knowledge of the events and circumstances described herein; and information gained through my training and experience. Because this Affidavit is submitted for the limited purpose, it does not set forth each and every fact that I or others have learned during the course of this investigation.

II. SUMMARY OF PROBABLE CAUSE

A. Background

10. U.S. authorities are investigating a transnational cybercriminal group engaged in a hacking and fraud scheme. Since at least September 2015, and continuing to the present, the group has attacked the protected computer networks of hundreds of businesses with the goal of infecting computer systems with malicious software (or, "malware") that allows the group to access and steal non-public information, such as customer payment card data. Based on the initial estimates, this hacking scheme has stolen tens of millions of payment card numbers and has caused over 100 million dollars (U.S.) in losses to U.S. financial institutions and companies.

11. The hacking group generally, but not exclusively, targeted computer systems of businesses, primarily in the restaurant, gaming, and hospitality industries, including numerous confirmed victims located in the Western District of Washington. For instance, confirmed victims of the hacking group who have publicly acknowledged being attacked include numerous restaurant chains, such as Chipotle Mexican Grill, including multiple store locations within Western Washington. For example, between approximately March 24, 2017, and April 18, 2017, the group, having successfully breached the protected systems of numerous Chipotle restaurant locations, harvested payment card data from point-of-sale devices, including dozens of locations in the Western District of Washington.

12. The group also targeted the Emerald Queen Hotel and Casino (EQC), a hotel and casino owned and operated by a federally recognized Native American Tribe with locations in Pierce County, within the Western District of Washington. For instance, on or about August 8, 2016, the group, either directly or through intermediaries, sent multiple phishing emails, containing a file embedded with malware, to an employee of EQC.

13. Credit cards compromised through the group's prolific hacking activity affected accounts held at dozens of federally insured financial institutions and credit unions, including, among others, BECU, a credit union headquartered in the Western District of Washington. For example, on or about March 10, 2017, stolen card data related to accounts held at BECU, compromised through the computer network intrusion of a confirmed victim of this hacking group, was used to make unauthorized purchases at a merchant in Puyallup, Washington.

The Hacking Group's Attack Methodology

14. The hacking group generally has targeted restaurants, hotels, and other businesses that engage in high volumes of point-of-sale payment card transactions. Generally, the hacking group attacks victim companies with phishing[1] emails that have attachments that either contain malware or link to malware. The phishing campaign will often involve a call to the recipient of a phishing email and the use of social engineering techniques to encourage the recipient to open the attachment and activate the group's malware.

[1] Phishing is a technique in which the perpetrators use email messages and/or fake websites to trick people into providing information, such as network credentials (user names and passwords) that may later be used to gain access to the victim's systems. Phishing often utilizes social engineering techniques similar to traditional con-artist techniques in order to trick victims into believing they are providing their information to a trusted vendor or other acquaintance. Phishing emails are also often used to trick a victim into clicking on documents or links that contain malicious software that will compromise the victim's computer system.

15. For example, as part of a phishing campaign, a member or affiliate of the hacking group may call a hotel's customer service representative under the pretense of being a customer who wants to make a reservation. The caller will claim falsely that the details of the reservation request can be found in a file attached to an email previously sent by the caller. If the employee opens the attachment and activates the embedded malware, the computer on which it was opened will become infected and connect to the hacking group's command and control servers to report details of the newly infected computer and to download additional malware. The additional malware will run automatically and will connect to additional servers used by the scheme to establish remote control of the infected computer.

16. After gaining access to a victim's computer, the hacking group will deploy a wide variety of malware tools to conduct surveillance, control infected computers, and steal data. One of the hacking group's primary goals is to target point-of-sale systems that process high volumes of payment card transactions. Once the hacking group locates a point-of-sale system, it will use malware to capture and steal payment card data. The stolen data will then be sold on various criminal underground forums or through private sales.

17. The hacking group remains extremely active. The hacking group continues to launch extensive phishing attacks and steal point-of-sale information from businesses, such as fast food restaurants, that process a large volume of point-of-sale transactions. Additional phishing campaigns also indicate that the hacking group has expanded its reach, and is now attacking victims such as law firms and other service providers with access to customer lists or confidential financial information.

