P. 1
US v Hicks aka "OxideDox"

US v Hicks aka "OxideDox"

|Views: 218|Likes:
Published by bkatzoom
Criminal complaint against Joshua Hicks unsealed 6.26.12
Criminal complaint against Joshua Hicks unsealed 6.26.12

More info:

Published by: bkatzoom on Jun 26, 2012
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less






Approved: SE Assistant Before: United States Attorney HONORABLE ANDREW J. PECK United States Magistrate Judge Southern District of New York



- v. JOSHUA HICKS, a/k/a "OxideDox," Defendant.

1029(a) (3)


---------------SOUTHERN DISTRICT



Jordan T. Loyd, being duly sworn, deposes and says that he is a Special Agent with the Federal Bureau of Investigation ("FBI") and charges as follows: COUNT ONE (Access Device Fraud) 1. From on or about February 20, 2012, up to and including on or about February 28, 2012, in the Southern District of New York and elsewhere, JOSHUA HICKS, a/k/a "OxideDox," the defendant, knowingly and with intent to defraud, and affecting interstate and foreign commerce, possessed fifteen and more devices which were counterfeit and unauthorized access devices, to wit, HICKS possessed fifteen stolen credit card numbers. (Title 18, United States Code, Sections 1029(a) (3) and 2.) charge

The bases for my knowledge are, in part, as follows:

and for the foregoing

2. I have been personally involved in the investigation of this matter. This affidavit is based upon my investigation, my conversations with other law enforcement agents, and my

examination of reports and records. Because this affidavit is being submitted for the limited purpose of establishing probable cause, it does not include all the facts that I have learned during the course of my investigation. Where the contents of documents and the actions, statements, and conversations of others are reported herein, they are reported in substance and in part, except where otherwise indicated. 3. I have been a Special Agent with the FBI for approximately three years. For the past two years, I have been assigned to the computer intrusion squad in the FBI's New York Field Office. I have received training regarding computer technology, computer fraud, and white collar crimes. Background 4. Based on my training the following: on the UC Site and experience, I have learned

a. Carding: "Carding" refers to various criminal activities associated with stealing personal identification information and financial information belonging to other individuals - including the account information associated with credit cards, bank cards, debit cards, or other access devices and using that information to obtain money, goods, or services without the victims' authorization or consent. For example, a criminal might gain unauthorized access to (or "hack") a database maintained on a computer server and steal credit card numbers and other personal information stored in that database. The criminal can then use the stolen information to, among other things: (1) buy goods or services online; (2) manufacture counterfeit credit cards by encoding them with the stolen account information; (3) manufacture false identification documents (which can be used in turn to facilitate fraudulent purchases); or (4) sell the stolen information to others who intend to use it for criminal purpoee s . "Carding" refers to the foregoing criminal activity generally and encompasses a variety of federal offenses, including, but not limited to, identification document fraud, aggravated identity theft, access device fraud, computer hacking, wire fraud, and bank fraud. b. Carding Forums: "Carding forums" are websites used by criminals engaged in carding ("carders") to facilitate their criminal activity. Carders use carding forums to, among other things: (1) exchange information related to carding, such as information concerning hacking methods or computer-security vulnerabilities that could be used to obtain personal identification information; and (2) buy and sell goods and

services related to carding, for example, stolen credit card or debit card account numbers, hardware for creating counterfeit credit cards or debit cards, or goods bought with compromised credit card and debit card accounts. Carding forums often permit users to post public messages (postings that can be viewed by all users of the site), sometimes referred to as "threads." For example, a user who has stolen credit card numbers may post a public "thread" offering to sell the numbers. Carding forums also often permit users to communicate one-to-one through so-called "private messages." Because carding forums are, in essence, marketplaces for illegal activities, access is typically restricted to avoid law enforcement surveillance. Typically, a prospective user seeking to join a carding forum can only do so if other, already established users "vouch" for the prospective user, or if the prospective user pays a sum of money to the operators of the carding forum. User accounts are typically identified by a username and access is restricted by password. Users of carding forums typically identify themselves on such forums using aliases or online nicknames ("nics"). 5. Based on my participation matter, I know the following: in the investigation of this

a. In or about June 2010, the FBI established an undercover carding forum (the "UC Site"), enabling users to discuss various topics related to carding and to communicate offers to buy, sell, and exchange goods and services related to carding, among other things. b. The FBI established the UC Site as an online meeting place where the FBI could locate cybercriminals, investigate and identify them, and disrupt their activities.1 The UC Site was configured to allow the FBI to monitor and to record the discussion threads posted to the site, as well as private messages sent through the site between registered users. The UC Site also allowed the FBI to record the Internet protocol ("IP") addresses of users' computers when they accessed the site.2

1 The registration process for the UC Site required users to agree to terms and conditions, including that their activities on the UC Site were sUbject to monitoring for any purpose.


Every computer on the Internet is identified by a unique number called an Internet protocol ("IP") address, which is used to route information properly between computers.

c. Access to the UC Site was limited to registered members and required a username and password to gain entry. Various membership requirements were imposed from time to time to restrict site membership to individuals with established knowledge of carding techniques or interest in criminal activity. For example, at times new users were prevented from joining the site unless they were recommended by two existing users who had registered with the site, or unless they paid a registration fee. d. New users registering with the UC Site were required to provide a valid e-mail address as part of the registration process. An e-mail message was sent to that email address containing registration instructions. In order to complete the registration process, the new user was required to open the e-mail.click on a link in it, and then enter an activation code specified in the e-mail message. The e-mail addresses entered by registered members of the site were collected by the FBI. e. In the course of the undercover operation, the FBI contacted multiple affected institutions and/or individuals to advise them of discovered breaches in order to enable them to take appropriate responsive and protective measures. Based on information obtained through the site, the FBI estimates that it helped financial institutions prevent many millions of dollars in losses from credit card fraud and other criminal activity, and has alerted specific individuals regarding breaches of their personal email or other accounts. f. At all times relevant to this Complaint, the server for the UC Site, through which all public and private messages on the UC Site were transmitted, was located in New York, New York. Access Device Fraud Committed by "OxideDox"

6. As set forth below, JOSHUA HICKS, a/k/a "OxideDox," the defendant, was a user of the UC Site who claimed to be able to steal credit card data by hacking into website databases. On or about February 28, 2012, agents involved in the investigation acting in an undercover capacity purchased 15 stolen credit card accounts from HICKS. 7. On or about October 28, 2010, a new user registered on the UC Site with the username "OxideDox." "OxideDox" provided his e-mail addressas ..monster66@yahoo.com" j for the purpose of receiving registration instructions.

8. "OxideDox" posted an introductory message himself on the UC Site on the day he registered.3


a. In that message, "OxideDox" stated, "I've been in the hacking scene for a while." He added, "I've stolen a lot of site db's. I recently sqli'd a site with like 800+ valid CC's." b. Based on my training and experience, I know that "SQLI" refers to an "SQL injection," a method commonly used by computer hackers to obtain unauthorized access into customer databases through company websites. Accordingly, I believe that, in this posting, "OxideDox" was claiming that he had hacked into many databases in this manner and had recently stolen credit card data from one database for over 800 valid credit card numbers. 9. On or about October 17, 2011, "OxideDox" posted a message on the UC Site stating, "I'm looking for a cardable site that sells DSLR [Digital Single-Lens Reflex] cameras it's urrrrrgent [sic] if you know of any, please let me know." Based on my training and experience, I believe that, in this posting, "OxideDox" was asking UC Site members to recommend any Internet sites with lax credit card security practices, through which it would be relatively easy to use stolen credit card data to purchase DSLR cameras. 10. On or about December 9, 2011, "OxideDox" posted a message on the UC Site stating in part: "I'm planning on getting a Canon DSLR from walmart or something (let me know if you know any other cardable sites) . . . how safe would it be to have it shipped to a friend's house? Would I be putting them in danger?" Based on my training and experience, I believe that, in this posting, "OxideDox" was stating that he intended to use stolen credit card data to purchase a DSLR camera, and he was asking UC Site members for their opinion on whether he should ship the camera to a friend or whether there was too much risk that doing so would expose his friend to investigation by law enforcement.


Unless otherwise noted, all postings and private messages referred to herein were posted or sent on the UC Site and were retained as part of the operation of the UC Site. Quotations from such messages and any other electronic communications are reproduced substantially as they appear in the original text; errors in spelling and punctuation have not been corrected.

11. On or about Febrary 3, 2012, I started a discussion thread on the UC Site using an undercover online identity. The discussion thread was titled "Instore in Manhattan, NY." The discussion thread concerned the use of stolen or counterfeit credit cards to make in-store (as opposed to online) purchases a practice that carders refer to as "instoring." In my posting, I asked UC Site members to recommend any stores in Manhattan where they had successfully obtained goods in this manner. 12. On or about February 7, 2012, "OxideDox" posted to this discussion thread, stating: "if you find any stores, let me know! pm [private message] me or something, I'm looking for some too. " 13. On or about February 7, 2012, I responded to "OxideDox" via the UC Site's private message system, asking "OxideDox" whether he had "had any luck in the city" and whether he had "cards" available. 14. "OxideDox" responded by private message later that day, stating that he had "a friend" from whom he could obtain "dumps/cards." Based on my training and experience, I know that "dumps" is a term used by carders to refer to credit card data in the form in which such data is stored on the magnetic strips on the backs of credit cards. 15. Through further private messages sent through the UC Site, "OxideDox" and I exchanged "ICQ" numbers. "ICQ" is an instant-message system on the Internet allowing users to send instant messages back-and-forth to one another, or "chat," online. ICQ users are identified by unique identification numbers. 16. 28, 2012, reviewing know the From on or about February 20 to on or about February I "chatted" repeatedly with "OxideDox" over ICQ. From these "chats," which were electronically preserved, I following:

a. On or about February 20, 2012, I asked "OxideDox" about his "friend" who could obtain "the dumps/cards." "OxideDox" responded: "he's in ca, I usually send cards to them and he embosses/encodes them." Based on my training and experience, I believe "OxideDox" meant that he usually sends stolen credit card data to a co-conspirator in California, who uses the data to manufacture physical, counterfeit credit cards. b. Later during the same chat on or about February 20, 2012, "OxideDox" stated, "I haven't instored in a while,"

but added, "I want to get some electronics though." "OxideDox" noted that he was specifically interested in obtaining a DSLR camera and an Apple iPad. I asked "OxideDox" whether he would be willing to "pass me some" cards in exchange for a DSLR camera or an iPad. "OxideDox" responded: "for sure! In that case I'll definitely have some by this weekend." Later in the conversation, "OxideDox" asked me, "do you want dumps? or physical cards?", adding that "dumps are much easier." I agreed to accept "dumps" in exchange for the DSLR camera. c. On or about February 22, 2012, "OxideDox" stated that he could give me "5 dumps for getting the DSLR" and that he could "sell any other ones you need" for approximately $25 each. "OxideDox" elaborated that "they're REALLY fresh dumps from florida and, since we're on the east coast, you'll get a good amount of money from them, like $150+ . . probably a lot more than $150." Based on my training and experience, I believe that "OxideDox" meant that the stolen credit card data he planned to send me had recently been stolen, so that I would be able to use each credit card account to obtain more than $150 in merchandise before the account was likely to be frozen by the credit card company. I agreed to a deal for 15 "dumps" in total, i.e., data from 15 stolen credit cards, including five in exchange for a DSLR camera and ten in exchange for approximately $250. d. On or about February 23, 2012, "OxideDox" sent data for five credit cards to me via ICQ. "OxideDox" noted: "those are 3 days fresh, so they should be fine." "OxideDox" stated that he would "pass the other 10" to another UC Site user who would act as an escrow for the transaction (the "Escrow User") . 17. On or about February 24, 2012, I sent approximately $250 in "Liberty Reserve" - an electronic form of currency - to the Escrow User. Later that day, "OxideDox" sent the Escrow User a private message through the UC Site, checking whether the Escrow User had received "$250 for some dumps of mine." Upon receiving a private message from the Escrow User confirming that the payment had been received, "OxideDox" sent the Escrow User a private message containing data for the remaining ten credit cards. The Escrow User then forwarded the data to me via a private message sent through the UC Site. 18. Based on records obtained from MasterCard, Visa, American Express, and Discover, I have confirmed that each of


the 15 credit card numbers "OxideDox" passed to a valid credit card account.4

to me corresponds

19. On or about February 28, 2012, I "chatted" further with "OxideDox" via ICQ and agreed to meet to give him the DSLR camera he wanted as payment for the first five "dumps." From reviewing this "chat," which was electronically preserved, I know the following: February New York. a. I agreed to meet "OxideDox" at 4 p.m. on or about 28, 2012, at an outdoor location in downtown New York,

b. I told "OxideDox" that the person delivering the camera would be wearing jeans and a shirt with "NASA" written on it. "OxideDox" described himself as follows: "a tall c. black guy . a lot of people say I look spanish, I'll be wearing a blue jacket." 20. On or about February 28, 2012, at approximately 4:10 p.m., I and other FBI agents conducted a controlled delivery of the DSLR camera to "OxideDox" at the designated meeting place. Another FBI agent acting in an undercover capacity ("UC-1") met with "OxideDox" while wearing an audio/video-recording device. I and other agents conducted surveillance of the meeting. From participating in the surveillance, debriefing UC-1, and reviewing the recording of the meeting, I know the following: a. At approximately 3:45 p.m., UC-1 arrived at the designated meeting location, wearing jeans and a shirt with "NASA" written on it. b. At approximately 4:10 p.m., a tall, lightskinned, black male, wearing a blue jacket, arrived at the designated meeting location and approached UC-1. c. greetings. camera. d. the area. UC-1 and the male in the blue jacket exchanged UC-1 handed him a shopping bag containing a DSLR The male in the blue jacket thanked UC-1 and left


The FBI has alerted the relevant compromise of the accounts.

credit card companies

to the

21. Later that evening, on or about February 28, 2012, I again "chatted" with "OxideDox" via ICQ. From reviewing this "chat," which was electronically preserved, I know the following: a. I asked "OxideDox" whether he liked the camera.

b. "OxideDox" responded: "101 it's alright." "OxideDox" added that the "t3i" - a different model DSLR camera - "is/would have been better but hey, a free camera is a free camera." Identification of JOSHUA HICKS a/k/a "OxideDox"

22. As noted above, when "OxideDox" registered with the UC Site, he provided his e-mail addressas ..monster66@yahoo.com ... j Based on a search of the Facebook website, I discovered a Facebook user with the username "Jmonster66." The contents of this user's Facebook page are accessible in part to public view, including numerous photographs and videos of the user. From reviewing those photographs and vf.deos, I recognize the user to be the same individual who picked up the DSLR camera at the February 28, 2012 meeting described above. On his Facebook page, the user states that his name is "Joshua Hicks" and that he resides in New York, New York. 23. Accordingly, I believe that the individual described above as "OxideDox," is JOSHUA HICKS, a/k/a "OxideDox," the defendant. WHEREFORE, I respectfully request that an arrest warrant be issued for JOSHUA HICKS, a/k/a "OxideDox," the defendant, and that he be arrested and imprisoned or bailed, as the case may be.

Sworn to before

day of


pecial Agent Federal Bureau

of Investigation

me this ,.


You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->