throbber
Case 3:21-mj-70945-LB Document 1 Filed 06/07/21 Page 1 of 8
`
`3:21-mj-70945-LB
`
`FILED
`
`SUSANY. SOONG
`CLERK, U.S. DISTRICT COURT
`NORTHERN DISTRICT OF CALIFORNIA
`SAN FRANCISCO
`
`Jun 07 2021
`
`

`

`Case 3:21-mj-70945—LB Document 1 Filed 06/07/21 Page 2 of 8
`
`have had the opportunity to conduct, coordinate, and participate in numerous investigations
`
`relating to computer-related crimes.
`
`I have participated in the execution of numerous search
`
`warrants conducted by the FBI and have participated in the seizure of computer systems.
`
`4.
`
`This affidavit is submitted pursuant to Rule 41 of the Federal Rules of Criminal
`
`Procedure, and 18 U.S.C. §§ 981(a)(1)(A) and (C), 981 (b)(1) and (2), 982(a)(1) and (b)(1), and
`
`103 0(i) for the issuance of a warrant (the “Seizure Warrant”) to seize and forfeit the Subject Funds.
`
`5.
`
`The facts and information contained in this affidavit are based upon my personal
`
`knowledge, as well as information from other law enforcement officers involved in this
`investigation. Statements made by witnesses and other individuals referenced in this affidavit have
`
`been paraphrased. While this affidavit does not contain every piece of evidence discovered to date,
`
`it does not omit evidence that would defeat the probable cause established herein.
`
`6.
`
`Based on my training and experience and the facts as set forth in this affidavit, there
`
`is probable cause to seize the property described above.
`
`LEGAL AUTHORITY FOR SEIZURE
`
`7.
`
`Title 18 U.S.C. §§ 981(a)(1)(C) and 1030(i) provide for the criminal and civil
`
`forfeiture of any property which constitutes or is derived from proceeds traceable to a violation of
`
`18 U.S.C. § 1030 (Computer Hacking) and any personal property that was used or intended to be
`
`used to commit or to facilitate the commission of such violations.
`
`8.
`
`Title 18 U.S.C. §§ 981(a)(1)(A) and 982(a)(1) provide for the criminal and civil
`
`forfeiture of any property, real or personal, “involved in” a violation of 18 U.S.C. § 1956 (Money
`
`Laundering), or any property traceable to such property.
`9.
`18 U.S.C. § 981(b) provides for the seizure of property subject to civil forfeiture.
`
`18 U.S.C. § 981(b)(3) further provides:
`
`Notwithstanding the provisions of rule 41(a) of the Federal Rules of Criminal
`Procedure, a seizure warrant may be issued pursuant to this subsection by a judicial
`officer in any district in which a forfeiture action against the property may be filed
`under section 1355(b) of title 28, and may be executed in any district in which the
`property is found, or transmitted to the central authority of any foreign state for
`
`2
`
`

`

`Case 3:21-mj-70945—LB Document 1 Filed 06/07/21 Page 3 of 8
`
`sewice in accordance with any treaty or other international agreement. Any motion
`for the return of property seized under this section shall be filed in the district court
`in which the seizure warrant was issued or in the district court for the district in
`which the property was seized.
`
`10.
`
`Title 18, U.S.C. § 1030(a)(2)(C), makes it a crime for an individual to intentionally
`
`access a computer , without authorization or exceed authorized access, and thereby I obtain
`
`information from a protected computer. The offense is a felony if “committed for‘ purposes of
`
`commercial advantage or private financial gain.”
`
`11.
`
`Title 18, U.S.C. § 1030(a)(5)(A), makes it a crime for an individual to knowingly
`
`cause the transmission of a program, information, code, or command, and as a result of such
`
`conduct, intentionally causes damage without authorization, to a protected computer.
`
`12.
`
`Title 18, U.S.C. § 103 0(a)(7)(C), makes it a crime to intentionally extort any person
`
`any money or other thing of value, transmit in interstate or foreign commerce any communication
`
`containing any demand or request for money or other thing of value in relation to damage to a
`
`protected computer, where such damage was caused to facilitate the extortion.
`
`13.
`
`Title 18 U.S.C. § 1956(a)(1), makes it a crime to engage or attempt to engage in a
`
`financial transaction with the proceeds of a specified unlawful activity: (1) with the intent to
`
`promote the carrying on of a specified unlawful activity; (2) with the intent to evade taxes; (3)
`
`knowing the transaction is designed, in whole or in palt, to conceal or disguise the source, origin,
`
`nature, ownership, or control of the proceeds; or (4) knowing the transaction is designed, in whole
`
`or in part, to avoid a transaction reporting requirement.
`
`14.
`
`Title 18 U.S.C. § 1956(11) makes it a crime to conspire to commit any ofthe offenses
`
`set forth in 18 U.S.C. § 1956.
`
`15.
`
`One of the chief goals of forfeiture is to remove the profit from crime by separating
`
`the criminal from his or her dishonest gains. See United States v. Newman, 659 F.3d 1235, 1242
`
`(9th Cir. 2011); United States v. Casey, 444 F.3d 1071, 1073 (9th Cir. 2006). To that end, if
`
`property appreciates in value or earns interest, any appreciation or interest is subject to forfeiture.
`
`See United States v. Betancouit, 422 F.3d 240, 250 (5th Cir. 2005); United States v. Hawkey, 148
`
`F.3d 920, 928 (8th Cir. 1998).
`
`

