DJ 00 U1 Case Document 1 Filed 12/12/18 Page 1 of 17 Presented to the Court by the foreman of the Grand Jury in open Court, in the presence of the Grand Jury and FILED in the US. DISTRICT COURT at Seattle, Washington. W176 ll .20 - . . ,mMcL,Clerk I UNITED STATES DISTRICT COURT OR THE WESTERN DISTRICT OF WASHINGTON - AT SEATTLE UNITED STATES OF AMERICARAJ Plaintiff INDICTMENT V. ANDREY TURCHIN, a/k/a, a/k/a, ?Andej Turchin,? a/k/a, ?Adik Dalv,? a/k/a, ?Vadim bld,? Defendant. The Grand Jury charges that: . . COUNTI- (Conspiracy to Commit Computer Hacking) A. Overview 1. The defendant, ANDREY TURCHIN, operating under the alias among others, is a computer hacker who resides In the country of Kazakhstan. 2. ANDREY TURCHIN, also known by the names ?Andej Turehin,? ?Adik Dalv,? and ?Vadim bld,? is a member of a proli?c, ?nancially motivated cybercriminal group composed of foreign actors that hacks the computer networks of a broad array of - Indictment - 1 UNITED STATESATTORNEY 700 STEWART STREET, SUITE 5220 SEATTLE, WASHINGTON 98101 (206) 553-7970 United States v. urchin - Case Document 1 Filed 12/12/18 Page 2 of 17 corporate entities, educational institutions, and governments throughout the world, including the United States, and thereafter advertises and sells such unauthorized access to its Victims? protected Systems to interested buyers. Members of the cybercriminal group include individuals using such monikers as ?BigPetya,? ?Lampeduza,? ?Antony Moricone,? ?Nikolay,? ?Ares, and ?HeroKuma, among others. 3. The cybercriminal group uses various hacking techniques, such as brute force attacks and phishing email campaigns, to attack and Compromise victim networks. Once inside the victim?s system, the threat actors deploy additional malicious code, or malware, and move laterally throughout the network. The group ultimately attempts to locate and ex?ltrate administrative credentials, to gain broad access and control of the victim?s system, and to establish persistence through use of Remote Access Tools (RATS) and other malware implanted on network computers. I 4. Members of the cybercriminal group, including ANDREY TURCHIN, advertise Victim network access for sale, both through postings on various underground online forums and through private offerings to established or trusted buyers. The cybercriminal group frequents several forums known to host and facilitate criminal activity, such as Exploitin, fuckav.ru, ClubZCard, Altenen, Blackhacker, Omerta, Sniff3r, and L33t, among others. To date, the group has claimed access to, and advertised for. sale network access to, a total of more than 300 corporate entities, educational institutions, governments, and governmental agencies and departments, located in roughly 40 countries across six continents, including over 30 such entities located in the United States. 5. The cybercriminal group?s prices for network access typically ranges from thousands to tens of thousands dollars, but in some cases, exceeds a hundred thousand dollars, depending on the victim entity and the degree of system access and controls, and, the group has derived a substantial but unknown amount in illicit pro?ts from its Scheme. Victims incurred additional losses totaling in the tens of millions of 7 dollars identifying and remediating the implanted malware, unauthorized network access, and the consequential network damage. Indictment - 2 UNITED STATES ATTORNEY 1 - 700 STEWART STREET, SUITE 5220 United States v. urchin SEATTLE, WASHINGTON 98101 (206) 553-7970 ?Case Document 1 Filed 12/12/18 Page 3 of 17 Relevant Terms I 6. An Internet Protocol. address, or simply address,? is a unique numeric address used by devices, such as computers, on the Internet. Every device attached to the Internet must be assigned an IP address so that Internet-traf?c sent from and directed to that device may be directed its source to its destination. Most Internet service providers control a range of I IP addresses. I 7. A server is a computer that provides serviCes for other computers connected to it via a network or the Internet. The computers that use the server?s services are sometimes called ?clients.? Servers can be physically located anywhere with a network connection that may be reached by the "clients; for example, it is not uncommon for a server to be located hundreds (or even thousands) of miles away from the client Computers. A server may be either a physical or virtual machine. A physical server is a piece of compUter hardware configured as a server with its own power source, central processing unit or units and associated software. Avirtual server is typically one of many servers that operate on a single physical server. Each Virtual server shares the hardware resources of the physical server but the data residing on each virtual server is segregated from the data on other virtual servers that reside on the same physical machine. I 8. Remote Desktop Protocol (RDP) isa proprietary protocol