UNITED STA~gS DJ,STRICT

SOUTHERN DISTRICT OF NEW YORK UNITEP STATES OF AMERICA
- v. -

COURT

SEALED INDICTMENT
82 11 Cr. 878

VLADIMIR
DMITRI VALERI

TSASTSIN,

ANDREY TAAME:,

TIMUR GERASSIMENKO,

KONSTANTIN

JEGOROV, ALEKSBJEVi
i

~OLTEV, and lJe£endants.

ANTON IV~OV

~--------------COTJN'l' ONE

x

(Conspiracy

to Commi.t Wire Fraud)

The Grand Jury charges:
Overview of the Soheme

1. in or about
elsewhere,

From at least October

in or about Southern

2007, up to and inclUding Di:strict of N'ewYork and

:2 01.1, in the TSASTSIN!

Vl,AD!MIR

ANlJREiY 'I'AAMEl, TIMOR GERASSIM.ENKO,

DMITRI JEGOROV; VALERI ALEKSEJBV, KONSTANTIN
IVANOV,the defendants (collectively,

POLTEV, and ANTON
If )

"the defendantS

I

and others

known and unknown, engag~d in a massive! and acpb.i s t Lca t ed scheme that infected countries at least
four

mi.LLi.on computers software,

Locat ed in OVE)r 100
II 1

with

malicious

orl'ma,lware.

Wit.hout; the

1 Attached as Exhibit A is a glossary used in this Indictment.

of computer-related .

terminology

computer users/knowledge hijacked the infected

or permission,

'the malware digitally the defendants' be.l.ow,

comput.ers to facilitate advertising fraud/

commission" Victims'

o.f Internet

as described

computers were infected

with the malware when, among other

means, their

computers visited
software enabled

certain websites,
including,

or when victims but not limited online. operated

downloaded certain to, sof'tware 2, and controlled that

from websites victims

to view videos

'The defendants

and tbeir co-con9pirators

companies that masqueraded as leg:Ltimate participants industry. Through those companies, entered into the

in the Internet advertising defendants and their

co-conspirators

agreement~ under Internet or based

which they would be paid based upon the number- of times that
users "clioked!! on the links
for certain

advertisemsl1-ts

I

upon th~ number of times 'chat cez-t.aa.n on ce~tain those devised "infected websites ,.
I

advez-t.Lsemenus were displayed under Lnat.ead (the

Rather

than earn money legitimately co-conspirators of computers

agreements

the de t endarrt a and their scheme to infect
II )

a criminal computers

millions

with mal.war e that

~urreptitiously that

redirected would As

those computers to the websites and advertisements
generate described illicit below1

advertising revenue
components of this Indictment "advertising refers

for

the defendants. fraud

advertising to as
(i)

scheme

Lnc.Ludad what this
f

\I,click hijacking Moreover I in

z aud" i and

(ii)

replacement
2

fraud""

order

to protect

the scheme from being thwarted, and their co-coonapd.r-at.oxa software

the malware used to prevent the

:by the dgfendants the

was designed

insrtallat10n o'f anti-virus
computers, and their

updates

- lea'i{ing

infected defendant's

users r unable to detect. or stop the

malWare, and vulnerable

to other

malware.

The Click Hijack.ing Fraud
3. One component of t.he defendants" fraud scheme

involved
clicked query
I

click

hijacking.
result

When the user of an infected link displayed

computer

on a search instead

through a Search engine

of being brought to the website to which the user asked to a different

to go, the malware caused the computer to be re-routed website

designated

by

the defendants { so as to trigger payment
contracts.

to

the defendants hijacking

under one or more advertising

This click search results

occurred. f;or clic]cs on so-called "organic'! on "l3ponsored,1 links.
2

as well as clicks hijacking

Examples of how the click

fraud worked include

the following:

Exhibit

B is an illustration

of how the user of an infected Apple-iTune,s website,

computer bu.t was

c=licked on a link

for the of.ficial

\\Organic" search results are the unpaid links that appear in r espcnae to a user! 9 search query. "Sponsored" links are, in essence, advertisements that appear in response to a useris search query - often at the top of or to the right of organic search results. search engines typically receive money, on a per-click basis, when a sponsored link is clicked by a user.
3

2

instead taken to a different Website.
using

As Exhibit B illustrates!

the Google search engine,
IT

the user searched for the term
I

"itunes.

The searcli results displayed a number of linlcs
link to •• ww.apple.com/itunes!" w

the'very

first being a purported

- which iSI

'in fact., the domain name for the official iTunes website maintained
by

Apple, link,

Inc.

The user of the infected computer then clicked on
being taken to th~t

that

but "nsteaClof

websi.te, the link -

by the defendants'

design ~ opened a website for
which is to sell a business unaffiliated

www.idownload~store-music?oom!
with Apple

J:nc. that
I

purported

Apple so,ftware,

The

defendants

then received money for that fraudulently engineered

b.

Tne Netflix

Example.

Attached as Exhibit

'C

is

an illustration of hoW the user of an infeoted
a link for Netflix, unrelated using but was instead

computer clicked on
for an

taken to the website
II

business called "BudgetMatch,

As Exhibit

C

iilustratesr

the Bing search engine, the user searched for the term
The search results displayed a number of links
I

l'l.1etflix.'1

including a purported link to •• ww.netflix.com" w

- which is; in facti

t.hedomain name for the official website of NetfliX, a movie rental business. The user of the infected computer then clicked on that website
I

link, but instead of being taken to that
defendants'

the link

- by the

design - opened a website fOr www.budge.tmatch.netiwhich
II

is not affiliated for that

with Netflix. engineered

The defendants "c1ick.1I

then received

money

fraudulently c.

The Internal Revenue Service Example. D is an illustration of how the user of an infected Revenue Service" tax preparation engine, displayed but was

Atta.ched as Exhibit computer clicked instead taken

on a link for the Internal for a major

to 'the website

business. the user a number - which Reverrue on that - by the

As Exhibit searched of links, is/

D illustrates, for the term " irs. the first being

using
It

the Yahoo search results

The search link

a purported

to ..www.irs.goV./I of the. Internal clicked the link

in fact,

t.he domain name for the website The user of the infected

Service.. link, but

computer then website for
r

instead
I

of being taken to that - opened
r

defendants

design

a websit'e

H&:R Block with the IRS. The

(www.hrblock..oom) defendants "click.
rr

which

is not affiliated money for that

then .received

fra.udulently

engineered

The Advertising 4. Anot.her component replacement and their with

Replacement

Fraud fraud scheme

of the defendants' fraud. In this

inVOlved advertising scheme, t.he defendants advertif:l€!mentson triggered advert.ising payments

component of the legitimate that

co~ccmspirators substitut€ld

replaced

websites

advertisements

to the defendanes. fraud worked
5

Examples of how the include the follClwing:

replacement

a..

The Wall

Stree,t

Journal

Examp],.e.

Attached

as

Exhib.it Ii: are side-by-side Street

scr-eenshot e of the publication of the Wall

Journal

(\IWSJI!)

website's ncrne -paqe on May 31, 2010.

Both

screenshots were obtained by using a computer's
to \\http://Qnline.w~j.com/home~page.'1 was obtained from a non-infect.ed

web browser to go
on the

The screenshot

left

computer, whereas the screenshot computer.
On the

on the right. was obtained non-infected
advertisement American
computiex
I

from an infected

computer, the WSJ home-page prominently displayed an (in the lower right hand side of the webpage) for
I

Express

advertising

lIThe l?lum

Card .. 11

On the

infected
I

that advez t Lsemerrt had been replaced
an adve,rtisement for b. "Fashion

- by the defendants Girl LA."

design

- with

The Amazon. com Example.

At t'ached as Exhibit

F

are

side-by-side

screenshotsof

the Amazon,com website.,

The

screenshot

on the left was obtained from a non-infected computerl
was obtained

Whereas the screenshot on the right computer.
was

from an infected
advertisement

On the non- infected computer,

a prominent

displayed on the lower right Explorers,
On the

hand side of the webpage for Windows advertisement

Internet

ipfected computer, that

had been replaced with an advertisement
- for
.'

- by the defendants' design

an email

marJ.;:eting business.

c.
side-oy'- side

The ESPN Example. Attached
of the ESPNwebsite.
6"

a$

Exhibit G are

screenshots

The ac.re eriahot; on the

left was ohtained from a non-in;Eected compute:r:,whereas the screenshot on the right
the non-infected a soft-drink, was obtained from an infeoted advertisements

computer.

