`Case 2:19-cr-00159-RSL Document 33 Filed 08/28/19 Page 1 of 7
`
`Presented to the Court by the foreman of the
`Grand Jury in open Court, in the presence of
`the Grand Jury and FILED in the U.S.
`DISTRICT COURT at Seattle, Washington.
`
`UNITED STATES DISTRICT COURT FOR THE
`
`WESTERN DISTRICT OF WASHINGTON
`
`AT SEATTLE
`
`UNITED STATES OF AMERICA,
`Plaintiff,
`
`v.
`
`PAIGE A. THOMPSON,
`
`INDICTMENT
`
`Defendant.
`
`
`The Grand Jury charges that:
`
`COUNT 1
`
`(Wire Fraud)
`
`1.
`
`Beginning in or before March 2019, and continuing until in or after July
`
`2019, at Seattle, within the Western District of Washington, and elsewhere, PAIGE A.
`
`THOMPSON, with the intent to defraud, devised and intended to devise, a scheme and
`
`artifice to defraud and to obtain money and property by means of materially false and
`
`fraudulent pretenses, representations, and promises.
`
`A.
`
`Background
`
`2.
`
`The “Cloud Computing Company” is a company that provides cloud-
`
`computing services to individuals, companies, and governments. Cloud computing is the
`
`practice of using a network of remote servers hosted on the Internet, commonly referred
`
`to as “the cloud,” rather than a local computer or server, to store, manage, and process
`
`Indictment - 1
`United States v. Paige A. Thompson
`
`UNITED STATES ATTORNEY
`700 STEWART STREET, SUITE 5220
`SEATTLE, WASHINGTON 98101
`(206) 553-7970
`
`data. The Cloud Computing Company provides services through server farms that are
`
`located throughout the world and maintained by the Cloud Computing Company.
`
`3.
`
`Capital One Financial Corporation (“Capital One”) is a bank holding
`
`company that offers credit cards and other services to customers throughout the United
`
`States. Capital One supports its services, in part, by renting or contracting for computer
`
`servers from the Cloud Computing Company. The servers on which Capital One stores
`
`credit card application and other information generally are located in states other than the
`
`State of Washington, and they store information regarding customers, and support
`
`services, in multiple states. Deposits of Capital One are insured by the Federal Deposit
`
`Insurance Corporation.
`
`4.
`
`Victim 2 is a state agency of a state that is not the State of Washington.
`
`Victim 2 supports its services, in part, by renting or contracting for computer servers
`
`from the Cloud Computing Company.
`
`5.
`
`Victim 3 is a telecommunications conglomerate located outside the United
`
`States that provides services predominantly to customers in Europe, Asia, Africa, and
`
`Oceania. Victim 3 supports its services, in part, by renting or contracting for computer
`
`servers from the Cloud Computing Company.
`
`6.
`
`Victim 4 is a public research university located outside the State of
`
`Washington. Victim 4 supports its services, in part, by renting or contracting for
`
`computer servers from the Cloud Computing Company.
`
`B.
`
`The Essence of the Scheme and Artifice
`
`7.
`
`The object of the scheme was to exploit the fact that certain customers of
`
`the Cloud Computing Company had misconfigured web application firewalls on the
`
`servers that they rented or contracted from the Cloud Computing Company. The object
`
`was to use that misconfiguration in order to obtain credentials for accounts of those
`
`customers that had permission to view and copy data stored by the customers on their
`
`Cloud Computing Company servers. The object then was to use those stolen credentials
`
`in order to access and copy other data stored by the customers on their Cloud Computing
`
`Company servers, including data containing valuable personal identifying information.
`
`The object also was to use the access to the customers’ servers in other ways for PAIGE
`
`A. THOMPSON’S own benefit, including by using those servers for “cryptojacking.”
`
`C.
`
`The Manner and Means of the Scheme and Artifice
`
`8.
`
`It was part of the scheme and artifice that PAIGE A. THOMPSON used,
`
`and created, scanners that allowed her to scan the publicly facing portion of servers
`
`rented or contracted by customers from the Cloud Computing Company, and to identify
`
`servers for which web application firewall misconfigurations permitted commands sent
`
`from outside the servers to reach and be executed by the servers.
`
`9.
`
`It was further part of the scheme and artifice that PAIGE A. THOMPSON
`
`then transmitted commands to the misconfigured servers that obtained the security
`
`credentials for particular accounts or roles belonging to the customers with the
`
`misconfigured servers.
`
`10.
`
`It was further part of the scheme and artifice that PAIGE A. THOMPSON
`
`then used the accounts for which she had obtained security credentials to obtain lists or
`
`directories of folders or buckets of data in the Cloud Computing Company customers’
`
`storage space at the Cloud Computing Company.
`
`11.
`
`It was further part of the scheme and artifice that PAIGE A. THOMPSON
`
`used the accounts for which she had obtained security credentials to copy data, from
`
`folders or buckets of data in the Cloud Computing Company customers’ storage space at
`
`the Cloud Computing Company for which the accounts had requisite permissions, to a
`
`server that PAIGE A. THOMPSON maintained at her own residence.
`
`12.
`
`It was further part of the scheme and artifice that, in taking these steps,
`
`PAIGE A. THOMPSON implicitly represented that commands to copy data that she sent
`
`using the accounts for which she had obtained security credentials were legitimate
`
`commands sent by users with permission to send such commands, rather than commands
`
`sent by a person who had stolen the security credentials and who lacked authority to use
`
`the accounts and send the commands.
`
`13.
`
`It was further part of the scheme and artifice that, in executing the scheme
`
`and artifice, PAIGE A. THOMPSON used virtual private networks (“VPNs”), including a
`
`VPN offered by the company IPredator, to conceal PAIGE A. THOMPSON’S location
`
`and identity from the Cloud Computing Company and from victim companies.
`
`14.
`
`It was further part of the scheme and artifice that, in executing the scheme
`
`and artifice, PAIGE A. THOMPSON used The Onion Router (“TOR”) to conceal PAIGE
`
`A. THOMPSON’s location and identity from the Cloud Computing Company and from
`
`victim companies.
`
`15.
`
`It was further part of the scheme and artifice that PAIGE A. THOMPSON
`
`copied data to her own server from servers rented or contracted by Capital One from the
`
`Cloud Computing Company, including data that contained information, including
`
`personal identifying information, from approximately 100,000,000 customers who had
`
`applied for credit cards from Capital One.
`
`16.
`
`It was further part of the scheme and artifice that PAIGE A. THOMPSON
`
`copied and stole data from more than 30 different entities, including Capital One,
`
`Victim 2, Victim 3, and Victim 4 that had contracted or rented servers from the Cloud
`
`Computing Company.
`
`17.
`
`It was further part of the scheme and artifice that PAIGE A. THOMPSON
`
`used her unauthorized access to certain victim servers — and the stolen computing power
`
`of those servers — to “mine” cryptocurrency for her own benefit, a practice often referred
`
`to as “cryptojacking.” (Cryptocurrency mining is the process by which cryptocurrency
`
`transactions are verified and added to the public ledger, i.e., the blockchain. Persons who
`
`verify blocks of legitimate transactions, often referred to as “miners,” are rewarded with
`
`an amount of that cryptocurrency. Successful mining operations consume large amounts
`
`of computing power and hardware.)
`
`C.
`
`Execution
`
`18.
`
`On or about March 22, 2019, at Seattle, in the Western District of
`
`Washington, and elsewhere, PAIGE A. THOMPSON, for the purpose of executing the
`
`scheme and artifice described above, caused to be transmitted by means of wire
`
`communication in interstate commerce, from her computer in Seattle to a computer
`
`outside the State of Washington, writings, signs, signals, pictures, and sounds, that is, a
`
`command to copy data belonging to Capital One from servers, rented or contracted by
`
`Capital One from the Cloud Computing Company, to a server belonging to PAIGE A.
`
`THOMPSON in Seattle.
`
`All in violation of Title 18, United States Code, Section 1343.
`
`COUNT 2
`
`(Computer Fraud and Abuse)
`
`19.
`
`The allegations set forth in Paragraphs 1-18 of this Indictment are realleged
`
`and incorporated into this Count, as if fully set forth herein.
`
`20.
`
`Between on or about March 12, 2019, and on or about July 17, 2019, at
`
`Seattle, within the Western District of Washington, and elsewhere, PAIGE A.
`
`THOMPSON intentionally accessed a computer without authorization, to wit, a computer
`
`containing information belonging to Capital One Financial Corporation, and thereby
`
`obtained information contained in a financial record of a financial institution and of a
`
`card issuer as defined in Section 1602 of Title 15, and information from a protected
`computer, and the value of the information obtained exceeded $5,000.
`
`All in violation of Title 18, United States Code, Section 1030(a)(2)(A) and (C),
`
`and (c)(2)(A) and (B)(iii).
`
`ASSET FORFEITURE ALLEGATION
`
`(Count 1)
`
`The allegations contained in Count 1 of this Indictment are hereby realleged and
`
`incorporated by reference for the purpose of alleging forfeiture pursuant to Title 18,
`
`United States Code, Section 981(a)(1)(C) and Title 28, United States Code, Section
`
`2461(c). Upon conviction of the offense charged in Count 1, the defendant, PAIGE A.
`
`THOMPSON, shall forfeit to the United States any property, real or personal, which
`
`constitutes or is derived from proceeds traceable to such offense, including but not
`
`limited to a judgment for a sum of money representing the property described in this
`
`paragraph.
`
`(Count 2)
`
`The allegations contained in Count 2 of this Indictment are hereby realleged and
`
`incorporated by reference for the purpose of alleging forfeiture pursuant to Title 18,
`
`United States Code, Sections 982(a)(2)(B) and 1030(i). Upon conviction of the offense
`
`charged in Count 2, the defendant, PAIGE A. THOMPSON, shall forfeit to the United
`
`States any property constituting, or derived from, proceeds the defendant obtained,
`
`directly or indirectly, as the result of such offense, and shall also forfeit the defendant’s
`
`interest in any personal property that was used or intended to be used to commit or to
`
`facilitate the commission of such offense, including but not limited to a judgment for a
`
`sum of money representing the property described in this paragraph.
`
`(Substitute Assets)
`
`If any of the above-described forfeitable property, as a result of any act or
`
`omission of the defendant,
`
`a. cannot be located upon the exercise of due diligence;
`
`b. has been transferred or sold to, or deposited with, a third party;
`
`c. has been placed beyond the jurisdiction of the Court;
`
`d. has been substantially diminished in value; or
`
`e. has been commingled with other property which cannot be divided without
`
`difficulty;
`
`it is the intent of the United States, pursuant to Title 18, United States Code, Sections
`
`982(b) and 1030(i)(2), Title 21, United States Code, Section 853(p), and Title 28, United
`
`States Code, Section 2461(c), to seek the forfeiture of any other property of the
`
`defendant, up to the value of the above-described forfeitable property.
`
`A TRUE BILL:
`
`DATED: [illegible]
`
`Signature of foreperson redacted
`pursuant to the policy of the Judicial
`Conference of the United States
`
`FOREPERSON
`
`BRIAN T.
`
`RAN
`
`United States Attorney
`
`ANDREW C. FRIEDMAN
`
`Assistant United States Attorney
`
` STEVE
`
`Assistant United States Attorney
`
`
`