oOo co ~~ HD MH SB W HNO —

BO pO dO KH KN HO KN BRD RD ee leet
Oo ~~ NWN mW BP WW NO KY CO HO DO AIT ND HA DBP WH NH | OS

 

 

Case 2:19-cr-00159-RSL Document 33 Filed 08/28/19 Page 1 of 7

Presented to the Court by the foreman of the
Grand Jury in open Court, in the presence of
the Grand Jury and FILED in the U.S.
DISTRICT COURT at Seattle, Washington.

Augu st 2 & 10 / g
W. M. OOL, Clerk
By ~ Deputy

UNITED STATES DISTRICT COURT FOR THE
WESTERN DISTRICT OF WASHINGTON

 

AT SEATTLE
UNITED STATES OF AMERICA, WRIQ9"—H5O xe
Plaintiff INDICTMENT
v.
PAIGE A. THOMPSON,
Defendant.
The Grand Jury charges that:
COUNT 1
(Wire Fraud)
1. Beginning in or before March 2019, and continuing until in or after July

2019, at Seattle, within the Western District of Washington, and elsewhere, PAIGE A.
THOMPSON, with the intent to defraud, devised and intended to devise, a scheme and
artifice to defraud and to obtain money and property by means of materially false and
fraudulent pretenses, representations, and promises.
A. Background

2. The “Cloud Computing Company” is a company that provides cloud-
computing services to individuals, companies, and governments. Cloud computing is the
practice of using a network of remote servers hosted on the Internet, commonly referred

to as “the cloud,” rather than a local computer or server, to store, manage, and process

Indictment - | UNITED STATES ATTORNEY

: . 700 STEWART STREET, SUITE 5220
United States v. Paige A. Thompson SEATTLE, WASHINGTON 98101

(206) 553-7970
Oo fe SI HD A BP WW NNO —

pO po DOD BH WN NHN KH KN NYO KF RF FF RF RF RP Oe eS Re
on KN UN BP WH NY KF OD OO MNT DH NH FP W NHN KF S&S

 

 

Case 2:19-cr-00159-RSL Document 33 Filed 08/28/19 Page 2 of 7

data. The Cloud Computing Company provides services through server farms that are
located throughout the world and maintained by the Cloud Computing Company.

3. Capital One Financial Corporation (“Capital One”) is a bank holding
company that offers credit cards and other services to customers throughout the United
States. Capital One supports its services, in part, by renting or contracting for computer
servers from the Cloud Computing Company. The servers on which Capital One stores
credit card application and other information generally are located in states other than the
State of Washington, and they store information regarding customers, and support
services, in multiple states. Deposits of Capital One are insured by the Federal Deposit
Insurance Corporation.

4. Victim 2 is state agency of a state that is not the State of Washington.
Victim 2 supports its services, in part, by renting or contracting for computer servers
from the Cloud Computing Company.

5. Victim 3 is a telecommunications conglomerate located outside the United
States that provides services predominantly to customers in Europe, Asia, Africa, and
Oceania. Victim 3 supports its services, in part, by renting or contracting for computer
servers from the Cloud Computing Company.

6. Victim 4 is a public research university located outside the State of
Washington. Victim 4 supports its services, in part, by renting or contracting for
computer servers from the Cloud Computing Company.

B. The Essence of the Scheme and Artifice

7. The object of the scheme was to exploit the fact that certain customers of
the Cloud Computing Company had misconfigured web application firewalls on the
servers that they rented or contracted from the Cloud Computing Company. The object
was to use that misconfiguration in order to obtain credentials for accounts of those
customers that had permission to view and copy data stored by the customers on their
Cloud Computing Company servers. The object then was to use those stolen credentials

in order to access and copy other data stored by the customers on their Cloud Computing

Indictment - 2 UNITED STATES ATTORNEY
700 STEWART STREET, SUITE 5220
SEATTLE, WASHINGTON 98101
(206) 553-7970

United States v. Paige A. Thompson
oOo Oo TDD wA PW NH —

DO BN BH DN BD HY DN DO Rw Om me
oOo sa HD nA FP WwW HY |$& CO OO THN KH A BP WD WN |= CO

 

 

Case 2:19-cr-00159-RSL Document 33 Filed 08/28/19 Page 3 of 7

Company servers, including data containing valuable personal identifying information.
The object also was to use the access to the customers’ servers in other ways for PAIGE
A. THOMPSON’s own benefit, including by using those servers for “cryptojacking.”
C. The Manner and Means of the Scheme and Artifice

8. It was part of the scheme and artifice that PAIGE A. THOMPSON used,
and created, scanners that allowed her to scan the publicly facing portion of servers
rented or contracted by customers from the Cloud Computing Company, and to identify
servers for which web application firewall misconfigurations permitted commands sent
from outside the servers to reach and be executed by the servers.

9. It was further part of the scheme and artifice that PAIGE A. THOMPSON
then transmitted commands to the misconfigured servers that obtained the security
credentials for particular accounts or roles belonging to the customers with the
misconfigured servers.

10. ‘It was further part of the scheme and artifice that PAIGE A. THOMPSON
then used the accounts for which she had obtained security credentials to obtain lists or
directories of folders or buckets of data in the Cloud Computing Company customers’
storage space at the Cloud Computing Company.

1]. ‘It was further part of the scheme and artifice that PAIGE A. THOMPSON
used the accounts for which she had obtained security credentials to copy data, from
folders or buckets of data in the Cloud Computing Company customers’ storage space at
the Cloud Computing Company for which the accounts had requisite permissions, to a
server that PAIGE A. THOMPSON maintained at her own residence.

12. It was further part of the scheme and artifice that, in taking these steps,
PAIGE A. THOMPSON implicitly represented that commands to copy data that she sent
using the accounts for which she had obtained security credentials were legitimate
commands sent by users with permission to send such commands, rather than commands
sent by a person who had stolen the security credentials and who lacked authority to use

the accounts and send the commands.

Indictment - 3 UNITED STATES ATTORNEY
700 STEWART STREET, SUITE 5220
SEATTLE, WASHINGTON 98101
(206) 553-7970

United States v. Paige A. Thompson
o So 4 DB ww FSF WY NY KF

NO bw DO KN LH HD NH NH WN HR = = HS Se Se FF eS ee
on DN OH FP WH YP KH CO CO CO INIT KH A FP W NO KS CO

 

 

Case 2:19-cr-00159-RSL Document 33 Filed 08/28/19 Page 4 of 7

13. It was further part of the scheme and artifice that, in executing the scheme
and artifice, PAIGE A. THOMPSON used virtual private networks (“VPNs”), including a
VPN offered by the company IPredator, to conceal PAIGE A. THOMPSON’s location
and identity from the Cloud Computing Company and from victim companies.

14. It was further part of the scheme and artifice that, in executing the scheme
and artifice, PAIGE A. THOMPSON used The Onion Router (“TOR”) to conceal PAIGE
A. THOMPSON’ location and identity from the Cloud Computing Company and from
victim companies.

15. It was further part of the scheme and artifice that PAIGE A. THOMPSON
copied data to her own server from servers rented or contracted by Capital One from the
Cloud Computing Company, including data that contained information, including
personal identifying information, from approximately 100,000,000 customers who had
applied for credit cards from Capital One.

16. It was further part of the scheme and artifice that PAIGE A. THOMPSON
copied and stole data from more than 30 different entities, including Capital One,

Victim 2, Victim 3, and Victim 4 that had contracted or rented servers from the Cloud
Computing Company.

17. It was further part of the scheme and artifice that PAIGE A. THOMPSON
used her unauthorized access to certain victim servers — and the stolen computing power
of those servers — to “mine” cryptocurrency for her own benefit, a practice often referred
to as “cryptojacking.” (Cryptocurrency mining is the process by which cryptocurrency
transactions are verified and added to the public ledger, i.e., the blockchain. Persons who
verify blocks of legitimate transactions, often referred to as “miners,” are rewarded with
an amount of that cryptocurrency. Successful mining operations consume large amounts
of computing power and hardware.)

C. Execution

18. On or about March 22, 2019, at Seattle, in the Western District of

Washington, and elsewhere, PAIGE A. THOMPSON, for the purpose of executing the

Indictment - 4 UNITED STATES ATTORNEY

. . 700 STEWART STREET, SUITE 5220
United States v. Paige A. Thompson SEATTLE, WASHINGTON 98101

(206) 553-7970
Oo fF AND NH FP WW YN =

Nm NHN Bw BH BR BRD ND BRD ORDO wm wees
oN HD A F&F WD NY KH DOD OO CH IT HD A BP WD VP KH OC

 

 

Case 2:19-cr-00159-RSL Document 33 Filed 08/28/19 Page 5 of 7

scheme and artifice described above, caused to be transmitted by means of wire
communication in interstate commerce, from her computer in Seattle to a computer
outside the State of Washington, writings, signs, signals, pictures, and sounds, that is, a
command to copy data belonging to Capital One from servers, rented or contracted by
Capital One from the Cloud Computing Company, to a server belonging to PAIGE A.
THOMPSON in Seattle.

All in violation of Title 18, United States Code, Section 1343.

COUNT 2
(Computer Fraud and Abuse)
- 19. The allegations set forth in Paragraphs 1-18 of this Indictment are realleged
and incorporated into this Count, as if fully set forth herein.

20. Between on or about March 12, 2019, and on or about July 17, 2019, at
Seattle, within the Western District of Washington, and elsewhere, PAIGE A.
THOMPSON intentionally accessed a computer without authorization, to wit, a computer
containing information belonging to Capital One Financial Corporation, and thereby
obtained information contained in a financial record of a financial institution and of a
card issuer as defined in Section 1602 of Title 15, and information from a protected
computer, and the value of the information obtained exceeded $5,000.

All in violation of Title 18, United States Code, Section 1030(a)(2)(A) and (C),
and (c)(2)(A) and (B)(iii).

ASSET FORFEITURE ALLEGATION
(Count 1)

The allegations contained in Count 1 of this Indictment are hereby realleged and
incorporated by reference for the purpose of alleging forfeiture pursuant to Title 18,
United States Code, Section 981(a)(1)(C) and Title 28, United States Code, Section

2461(c). Upon conviction of the offense charged in Count 1, the defendant, PAIGE A.

Indictment - 5 UNITED STATES ATTORNEY
700 STEWART STREET, SUITE 5220
SEATTLE, WASHINGTON 98101
(206) 553-7970

United States v. Paige A. Thompson
Oo Oo SN DB NH FP WD PO —

NO PO NY ND NH LDN NH LN NO KR =| HB Se Se Se Se ee
oo nN NHN UH BP WHO NY KF DOD CO wWOnxI HH BPW NY KH OS

 

 

Case 2:19-cr-00159-RSL Document 33 Filed 08/28/19 Page 6 of 7

THOMPSON, shall forfeit to the United States any property, real or personal, which
constitutes or is derived from proceeds traceable to such offense, including but not
limited to a judgment for a sum of money representing the property described in this
paragraph. .

(Count 2)

The allegations contained in Count 2 of this Indictment are hereby realleged and
incorporated by reference for the purpose of alleging forfeiture pursuant to Title 18,
United States Code, Sections 982(a)(2)(B) and 1030(i). Upon conviction of the offense
charged in Count 2, the defendant, PAIGE A. THOMPSON, shall forfeit to the United
States any property constituting, or derived from, proceeds the defendant obtained, ©
directly or indirectly, as the result of such offense, and shall also forfeit the defendant’s
interest in any personal property that was used or intended to be used to commit or to
facilitate the commission of such offense, including but not limited to a judgment for a
sum of money representing the property described in this paragraph.

(Substitute Assets)

If any of the above-described forfeitable property, as a result of any act or
omission of the defendant,

. cannot be located upon the exercise of due diligence;

a
b. has been transferred or sold to, or deposited with, a third party;

c. has been placed beyond the jurisdiction of the Court;
d. has been substantially diminished in value; or
e. has been commingled with other property which cannot be divided without
difficulty;
Indictment - 6 UNITED STATES ATTORNEY

700 STEWART STREET, SUITE 5220
SEATTLE, WASHINGTON 98101
(206) 553-7970

United States v. Paige A. Thompson
Co me HT DWH NH FP WW YH Ke

WY NH NY NY NY NK eee ew ae oe ea
DARE BN HF SO e® ADU HES

 

 

bo
Co

Case 2:19-cr-00159-RSL Document 33 Filed 08/28/19 Page 7 of 7

it is the intent of the United States, pursuant to Title 18, United States Code, Sections
982(b) and 1030(i)(2), Title 21, United States Code, Section 853(p), and Title 28, United
States Code, Section 2461(c), to seek the forfeiture of any other property of the

defendant, up to the value of the above-described forfeitable property.

Koa QE

BRIAN T- MORAN

United States Attorney

A TRUE BILL:
DATED: Draes 14 (TON
Signature of foreperson redacted

pursuant to the policy of the Judicial
Conference of the United States

 

FOREPERSON

Ch Ct

ANDREW C. FRIEDMAN
Assistant United States Attorney

Cie —

STEVEN T-MA SADA

Assistant United States Attorney

Indictment - 7
United States v. Paige A. Thompson

UNITED STATES ATTORNEY
700 STEWART STREET, SUITE 5220
SEATTLE, WASHINGTON 98101
(206) 553-7970
