United States District Court, D. Nevada
ORDER
Presently
before the court is the matter of United States v.
Bondarenko et al., case number 2:17-cr-00306-JCM-VCF.
The following motions are pending:
(1) John Telusma's motion for leave to file reply (ECF
No. 562);
(2) Magistrate Judge Peggy A. Leen's report and
recommendation (ECF No. 534);
(3) Magistrate Judge Leen's report and recommendation
(ECF No. 533);
(4) Magistrate Judge Leen's report and recommendation
(ECF No. 529);
(5) Magistrate Judge Leen's report and recommendation
(ECF No. 528);
(6) Magistrate Judge Leen's report and recommendation
(ECF No. 527);
(7) Magistrate Judge Leen's report and recommendation
(ECF No. 525);
(8) Magistrate Judge Leen's report and recommendation
(ECF No. 524);
(9) Telusma, Frederick Thomas, Aldo Ymeraj, and Marko
Leopard's motion to dismiss (ECF Nos. 476, 533);
(10) Telusma's motion to suppress (ECF No. 475);
(11) Valerian Chiochiu's motion to suppress (ECF No.
474);
(12) Chiochiu's motion to dismiss (ECF No. 473);
(13) Leopard, Telusma, Thomas, Chiochiu, Pius Wilson, and
Ymeraj's motion to dismiss (ECF Nos. 471, 525);
(14) Leopard's motion to dismiss (ECF No. 468); and
(15) Thomas' motion to dismiss (ECF No. 467).
I.
Background
This
prosecution involves the takedown of Infraud Organization, a
transnational cybercrime syndicate consisting of 10, 901
members. (ECF No. 303). Infraud Organization operated a
website that served as the premier destination to traffic
contraband that criminals recovered through acts of identity
theft and financial fraud. Id. Infraud Organization
also used advertisements on its website to direct illicit
activity to its members' automated vending sites, which
were online platforms that transacted stolen personal and
financial information. Id.
The
purpose of Infraud Organization was to operate an online
discussion forum that provided for the purchase and sale of
high-quality contraband. Id. The forum, which was
called “In fraud” and had the slogan “In
Fraud We Trust, ” provided several safeguards to
further the aims of the syndicate and protect its members
from criminal liability. Id. All members remained
anonymous to each other by interacting solely with usernames
and concealed the nature of their transactions by using
digital currencies. Id. The forum also allowed
members to rate vendors as a means of maintaining the quality
of contraband available on the Infraud website. Id.
In the
early days of the syndicate, co-founder defendant Svyatoslav
Bondarenko established rules that governed members'
conduct on the website. Id. Infraud Organization
routinely policed the forum for rule-violators such as
“rippers, ” which are vendors of low-quality
illicit goods or vendors that do not deliver goods and
services in accordance with the terms of their transactions.
Id. The enforcement of these rules and the
successful operation of the forum required Infraud
Organization to create the following hierarchy:
• Administrators, a.k.a. 4DMini57r470rz, formed the
governing council of Infraud Organization. Id. They
handled the long-term strategic planning of the syndicate and
made day-to-day management decisions including but not
limited to who can join the syndicate, rewards for loyal
members, punishments for disloyal members, and retaliatory
measures against rival criminal organizations. Id.
• Super moderators, a.k.a. Super M0DER470R5, oversaw
subject-matter areas on the forum that were within their
expertise or geographic area. Id. Super moderators
would primarily review products, mediate disputes, and
edit/delete posts. Id.
• Moderators, a.k.a. M0d3r470r2, had the same
responsibilities as super moderators but Infraud Organization
limited their authority to moderating one or two specific
sub-forums. Id.
• Vendors, a.k.a. professors or doctors, sold illicit
products and services to members of Infraud Organization.
Id. Although these transactions often occurred on
the vendors' own websites, the vendors would pay Infraud
Organization so they could advertise their websites on the
forum. Id. Vendors also sold products and services
directly to customers by using email, private messages on the
forum, and instant messaging services. Id.
• VIP members, a.k.a. fratello masons or advanced
members, are longstanding or otherwise notable members of
Infraud Organization. Id.
• Members, a.k.a. Phr4Ud573r, are general members of
Infraud Organization. Id. They would use the forum
to gather information about perpetrating criminal activities,
solicit other members to engage in criminal schemes, pay for
and post advertisements, and traffic contraband. Id.
Members also relied on moderators or administrators to settle
disputes that arose from transactions. Id.
Individuals
would join Infraud Organization as members by having an
administrator grant their request to join the forum.
Id. After joining the syndicate, members could move
up and down the hierarchy. Id.
Infraud
Organization operated from October 2010 to February 2018 and
caused more than $568, 000, 000.00 in losses. (ECF Nos. 303,
573). Bondarenko and defendant Sergey Medvedev created
Infraud Organization shortly after Bondarenko was banned from
Carder.su, which was another cybercrime syndicate that
operated from November 2005 to January 2012. (ECF Nos. 467,
504). Carder.su and Infraud Organization had similar
hierarchy structures, engaged in similar criminal activities,
and had over 10, 000 members. Id. However, Carder.su
used a different online forum and had different leadership.
Id. Due to the anonymity of the conspirators, it is
unclear to what extent the memberships of the two syndicates
overlapped. See (ECF Nos. 504, 510).
Three
defendants in this litigation, Thomas, Lirdon Muslie, and
John Doe #5, a.k.a. Deputat, were previously indicted in a
separate case for their involvement in the Carder.su
conspiracy. (ECF No. 504). Thomas joined Infraud Organization
several months after the government took down Carder.su.
Id. He continued to engage in illicit activities on
the Infraud website up until November 2014, just one month
before a federal court sentenced Thomas to sixty months of
custody for his involvement in the Carder.su conspiracy.
Id.
A
fourth defendant, Leopard, is a resident of the Republic of
North Macedonia. (ECF Nos. 468, 502). In 2016, a Macedonian
court indicted Leopard for the crime of making and using fake
payment cards in violation of Macedonia Criminal Code Art.
274-b(2). Id. The Macedonian indictment included
allegations of cybercrime activities, such as selling stolen
information through the website www.tonymontana.cc,
that the government has also alleged in this case.
See (ECF Nos. 303, 468-1). Leopard eventually
admitted guilt and, on December 13, 2016, the Macedonian
court sentenced Leopard to twelve months of imprisonment.
(ECF Nos. 468, 468-2). Leopard completed his term of custody
on August 25, 2017. (ECF No. 468-3).
A fifth
defendant, Chiochiu, joined Infraud Organization in December
2012. (ECF Nos. 473, 503). According to the government,
Chiochiu helped other members develop, deploy, and use
malware as a means of harvesting data. Id. Chiochiu
allegedly developed a variant of FastPOS software, which is a
program designed to infect computers that handle credit card
data and steal financial information. (ECF No. 503). Chiochiu
also allegedly shared with other members a programming script
that can create automatic vending websites for the sale of
fraud-related products. (ECF Nos. 473, 503).
Several
defendants, including Thomas, Leopard, Ymeraj and Telusma,
were vendors in Infraud Organization. (ECF No. 303). Their
alleged activities included operating websites that
facilitated illicit activity. Thomas hosted a website that
provided a look-up service, which allowed Infraud
Organization members to obtain compromised social security
numbers and other personal information. Id. Leopard,
Ymeraj, and Telusma hosted websites that sold compromised
credit card data. Id. Telusma's website also
provided services that allowed Infraud Organization members
to launder funds that they illicitly obtained. Id.
II.
Procedural History and Warrants
On
September 19, 2017, the government initiated this
prosecution. (ECF No. 1). The second superseding indictment
names thirty-six defendants and asserts nine counts: a single
charge for racketeer influenced and corrupt organizations
(“RICO”) conspiracy in violation of 18 U.S.C.
§ 1962(d) and eight charges for possession of fifteen or
more counterfeit and unauthorized access devices in violation
of 18 U.S.C. § 1029(a)(3). (ECF No. 303).
Throughout
the course of litigation, the government searched two
premises that are relevant to the court's present
inquiry. The first search was of Chiochiu's residence
(“Chiochiu warrant”) and the second search was of
Telusma's residence (“Telusma warrants”).
(ECF Nos. 474, 475).
A.
Chiochiu warrant
On
March 28, 2018, Chiochiu self-surrendered. (ECF Nos. 363,
474, 501). During his arrest, Chiochiu provided law
enforcement officials with a home address at which he did not
actually live. (ECF No. 474-1). Chiochiu also turned over
three digital devices: two computer hard drives and an
iPhone. Id. Later that day, Chiochiu pleaded not
guilty and the court released him on a personal recognizance
bond. (ECF Nos. 358, 360).
Forensic
analysis of the devices revealed that, on the day before his
arrest, Chiochiu “surgically wiped” the hard
drives with a program called “CCleaner” and
deleted data on the iPhone by resetting it to factory
settings. (ECF No. 474-1). Chiochiu attempted to conceal
these acts by leaving a large amount of innocuous data, such
as personal photos and documents, on the hard drives.
Id. However, one of the hard drives contained
artifacts indicating the presence of FastPOS malware and
cryptocurrentcy-related software. Id.
While
examining these devices, Special Agent Michael Adams
concluded that Chiochiu is a sophisticated software
developer. Id. Adams further concluded that Chiochiu
retained a body of prior work on other devices because
software developers often retain previous code so they can
efficiently solve similar problems in the future by making
minor adaptations to existing libraries. Id. Adams
believed, in his training and experience, that these other
devices were in Chiochiu's place of residence.
Id
In
October 2018, the government discovered that Chiochiu's
wife, Irina Calaras, was residing at 68 Borghese, Irvine,
California 92618 (“Borghese property”).
Id. Law enforcement officials surveilled the
property and, on October 25, 2018, observed Chiochiu at the
residence taking out the trash. Id. On November 5,
2018, Magistrate Judge Autumn D. Spaeth of the Central
District of California issued a search warrant on the
Borghese property and authorized law enforcement officials to
seize funds, devices, and instrumentalities related to
Chiochiu's trafficking of contraband. Id.
Two
days later, law enforcement officials executed the search
warrant. (ECF Nos. 474, 501). The government found Chiochiu
at the residence and arrested him for violating his terms of
pretrial release. Id. The government also seized
cards, cash, and twenty-one digital devices- laptops,
tablets, cell phones, and loose hard drives. Id.
B.
Telusma warrants
On
February 5, 2018, Magistrate Judge James Orenstein of the
Eastern District of New York issued a search and seizure
warrant for Telusma's residence located at 42 Paerdegat
5th Street, Brooklyn, New York (“Brooklyn
property”). (ECF No. 475-1). The warrant's
affidavit contained significant content of Telusma's role
as a vendor in Infraud Organization. Id. Telusma
primarily provided money laundering services and engaged in
carding-purchasing retail items with counterfeit or stolen
credit cards. Id.
The
affidavit also disclosed that the government recovered
Telusma's Infraud-registered email account,
peterelliot@live.com. Id. The account contained
emails revealing that Telusma received compromised credit
card numbers and that on one occasion he contacted Medvedev
with regards to a rule-violator. Id. The account
revealed that Telusma sent some of these emails with his
iPad. Id. According to the affidavit, the government
also discovered Telusma's Facebook account, which had
various posts related to illicit activities that included
images depicting his smartphone, iPad, and MacBook Pro.
Id.
The
affiant explained that, in her training and experience,
individuals who commit electronic and internet-based crimes
possess multiple digital devices. Id. The affiant
further explained that cybercriminals retain old devices
because they are aware that the devices contain contraband
and other evidence of criminal activity. Id.
Consistent with the contents of the affidavit, the affiant
concluded that Telusma possessed his smarphone, iPad, and
MacBook Pro and that the devices were likely located at
Telusma's place of residence. Id.
On
February 6, 2018, law enforcement officials executed the
search warrant for the Brooklyn property. (ECF Nos. 474,
515). The agents found Telusma sleeping in a bedroom and
observed an iPhone, external hard drive, MacBook Pro, USB
thumb drive, and a box filled with white credit card blanks.
(ECF No. 523). The government immediately obtained a
supplemental warrant, which authorized the seizure of the
above-referenced items. Id. On that same day, law
enforcement officials returned to the Brooklyn property and
seized an iPhone 8, iPhone X, iPad, MacBook Pro, external
hard drive, and credit card blanks. (ECF Nos. 475, 475-1,
515).
On
March 13, 2018, Homeland Security Investigations agents in
Las Vegas, Nevada received the devices and began examining
their contents in April 2018. (ECF No. 515). However, the
February search warrants did not authorize examination of the
devices. Id. Once the agents discovered this, they
ceased their activities and requested a search warrant from
Magistrate Judge Carl W. Hoffman of the District of Nevada.
Id. The warrant's affidavit explained the
government's mistake and incorporated by reference the
February warrants. (ECF Nos. 515-2). On July 6, 2018,
Magistrate Judge Hoffman authorized the search of all five
devices. Id.
C.
Pending ...