developed by - Microsoft, which provides a user with a. graphical interface to connect to another computer over a network connection. RDP allows another computer to interact and control the computer remotely. Another computer can. connect to a computer with RDP enabled by I being in the same connected network and providing credentials to log in. If a computer is connected to the Internet and. has RDP enabled, any computer on the Internet can attempt to connect to that cemputer. Multiple companies not associated with Microsoft have created third party software that uses and interacts with RDP. I 9. The Onion Router, or ?Tor,? is an anonymity tool used by individuals when they wish to obfuscate the origin of the internet connection (entry point). This is Indictment 3 - UNITED STATES ATTORNEY . . - 700 STEWART STREET, SUITE 5220 United tatesv. urchin SEATTLE, WASHINGTON 98101 - (206)553?7970 KC 00 Ch i?a Case Document 1 Filed 12/12/18 Page 4 of 17 accomplished by bouncing the original internet connection through several intermediate computers (relays) that utilize thus anonymizing the entry point. 10. Malware is malicious computer code running on a cemputer. Malware can be designed to do a variety of things, including logging every keystroke on a computer, stealing ?nancial information or ?user credentials? (passwords or usemames), or commanding that computer to become part of a network of ?robot? or ?bot? computers known as a ?botnet.? In addition, malware can be used to transmit data from the infected computer to another destination on the Internet, as identi?ed by an IP address. 1 1. Phishing is a criminal scheme in which the perpetrators use mass email messages and/or fake websites to trick people into providing information, such as network credentials user names and passwords) that may later be used to gain access to the i victim?s systems. Phishing schemes often utilize social engineering techniques similar to traditional con-artist techniques in order to trick victims into believing they are providing their'information to a trusted vendor or other acquaintance. Phishing emails are also often used to trick a victim into clicking on documents or links that contain malicious software that will compromise the victim?s computer system. 12. Social engineering is a skill developed over time by people who seek to acquire protected information through manipulation of social relationships. People who are skilled in social engineering can convince key individuals to divulge protected 7 information or access credentials that the social engineer deems valuable to the achievement of his or her aims. 13. Brute force attacks are a technique developed over time by people who seek to obtain valid credentials to gain access to a protected system, software, or data. A brute force attack will use atrial?and-error method of consecutively guessing credentials against the protected medium until a guess is successful in obtaining access to the protected medium. A brute-force attack is typically conducted using automated software along with a list'of commonly used or known passwords, also known as dictionaries, to guess the credentials. Indictment 4 - UNITED STATES ATTORNEY - - 700 STEWART STREET, SUITE 5220 Umted States v. urchin SEATTLE, WASHINGTON 98101 (206) 553-7970 iCase Document 1 Filed 12/12/18 Page 5 of 17 Offense 14. Beginning at a time unknown, but no later than October 2017, and continuing through on or about December 12, 2018, in King County and Cowlitz County, within the Western District of Washington, and elsewhere, the defendant, ANDREY A TURCHIN, and others known and unknown to the Grand Jury, did knowingly and willfully combine, conspire, confederate and agree together to commit offenses against the United States, to wit: 2 a. to intentionally access a computer without authorization, and exceed authorized access to a computer, and thereby obtained information from a protected I computer, and the offense was committed for purposes of commercial advantage or private ?nancial gain, and in furtherance of a criminal and tortious act in violation of the Constitution and the laws of the UnitedStates and the laws of a state, including Washington, andthe value of the information obtained exceeded $5,000, in Violation of Title 18, United States Code, Sections 1030(a)(2)(C) and (ii) and and, b. to knowingly cause the transmission of a program, information, code, and command, and as a result of such conduct, intentionally cause damage without authorization to a protected computer, and cause loss to one or more persons during a one? year period aggregating at least $5,000 in value and damage affecting 10 or more protected computers during a one-year period, in violation of Title 18, United States Code, Sections 1030(a)(5)(A) and D. Objectives of the Conspiracy 15. The objectives of the conspiracy included hacking into protected computer - networks using malicious software (hereinafter, ?malware?) designed to provide conspirators with unauthorized access to, and control of, victim computer systems; The objectives of the conspiracy further include conducting surveillance of victim computer networks, ex?ltrating and using administrative credentials, and installing additional malware on victim computer networks for purposes of establishing persistence, all for the Indictment - 5 UNITED STATES ATTORNEY 7' - - 700 STEWART STREET, SUITESZZO United States v. urchin SEATTLE, WASHINGTON 98101 (206) 553-7970 Case Document 1 Filed 12/12/18 Page 6 of 17 purpose of selling such access to victim computer networks to other cybercriminal actors . for ?nancial gain. - I E. Manner and Means of the COnspiracy 16. The manner and means usedto accomplish the conspiracy included the following: a. The conspirators employed hacking techniques to gain access, Without authorization, to protected computer netwOrks, broadly targeting victims worldwide, including entities located in-the United States and speci?cally in the Western District of Washington. The cybercriminal group used various attack vectors to distribute and implant malware designed to gain unauthorized aCcess to, take control of, and ex?ltrate data from the computer systems of a broad array of corporate and governmental entities and educational institutions. I b. The conspirators often initiated brute force attacks or login credentials to access Internet-connected RDP-enabled computers on a Victim network. The conspirators scanned the Internet for open ports and performed surveillance on targeted victim networks in order to identify victim computers vulnerable to brute force attacks over RDP. - c. The conspirators also initiated attacks by delivering, directly and through intermediaries, one or more phishing emails with an attached malicious ?le or embedded Internet hyperlink, using wires in interstate and foreign commerce, to an employee of the targeted victim. The attached ?le usually contained embedded malware designed to allow the conspiracy to gain unauthorized access to the victim computer. The phishing emails were designed to deceive the recipient in order to induce the recipient to activate the malware, such as by opening an attachment or clicking on a link contained in the phishing email. If the recipient unwittingly activated the malware, thecomputer on which it was opened became infected and provided access to the infected computer to one or more computers controlled by the conspiracy. Indictment - 6 . UNITED STATES ATTORNEY ?t . - 700 STEWART STREET, SUITE 5220 6 States Turchm SEATTLE, WASHINGTON 98101 (206) 553?7970 0(3li Case Document 1 Filed 12/12/18 Page 7 of 17 d. OnCe the conspirators, using wires in interstate and foreign commerce, successfully gained access to the Victim computer and obtained valid login credentials, the conspirators gained the ability to connect one or more conspiracy? controlled computers to the Victim computer. e. The conspirators installed additional malware, including password- stealing malware and remote access troj an malware, to obtain and establish administrative and persistent remOte control of the victim computer. At times, the conspirators modi?ed antivirus software Settings to allow malware to continue to rUn undetected; f. The conspirators used the unauthorized access to the victim?s computer to conduct additional surveillance of other computer-systems located within the- victim?s computer network. The conspirators used the victim?s. computer to move laterally within the network, infecting other Victim computer systems on the network with malware to gain additional access within the victim computer network. The goal was to locate and steal login credentials for domain administrators of the victim computer network, which would allow the conspiracy to have full administrative control over the victim Computer network. I g. The conspirators also at times used the unauthorized access to a victim?s computer network to pivot into a Separate, speci?c company?s networks, effectively exploiting one victim?s existing relationships and connections to compromise its clients, partners, and others. in ?After gaining access to a victim computer network and establishing a 7 level of control-and persistence, the conspirators offered the access to the victim computer network for sale, typically through RDP or a ?backdoor? created on the victim networks through implanted malware. In marketing the access to prospective buyers, the conspirators often described the degree of access partial or full) and administrative control and set a purchase price for the particular network access. The group?s asking prices, which were often, but not always, consistent acrOss various forums, generally ranged from thousands to tens of thousands dollars, but in somelcases exceed $100,000,, Indictment - 7 UNITED STATES ATTORNEY United States v. urchin 700 STEWART STREET, SUITE 5220 SEATTLE, WASHINGTON 98101 (206) 553-7970 Case Document 1 Filed 12/12/18 Page 8 of 17 depending on the victim entity and the degree of system access and controls. With respect to some entities, for instance, those deemed potentially high-value targets ?nancial institutions), the group further negotiated a cut, or percentage, of future pro?ts derived by the buyer from use of the purchased unauthorized network access. i. Typically, the conspirators broadly advertised suCh unauthorized network access for sale on various underground criminal forums. Since OCtober 2017, group members have offered for sale the unauthorized network access to over 300 distinct victim entities across six continents, including over 30 entities located in the United States. Examples of advertised network access to US. entities include: On about October 12, 2017, ANDREY TURCHIN offered for sale on an online forum network access for numerous entities, including a port authority located in C0wlitz County, Washington a distributor of petroleum products based in Alaska, a law firm based in Colorado, an online money transfer and digital payment services company located in New York, and a software developer located in California, as well as the Ministry of Housing, Utilities and Urban Communities of an African country, an African bank, and a luxury hotel group with locations across Europe, North Africa, Latin America, and the Caribbean. . (ii) On about March 20, 2018, ANDREY TURCHIN offered for sale network access for numerous entities, including a port authority (Victim-1) and a U. S. airline based 1n New York, as well as the Ministry of Finance of an African country, the Ministry of Mining and Energy of an Asian country, a South Asian media company, and multiple ?nancial services of?ces. ANDREY TURCHIN further claimed to have access to more than 200 government and law enforcement networks in the United Kingdom, some of which were also advertised for sale. A On about April 1, 2018, ANDREY TURCHIN offered for sale access to point?of?sale terminals at various restaurants, cafes, retail stores, and other businesses in over a dozen countries, including a company headquartered in Seattle, . washington, and numerous other popular chains with locations in the Western District of Indictment 8 1 UNITED STATES ATTORNEY - - 700 STEWART STREET, SUITE 5220 United States v. Turchm SEATTLE, WASHINGTON 98101 (206) 553?7970 Case Document 1 Filed 12/12/18 Page 9 of 17 Washington. . (iv) On about July 17, 2018, ANDREY TURCHIN offered .for sale network access to two hotel _chains, including a U.S. chain that operates hotels throughout . the United States, including the Western District in Washington, and abroad. (V) On about September 5, 2018, ?Antony Moricone,? ?Lampeduza,? and ?Nikolay? posted on separate online forums near-identical offers for sale of network access to multiple U.S. entities, including Computer networks of an U.S. county located in the state of Texas - (vi) On about September 9, 2018, ?Antony Moricone,? ?Lampeduza,? and ?Nikolay? posted on separate online forums similar offers for sale of network access to numerous entities, including an olive oil manufacturing business located in Chico, California, as well as an Asian pharmaceutical and biotechnology company. (vii) On about September 22, 2018, ?Antony Moricone? and .?Lampeduza? posted on separate online forums similar offers for sale of network access to the same entities, including a private school located in California, as well as multiple I college institutions "located in foreign countries, an African power company, and a. municipality 1n a Middle Eastern country. I On about September 25, 2018 ?Antony Moricone,? ?Lampedu?za,?_ and ?Nikolay? posted on separate online forums similar offers for sale of network access to a uniVersity located in Puerto Rico. j. At other times, the group members offered such unauthorized - network access to particular trusted or established buyer as part of a direct sale. In certain circumstances, the group offered bulk purchase discounts, namely, the bulk sale'of access to multiple victims network 1n exchange for a discounted price. A k. The group executed transactions through use of a broker service and allowed-buyers to effectively sample the network access before ?nalizing a purchase. More specifically, the potential buyer typically transmitted funds toward the agreed-upon purchase price into escrow arranged by the broker. The group then provided the Indictment 9 . UNITED STATES ATTORNEY . - - 700 STEWART STREET, SUITE 5220 United States v. urchin SEATTLE, WASHINGTON 98101 (206) 553?7970 00 DJ 00 x] DJ Case Documentl Filed 12/12/18 Page'10 of 17 prospective buyer with access for alimited period, e. a six?hour window, during which . the buyer could test the quality and reliability of the remote access and control established in the victim?s protected network. If acceptable, the deal was ?nalized, 'whereby the funds were released to the cybercriminal group and the buyer received the conspirators? unrestricted network access. 1. Following a sale, the conspirators typically provided the buyer with ongoing technical assistance with respect to purchased network access for a negotiated period of time. m. The conspirators took various steps to obfuscate their identity and location, For instance, cybercriminal group members typically used monikers and communicated with one another and with prospective customers through Jabber, a web- based instant messaging service that allows for person-to?person and group . communication across multiple platforms and that supports end-to-end The group members further often used Tor and other tools and methods to obscure the web traf?c and in turn their location and identity. The group members also made, efforts to conceal the ?ow of funds through use of such as Bitcoin, in various ?nancial transactions. I F. Overt Acts 17. In furtherance of the conspiracy, and to achieve the objects thereof, the defendant, and others known and unknown-to the Grand Jury, did commit and cause to be committed, the following overt acts, among others, in the Western District of Washington and elsewhere: a. On about October 2017', ANDREY TURCHIN started a thread on a' prominent Russian-language online forum commonly used by hackers and cybercriminals. ANDREY TURCHIN claimed the ability to sell access to various corporate netWorks,,servers, and their administrative accounts. b. On about October 1, 2017, one or ?more co-conspirators remotely accessed without authorization the protected computer network of a port authority Indictment - 10 - UNITED STATES ATTORNEY United States v. urchin 700 STEWART STREET, SUHE 5220 SEATTLE, WASHINGTON 98101 (206) 553-7970 United States v. urchin Case Document 1 Filed 12/12/18 Page 11 of 17 (Victimfl) located in the Western District of Washington. 0. On about October 12, 2017, one or more co?conspirators remotely accessed the protected computer network of the port authority (V ictim? 1). d; On about October 12, 2017, ANDREY TURCHIN, on an online forum, posted for sale network access to numerous entities in multiple countries, including the pOrt authority (Victim? 1). I 6. On about November 14, 2017, a co-conspirator registered a Google account using the alias ?Ivan Ivanov? and other inaccurate information from an IP address resolving to a foreign country. f. On about November 15, 2017, a co-conspirator, using the alias ?Ivan Ivanov? and the aforementioned Google account, registered a domain with a U.S.?based service provider, paid for through one or more transfers. One or more con conspirators then used this domain to register and establish one or more of the IP addresses used to access the protected network of the port authority (Victim?1). g. On about November 19,2017, one or more 00? conspirators remotely accessed the protected computer network of the port authority (Victim~1). h. On about December 23, 2017, a co-cOnspirator accessed an administrative account on protected computer network of the port authority (Victim-1) through an IP address that resolved to Kazakhstan. i. On about December 23, 2017, ANDREY TURCHIN, on an online forum, posted for sale network access to numerous entities inmultiple countries, including full network access. to the port authority (Victim-1). I j. On about January 10, 2018, one or more co-conspirators remotely accessed the protected computer network of the port authority (Victim-1). I k. On about April 1, 2018, ANDREY TURCHIN, on an online forum, posted for sale, access to point-of?sale terminals at various restaurants, cafes, retail stores, 1 and other businesses, including a company headquartered 1n Seattle, Washington. - Indictment 11 UNITED STATES ATTORNEY . 700 STEWART STREET, SUITE 5220? SEATTLE, WASHINGTON 98101 (206) 553-7970 Case Document 1 Filed 12/12/18 Page 12 of 17 1. 1 On about'September 30, 2018, ?Nikolay,? on an online forum, posted 8 that access to a US. county in TeXas (Victim-2) had been sold for $150,000. m. I On about October 22, 2018, ?Antony Moricone? and ?Lampeduza,? on separate online forums, posted for sale network access to the numerous entities, including the Ministry of Finance of an African country previously advertised by - All in violation of Title 18, United States Code, Sections 371. I w; (Unauthorized Access to. a Protected Computer) 18. The allegations set forth in Paragraphs 1 through 17 of this Indictment are re?alleged and incorporated as if fully set forth herein. 19. Beginning on or about October 1, 2017, and continuing until a date unknown, in Cowlitz County, within the Western/District of Washington, and elsewhere, - the defendant, ANDREY TURCHIN, and others known and unknown to the Grand Jury, intentionally accessed a computer without authorization, and exceeded authorized access to a computer, and thereby obtained information from a protected computer, speci?cally, one Or more protected computers of an entity, Victim-1, referenced above, and the offense was committed for purposes of commercial advantage or private ?nancial gain, (ii) the offense was committed in furtherance of a criminal and tortious act in violation of the Constitution and the laws of the United States and the laws of Washington, and the value of the information obtained exceeded $5,000. I All in violation of Title 18, United States Code, Sections 1030(a)(2)(C), 1030(b), (ii) and and 2. we (Intentional Damage to a Protected Computer) . 20. . The allegations setforth in Paragraphs 1 through 17'of this Indictment are - re?alleged and incorporated as if fully set forth herein. 21. Beginning on or about October 1, 12017, and continuing until a date unknown, in Cowlitz County, within the Western District of Washington, and elsewhere, Indictment - 12 . UNITED STATES ATTORNEY United States v. urchin 700 STEWART SUITE 5220 - SEATTLE, WASHINGTON 98101 (206) 553?7970 Documentl Filed 12/12/18 Page 13 of 17 the defendant, ANDREY TURCHIN, and others known and unknown to the Grand Jury, knowingly caused the transmission of a program, information, code, and command, and as . a'result of such conduct, intentionally caused damage without authorization, to a protected computer, speci?cally, one or more protected computers of an entity, Victim-1, referenced above, and the offense caused loss to one or more persons during a 1-year period aggregating at least $5,000.00 in value and (ii) damage affecting 10. or more protected computers during a l?year period. - . All in violation of Title 18, United States Code, Sections 1030(a)(5)(A), 1030(b), 1030(c)(4)(B), and 2.- I COUNT 4 (Conspiracy to Commit Wire Fraud) 22.. The allegations set forth in Paragraphs 1 through 17 of this Indictment are re?alleged and incorporated as if fully set forth herein. 23. 1 Beginning at a time unknown, but no later than October 2017, and continuing through on or about December 12, 2018, within the Western District of Washington, and elsewhere, the defendant, ANDREY TURCHIN, and others. known and unknown to the Grand Jury, did knowingly and willfully combine, conspire, confederate and agree together to commit offenses against the United States, to wit: to knowingly and willfully devise and execute and attempt to execute, a scheme and arti?ce to defraud, and for obtaining money and property by means of materially false and fraudulent pretenses, representations, and promises; and in executing and attempting to execute this scheme and arti?ce, to knowingly cause to be transmitted in interstate and foreign commerce, by 1 means of wire communication, certain signs, signals and sounds as further described below, in violation of Title 18, United States Code, Section 1343. 24. The objectives of the conspiracy included gaining increasing levels of access to, and control of, protected computers of victim entities through the use of deception and false representations and fraudulently obtained credentials. The objectives of the conspiracy further included, using such access and control obtained through deceptive Indictment - 13 UNITED STATES ATTORNEY United States v. urchin 700 STEWART STREET, SUITE 5220 SEATTLE, WASHINGTON 98101 (206) 553-7970 Case Document 1 Filed 12/12/18 Page 14 of 17 means, to compromise additional computers and networks both internally and externally to the victim entity. The ultimate purpose of the conspiracy involved the selling of access to victim computer networks to other cybercrirninal actors for ?nancial gain. . 25. The manner and means used to accomplish the conspiracy are forth in Paragraph 16, above, which is incorporated herein, and included the following: a. The conspirators, using wires in interstate and foreign commerce, gained unauthorized access to a computer through hacking techniques, all of which involved deceptive acts. At times, group members employed brute force attacks, which, when successful, involved the false representation that the hacker was an authorized person, such as an employee. Alternatively, group members at times employed phishing campaigns, which involved false representatiOns to induce the recipient to unwittingly activate malware and infect the computer.- b. Once the conspirators successfully gained access to the victim computer, the actor located and stole valid login credentials, which in turn were used to. gain further access to and control of the victim?s network through false representations, with the goal of establishing undetected persistence. c. Thereafter, the conspirators offered the access to the victim computer network for sale, typically through advertisement postings or through direct sales on various online forums. As part of any sale, the group provided buyers with stolen victim credentials, which enabled the purchaser to access the victim networks and the ability to deploy additional malware for the purchaser?s designs and purpleses, thereby eXpOSing the victim, as well as its employees, customers, and business partners, to a wide spectrum of illicit conduct. All in Violation of Title 18, United States Code, Sections 1349. - COUNT 5 (Access Device Fraud) 26. The allegations set forth in Paragraphs 1 through 17 of this Indictment are re-alleged and incorporated as if fully set forth herein. Indictment - 14 UNITED STATES ATTORNEY United States v. Turchin 700 STEWART STREET, SUITE 5220 SEATTLE, WASHINGTON 98101 (206) 553-7970 Case Document 1 Filed 12/12/18 Page 15 of 17 27. On or about December 23, 2017, in Cowlitz County, within the Western District of Washington, and elsewhere, the defendant, ANDREY TURCHIN, and others known and unknown to the Grand Jury, knowingly and with intent to defraud, used and traf?cked in unauthorized access devices, specifically, account usemames and passwords for Victim?'1, and other means of account access that can be used, alone and in conjunction with another access device, to obtain a thing of value, and by such conduct, obtained information with a value aggregating $1,000 or more during a one-year period; said activity affecting interstate and foreign commerce I All in violation of Title 18, United States Code, Sections 1029(a)(2) and and 2. 7 I FORFEITURE ALLEGATION 28.. The allegations contained in Count 1 of this Indictment are hereby realleged and incorporated by reference. for the purpose of alleging forfeitures pursuant to Title 18, - United States Code, Sections and 1030(i) and Title 28,-United States Code, Section 2461(0). Upon conviction of the offense charged in Count 1, the defendant shall forfeit to the United States-any property constituting, or derived from, proceeds the defendant obtained, directly or indirectly, as the result of the offense, including but not limited to a sum of money re?eCting those proceeds, as well as his interest any personal property that was used or intended to be used to commit or to facilitate the commission of the offense. I 29. The allegations contained in Counts 2 and 3 of this Indictment are hereby. realleged and incorporated'by reference for the purpose of alleging forfeitures pursuant to Title 18, United States Cede, Sections 982(a)(2)(B) and 1030(i). Upon conviction of any offense charged in Counts 2 and 3, the defendant shall forfeit to the United States any I property constituting, or derived from, proceeds the defendant obtained?, directly or indirectly, as the result of the offense including but not limited to a sum of money re?ecting those proceeds, as well as his interest in any personal property that was used or intended to be used to cemmit or to facilitate the commission of the offense. Indictment - 15 UNITED STATES ATTORNEY - 700 STEWART STREET, SUITE 5220 United States v. Turchm SEATTLE, WASHINGTON 98101 (206) 553?7970 Case Document 1 Filed 12/12/18 Page 16 of 17 30. The allegations contained in Count 4 this Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to Title 18, United States Code, Section 981(a)(1)(C) and Title 28, United States Code, Section 2461(0). Upon conviction of the offense charged in Count 4, the defendantshall forfeit to the United States any property, real or personal, constituting, or derived from, proceeds the defendant obtained, directly or indirectly, as the result of the offense, including but not limited to a sum of money re?ecting those proceeds. 31. The allegations Contained in Count 5 of this Indictment are hereby realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to Title 18, United States Code, Sections 982(a)(2)(B) and 1029(c)(1)(C). Upon conviction of the offense charged in Count 5, the defendant shall forfeit to the United States any property, real or personal, which constitutes or is derived from proceeds traceable to such offense,- including but not limited to a sum of money reflectng those proceeds, as well as his interest in any property used or intended to be used to commit the offense. Indictment - 16 UNITED STATES ATTORNEY - - 700 STEWART STREET, SUITE 5220 United States v. urchin SEATTLE, WASHINGTON 98101 (206) 553-7970 00 Case Document 1 Filed 12/12/18 Page the property described above, as a result of any act or omission of the defendant: a. cannot be located upon- the exercise of due diligence; b. has been transferred or sold to, or deposited with, a third party; c. has been placed beyond the jurisdiction of the court; . d. has been substantially diminished in value; or e. has been commingled With other property?which cannot be divided Without dif?culty, the United States of America shall be entitled to forfeiture of substitute property pursuant to Title 21, United States Code, Section 853(p), as incorporated by Title 28, United States Code, Section 2461(c). 7 A TRUE BILL: DATED: l2? It 2018 (Signature ofForeperson redacted pursuant to policy of the Judicial Conference) A FOREPERSON CW gfir/w?x ANNETTE L. HA United States Atto ey ch/ ANDREW C. FRIEDMAN Assistant United States Attorney Indictment 17 UNITED STATES ATTORNEY 700 STEWART STREET, SUITE 5220 United States v. urchin SEATTLE, WASHINGTON 98101 (206) 553?7970