On

computer, prominent

'for Dr. Pepper, On the infected

we;r:edisplayed on ESPN's webpage.

computer, defendants

the Dr. I?epperadverti~ements
I

had been replaced ~ by l:he for a t.imeshare business.

desi.gn - with an advertisement
As a result of this

5.
TAAME, TIMOR

scheme, VLADIMIR 'I'SASTSIN ANDREY I
JEGOROV, VALERI ALEKSEJEV,

GERASSIMEN1<O,. DMITRI

KONSTANTIN

POLTEV, and ANTON IVANOV, the defendants,

and their
gains

co-conspirators,

reaped at least $14 million in ill~gotten

through click l1ijcwking and adve r t Lsernent; 'replacementfraud;
more than four million oomput.ez-s

Of the

infected with malware as a part of in the United government

the schemel
States
I

at lea.st 500,000 Were infected computers
belong.ing to trnited

among them computers
r

states

agencies

such as t.he National

Aeronautics

and Space Administration

("NASAl!)i ed\lcational institutionsi
commercial businesses
i

non-profit

organizations;

and individuals·. of Anti~VirUB Software

'l'heBlocking

6.

~s a further part of the scheme; and to prevent

its

d~tectiol'lrVLAD;I:MIRTSASTBIN, ANDREY TAAME, TIMUR GER~SSIMENKO, DMITRI JEGOROV,
IVANOV the r

VALERI JU,E1<SEJEVi KONSTANTIN

POLTEV, and ANTON desig~1.edthe

defendants,

and their co-conspirators,

malware to disable anti-virus protections on the infected corrrput.ez-a,
7

Specifically.
infected computers

the malware prev9.nted anti-virus
I

software on the

computers
I

as well as security featu:r.esof the infected·
systems
I

operating

J:romreoeiving updates
As

that. otnerwise

could havGl detected
infected computers distributed
by other

the malware and stopped it. were left vulnerable
cybercriminals use:r:i3' valuable

a result./the
by malware

to infections
I

which could

among other harms, financial

steal, the computers

personal

and

information,
7.· Attached as Exhibit Hare of an infected

screenshots

showing what to acceSf3 updat!:!s.

occurred websites attempt
infected

when the user

computer tried

that host anti-virus and/or operating system to access a Microsoft
ecmputez- resulted

An

operating

system update from an
l

in the message

"The page cannot

be
/I

displayed.
An attempt

The page you are looking- for is currently unavailable. to access Avast I anti-virus sQ·ftware resulted Ln the
An attempt

message;

"Error, Ca;nnot connect to server."
software resulted in the

to access

AVG anti-virus failed.
II

message;

"Connection

Accordingly,

the <defendants'

scheme -, in addition

to

harming

computer users by hij acking computer' seaz che s and bringing to visit

users to website::; and. advert.isements they never intended - further harmed. computer users by disabling
software

their anti-virus
to othe:L

protections and leaving

their computers vulnerable

malware.
8

B. website

The defendants

i

scheme also

depr Lved legitima.te monies' and as a result of

operat:Qr~

and adve,rtisers

of substantial
revenues

advertisi.ng

revenue.

Search engines l06t
on their

the hi] acking of clioks Advertisers be bona fide fact lost

sponsored search results that

listi.ngs.
to

money by paying for clicks
by

they believed

clicks

Lnt.er ee t.ed computer users,
defenaan·l:s.

but which were in

fraudulently

engineered by the

Furthermore

I

the

defendan.ts' conduct risked r~putational

harm to businesses that paid

to advertise

on the Internet - but that had no knowledge or de:::;ire
websi t.ee or advertisements

for computer users to be directed to their
.through the

fraudulent means used by the defendants.
The De~endants and Relevant ~ntities relevant to this Indictment
i

9'.

At all

times

VlADIMIR

T8AST13IN, TIMUR GERABSTMENKO,

DMITRI JEGOROV,

VALERIALEKSEJ'EV,
r

KONSTANTIN POLTEV, and ANTON IVANOV, nationals
rel"Jiding

the defendants

were Estonian

in Estonia.

10.
TAAME[ the

At all

times relevant to this
national

IndiGtment,

ANDREY

defendant, was a Russian 11.

reslding in Russia.

At various times relevant to this Indictment,
I

VLADIMIR

TSASTSIN

ANDREY TAAME, TIMOR GERASSIMENKO,

DMITRI

JEGOROV,

VALERI ALEKSEJEV,

l<ONSTliNTINPOLTEV, and ANTON IVANOV, the
co-conspirators, fraudulent
9

defendants, and their
entities

operated

and controlled scheme and to

used to execute the

advertising

launder the illicit profits companies, among otheJ;S:
a.

from it

j

including

the following

Rove Digi.tal,

all

Estonian corporation,

Which

was :purportedly in the business of, among other things, software
deve Lopmerit; i

b.
purportedly was a real

Tamme Arendus, "an Estonian
estate

corporation,

which

development business and whieliacquired

most of Rove Digital's
c.
SPB

assets;
Group, rented

the entity name under which T8ASTSIN from a data center in New Yorlt;:., New

and his co-conspirators

York (the I\Manhatt~n Data Cent-erl!)several aerveri3 and other technology
advertising infrastructure

that enabled 'the click hijacking 'and
frauds;

replacement
, d,

Cernel Inc., a California

company

("Cernel")!
I

Internet Path Limi t ed , a New York company (" Inte~TIet: Path")
Limited, a Ukrainian company (\\P:J:omnet',)
I

F~omnet

Pro:L:Lte Limited, a Russian

company

("ProLite"), and Front Communications,

a New York company of IE addresses

("Front")! which were used to register thousanos assigned to the defendants' scheme; e.
(1iPurox'l)
I

computers in furtherance

of

the .fraud

Furox Ape
d/b/a

I

d/b/a 1\(jathi, com, " a Dani.sh company
"utterSearch. com". (\\Onwal')" a

onwa Limited,

Repuhlic of Seychelles

company, and Lintor Limitedl
lO

d/b/a

f

1'Crossnets. com," a Britisl~ company agreements with advertising
and IT Consulting,
I

("Lintor")

I

that entered into

broJce:rs to deliver

Internet traffic, as

discussed belowi

f. Estonia,TIcompanf.es maintained
places,

Infradata, and Novatech,al1 Furox and onwa ,

which, along with Rove D:hgital,

accounts in Cyprus, Denmark

and Elstonia, among other
in advertising fees derived

that received millions of dollars

from the fraudulent

advertising

scheme.

Internet Advertising 12. industry websites. Internet advert.ising is
at

multi-billion

dollar

in which website owners sell advertising Two common adve;rtising arrangements

spaoe on their

are the so-called.. model.. Under to as a an

\\pay per clickli

model and the "pay per impression" a w.ebsite operator

either arrangement, "publisher
ll )

(also referred to display

eontrStot.swith an advertiser on the website.

advertisement 13.

Unde:rthe "pay per clicki' model, and in its simp.lest

form, the advertiser pays the publisher a certain amoune of money each time a visitor advertisement to the we~site clicks on a particular which provides the

and is sene to another website information

vi~itor with additional service,

about the advertised product or

11

14"
I

Under

the "pay per impression

model,"

and in its

sin1plest form, the advertiser

pays the publisher
is displayed

a certain amount
on a webpage that

of money each time an adv~rtisement is viewed, but not necessarily

clicked

on, by a visitbr.

15.
advertisers relationship third-party

There are millions

of website publishers and
instead of baving a direct advertisers with often rely on

on the Internet. with
'lad

As a result, publisher,

a Website

brokers" to website

to contract publishers.

and deliver

their than often join

advertisement-s contract together

Similarly, rather
website publishers to contract

with ad brokers individually, to form "publisher networksf!

with. ad brokers

collectively. 16,. .Internet advertisements digitally
I

appearing "tagged.
Ii

on websitea Thus, when a user ad broker which

pursuant to such contract-sare
views or clicks distributed.

on. an. advertisement

the appropriate

the ad and the website publisher

network which displayed

the ad can be identified,

and payment can be remitted

to th~m,

The Defendallts' Scheme to Commit Advertising Fraud Through the.ir Operation of Publisher Networks
1-7,

From at least

in or about 2007, up to and including controlled and operated publisher and LintQ::t:

in or about various

October 2011, Which

the defendants

companies

purported

to be legitimate to
I1UliOX,

networks,

including

but not limited
12

Onwa,

(collectively,

"the Defendants

r

:Publisher Networlcs").

