Case Document 3 Filed 09/29/20 Page 1 of 22

am

IN THE UNITED STATES DISTRICT COURT
FOR THE WESTERN DISTRICT OF 

UNITED STATES OF AMERICA
V.

NIKA NAZAROVI

a/k/ a Nika Utiashvili

a/k/a Mihail Atansov

a/k/a Stefan Trifonov Zhelyazkov
MARTINS IGNATJEVS

a/k/a Yordan Angelov Stoyanov

a/k/a Aleksander Tihomirov

a/k/a Svetlin Iliyanov Asenov
ALEKSANDRE KOBIASHVILI

a/k/a Antonios Nastas

a/k/ a Ognyan Krasimirov Trifonov

DMITRIJ KUZMINOVS
a/k/a Parush Gospodinov Genchev

VALENTINS SEVECS
a/k/a Marek aswilko
a/k/a Rafal 

DMITRIJ SLAPINS

ARMENS VECELS

ARTIOM CAPACLI

ION CEBANU

TOMASS TRESCINKAS

RUSLAN SARAPOVS

SILVESTRS TAMENIEKS

ABDELHAK HAMDAOUI .

PETAR ILIEV


Criminal N0. 7:25
.
(18 U.S.C. 1956(h))


Hm

SEP 29 2020

CLERK U.S. DISTRICT COURT
WEST. DIST. OF 

 

Case Documentis Filed 09/29/20 Page 2 df 22
. I 

The grand jUIy charges: 
Introduction 
At all times material to this Indictment: I
1. From in and around 2016, and continuing thereafter to in and ?aroiimd October 2019;,

the Defendants, and co?eonspirators known and unknown tothe grand jury,

transnational organized crime network known as QQAAZZ

laundering services to signi?cant cybercrimina'l organizations that Stole mon

victims in the United States and abroad.

2.

In order to launder stolen funds,'the Defendants and their co-c<

were members of La

 

1 provided monemy
ey from unwitting


)nspirators opene?d

and maintained hundreds of bank accounts at ?nancial institutions in numerous countries,

including Portugal, Spain, Germany, Turkey, the United Kingdom, Belgium ar

QQAAZZ used the bank accounts to receive funds stolen by cybercriminals fro

respective ?nancial institutions, including in the western District of 

After receiving the stolen funds, QQAAZZ transferred the funds

series of transactions. These transactions included traditional electronic fund

3.

1.

QQAAZZ?controlled bank accounts as well as the conversion of "the


After taking a fee of up to 40 .to 50?percent, QQAAZZ retur
the-stolen funds to the cybercriminals. In total, cybercriminals attempted to trans
of dollars to QQAAZZ?controlled accounts, and QQAAZZ successfully law


dollars stolen-from Victims around the world.

1d the Netherlands.

 

1n victims and their


a.

through a complex

3 transfers to othgr

stolen funds to

ned the balance (ff


I


fer tens of millions

ndered millions of

 

Case Document 3 Filed 09/29/20 Page 3 of 22 I

Members of the Conspiracy

4. The members of QQAAZZ were citizens of multiple countries, including Georgia,
Latvia, Romania, Bulgaria, and Belgium.

5. QQAAZZ was organized into a hierarchy with three primary levels: leaders, mid-
level managers, and money couriers, oftentimes known as ?money mules? and described as such
herein.

6. The leaders of QQAAZZ directed mid?level managers, developed strategies for .
opening bank accounts around-the world, advertised ?cash?out? services on cybercriminal internet

forums, and coordinated to receive stolen funds from and return laundered funds'to cybercriminals.
The phrase ?cash-out services.? refers to the ability to withdraw funds in currency from a bank
account.

7. Mid?level managers of QQAAZZ received direction from the organization?s
leaders, recruited money'mules to open bank accounts around the world, and arranged travel for
the money mules; Sometimes. mid?level members of the conspiracy also opened QQAAZZ-
controlled'bank ?accounts. 1

8. Money mules at times used aliases and false identification documents, and at other
times used their true identities, to register shell companies1 and open personal and corporate bank
accounts controlled by QQAAZZ at international ?nancial institutions. The primary purpose of
the accounts was to receive and launder stolen funds. The money mules were complicit in the

scheme, ?meaning that they were aware of the illegal source of victim funds.

 

1 As used herein, a ?shell company? is a corporate entity formed under the laws of a jurisdiction
outside of the United States for the purpose of opening bank accounts. A shell company does not
have an actual business function Outside of being the named owner of these bank accounts.

3 

Case Document3 Filed 09/29/20 Page-4 of 22

The Defendants

9.. NIKA NAZAROVI, formerly Nika Utiashvili, a/k/a Mihail Atanasov, a/k/a Stefan -
Trifonov Zhelyazkov, was a citizen of Georgia. NAZAROVI was a member of the conspiracy who -
managed co-conspirators in the opening of QQAAZZ-controlled bank accountsirNAZAROVl used
the alias Stefan Trifonov Zhelyazkov to register a shell company in Spain and open a 
control-led bank account, which was the intended recipient of funds attempted to be stolen from
two United States victims.

10. MARTIN IGNATJEVS, a/k/a Yodan Angelov Stoyanov, a/k/a Aleksander
Tihomirov Yanev, a/k/a Svetlin Iliyanov Asenov, was a citizen of Latvia, and he resided in the
United Kingdom. IGNATJEVS was a member of the conspiracy who managed co-conspirators in
the opening of QQAAZZ-controlled bank accounts. I

ll. ALEKSANDRE KOBIASHVILI, a/k/a Antoniosl Nastas, a/k/ a Ognyan Krasimirov 
Trifonov, was a citizen of Georgia. KOBIASHVILI used the aliases Antonios Nastas and Ognyan
Krasimirov TrifonOv to register-a shell company and open QQAAZZ?controlled bank accounts in
Portugal. One of the QQAAZZ?controlled bank accounts opened by KOBIASHVILI was the
intended recipient of funds attempted to be stolen from a United States victim. -

12. DMIT RU KUZMINOVS a/k/a? Parush Gospodinov Genchev was a citizen of
Latvia. KUZMINOVS registered shell companies and opened QQAAZZ?controlled bank accounts
in Portugal and Germany. One of the accounts opened in Portugal was the recipient of funds stolen
from a United States victim.

13. VALENTINS SEVECS, a/k/a Marek aswilko, a/k/a?Rafal was a citizen
of Latvia. SEVECS used the alias Marek aswilko to register a shell company in Portugal and open

at least 16 QQAAZZ-controlled bank accounts in that company?s name. Two of these corporate

4

Case Document 3 Filed 09/29/20 Page 5 of 22

bank accounts were the intended recipients of funds attempted to be stolen from three United States
victims.

l4. DMITRIJ SLAPINS was a citizen of Latvia. identi?cation was used
to register shell companies and QQAAZZ?controlled bank accounts in the United Kingdom and
Germany. SLAPINS also opened a personal bank account in Germany that was the intended
recipient of funds attempted to be stolen from a United States victim.

15. ARMENS VECELS was a citizen of Latvia. VECELS registered a shell company
in Portugal and opened QQAAZZ-controlled bank accounts in Portugal, Spain, and the United
Kingdom. The accounts VECELS opened in Portugal were the intended recipient accounts for
funds attempted to be stolen from ?ve United States victims.

16. ARTIOM CAPACLI was a citizen of Bulgaria. CAPACLI opened a 
controlled bank account in Spain, which received funds stolen ?om a United States victim.

17. ION CEBANU was a citizen of Romania. CEBANU opened a QQAAZZ-
controlled bank account in Spain, which received funds stolen from a United States victim.

18. TOMASS TRESCWKAS was a citizen of Latvia. TRESCINKAS opened a
QQAAZZ?controlled bank account in Spain, which received funds stolen from a United States
victim.

19. RUSLANS SARAPOVS was a citizen of Latvia. SARAPOVS opened 
controlled bank account in Spain, which received funds stolen from a United States victim.

20. SILVESTRS TAMENIEKS was a citizen of Latvia. TAMENIEKS opened a
QQAAZZ-controlled bank account in Spain, which received funds stolen from a United States

victim.

 Documentg3 Filed 09/29/20 PageB df 22 

i 
21. ABDELHAK HAMDAOUI was a citizen of Belgium. opened
QQAAZZ?controlled bank accounts in Belgium and Germany. One of the acicounts opened by

HAMDAOUI received funds stolen from a United States victim. I 


22. PETAR ILIEV was a citizen of Bulgaria. ILIEV opened a c?ontrolled

bank account in Portugal which was the intended recipient of funds attempted to be stolen from a

?ll

United States Victim.
Co- Conspirators Charged
in Related Indictment at Criminal No. 19-3042

23. Aleksej Tro'?movics, a/k/a Aleksej Tro?movich, a/k/ a Alexeyl Tro?movich, a/k/a

Aleko Stoyanov Angelov, was a citizen of Latvia. Tro?movics registered sh1l'all companies and
.  u .,
opened QQAAZZ?controlled bank acCounts inzPortugal that were the recipients, and intende?l

. all
recipients, of ?inds stolen and attempted to be stolen from United States victim-s.

24. Ruslans Nikitenko, a/k/ei Wojciech Lewko, a/k/a 'Milen Nikolchey
Nikolov, a/k/a Rafal Zimnoch, a/k/a Emil Raykov Yordanov,was from Latvia. Nikitenko was "a

member of the conspiracy who managed co?conspirators in the opening of QQAAZZ?controlled

ll
bank accounts. Nikitenko used the aliases Woj ciech Lewko, Milen Nikolchev Nikolov,

 

Rafal Zimnoch, and Emil Raykov Yordanov to register shell companies and open 

controlled bank accounts in Portugal, including accounts that were the recipients, and intended
ll

recipients, of funds stolen and attempted to be stolen from United States victims.
25_. Arturs Zaharevics, a/k/a Piotr Qinelli, a/k/ a Arkadiusz Szuberski, a/k/a Pawel

Tomasz Blitek, a/k/a Marcin Ostapowicz, was a citizen of Latvia, and at times he resided 1n the

 

2 On September 25, 2019, a federal grand jury in the Western District of returned a
one-count indictment at Criminal No. 19-3 04 charging QQAAZZ members Ale ksejs Tro?movics,
Ruslans Nikitenko, Arturs Zaharevics, Deniss Ruseckis, and Deinis Gorenko iNith conspiracy tb
commit money laundering, 1n violation of Title 18, United States Code, Section 1956(h), for their
involvement 1n the same conspiratorial conduct charged herein. 

6 ll

 

Case Document 3 Filed 09/29/20 Page 7 of 22

United Kingdom. Zaharevics was a member of the conspiracy who recruited and managed cou?
conspirators in the opening of QQAAZZ?controlled bank accounts. Zaharevios used the aliases
Piotr Ginelli and Arkadiusz Szuberski to register shell companies and open! QQAAZZ?controlled
bank accounts in Portugal.

26. Deniss Ruseckis, a/k/a Denis Rusetsky, a/k/a Sevdelin Sevdalinov Atanasov, was a
citizen of Latvia. Ruseckis registered shell companies and opened QQAAZZ?controlled bank
accounts in Portugal that were the recipients, and intended recipients, of funds stolen and attempted
to be stolen from United States Victims. I

27. Deinis Gorenko was a citizen of Latvia. Gorenko opened QQlAAZZ?controlled
bank accounts in Portugal that were the recipients of funds stolen from United States victims.

The Victims

28. QQAAZZ laundered money stolen from victims in the United States and other
countries, including the United Kingdom, Switzerland, and Italy. Victims included both businesseis
and individuals. Some of the victims in the United States held bank accounts at ?nancial
institutions headquartered in the Western District of 

29. Bank 1 was a ?nancial institution headquartered in Pittsburgh, in-the
Western District of Bank 1 was insured by the Federal Deposit Insurance
Corporation or chartered by the United States.

30. Bank 2 was a ?nancial institution headquartered in Pittsburgh, in the 
Western District of Bank 2 was insured by the Federal Deposit Insurance
Corporation or chartered by the United States. 

31. Examples of identi?ed victims living or conducting business. within the United 
States included:

a. a technology company inWindsor, Connecticut;

7

Case Document 3 Filed 09/29/20 Page 8 of 22

b. an Orthodox Jewish Synagogue in Brooklyn, New York;
0. a medical device manufacturer in York, 
d. an individual in Montclair, New Jersey;
e. an architecture ?rm in Miami, Florida; I
f. an individual. in Acworth, Georgia;
g. an automotive parts manufacturer in Livonia, Michigan;
h. a homebuilder in Skokie, Illinois;
1. an individual in Carrollton, Texas; and,
j. an individual in Villa Park, California.
32. In total, dozens of United States victims have been identi?ed. However, because

QQAAZZ served numerous cybercriminal organizations, the total number of victims whose funds
were stolen, or attempted to be stolen, through unauthorized electronic funds transfers is unknown.

COUNT ONE
Conspiracy to Commit Money Laundering
(18 U.S.C. 1956(h))

The grand jury charges:
33. The allegations contained in Paragraphs 1 through 32 of this Indictment are
repeated, re-alleged, and incorporated by reference as if fully set forth herein.

34. From in and around 2016, and continuing thereafter to in and around October 2019,

in the Western District of and elsewhere, the Defendants did knowingly and
intentionally conspire and agree with each other and other persons known and unknown to the
grand jury, to commit money laundering in violation of Title 18, United States Code, Section 1956,
that is:

a. to knowingly conduct and attempt to conduct ?nancial transactions
affecting interstate and foreign commerce, involving the proceeds of
speci?ed unlawful activity, namely, computer fraud, in violation of Title
18, United States Code, Section 1030, wire fraud, in violation of Title 18,
United States Code, Section 1343, and bank fraud, in violation of Title 18,
United States Code, Section 1344, knowing that the. transactions were
designed, in whole and in part, to conceal and disguise the nature, location,

8

Case Document 3 Filed 09/29/20 Page 9 of 22

source, ownership and control of the proceeds of said speci?ed unlawful
activity, and that while conducting and attempting to conduct such ?nancial
transactions knowing that the property involved in the ?nancial transactions
represented the proceeds of some form of unlawful activity, in violation of
Title 18, United States Code, Section and

b. to knowingly transport, transmit, transfer, and attempt to transport, transmit,
and transfer monetary instruments and ?nds from a place in the United
States to and through a place outside the United States, knowing that the
monetary . instruments and funds involved in the tran3portation,
transmission, and'transfer represent the proceeds of some form of unlaw?il
activity, and knowing that such transportation, transmission, and transfer
was designed, in whole and in part, to conceal and'disguise the nature,
location, source, ownership and control of the proceeds of specified
unlawful activity, namely, computer fraud, in violation of Title 18, United
States Code, Section 1030, wire fraud, in violation of Title 18, United States
Code, Section 1343, and bank fraud, in violation of Title 18, United States
Code, Section 1344, in violation of Title 18, United States Code, Section


Manner and Means of the Conspiracy

35. During all times relevant to the Indictment, the manner and means used to
accomplish the conspiracy included the following:

Overview of the Conspiracy

36. QQAAZZ members at times used aliases and false identi?cation documents, and at
other times used their true identities, to register shell companies and open personal and corporate-
bank accounts controlled by QQAAZZ at foreign ?nancial institutions. 

37. The primary purpose of the bank accounts was to receive money stolen by
cybercriminals from unwitting victims in the United States and abroad.

38. In order to attract business from cybercriminals, QQAAZZ members advertised the
group?s services on exclusive, underground cybercriminal online forums.

39. QQAAZZ members communicated with their criminal clients on these forums and

over Jabber, a secure online instant message software.

Case Document 3 Filed 09/29/20 Page 10 of 22

40. QQAAZZ provided cybercriminals with account information for speci?c bank
accounts controlled by QQAAZZ, which were designated to receive funds stolen by the
cybercriminals. 

41. After receiving account information from QQAAZZ, cybercriminals would attempt
to initiate an electronic funds transfer from the victim?s bank accounts to the recipient account
provided by QQAAZZ.

42. If the electronic funds transfer was successful, QQAAZZ ?cashed-out? (that is, 
withdrew) the funds and transferred the funds either to a different QQAAZZ-controlled bank
account or to ?tumbling? services where the funds were converted to through a
series of transactions designed to obfuscate the original source of the funds.

43. QQAAZZ returned a portion of the laundered funds to the cybercriminals and kept
a portion for the group as a fee, which was typically between 40 to 50 percent of the total amount
of the stolen ?mds.

Aliases and Fraudulent Identi?cation Documents

44. In furtherance of the conspiracy, QQAAZZ members created and used alias names
and fraudulent identi?cation documents._ Some QQAAZZ members used multiple fraudulent .
identi?cation documents'with different aliases.

45. The fraudulent identi?cation documents included country identi?cation cards and
passports. These fraudulent identi?cation documents were used to register shell companies arid
open bank accounts at foreign ?nancial institutions. The defendants arranged} for funds stolen from
fraud Victims to be deposited into these foreign ?nancial institution accounts. .

.46. ?For example, VALENTINS SEVECS, a citizen of Latvia, use'd fraudulent Polish

identi?cation cards in the names Marek Jaswilko and Rafal as shown in EXHIBIT A.



10

Case Document 3 Filed 09/29/20 Page 11 of 22

47. NIKA NAZAROVI, formerly Nika Utiashvili, a citizen of Georgia, used a
fraudulent Bulgarian passport in the name of Stefan Trifonov Zhelyazkov as shown in EXHIBIT
B.

48. The table below summarizes some of the aliases and fraudulent identi?cation

documents used by QQAAZZ members:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

DEFENDANT, ALIASES FRAUDULENT
. IDENTIFICATION
DOCUMENTS
ALEKSANDRE Antonios Nastas Greek Passport
KOBIASHVILI Ognyan Krasimirov Trifonov Bulgarian Identity Card
DMITRIJS . . 
KUZMINOVS Parush Gospodlnov Genchev Bulgarlan 
Mihail Atansov Bulgarian Identity Card
NIKA NAZAROVI Stefan Trifonov Zhelyazkov Bulgarian Passport
Milen Nikolchev Nikolov Bulgarian Piassport 
Ruslans Nikitenko Woj ciech Lewko Polish Identi?cation
Rafal Zimnoch Cards 
Deniss Ruseckis Sevdelin Sevdalinov Atanasov Bulgarian Passport
VALENTINS Marek Jaswilko Polish Identi?cation
SEVECS Rafal Cards
Aleksejs Bulgarian Identi?cation
Tro?movics Aleko Stoyanov Angelov Card
Piotr Ginelli
5 . Arkadiusz- Szuberski Polish Identi?cation
Zaharev1cs Pawel Tomasz Blitek Cards .
Marcin Ostapowicz i

 

Beneficiary Accounts

 

49. In furtherance of the conspiracy, QQAAZZ members used aliases and true
identities to register shell companies and to open QQAAZZ-controlled bank accounts at ?nancial
institutions in numerous countries, including in Portugal, Spain, Germany, Turkey, the United

Kingdom, Belgium and the Netherlands.

11

Case 2:20-crr00295-MJH Document 3 Filed 09/29/20 Page 12 of 22

50. The shell companies used to open the corporate bank accounts conducted no known
legitimate business activity.

51. QQAAZZ members reserved and purchased travel arrangements' for other members
to travel to the many countries in which QQAAZZ members opened and maintained bank
accounts.

52. For example, a QQAAZZ member arranged a ?ight from London, United Kingdom
to Lisbon, Portugal for DMITRIJ KUZMINOVS on December 6, 2018.

53. i In total, QQAAZZ members opened hundreds of personal bank accounts and
corporate bank accounts at numerous ?nancial institutions for the purpose of using the accounts
to receive stolen funds from victims. I

54. QQAAZZ used corporate bank accounts to receive larger amounts of stolen funds

without raising the suspicion of bank of?cials.

55. QQAAZZ used personal accounts in order to more easily convert stolen funds into

5 6. The following table identi?es Defendants and charged conspirators who registered

shell companies and opened corporate bank accounts in the' names of those shell companies in

furtherance of the conspiracy:

 

 

 

 

 

 

DEFENDANT NAME USED TO SHELL COMPANY COUNTRY ACCOUNTS
- OPEN ACCOUNT 7 . . OPENED
Deinis Gorenko . Deinis Gorenko ??gfsgiafgi Portugal 6-
ALEKSANDRE Antoni? NaStaS Portugal 10
KOBIASHVILI Egbimtroots Umpessoal Portugal 7
Dmitrijs Kuzminvos giggizif 3D A Portugal 10
0V1 3:33:32?? Ste?laz S.L. Spain 1

 

 

 

 

 

 

 

?12

Case Document 3 Filed 09/29/20 Page 13 of 22

 

DEFENDANT

SHELL COMPANY

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

NAME USED TO COUNTRY ACCOUNTS

OPEN ACCOUNT . OPENED

?g?fof Woj ciech fillivulte Unipessoal Portugal 11
Ruslans lid?liirlloljlkOIChev Portugal 11
Nikita? magma 3311;232:653? pomgal 9

$21332?? airing?? W1 7

Portugal Unknown
Deniss Ruseckis LDA 

Deniss Ruseckis 3:113:53: $113114; Portugal 13
Marek Jaswilko A Portugal 17
DMITRIJ Dmitrijs Slapins Slapincraft Ltd. E?gecliorlr Unknown
SLAPINS Dmitrijs Slapins Movers . German?y Unknown
Tomass Trescinskis Spain Unknown

. . 

Portugal 13 i
Aleksejs ?ilossoymv Eilhl??f?m Portugal. 5'
Atro? Design Ltd. ?gecllorn Unknown/n

liil?i?ivics fif? Desgnsemces $330111 Unknm
$51128 Armen Vecels ?Egif4Less Unipessoal Portugal 11

Zaharevics Arkadiusz Ezuberski {Pliifxsigg SPD A Portugal 7

 

 

 

 

 

13i

 

Case Document 3 Filed 09/29/20 Page 14 of 22

57.

Receipt of Stolen Funds

In furtherance of the conspiracy, QQAAZZ used the foreign bank accounts as the

bene?ciary account intended to receive unauthorized electronic transfer of funds that had been

stolen, or attempted to be stolen, by cybercriminals.

58.

The table below illustrates a sample of the hundreds of attempted and successful

unauthorized electronic transfers to QQAAZZ?controlled bank accounts of funds stolen and

attempted to be stolen from United States Victims:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

DATE VICTIM AMOUNT . BENEFICIARY BANK DEFENDANT
- ACCOUNT 2 1
32:33:33 12213133133113) ummown
11/22/16 PK SK $42,432 Egg?gs
9/20/17 JK $84900 ?ffif?rggi?ib ili?in?c?jivics
11/9/17 ?iil?ii?if??er 398/00 355$?
11/29/17 Architectural Firm $121,360 11311312131110

8/ 1 8 LC $29,500 Deniss Ruseckis
3/12/18 RV $150?000 3:13:21 Eg?gal?olft?gal) 
3/21/18 $355353? $300,000 Unknown

anufacturer
4/10/18 $59?426 A giroffgoggagl?fit?gag ?dhuarrsevics
8/30/18 ??mifil?; $99,693 11311111311;an
Manufacturer?

 

14

 

Case Document 3 Filed 09/29/20 Page 15 of 22

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

DATE VICTIM AMOUNT BENEFICIARY BANK DEFENDANT
ACCOUNT 
Automotive
. Sauvage Real LDA VALENTINS
8/30/18 Components I $498,536 Acct: X0006 (Portugal) SEVECS
Manufacturer? -
Automotive Parts Deinis Gorenko . . 
11/14/18 Manufacturer $112,921 Acct: x9194 (Portugal) 1 Detms Gorenko
Freight Forwarding Pixelcategory LDA DMITRIJ 
1216/18 Company $99528 Acct: x0725 (Portugal) KUZMINOVS
1. . Build4Less LDA 1 ARMENS
12/12/ 18 Charity Serv1ces $299,000 Acct: X0103 (Portugal) 1 VECELS
. . Build4Less LDA . 7 ARMENS
12/12/18 Charlty Serwces $150,327 Acct: x0103 (Portugal) VECELS
Automobile Parts Petar Valentinov Iliev 1 
12/12/ 18 Supplier $149,610 Acct: x2194 (Portugal) 1 PETAR ILIEV
Equipment I Nastas Construction ALEKSANDRE
12/12/18 Company $266960 Acct: x0126 (Portugal) KOBIASHVILI
Baked Goods Artiom Capacli 1 1 1 ARTIOM
22/ 19 Manufacturer $49?188 Acct: x7136-(Spain) 1 CAPACLI
1
1/22/19 353,331,: $293,831 
Acct: x9440 (Spain)
1
Baked Goods Ion Cebanu 1
?22/19 Manufacturer $49?182 Acct: x5434 (Spain) 1 ION CEBANU
Farming 
. Ruslans Sarapovs RUSLAN 
2/7/19 . $789123 Acct: x0217 (Spain) SARAPOVS
Retarler
Farming . . 1
. Sllvestrs Tamemeks SILVESTRS
2/7/19 Agricultural $73?441 Acct: x9561 (Spain) 1 TAMENIEKS
Retaller .-
Freight and .
. . . Abdelhak Hamda0u1 ABDELHAK
3/27/19 1535;15:1er Serv1ce $28263 Acct: x4350 (Belgium) HAMDAOUI

 

 

7" Indicates victim bank headquartered in the Western District of 

59.

In total, QQAAZZ-controlled bank accounts received tens of millions of dollars

stolen from victims worldwide, while millions more dollars were attempted to be transferred to

those accounts but were stopped before the transactions were completed.

15

 

Case Document 3 Filed 09/29/20 Page 16 of 22

Cybercriminal Forum Advertisements

 

60. In furtherance of the conspiracy, QQAAZZ advertised cash-out and money
laundering services on exclusive, underground, RussianLSpeaking,,online cybercriminal forums?

61. These forums provided virtual meeting places where vetted cybercriminal's sought
and Offered specialized technical skills, services, or products needed to engage in a variety of
cybercriminal activities.

62. One specialized service critical to the cybercriminal underground was the cash?out
and money laundering service provided by criminal groups including QQAAZZ.

63. In order to facilitate the sale and receipt of services, the underground forums rented
advertisement space to individuals or groups wanting to draw attention to their particular service.
These advertisements could-cost as much as $10,000 per year.

64. QQAAZZ advertised its cash-out and money laundering. services on the
underground forums. For example, QQAAZZ advertised on one such forum that it provided ?a
global, complicit bank drops service,? indicating the availability of bank accounts in numerous
countries throughout the world with ?drops? money mules) who were complicit in, arid
knowledgeable of, the criminal scheme.

65. Through these underground forum's, QQAAZZ developed numerous cybercriminal 
clients. Among cybercriminal clientele were several nefarious malware organizations,

including GozNym', Dridex, and Trickbot.

Jabber Communications with Cybercriminal Clientele

66. In furtherance of the conspiracy, QQAAZZ communicated, Usually in Russian,

with its cybercriminal clients using Jabber, a secure online instant message softw, are.

16

Case Document 3 Filed 09/29/20 Page 17 of 22

67. QQAAZZ members used several online monikers, including ?qqaazz,?
?globaquaazz,? ?markdevido,? ?richrich,??donaldtrump55,? ?manuel,? ?krakadil,? ?kalilinux,?
?ritchie,? ?totala,? and ?totala22.? These online monikers were often used by multiple members of
QQAAZZ at different times.

68. QQAAZZ used these online monikers to pass account information of QQAAZZ-
controlled accounts to the cybercriminal clients.

69. For example, on February 18, 2016, QQAAZZ used the moniker ?richrich? to pass
account information to a member of GozNym Malware Crime Group. During the chats, ?richrich?
stated that he was the ?drop handler? for the United Kingdom and Europe and that he had access
1 to corporate and personal bank accounts. The GozNym member requested ?drop? accounts, and
?richrich? provided the GozNym member with corporate bank accounts in the name ?Yaromu
Gida? at a bank in Turkey. As referenced in the table in Paragraph 58, on April 7, 2016,- Yarornu
Gida Acct. X5197 received 176,500 in funds stolen from a medical device manufacturer utilizing
a bank headquartered in the Western District of 

70. As another example, on November 21, 2017, QQAAZZ used the online moniker
?donaldtrump55? to pass account information to a known cybercriminal client. During the chats,
the cybercriminal client asked for a ?drop? in Portugal. ?donaldtrump55? provided details for
Selbevulte LDA, Account X3596, opened in Portugal by Ruslans Nikitenko using a fraudulent
Polish identification card with the alias Woj ciech Lewko. As referenced in the table in
Paragraph 58, on November 29, 2017, Selbevulte LDA Acct. 3596 was the intended recipient of a
$121,360 transfer from a United States victim.

Cash-Out and Laundering Services

 

71. In furtherance of the conspiracy, QQAAZZ members would transfer funds received

from cybercriminals to other QQAAZZ?controlled bank accounts or to ?tumbling? services where
17

Case Document 3 Filed 09/29/20 Page 18 of 22

the funds were converted to through a series of transactions designed to ob?Jscate
the original source of the ?lnds. A

72. QQAAZZ used personal bank accounts opened by money mules to receive funds
transferred from original accounts in order to more easily convert the funds 

Return of Laundered Funds

73. In furtherance of the conspiracy, QQAAZZ charged around 40- to 50-percent of the
stolen funds it received as a fee for lauhdering the money. 1

74. For example, as part of the Jabber chats between QQAAZZ. using the online
moniker ?richrich? and the member of GozNym described in Paragraph 69 above, ?richrich? stated
that he would take ?5 5 of the stolen funds.

75. As a result of the signi?cant amount of stolen funds received into QQAAZZ-
controlled accounts, QQAAZZ made millions of dollars providing its cash-out services to

cybercriminals.

All in violation of Title 18, United States Code, Section 1956(h).

718

Case Document 3 Filed 09/29/20 Page 19 of 22



Forfeiture Allegations

l. The allegations within this Indictment are re?alleged and by this reference fully
incorporated herein for the purpose of alleging criminal forfeiture to the United- States of America
of certain property in which the Defendants have an interest.

2. As a result of committing the money laundering offense alleged in Count One of
this Indictment, the Defendants shall forfeit to the United States, pursuant to Title 18, United States
Code, Section 982(a)(1), any property, real or personal, involved in the offense, or any property
traceable to such property.

Money. Judgment

3. The United States will seek a forfeiture money judgment for a sum of money equal

to the value of any property, real or personal;'involved in this offense, and any property traceable

to such property.



Substitute Assets
4. If any of the aboVe-described forfeitable property, as a result of any act or omission
of the defendants:
a. cannot be located upon the exercise of due diligence;
b. has been transferred or sold to, or deposited with, a third person;
c. has been placed beyond. the jurisdiction of the Court;
d. has been substantially diminished in value; or
e. has been commingled with other property which cannot be subdivided

without dif?culty;
it is the intent of the United States, pursuant to Title 18, United States Code, Section 982(b), to

seek forfeiture of any other property of the defendants up to the value of the above?described

forfeitable property.

19

Case Document3 Filed 09/29/20 Page_20 of 22-

A11 pursuant to me 18, United States Code, Section 

A T-. Bill,

   

 

SCOTT w; BRADY 
United States Attorney 
PA ID No. .88352

Ewe/2.44 Cam/1,
DEBORAH CONNOR
Chief, Money Laundering and
Asset Recovery Section
Criminal Division

 

20

 Page21of22-

- Fraudul?nt Polish? identi?cation Cains Used-By NTFINS SEVECS

 

. .
. . .
. I
I


1
. .

 

 

 

 

Cas? Diocgumentaf Filed 09/29/20 *Page 22 0:3f22 . 

.. . . I
I
I

Exhibit Fraudulent BulgariaII Passport Used By NIKA NAZAROVI
. 

. QF BULGARIA


Sunni?wags"
I ZHELIAZIIGII 

 

    

  
 
  
 
  

1mm



MWHISMGWA

24,041.90 
a - amam'l?mdln?i I

I mm; 
?hummus-II 5

 

11 DE 331!?

 

 

. F'szfiaien'z?ELump 
38mg 12213315; 9.0mm 11793424133 .