throbber
Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 1 of 12
`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 1 of 12
`
`Honorable Mary Alice Theiler
`
`
` — FILED
`LODGED
`
`ENTER?
`RECEIVED
`
`’JUL 2 9 2019
`AT SEATTLE
`CLERK U.S. DISTRICT COUFIT
`WESTERN DISTRICT OF WASHINGTON
`BY
`DEPUTY
`
`UNITED STATES DISTRICT COURT FOR THE
`
`WESTERN DISTRICT OF WASHINGTON
`
`AT SEATTLE
`
`UNITED STATES OF AMERICA,
`
`Plaintiff,
`
`Case No. MJ19-0344
`
`v.
`
`COMPLAINT FOR VIOLATION OF
`
`18 U.S.C. § 1030(a)(2)
`
`PAIGE A. THOMPSON,
`a/k/a “erratic”
`
`Defendant.
`
`Before, the Honorable Mary Alice Theiler, United States Magistrate Judge, United
`
`States Courthouse, 700 Stewart Street, Seattle, Washington.
`
`COUNT 1
`
`(Computer Fraud and Abuse)
`
`Between on or about March 12, 2019, and on or about July 17, 2019, at Seattle,
`within the Western District of Washington, and elsewhere, PAIGE A. THOMPSON
`
`intentionally accessed a computer without authorization, to wit, a computer containing
`
`information belonging to Capital One Financial Corporation, and thereby obtained
`
`information contained in a financial record of a financial institution and of a card issuer
`
`THOMPSON COMPLAINT / N0. M1 19-344 - l
`
`UNITED STATES ATTORNEY
`700 STEWART STREET. SUITE 5220
`SEATTLE, WASHINGTON 98101
`(206) 553—7970
`
`\OOOQGM-bwmu—t
`
`NNNNNNNNNt—Ab—Ir—II—Ir—nn—ni—Hp—AH
`
`WNONM-hUJNt—‘OWmflQm-RUJNHO
`
`

`

`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 2 of 12
`Case 2:19-cr-00159—RSL Document 1 Filed 07/29/19 Page 2 of 12
`
`as defined in Section 1602 of Title 15, and information from a protected computer, and
`
`the value of the information obtained exceeded $5,000.
`
`All in violation of Title 18, United States Code, Section 1030(a)(2)(A) and (C),
`
`and (c)(2)(A) and (B)(iii).
`
`The undersigned complainant being duly sworn states:
`
`1.
`
`1, Joel Martini, am a Special Agent with the Federal Bureau of Investigation
`
`(FBI), currently assigned to the Seattle Field Office, and have been so employed since
`
`January 2017. I am assigned to the Cyber Squad, where I investigate computer intrusions
`
`and other cybercrimes. Prior to my employment as a Special Agent, I worked as a
`
`Computer Forensic Examiner for the FBI for approximately five years. The facts set
`
`forth in this Complaint are based upon my personal knowledge, information I have
`received from others during the course of my investigation, and my review of relevant
`
`documents.
`
`2.
`
`I am the case agent responsible for an investigation of PAIGE A.
`
`THOMPSON, also known by the alias “erratic,” for intruding into servers rented or
`
`contracted by a financial services company and issuer of credit cards, namely, Capital
`
`One Financial Corporation (“Capital One”), from a company that provides cloud
`
`computing services (the “Cloud Computing Company”), and for exflltrating and stealing
`
`information, including credit card applications and other documents, from Capital One.
`
`I.
`
`SUMMARY OF THE INVESTIGATION
`
`3.
`
`The FBI is conducting an investigation into a network intrusion into servers
`
`rented or contracted by Capital One. Capital One is a financial services company that,
`
`among other things, issues credit cards.
`
`4.
`
`Evidence linking PAIGE A. THOMPSON to the intrusion includes the fact
`
`that information obtained from the intrusion has been posted on a GitHub page that
`
`includes PAIGE A. THOMPSON’s full name — paigea*****thompson — as part of its
`
`digital address, and that is linked to other pages that belong to PAIGE A. THOMPSON
`UNITED STATES ATTORNEY
`700 STEWART STREET, SUITE 5220
`SEMTLE, WASHINGTON 9810]
`(206) 553-7970
`
`THOMPSON COMPLAINT / No. MJl9-344 - 2
`
`V
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 3 of 12
`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 3 of 12
`
`and contain her resume. In addition, records obtained from Capitol One indicate that
`
`Internet Protocol addresses used by the intruder are controlled by a company that
`
`provides virtual private network services and that was used by PAIGE A. THOMPSON
`
`to make postings on the intemet service GitHub, including very close in time to
`
`intrusions. Moreover, PAIGE A. THOMPSON also has made statements on social media
`
`fora evidencing the fact that she has information of Capital One, and that she recognizes
`
`that she has acted illegally.
`
`11.
`
`TERMS AND DEFINITIONS
`
`5.
`
`For the purpose of this Affidavit, I use the following terms as described
`
`below:
`
`a.
`
`A server is a computer that provides services for other computers
`
`connected to it via a network or the intemet. The computers that use the server’s services
`
`are sometimes called clients. Servers can be physically located anywhere with a network
`
`connection that may be reached by the clients. For example, it is not uncommon for a
`
`server to be located hundreds (or even thousands) of miles away from client computers.
`
`A server may be either a physical or virtual machine. A physical server is a piece of
`
`computer hardware configured as a server with its own power source, central processing
`
`unit or units, and associated software. A virtual server typically is one of many servers
`
`that operate on a single physical server. Each virtual server shares the hardware
`
`resources of the physical server, but the data residing on each virtual server is segregated
`
`from the data on other virtual servers on the same physical machine.
`
`b.
`
`An Internet Protocol address (an “IP address”) is a unique numeric
`
`address used by devices, such as computers, on the intemet. Every device attached to the
`
`intemet is assigned an IP address, so that intemet traffic sent from, and directed to, that
`
`device may be directed properly from its source to its destination. Most intemet service
`
`providers control a range of IP addresses. Generally, a static IP address is permanently
`
`assigned to a specific location or device, while a dynamic IP address is temporary and
`
`\OOO‘sJONUl-IkUJNH
`
`NMNMNMNMNl—‘D—‘fi—‘D—‘l—‘HHb—‘Hb—l
`
`OO\IG\Ln-I=UJN—-O\ooo\10\m-I>~WNr—IO
`
`periodically changes.
`
`THOMPSON COMPLAINT / N0. M1 19-344 - 3
`
`UNITED STATES ATTORNEY
`700 STEWART STREET, SUITE522°
`SEATTLE, WASHINGTON 9810]
`(206) 553-7970
`
`

`

`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 4 of 12
`Case 2:19-cr-00159-RSL DOCument 1 Filed 07/29/19 Page 4 of 12
`
`c.
`The Onion Router (or “TOR”) is an anonymity tool used by
`individuals to conceal their identities, including the origin of their intemet connection,
`
`that is, their IP addresses. TOR bounces communications through several intermediate
`
`computers (relays), each of which utilizes encryption, thus anonymizing the IP address of
`
`the computer of the individual using TOR.
`
`d.
`
`A virtual private network (a “VPN”) is a secure connection over a
`
`less secure network, such as the intemet. A VPN uses shared public infrastructure, but
`
`maintains privacy through security procedures and tunneling protocols. It encrypts data
`
`at the sending end, decrypts it at the receiving end, and sends the data through a "tunnel"
`
`that cannot be "entered" by data that is not properly encrypted. A VPN also may encrypt
`
`the originating and receiving network addresses.
`
`6.
`
`Throughout this Affidavit, I also refer to a number of companies and to
`
`services that they offer:
`
`a.
`
`GitHub is a company that provides webhosting and allows users to
`
`manage and store revisions of proj ects. Although used mostly for software development
`
`projects, GitHub also allows users to manage other types of files.
`
`b.
`
`IPredator is a company that offers prepaid VPN service to
`
`customers, using servers based in Sweden.
`
`c.
`
`Meetup is an Intemet-based platform designed to let people find and
`
`build local communities, called “groups.”
`
`(1.
`
`Slack is a cloud-based set of team-collaboration software tools and
`
`online services. Slack allows users to establish “channels,” in which a team can share
`
`messages, tools, and files.
`
`e.
`
`Twitter is company that operates a social networking site that allows
`
`users to establish accounts, post short messages, and receive other users’ messages.
`
`\DOO\IO\UI4>~UJI\Jr—'
`
`NNNNNNNNND—‘l—‘D—‘D—lb—‘b—‘h—ID—lI—ll—i
`
`WflQm-PWNHOKDOOQQLh-LXWNHO
`
`THOMPSON COMPLAINT / N0. M1 1 9-344 - 4
`
`UNITED STATES ATTORNEY
`700 STEWART 8mm. SUITE 5220
`SEATTLE, WASHINGTON 98101
`(205) 553-7970
`
`

`

`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 5 of 12
`Case 2:19-cr-00159—RSL Document 1 Filed 07/29/19 Page 5 of 12
`
`#LIJM
`
`A.
`
`The Intrusion and Exfiltration
`
`III.
`
`THE INVESTIGATION
`
`7.
`
`Capital One is a bank holding company that specializes in credit cards, but
`
`that also offers other credit, including automobile loans, as well as a variety of bank
`
`accounts. Capital One offers credit cards and other services to customers throughout the
`
`United States. Capital One supports its services, in part, by renting or contracting for
`
`computer servers provided by the Cloud Computing Company. The servers on which
`
`Capital One stores credit card application and other information generally are located in
`
`states other than the State of Washington, and they store information regarding
`
`customers, and support services, in multiple states. Deposits of Capital One are insured
`
`by the Federal Deposit Insurance Corporation. Based upon these facts, Capital One is a
`
`financial institution and a card issuer, and the computers on which it stores credit card
`
`applications are protected computers as those terms are defined in 18 U.S.C. § 1030(C).
`
`8.
`
`Capital One maintains an e—mail address through which it solicits
`
`disclosures of actual or potential vulnerabilities in its computer systems, so that Capital
`
`One can learn of, and attempt to avert, breaches of its systems. Among others who send
`
`e-mails to this address are individuals who sometimes are called “ethical" or “white hat”
`
`hackers.
`
`9.
`
`On July 17. 2019, an individual — who previously was unknown to Capital
`
`One — e-mailed this address.
`
`capifa/IOTI'ICI
`
`Responsible Disclosure(Shared) <responsihIedlsclosure@capiralone.com>
`
`
`[External Sender] Leaked 53 data
`
`_ Wed. Jul 1?. 2019 at 1:25 AM
`To: “respensibledisclosure@capitalonevcom' <responsibtedisclosure@cap'nalone.com)
`
`Hello there,
`
`There appears to be some leaked 53 data or yours in someone's github r gist:
`
`Imps Ilgist-gimUD-com_
`Let me know if you want help tracking them down.
`
`Thanks,
`
`THOMPSON COMPI ,MNT/ No. MJl9~344 . 5
`
`UNITED S'l‘A'l'liS ATTORNEY
`700 S'rswnirrS'I'iuai-rr, SUITE 5220
`SEATl'Ll-I, WASHINGTON 98101
`(206] 553-7970
`
`