'Those

Publisher Networks entered into adv9t"tising
ad proker,g, giving

agreements with multiple motive to maximize the
and the nurnbez' of ad

the defendants
on the adverttser

a financia.l websi'tes,

number of clicks

displays,

attributable
1:.11,(3

to .the Defendants'

publisher

Networks.

,Stl'ttedanother way, Publisher

more Internet traffic that the Defendants'
r

Networlcs drove to the advertisers

websites

and display

ads / the more money the defendants would earn under their agreements

with the ad brokers.
18.
T'SASTSIN
i

In truth and in fact, however, and as VLADIMIR
DMITRI JEGOROV
r

ANDREY TAAME, TIMOR G·ERASSIMENKO,

VALERI

ALEKSEJEV,KONSTANTIN POLTEV, and ANTON IVANOV, the defendants,

well

knew, most, if not all, of the websites
of the Defendants
by
I

that purported

to be part

Publisher

Networks were bogus webe it.e controlled s

the defendants 19.

to enable a massive fraud.
"earnedll

The defendants

millions

of dollars under displaying
but instead by

their advertising
advertisements

agree.ments.,not by legitimately
their

through

Publisher Networks,

using malware advertiser

to

f raudu

l.errt drive Internet Ly

t"raffic to certain the defendants

websil:.esand display ads.

Furthermore,

took steps to make it appear to adVertisers from legitimate Defendants' clicks and ad displays Networks

that this traffic was from the

originating

Publisher

and their member websites,
13

The Defendant;:!' Use of "Rogue DNS Serversll and "DNS Changer Malwarei( to Exeoute the Scheme
20 . TAAME, TIMUR To car.ry

out the 'scheme
DMITRI

r

VLADIMIR

TSASTSIN

I

ANDREY

GERASSIMENI(;O,

·JEGOROV r VALERI

ALEKSEJEV,
I

KONSTANTIN PQLTEV r

and ANTONIVANOV, the

de f endan't.s

and their

co-conspirators
.( "DNsn) servers,

used what are known as "rogue"

Domain Name System t.he DNSServer
I

and malware that was designed to alter computers (the "DN,S .Changer

settings

on infected

Malware")

as

described below.
21. website into
By way of background, by either

a computer user

can access

a

on the Internet

of two principal either that the Internet website.

ways: by entering Protocol
("IP")

the computer's

web browser
I

address,

or the domain neme

for

The IF address

ilS

a unique numerical address associated
123.45; 6.78)
I

with a webffite (~,
street add:r'ess; whersas a

akin to a home or business
easy-to-remember
(such as
;'WWW.

domain name is a simpl'e! computers
on the Internet

way for humans' to idemtity irs. gov") . a website
by its

22. domain name, it

When a computer aeeks uses a DNSserver

to access

to first
fOl;"

corrvext; or "resolve" website.

the

domain name into

the IF address

that

The cornputer t s the IP
by the ISP I

internet
addresses and that

service provider

("ISI?If) typically

transmits operated

for one o:t:" ore legi timate 'DNS m servers information

i6 stored

in the
14

compute;r:'s operating

system.

(Th(il DNS settings -t.he user's

of a llS.er's

computer

also

can be changed

without the

permission

by malware.)

After the comput.s r receives t.hen uses and display that IP address

I:fl adores s from a Dl,>:J'S server, the requested 23. works
I

it

to f.1nd webpages .

websi te and retrieve

the relevant

Using the IRS website entered

to illustrate

how a DNB server
·'WWW.

if a comput.sx user

the domain name

irs. gov" into refer to the

the computer's
DNS

web browser,

the web browser
I

WOl,lldfirst

server as direct.ed
the DNS Server
gc)y i

by the computer

s operating

system; tlten to

contact WWW. irs. connected

to obtain

the

IP address

cQrresponding the

and then use the

IP address

to locate

computer and,

to the Internet to retrieve 24.

that hosts and display

the www.irs.gov that website for

website the user.

ul'timately,

DNS liIervers are

thu::l critical to the proper rely on DNSservers
I

functioning correctly the coriect
a.CC8S9

of the Int.ernet. re1301ve domain names If address

Computer users
So

to

that

the users

computers receive accordingly, users

information

and so that,

the websites
25.

they intended.
li

A "rogue

DNS ~erver

is

a DNS server

that II? addr'e as , and

intentionally therefore

resolves

a domain name to an incorrec1: to an incor.rect of the

directs 26.

a. computer user

website.

Here, in furtherance

scheme, VLADIMIR, DMITRI
I

TSASTSIN,

ANDREY

TAAME, TIMOR GERAS8IMENK01

JEGOROV,

VALERI and

ALEKSEJEV, KONSTANTIN POLTEVr

and ANTON IVANOV
15

the defendants,

their servers

co- con sp i.r-at.oz-s controlled , (the
"Rogu~ DNS servers"')
I

and operated Locat.ed in,

dozens of rogue DNS
among other

places

!

New York, New York and Chicago 27. As a further

Illinois.
of the scheme r the defendants and the DNS changer Malware that was
I

part

their co-conspirators distributed designed to alter
route the infected

the DNS ~erver settings on victims computers to -Rogue DNSServers
r

ccmputez-si to inst,ead of

le';3'itimate DNS servers. altered the operating
controlled
DNS

Specifically,
stored

the DNS Changer Malware

server IF addresses

in the infected computers'

systems to the IP addresses of the Rogue DNS Servers and operated by the defendants and their co-conspirators. means/ the DNS Changer Malware infected the victims'

Among other

computers when those computers visited certain websites, or when victims downloaded certain software
limited tOI software that enabled from weba Lt es including, but not victims to view videos online. c:o-conspir~tors then to

2B. caused divert that

The defendants

and their

the Rogue DNS Servers that they controlled users of the infected computers to websites to visi t
I

~nd operated

and adve r't Laemerrt s

the users

did not intend

but for which the defendants

and their co- conspirators received fees based on t.heInternet traff Lc agreements brOKers. between the Defendants' publisher Networks and the ad

16

Ii

29.
the

Thus I to carry

out; the eJliclc hij a.c.I<:ing fraud, 3 (c) above,

using
of

IRS example discussed

in. paragraph

when the user
1/

an infected computer

compute!' conducted a Yahoo search for" irs,

the infected

first contacted one of the Rogue DNS Servers for the IP webpaqe , Instead of returning the

ad;dress of Yahoo' Sf search results

IP address of the true Yahoo search results server instead webpagecreated
search results

webpage, the Rogue DN'S

returned the II? address of a fraUdulent / imitat,ion
by the defendants webpage.

to resemble the legitimate Yahoo clicked on a

When the computer user then

link to a result on this imitation Yahoo webpage, "the click was
\\hijacked" by the defendants

and their website

co-conspiratori3 who instead
of the defendants'
II

diverted

the user

0

a different

and their

co-conspirators' revenue.
30,.

choosing, for which they

earned" advertising

Similarly,'

to carry out the advertising replacement

.frauo,

the defendants and their co-conspirators caused the Rogue DNS advertisements on certain webaLt ea when

Servers to di~play alternate
the
UJ;;leTS

of infected
When the

computers viewed those web:l!lites uBing'a
executed the

web

browser.

web browser

Lf.nka associated with

a particular advertisement,

ao.vertising banner, in order to display that
the Rogue DN'SServers

resolved the domain names in
the sub(3titute

those links to IP addresses of computer:s hosting advertisements.
17

31 , As a further par t of the scheme they were paid advertising

I

and to en~ure that and

fees by ad brokers, the defendants

their co.-conspirators caused informatio.n relating to. a particular hij acked click or substitute
it

advar t Lsement; to. be manipulated to make

fraudulently

appear t.hat the click and adve;r;tisement. haC! Networks, rather

originated from Dne of the Defendant's publisher

than from the search engine

o.rthe w,ebsite on which the click or

advertisement:. actually appeared.
3~. The defendants and their co.-conspirators caused

advertising

fees paid by ad brokez's to. the Defendants'

Publisher
I

Networks to be depoa i.ted into various bank accounts held in the name
or for the benefit, of the defendants
I

including

accounts

in Cyprus

I

Denmark

and Estonia.

The defendants used a portion of these funds
of the Rogue DN,SServers in New Yorl~ and Chicago.

to pay for the rental 33.

In furtherance

of the scheme; the defendant::land

their co-conspirators associated

controlled more than 1,000 IP addresses aOweveT, to conceal their

with the Rogue DNS Servera.

CQntrol and operation registered

of the Rogue DNS Servers, the defendants IP addresses in the names of

the Rogue DNS Servers'

ProLite, Promnet, Internet Path, Cernel, and/or other entities with which the defendants

had no.public affiliation,

but which they IP addresses

pont-rolled.

By using different

entities to register

for the Rogue DNS Servers, the defendants furth~rmore concealed the
18

relationship

between the Defendants'

Publishing ~etworJ(s and the

.~ague DNS Servers .. STATTJTO~Y ,A.LLEGATIONS 34. F'rom at least in or about 2007
r

up to and including

in or about October 2011, in the Southern District of New York and elsewhere, VLADIMIR TSASTSIN, ANDREY TAAME, TIMUR GERA.SSIMENKO, POLTEV, and ANTON and
and

DMITRI JEGOROV, VALERI ALEKSEJEV, KONSTANTIN

IVANOV, the defendants, and others known and unknown; willfully
knowingly combined, conspired, confederated, and agreed together

with eaoh other to commit wiJ;ef:r·aud in violation
States Code, Section 1343,

of Title 18, United

35.

It was a part and an object of the conspiracy that ANDREY TAAME, TIMUR GERASSIMENKO, DMITRI JEGOROV I

VLADIMIR TSASTSIN,

VALERI ALEKSElJEV, KONSTANTIN
defendants
I

POLTEV, andA.NTON IVANOV, the

and others known and unknown, having devised and

intending obtaining
pretenses
I

to devise a scheme and artifice t.odefraud, and for money and property by mea.ns of false and fraudulent
representations and promises, would and did transmit and

cause to be transmitted by means of wire, radio, and television communication
signals,

in interstate and foreign commerce, writings, signs, and sounds for the purpose of executing such

picturea,

scheme and artifice, in violation of Titl~ 18, United States Code,
Section 1343.

19

OVERT

ACTS

36.

In furtherance
r

of the conspiracy
t

and to effect the among others
I

illegal obj ect;thereof committed

the

fol.lowing overt acts

were

in the South.ern District
a.

of New 'York and 23
t

elsewhere: the

On or abou t: October

2 DO 7, ANTO:W IVANOV, of IP addresses

defendant,

C'ientan email

confirming

ownership

85.255,112.0

to 85.255.127.255.
"b. On or

about .August

11,

2006,

VALERI ALEKSEJEV,

the defendant,

sent to VLADIMIR

TSASTSIN,

the defendant,

an email

(the "Emai1") containing a lin]( to'an online r.eport about rogue DNS servers which identified TSASTSIN commented
c.

several servers by their IF addresses;

in the email: "There are our IPs,"
On or about August 11! 200B
i

'l'SASTSIN forwarded

the Email to other co-conspirators wi th the comment
I

not named as defendants

herein,

"Read about us. I' On or about August is, 2008, after receiving a

d.

copy of the Email and in an apparent response to it, TlMUR
GElRASSIMENKO! the. defendant, sent an email to DMITRI JElGOROV, the

defendant

t

instructing

J'EGOROV to assign a new IP address to one of

the servers ident.ified in the online report referenced in the Email.
E!:.

On or about August
JEGOROVsent

15/ 20D8,

in response to
an

GERASSIMENKO'

s ~equest,

GERASSIMENKO

lemail

containing

a new IP address for the serITer.
20

"

.

f.

On or about August

15, 2008, ANDREY

TAAME,

the
to

defendant

r

sent

an email to TS;1;.STSIN asking if r:r:SASTSIN intended
with ad brokeJ;s. 5, 20081

use a fake name ;Eor contracts

g,
POLTEV the defendant i should

On or flbout September
I

KONSTANTIN
if POLTEV

sent

an email

to TSASTSINinquiring domain names. TSASTSIN

use fake information h.

to

register

On or about March 24, 2009, technical assistance

sent an

electronic Data Center.

message requesting

to the Manhattan

(Title

lS,

United States
r

Code,
TWO

Section

1349 ..)

COUNT

(Conspi;racy to Commit

computer Intrusion)

The Grand Jury further charges:
37. The allegations;in paragraphs 1 to 33 and 36 are as though fully

repeated, realleged set
forth

and incorporated

by reference

herein. 38 . From at least in or about 2007 I up to and in.cluding of New Yor]cand
r

in or about october
elsewhere, DMITRI Vl,ADIMIR ,JEGOROV,

2011, in the Southern District
TSASTSIN
I

ANDREY TAAME t KONSTANTIN

TIMUR GERASSIMENKO PQLTEV,
I

VALERI ALEKSEJEV,
I

and

ANTON

IVANOV the I

defendants

and others

known and unknown

willfully

and and

knowingly combined,

conspired,

confederated,

and agreed together

21

with

each other
(a)

to violate
(A)

Title

18, United States

Code, secti.ons
and

1Q30

(4) r

(a) (5)

and (B) I

(c) (3) (A)

I

and (c) (4) (A)

(l3). that
I'

39.
VLADIMIR TSASTSIN, A,LEKSEJEV

It was a part and an object of the conspiracy
ANDREY TAPJIIIE I TIMUR
I

GERASS IMENKO

f

DMITRI
r•

JEGOROV

VALERI

KONSTANTIN

J?OLTEV rand

AMTON IVANOV

the

def eridarrt.a, and others

known and unknown, knowingly a protectBd

and with intent

to defraud, would and did access authorization,and

computer without
access, and by

would and did exceed authorized

means of such conduct would and did further the intended fraud and
obtain

anything of value, in violation
1030 (a) (4) and It was a further
TSASTSIN,

of Title

18, United States

Code, Sections 40.

(e) (3) CA) • part and an obj act of the conspiracy
TIMOR POLTEV
i

that VLADIMIR
JEGOROV, VALERI

ANDREYTAAME,

GERASSIMENKO,
and ANTON

DMITRI
I

ALE KSElJEV / KONSTAlilTIN

IVANOV

the

defendants,

and others

known and unknown,

knowingly and willfully code
I

would and did cause the transmiSsion

of a program, information, would and did
te

and command, and as a ;result
intentionally computer,

of such conduct,

cause damage without

authorization,

a protected

and would and did cauae loss to one and more persons during period aggregating at: least $5,000 in value, and would during

anyone-year

and did cause damage affecting anyone-year Sections

10 and more protected

computers

period, in violation of Title
(5) (Al
I

18, 'United

states Code,

1030 (Ei)

(c) (4) (El (i)
22

and (c) (4) (A.)(Il and (VI).

41.

It was a further part and an obj set of the conspiracy TlMUR GERASSIMENKO, DMITRI

that VLADIMIR TSASTSIN, ANDREY T~Er
JEGOROV
I

VALERI AL'EI<:SEJEV ,KONSTANTIN

POLTEV I and ANTON IVANOV, the

defendants,

and others

known and unknown, would and did intentionally and as a result damage,. and would period

access a protected
of such conduct, and did cause aggregating affecting
1088

computer without authorization, would and did re.cklessly to one and more persons
$5,000

cause

du.ring-any one-year

at least

in value;

and would and did cauae damage

10 and more protected
of.

computers during any one-:yea~ period, Code, Sec1;.ions 1030 (a) (5) (B)

in violaj:.ion
and (c) (4)

Title

lB, United States
and (VI).

(A) (i) (I)

OVERT ACTS 42. illegal In furtherance
I

of t.he conspiracy overt acts,

and to effect. among others
r

the were

obj ect s thereof

the following

committed

in the Sout.hern District
a. On

of New York and elsewhere:
23, 2007, ANTON IVANOV, the

or

about

Oc)::.ober

de fendant

I

sent an email

confirming

ownership

of IP addres5Jes

85.255.112.0

to 85.255.127,255. b. On or about August 11[ 2008
r

VALERI ALEKSEJElV

j

the defendant, (the

sent

to VLADIMIR TSASTSIN, the to an online severa.l the .email: servers

defendant,

an email

\iEmail ••)oontaining.alink which identified in

report
by 'their

about rogue DN'S
IP addresses;

servers

TSASTSIN commented

"There are

our IPs. ('

2i

c.

on or about

August

11 ( 2008,

TSASTSIN forwarded

the Email with

to other

co-conspirator$ about us."

not named as de:Eendants herein,

t:.hecomment { "Read d.

On or about

August

15, 2008,

after

receiving

a

copy of the Email GERASSIMElNKO, defendant)

and in an apparent

reSpODl3e to it) TIMUR to DMITRI a neW JEGOROVr the

the defenciant,

sent an email to assign

instructing

JEGOROV

II? address

to one

of the servers Elmail.

identified

in the online

report. referenced in the

e. GERASSIMENKO'r;; containing

On or about JEGOROV

August

lSI ;2,008,in response an email

to

request!

sent GERASSIM:ENKO

a new IF address
.. f

for the server . August 15, :2008/ ANDRElY TAAME, intended the to

On or about

defendan.t,

sent an email

to TSASTSIN

ask;ing if TBASTSIN

use a fake name for contracts
g, POLTEV I the

with ad brokers.
september 5, 2008, KONSTANTIN
if POLTEV

On or about
I,sent

defendant

an ernai.L to TSASTSIN

inquiring

should

use fake information t;o:t;'esister
h.

domain names.
TSASTSIN sent an to the Manhattan

On or about March 24, 20091 requesting technical assistance

electronic

message

Data Center. (Title 181 United States Cods, Section l030(b) .. )

24

COUNT
(Wire
,

THRElE
Fraud)

The Grand Jury further charges:
43. The allegations of paragraphs 1 to 33 and, 36 are

repeated, rea11e.sred and irtcorporated set forth herein. 44.
in or about

by reference

as though fully

From at least in'or about 2007, up to and including
20111 in the Southern
j

October

Dis'tric't

of New Yorlc and

elsewhere, VLADIMIR TSASTSIN
DM1TRI ,JEGOROV, VALERI

ANDREY TAAME, TIMURGERASSIMENKO,
i .

ALEKSEJEV

KONSTAN'I'IN

POLTEV

I

and

ANTON

IVANOV ,the

def~l1dants,

and others

known and unknown, having devised artifice to defraud, and for and fraudulent and caused to

and intending obtaining

to devise a scheme,and

money and property

by means o f false

pretenses, ,l;'epresentations

and promises,

transmitted

'be transmitted, and attempted and television writings, executing Internet signs, communication signals
i

t.o transmit, by rnearia of wire, radiol
in interstate and toreign commerce, of

pi.ctrur'ee , and sounds for

the purpose

such I3cheme advertising
I

iand artifice, to wit, fraud scheme described
r

in furtheranCe

of the
J.

above in paragraphs
JEGOROV
I

through 33 / 'J;'SASTSIN
POLTElV, IVA.NOV and

TAAME, GERASSIMENlW

AltERS EJEV ,

their

co-conspirators

caused mal ware to be
and

distributed

to computers world-wide

through ~he Internet,

operated Rogue DNS Servers located

in NewYork I NewYork and elsewhere

that received DNS queries and transmitted fraudulent DNS query results,
over the Internet. 113, united States code , Sections 1343 and 2.)

(Title

COTJNTFOUR

(Comput.er

Intl;"usion

Furthering !f;z;-aud) charges:
Citra

The Grand Jury fur't.har

45.

The allegations of paragraphs 1 to 33 and 36

repeated, realleged and incorporated by reference as though fully set forth herein. 46. From at least in or about 2007, up to and including

in or about October 2011, VLAD1MIR TSASTSIN; ANDREY TAAME, TIMOR GERASSlMENKO, DMITRI JEGOROV, VALERI ALEKSEJEV, the defendants, and others KONST2-\NTINPOLTEV,

and ANTON IVANOVt

known and unknown,

knowingly and with intent

to defraud; accessed a'protected computer

without authorization

l

and exceeded authorized access, and by means

of such conduct: furthered the intended fraud and obtained anything of value, to wit, TSASTSIN, TAAME, POLTEVt
GERASSIMENI<:O,

JEGOROV, ALEKSEJEV,

IVANOV and their co-conspirators

caused malware to be

d.istributed

to computers world-wide through the Internet, and

operated Rogue PNS Servers located in New York, New York, and elsewhere that received DNS qUeries from computers infected

with the

DINS Changer-Malware,

including NASA computera,

and transmitted computers, Ln

fraudul'ent DNS query results to those infected
26

furtherance paragraphs

of the advertising 1 to J).

fraud scheme described above in

(Tit.Le 1B, United States Code
103

I

a

Sections 1030 (a)(4),
2.)

(c)
\

(3) (A)

I

and

COUNT
(CQmputer Intrusion

.FIVE
by

Transmitting

Data)

~1e Grand Jury
4'7. The

further

charges:
1 to 33 and 36 are

allegations of paragraphs
by

repeated,
get forth

real1eged and incorporated hereie. 48.

refElrence a51 though fully

From at least in-or about 2007, up to and including ANDREY 'I'AAME, TIMUR
KONSTANTIN POLTEV
I

in or about October 2D11, VLADIMIR TSASTSIN,
GElRASS IMENKO
I

DMITRI

JEGOROV,

VALERI

ALEKSEJEV!

and ANTON IVANOV, the defendants,
Jcnowingly and willfully

and ,others

known and unknown, of a program,

caused the transmission

information, intentionally
oomputer
I

code,' or command,

and as a result of such conduc t , to a protected

caused damage without authorization,

and. caused loss to one and more persons

during anyone-year

period aggregating
af£ecting to wit,

at least $5,000 in valuer

and caused damage
period,
POL.TEV,

10 and more protected computers during anyone-year
TSASTSIN, TAAME, GERA8SIMENlW,

JEGOROV, ALEKSEJEV,

IVANOV and their co-conspirat.ors

caused malware to be dlstributed

27

to computers fraudulent'DNS Changer

world-wide query

thro,ugh the

Internet

ana transmitted
with the DNS

results

to comput.ezs infected but not. limit~d to,

Malwars,

including,

more t-han 10 NASA

computers

thereby oausing NASA damages in excess af $601000.
18, United State~ Code, -sec t Lons 1030 (a) (s) (A) 1 (c) (4) ('A) (i) (I) and (VI), (c) (4) (B) (i), and 2.)

(,Title

COUNT SIX (Money LaUndering 49. repeated, The allegations - Promotion) 1 to 33 and 36 are as though fully

of paragraphs

realleged

and. incorporated

by reference

set forth herein.
50. October From at least. i-n or about 2008 District
I
f

up to and in Qr about

201.1., in the Southern

of New York and elsewhere, affecting interstate and

VLADIMIRTSASTSINI the defendant and foreign attempted commerce, transported, to transport, a place transmit,

in an offense transmitted, and transfer

and transferred, a monetary

instrument a place

and fundst.o out .. side

in the United States with the intent:

from and through

the Uniteo. States, unlawful

to promote the carrying to promote the wire fraud

on of specified

activity, off·enses

to wit, charged

and comput.ex intrusion

in Counts One through to b,e sent

rive

TSASTSINcaused money derived an account. he controlled account

from those offenses

(1) from

in Estonia

to the Manhattan nat.a Center's

at JPMorgan chase Bank in NsW York! NeWYork (the \iManha t tan
28

Data Center-Chase

Account")

I

(2) from the

Furox-tTSD Account in in Chicago, IllinQis

Denmarlc to the account (the

of a data center maintained

located

\1Chicago Data. Center") (the "Chicago

at the !3an]{of America in Account"), and (::,;) from an

Virginia

Data Center-BofA

adverti'sin,g

network

in Canada to the

Manhattan

Data Center-Chase

Account.
(Title 18, United States Code, Sections 1956(a) (2) (A) and 2.)

COUNTS SEVEN TO TWENTY~SEVEN (;Engaging in Monetary 'I'ransactions Ln property Specified Unlawful Activity) Derived from

The Grand Jury
51. repeated, set fort~

fUrther charges:
of paragraphs 1 to 33 and 36 are as though

The allegations

Eealleged herein. 52.

and incorporated

by reference

fu11y

On or about the dates
I

setforl:h

below,
I

in the Southern
the defendant
r

District

of New York, and elsewhere

VLADIMIR TSASTSIN

Willfully 'transa~tionj criminally

and J.;:nowinglyengaged and attempteC! to engage in a monetary in and affecting dari ved property from specifi.ed frauds interstate and foreign 'Commerce
."
I

in

of a value unlawful
'I ••

greater activity,

than $10,000 and which namely
I

was derived

wire and
to wit! proceeds

computer-related TSASTSIN effected

charged in Counts One through Five, wire transfers involving

the following

derived from fraud:
29

CDUN'r

DATE

'WIRE
THE

TRANIiIFERS

FROM: ACCOUNT IN
N1IME OF:
7

AMOUNT OF W1RE TRANSFER

(USD)

TO ACCOUNT IN THE NAME OR FOR THE BENEFIT OF:

3/13/200;1 4/3/2009 5/5/2005) 5/14/2009 5/20/2009
6/5/2009

Rove Digital
ROVt'i!

41,814.00

Chicago Data Center Manhattan Data Center Chicago Da.ta Center Manhattan Data Cent.er Charles Schwab
&

e
I ,

Digital

25,060.71 17;397,20
24,048,00
750,ClOO.OO

~

9

~

Rove Digital
~

10
11

Rove Digital Furox Rove Digital Rove Digital Rove Digital Furox Furox Furox Furox Furox Furox Furox furox
.

Co.

12
13

11,34(5.00

Chicago Data Center Chicago Data Cents;r
I

7/29/2009 9/113/2009 11/28/2009
1/20/2010 2/11/2010

10,621.00
23,646,00
780,000,00

14 15 16 17
19

Chicago

Data

center
~ ,

Onwa (Cyprus)

150,000,00 160,000,00 210,000.00 500,000,00 30,100.00 300,000.00 120,000.00
~ ~

onwa
Onwa

(Cyprus)

Onwa (Cyprus)
(Cyprus)

3/11/2010 5/6/2010 6/2/2010 6/28/201Q 7/1.9/2010 9/7/2010 9(21/201Q 12/14/2010 12/21/2010
12/23/2010

19 20 21 22 23
24

Onwa (Cyprus) M.B.V.
O:o:wa (Cyprus)
i

~

Onwa (Cyprus) Onwa (Cypru:s) Onwa
~ ~~
(C)'p];"US)

Furox Furox Furox Furox
~

140/000.00
100,000.00 180,000.00 33,332.58 91,000.00

25
~

Onwa (Cyprus) Chicago Data Center Onwa (Cyprus)
~

26
2'7

Furox
States

(Title

lS, United

Code/

Sections

1957

and 2.)

30

FORFEITURE 53.

ALLEGATIONS

AS TO COUNTS

ONE AND THREE

fraud States

As the result of committing one or more of the wire .. and conspiracy offenses, in violation of Title 19, United Code/ Sections 1343 and 1349, VLADIMIR alleged in counz s One and Three VALERI
I

of this Indictment,

TSASTSIN, TIMURGERASSIMENKO,

ALEKSEJEV,DMITRIJE:GOROV / KON.STANTIN J?OLTE:V I and ANTON IVANOV the defendan'ts,
United Sta.tes

shall

forfeit

to the United states
98l(a)
(1) (c)

pursuant

to Ti t.Le 18 I

Code, Section 2461( all

and Title

281 Uni~ed States which

Code, Section constitutes including

property,

real

and personal, traceable

and is derived but not limited
A.t

from proceeds

to the offensesl

to the following: $l4/ ODD; DOD in united is property obtained that
States

a..

least

currency, or is

in that such sum in aggregate tracr=able to the gross recsi.pts

represents

as a re,sult of t he wire fraud

offenseSi
b. other monetary Any and a:ll United credi.ted States currency, funds or

instruments
i.

bo the

following

accounts: Nos.

Norde.a Banle Danmark
in the

A/S Account

DK3520005036250625

and DK352000S036246059,

name of Furo:x: Aps; No'.

Li ,

Eank. of

Cyp·rusAccount the benefit

C:Y270020015500'OD00406i1626106', for
ll.~ .
jJ~ ]

of Onwa Limited,

. . Banc a f Cyprus Account No.

CY3B002 0 015500 Do 004046 80 7606!

for 31

the benefit

of

Lin

or

Limitedl'

iv.
CY66Q02001550000004081187006, CY20002001S500000040811B8901,

Barik of Cyprus Account

Nos. and

CY7200200155000000D113088200,

for the benefit: of Danona Limitedi
Marfin Popular and Bank in Cyprus Account

v:
Nos.

CYS0003001580000016832019.961

CYOa0030Q16800000i68l1019441',

for the benefit
Mar:Ein Popular

of Lex Capital Ltdj

vi,

Sank in CyPrus Account

No. CY920030017900000179322646~11
vii. @tates Account Nos.

for the benefit: of Onwa Limited;
Bro]l:ers LLC in the United
i

Interactive

U5El5997and U595413

in the name of Lex Capital

Limited;

viii.
EE063~003334J€i290009,

Sampo

B.anJli: in

Estonia

Account NQ.

in the name of Onwa Lim.ited;
Lx , Vorarlberger Landes in Austria, Account

No. AT755B00020497851D1Br
x.

for the benefit of Lintor Limited;
EM! Offshore Bank in the Republic of

Seychelles

Account No. 3000Q00055.88/
c.

in the name of Onwa Limit@d; in all computers and

The defendants' interests

computer

peripheralsi':
i. associated
67.:nO.D.O

wi th IP addresses
through
i

85.255.112.0

through

85.255.:1,27,2.55; 0 through

67.210.15.2551 through 64.28.176.0

93,188 .l60.

9'3.188 .l67. 255

77.6'7.93.0

77.67.83.255;

213.109.64.0

thrQugh 213.109.79,255; 32

throu.gh 64.213.191.2.55;
174.123.205.190; 64.20.51.2; 65.60.9.238; 72.18.192.60, 72.233.76.58; 65.254.50.10, 216.180.243.10; (the "TARGET IP

69.197.13.2.58:

72.233,76.82; 2l6.137.191.66; 65.60.9.237;

174.133:7.122;

184.82.214.2;

65.60.S.234;

65.60.9.235;

65.60.9.236;

66.152.177.58; 72.18.192~61; 72.233.76.69; 72.9.238.202;

12.18.192.58; 72.233.76.66; 72.233.76,'0; 75.127.76.194;

72.18.192.59, 72.233.76.67; 65.254.36.122, 207.210.119,170;

64,111.197.186;
ADDRESSES") i

66.230.167.218;

and 69.93.95.234

ii. iii.

located at the Manhattan

Data Center;

located at the Chicago Data Center;
loc"ated at ThePlanet located in Houston,
Texasi

iv.
v.

at Multacom corporation

in Canyon

County, California;
vi.
TeXas I

located

at Layered Technologies

in plano,

vii.
in Scranton, PeruAsylvaniai viii CitYr
+

Looat.edat Network Operations

Center, Inc.

located

at Wholesale Internet

in J~ansas

Missouri;
Lx. x, located located at SingleHop in. Chicago at premiaNet
I

Illinois
Nevada.

1 I

in Las Vegas r

xi.

located at Interserver in Secaucus, New
33

Jersey;
xd i., located at ISPrime" LLCI in Weehawken, New

Jersey; and
xiii. located at Global Net ACcess LLC1 in

Atlantal

Georgiaj

and
Th.e

d. ADDRESSES.
54.

defendants'

interests in the TARGET IP

If any of the above-described

forfeitable

property,

as a result

of any act or omission of the defendants a.
cannot be located

upon the exercise

of due

diligence;
b.

has ~een transferred or sold to, or deposited

with, a third party;
c. has been p'l acad beyond the jurisdiction of he

courti d.
e ,.,

has been saubstantially
naa been commingled

diminished with

in value i or whi ch

onhez' property

cannot be divided without diff,icul'tYi
it is the intention States code
I

of the United States,

pirr.suant;

to Title

21, United

Section 853 (p) , to seek forfei ture of any other property property.

of the defendant·s up to the va Lue of the forfeitable

(rritle ~81 United States Code, Sections 981, 1343, 1349 i Title 28, United States Code, 8ection 2461; and Title 21, United States Code, Section 653.)
34

.

FORFEI~URE ss,

ALLEGATIONS As a.resul t of

AS TO COUNTS

TWO,

-

FOUR

AND

FIVE

committing one or more of the computer
I

intrusion and conspiracy offenses, in violation of Title 18

United

States Code, section 1030, alleged in Counts Two, Four and Five,
VLADIMIR ALEKSEJEV TSASTSIN,
I

ANDREY

TAAME,

TIMUR GEAASSrMENKO, .]?OLTEVI and
i

VALERI

DMITRI
I

,JBGOROV! KONSTANTIN

ANTON IVANOV I the to 18 U. S. C.

defendants
§

shall forfeit

to the United States

pursuant

982(a)

(2) (B) i any property constituting,

p,nd derived from;

proceeds obtained directly and indirectly as a result of the
offenses,

including but not limited to the following: a.
At least approximately

$14 million
is

in United

stat~s

currency,

in that such sum in aggregate

property

representing offenses; and

the amount of proceeds obtained as a result of the

b,

Any and all United States qurrency, funds or credited to the following accounts: Nordea Bank Danmark

other monetary instruments
i.
DK3520005036250625

AI S

Account Nos.

and DK3520005036246'0591 in. the name of Fur-oxAps; ii.
Bank of Cyprus Account
for the benefit Bank of Cyprus for

No.
Limited;

CY27002001SS0000004061626106!

of Onwa

.iii.
·CY380020015S0000004046B07606,

Account; No. Limited;

the benefit of Lintor

35

iv . CY660D20015500000040811B7006, CY200020D15S00D00040s1188901,

Bank of

Cyprus Account; Nos. and

CY720020D1550000000113088200,

for the benefit of Danona Limited;
Marfin popular
Bank. in

v.

Cyprus Account

Nos. CYS0003001680000016832019961
CYDB00300.1680000016B1I019441, for Marfin

and
the

benefit of Lex Capital

Ltd;

vi.

Popular

Bank in Cyprus ,Account

No. CY92Q03D01790000017932264691, vii.
States Account Nos.,
US6S

for the benefit of Onwa Limited;
Brokers I.LC

Interactive

in the

United

997 and U595413r in the name of Lex Capital

Limitedj
viii. EE063300333436290009, Sampo BanJ~in Estonia Account No.

in the name of Onwa Limited;
ix.
Vorarlberger the Lande s in A:\.'Lst ria
r

Account

No. AT755B00020497851018"for
x.

benefit of Li,ntor
Bank in the

Limited;
of

EMI Offshore in

tihe Republic

,seychelles Account: c. computer peripherals:

No. 3D0000005588/
Th~ defendants'

name of in all

Onwa Limitedj cornputer5, and

interests

i. ii.

associated with the

TARGET lP ADDRESSES;

located at the Manhattan Data center;
located at. the
located at 36

iii. iv.

Chicago Data Center;
in Housl:on,'l'exEl.s;

ThePlanet

v,

located

at Multacom Corporation

in Canyon

county;

Californi,a; vi. located at Layer€d 'l"echnologie's in Plano
f

TexaSi

vii. in Scranton, pennsylvania; viii. Ci,ty" Missouri; ix. x,

located

at Network Operations

Center,

Inc.

located

at wholesale Internet

in Kansas

located located located

at single!iop

in Chicago,

Illinois,.

at PremiaNet in Las Vegas; Nevada; at Interserver in Secaucus, New

xi. Jersey;
xii. Jersey,; and xiii. Atlanta, Georgia; d. and

located

at ISPriroe

I

LLC, in Weehawken, New

located

at Global Nel: Access .LLC,

in

The defendants

I

Lnt e re at.s in

the

TARGET IF

ADDRESSES.
56. A.s a result of committing one or more o:Ethe computer

in~,ru,sion and conspiracy States

offenses, alleged

in violation in Counts

of

Title

18, United

Code., Section 1030,
TSASTSIN DMITRI
r

Two, Wour and Five,
I

VLADIMIR
ALE!<BEJEV,

ANDREY TAAME~ TIMUR GERASSIMENI\D
I

VALERI

JEGOROV

KONSTANTIN POLTEV

r

and ANTON IVANOV,the

37

defendants,
§

shall
I

forfeit

to the United states, in any personal

pursuant: to 18 V,S.C. property
that was

1030 (i) (1)

their

interests

used

and intended

to be used 1:0 commit and to fa.cilitate including a. but not limited

the commission

of the offenses(

to the following: in all computers and

The defendants'

intere:::t.s

computer

peripherals:
i. ii.

associated with the TARGET IF ADDRESSES; loca.ted at the Manhattan Data Center,' located at the chicago Data Cente.r; locE!.tedat ThePlanet in Houston, Texas;
i

iii. iv.
v. County, California;

Loria tied at Mul acom Cor]?oration in Canyon t

vi.
Texas i

located

at:. Layered Technologies

in Plano

I

vii. in Scranton, Pennsylvania; ~iii. City, Missourii Lx,

located

a.t Network opexati Lons Center

i

Inc.

located

at Wholesale Internet

in Kansas

located located

at SingleHop j_nChicago I Illinois at PremiaNet in Las Vegas at Interserver
I

i

Nevada;
i

xd.,

located

in Secaucus

New

JerseYi xii.
located at. ISPrime, LLC
38
r

in Weeb:awken

I

New

xiii. Atlanta, Georgia; and b. ADDRESSES.

located at Global Net A.ccess LLC, in

The defendants

I

interests in the TARGET IP

Subst~tute
5,7. If any of t he

Assets

pro'lli_sion

above-described

forfeitable property,

as a result of any act or omission of the defendants:

a.
dili,genc~i

cannot be located upon the exercise of due

b. with, a third party; c.
court;

has been transferred or sold to, or deposited

has been placed beyond the jurisdiotion

of the

d. e. cannot be divided it is the intention
982 (b)
i

has been substantially

diminished in valuei or

has been commingled with other property which without diffioulty; o! the United States
of any other
J

pursuant to 18 U.S.C,

§

to' seek forfeiture

property

of the defendants,

.up to t.he value of the above-described
(Title 18, United sta'tes Code United States
i

forfeitable
853.)

property.

Code, Section I

Sections 982 arid1030, and Title 21,

39

FORFEITOR.E ALLEGATIONS AS TO COUNTS SIX TO TWENTY-SEVEN'
58.
~9

a result

of committing one or more of the money
in counts Six to Twent.y-Seven, VLADIMIR pursuant involved

laundering o f f erine s alleged
TSASTSIN, the defendant,
to 18U,S.C.
§'

shall

forfeit to the Uni ted Sta.tes,
real andperiOlonal,

982(a) (1).1 all property,

in

such off~nse but

and all
not a.

prope;r;tytraceable
to the following:

to such property,

including

liTllited

At least

$14 million
is

in United

States

cur xency ,

in

that

such

sum in aggregate

property traceable
United

which was involved

in the
i

money laundering of.fense
h.

or is

to such property
States

and

Any and all

currency, htnds or

other monetary instruments
i.
DK352000503(5250625

credited to the following accounts;
Nordea Bank Panmark"A/ S Account Nos.

and DIO.52000S036246059,

1n the name of Furox Aps;

ii,
CY2700200155000000406162610S,

13ank of

Cyprus

Acoount

No.

for the benefit of Onwa Limitedi
Cyprus Account No.

iii.CY38002001550000004046807606,

. Bank of

for the benefit of Lintor Limited;
Bank of Cyprus Accourrt Nos.
anq

Lv ,
CY660D200155000000408118'7006, CY200020Q15S000000408118890l;

CY720D2001550000000113088200,

for the benefit of Danona Limited;

40

V.
Nos.

Marfin

~opular
and

Ban].;:in Cyprus

Account,

CYS0003001680000016832019961

CY08003001680000016811019441,

for the benefit

of Lex capita~

Ltd;

vi.

Marfin

popular

Eank in Cyprus Account

No. CY92003001790000D17932264691,

for the benefit

of Onwa Limitedi
the United

vii.
States Account; Nos,

Interactive
I

Broker~ LLCin

U565997 and U595413

in t.he marne of Lex Capital

Limited; viii. E'E;06330G3334.36290009, Sampo Ban].;: in

Estonia

Account No.

in the Lx,

name of

Dnwa Limited;

vorarlbe:rger
for BMI

Lande s in Austria,
Of Lintor

Account

No. AT7SSB00020497851018i

the benefit

Limited;

x.
Seychelles Account

Offshore Bank in the Republic
in the name of Onwa

of

No. 300000005588,

Limited;

c.

The de.fendants'

interests

in all

compu.ters

and

computer

periphera15: i. ii.
iii. iv.

associated.

with the TARGET

IF ADDRESSEl8,

locs,ted at the Manhattan
located
located

Data center;

at the Chicago Data'Centeri
at Tnel?lanet at Mul tacom

in Houston,

Texas; in Canyon

v. County, Califor.nia; vi.

located

Corporation

located

at Layered TeChnologies 41

in Planor

TexaSi

vii.

locat.ed at

Network Operations

Center

I

Inc.

in Scrantonr

pennsylvania; viii. located
at Wholesale

Internet in Kansas

City, Missouri;
Lx,
x,

located located
located

at singleHop in Chicago! Illino::Ls;

at premiaNet in Las

Vegas

I

Nevada New

i

xi.
JerseYi

at Interserver in Secaucus,

xii.

located

at ISPrime, LLC, in Weehawken, New

Jeraey; and xiii. located Atlanta, Georgia
I and
d.

at Global

Net Access LLC, in

The defendants

I

inte.rests

in the

TARGETIP

ADDRESSES,

substitute Assets
59.

Provision
.forfeitable property,

If any of the above-described

as a result

of any act or omission of the defendant:
a, cannot be located upont::he exercise of due

'dili.gence

i

b.

has been transferred or sold to, or deposited

with, a third partYi

42

c..

has been placed beyond the Jur'isdiction of the

court .• d.
e.

has been substantially diminish~d in value

i

or

h~s been commingled with other property which

cannot be divided without difficult.y; it is the intention of the United States, pursuant to 18 U.S.C.
§

.982(b)

r

to seek forfeiture

of any other property

of said defendant

up to the value of the above-described forfeitable property.
(Title 181 Oni'ted States Code, Sections 9821 1956 and 1957, and Title 2~1 United States Code, Section 853.)

Foreperson

PREET

BHARA..RA

United States Attorney

43

EXHIBIT A

GlosiiliaryofRelexant
};>

Campute.r Terms

A domain name is a simple, easy-to-remember way for humans to identify computers on the Internet, For example, "www.irs.gov" is a domain name for the Internal Revenue Service's website .. Domain Name System ("DNS") servers are computers connected to the Internet that convert or "resolve" domain names, which are easy 1'0:-';: humans to remember, into IP addresses, which computers use to identify other computers on the Internet. Irrter uet Protocol addresses ("IP addresses") are uniCJ.u€! combinations of numbers that computers use to identify each other OI\ the Internet. An IP address looks likes a series of four numbers, each in the range of 0·255, separated by periods (a..g,_, 123..45"6.78), Every computer that is connected to the Internet must be assigned one or more IP address so that Internet traffic sent from. and directed to that computer is routed properly from its source to its destination. In this respect, an IP address acts much like a home or business street address, website or file on the Internet. If clicked: on by a user or otherwise executed by a web browser, a link can, for example, bring up a webpage, playa video, or run a program. "malware" is computer code that is designed to, among other things, infiltrate or damage a compute!' or computer network without the computer's owner's knowledge 'or consent.
01'

>-

)- A link is code which specifies a particular

)- Malicious software

>
»

An operatlng system is a set of programs that, among other things, manages a computer's resources and permits other programs, such as webbrowsers, discussed below, to function. Search engines) such as Gocglo.com, Yahoo.com, and Hmg.corn, are' web sites that permit computer users to find information and locate other webeiteson the Internet, often by conducting searches using specific terms or words, Search engines typically present the user with search results that consist of a list of "links" to websites that are intended to be responsive to the user's search query, A web browser is a computer program that permits computer users to, among' other things, retrieve and display webpages or other information from other computers connected to the Internet, Users can access wsbpages and other information on the Internet by, among other means, entering into the web browser either the IF address or domain name associated with the particular computer thai, hoststhe webpages 01' other information to be retrieved.

>

)- A website is a collection of webpages, which can contain. text, video, graphics, OI' other information. A website is (a) hosted on one 01' more computers that are connected to the Internet, (b) accessible over the Internet using a web browser and (c) typically identified by a domain name.

EXHIBIT B

l ~d C. s
~ ". f ~+
t

~~ ~ I§ 'J" ~

......,

... aJ
:s

'I~ "

~"
e ~

W

i !., ot r·'I
~I

·,~
f .. ~ij

E

~!il

c~

-c

U

0

.", .. fa ~ .!

...
OJ C


~

iH• "V
• t;t

i !!!

QJ ......

u

..
J:
~

U

-

fa ._..

r.:l
["!l

.
I

'\

u .-

u

C
I

Z

o

EXHIBIT C

OJ .... ::::J

...
C.

[ ..
·..:.=: u .•
ta
I

E o u -c QJ
_CIJ '-C .

.... u

-II I
:~\Y :

..:.=:

::E:

.u

... ....,
GJ
QJ

u

u ._.(IJ
C
I

...., " e Z

E o u

:s c.

o

EXHIBIT D

... ....,
Q)

:l

a.

s:: ..::.=: u
::I: .::.=:

DIll

o u -c QJ
• •
i

E

QJ '-I

...

u

.-

ra '-a
J

C -

J
~

i

U .-

~

i
1
I,

~"l ! U r"
rtij

f

C
I

Z

o

EXHIBIT E

(JJ ....,

I..

Q.

::::s

E
o

u -c CIJ ....,

.! e

u

o z

e

I

EXHIBIT F

...
.c ....
OJ

...

E

-a
~

E o u
CIJ

OJ ::::J C.

ra D!:
;GJ

GJ

u

...
C

u

C.
GJ

-

.... e
E
GJ
Ii-

._ .., '"
> -c
<C
GJ

-,
s::
I

z

o

EXHIBIT G

I

,

OJ ...,

.._,

:s c.

-c
I-I

u

E o
Q)

.... u
GJ
C

-

Ul

rna
~...J

I\J> ..Jet
(u:

0:

I

C
I

z

o

EXHIBIT H

II

I

I

:1

III

O'!

:B
GJ
~J III

c::

11 c.
U
fIJ

-c Q.
:J
In

.... ra
C1J

fit

-:5
0)

J:
'0
OJ it:l

::

-a
CU
.?

~
VI

Q!

c.
.... QJ
X
(;j

:n ~.
"', r~
c,
C'I

.ra ..._
0 .....,
I:

.~

c.

....

._ ....., _ >

::::s ._

.'iii

c

u

:;:) QJ

aJ

iT.l! ::J 0

'"
CO
LJ

s:::

't

~

_ .:.:::

c:c

&::

~ .. > :p
U (:; I::

OJ

:::

0 U
Ii Ii

f:

"-' ijJ

0 u I::

V)

.s:
0 CO

tW

.~
.f:
(fj
,;;;

~

:tl

:... ._
~ e ~ ~ (J) ~ ~ ~ :...
!:l
LCb

:::I i:J"
b

-

U

u .," e,
i'tI

:"_":l It1

§
0-

c
:(::1

> .....
CC
""
ijJ I};

D

C

c.l

it! u :p

-:Ei

.!!.l

::Ei
:J

C Q!

Jl,!

-i::1

X G

m
"""[i

tI QI

E i'tJ '-=

f!.I

.~
V,I Vi

~ ~

~

~ ~
:1=1
0 w f!.I C. I:: 0

!l.\
,1-"

~ ~ .'
(fJ

UJ

0.

0;)

,_

:::t

(r)

(fJ

::J

n,

IIJ

D

U.C'I

OliJ

I

I

I

I

,

i
0

"'"

1!

ill

8

~

:::._
en

-lil

S

-c
::J

...
."

[

OJ
fa

1 i
OJ

!
s
,~

I
;;l

..
aJ

::...
OJ

tl

..... u
e
c
CU

0

C.
In

~ ~

1
"
'Ii

.> -..... C
c:c
~

::s L.

~
");;

l
"';"

..,
U

0 0
t:
C

§'

= s

i
" §

~ ~ ~ I!

.U

bIl I: Q

,

1.::(

w

.. " ~~
.2 Ii:
'l
II)

:::
£t
~ ~ .,
oS

U
(/)

to

11 ~I
,~

c,
IjJ

:~
'l

0 ~~ c, :> ,i2 ~ '"'

ti
0

" E
u

fC

('I

....

I
;;)

.. a .. '"
a
o,

]

Ii

!
<"

~

]

~

u

~ ~

... ._ > ._ .....
<C
CI)

••

::1

-. ...., lC
ra

I:

cu '" .., -c
tv

:J
U)

Q.

-c c .~

0

~

~

c .0 CO

Q.Q

~ ~ ~ ~
:f;

i >"15.
'0 .0
01-'
!])

-

U

~

.~
e
c
0
c: .~

@l

r:!]

a
OJ

~
o o

Oi
C';l

Co
(].I

...
:6 ,,_
.l;;;
II) ". OJ II)

~

B

.,
a.

UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK

UNITED STATES OF AMERICA
- V.-

VLADIMIR TSASTSIN, ANDREY T AAME, TIMURGERASSIMENKO, DMITRI JEGEROV, VALERI ALEKSEJEV, KONST ANTIN POL TEV and ANTON IV ANDV, Defendants

INDICTMENT
11 Cr.

(Title 18, United States Code, Sections l030(a)(4), (a)(5)(A)~(!B),(b), 1343, 1349, 1956(a)(2)(A), and 1957;)

f'REET BHARARA United States Attorney.