UNITED STATES OF AMERICA v. 113 VIRTUAL CURRENCY

1. https://twitter.com/UnitedStatesV/status/1234529937387859969
2. https://assets.documentcloud.org/documents/6791952/Complaint.pdf
3.  
4. UNITED STATES DISTRICT COURT
5. FOR THE DISTRICT OF COLUMBIA
6. UNITED STATES OF AMERICA,
7. Plaintiff,
8. v.
9. 113 VIRTUAL CURRENCY ACCOUNTS
10. Defendants.
11. Civil Action No. 20-606
12. VERIFIED COMPLAINT FOR FORFEITURE IN REM
13. COMES NOW, Plaintiff the United States of America, by and through the United States
14. Attorney for the District of Columbia, and brings this Verified Complaint for Forfeiture in Rem
15. against the defendant properties, namely: 113 virtual currency accounts (the “Defendant
16. Properties”), which are listed in Attachment A. The United States alleges as follows in accordance
17. with Rule G(2) of the Federal Rules of Civil Procedure, Supplemental Rules for Admiralty or
18. Maritime Claims and Asset Forfeiture Actions:
19. THE DEFENDANT PROPERTIES
20. 1. The Defendant Properties are comprised of miscellaneous financial instruments
21. (listed in Attachment A).
22. NATURE OF ACTION AND THE DEFENDANTS IN REM
23. 2. This in rem forfeiture action arises out of an investigation by the Internal Revenue
24. Service – Criminal Investigation’s Cyber Crimes Unit (“IRS-CI”), Homeland Security
25. Investigations (“HSI”), and the Federal Bureau of Investigation (“FBI”) into the laundering of
26. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 1 of 38
27. monetary instruments, in violation of 18 U.S.C. §1956, and operation of an unlicensed money
28. service business in violation of 18 U.S.C. § 1960.
29. 3. The Defendant Properties are subject to forfeiture pursuant to 18 U.S.C.
30. § 981(a)(1)(A), as property involved in, or traceable to, a financial transaction in violation of 18
31. U.S.C. §§ 1956 and 1960.
32. JURISDICTION AND VENUE
33. 4. This Court has jurisdiction over this action pursuant to 28 U.S.C. §§ 1345 and 1355.
34. These statutes confer original jurisdiction to district courts of all civil actions, suits, or proceedings
35. commenced by the United States and any action for the forfeiture of property incurred under any
36. act of Congress.
37. 5. Venue is proper pursuant to 28 U.S.C. § 1355(b)(1)(A) because acts or omissions
38. giving rise to the forfeiture occurred within the District of Columbia.
39. 6. Venue is also proper within this judicial district pursuant to 28 U.S.C. § 1355(b)(2),
40. because the property subject to forfeiture is located in a foreign country.
41. FACTS GIVING RISE TO FORFEITURE
42. I. Background
43. A. Bitcoin and Ethereum
44. 7. Bitcoin (BTC) and Ether (ETH) are pseudonymous virtual currencies. Although
45. transactions are visible on a public ledger, each transaction is referenced by a complex series of
46. numbers and letters (as opposed to identifiable individuals) involved in the transaction. The public
47. ledger containing this series of numbers and letters is called a blockchain. This feature makes
48. BTC and ETH pseudonymous; however, it is often possible to determine the identity of an
49. individual involved in BTC and ETH transactions through several different tools. For this reason,
50. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 2 of 38
51. many criminal actors who use BTC and ETH to facilitate illicit transactions online (e.g., to buy
52. and sell drugs or other illegal items or services) look for ways to make their transactions even more
53. anonymous.
54. 8. BTC/ETH addresses are unique tokens; however, BTC/ETH are designed such that
55. one person may easily operate many such accounts. Like an email address, a user can send and
56. receive BTC/ETH with others by sending BTC/ETH to a BTC/ETH address. People commonly
57. have many different addresses, and an individual could theoretically use a unique address for every
58. transaction in which they engage.
59. 9. To spend BTC/ETH held within a BTC/ETH address, the user must have a private
60. key, which is generated when the BTC/ETH address is created. Similar to a password, a private
61. key is shared only with the BTC/ETH-address key’s initiator and ensures secured access to the
62. virtual currency. Consequently, only the holder of a private key for a BTC/ETH address can spend
63. BTC/ETH from the address. A BTC user can also spend from multiple BTC addresses in one
64. transaction; for example, five addresses each holding five BTC can collectively send 25 BTC in a
65. single transaction.
66. 10. Although generally, the owners of BTC/ETH addresses are not known unless the
67. information is made public by the owner (for example, by posting the address in an online forum
68. or providing the BTC/ETH address to another user for a transaction), analyzing the public
69. transaction ledger can sometimes lead to identifying both the owner of an address and any other
70. accounts that the person or entity owns and controls.
71. 11. BTC/ETH are often transacted using a virtual currency exchange, which is a virtual
72. currency trading and storage platform. An exchange typically allows trading between the U.S.
73. dollar, other foreign currencies, BTC, ETH, and other virtual currencies. Many virtual currency
74. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 3 of 38
75. exchanges also store their customers’ virtual currencies. These exchanges act as money services
76. businesses and are legally required to conduct due diligence of their customers and have antimoney laundering checks in place. Virtual currency exchanges doing business in the United States
77. are regulated under the Bank Secrecy Act, codified at 31 U.S.C. § 5311 et seq., and must collect
78. identifying information of their customers and verify their clients’ identities.
79. B. Blockchain Analysis
80. 12. While the identity of the BTC/ETH address owner is generally anonymous (unless
81. the owner opts to make the information publicly available), law enforcement can identify the
82. owner of a particular BTC/ETH address by analyzing the blockchain. The analysis can also reveal
83. additional addresses controlled by the same individual or entity. For example, a user or business
84. may create many BTC addresses to receive payments from different customers. When the user
85. wants to transact the BTC that it has received (for example, to exchange BTC for other currency
86. or to purchase goods or services), it may group those addresses together to send a single
87. transaction. Law enforcement uses commercial services offered by several different blockchainanalysis companies to investigate virtual currency transactions. These companies analyze the
88. blockchain and attempt to identify the individuals or groups involved in the virtual currency
89. transactions. Specifically, these companies create large databases that group transactions into
90. “clusters” through analysis of data underlying the virtual currency transactions.
91. C. Peel Chains
92. 13. A “peel chain” occurs when a large amount of BTC sitting at one address is sent
93. through a series of transactions in which a slightly smaller amount of BTC is transferred to a new
94. address each time. In each transaction, some quantity of BTC “peel off” the chain to another
95. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 4 of 38
96. address – frequently to be deposited into a virtual currency exchange – and the remaining balance
97. is transferred to the next address in the chain.
98. 14. The chart below illustrates a simple peel chain example in which a subject seeking
99. to deposit 100 BTC into Exchange A uses a peel chain to make the transaction difficult to track.
100. From left to right, the subject forwards 100 BTC through a series of transactions with 20 peels in
101. inconsistent amounts, ultimately depositing the final five BTC into an exchange, at which point all
102. 100 BTC are deposited.
103. 15. The above chart is a relatively simple example of a peel chain. In practice,
104. sophisticated criminals often use peel chains of hundreds of transactions to obfuscate the path of
105. funds on the blockchain.
106. D. North Korea’s Documented Hacking of Virtual Currency Exchanges
107. 16. In its August 2019 report, the Panel of Experts established by the United Nations
108. Security Council to investigate compliance with sanctions against North Korea (“Panel of
109. Experts”) noted how the North Korean government has “used cyberspace to launch increasingly
110. sophisticated attacks to steal funds from financial institutions and cryptocurrency exchanges to
111. generate income.” 2019 Report of the Panel of Experts, at 4.
112. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 5 of 38
113. 17. The Panel of Experts investigated:
114. the widespread and increasingly sophisticated use by the Democratic People’s
115. Republic of Korea of cyber means to illegally force the transfer of funds from
116. financial institutions and cryptocurrency exchanges, launder stolen proceeds and
117. generate income in evasion of financial sanctions. In particular, large-scale attacks
118. against cryptocurrency exchanges allow the Democratic People’s Republic of
119. Korea to generate income in ways that are harder to trace and subject to less
120. government oversight and regulation than the traditional banking sector.
121. Democratic People’s Republic of Korea cyber actors, many operating under the
122. direction of the Reconnaissance General Bureau, raise money for the country’s
123. weapons of mass destruction programmes, with total proceeds to date estimated at
124. up to $2 billion.
125. Id.
126. 18. Based on information provided by member countries and open source reports, the
127. Panel of Experts undertook investigations of at least 35 reported instances of North Korean actors
128. attacking financial institutions, cryptocurrency exchanges, and mining activity designed to earn
129. foreign currency.
130. 19. “With regard to the foreign currency earned through cyberattacks, according to one
131. Member State, ‘These activities contribute to the DPRK’s WMD programme.’ Implementing such
132. attacks is low risk and high yield, often requiring minimal resources (e.g., a laptop and Internet
133. access).” Id. at 27. The Panel of Experts further noted that,
134. Democratic People’s Republic of Korea cyber actors steal cryptocurrency, use it to
135. launder proceeds in evasion of financial sanctions and mine it through
136. cryptojacking attacks for the purposes of revenue generation. According to a
137. Member State, cryptocurrency attacks allow the Democratic People’s Republic of
138. Korea to more readily use the proceeds of their attacks abroad. In order to obfuscate
139. their activities, attackers use a digital version of layering in which they create
140. thousands of transactions in real time through one-time use cryptocurrency wallets.
141. According to that Member State, stolen funds following one attack in 2018 were
142. transferred through at least 5,000 separate transactions and further routed to
143. multiple countries before eventual conversion to fiat currency, making it highly
144. difficult to track the funds.
145. Id.
146. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 6 of 38
147. 20. The Panel of Experts noted that North Korea mostly targets South Korean
148. cryptocurrency exchanges, and launches such hacking campaigns from within North Korea. The
149. Panel of Experts concluded that North Korea’s “cyberattacks on Republic of Korea [South Korean]
150. targets have been increasing in number, sophistication and scope since 2008, including a clear shift
151. in 2016 to attacks focused on generating financial revenue. In 2019, Democratic People’s
152. Republic of Korea cyber actors shifted focus to targeting cryptocurrency exchanges. Some
153. cryptocurrency exchanges have been attacked multiple times.” Id.
154. 21. The facts giving rise to this complaint involve the theft of virtual currency by North
155. Korean co-conspirators from four virtual currency exchanges (“The Exchange 1,” “The Exchange
156. 2,” “The Exchange 3,” and “The Exchange 4”), three of which were based in South Korea, and the
157. related laundering of the proceeds.
158. E. Money Transmission Business Regulatory Framework
159. 22. Federal law requires money transmitting businesses to be registered with the
160. Financial Crimes Enforcement Network (“FinCEN”), which is located in the District of Columbia.
161. The failure to register with FinCEN is a federal felony offense.
162. 23. Federal law bars money transmitting businesses from transmitting funds that were
163. known to be derived from a criminal offense or intended to be used to promote unlawful activity.
164. 24. In March of 2013, FinCEN issued guidance “to clarify the applicability of the
165. regulations implementing the Bank Secrecy Act (‘BSA’) to persons creating, obtaining,
166. distributing, exchanging, accepting, or transmitting virtual currencies.” March 2013 Guidance at
167. 1, available at https://www.fincen.gov/sites/default/files/shared/FIN-2013-G001.pdf.
168. 25. The March 2013 Guidance confirmed that “[t]he definition of a money transmitter
169. does not differentiate between real currencies and convertible virtual currencies.” Id. at 3.
170. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 7 of 38
171. “Accepting and transmitting anything of value that substitutes for currency makes a person a
172. money transmitter under the regulations implementing the BSA.” Id.
173. 26. The March 2013 Guidance sets forth the types of virtual currency businesses that
174. must register under the BSA regulations. In particular, it states that an “exchanger that (1) accepts
175. and transmits a convertible virtual currency or (2) buys or sells convertible virtual currency for
176. any reason is a money transmitter under FinCEN’s regulations, unless a limitation to or exemption
177. from the definition applies to the person.” Id. at 3. The Guidelines define an “exchanger” as “a
178. person engaged as a business in the exchange of virtual currency for real currency, funds, or other
179. virtual currency.”
180. II. Phase One: The Intrusion and Theft
181. 27. In late 2018, IRS-CI’s Cyber Crimes Unit learned that The Exchange 1 had been
182. hacked. The perpetrators of the hack stole nearly $250 million worth of virtual currencies (as
183. detailed below). The intrusion and subsequent laundering involved numerous electronic
184. communications made in furtherance of the scheme, including e-mail messages and other wire
185. communications related to the intrusion and the submission of false Know-Your-Customer
186. information to various virtual currency exchanges. These communications include wire
187. communications that transited through the United States.
188. 28. In mid-2018, an employee of The Exchange 1 communicated with a “potential
189. client” via email. While communicating with the “potential client,” the employee unwittingly
190. downloaded malware which attacked The Exchange 1.
191. 29. On or about the same day that The Exchange 1 was hacked, a co-conspirator in
192. North Korea researched The Exchange 1 and its CEO. This research, much of which was in
193. Korean, referenced:
194. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 8 of 38
195. a. Hacking;
196. b. Gmail hacker extension;
197. c. How to conduct phishing campaigns; and
198. d. How to exchange large amounts of ETH to BTC.
199. 30. Ultimately, the malware unwittingly downloaded by The Exchange 1 employee
200. provided remote access to The Exchange 1 and unauthorized access to private keys controlling
201. wallets to multiple virtual currencies.
202. 31. With control of The Exchange 1’s private keys, the North Korean co-conspirators
203. stole the following virtual currencies:
204. Currency Est. Amount Est. Dollar Value
205. BTC 10,777.94 $94,145,839.41
206. ETH 218,790 $131,005,511.85
207. Zcash (ZEC) 3,783 $1,020,809.45
208. Dogecoin (DOGE) 99,999,000 $560,944.39
209. Ripple (XRP) 3,043,268 $2,660,100.78
210. Litecoin (LTC) 11,000 $1,639,699.05
211. Ethereum Classic (ETC) 175,866 $3,304,763.96
212. Total $234,337,668.88
213. 32. The North Korean co-conspirators withdrew approximately 10,777.94 BTC from
214. The Exchange 1. Generally speaking, a single deposit of over 10,000 BTC would be easy to trace
215. as it would generate multiple “red flags” for the exchange that received the deposit. Additionally,
216. the exchange receiving the large deposit could freeze the account and leave the hackers with no
217. recourse. Thus, to obfuscate the BTC trail and decrease scrutiny, the North Korean co-conspirators
218. engaged in hundreds of automated transactions with new BTC addresses as “peel chains” to four
219. different exchanges.
220. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 9 of 38
221. 33. The North Korean co-conspirators failed to conduct a peel chain for the LTC they
222. stole from The Exchange 1. Instead they transferred all 11,000 LTC to
223. LLzTJFu3UcwXRrwaq2gLKnJaWWt3oGHVMK (Defendant Property 81).
224. III. Initial Laundering of the Proceeds of Phase One via Peel Chains
225. 34. Analysis of the blockchain and additional investigation revealed that over 10,500
226. of the BTC stolen from The Exchange 1 was deposited primarily into accounts at four virtual
227. currency exchanges (“VCE1,” “VCE2,” “VCE3,” and “VCE4”).
228. 35. Further analysis revealed that a substantial amount of other virtual currencies stolen
229. from The Exchange 1 was also deposited into accounts at VCE1, VCE2, VCE3, and VCE4. In
230. particular, one account at VCE1 (Defendant Property 64) directly received nearly all DOGE and
231. XRP stolen from The Exchange 1.
232. 36. The account at VCE4 into which the funds were laundered controlled the addresses
233. listed as Defendant Properties 98 through 111. This account was the same account that received
234. proceeds from approximately $30 million worth of virtual currency stolen by North Korean coconspirators from The Exchange 4, a South Korea-based virtual currency exchange, in or about
235. the summer of 2018.
236. 37. The main account at VCE1 (Defendant Property 64) was registered using an email
237. account from a South Korean engineering company, whose email accounts were compromised by
238. North Korean co-conspirators. In addition to the approximately 5,600.42737261 BTC
239. ($39,765,175.16), the account received approximately 600.1 ETH, 99,998,987 DOGE, 3,043,200
240. XRP, and 1,500 ZEC, which were converted to BTC and withdrawn. The South Korean
241. engineering firm was unaware that its infrastructure was being used for this purpose.
242. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 10 of 38
243. 38. In an attempt to circumvent VCE1’s Know-Your-Customer (“KYC”) program, the
244. North Korean co-conspirators submitted two fraudulent identification photos. As depicted below
245. in KYC Photo 1, one photo is of what appears to be an Asian male sitting in a chair holding his
246. South Korean government-issued photo ID in front of his face with two hands. Behind the
247. individual is a computer monitor displaying an encrypted web browser which conceals IP
248. addresses. Metadata from the photo revealed that it was altered.
249. KYC Photo 1
250. 39. Another account at VCE1 (Defendant Property 63) received approximately
251. 112.047 ETH and converted it to BTC. North Korean co-conspirators also submitted two
252. fraudulent photos for this account as well, in a continued attempt to circumvent VCE1’s KYC
253. policy. As demonstrated below in KYC Photo 2, one photo is of what appears to be a Caucasian
254. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 11 of 38
255. male standing behind a computer monitor holding a German government-issued photo ID in front
256. of his face with two hands. The face in the photo is noticeably altered. There are publicly available
257. versions of the photo depicting this person, one of which was used in this photo. The white t-shirt
258. with black writing being worn by the individual is the exact same t-shirt being worn in the photo
259. submitted for the other account. That is, the North Korean co-conspirators used the exact same
260. photo of the body, but added in different photos of the faces when submitting KYC documents.
261. KYC Photo 2
262. 40. The account at VCE3 receiving the 264.454103 BTC ($1,818,972.13) (which
263. included Defendant Properties 50 through 52) also involved altered KYC photos. One photo is a
264. Caucasian male holding a sheet of paper with the name of VCE3 and the date written on it in one
265. hand and an Australian passport open to the photo page in the other hand. The face in the photo
266. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 12 of 38
267. was noticeably altered. Ultimately, VCE3 was not satisfied with the image and requested a video
268. conference with the account holder, which the account holder refused.
269. 41. An account at VCE2 (Defendant Property 112) received approximately 406.095468
270. BTC ($3,408,849.46). This account at VCE2 was linked to the account at VCE4 (which included
271. Defendant Properties 98 through 111) that received BTC from The Exchange 1 and the summer
272. 2018 theft from The Exchange 4. In total, the VCE4 account received approximately
273. 6,138.10855889 BTC ($46,461.524.35).
274. 42. The BTC received by the accounts was then withdrawn from the four exchanges,
275. and again the North Korean co-conspirators reconstituted the funds by conducting hundreds of
276. transactions with new BTC addresses and multiple peel chains. During this period, additional
277. BTC was included in the layering.
278. 43. Included below as Exhibit 1 is a diagram that details a sample of the larger peel
279. chain that IRS-CI’s Cyber Crimes Unit analyzed in the course of the investigation.
280. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 13 of 38
281. 44. Exhibit 1 reflects that:
282. - After The Exchange 1 was hacked, 5,600.42737261 BTC was laundered into an
283. account at VCE1 (Defendant Property 64) via 146 transactions from May 10, 2018 to
284. July 6, 2018.
285. - The North Korean co-conspirators then laundered 3,484.46623432 BTC (of the
286. approximately 5,600 BTC) to 80 BTC addresses via 83 transactions from June 25,
287. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 14 of 38
288. 2018 to July 6, 2018.
289. July 11, 2018
290. - On July 11, 2018, at 3:35 am, the subjects then had all 80 addresses transfer 3,800 BTC
291. to Address B.
292. o That is, a review of the blockchain shows the 80 addresses sent the BTC as
293. part of a single transaction to Address B.
294. o Such transactions typically occur when a user storing BTC in software on their
295. computer creates a single transaction to transfer the funds to an exchange so
296. that the user can begin the process of cashing out the BTC for fiat currency.
297. - The subjects began peeling off bitcoin from this large address and sent it in small
298. transactions to two other virtual currency exchanges (“VCE5” and “VCE6”).
299. Accounts at VCE5 (Defendant Properties 65-70) and VCE6 (Defendant Properties 55-
300. 62) received the bulk of the laundered funds from the hack of The Exchange 1. An
301. example of how the funds were laundered into VCE5 and VCE6 is as follows:
302. July 12, 2018
303. - At 1:00 am, the subjects laundered 20 BTC from Addresses A to an account at VCE6
304. (Defendant Property 59).
305. - At 1:00 am, the subjects laundered 30 BTC from Addresses A to an account at VCE5
306. (Defendant Property 68).
307. - At 2:02 am, the subjects peeled off 20 BTC from Address B and laundered it to an
308. account at VCE5 (Defendant Property 68).
309. - At 2:02 am, the subjects laundered the remaining 3,780 BTC from Address B to
310. Address C.
311. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 15 of 38
312. - At 2:02 am, the subjects peeled off 30 BTC from Address C and laundered it to an
313. account at VCE6 (Defendant Property 59).
314. - At 2:02 am, the subjects laundered the remaining 3,750 BTC from Address C to
315. Address D.
316. - At 2:11 am, the subjects peeled off 1 BTC from Address D and laundered it to another
317. address.
318. - At 2:11 am, the subjects laundered the remaining 3,749 BTC from Address D to
319. Address E.
320. - At 2:11 am, the subjects peeled off 500 BTC from Address E and laundered it to
321. Address F.
322. - At 2:11 am, the subjects laundered the remaining 3,249 BTC from Address E to
323. Address G.
324. - At 2:11 am, the subjects peeled off 1,000 BTC from Address G and laundered it to
325. Address F.
326. - At 2:11 am, the subjects laundered the remaining 2,249 BTC from Address G to
327. Address H.
328. - At 2:28 am, the subjects peeled off 300 BTC from Address H and laundered it to
329. Address F.
330. July 14, 2018
331. - At 12:59 am, the subjects peeled off 10 BTC from Address H and laundered it to an
332. account at VCE5 (Defendant Property 68).
333. - At 12:59 am, the subjects peeled off 30 BTC from Address F and laundered it to an
334. account at VCE6 (Defendant Property 57).
335. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 16 of 38
336. - At 12:59 am, the subjects laundered the remaining 290 BTC from Address H to
337. Address I.
338. - At 1:40 am, the subjects peeled off 25 BTC from Address I and laundered it to an
339. account at VCE5 (Defendant Property 65).
340. - At 1:40 am, the subjects laundered the remaining 265 BTC from Address I to Address
341. J.
342. - At 2:21 am, the subjects peeled off 39 BTC from Address J and laundered it to an
343. account at VCE5 (Defendant Property 68).
344. - At 2:21 am, the subjects laundered the remaining 226 BTC from Address J to Address
345. K.
346. July 15, 2018
347. - At 2:12 am, the subjects peeled off 30 BTC from Address K and laundered it to an
348. account at VCE5 (Defendant Property 68).
349. - At 2:12 am, the subjects laundered the remaining 196 BTC from Address K to Address
350. L.
351. - At 2:12 am, the subjects peeled off 20 BTC from Address L and laundered it to an
352. account at VCE5 (Defendant Property 68).
353. July 16, 2018
354. - At 3:29 am, the subjects peeled off 35 BTC from Address F and laundered it to an
355. account at VCE6 (Defendant Property 58).
356. 45. The transactions that occurred in the peel chain were automated. That is, the North
357. Korean co-conspirators had a computer script that rapidly laundered the BTC to and from
358. addresses and exchanges. In fact, many of the transactions occurred during the same minute. This
359. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 17 of 38
360. is a known tactic used by money launderers when trying to move large amount of BTC rapidly.
361. Because of the complexity of addresses and number of transactions, human error could easily lead
362. to the loss of funds. While a bank can claw back funds sent to an errant address, no such remedy
363. exists for BTC. As such, money launderers use computer programs to ensure precision when
364. transferring in high volumes at a high frequency.
365. 46. The above peel chain analysis is a representative sample of the many peel chains
366. involved in the money laundering scheme. The funds stolen from The Exchange 1 continued to
367. be laundered via hundreds of peel chain transactions largely mirroring those described above,
368. illustrated in substantive part in Exhibit 1. Within the many peel chains, multiple BTC address
369. (Defendant Properties 35-43) maintained a balance of BTC traceable to the theft.
370. IV. North Korean Attribution and Obfuscation in Phase One
371. A. Celas LLC
372. 47. Proceeds of the theft of BTC from The Exchange 1 were used to perpetuate
373. additional schemes by paying for infrastructure, to include domain registration for websites like
374. Celas LLC, site hosting from service providers that focus on client anonymity, and virtual private
375. networks. The North Korean co-conspirators sent 0.003526 BTC ($22.43) of the stolen BTC,
376. which was previously laundered via the peel chain layering process, to pay for the registration of
377. 12 months of business email services for celasllc.com on or about July 11, 2018.
378. 48. The same North Korean co-conspirators registered the domain “celasllc.com.”
379. According to its website, Celas LLC, a/k/a Celas Limited, purported to offer a cryptocurrencytrading platform, called Celas Trade Pro, which could be downloaded from celasllc.com. In
380. actuality, forensic analysis revealed that Celas Trade Pro was a malicious software code that
381. provided the North Korean co-conspirators direct access to the downloader’s system.
382. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 18 of 38
383. 49. According to security researchers, Celas LLC shared a server IP address and an
384. encryption key with the known malware named Fallchill. A joint technical alert published by the
385. Department of Homeland Security and the Federal Bureau of Investigation associated Fallchill
386. with the government of North Korea.