`

`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 6 of 12
`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 6 of 12
`
`The individual’s e~mail stated that there appeared to be leaked data belonging to Capital
`
`One on GitHub, and provided the address of the GitHub file containing this leaked data.
`
`The address provided for this file was https://gist.github.com/* * ***/* ** * *.
`
`[Throughout
`
`this affidavit, I use ***** to substitute for other characters, sometimes fewer, but often
`
`more, than five characters] Significantly, one of the terms in this address was what I
`
`know from Department of Licensing records to be PAIGE A. THOMPSON’S full first,
`
`middle, and last name.
`
`10.
`After receiving this information, Capital One examined the GitHub file,
`which was timestamped April 21, 2019 (the “April 21 File”). Capital One determined
`
`that the April 21 File contained the IP address for a specific server. A firewall
`
`misconfiguration permitted commands to reach and be executed by that server, which
`
`enabled access to folders or buckets of data in Capital One’s storage space at the Cloud
`
`Computing Company.
`
`11.
`
`Capital One determined that the April 21 File contained code for three
`
`commands, as well as a list of more than 700 folders or buckets of data.
`
`I Capital One determined that the first command, when executed,
`
`obtained security credentials for an account known as *****-WAF-Role
`
`that, in turn, enabled access to certain of Capital One’s folders at the
`
`Cloud Computing Company.
`
`I Capital One determined that the second command (the “List Buckets
`
`Command”), when executed, used the *****-WAF-Role account to list
`
`the names of folders or buckets of data in Capital One’s storage space at
`
`the Cloud Computing Company.
`I Capital One determined that the third command (the “Sync Command”),
`
`when executed, used the *****-WAF-Role to extract or copy data from
`
`those folders or buckets in Capital One’s storage space for which the
`
`**** *-WAF-Role account had the requisite permissions.
`
`THOMPSON COMPLAINT / N0. M1 19-344 - 6
`
`UNITED STATES ATTORNEY
`700 STEWART STREET, SUITE 5220
`SEATTLE, WASHINGTON 98101
`(206) 553-7970
`
`KOOOQONUI-PUJNH
`
`
`
`
`
`
`
`NNN[\J[\J[\J[\JNNv—I)—n)—|D—li—tv—d)—fi>-—ID—i)—|00\I0\L11hNNl—‘O\O00\JO\U!&OJN>-‘O.
`
`
`
`
`
`
`
`

`

`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 7 of 12
`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 7 of 12
`
`KOOOQONUI-waI—a
`
`
`
`NNNNNNNNNHHHHHHl—it—It—IHOO‘4O\U]-l>-UJNHO\D00\lO\'UI-bLA)NI--‘0
`
`12.
`
`Capital One tested the commands in the April 21 File, and confirmed that
`
`the commands did, in fact, function to obtain Capital One’s credentials, to list or
`
`enumerate folders or buckets of data, and to extract data from certain of those folders or
`
`buckets. Capital One confirmed that the more—than-700 folders or buckets of data listed
`
`in the April 21 File matched the actual names of folders or buckets of data used by
`
`Capital One for data stored at the Cloud Computing Company. Capital One reported that
`
`its computer logs reflect the fact that the List Buckets Command was in fact executed on
`
`April 21, 2019, and that the timestamp in Capital One’s logs matches the timestamp in
`
`the April 21 File.
`
`13.
`
`According to Capital One, its logs show a number of connections or
`
`attempted connections to Capital One’s server from TOR exit nodes, and a number of
`
`connections from IP addresses beginning with 46.246, all of which Capital One believes
`
`relate to activity conducted by the same person involved in the April 21, 2019, intrusion,
`
`because they involve similar unusual communications through the misconfigured firewall
`
`to the server discussed above. Specifically, according to Capital One, the logs show:
`
`I On or about March 12, 2019, IP address 46.246.35.99 attempted to
`
`access Capital One’s data.
`
`I know, fi'om checking publicly-available
`
`records, that this IP address is controlled by IPredator, a company that
`
`provides VPN services.
`
`I On or about March 22, 2019, the *****-WAF—Role account was used to
`
`execute the List Buckets Command several times. These commands
`
`were executed from IP addresses that I believe to be TOR exit nodes.
`
`According to Capital One, the *****-WAF-Role account does not, in
`
`the ordinary course of business, invoke the List Buckets Command.
`
`I Also on or about March 22, 2019, the *****-WAF~Role account was
`
`used to execute the Sync Command a number of times to obtain data
`
`from certain of Capital One’s data folders or buckets, including files
`
`THOMPSON COMPLAINT / No. MJl9—344 — 7
`
`that contain credit card application data. A number of those commands
`UNITED STATES ATTORNEY
`700 STEM“ Sm”. SUNF- 522°
`SEATTLE, WASHINGTON 98101
`(206) 553-7970
`
`

`

`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 8 of 12
`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 8 of 12
`
`\OOOQOKUI-fi-UJNr—t
`
`NNNNNNNNHD—‘t—lb—Il—‘HHb—ll—IH
`
`‘QO‘sUl-bLJJNF—IOKOOOQONLIIAWNHO
`
`N 00
`
`were executed from IP address 46.246.38.224.
`
`I know, from checking
`
`publicly-available records, that that IP address also is controlled by
`
`IPredator.
`
`I One of the files copied from Capital One’s folders or buckets on March
`
`22, 2019, was a file with the name *****cOOO.snappy.parquet (the
`
`“Snappy Parquet File”), and this was the only time the *****-WAF-
`
`Role account accessed the Snappy Parquet File between January 1, 2019
`
`and July 20, 2019.
`
`I A List Buckets Command was executed on April 21, 2019, from IP
`
`address 46.246.35.103. I know, from checking publicly-available
`
`records, that the IP address from which this command was executed also
`
`is controlled by IPredator. I also believe, based on the timestamp on the
`
`April 21, 2019 file, and the time that Capital One reports that the
`
`command appears in Capital One’s logs, that this was the command that
`
`was the source of the April 21 File.
`
`14.
`
`According to Capital One, the data copied from Capital One’s data folders
`
`or buckets includes primarily data related to credit card applications. Although some of
`
`the information in those applications (such as Social Security numbers) has been
`
`tokenized or encrypted, other information including applicants’ names, addresses, dates
`
`of birth and information regarding their credit history has not been tokenized. According
`
`to Capital One, the data includes data regarding large numbers of applications, likely tens
`
`of millions of applications. According to Capital One, that data includes approximately
`
`120,000 Social Security Numbers and approximately 77,000 bank account numbers.
`
`B.
`
`Evidence of PAIGE A. THOMPSON’S Involvement
`
`15.
`
`As noted above, the GitHub address where the April 21 File was posted
`
`includes PAIGE A. THOMPSON’s full name, paigea*****thompson. Clicking on the
`
`name paigea*****thompson in the address takes the user to the main GitHub page for a
`
`PAIGE A***** THOMPSON. The profile on that page contains a link to a GitLab page
`UNITED STATES ATTORNEY
`
`THOMPSON COMPLAINT / N0. M1 19-344 — 8
`
`70° STEWART STREET, SUITE 5220
`SEATTLE, WASHINGTON 9810]
`(206) 553-7970
`
`

`

`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 9 of 12
`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 9 of 12
`
`\OOOQQM-D-UJNr—n
`
`NNNNNNNNNHHi—Ar—Ir—Ii—Ar—ni—ni—np—n
`
`mqmmeNHOKOOOQONLh-PUJNt—‘O
`
`at www.gitlab.com/net* * * * * (the “GitLab Net** * * * Page”). The GitLab Net* * *** Page
`
`includes, among other things, a resume for “Paige Thompson.” That resume indicates
`
`that Paige Thompson is a “systems engineer” and formerly worked at the Cloud
`
`Computing Company from 2015-16. Based on this evidence, I believe that PAIGE A.
`
`THOMPSON is the user of the GitHub and GitLab accounts described herein.
`
`- 16.
`
`An April 19, 2019, post in the GitHub account of “paigea** ** *thompson”
`
`includes a “Server List” of IP addresses associated with the account. All of the IP
`
`addresses in the Server List begin with 46.246. I have confirmed by checking publicly-
`
`available records that each of the IP addresses in the “Server List” is controlled by
`
`IPredator, the same VPN provider that controls multiple IP addresses from which Capital
`
`One reports malicious activity in this case, including malicious activity on April 19,
`
`2019.
`
`17.
`
`Based on open source research, I am aware of a particular Meetup group
`
`used by PAIGE A. THOMPSON. The Meetup page for this group indicates that its
`
`organizer is “Paige Thompson (erratic).” Notably, the alias “erratic” matches the
`
`username of a Twitter account, discussed below, associated with PAIGE A.
`
`THOMPSON. Within that Meetup group is a Slack invitation code for the Slack channel
`
`net* * * * * .slack.com (the “Net* * * * * Slack Channel”).
`
`18.
`
`I have reviewed postings on the Net***** Slack Channel. Among other
`
`things, on or about June 26, 2019, a user “erratic” posted a list of files that “erratic”
`
`claimed to possess. Among those files, two referenced “*****-WAF-Role.” Based on
`
`my review of the Sync Command in the April 21 File, and my training and experience, I
`
`know that the Sync Command would place extracted files in a directory with the name
`
`“*****-WAF-Role.” Accordingly, I believe that, “erratic” was claiming to have files
`extracted using the extraction command set forth in the April 21 File.
`
`19.
`
`On or about June 27, 2019, “erratic” posted about several companies,
`
`government entities, and educational institutions. Among these posts, “erratic” referred
`
`to “* * * * *-WAF-Webrole” and indicated that account was associated with Capital One.
`UNITED STATES ATTORNEY
`700 STEWART STREET, SUTI'E 5220
`SEATTLE, WASHINGTON 98101
`(206) 553 -7970
`
`THOMPSON COMPLAINT I N0. M1 19-344 - 9
`
`

`

`]
`
`\DOOHJONLh-RLAJM
`
`.._. CD
`
`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 10 of 12
`Case 2:19-cr-00159—RSL Document 1 Filed 07/29/19 Page 10 of 12
`
`Based on my training and experience, these communications appear to be references by
`
`“erratic” to other intrusions that “erratic” may have committed.
`
`20.
`
`On or about June 27, 2019, another user posted “don’t go to jail plz.” In
`
`response, “erratic” posted “Im like > ipredator > tor > 53 on all this shit.”
`
`1- APP 12:01PM
`
`sketchy shit
`
`don't go to jail plz
`
`<erratic> APP 12:01 PM
`
`W8 wa wa W8, wa W3 wa wa wa W3 wawaaaaaaaaaaaa
`
`lm like > ipredator > tor > 53 on all this shit ..
`
`I wanna get it off my server thats why Im archiving all of it lol
`
`they have > 500 docker containers
`
`its all encrypted
`
`| just dont want it around though
`
`I gotta find somewhere to store it
`
`that infobloxcto one is interesting
`
`I understand this to refer to the method PAIGE A. THOMPSON used to commit the
`
`intrusion. “[E]rratic” also posted “I wanna get it off my server that’s why Im archiving
`
`all ofit lol.”
`
`21.
`
`According to a screenshoot that Capital One provided, and that I have
`
`reviewed, on or about June 27, 2019, the user “paige*****” posted, “I’ve also got a leak
`
`proot‘lPredator router setup il‘anyone nneds [sic] it,” as well as a GitHub link that
`
`included “paigea*****thompson” in the link.
`
`I was not able to locate this post on
`
`Gitl—Iub myself, although that may be because it since has been deleted.
`
`22.
`
`According to a screenshot that Capital One provided, and that I have
`
`reviewed, on or about July 4, 2019, the user “paigea*****” posted a message seeking
`
`Tl'lOMl’SON COMPLAINT I NO. Mi 19-344 - It]
`
`UNITED STATES A'I"l'ORNEY
`
`700 STEWART STREET, SUITE 5220
`SEATI'LE, W'ASHINGTON 931m
`(206] 553—7970
`
`

`

`H
`
`CDOO‘JGUI-FLUJM
`owummeww—
`
`i—ni—np—as—A—np—nt—Ai—Ii—nr—n
`
`20
`
`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 11 of 12
`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 11 of 12
`
`information about the Snappy Parquet File, one of the files exfiltrated from Capital One
`
`on March 22, 2019.
`
`23.
`
`On or about July 19, 2019, the user “paigea*****” posted information
`
`about one of her pets. Included in the post was an estimate from a veterinarian dated
`
`June 10, 2019, provided to “Paige Thompson” at the same address listed on the “Paige
`
`Thompson” resume described above. Based upon the information in the preceding
`
`paragraphs, I believe that PAIGE A. THOMPSON is the person who posted under the
`
`names “erratic” and “paigea**"‘**” on the Net***** Slack Channel.
`
`24.
`
`1 have learned, from Capital One and through open—source research, ofa
`
`Twitter account name @0XA3A9736C, with a username “ERRATIC.” I have reviewed
`
`photographs posted to the account of “ERRATI C,” and they appear to depict the same
`
`individual who appears in photographs posted on the Net***** Slack Channel under the
`
`username “paigea** ***.” Based upon the information in the preceding paragraphs, I
`
`believe that PAIGE A. THOMPSON is the user of the “ERRAT1C” Twitter account.
`
`25.
`
`According to a screenshot that Capital One provided, on June 18, 2019,
`
`Twitter user “ERRATIC” sent a direct message to the reporting source: “Ive basically
`
`strapped myself with a bomb vest, fucking dropping capitol ones dox and admitting it.
`
`I
`
`wanna distribute those buckets i think first.”
`
`Ive basieaiiy strapped myself with a bomb vest, fucking
`dropping capitol ones dox and admitting it
`
`0 I wanna distribute those buckets i think first
`
`Jun 18, 20191204 AM
`
`Q There ssns...with full name and dob
`
`Jun 18, 2019,12206 AM
`
`THOMPSON COMPLAINT IND. M} I 9-344 - ]
`
`l
`
`UNITED STATES AT'I'ORNIEY
`700 STEWART STREET. SUITI: 5220
`SEATTLE, \VASHINGTON 98ml
`(206) 553-7970
`
`

`

`Case 2:19-cr-00159-RSL Document 1 Filed 07/29/19 Page 12 of 12
`Case 2:19-cr-00159—RSL Document 1 Filed 07/29/19 Page 12 of 12
`
`1
`
`COON-JQM-PUJM
`Ni—Ap—Ii—Ap—It—Au—np—Iv—Ia—It—tODOOHQUI—P-UJMHO
`
`21
`
`I understand this post to indicate, among other things, that PAIGE A. THOMPSON
`
`intended to disseminate data stolen from victim entities, starting with Capital One.
`
`C.
`
`The Search of PAIGE A. THOMPSON’S Residence
`
`26.
`
`On July 26, 2019, I obtained a search warrant to search PAIGE A.
`
`THOMPSON’S residence for evidence in this case. On July 29, 2019, other FBI Special
`
`Agents and I executed that search warrant. Five individuals, including PAIGE A.
`
`THOMPSON, were present at the residence.
`
`27.
`
`A search of a bedroom believed to belong to PAIGE A. THOMPSON
`
`resulted in the seizure of numerous digital devices. During the initial search of some of
`
`these devices, agents observed files and items that referenced Capital One and the Cloud
`
`Computing Company, other entities that may have been the targets of attempted or actual
`
`network intrusions, and “erratic,” the alias associated with PAIGE A. THOMPSON.
`
`28.
`
`Based on the foregoing, I submit that probable cause exists to believe that
`
`PAIGE A. THOMPSON has committed a violation of Title 18, United States Code,
`
`Section 1030(a)(2).
`
`
` L MARTINI, Complainant
`
`
`
`.
`pecial Agent
`Federal Bureau of Investigation
`
`Based on the Complaint and Affidavit sworn to before me, and subscribed in my
`
`presence, I hereby find that there is probable cause to believe the defendant committed
`
`the offense set forth in the Complaint.
`Complaint and affidavit sworn to me before this 2% day ofJuly, 2019.
`
`Tl [OMI’SON COMPLAINT i No. M] [9-344 . 12
`
`
`
` MARY A ICE THEILER
`
`United States Magistrate Judge
`UNITED STATES ATTORNEY
`700 S'I'I:\\'ARTS'['REl-Tl'. Hunt; 5220
`SIEA’I'I'LE, “’ASIIINGTON 9810]
`(206) 553-7970
`
`

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket