Case Document 1 Filed 09/03/20 Page 1 of 14 UNITED STATES DISTRICT COURT DISTRICT OF MASSACHUSETTS Criminal No. 20-cr-10182 Violations: UNITED STATES OF AMERICA Count One: Conspiracy to Commit Intentional v. I Damage to a Protected Computer (1) BEHZAD MOHAMMADZADEH, (18 U-S-C- 371) a/k/a ?Mrb3hz4d,? and . Counts Two and Three: Intentional Damage to a (2) MARWAN ABUSROUR, a/k/a Protected Computer ?Mrwn007,? (18 U.S.C. 1030(a)(5)(A)) Defendants I Forfeiture Allegations: (18 U.S.C. 982(a)(2)(B) and 1030(i)) INDICTMENT At all times relevant to this Indictment: General Allegations 1. Defendant BEHZAD MOHAMMADZADEH (a/k/a ?Mrb3hz4d?) was a male hacker believed to be approximately 19 years old and a national of the Islamic Republic of Iran (?Iran?) who lived in Iran.1 As of the date of this Indictment, MOHAMMADZADEH has publicly claimed to have personally defaced more than 1,100 websites around the world with pro-Iranian and pro-hacker messages, which he began no later than on or about September 4, 2018, and has continued through the present day. 2. Defendant MARWAN ABUSROUR (a/k/a ?an007?) was a male and a A picture of MOHAMMADZADEH is attached to this Indictment as Exhibit A. Case Document 1 Filed 09/03/20 Page 2 of 14 stateless national of the Palestinian Authority.2 ABUSROUR was a selfudescribed spammer (33.9., sender of unsolicited emails for pro?t), carder (329., illicit trader in stolen credit cards), and black hat hacker (tie, a hacker who violates computer security for personal gain or maliciousness) who used the online moniker ?MrmeOT.? As of the date of this Indictment, ABUSROUR had publicly claimed to have defaced at least 337' websites around the world with pro-Islamic, pro-Palestinian, and pro-hacker messages, which he began no later than on or about June 6, 2016, and continued through at least in or about July 2020. 3. On or about January 2, 2020, the United States Department of Defense issued a public statement saying that, the direction of the President, the US. military has taken decisive defensive action to protect U.S. personnel abroad by killing Qasem Soleimani, the head of the Islamic Revolutionary Guard Corps?Quds Force, a U.S.-designated Foreign Terrorist Organization.? The statement explained that the ?strike was aimed at deterring future Iranian attack plans? and deScribed brie?y General Soleimani?s past actions and future plans. The United States? responsibility for General Soleimani?s death was publicized widely around the world. 4. Shortly after this announcement and, as a remit of the United States? killing of Soleimani, MOHAMMADZADEH knowingly transmitted computer code to approximately 51 websites hosted in the United States, and defaced those websites by replacing their content with pictures of the late General Soleimani against a background of the Iranian flag, along with the message, in English, ?Down with America,? and other text. Some of the websites defaced were hosted on computers owned and operated by a company with corporate headquarters within the 2 A picture of ABUSROUR is attached to this Indictment as Exhibit B. Case Document 1 Filed 09/03/20 Page 3 of 14 District of Massachusetts, and some of the defaced websites were viewed on computers located within the District of Massachusetts. 5. MOHAMMADZADEH conspired with ABUSROUR and others known and unknown to the Grand Jury to identify websites hosted in the United States with vulnerabilities, hack into those websites and deface them by replacing their content, some with pictures of the late General Soleimani against a background of the Iranian flag, along with the message, in English, ?Down with America,? and other text. 6. These website defacements were part of the defendants? ongoing efforts to hack into and deface websites across the globe. Obiects and Purposes of the Conspiracv 7. The objects of the censpiracy were to hack into and access protected computers that hosted websites in the United States and elsewhere; to transmit programs, information, codes, and commands to those protected computers and websites withOut authorization; and as a result of such conduct to intentionally cause people and corporations in the United States and elsewhere damage?that is, impairments to the integrity and availability of their computer data, programs, systems, and information?and loss?that is, costs to the victims for reasonably responding to the website hacks and defacements, conducting damage assessments, restoring the affected computer data, programs, systems, and information to their condition prior to the offense, and revenue lost, costs incurred, and other consequential damages incurred because of interruption of service. Case Document 1 Filed 09/03/20 Page 4 of 14 8. A principal purpose of the conSpiracy was to protest and retaliate. against the actions of the United States in an effort to seek revenge, to cause economic harm to the United States, and to draw attention to this protest. Manner and Means of the Conspiracy 9. Among the manner and means by which MOHAMMADZADEH, aikfa ?Mrb3hz4d,? ABUSROUR, a?o?a and co-conspirators known and unknown to the Grand Jury carried out the conspiracy were the following: a. Obtaining and developing tools to gain unauthorized access to websites hosted on computers in the United States and elsewhere (Ila, hacking) and to force them to display images and text selected by the co-conspirators rather than images and text selected by the websites? owners and operators (ta, defacing); b. Preparing the images and text they wished to display; c. Sharing these tools and images and text between and ameng co- conspirators, and communicating about the same; d. Identifying websites hosted on computers in the United States and elsewhere that were vulnerable to being hacked and defaced; e. Deploying their hacking and defacement tools against and on the vulnerable websites to display the co-conspirators? images and text; and f. Posting the results of their hacking and defacements on social media and other online accounts visible around the world in order to publicize their exploits. Case Document 1 Filed 09/03/20 Page 5 of 14 Overt Acts in Furtherance of the Conspiracv 10. Between on or about December 26, 2019 and March 4, 2020, MOHAMMADZADEH, afk/a ?Mrb3hz4d,? and ABUSROUR, ajkr'a ?an007,? and co? conspirators known and unknown to the Grand Jury committed and caused to be committed the following overt acts, among others, in furtherance of the conspiracy: a. On or about December 26 and 27, 2019, ABUSROUR provided MOHAMMADZADEH with access to compromised websites; No later than January 7, 2020, ABUSROUR provided MOWADZADEH with access to at least seven compromised websites in the United States; On or about January 7, 2020, MOMMADZADEH andfor ABUSROUR accessed at least seven websites hosted in the United States without authorization; On or about January 2020, MOHAMMADZADEH andi'or ABUSROUR transmitted without authorization programs, information, codes, and commands to those protected computers and websites to replace the websites? original content and to display instead, without authorization, the following image or images substantially similar to it: Case Document 1 Filed 09/03/20 Page Juli I1. e. Beginning on or about January 2020, and continuing thereafter until the websites were repaired to display their authorized content, the defaced websites directed viewers of the image to publicly-viewable Instagram account, which itself directed viewers to zone- h.org, a website on which people identifying themselves as computer hackers regularly post screenshots of the results of their network intrusions and website defacements under their hacker pseudonyms, on which MOHAMMADZADEH had approximately 400 posts on or about January 2020, including posts of Soleimani-related defacernents executed by Case Document 1 Filed 09/03/20 Page 7 of 14 and ABUSROUR together and Soleimani-related defacements executed by MOHAMMADZADEH alone; f. On or about January 7, 2020, ABUSROUR posted to his Instagram account, which had almost 11,000 followers, a screenshot of messages between him and MOHAMMADZADEH in which ABUSROUR listed the seven websites that they had defaced using, at least in part, code, (ii) ABUSROUR said that he was ?Finished MOHAMMADZADEH responded ?Wow? with two emoticons expressing amazement; and (iv) ABUSROUR superimposed on top of this exchange one statement saying, in Arabic, that gave him the shell so he can upload his index. He registered it in his zone H. Why do this Bahzad [ph] and another statement saying, in English, ?high levele [sic] seo [search engine optimization] sites hard night for American news sites,? both with emoticons. ABUSROUR commented about the images: ?Suddenly I ?nd myself Iranian hackers and I help them hit American sites?; and g. On and after January 2020, MOHAMMADZADEH continued to deface additional websites with similar Soleimani-themed images and text, under his own but not name. Case Document 1 Filed 09/03/20 Page 8 of 14 COUNT ONE Conspiracy to Commit Intentional Damage to a Protected Computer (18 U.S.C. 371) The Grand Jury charges: 12. The Grand Jury re?alleges and incorporates by reference paragraphs 1-11 of this Indictment. 13. Between on or about December 26, 2019 and March 4, 2020, in the District of Massachusetts, Iran, and elsewhere, the defendants, (1) BEHZAD MOHAMMADZADEH, ajkfa ?Mrb3hz4d,? and (2) MARWAN ABUSROUR, akaa ?an007,? who will first be brought to the District of Massachusetts, conspired with each other and with others known and unknown to the Grand Jury to commit an offense against the United States, to wit, intentional damage to protected computers, that is, to knowingly cause the transmission of a program, information, code, and command, and as a result of such conduct, to intentionally cause damage, without authorization, to protected computers belonging to people and companies located throughout the United States and elsewhere, to thereby cause impairment to the integrity and availability of data displayed on websites rendered by those computers, and further to damage at least 10 protected computers and to cause loss to one or more persons of at least $5,000 in aggregated value during one year, in violation of 18 U.S.C. 1030(a)(5)(A) and All in violation of Title 18, United States Code, Section 3'71. Case Document 1 Filed 09/03/20 Page 9 of 14 COUNT TWO Intentional Damage to a Protected Computer (18 U.S.C. 1030(a)(5)) 14. The Grand Jury re-alleges and incorporates by reference paragraphs 1-11 of this Indictment. 15. From a date unknown, but no later than on or about September 4, 2018, and continuing until at least the date of this Indictment, in the District of Massachusetts, Iran, and elsewhere, the defendant, (1) BEHZAD MOHAMMADZADEH, a/kfa ?Mrb3hz4d,? who will first be brought to the District of Massachusetts, intentionally damaged protected computers, that is, he knowingly caused the transmission of a program, information, code, and command, and as a result of such conduct, intentionally caused damage, without authorization, to protected computers belonging to people and companies located throughout the United States and elsewhere, thereby causing impairment to the integrity and availability of data displayed on 10 and more protected computers during a one-year period, and further causing loss to one and more persons of at least $5,000 in aggregated value during one year. All in violation of Title 18, United States Code, Sections 1030(a)(5)(A) and Case Document 1 Filed 09/03/20 Page 10 of 14 COUNT THREE Intentional Damage to a Protected Computer (18 U.S.C. 1030(a)(5)) 16. The Grand Jury re-alleges and incorporates by reference paragraphs 1-11 of this Indictment. 17. From a date unknown, but no later than on or about June 6, 2016, and continuing through at least in and around July 2020, in the District of Massachusetts, Iran, and elsewhere, the defendant, (2) MARWAN ABUSROUR, ?it/a ?an007!? who will ?rst be brought to the District of Massachusetts, intentionally damaged protected computers, that is, he knowingly caused the transmission of a program, information, code, and command, and as a result of such conduct, intentionally caused damage, without authorization, to protected computers belonging to people and companies located throughout the United States and elsewhere, thereby causing impairment to the integrity and availability of data displayed on 10 and more protected computers during a one?year period, and further causing loss to one and more persons of at least $5,000 in aggregated value during one year. All in Violation of Title 18, United States Code, Sections 1030(a)(5)(A) and Case Document 1 Filed 09/03/20 Page 11 of 14 FORFEITURE ALLEGATIONS (18 U.S.C. 982(a)(2)(B) 1030(0) The Grand Jury further ?nds: 1. Upon conviction of one or more of the offenses in violation of Title 18, United States Code, Sections 371 and 1030(a), set forth in Counts One through Three of this Indictment, the defendants, BEHZAD MOHAMMADZADEH, afkfa ?Mrb3h24d,? and (2) MARWAN ABUSROUR, aflo?a ?an007,? shall forfeit to the United States, pursuant to Title 18, United States Code, Sections 982(a)(2)(B) and 103 any personal property used, or intended to be used, in any manner or part, to commit, or to facilitate the cmnmission of, such offense. 2. If any of the property described in Paragraph 1, above, as being forfeitable pursuant to Title 18, United States Code, Sections 982(a)(2)(B) and 1030(i), as a result of any act or omission of the defendan a. cannot be located upon the exercise of due diligence; b. has been transferred or sold to, or deposited with, a third party; c. has been placed beyond thejurisdiction of the Court; d. has been substantially diminished in value; or c. has been with other property which cannot be divided without dif?culty; it is the intention of the United States, pursuant to Title 18 United States Code, Sections 982(b)(2) and 103 each incorporating Title 2] United States Code, Section 853(p), to seek forfeiture of any other property of the defendant(s) up to the value of the property described in Paragraph 1 above. Case Document 1 Filed 09/03/20 Page 12 of 14 All pursuant to Title 18, United States Code, Section 1030(i). A TRUE BILL fix/gag COTT L. GARLAND DAVID J. ASSISTANT UNITED STATES ATTORNEYS DISTRICT OF MASSACHUSETTS District of Massachusetts: September 3, 2020 Returned into the District Court by the Grand Jurors and ?led. Case Document 1 Filed 09/03/20 Page 13 of 14 UNITED STATES DISTRICT COURT DISTRICT OF MASSACHUSETTS EXHIBIT A TO THE INDICTMENT Criminal No. 20-cr-10182 Violations: UNITED STATES OF AMERICA Count One: ConSpiracy to Commit Intentional Damage to a Protected Computer (18 U.S.C. 371) V. (I) BEHZAD MOHAMMADZADEH, a/k/a ?Mrb3hz4d,? Counts Two and Three: Intentional Damage to a Protected Computer (2) MARWAN ABUSROUR, a/k/a (13 use. 1030(a)(5)) ?Mrwn007,? Forfeiture Allegations: Defendants (13 982(a)(2)(B) and 1030(i)) Case Document 1 Filed 09/03/20 Page 14 of 14 UNITED STATES DISTRICT COURT DISTRICT OF MASSACHUSETTS Criminal No. 20-cr-101 82 Violations: UNITED STATES OF AMERICA Count One: Conspiracy to Commit Intentional Damage to a Protected Computer (18 U.S.C. ?37l) V. BEHZAD MOHAMMADZADEH, a/k/a ?Mrb3hz4d,? Counts Two and Three: Intentional Damage to a Protected Computer (2) MARWAN ABUSROUR, a/k/a (l8 U.S.C. 1030(a)(5)) ?Mrwn007,? Forfeiture Allegations: Defendants (18 982(a)(2)(B) and 1030(i)) EXHIBIT TO THE INDICTMENT