The Hacking Group's Use of a Virtual Work Environment

18. The hacking group does not have a central office or work location. Instead, the hacking group uses a distributed work force that relies on a secure, virtual work environment to coordinate its illegal activity. This virtual work environment allows members in different cities and countries to remotely attack, access, and control victim computers in an organized fashion. This virtual work environment also allows the hacking group to control who can access the work environment, thereby protecting the group's illegal activity.

19. One component of the virtual work environment is an elaborate network of servers located throughout the world that the hacking group uses as part of its command and control infrastructure. U.S. authorities have identified and examined a number of these command and control servers. This examination revealed that the servers are used to host control panels that allow the hacking group to remotely access and control compromised victim computers. Log data and intercepted communications demonstrated that members of the hacking group routinely access the control panels from their residences.

20. Another component of the virtual work environment is a number of communication servers located throughout the world that the hacking group uses to facilitate the malware scheme. U.S. authorities have identified and examined a number of these servers. This examination demonstrated that the servers provide the hacking group with both secure channels of communication and virtual platforms on which they coordinate their attacks against victim companies even though each member is working from a remote location. For example, in approximately August 2017, foreign law enforcement provided U.S. authorities with a forensic image of a physical server used by the hacking group (hereinafter, "Server-1"). Analysis of the image showed that Server-1 contained numerous virtual communication servers, including a private Jabber server that permitted members of the hacking group to have communications about their illegal activity. Jabber is an instant messaging service that allows members to send communications through a public or private server. In order to have an account within a private Jabber server, an administrator of the server must create an account for the user.

21. Examination of the hacking group's Jabber communications has allowed U.S. authorities to identify many members of the hacking group and their roles in the illegal enterprise. Although members of the hacking group generally used aliases and concealed their true names from each other, members regularly provided identifying information in Jabber communications with certain high-level members of the group to receive payment for their participation in the scheme. This information included information such as true names, addresses, bank account information, and information to receive digital currency or money order transfers.

22. Server-1 also contained virtual HipChat servers. HipChat is a group chat, instant messaging, and file-sharing program. Examination of the HipChat servers showed that the hacking group used HipChat to coordinate their efforts to breach the network securities of victim companies, to share stolen data such as payment card information, and to interview and recruit new members.

23. Through this investigation, which has included review of evidence obtained from foreign authorities, U.S. authorities obtained and examined a forensic image of another physical server used by the hacking group (hereinafter, "Server-2") in approximately November 2017. Like Server-1, Server-2 contained numerous virtual communication servers used to facilitate the malware scheme. Both Server-1 and Server-2 contained virtual JIRA servers. JIRA is a project management and issue-tracking program commonly used by software development teams. JIRA allows team members to create "projects" containing posted "issues" under which other team members can make comments and share data. This feature thereby facilitates collaboration between team members who may be working from different locations or during different hours.

24. Examination of Server-1 and Server-2 revealed that members of the hacking group used the JIRA servers to collaborate on their efforts to breach and steal data from victim companies. Often, hacking group members would create "issues" in JIRA with names that referenced a particular victim. Under each JIRA "issue", members would track their progress breaching the victim's security, upload data stolen from the victim, and provide guidance to each other. The JIRA servers logged activity related to an "issue" and tracked a variety of information including the user who created the "issue", users who commented under or uploaded files under the "issue", and users who otherwise had access to the "issue". This information has allowed investigators to link members to attacks against specific victims.

25. The hacking group's Jabber, HipChat, and JIRA communications confirm that the group's virtual work environment allowed the members of the group to work together closely even though the members were working from computers at their residences or from their mobile devices. In numerous conversations, members of the hacking group made reference to working at home or the need to go offline in order to run domestic errands such as going to the doctor's office. Notably, members of the hacking group were required to work late at night in order to carry out malicious activity, such as sending phishing emails, during the business hours of victim companies who were located several time zones away.

Examination of Devices Belonging to Members of the Hacking Group

26. The U.S. authorities' examination of devices belonging to individual members of the hacking group indicates that members of the hacking group keep extensive evidence of their illegal activity on their personal computers and mobile devices, including data that is exchanged through the hacking group's virtual work environment. For example, U.S. authorities examined a laptop seized by foreign authorities from the home of a member of the hacking group. The laptop contained many of the malware tools used by the hacking group in addition to credentials to remotely access the hacking group's servers. One of the malware tools was used over 1,200 times over the course of a 16-month period. Forensic examination of communications on the laptop indicate that the owner of the laptop was largely working from home when he developed phishing emails, attempted to breach victim computer systems, and stole data from compromised computers. In addition, the laptop had numerous folders, each dedicated to a specific victim, which contained data stolen from that victim. This stolen data included addresses for internal victim servers, login credentials (user name and password) for victim servers, tax information, customer order information, and other non-public information. Most notably, the laptop contained a variety of stolen financial information, including stolen credentials that could be used to access a victim's online bank accounts and over 4,000 unique payment card numbers. The laptop also contained extensive communications with dozens of members of the hacking group, including over 80,000 Jabber messages. In certain of these communications, the user of the laptop requested money order transfers in return for work performed on behalf of the hacking group.

27. Through this investigation, U.S. authorities also examined a laptop taken from a different member of the hacking group while he was on vacation in a foreign country. As with the first laptop, the second laptop contained extensive evidence of the malware scheme and information exchanged through the hacking group's virtual workspace. For example, the second laptop contained malware tools, credentials to access the hacking group's servers, data stolen from victims, and over 4,000 payment card numbers. The laptop also contained over 85,000 Jabber communications with other members of the hacking group in which the owner of the laptop discussed his efforts to breach victims' networks, shared stolen data, and requested payment in digital currency for his work. Notably, the Jabber communications indicate that the hacking group was using a wide variety of digital currency services or exchanges including, but not limited to, Binance, Electrum, and Monero.

28. U.S. authorities have obtained evidence that members of the hacking group also use mobile devices to facilitate the malware scheme. In addition to private Jabber, HipChat, and JIRA servers, the hacking group uses a variety of other communication services such as Mumble, Telegram, Threema and Viber. U.S. authorities have gathered evidence that members of the hacking scheme access these communication services from their mobile devices. For example, pursuant to a mutual legal assistance request, U.S. authorities examined a mobile phone taken from one of the previously mentioned hacking group members while he was on vacation. The mobile phone contained communications with other members of the hacking group regarding the group's illegal activity, including Telegram, Threema, and Viber communications.

B. Denys Iarmak

29. U.S. authorities have identified multiple members of the hacking group, including DENYS IARMAK, also known as Denys Olegovich Iarmak, Denis Jarmak, and Denys Olehovych Yarmak, a resident and citizen of Ukraine. Since at least 2016, IARMAK, who used online aliases such as "gaktus," "denisjarmak", and "gaktusOl", served as a hacker within the group and was involved in attacking multiple victim companies, including the successful hacks of several restaurant chains located in the United States.

30. As with other members of the hacking group, IARMAK used the virtual work environment to collaborate and coordinate with other group members. For instance, on July 24, 2017, IARMAK used Jabber to exchange stolen victim information with another group member, Fedir Hladyr, charged in this District (United States v. Hladyr, [case number illegible]). Furthermore, on March 3, 2017, IARMAK, using the alias "gaktus," updated a JIRA issue he had created for a specific victim company and uploaded data he had stolen from that U.S. company. IARMAK had access to approximately 25 JIRA issues on Server-1 and 20 JIRA issues on Server-2.

31. In a Jabber conversation between IARMAK and Hladyr on October 20, 2017, Hladyr provided user credentials for a compromised U.S. business. On October 27, 2017, IARMAK replied back to Hladyr with internal system information of compromised machines related to the U.S. business. Through this investigation, authorities have confirmed that this hacking group stole payment card data from that U.S. business.

32. IARMAK frequently used the aliases "denis.jarmak" and "gaktus" when communicating with other members of the hacking group. For example, on December 24, 2016, in a Jabber communication between Hladyr and IARMAK (denis.jarmak@jabber.ru), according to a machine translation, IARMAK told Hladyr to add him into a room and provided the name "GakTus."

33. Like other members of the group, IARMAK provided his true name in order to receive payment for his work in furtherance of the group. For example, in a December 26, 2016 Jabber chat with one of the leaders of the hacking group, IARMAK (denis.jarmak@jabber.ru) sent his PrivateBank account number to receive salary payments. Further, through the investigation, authorities further identified IARMAK through his email account. For instance, authorities identified and later obtained a search warrant for a personal email account which was linked to the PGP public key IARMAK used to have communications with other group members in furtherance of the coordinated hacking activities. According to records obtained from Google, the subscriber for this email account is Denis Jarmak. This email account contained photos of Ukrainian passports and other identification documents. According to this and other documentation, IARMAK is believed to currently reside in Kyiv, Ukraine. The passport listed date of birth as [redacted]. The email account also contained a copy of a resume (which, according to a machine transliteration, was in the name Denys Olegovych Yarmak), with the same date of birth, and listed his father's, mother's, and sister's names, which was corroborated through other sources. The resume listed work experience as a system administrator for multiple companies. The email account also contained a registration email for the aforementioned Jabber account (denis.jarmak@jabber.ru) and account creation and security alerts for one of the linked email accounts, gaktusO@gmail.com, among others.

34. IARMAK also used the email account denis.jarmak@gmail.com in furtherance of the group's scheme. For example, in early April 2017, IARMAK exchanged multiple messages with an Anti-Virus (AV) company related to activating an AV product. IARMAK also forwarded copies of these emails to two other known members of the hacking group. Through the investigation, authorities have determined that one of the techniques used by the group is to check their various malware against AV products disconnected from the Internet. This technique allows the group to determine whether the malware is being detected by the AV product as malicious without providing a copy of the malware to the AV companies.

35. In a translated Jabber communication on April 28, 2017, between IARMAK and Fedorov, another known group member charged in this District (United States v. Fedorov, CR18-004RSM), IARMAK explained to Fedorov how to create the malware payload for a phishing document and referenced going into the machine with AV. IARMAK noted that a particular payload was detected by two AV companies, which meant that it was "burned somewhere." When Fedorov noted another tool used by the group that was tested against AV, IARMAK sought details on whether the testing was done with the interface to the Internet turned off. This conversation was consistent with the known methodology of the hacking group.

36. In that same conversation, IARMAK also discussed phishing emails and specifically advised that he usually replaced the default picture of the embedded file, which deploys malware if double clicked, with some other image specific to the targeted company. As noted above, the investigation and security community reporting have observed that the phishing messages sent by this hacking group usually seek to manipulate targeted victims into double clicking on an image in the message attachment to activate malware and compromise machines on the victim network.

37. IARMAK also was implicated by other members of the hacking group. In

CONCLUSION

38. Based on the above facts, I respectfully submit that there is probable cause to believe that DENYS IARMAK did knowingly and intentionally commit the offenses of Conspiracy to Commit Computer Fraud and Abuse, in violation of Title 18, United States Code, Section 371, and Access Device Fraud, in violation of Title 18, United States Code, Sections 1029(a)(3), 1029(b)(1), 1029(c)(1)(A), and 2.

Briana L. Neumiller, Complainant
Special Agent, Federal Bureau of Investigations

Based on the Complaint and Affidavit sworn to before me, and subscribed in my presence, the Court hereby finds that there is probable cause to believe the Defendant committed the offenses set forth in the Complaint.

Dated this day of November, 2019.

MICHELLE L. PETERSON
United States Magistrate Judge

United States v. Denys Iarmak
UNITED STATES ATTORNEY, 700 STEWART STREET, SUITE 5220, SEATTLE, WASHINGTON 98101, (206) 553-7970