`
`3:21-mj-70945-LB
`
`FILED
`
`SUSANY. SOONG
`CLERK, U.S. DISTRICT COURT
`NORTHERN DISTRICT OF CALIFORNIA
`SAN FRANCISCO
`
`Jun 07 2021
`
`
`
`Case 3:21-mj-70945—LB Document 1 Filed 06/07/21 Page 2 of 8
`
`have had the opportunity to conduct, coordinate, and participate in numerous investigations
`
`relating to computer-related crimes.
`
`I have participated in the execution of numerous search
`
`warrants conducted by the FBI and have participated in the seizure of computer systems.
`
`4.
`
`This affidavit is submitted pursuant to Rule 41 of the Federal Rules of Criminal
`
`Procedure, and 18 U.S.C. §§ 981(a)(1)(A) and (C), 981 (b)(1) and (2), 982(a)(1) and (b)(1), and
`
`103 0(i) for the issuance of a warrant (the “Seizure Warrant”) to seize and forfeit the Subject Funds.
`
`5.
`
`The facts and information contained in this affidavit are based upon my personal
`
`knowledge, as well as information from other law enforcement officers involved in this
`investigation. Statements made by witnesses and other individuals referenced in this affidavit have
`
`been paraphrased. While this affidavit does not contain every piece of evidence discovered to date,
`
`it does not omit evidence that would defeat the probable cause established herein.
`
`6.
`
`Based on my training and experience and the facts as set forth in this affidavit, there
`
`is probable cause to seize the property described above.
`
`LEGAL AUTHORITY FOR SEIZURE
`
`7.
`
`Title 18 U.S.C. §§ 981(a)(1)(C) and 1030(i) provide for the criminal and civil
`
`forfeiture of any property which constitutes or is derived from proceeds traceable to a violation of
`
`18 U.S.C. § 1030 (Computer Hacking) and any personal property that was used or intended to be
`
`used to commit or to facilitate the commission of such violations.
`
`8.
`
`Title 18 U.S.C. §§ 981(a)(1)(A) and 982(a)(1) provide for the criminal and civil
`
`forfeiture of any property, real or personal, “involved in” a violation of 18 U.S.C. § 1956 (Money
`
`Laundering), or any property traceable to such property.
`9.
`18 U.S.C. § 981(b) provides for the seizure of property subject to civil forfeiture.
`
`18 U.S.C. § 981(b)(3) further provides:
`
`Notwithstanding the provisions of rule 41(a) of the Federal Rules of Criminal
`Procedure, a seizure warrant may be issued pursuant to this subsection by a judicial
`officer in any district in which a forfeiture action against the property may be filed
`under section 1355(b) of title 28, and may be executed in any district in which the
`property is found, or transmitted to the central authority of any foreign state for
`
`2
`
`
`
`Case 3:21-mj-70945—LB Document 1 Filed 06/07/21 Page 3 of 8
`
`sewice in accordance with any treaty or other international agreement. Any motion
`for the return of property seized under this section shall be filed in the district court
`in which the seizure warrant was issued or in the district court for the district in
`which the property was seized.
`
`10.
`
`Title 18, U.S.C. § 1030(a)(2)(C), makes it a crime for an individual to intentionally
`
`access a computer , without authorization or exceed authorized access, and thereby I obtain
`
`information from a protected computer. The offense is a felony if “committed for‘ purposes of
`
`commercial advantage or private financial gain.”
`
`11.
`
`Title 18, U.S.C. § 1030(a)(5)(A), makes it a crime for an individual to knowingly
`
`cause the transmission of a program, information, code, or command, and as a result of such
`
`conduct, intentionally causes damage without authorization, to a protected computer.
`
`12.
`
`Title 18, U.S.C. § 103 0(a)(7)(C), makes it a crime to intentionally extort any person
`
`any money or other thing of value, transmit in interstate or foreign commerce any communication
`
`containing any demand or request for money or other thing of value in relation to damage to a
`
`protected computer, where such damage was caused to facilitate the extortion.
`
`13.
`
`Title 18 U.S.C. § 1956(a)(1), makes it a crime to engage or attempt to engage in a
`
`financial transaction with the proceeds of a specified unlawful activity: (1) with the intent to
`
`promote the carrying on of a specified unlawful activity; (2) with the intent to evade taxes; (3)
`
`knowing the transaction is designed, in whole or in palt, to conceal or disguise the source, origin,
`
`nature, ownership, or control of the proceeds; or (4) knowing the transaction is designed, in whole
`
`or in part, to avoid a transaction reporting requirement.
`
`14.
`
`Title 18 U.S.C. § 1956(11) makes it a crime to conspire to commit any ofthe offenses
`
`set forth in 18 U.S.C. § 1956.
`
`15.
`
`One of the chief goals of forfeiture is to remove the profit from crime by separating
`
`the criminal from his or her dishonest gains. See United States v. Newman, 659 F.3d 1235, 1242
`
`(9th Cir. 2011); United States v. Casey, 444 F.3d 1071, 1073 (9th Cir. 2006). To that end, if
`
`property appreciates in value or earns interest, any appreciation or interest is subject to forfeiture.
`
`See United States v. Betancouit, 422 F.3d 240, 250 (5th Cir. 2005); United States v. Hawkey, 148
`
`F.3d 920, 928 (8th Cir. 1998).
`
`
`
`Case 3:21-mj-70945—LB Document 1 Filed 06/07/21 Page 4 of 8
`
`DEFINITIONS
`
`16.
`
`I know from my training and experience as a Special Agent with the FBI that the
`
`following definitions apply to the activity discussed in this affidavit:
`
`17.
`
`
`Bitcoin: Bitcoin is a type of cryptocurrency, circulated over the Internet as a value
`
`that substitutes for currency. Bitcoin is not issued by any government, bank, or company, but
`
`rather is generated and controlled through computer software operating via a decentralized, peer—
`
`to-peer network. Bitcoin is just one of many types of cryptocurrency.1
`
`18.
`
`Bitcoin address: Bitcoin addresses are the particular Virtual locations to which
`
`bitcoin are sent and received. A Bitcoin address is analogous to a bank account number and is
`
`represented as a 26~to-35-character~long case-sensitive string of letters and numbers.
`
`19.
`
`Private Key: Each Bitcoin address is controlled through the use of a unique
`
`corresponding private key, a cryptographic equivalent of a password needed to access the
`
`address. Only the holder of an address’s private key can authorize a transfer of Bitcoin from that
`
`address to another Bitcoin address.
`
`20.
`
`Bitcoin Wallet: A Bitcoin wallet is a software application that interfaces with the
`
`Bitcoin blockchain and generates and stores a user’s addresses and private keys. A Bitcoin
`
`wallet also allow users to send and receive bitcoins. Multiple addresses can be stored in a wallet.
`
`21.
`
`Blockchain: All Bitcoin transactions are recorded on what is known as the
`
`Bitcoin blockchain. The blockchain is essentially a distributed public ledger, run by the
`
`decentralized network, containing an immutable and historical record of every transaction. The
`
`blockchain updates approximately six times per hour and records every Bitcoin address that has
`
`ever received bitcoin and maintains records of every transaction and all the known balances for
`
`each Bitcoin address. The blockchain is visible online to everyone.
`
`1 Since Bitcoin is both a cryptocurrency and a protocol, capitalization differs. Accepted
`practice is to use “Bitcoin” (singular with an uppercase letter B) to label the protocol, software,
`and community, and “bitcoin” (with a lowercase letter b) or BTC to label units of the
`cryptocurrency. That practice is adopted here.
`
`will:
`
`
`
`Case 3:21-mj-70945—LB Document 1 Filed 06/07/21 Page 5 of 8
`
`22.
`
`Blockchain Explorer: A blockchain explorer is software that uses API and
`
`blockchain nodes to draw data from a blockchain and uses a database to arrange and present the
`
`data to a user in a searchable format. These explorers are online tools that operate as a
`
`blockchain search engine that allows users to search for and review transactional data for any
`
`addresses on a particular blockchain.
`
`FACTS SUPPORTING PROBABLE CAUSE
`
`A.
`
`BACKGROUND
`
`23.
`
`The FBI is investigating suspected Violations of Title 18, United States Code,
`
`Section 103 O(a)(2)(C), Unauthorized Access to a Protected Computer to Obtain Information,
`
`Title 18, United States Code, Section lO30(a)(5)(A), Intentional Damage to a Protected
`
`Computer, Title 18, United States Code, Section 1030(a)(7)(C), Extortion Involving Computers,
`
`among other statutes, and Title 18, United States Code, Section 1956 (Money Laundering).
`
`24.
`
`Ransomware is a type of malicious software that infects a computer system and
`
`restricts a user from accessing that system or the files contained therein through encryption.2 These
`
`files and systems remain encrypted until a ransom is paid, at which time a decryptor, or a tool
`
`allowing for the decryption of files, is provided. Typically, threat actors utilizing ransomware will
`
`breach a network, exfiltrate data from the victim’s network, plant the malicious software to encrypt
`
`data, and demand a ransom. If the ransom is not paid, the threat actor often threatens to publish
`
`the stolen data online.
`
`2 Encryption is the method by which information is converted into secret code that hides the
`information's true meaning. By encrypting files on a system, a threat actor can make the files unreadable
`and unusable until the enCIyption is reversed, or the information is decrypted.
`
`5
`
`
`
`Case 3:21-mj-70945—LB Document 1 Filed 06/07/21 Page 6 of 8
`
`B.
`
`VICTIM X WAS TARGETED BY A RANSOMWARE ATTACK
`
`25.
`
`Victim X is part of the critical infrastructure sector of the United States. On or
`
`about May 7, 2021, Victim X reported to the FBI that it was the victim of an unauthorized
`
`network access and ransomware attack committed by individuals in a group known as DarkSide.
`
`26.
`
`Victim X indicated that employees saw a message on their screen that indicated a
`
`ransomware attack was taking place. A Tor website address was provided that claimed to have
`
`links to samples of data that had been exfiltrated and a ransom was demanded of approximately
`
`75 bitcoins (BTC). Systems that played a role in Victim X’s business were also affected, which
`
`led Victim X to take portions of its critical infrastructure out of operation.
`
`27.
`
`As described in more detail below, pursuant to an investigation conducted by the
`
`United States Government, the United States was able to locate approximately 63.7 of the
`
`bitcoins paid as ransom by Victim X.
`
`28.
`
`On or about May 8, 2021, Victim X advised the FBI that it was instructed to send
`
`a ransom payment of approximately 75 BTC, calculated to be worth approximately $4.3 million
`
`on that date, to cryptocurrency address XXXXXXXXXXXXL6quLgX5VEAFCbRXj c9fr.
`
`29.
`
`in reviewing the Bitcoin public ledger, the ransom payment address
`
`XXXXXXXXXXXXL6quLgX5VEAFCbRXj c9fr received two payments on May 8, 2021,
`totaling 75.0005 BTC.
`Ithen identified through blockchain explorer that on May 8, 2021, the
`
`75.0005 BTC was sent in one transaction from the ransom payment address to two different
`
`addresses: 0.00001693 BTC was sent to
`
`r
`
`. XXXXXXXXXXXXm9p48hx5y25gcvmncu65w43wfytpsf and 75.00034246 BTC was sent to
`
`XXXXXXXXXXXXGAZ75Df729Bnujk6Xg7q5X.
`
`30.
`
`Then, also on May 8, 2021 , 75.00034246 BTC was sent from address
`
`XXXXXXXXXXXXGAZ75Df729Bnujk6Xg7q5X to address
`
`XXXXXXXXXXXXm9p48hx5yz5govmncu65w43wfytpsf (the same address the additional
`
`0.00001693 BTC was previously sent to) and address
`
`
`
`Case 3:21-mj-70945—LB Document 1 Filed 06/07/21 Page 7 of 8
`
`XXXXXXXXXXXXVaSytth9Nchhx6etKycsm. According to public blockchain explorers,
`
`74.99998307 BTC was sent to address
`
`XXXXXXXXXXXXm9p48hx5yz5gcvmncu65w43wfytpsf and 0.00006748 BTC was sent to
`
`address XXXXXXXXXXXXVaSytth9Nchhx6etKycsm.
`
`31.
`
`Additionally, on May 8, 2021, 74.99998307 BTC was sent in one transaction
`
`along with an additional 0.00001693 BTC from address
`
`XXXXXXXXXXXXm9p48hx5yzS gcvmncu65w43wfytpsf to two addresses: 11.24962019 BTC
`
`was sent to address XXXXXXXXXXXXC65fsdd5kewcsfeag6sljgfhz99zwt and 63.74998561
`
`BTC was sent to address XXXXXXXXXXXXj 8kchqqenwzn7khcw4llfykeqwg45.
`
`32.
`
`On May 9, 2021, according to blockchain explorer, 63.74998561 BTC was sent
`
`from address XXXXXXXXXXXXj 8kchqqenwzn7l<hcw4llfykeqwg45 in one transaction to two
`
`addresses: 0.04976631 BTC was sent back to address
`
`XXXXXXXXXXXXj 8kcqdqqenwzn7khcw4llfykeqwg45 and 63.70000000 BTC was sent to
`
`address XXXXXXXXXXXXuRTnHQA8tNuG7SZchdeB.
`
`33.
`
`An online public blockchain explorer identified at least 23 other addresses
`
`collected together with address XXXXXXXXXXXXuRTnHQAStNuG7S2chdeB in one
`
`wallet.— on May 27, 2021, funds from the collection of addresses,
`
`totaling 69.60422177 BTC, including 63.70000000 BTC accessible from address
`
`XXXXXXXXXXXXuRTnHQA8tNuG7S2chdeB was transferred to address
`
`XXXXXXXXXXXX950klpj cawuy4uj39ym43hs6cfsegq (the “Subject Address”), and it has not
`
`moved since.
`
`34.
`
`The private key for the Subject Address is in the possession of the FBI in the
`
`Northern District of California.
`
`CONCLUSION
`
`35.
`
`Based on the investigation to date, my training and experience, and my
`
`consultations With other Special Agents with whom I work, Ihave probable cause to believe that
`
`
`
`Case 3:21-mj-70945—LB Document 1 Filed 06/07/21 Page 8 of 8
`
`the aforementioned property may be seized pursuant to 18 U.S.C. §§ 98l(a)(l)(A) and (C),
`
`981(b)(1) and (2), 982(a)(1) and (b)(1), and 1030(i).
`
`I declare under the penalty that the foregoing is true and correct to the best of my
`
`knowledge and belief.
`
`Respectfully submitted,
`
` Special Agent
`
`Federal Bureau of Investigation
`
`Subscribed and sworrrto before me on June 1’, 2021
`,._
`g":
`E
`It;
`
`
`THE HONORABLE LAUREL BEELER
`UNITED STATES MAGISTRATE JUDGE
`
`