387. 50. A specific command line in the Celas Trade Pro application and Fallchill are
388. consistent with North Korean hacking campaigns against the financial industry dating back to
389. 2016.
390. 51. Celas Trade Pro used a language code associated with North Korea.
391. 52. The North Korean co-conspirators caused the upload of a version of Celas Trade
392. Pro to Website A in June 2108, shortly after the application had been compiled. Website A is a
393. website that aggregates many antivirus products and online scan engines to check for viruses.
394. Within minutes of the upload, the North Korean co-conspirators voted on the file as being safe.
395. That is, the North Korean co-conspirators were attempting to see whether the malware would be
396. detected, and then attempted to provide credibility to the program by voting it as safe.
397. B. Phishing Campaign
398. 53. The North Korean co-conspirators who emailed The Exchange 1 malware were also
399. engaged in a massive phishing campaign in an attempt to infect other users with malware. To
400. provide credibility to the online personas, fake social media profiles were created. For example:
401. a. A Twitter account was created with the name “Waliy Darwish” that made
402. various posts related to cryptocurrency and included a link to celasllc.com;
403. b. The same user created a LinkedIn page for “Waliy Darwish,” listing him as a
404. business developer at Celas LLC with a bachelor’s degree from Rotterdam
405. University; and
406. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 19 of 38
407. c. The same user also created a Facebook and Instagram page.
408. 54. The phishing campaign targeted thousands of email accounts at exchanges around
409. the world and personal email accounts of prominent people within the cryptocurrency ecosystem,
410. to include CEOs of major exchanges. The phishing emails were primarily three types:
411. advertisements for Celas LLC; developers looking to work with/for the targeted exchange; or a
412. prospective client. The emails often contained a link to celasllc.com or an attachment.
413. Additionally, the Waliy Darwish LinkedIn account messaged multiple people as well.
414. 55. To aid in the phishing campaign, the North Korean co-conspirators used various
415. email plugins. Plugins are add-on tools that can help with email tracking, task management, and
416. other tasks. Some of the plugins included:
417. a. A tool to compose one email that is then automatically individually addressed to
418. many recipients. It also allowed the sender to receive an email notifying them
419. when a recipient has opened and read an email. This email contained the IP
420. address, browser type, and user agent of the recipient.
421. b. A tool to customize the email’s signature block with company contact
422. information, pictures, and other information to make an email look professional.
423. c. A tool that enables human editors to write and respond to email for a client,
424. ensuring “perfect English.” The editors optimize grammar, punctuation, word
425. choice, sentence rhythm, and tone.
426. C. Additional Connections to North Korea
427. 56. One of the North Korean co-conspirators who was involved with the conspiracy to
428. deliver the malware to The Exchange 1 researched the following:
429. a. North Korea;
430. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 20 of 38
431. b. North Korean Special Forces and the North Korean military;
432. c. the United States military in regard to the North Korean military; and
433. d. Kim Jong Un.
434. 57. In spite of using VPN services to mask their addresses, law enforcement was able
435. to trace back logins to an IP address within North Korea.
436. V. Laundering of Phase One and Phase Two Illicit Proceeds by "田寅寅" and "李家东"
437. A. Laundering of Proceeds from Hack of The Exchange 1 (Phase One)
438. 58. Ultimately, after being laundered via hundreds of peel chain transactions, a bulk of
439. the stolen BTC was deposited into four accounts at VCE5 (Defendant Properties 67 and 70) and
440. VCE6 (Defendant Properties 56 and 62).
441. 59. The accounts at VCE5 and VCE6 (Defendant Properties 56, 62, 67, and 70)
442. belonged to "田寅寅" (a/k/a Tian Yinyin) and "李家东" (a/k/a Li Jiadong), also known by their
443. registered usernames “snowsjohn” and “khaleesi” respectively.
444. 60. Tian Yinyin and Li Jiadong are both Chinese nationals with government
445. identification numbers and Chinese phone numbers.
446. 61. Between in or about 2018 through in or about April 2019, Tian Yinyin and Li
447. Jiadong engaged in $100,812.842.54 in virtual currency transactions, which primarily consisted of
448. their exchange of virtual currency traceable to the hack of The Exchange 1. Tian Yinyin and Li
449. Jiadong would convert such virtual currency into fiat currency and transfer it to customers, for a
450. fee.
451. 62. Tian Yinyin’s and Li Jiadong’s virtual currency accounts at VCE5 (Defendant
452. Properties 67 and 70) had multiple connections. The accounts had significant transfers between
453. each other and third party accounts.
454. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 21 of 38
455. 63. Tian Yinyin linked a bank account at China Guangfa Bank (“CGB”) to his VCE5
456. account less than a week after the intrusion and theft of The Exchange 1. This CGB account
457. received approximately 491 deposits from VCE5 for 233,889,970 CYN (approximately
458. $34,504,173.43) and represents proceeds from his money laundering activities.
459. 64. The same CGB bank account was linked to Tian Yinyin’s VCE6 account
460. (Defendant Property 62).
461. 65. Tian Yinyin’s accounts at VCE5 (Defendant Property 70) and VCE6 (Defendant
462. Property 62) had no deposits for approximately two months prior to the hack of The Exchange 1.
463. 66. Tian Yinyin also had an account at VCE7 (Defendant Property 83, which included
464. the deposit address identified as Defendant Property 84), a U.S.-based exchange, where he sold
465. BTC in exchange for prepaid Apple iTunes gift cards, a known method of money laundering.
466. 67. Tian Yinyin’s VCE7 advertisement stated that no ID was necessary for trades.
467. 68. On multiple occasions, Tian Yinyin, using his account at VCE7 (Defendant
468. Property 83), engaged in financial transactions to convert virtual currency to U.S. dollars with
469. customers in the United States.
470. 69. Li Jiadong laundered approximately 9.71443 BTC from his VCE5 (Defendant
471. Property 70) and VCE6 (Defendant Property 62) accounts to Tian Yinyin’s account at VCE7
472. (Defendant Property 83).
473. 70. Tian Yinyin exchanged approximately $1,448,694.74 worth of BTC for iTunes gift
474. cards via 8,823 transactions from his account at VCE7 (Defendant Property 83).
475. 71. Li Jiadong’s advertisement on another virtual currency exchange (“VCE8”) noted
476. that he was operating a professional business and gave his hours and payment information. Li
477. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 22 of 38
478. Jiadong maintained multiple addresses on VCE8, consisting of Defendant Properties 71 through
479. 80.
480. 72. Li Jiadong linked bank accounts at nine Chinese banks—Agricultural Bank of
481. China, China Everbright Bank, China CITIC Bank, CGB, China Minsheng Bank, Huaxia Bank,
482. Industrial Bank, Pingan Bank, and Shanghai Pudong Development Bank—to his VCE5 account
483. (Defendant Property 70). These bank accounts received approximately 2,000 deposits from VCE5
484. for 229,282,960.97 CYN (approximately $32,848,567.00) and represent proceeds from his money
485. laundering activities.
486. 73. Tian Yinyin’s VCE6 account (Defendant Property 62) sent approximately 25 BTC
487. (approximately $175,000) to Li Jiadong’s VCE5 account (Defendant Property 67).
488. 74. Tian Yinyin and Li Jiadong exchanged approximately 2,165.39 BTC
489. (approximately $15,529,934.00) and equivalent fiat currency between each other via VCE5.
490. 75. The chart in Exhibit 2, below, depicts an overview of the laundering of funds from
491. the hack of the Exchange 1.
492. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 23 of 38
493. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 24 of 38
494. B. Laundering of Proceeds from the Hack of The Exchange 2 (Phase Two)
495. 76. YINYIN’s accounts at VCE5 and VCE6 were also used to launder the proceeds of
496. the hack of The Exchange 2, a South Korea-based virtual currency exchange. Due to the role these
497. funds played in the larger money laundering activity, the activity surrounding this hack is referred
498. to herein as “Phase Two,” though it occurred earlier in time than Phase One.
499. 77. On or about December 19, 2017, The Exchange 2 announced through its website
500. and various media outlets that it had been a victim of a hack and subsequent theft of approximately
501. 17% of its total assets.
502. 78. The Panel of Experts subsequently attributed this hack to North Korean actors.
503. 79. At or about the same time of the hack of The Exchange 2, a single virtual currency
504. address at The Exchange 2 routed funds to two addresses in a rapid series of transactions. One
505. address received approximately 16 deposits of the same amount over a period of 15 minutes,
506. totaling approximately $2.49 million; the second address received approximately 20 deposits
507. totaling approximately $2.88 million. Later that same day, the originating virtual currency address
508. at The Exchange 2 stopped making withdrawals, just as The Exchange 2 stated it was suspending
509. trading.
510. 80. Almost immediately following the initial withdrawal of the stolen funds from The
511. Exchange 2, the funds were directed to an account at VCE1. At VCE1, the North Korean coconspirators converted the stolen virtual currency to BTC, withdrew the funds, engaged in multiple
512. peel chains, and ultimately deposited said proceeds into Tian Yinyin’s accounts at VCE5 and
513. VCE6, as demonstrated in Exhibit 3, below.
514. 81. While the BTC was being laundered, a portion was sent to a cluster that had sent
515. funds to two North Korean co-conspirator accounts, including Defendant Property 64.
516. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 25 of 38
517. VI. Phase Three: The November 2019 Intrusion and Theft
518. 82. On or about November 27, 2019, The Exchange 3, a South Korea-based virtual
519. currency exchange, had approximately 342,000 ETH ($48.5 million) stolen from it.
520. 83. Over the subsequent few days, the ETH began to umbrella outward via multiple
521. peel chains in attempt to obfuscate the trail before being deposited into various virtual currency
522. exchanges. Exhibit 4, below, illustrates an example of the flow of a portion of stolen ETH from
523. The Exchange 3 into an account at another exchange (Defendant Property 82) via approximately
524. 14 transactions approximately seven days later.
525. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 26 of 38
526. The Exchange 3
527. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 27 of 38
528. 84. Notably, as the ETH splintered from the main trail, portions often circled back and
529. regrouped with the main trail. This reflects that the stolen funds were still controlled by the same
530. North Korean co-conspirators.
531. 85. Ultimately, as shown in Exhibit 4, approximately 5 ETH was deposited into an
532. account at another virtual currency exchange (“VCE9”) (Defendant Property 113) on December
533. 4, 2019. The KYC information for this account reflected a purported South Korean individual.
534. 86. A portion of the deposited ETH was converted into BTC using VCE9’s over-thecounter trading platform. Less than two hours after the ETH was deposited, BTC was withdrawn
535. to a cluster. The deposits to this cluster originated at various exchanges that received stolen ETH
536. that was converted to BTC.
537. 87. By converting ETH to BTC, the North Korean co-conspirators switched the stolen
538. proceeds from the ETH blockchain to the BTC blockchain. One of the primary purposes of doing
539. this was to obfuscate the trail of the funds.
540. 88. Included below as Exhibit 5 is a diagram that illustrates approximately 18 different
541. clusters, comprised of approximately 200 different BTC addresses (including Defendant
542. Properties 1 through 34 and Defendant Property 91), that received 383.79970162 BTC
543. ($2,781,754.23) from November 29, 2019 through January 4, 2020. Each of these clusters
544. received BTC that was converted from ETH proceeds traced to the theft of The Exchange 3. To
545. further connect these clusters and illustrate the common ownership, the diagram shows how
546. accounts at various exchanges withdrew to multiple clusters listed and some of the clusters
547. exchanged BTC amongst themselves.
548. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 28 of 38
549. 89. From these 18 clusters, the subjects began to layer with peel chains and mix the
550. BTC, in order to obfuscate the trail as they converted it to fiat currency. The peel chains from
551. these clusters were connected to each other. Some of the accounts that received the stolen ETH
552. still maintain a balance of stolen virtual currency and are held at various virtual currency
553. exchanges, including VCE 4 (Defendant Properties 92-97), VCE10 (Defendant Properties 44-49),
554. VCE11 (Defendant Properties 85-90), and VCE12 (Defendant Properties 53 and 54).
555. VII. North Korean Attribution and Obfuscation in Phase Three
556. 90. The North Korean co-conspirators’ campaign, which included the theft of funds
557. from The Exchange and related money laundering, continued with the theft from The Exchange 3
558. and related money laundering.
559. 91. North Korean co-conspirators had targeted The Exchange 3 in May 2019, although
560. this previously attempted theft failed. Specifically, emails originating from North Korea falsely
561. gave the impression that The Exchange 3 was requesting information from its customers about a
562. fictional sweepstakes payout.
563. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 29 of 38
564. 92. As to the November 2019 theft, the North Korean co-conspirators continued to
565. submit digitally altered KYC photos to virtual currency exchanges. This included by again using
566. publically available photos for identification documents as well manipulating images to
567. circumvent KYC checks.
568. 93. The North Korean co-conspirators logged in from Pyongyang and used North
569. Korean cell phone infrastructure to perpetrate this scheme.
570. 94. The North Korean co-conspirators researched reporting related to the hack of The
571. Exchange 3. In one instance, they researched a cyber security platform that was tracking the ETH
572. stolen from The Exchange 3 to various exchanges and naming such exchanges. Additionally, the
573. North Korean co-conspirators researched hacking tactics in Korean.
574. VIII. Failure to Register as a Money Transmitting Business
575. 95. As explained in detail above, Tian Yinyin and Li Jiadong engaged in over $100
576. million in virtual currency transactions. Tian Yinyin and Li Jiadong’s primary source of virtual
577. currency was proceeds of the hacks of virtual currency exchanges, including The Exchange 1 and
578. The Exchange 2.
579. 96. Tian Yinyin and Li Jiadong would convert such virtual currency into fiat currency
580. and transfer it to customers, for a fee. Tian Yinyin and Li Jiadong’s business included customers
581. and financial accounts within the United States.
582. 97. Tian Yinyin and Li Jiadong failed to register with FinCEN as money transmitting
583. businesses.
584. 98. Tian Yinyin and Li Jiadong maintained the BTC addresses identified in the property
585. to be forfeited, which represent a portion of the defendant properties, further identified as
586. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 30 of 38
587. Defendant Properties 55-62, 65-80, and 83-84, and previously referenced within the substantive
588. descriptions of their illegal activity above.
589. FIRST CLAIM FOR RELIEF
590. (18 U.S.C. § 981(A)(1)(A))
591. 99. The United States incorporates by reference the allegations set forth in Paragraphs
592. 1 to 98 above as if fully set forth herein.
593. 100. The Defendant Properties were involved in, and traceable to, a conspiracy to violate
594. and substantive violations of:
595. a. Title 18, United States Code, Section 1956(a)(1)(A)(i), that is, by
596. conducting financial transactions which in fact involved the proceeds of
597. specified unlawful activity, to wit, violations of: section 1343 (relating to
598. wire fraud) and section 1960 (relating to illegal money transmitters),
599. knowing that the property involved in such financial transactions
600. represented the proceeds of some form of unlawful activity, with the intent
601. to promote the carrying on of said specified unlawful activity;
602. b. Title 18, United States Code, Section 1956(a)(1)(B)(i), that is, by
603. conducting financial transactions which in fact involved the proceeds of
604. specified unlawful activity, to wit, violations of: section 1343 (relating to
605. wire fraud) and section 1960 (relating to illegal money transmitters),
606. knowing that the property involved in such financial transactions
607. represented the proceeds of some form of unlawful activity, and knowing
608. that the transactions were designed in whole or in part to conceal or disguise
609. the nature, the location, the source, the ownership, or the control of the
610. proceeds of said specified unlawful activity; and
611. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 31 of 38
612. c. Title 18, United States Code, Section 1956(a)(2)(A), that is, by transporting,
613. transmitting, and transferring, or attempting to transport, transmit, and
614. transfer monetary instruments and funds from places outside of the United
615. States to and through a place inside the United States, and from a place in
616. the United States to or through a place outside the United States, with the
617. intent to promote the carrying on of specified unlawful activity, to wit,
618. violations of: section 1343 (relating to wire fraud) and section 1960 (relating
619. to illegal money transmitters).
620. 101. As such, the Defendant Properties are subject to forfeiture, pursuant to Title 18,
621. United States Code, Section 981(a)(1)(A), as property involved in a transaction or attempted
622. transaction in violation of 18 U.S.C. § 1956, or property traceable to such property.
623. SECOND CLAIM FOR RELIEF
624. (18 U.S.C. § 981(A)(1)(A))
625. 102. The United States incorporates by reference the allegations set forth in Paragraphs
626. 1 to 98 above as if fully set forth herein.
627. 103. The Defendant Properties were involved in a scheme to operate an unlicensed
628. money transmitting business.
629. 104. As such, the Defendant Properties are subject to forfeiture, pursuant to Title 18,
630. United States Code, Section 981(a)(1)(A), as property involved in a transaction or attempted
631. transaction in violation of 18 U.S.C. § 1960, or property traceable to such property.
632. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 32 of 38
633. PRAYER FOR RELIEF
634. WHEREFORE, the United States of America prays that notice issue on the Defendant
635. Properties as described above; that due notice be given to all parties to appear and show cause
636. why the forfeiture should not be decreed; that a warrant of arrest in rem issue according to law;
637. that judgment be entered declaring that the Defendant Properties be forfeited for disposition
638. according to law; and that the United States of America be granted such other relief as this Court
639. may deem just and proper, together with the costs and disbursements of this action.
640. Dated: March 2, 2020
641. Respectfully submitted,
642. TIMOTHY J. SHEA
643. United States Attorney
644. By: /s/
645. Zia M. Faruqui, D.C. Bar No. 494990
646. Christopher B. Brown
647. Assistant United States Attorneys
648. 555 Fourth Street, N.W.
649. Washington, D.C. 20530
650. (202) 252-7117 (Faruqui)
651. /s/
652. C. ALDEN PELKER
653. Trial Attorney
654. Computer Crime & Intellectual Property Section
655. 1301 New York Ave NW
656. Washington, D.C. 20005
657. (202) 514-1026
658. Attorneys for the United States of America
659. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 33 of 38
660. VERIFICATION
661. I, Christopher Janczewski, a Special Agent with the Internal Revenue Service-Criminal
662. Investigations CCU, declare under penalty of perjury, pursuant to 28 U.S.C. § 1746, that the
663. foregoing amended Verified Complaint for Forfeiture In Rem is based upon reports and
664. information known to me and/or furnished to me by other law enforcement representatives and
665. that everything represented herein is true and correct.
666. Executed on this 2nd day of March, 2020.
667. /s/ _
668. Special Agent Christopher Janczewski
669. Internal Revenue Service-Criminal Investigations
670. I, Thomas Tamsi, a Special Agent with the Homeland Security Investigations, declare
671. under penalty of perjury, pursuant to 28 U.S.C. § 1746, that the foregoing amended Verified
672. Complaint for Forfeiture In Rem is based upon reports and information known to me and/or
673. furnished to me by other law enforcement representatives and that everything represented herein
674. is true and correct.
675. Executed on this 2nd day of March, 2020.
676. /s/ _
677. Special Agent Thomas Tamsi
678. Homeland Security Investigations
679. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 34 of 38
680. I, Christopher Wong, a Special Agent with the Federal Bureau of Investigation, declare
681. under penalty of perjury, pursuant to 28 U.S.C. § 1746, that the foregoing amended Verified
682. Complaint for Forfeiture In Rem is based upon reports and information known to me and/or
683. furnished to me by other law enforcement representatives and that everything represented herein
684. is true and correct.
685. Executed on this 2nd day of March, 2020.
686. /s/ _
687. Special Agent Christopher Wong
688. Federal Bureau of Investigation
689. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 35 of 38
690. PROPERTY TO BE FORFEITED
691. Funds associated with the following virtual currency addresses and accounts:
692. 1 113vSKMWvuM8Weee2neMScXqdtXFLvy8z7
693. 2 12DCmGuX87aCzxCDneyAxZdVWapuza9UyR
694. 3 12JSAKyUMFMFp2ao5Rqt3s3X4xrQMXMzkr
695. 4 12urwZAF7JvdhiQcYVbNG7VtKP3165pPnf
696. 5 13Bcq6AcWusG3YKsYadBRNwnfezUrhRDER
697. 6 13u7zCciSC7yGKfe8qqvQxK7BnGiwpdAbQ
698. 7 14jP1TjTjrFBVFKUMcGaPjGRHaWAK6QVr7
699. 8 14umE3q9knsWKZhjPgLQyv4rrCNjfXpAuF
700. 9 16RWbMVHvERVUjrh28rRugmrgeDW1nweoo
701. 10 17PSv7hd2cvSmgMTFw8CA3hjdYtGWuPh98
702. 11 18LX9wjgjDbmRZXYhDLzZWCQ3pkUGB6gFf
703. 12 19RfkmQPS3wBF5XhjcZwnbpMkd96GoituJ
704. 13 19V5YCatY8sfdNuskawrGmbrZEohLkqV3d
705. 14 1Ax8m2gy1Ta6vQTMStnWdCh71oMX7Z4nen
706. 15 1Bht2x8Y8tJLpXxqK9LX4ehtLNk6kh3FLk
707. 16 1C3K6yYxr1xomotxkEbMLAcm3jVKDSyFBd
708. 17 1C4hPundX3pBSiNbhkLpuLp246Ggc8gmwx
709. 18 1C5S12fBSmeVedaEAqQzFf29H9hUucojPA
710. 19 1JCWsAC86pokjDrvQsRWoU2jm9qA9Wc4qh
711. 20 1K2FgtrdGk767RoLf8dN8tr5XsVc5st6RZ
712. 21 1L5mPKvfKzGY2J99HtpoefxqbpLDxyMAZq
713. 22 1LcsVyCd6yEyibDQS2WcxzTBT1iJGAqLhS
714. 23 1MVkopW6PPWZtSAtP4295B6KfH93YKToZU
715. 24 1Nmd7KBc3P6RgYcZ5n8ftdbw7z4jEzUSVj
716. 25 1NMpPj2zUSPodncvZGp7owP2nttAgyFuY3
717. 26 17UwTn7cVxu5ivkBnkPo83Gjtowi8dx75Q
718. 27 1A3uGGvHFBauSmjZvdZFF6gjc8VSjgF7UY
719. 28 1Bm659Wu5xVppUNRh7jKNFMboTbDepgmbm
720. 29 18atn6kuyKzhnsWK554Uj6j1PAv3sPmx2p
721. 30 18YNDeHouezsyxcvntohev9kANrMXiGBxr
722. 31 1CD483mLYrMJwZF5drZnoPKSBbFTMSVvGf
723. 32 1P8y7bj28tsq76anvKLgmhbbnTc1ZGcUVa
724. 33 1Pa32FPFQJ5VdozwmMGE1ANNWVGB3XQJie
725. 34 15pPmUErhTb8CaWF5x8iQggX3zK1y99ZN1
726. 35 1EFWRRLUM3jy2poCpY7ALq2m7PPakyvns1
727. 36 37JN1EDYCGYVabtofvyKKLtpA6uU3UBMLo
728. 37 39PAYsdx2zi7GUhV71cx1zpp1N8495t58f
729. 38 3ACmZQBNZsDDDs3UGoC6DeKMKHTe9RW1yu
730. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 36 of 38
731. 39 3AUHHS4NQjJRAMbjdkeTdLDv9ZFeA9n1o3
732. 40 3GAwA7PvLiHKjcmN2nsrHEpN7Qt9jwMQ4h
733. 41 3HoJydELfq2kyZk9M6yug6CLQmYCS7FrJj
734. 42 3M23QTysjRsfmJz4aDdc9RpaXjVZmbWKEt
735. 43 3Nis34RW9uGV5mbovNidNNsxRTWwwqb1PS
736. 44 User ID 36020326 at VCE10
737. 45 User ID 35802038 at VCE10
738. 46 User ID 35977393 at VCE10
739. 47 User ID 35978286 at VCE10
740. 48 0x8bdd991a7b8e2fe1bfcb6b19ac3cf3e146cba415
741. 49 User ID 38785599 at VCE10
742. 50 1FKMe2Nyue2SDufB4RciiXsEEpAxtuBxD3
743. 51 0xc4f9ee31626c8dee0ec02744732051e8b416e63e
744. 52 User ID 9fdbd2ca-3994-411b-9ddb-f5318b63049d at VCE3
745. 53 VCE12 internal transaction ID Fnc4bjm7ehwhdk6h4d
746. 54 VCE12 internal transaction ID pd7e8fxxkuy2gfge7f
747. 55 1EfMVkxQQuZfBdocpJu6RUsCJvenQWbQyE
748. 56 Account 1000079600 at VCE6
749. 57 134r8iHv69xdT6p5qVKTsHrcUEuBVZAYak
750. 58 14kqryJUxM3a7aEi117KX9hoLUw592WsMR
751. 59 15YK647qtoZQDzNrvY6HJL6QwXduLHfT28
752. 60 1F2Gdug9ib9NQMhKMGGJczzMk5SuENoqrp
753. 61 1PfwHNxUnkpfkK9MKjMqzR3Xq3KCtq9u17
754. 62 Account 1000021204 at VCE6
755. 63 0xA4b994F1bA984371ecCA18556Fe1531412D5C337
756. 64 User k*****@****** at VCE1
757. 65 17UVSMegvrzfobKC82dHXpZLtLcqzW9stF
758. 66 19YVKCETP8yHX2m2VbEByVgWgJUAZd5tnS
759. 67 User IDs 458281 & 4582819 at VCE5
760. 68 1AXUTu9y3H8w4wYx4BjyFWgRhZKDhmcMrn
761. 69 1Hn9ErTCPRP6j5UDBeuXPGuq5RtRjFJxJQ
762. 70 User IDs 1473600 & 14736005 at VCE5
763. 71 39eboeqYNFe2VoLC3mUGx4dh6GNhLB3D2q
764. 72 39fhoB2DohisGBbHvvfmkdPdShT75CNHdX
765. 73 3E6rY4dSCDW6y2bzJNwrjvTtdmMQjB6yeh
766. 74 3EeR8FbcPbkcGj77D6ttneJxmsr3Nu7KGV
767. 75 3HQRveQzPifZorZLDXHernc5zjoZax8U9f
768. 76 3JXKQ81JzBqVbB8VHdV9Jtd7auWokkdPgY
769. 77 3KHfXU24Bt3YD5Ef4J7uNp2buCuhrxfGen
770. 78 3LbDu1rUXHNyiz4i8eb3KwkSSBMf7C583D
771. 79 3MN8nYo1tt5hLxMwMbxDkXWd7Xu522hb9P
772. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 37 of 38
773. 80 3N6WeZ6i34taX8Ditser6LKWBcXmt2XXL4
774. 81 LLzTJFu3UcwXRrwaq2gLKnJaWWt3oGHVMK
775. 82 0x01facd1477e6df9e27fe9f0a459aaa0769c9af82
776. 83 User 881051 at VCE7
777. 84 3F2sZ4jbhvDKQdGbHYPC6ZxFXEau2m5Lqj
778. 85 0X7175D1FA4461676AB8831483770FF84483F26501
779. 86 Account 14167009 at VCE 11
780. 87 0X93D8EDBC42E547C571CE5AF95F70C291D706925C
781. 88 Account 14166934 at VCE 11
782. 89 0XB35DFF36FF3D686A63353FA01327F3FF4874CF21
783. 90 Account 14166961 at VCE 11
784. 91 BC1Q39HKR7TA25E65D7U0PM09L99JVFNY4LP3VAM4Q
785. 92 0X81B34F7A426B31E77E875B8D00D830F8A5B044CB
786. 93 User DavidniColinDC3 at VCE4
787. 94 0XFC3D6AEE062C45B31E946BA49A7AA5ADDF1B53C6
788. 95 User Ep4444 at VCE4
789. 96 0XBD72F2CFB28ED38B7CEA94E26603983CE028C927
790. 97 User Sma414 at VCE4
791. 98 17KS1C6DxViF68YaSAhWUrnaCtxzbMq7CB
792. 99 1MP62xKDtbL79wQ8f8LbAg9dPpUHFTEVbJ
793. 100 1GsAS3z7eG4Vw2QbyVqnR7cRQmpeRsCpt1
794. 101 1K7cMd9RgwhThXi6VDu3Roti2W4241MLfG
795. 102 1FhsTJ7hQKvpFXPRFFjsFPHQT4pQMQpgw1
796. 103 1FzKR8XDmdrTRYfMcZRf3NPvSgyrUoG8kq
797. 104 1AsHQhhCYwgd71cxnHA9a8dWeEh22ivdqn
798. 105 1DZdJNQsEutzud3YX28DFXfzKVyEfoN8t2
799. 106 1K83LzD1QR2iUVtHckFMUzzdF3xUhtNdYb
800. 107 1DX3zJV4djK9CgCP48Ym3LEryq5RVdhWH8
801. 108 1EFNjtGnJ7WohXd8L17NGA4N5osKRj98QN
802. 109 1EU4tNd1RbhDCfkiQrtj6nfzxeRxRA9rBm
803. 110 17Wx3A1tmiTnxJ9FAq7em1n6SxtXSG4r5F
804. 111 1QBbEUUhG7CRJzJrSEnUvwrycYZzKB8YEq
805. 112 1K1fa3ydmpWMuX8gWHk5W6gnVFX7nGQJsu
806. 113 0xC137c3135EB8E94aa303D52c607296Ba470E1a57
807. Case 1:20-cv-00606 Document 1 Filed 03/02/20 Page 38 of 38
808. CIVIL COVER SHEET
809. JS-44 (Rev. 5/12 DC)
810. I. (a) PLAINTIFFS
811. (b) COUNTY OF RESIDENCE OF FIRST LISTED PLAINTIFF _____________________
812. (EXCEPT IN U.S. PLAINTIFF CASES)
813. DEFENDANTS
814. COUNTY OF RESIDENCE OF FIRST LISTED DEFENDANT _____________________
815. (IN U.S. PLAINTIFF CASES ONLY) NOTE: IN LAND CONDEMNATION CASES, USE THE LOCATION OF THE TRACT OF LAND INVOLVED
816. (c) ATTORNEYS (FIRM NAME, ADDRESS, AND TELEPHONE NUMBER) ATTORNEYS (IF KNOWN)
817. II. BASIS OF JURISDICTION
818. (PLACE AN x IN ONE BOX ONLY)
819. III. CITIZENSHIP OF PRINCIPAL PARTIES (PLACE AN x IN ONE BOX FOR
820. PLAINTIFF AND ONE BOX FOR DEFENDANT) FOR DIVERSITY CASES ONLY!
821. o 1 U.S. Government
822. Plaintiff
823. o 2 U.S. Government
824. Defendant
825. o 3 Federal Question
826. (U.S. Government Not a Party)
827. o 4 Diversity
828. (Indicate Citizenship of
829. Parties in item III)
830. Citizen of this State
831. Citizen of Another State
832. Citizen or Subject of a
833. Foreign Country
834. PTF
835. o 1
836. o 2
837. o 3
838. DFT
839. o 1
840. o 2
841. o 3
842. Incorporated or Principal Place
843. of Business in This State
844. Incorporated and Principal
845. Place of Business in This State
846. Foreign Nation
847. PTF
848. o 4
849. o 5
850. o 6
851. DFT
852. o 4
853. o 5
854. o 6
855. IV. CASE ASSIGNMENT AND NATURE OF SUIT
856. (Place an X in one category, A-N, that best represents your Cause of Action and one in a corresponding Nature of Suit)
857. o A. Antitrust
858. 410 Antirust
859. o B. Personal Injury/
860. Malpractice
861. 310 Airplane
862. 315 Airplane Product Liability
863. 320 Assault, Libel & Slander
864. 330 Federal Employers Liability
865. 340 Marine
866. 345 Marine Product Liability
867. 350 Motor Vehicle
868. 355 Motor Vehicle Product Liability
869. 360 Other Personal Injury
870. 362 Medical Malpractice
871. 365 Product Liability
872. 367 Health Care/Pharmaceutical
873. Personal Injury Product Liability
874. 368 Asbestos Product Liability
875. o C. Administrative Agency
876. Review
877. 151 Medicare Act
878. Social Security
879. 861 HIA (1395ff)
880. 862 Black Lung (923)
881. 863 DIWC/DIWW (405(g))
882. 864 SSID Title XVI
883. 865 RSI (405(g))
884. Other Statutes
885. 891 Agricultural Acts
886. 893 Environmental Matters
887. 890 Other Statutory Actions (If
888. Administrative Agency is
889. Involved)
890. o D. Temporary Restraining
891. Order/Preliminary
892. Injunction
893. Any nature of suit from any category
894. may be selected for this category of case
895. assignment.
896. *(If Antitrust, then A governs)*
897. o E. General Civil (Other) OR o F. Pro Se General Civil
898. Real Property
899. 210 Land Condemnation
900. 220 Foreclosure
901. 230 Rent, Lease & Ejectment
902. 240 Torts to Land
903. 245 Tort Product Liability
904. 290 All Other Real Property
905. Personal Property
906. 370 Other Fraud
907. 371 Truth in Lending
908. 380 Other Personal Property
909. Damage
910. 385 Property Damage
911. Product Liability
912. Bankruptcy
913. 422 Appeal 27 USC 158
914. 423 Withdrawal 28 USC 157
915. Prisoner Petitions
916. 535 Death Penalty
917. 540 Mandamus & Other
918. 550 Civil Rights
919. 555 Prison Conditions
920. 560 Civil Detainee – Conditions
921. of Confinement
922. Property Rights
923. 820 Copyrights
924. 830 Patent
925. 840 Trademark
926. Federal Tax Suits
927. 870 Taxes (US plaintiff or
928. defendant)
929. 871 IRS-Third Party 26 USC 7609
930. Forfeiture/Penalty
931. 625 Drug Related Seizure of
932. Property 21 USC 881
933. 690 Other
934. Other Statutes
935. 375 False Claims Act
936. 400 State Reapportionment
937. 430 Banks & Banking
938. 450 Commerce/ICC
939. Rates/etc.
940. 460 Deportation
941. 462 Naturalization
942. Application
943. 465 Other Immigration
944. Actions
945. 470 Racketeer Influenced
946. & Corrupt Organization
947. 480 Consumer Credit
948. 490 Cable/Satellite TV
949. 850 Securities/Commodities/
950. Exchange
951. 896 Arbitration
952. 899 Administrative Procedure
953. Act/Review or Appeal of
954. Agency Decision
955. 950 Constitutionality of State
956. Statutes
957. 890 Other Statutory Actions
958. (if not administrative agency
959. review or Privacy Act)
960. United States of America 113 VIRTUAL CURRENCY ACCOUNTS
961. Zia M. Faruqui, Assistant U.S. Attorney
962. U.S. Attorney's Office for the District of Columbia
963. 555 Fourth Street, N.W.
964. Washington, D.C. 20530
965. Unknown
966. Case 1:20-cv-00606 Document 1-1 Filed 03/02/20 Page 1 of 2
967. o G. Habeas Corpus/
968. 2255
969. 530 Habeas Corpus – General
970. 510 Motion/Vacate Sentence
971. 463 Habeas Corpus – Alien
972. Detainee
973. o H. Employment
974. Discrimination
975. 442 Civil Rights – Employment
976. (criteria: race, gender/sex,
977. national origin,
978. discrimination, disability, age,
979. religion, retaliation)
980. *(If pro se, select this deck)*
981. o I. FOIA/Privacy Act
982. 895 Freedom of Information Act
983. 890 Other Statutory Actions
984. (if Privacy Act)
985. *(If pro se, select this deck)*
986. o J. Student Loan
987. 152 Recovery of Defaulted
988. Student Loan
989. (excluding veterans)
990. o K. Labor/ERISA
991. (non-employment)
992. 710 Fair Labor Standards Act
993. 720 Labor/Mgmt. Relations
994. 740 Labor Railway Act
995. 751 Family and Medical
996. Leave Act
997. 790 Other Labor Litigation
998. 791 Empl. Ret. Inc. Security Act
999. o L. Other Civil Rights
1000. (non-employment)
1001. 441 Voting (if not Voting Rights
1002. Act)
1003. 443 Housing/Accommodations
1004. 440 Other Civil Rights
1005. 445 Americans w/Disabilities –
1006. Employment
1007. 446 Americans w/Disabilities –
1008. Other
1009. 448 Education
1010. o M. Contract
1011. 110 Insurance
1012. 120 Marine
1013. 130 Miller Act
1014. 140 Negotiable Instrument
1015. 150 Recovery of Overpayment
1016. & Enforcement of
1017. Judgment
1018. 153 Recovery of Overpayment
1019. of Veteran’s Benefits
1020. 160 Stockholder’s Suits
1021. 190 Other Contracts
1022. 195 Contract Product Liability
1023. 196 Franchise
1024. o N. Three-Judge
1025. Court
1026. 441 Civil Rights – Voting
1027. (if Voting Rights Act)
1028. V. ORIGIN
1029. o 1 Original
1030. Proceeding
1031. o 2 Remand
1032. from State
1033. Court
1034. o 3 Remanded from
1035. Appellate Court
1036. o4 Reinstated or
1037. Reopened
1038. o 5 Transferred from
1039. another district
1040. (specify)
1041. o 6 Multi-district
1042. Litigation
1043. o7 Appeal to
1044. District Judge
1045. from Mag. Judge
1046. VI. CAUSE OF ACTION (CITE THE U.S. CIVIL STATUTE UNDER WHICH YOU ARE FILING AND WRITE A BRIEF STATEMENT OF CAUSE.)
1047. VII. REQUESTED IN
1048. COMPLAINT
1049. CHECK IF THIS IS A CLASS
1050. ACTION UNDER F.R.C.P. 23
1051. DEMAND $
1052. JURY DEMAND:
1053. Check YES only if demanded in complaint
1054. YES NO
1055. VIII. RELATED CASE(S)
1056. IF ANY
1057. (See instruction) YES NO If yes, please complete related case form
1058. DATE: _________________________ SIGNATURE OF ATTORNEY OF RECORD _________________________________________________________
1059. INSTRUCTIONS FOR COMPLETING CIVIL COVER SHEET JS-44
1060. Authority for Civil Cover Sheet
1061. The JS-44 civil cover sheet and the information contained herein neither replaces nor supplements the filings and services of pleadings or other papers as required
1062. by law, except as provided by local rules of court. This form, approved by the Judicial Conference of the United States in September 1974, is required for the use of the
1063. Clerk of Court for the purpose of initiating the civil docket sheet. Consequently, a civil cover sheet is submitted to the Clerk of Court for each civil complaint filed.
1064. Listed below are tips for completing the civil cover sheet. These tips coincide with the Roman Numerals on the cover sheet.
1065. I. COUNTY OF RESIDENCE OF FIRST LISTED PLAINTIFF/DEFENDANT (b) County of residence: Use 11001 to indicate plaintiff if resident
1066. of Washington, DC, 88888 if plaintiff is resident of United States but not Washington, DC, and 99999 if plaintiff is outside the United States.
1067. III. CITIZENSHIP OF PRINCIPAL PARTIES: This section is completed only if diversity of citizenship was selected as the Basis of Jurisdiction
1068. under Section II.
1069. IV. CASE ASSIGNMENT AND NATURE OF SUIT: The assignment of a judge to your case will depend on the category you select that best
1070. represents the primary cause of action found in your complaint. You may select only one category. You must also select one corresponding
1071. nature of suit found under the category of the case.
1072. VI. CAUSE OF ACTION: Cite the U.S. Civil Statute under which you are filing and write a brief statement of the primary cause.
1073. VIII. RELATED CASE(S), IF ANY: If you indicated that there is a related case, you must complete a related case form, which may be obtained from
1074. the Clerk’s Office.
1075. Because of the need for accurate and complete information, you should endure the accuracy of the information provided prior to signing the form.
1076. /s/Zia M. Faruqui
1077. 18 U.S.C. § 554(a), 18 U.S. C. § 981(a)(1)(C), and 18 U.S.C. § 1956 - money laundering and export control violations
1078. ✘
1079. ✘
1080. 03/02/2020
1081. Case 1:20-cv-00606 Document 1-1 Filed 03/02/20 Page 2 of 2
1082. CLERK=S OFFICE CO-932
1083. UNITED STATES DISTRICT COURT Rev. 4/96
1084. FOR THE DISTRICT OF COLUMBIA
1085. NOTICE OF DESIGNATION OF RELATED CIVIL CASES PENDING
1086. IN THIS OR ANY OTHER UNITED STATES COURT
1087. Civil Action No. 20-CV-606
1088. (To be supplied by the Clerk)
1089. NOTICE TO PARTIES:
1090. Pursuant to Rule 40.5(b)(2), you are required to prepare and submit this form at the time of filing any civil action which is
1091. related to any pending cases or which involves the same parties and relates to the same subject matter of any dismissed related cases.
1092. This form must be prepared in sufficient quantity to provide one copy for the Clerk=s records, one copy for the Judge to whom the
1093. cases is assigned and one copy for each defendant, so that you must prepare 3 copies for a one defendant case, 4 copies for a two
1094. defendant case, etc.
1095. NOTICE TO DEFENDANT:
1096. Rule 40.5(b)(2) of this Court requires that you serve upon the plaintiff and file with your first responsive pleading or motion
1097. any objection you have to the related case designation.
1098. NOTICE TO ALL COUNSEL
1099. Rule 40.5(b)(3) of this Court requires that as soon as an attorney for a party becomes aware of the existence of a related case
1100. or cases, such attorney shall immediately notify, in writing, the Judges on whose calendars the cases appear and shall serve such notice
1101. on counsel for all other parties.
1102. _______________
1103. The plaintiff , defendant or counsel must complete the following:
1104. I. RELATIONSHIP OF NEW CASE TO PENDING RELATED CASE(S).
1105. A new case is deemed related to a case pending in this or another U.S. Court if the new case: [Check appropriate box(e=s)
1106. below.]
1107. (a) relates to common property
1108. (b) involves common issues of fact
1109. (c) grows out of the same event or transaction
1110. (d) involves the validity or infringement of the same patent
1111. (e) is filed by the same pro se litigant
1112. 2. RELATIONSHIP OF NEW CASE TO DISMISSED RELATED CASE(ES)
1113. A new case is deemed related to a case dismissed, with or without prejudice, in this or any other U.S. Court, if the new case
1114. involves the same parties and same subject matter.
1115. Check box if new case is related to a dismissed case:
1116. 3. NAME THE UNITED STATES COURT IN WHICH THE RELATED CASE IS FILED (IF OTHER THAN THIS
1117. COURT):
1118. 4. CAPTION AND CASE NUMBER OF RELATED CASE(E=S). IF MORE ROOM IS NEED PLEASE USE OTHER SIDE.
1119. v. C.A. No.
1120. DATE Signature of Plaintiff /Defendant (or counsel)
1121. /s/Zia M. Faruqui/AUSA
1122. Case 1:20-cv-00606 Document 1-2 Filed 03/02/20 Page 1 of 1