`

`Case 3:21-mj-70945—LB Document 1 Filed 06/07/21 Page 4 of 8
`
`DEFINITIONS
`
`16.
`
`I know from my training and experience as a Special Agent with the FBI that the
`
`following definitions apply to the activity discussed in this affidavit:
`
`17.
`
`
`Bitcoin: Bitcoin is a type of cryptocurrency, circulated over the Internet as a value
`
`that substitutes for currency. Bitcoin is not issued by any government, bank, or company, but
`
`rather is generated and controlled through computer software operating via a decentralized, peer—
`
`to-peer network. Bitcoin is just one of many types of cryptocurrency.1
`
`18.
`
`Bitcoin address: Bitcoin addresses are the particular Virtual locations to which
`
`bitcoin are sent and received. A Bitcoin address is analogous to a bank account number and is
`
`represented as a 26~to-35-character~long case-sensitive string of letters and numbers.
`
`19.
`
`Private Key: Each Bitcoin address is controlled through the use of a unique
`
`corresponding private key, a cryptographic equivalent of a password needed to access the
`
`address. Only the holder of an address’s private key can authorize a transfer of Bitcoin from that
`
`address to another Bitcoin address.
`
`20.
`
`Bitcoin Wallet: A Bitcoin wallet is a software application that interfaces with the
`
`Bitcoin blockchain and generates and stores a user’s addresses and private keys. A Bitcoin
`
`wallet also allow users to send and receive bitcoins. Multiple addresses can be stored in a wallet.
`
`21.
`
`Blockchain: All Bitcoin transactions are recorded on what is known as the
`
`Bitcoin blockchain. The blockchain is essentially a distributed public ledger, run by the
`
`decentralized network, containing an immutable and historical record of every transaction. The
`
`blockchain updates approximately six times per hour and records every Bitcoin address that has
`
`ever received bitcoin and maintains records of every transaction and all the known balances for
`
`each Bitcoin address. The blockchain is visible online to everyone.
`
`1 Since Bitcoin is both a cryptocurrency and a protocol, capitalization differs. Accepted
`practice is to use “Bitcoin” (singular with an uppercase letter B) to label the protocol, software,
`and community, and “bitcoin” (with a lowercase letter b) or BTC to label units of the
`cryptocurrency. That practice is adopted here.
`
`will:
`
`

`

`Case 3:21-mj-70945—LB Document 1 Filed 06/07/21 Page 5 of 8
`
`22.
`
`Blockchain Explorer: A blockchain explorer is software that uses API and
`
`blockchain nodes to draw data from a blockchain and uses a database to arrange and present the
`
`data to a user in a searchable format. These explorers are online tools that operate as a
`
`blockchain search engine that allows users to search for and review transactional data for any
`
`addresses on a particular blockchain.
`
`FACTS SUPPORTING PROBABLE CAUSE
`
`A.
`
`BACKGROUND
`
`23.
`
`The FBI is investigating suspected Violations of Title 18, United States Code,
`
`Section 103 O(a)(2)(C), Unauthorized Access to a Protected Computer to Obtain Information,
`
`Title 18, United States Code, Section lO30(a)(5)(A), Intentional Damage to a Protected
`
`Computer, Title 18, United States Code, Section 1030(a)(7)(C), Extortion Involving Computers,
`
`among other statutes, and Title 18, United States Code, Section 1956 (Money Laundering).
`
`24.
`
`Ransomware is a type of malicious software that infects a computer system and
`
`restricts a user from accessing that system or the files contained therein through encryption.2 These
`
`files and systems remain encrypted until a ransom is paid, at which time a decryptor, or a tool
`
`allowing for the decryption of files, is provided. Typically, threat actors utilizing ransomware will
`
`breach a network, exfiltrate data from the victim’s network, plant the malicious software to encrypt
`
`data, and demand a ransom. If the ransom is not paid, the threat actor often threatens to publish
`
`the stolen data online.
`
`2 Encryption is the method by which information is converted into secret code that hides the
`information's true meaning. By encrypting files on a system, a threat actor can make the files unreadable
`and unusable until the enCIyption is reversed, or the information is decrypted.
`
`5
`
`

`

`Case 3:21-mj-70945—LB Document 1 Filed 06/07/21 Page 6 of 8
`
`B.
`
`VICTIM X WAS TARGETED BY A RANSOMWARE ATTACK
`
`25.
`
`Victim X is part of the critical infrastructure sector of the United States. On or
`
`about May 7, 2021, Victim X reported to the FBI that it was the victim of an unauthorized
`
`network access and ransomware attack committed by individuals in a group known as DarkSide.
`
`26.
`
`Victim X indicated that employees saw a message on their screen that indicated a
`
`ransomware attack was taking place. A Tor website address was provided that claimed to have
`
`links to samples of data that had been exfiltrated and a ransom was demanded of approximately
`
`75 bitcoins (BTC). Systems that played a role in Victim X’s business were also affected, which
`
`led Victim X to take portions of its critical infrastructure out of operation.
`
`27.
`
`As described in more detail below, pursuant to an investigation conducted by the
`
`United States Government, the United States was able to locate approximately 63.7 of the
`
`bitcoins paid as ransom by Victim X.
`
`28.
`
`On or about May 8, 2021, Victim X advised the FBI that it was instructed to send
`
`a ransom payment of approximately 75 BTC, calculated to be worth approximately $4.3 million
`
`on that date, to cryptocurrency address XXXXXXXXXXXXL6quLgX5VEAFCbRXj c9fr.
`
`29.
`
`in reviewing the Bitcoin public ledger, the ransom payment address
`
`XXXXXXXXXXXXL6quLgX5VEAFCbRXj c9fr received two payments on May 8, 2021,
`totaling 75.0005 BTC.
`Ithen identified through blockchain explorer that on May 8, 2021, the
`
`75.0005 BTC was sent in one transaction from the ransom payment address to two different
`
`addresses: 0.00001693 BTC was sent to
`
`r
`
`. XXXXXXXXXXXXm9p48hx5y25gcvmncu65w43wfytpsf and 75.00034246 BTC was sent to
`
`XXXXXXXXXXXXGAZ75Df729Bnujk6Xg7q5X.
`
`30.
`
`Then, also on May 8, 2021 , 75.00034246 BTC was sent from address
`
`XXXXXXXXXXXXGAZ75Df729Bnujk6Xg7q5X to address
`
`XXXXXXXXXXXXm9p48hx5yz5govmncu65w43wfytpsf (the same address the additional
`
`0.00001693 BTC was previously sent to) and address
`
`

`

`Case 3:21-mj-70945—LB Document 1 Filed 06/07/21 Page 7 of 8
`
`XXXXXXXXXXXXVaSytth9Nchhx6etKycsm. According to public blockchain explorers,
`
`74.99998307 BTC was sent to address
`
`XXXXXXXXXXXXm9p48hx5yz5gcvmncu65w43wfytpsf and 0.00006748 BTC was sent to
`
`address XXXXXXXXXXXXVaSytth9Nchhx6etKycsm.
`
`31.
`
`Additionally, on May 8, 2021, 74.99998307 BTC was sent in one transaction
`
`along with an additional 0.00001693 BTC from address
`
`XXXXXXXXXXXXm9p48hx5yzS gcvmncu65w43wfytpsf to two addresses: 11.24962019 BTC
`
`was sent to address XXXXXXXXXXXXC65fsdd5kewcsfeag6sljgfhz99zwt and 63.74998561
`
`BTC was sent to address XXXXXXXXXXXXj 8kchqqenwzn7khcw4llfykeqwg45.
`
`32.
`
`On May 9, 2021, according to blockchain explorer, 63.74998561 BTC was sent
`
`from address XXXXXXXXXXXXj 8kchqqenwzn7l<hcw4llfykeqwg45 in one transaction to two
`
`addresses: 0.04976631 BTC was sent back to address
`
`XXXXXXXXXXXXj 8kcqdqqenwzn7khcw4llfykeqwg45 and 63.70000000 BTC was sent to
`
`address XXXXXXXXXXXXuRTnHQA8tNuG7SZchdeB.
`
`33.
`
`An online public blockchain explorer identified at least 23 other addresses
`
`collected together with address XXXXXXXXXXXXuRTnHQAStNuG7S2chdeB in one
`
`wallet.— on May 27, 2021, funds from the collection of addresses,
`
`totaling 69.60422177 BTC, including 63.70000000 BTC accessible from address
`
`XXXXXXXXXXXXuRTnHQA8tNuG7S2chdeB was transferred to address
`
`XXXXXXXXXXXX950klpj cawuy4uj39ym43hs6cfsegq (the “Subject Address”), and it has not
`
`moved since.
`
`34.
`
`The private key for the Subject Address is in the possession of the FBI in the
`
`Northern District of California.
`
`CONCLUSION
`
`35.
`
`Based on the investigation to date, my training and experience, and my
`
`consultations With other Special Agents with whom I work, Ihave probable cause to believe that
`
`

`

`Case 3:21-mj-70945—LB Document 1 Filed 06/07/21 Page 8 of 8
`
`the aforementioned property may be seized pursuant to 18 U.S.C. §§ 98l(a)(l)(A) and (C),
`
`981(b)(1) and (2), 982(a)(1) and (b)(1), and 1030(i).
`
`I declare under the penalty that the foregoing is true and correct to the best of my
`
`knowledge and belief.
`
`Respectfully submitted,
`
` Special Agent
`
`Federal Bureau of Investigation
`
`Subscribed and sworrrto before me on June 1’, 2021
`,._
`g":
`E
`It;
`
`
`THE HONORABLE LAUREL BEELER
`UNITED STATES MAGISTRATE JUDGE
`
`

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket