USA v Dam
Feb. 21, 2020
Case Document 1 Filed 02/19/20 Page 1 of 43 Page ID
AO 91 (Rev. 11/11) Criminal Complaint
UNITED STATES DISTRICT COURT
for the
Central District of California
United States of America
v.
ARTHUR JAN DAM
Defendant(s)
Case No.
CRIMINAL COMPLAINT
I, the complainant in this case, state that the following is true to the best of my knowledge and belief:
From on or about April 20, 2018 to on or about May 29, 2018, in the county of Los Angeles in the Central
District of California, the defendant(s) violated:
Code Section
18 U.S.C. § 1030(a)(5)(A)
(ii)
Offense Description
Intentionally Damaging and Attempting to Damage a Protected Computer
This criminal complaint is based on these facts:
Please see attached affidavit.
Continued on the attached sheet.
Complainant's signature
ELLIOTT WEIDEMAN, Special Agent
Printed name and title
Signed in my presence.
City and state: Los Angeles, California
Judge's signature
Hon. Michael R. Wilner, U.S. Magistrate Judge
Printed name and title
AFFIDAVIT
I, Elliott Weideman, being duly sworn, declare and state as
follows:
I. INTRODUCTION
1. I am a Special Agent with the Federal Bureau of
Investigation and have been so employed since September
2017. I am currently assigned to the Los Angeles Field Office,
Computer Intrusion Squad, which is responsible for investigating
fraud and related activity in connection with computers,
including denial-of-service attacks, phishing attacks and
malicious software injections. Since becoming an FBI Special
Agent, I have received specialized and on-the-job training
(including hundreds of hours of training at the FBI Academy in
Quantico, Virginia) regarding a variety of criminal activities
involving malware, computer intrusions, extortion, and various
types of fraud and organized criminal activities. During my
training, interactions with other Special Agents and law
enforcement officers, and on-the-job work with investigations, I
have gained considerable knowledge and expertise in the
investigation of computer intrusions, malware analysis, and
associated cyber crimes. I am a Certified Fraud Examiner and
prior to being a Special Agent, I worked for approximately five
years as a Private Investigator in Los Angeles, where I
conducted civil and criminal investigations involving the
detection of fraud and identification of hidden assets.
II. AFFIDAVIT
1. This affidavit is made in support of a criminal
complaint against, and arrest warrant for, ARTHUR JAN DAM
for a violation of 18 U.S.C. § 1030(a)(5)(A),
(Intentionally Damaging and
Attempting to Damage a Protected Computer).
2. The facts set forth in this affidavit are based upon
my personal observations, my training and experience, and
information obtained from various law enforcement personnel and
witnesses. This affidavit is intended to show merely that there
is sufficient probable cause for the requested complaint and
warrant and does not purport to set forth all of my knowledge of
or investigation into this matter. Unless specifically
indicated otherwise, all conversations and statements described
in this affidavit are related in substance and in part only.
III. SUMMARY OF PROBABLE CAUSE
3. The Los Angeles Field Office of the FBI has been
investigating four cyber attacks which targeted and disrupted
the website of a political candidate for a congressional
district in California (the "Victim"). As a result of the four
cyber attacks, the Victim's website was down for approximately
21 hours during the campaign. The Victim reported suffering
losses, including website downtime, a reduction in campaign
donations, and time spent by campaign staff and others
conducting critical incident response. In June 2018, the Victim
lost the primary election for the congressional district.
4. In the course of the investigation, and as described
below, the FBI found that the cyber attacks originated from
Amazon Web Services ("AWS") and, in particular, were tied to a
single AWS account, which was controlled by DAM. DAM was found
to be connected to the cyber attacks through subscriber
information, IP addresses, geolocation history, and open
sources, including through his employer and his wife, K.O., who
worked for one of the Victim's opponents. As described in
further detail below, each of the four cyber attacks corresponds
with logins to the AWS account from either residence or
from place of work. Furthermore, DAM was found to have
conducted extensive research on both the Victim and various
cyber exploits, malicious toolkits, and cyber attacks, including
the same kind of cyber attack used against the Victim, a
distributed denial-of-service, or "DDoS," attack. The attacks
caused the Victim to suffer loss in excess of 000, as
described below. Therefore, there is probable cause to believe
that DAM committed a violation of 18 U.S.C. § 1030(a)(5)(A),
(MEL) (1).
IV. STATEMENT OF PROBABLE CAUSE
A. Description of Cyber Attacks against the Victim
5. In late 2017, the Victim publicly declared candidacy
for the U.S. House of Representatives in a California
congressional district.
6. During the course of this investigation, the Victim
provided the following information to the FBI:
a. As part of campaign efforts, in late 2017, the
Victim established a website to provide campaign information and
receive donations. The website was hosted by the website-
hosting company SiteGround.
b. Between April 2018 and May 2018, the Victim's
website was targeted and disrupted by four DDoS attacks. At the
time of each attack, the Victim's website was forced
offline because of uncharacteristically high Internet traffic.
The attacks caused the Victim's website to crash and be
unavailable for approximately 21 hours cumulatively.
c. The Victim observed the four attacks
beginning on or about the following dates and times (all Pacific
Daylight Time):¹
i. April 20, 2018, at approximately 6:38
ii. April 21, 2018, at approximately 3:52
iii. April 28, 2018, at approximately 4:59 and
iv. May 29, 2018, at approximately 8:00
¹ In a previous affidavit, it was reported that the Victim
first observed three of the attacks at times different
than those above, that is, April 20, 2018 at 6:31
21, 2018 at 3:49 and May 29, 2018 at 9:09 p.m. I believe
the times reported previously were the Victim's and the Victim's
best understanding of when the attacks were initiated,
according to their internal investigation, and not necessarily
when the Victim first observed the activity. The times reported
here correspond to when the Victim reported first observing the
activity.
7. Based on my training and experience, and conversations
with computer scientists and law enforcement personnel, I know
the following about attacks:
a. A DDoS attack is a cyber attack in which a
perpetrator seeks to make a computer, website, or network
resource unavailable to its intended user(s) by temporarily or
indefinitely disrupting services of a host or provider that is
connected to the Internet.
b. DDoS attacks are typically accomplished by
flooding the targeted computer with superfluous requests in an
attempt to overload systems and prevent some or all legitimate
requests from being fulfilled.
8. In October 2018, the FBI learned the following
information from the Victim's campaign manager and from the
Victim's IT Specialist:
a. Following the second attack on or about
April 21, 2018, the Victim hired an IT Specialist to
troubleshoot the problem and prevent further attacks and
disruptions. Despite the efforts by the IT Specialist, the
website hosting company, the Victim's campaign manager, and
other campaign staff, the Victim's website suffered additional
attacks on or about April 28, 2018 and May 29, 2018.
b. The attack on or about April 28, 2018,
occurred just before the start of a live political debate, which
featured the Victim and his two opponents. This attack
shut down the Victim's website and it remained offline
throughout the debate.
c. The final DDoS attack occurred on or about May
29, 2018, approximately one week prior to Primary Election Day
on June 5, 2018.
d. On or about June 5, 2018, the Victim lost the
primary election by failing to gain enough votes to advance to
the general election.
9. In May 2019, the Victim provided information to the
FBI that as a result of the attacks, the Victim suffered
various harms, including a reduction in political donations and
campaign visibility, and between approximately $27, and
$30,000 in expenditures and lost time to respond to,
investigate, and mitigate the attacks. The Victim also reported
what he/she believed were other consequential harms suffered
from the attacks, including losing the election by fewer than
3,000 votes, and having to donate $21,000 to the campaign after
the election to cover shortfalls in fundraising targets in the
last weeks of the campaign.
B. Website Hosting Information and Attack Data
10. During the investigation, the Victim provided the
following information to the FBI regarding the campaign website:
a. The Victim's website was hosted by the company
SiteGround. Initially, the Victim maintained a website hosting
package with SiteGround that provided limited website log files.
This lower-tier package was used in order to minimize costs.
b. Following each of the four attacks,
SiteGround emailed the Victim's campaign and reported that
activity had been observed on the Victim's website and that it
had been temporarily shut down to avoid damage. In addition,
after the DDoS attacks, SiteGround investigated the website
traffic to the Victim's website.
c. In April 2019, the Victim provided the FBI with
internal campaign emails regarding the attacks. These
emails included observations from campaign staff (the "Campaign
Emails"), emails from SiteGround (the "SiteGround Emails"), as
well as several minimal log files provided by SiteGround
regarding malicious activity to the Victim's website from three
of the DDoS attacks, on April 20, 2018, April 21, 2018, and
April 28, 2018 (the "April Log Files").
11. During the investigation, SiteGround provided
information to the FBI regarding the Victim's website and the
four attacks (the "SiteGround Information").
12. I analyzed the Campaign Emails, the SiteGround Emails
and the SiteGround Information, and learned the following:
April 20, 2018
a. On or about April 20, 2018, SiteGround emailed
the Victim and reported an abnormally high number of
simultaneous connections to the Victim's website. SiteGround
stated that there were two possible explanations for the
abnormal activity: a malicious attack designed to bring
down the website, or the "Slashdot effect."²
² The Slashdot effect occurs when a popular website links to
a smaller website, causing a massive increase in traffic. The
large influx of web traffic overloads the smaller website and
causes it to slow down or even temporarily become unavailable.
b. On or about April 20, 2018, a SiteGround Senior
Technical Support employee emailed the Victim's campaign and
referred to the incident as an "attack." The SiteGround Technical
Support employee stated that multiple IP addresses³ were used to
bring the website down by generating a lot of access towards
SiteGround flagged five addresses as malicious.
³ An IP address, or Internet Protocol address, is the
globally unique address of a computer or other device connected
to a network, and is used to route Internet communications to
and from the computer or other device.
c. On or about April 20, 2018, an employee from the
Victim's campaign emailed another campaign employee and stated
that SiteGround had advised that the April 20, 2018 attack
occurred only to the Victim's website, and not to other websites
or applications on SiteGround's server.⁴ Based on my training
and experience, I know that this information suggests that the
Victim's website was targeted specifically and that the incident
was not the result of an unrelated problem with the server.
⁴ A server typically hosts multiple websites and/or
applications.
April 21, 2018
d. On or about April 21, 2018, SiteGround emailed
the Victim and again reported abnormally high traffic to the
Victim's website. SiteGround again provided two possible
explanations: a DDoS attack or the Slashdot effect.
e. On or about April 21, 2018, another SiteGround
Senior Technical Support employee emailed the Victim's campaign
and advised that the influx of traffic appeared to be coming
from USAToday.com and that the incident, in fact, did not appear
to be a deliberate attack, but organic growth as a result of the
Slashdot effect. (As described below, later examination of the
traffic does not support this interpretation.) Regardless of
attribution, SiteGround flagged 11 IP addresses as malicious.
April 28, 2018
f. On or about April 28, 2018, SiteGround emailed
the Victim to again report abnormally high traffic to the
Victim's website and again provided the same possible
explanations: a DDoS attack or the Slashdot effect.
g. On or about April 28, 2018, SiteGround flagged 28
addresses as malicious.⁵
⁵ Prior affidavits in support of search warrants in this
investigation reported that SiteGround flagged only 13 IP
addresses as malicious. In December 2019, after reviewing
records obtained from SiteGround itself, it was discovered that
while SiteGround's initial communication with the Victim only
identified 13 IP addresses, SiteGround's internal communications
reflected that it had identified an additional 15 IP addresses
as likely malicious.
h. In an email between campaign employees on April
28, 2018, at approximately 5:15 p.m. PDT, one of the Victim's
campaign advisors stated, "Just got attacked again. Same thing
and our site is down. An hour before the biggest debate of the
primary." Approximately three hours later, the campaign advisor
sent another email to a campaign employee and said, "Use
Facebook and other social media to get your message out and to
get around your site being down, to spread your debate
performance."
13. During the investigation, the FBI investigative team
analyzed the April Log Files from SiteGround and found the
following information:
a. The April Log Files contained information from
visitors to the Victim's website, including the source
address, the User Agent String (the "UAS"),⁶ and the referring
Uniform Resource Locator (the "referring URL").⁷
⁶ A User Agent String is a "string," that is, a line of
text, that identifies the browser and operating system (and
sometimes additional data) of a computer to a web server. For
example, such a string might look like the following:
"Mozilla/4.0 (compatible; MSIE 6.1; Windows This would
indicate that the computer was using Microsoft Internet Explorer
(MSIE) version 6.1 as its browser, and was running Windows XP as
its operating system (among other data).
⁷ A Uniform Resource Locator is the address of a specific
webpage or file on the internet. The "referring URL" is the web
address from which a user was led or "linked" to the current
site or page.
b. Based on my training and knowledge, I know that
both the UAS and the referring URL are data points sent by the
client to a server; however, the server does not validate the
UAS or the referring URL. Based on my training and experience,
I know that an individual can "spoof," or falsify, the UAS or
the referring URL, and that this type of activity is often used
in an attempt to mislead those responding to an incident.
c. A review of the April Log Files found that the
referring URLs to the Victim's website during the time of the
attacks included URLs from USA Today, Google, and Engadget,
all of which are legitimate information companies. However, a
closer inspection of the referring URLs found that they were
from webpages purportedly from the aforementioned companies, but
which did not in fact exist. This type of activity suggests
that the referring URLs in the April Log Files were spoofed.
14. In April 2019, the Victim told the FBI that during the
timeframe of the DDOS attacks (April 2018 and May 2018), the
Victim was not aware of any USA Today articles involving him/her
or the campaign (and thus, presumably, no reason for the
referral URLs seen in the logs to in fact be from USA Today).
The Victim was not aware of any viral or rapidly circulating
news articles, blogs, or reports that circulated information
about him/her. The Victim stated that despite running for
political office, there could have been no Slashdot effect to
generate the increased traffic because there were no major news
articles that covered the Victim or his/her campaign.
15. During the course of the investigation, I searched for
USA Today and Engadget articles and other articles which could
have generated interest and high website traffic to the Victim's
website. However, I did not find any USA Today or Engadget
articles on the Victim or any other such articles to support the
Slashdot effect theory.
16. During the investigation, the Victim's IT Specialist
provided the following information to the FBI:
a. Following the third attack on or about April
28, 2018, the Victim increased cybersecurity measures in order
to mitigate activity, including upgrading the SiteGround
account and retaining a separate website security company which
specializes in mitigation. However, on or about May 29,
2018, the Victim's website was disrupted by a fourth
attack. Following this fourth attack, the Victim's IT
Specialist obtained a website traffic log file from SiteGround
(the "May Log File"). In October 2018, the Victim's IT
Specialist provided the May Log File to the FBI.
17. I reviewed the May Log File and found that it
reflected website traffic to the Victim's website on or about
May 29, 2018. Based on this information, I found that 17 IP
addresses each accessed or attempted to access the Victim's
website more than 10,000 times over an approximate two-hour
period.
18. Therefore, according to the April Log Files, the May
Log File, and the SiteGround Emails, I found that a total of 46
unique IP addresses (the "46 IP addresses") accessed or
attempted to access the Victim's website in a manner consistent
with activity between April 2018 and May 2018. As noted
above, 15 additional IP addresses were apparently identified by
SiteGround in its internal review of the traffic toward the
Victim's site. However, as those 15 addresses were not included
in the correspondence with the Victim, they were not part of my
initial investigation.
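The log review described in paragraphs 13 and 17 can be reproduced by a site operator along the following lines. This is an added example, not code from the affidavit or from any party named in it: it assumes the Apache/nginx "combined" log format, and the sample log, addresses, threshold and function names are all constructed for illustration. It flags on source address and request volume, and only profiles the referring URL and User Agent String, because those two fields are supplied by the client and are not validated by the server.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Apache/nginx "combined" format (an assumption; the page does not state the format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def peak_in_window(timestamps, window):
    """Largest number of requests that fall inside any span of length `window`."""
    ts = sorted(timestamps)
    start = peak = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:   # slide the left edge forward
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def flag_heavy_hitters(lines, threshold, window):
    """Map source IP -> peak request count, for IPs whose peak exceeds threshold."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec["ts"])
    peaks = {ip: peak_in_window(ts, window) for ip, ts in by_ip.items()}
    return {ip: n for ip, n in peaks.items() if n > threshold}


def header_profile(lines, ips):
    """Per flagged IP: referer hosts seen and the distinct User-Agent strings.

    Both fields are client-supplied, so they describe what the client claimed,
    not where the traffic really came from.
    """
    profile = {ip: {"referer_hosts": Counter(), "user_agents": set()} for ip in ips}
    for rec in filter(None, map(parse_line, lines)):
        if rec["ip"] in profile:
            host = urlsplit(rec["referer"]).hostname or "-"
            profile[rec["ip"]]["referer_hosts"][host] += 1
            profile[rec["ip"]]["user_agents"].add(rec["ua"])
    return profile


def build_sample_log():
    """Constructed sample: three noisy sources plus five ordinary visitors."""
    t0 = datetime(2020, 1, 1, 19, 55, tzinfo=timezone(timedelta(hours=-7)))
    referers = ["https://news.example/story/%d" % i for i in range(4)]
    agents = ["ExampleBrowser/%d.0" % i for i in range(1, 4)]
    lines = []

    def emit(ip, when, referer, ua):
        lines.append('%s - - [%s] "GET / HTTP/1.1" 200 512 "%s" "%s"'
                     % (ip, when.strftime(TS_FORMAT), referer, ua))

    for n, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        for i in range(60):  # one request every 30 seconds, rotating headers
            emit(ip, t0 + timedelta(seconds=30 * i + n), referers[i % 4], agents[i % 3])
    for n in range(5):
        for i in range(3):
            emit("203.0.113.%d" % (n + 1), t0 + timedelta(minutes=20 * i + n),
                 "-", "ExampleBrowser/9.0")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    # The affidavit's figure is more than 10,000 requests in about two hours;
    # the constructed sample is scaled down, so the threshold is too.
    flagged = flag_heavy_hitters(log, threshold=50, window=timedelta(hours=2))
    for ip, info in header_profile(log, flagged).items():
        print(ip, flagged[ip], dict(info["referer_hosts"]), len(info["user_agents"]))
```

A source that rotates several User Agent Strings and referring URLs while its address and request rate stay constant is the pattern the header profile is meant to surface.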
C. AWS Account Information
19. I conducted Whois8 searches on each of the 46 IP
addresses, plus the 15 additional IP addresses later identified
from SiteGround's records. From these searches, I learned that
all 61 of these IP addresses were owned by Amazon Web Services
8 Whois is a query-and-response protocol that is publicly
available and widely used for querying databases that store the
registered users or assignees of an Internet resource, such as a
domain name or address block. Whois query responses provide
the contact information for the individual responsible for
registering the domain name or the Internet Service Provider
which owns the IP block.
(AWS), a company that provides on-demand cloud computing
platforms to individuals and companies, on a pay-as-you-go
basis. AWS allows a subscriber to create multiple virtual
environments at one time.
20. Between November 2018 and April 2019, AWS provided the
following information to the FBI about the originally identified
46 IP addresses:
a. All 46 IP addresses were assigned to the same AWS
account during the time each was used to conduct an attack:
Amazon Account Number 619452895481 (the "AWS Account").
b. The AWS Account was subscribed with the email
address to the name "Mike at the
fictitious address "1234, Brooklyn, NY 11211."
c. Billing information for the AWS Account, however,
identified the name "Arthur Dam" (DAM), a telephone number
ending in -4881, and a billing address on 4th Street in
Brooklyn, New York. I know, based on my training and experience,
that it is not uncommon for persons wishing to disguise their
identity on the Internet to use false or fictitious information
when setting up online accounts, and many providers of such
accounts do not have any mechanism to verify the identities of
their users. However, where those accounts are not free
services, individuals often are obliged to provide information
9 The complete phone number and address were in the records;
only limited information is included here for privacy purposes.
about their true identities and/or locations in order to pay for
the services.
d. AWS maintained limited logs on the activity of
the AWS Account, but these logs did include information
regarding the computer which accessed the account, in addition
to dates, times, and IP addresses of user logins and API calls.
e. Although AWS did not retain detailed activity
logs of the AWS account, their records did reflect that the
account was active in April 2018 and May 2018. During this time
period, the AWS Account was used and was billed for several AWS
services, including the following: AWS Data Transfer, Amazon
Elastic Compute Cloud (EC2), Amazon EC2 Container Registry (ECR)
and Amazon Simple Storage Service (S3).
i. I know, based on my training and experience
and publicly available information about AWS's services, that
the services described above, used by the AWS Account in April
2018 and May 2018, provide the infrastructure and capabilities
for a user to rapidly create multiple VPS instances and make
10 An API call, also known as an Application Programming
a software intermediary that allows two
computer applications to communicate, one to send a request and
the other to receive and interpret the request. Developers use
API calls to request another computer or program perform a task.
11 A VPS, or virtual private server, can be thought of as a
digital container that has all of the general processing
capabilities of a physical computer, but which is not confined
to a particular piece of physical hardware. VPSs can even be
moved or stored in different physical locations, and multiple
VPSs can be stored on a single piece of physical hardware. An
"instance" is the term used to describe this digital container,
to distinguish it from an actual, physical device. Thus, having
multiple VPS instances would be equivalent to having multiple
physical servers, without having to acquire the hardware
various API calls. These services effectively create a self-
contained platform from which the user can conduct activity
(among other things, including of course legitimate uses). All
files or code repositories can be stored in the Amazon S3 cloud
storage, and can be accessed by API calls from the Amazon Data
Transfer service. The code can then be run from a virtual
machine operating as Amazon EC2. The number of virtual machines
can scale significantly according to the code requested in the
API call.
21. In March 2019, the FBI received information from AWS
that the AWS Account was suspended on or about September 20,
2018. In March 2019, I conducted open-source research and found
a news article dated September 20, 2018, in which the Victim
publicly reported the attacks to an online news agency. I
also found several other news articles published on or about the
same date that referenced the Victim and the original article.
I conducted follow-up investigation with AWS regarding the
details of the suspension of the AWS Account. AWS advised that
it did not suspend or close the AWS Account, and clarified that
customers can suspend or close their own accounts at any time.
According to AWS, there is no distinction between a suspended
account and a closed account. Therefore, this data indicates
that the AWS Account used to conduct the attacks was self-
suspended/closed on or about September 20, 2018,
oneself, and instead by paying for capacity on someone else's
hardware (such as The VPS user maintains the ability to
direct what the instance is used to do and who has access to it
(hence, "private"
contemporaneously with the publication of news reports on the
attacks.
22. Records from AWS further reflect the following
information:
a. On or about April 20, 2018 at approximately 6:31,
that is, a few minutes before the Victim observed the
first attack, the five IP addresses which SiteGround
flagged as malicious were assigned to the AWS Account.
b. On or about April 21, 2018, at approximately 3:46
p.m., that is, a few minutes before the Victim observed the
second attack, the 11 IP addresses which SiteGround flagged
as malicious were assigned to the AWS Account.
c. On or about April 28, 2018, at approximately 5:46
the 13 IP addresses which SiteGround first flagged as
malicious were assigned to the AWS Account. This is consistent
with logs provided by SiteGround regarding malicious activity on
the Victim's site from these 13 IP addresses, which show
activity at exactly 5:46 p.m. PDT. While records were requested
from AWS regarding the additional 15 IP addresses identified by
SiteGround in its own records relating to the attacks on this
date, AWS has indicated that it does not have, or has no longer
retained, records identifying a particular AWS account those IP
addresses were used by during the relevant timeframe.
i. Notably, the Victim recalled that the
activity on April 28, 2018, began at approximately 4:59
which is earlier than AWS reflect the previously
identified 13 IP addresses being assigned to account.
However, the internal SiteGround communications included logs
showing malicious activity with the 15 previously unknown IP
addresses beginning at least as early as 4:56 p.m. PDT, which is
consistent with what the Victim reported. The combination of
the logs from SiteGround, the AWS records, and the Victim's
observations suggest that there may have been at least two
technically separate attacks on the Victim's site within
approximately an hour, but in all likelihood, the Victim simply
experienced this as one ongoing attack.
d. On or about May 29, 2018, at approximately 7:53
p.m., that is, a few minutes before the Victim noticed the
attack, the 17 IP addresses which SiteGround flagged as
malicious were assigned to the AWS Account.
D. Investigation of the AWS Account Email and Phone
Number
23. In January 2019, Microsoft provided information to the
FBI that preatorian_ @hotmail.com, the email address used in the
AWS Account subscription records, was created using the
subscriber name "Arthur Slam" in 2002.
24. In January 2019, Verizon provided information to the
FBI that the phone number ending in *4881 listed in the AWS
Account information was subscribed to a business, hereafter
referred to as "Company A."
25. In April 2019, the California Employment Development
Department provided information to the FBI that DAM has received
wages from Company A since at least 2017.
E. Open-source Research Regarding DAM and K.O.
26. In December 2018 and January 2019, I conducted open-
source research and discovered the following information:
a. Open-source public records databases reported an
individual named Arthur DAM with a current address at a
residence in Santa Monica, California (the "Santa Monica
Residence"). The public records databases reported DAM's
historical addresses in New York, including the same 4th Street,
Brooklyn, New York address that was the billing address for the
AWS Account.
b. Company A is a digital advertising company with
offices located internationally and across the United States,
including in New York, New York and Venice, California.
c. Numerous online business and marketing profiles
reported that DAM worked for Company A.
d. DAM was found to have a personal website,
arthurdam.com. The website is not active currently;
however, a publicly viewable archive from March 2016 revealed
that the website displayed work affiliation with Company A.
The archive also reported that DAM was fluent in various
computer programming languages, including JavaScript,
TypeScript, Python, and C++.
e. A wedding website was found providing information
on the wedding reception for DAM and K.O. According to the
website, DAM worked for Company A, while K.O. studied political
science in college and was previously involved in local politics
in her hometown.
f. Public records revealed that DAM and K.O. lived
at the Santa Monica Residence. K.O. was found to maintain active social media
profiles. K.O. publicly disclosed her employment with the
Victim's opponent, who was the eventual election winner.
According to social media posts, K.O. was a consultant
for the Victim's opponent and active member of the opponent's
campaign.
F. Further Analysis of
27. Detailed analysis of the AWS logs and associated
records for the AWS Account showed information on login
timestamps, connecting source IP addresses, and limited account
activity, as noted below:
a. Between April 2018 and May 2018, the AWS Account
was logged into a total of eight times, at the following
approximate dates/times (all in PDT):
i. April 1, 2018, at 4:36
ii. April 2, 2018, at 11:26
iii. April 20, 2018, at 6:11
iv. April 21, 2018, at 3:44
v. April 22, 2018, at 10:05
vi. April 24, 2018, at 3:38
vii. April 28, 2018, at 4:16 and
viii. May 29, 2018
b. For each of the eight logins listed above,
connections to the AWS Account were made from one of two IP
addresses: 96.251.72.21712 ("Subject IP Address 1") and
847.151.141.158 ("Subject IP Address 2," and together with
Subject IP Address 1, the "Subject IP Addresses"). That is to
say, only these two IP addresses were used to connect to the AWS
Account and direct activities therefrom during the time period
in which the attacks were launched from the 46 IP addresses
known to be controlled by the AWS Account.
i. I obtained records from Frontier
Communications, the Internet Service Provider (ISP) that hosts
both of the Subject IP Addresses. Those records showed that
Subject IP Address 1 was subscribed to Company A in Venice,
California. Subject IP Address 2 was subscribed to K.O. at the
Santa Monica Residence.
c. In specific relation to the four attacks,
the AWS logs showed logins to the AWS Account on or about the
following relevant times (all in PDT):
i. April 20, 2018, at 6:11 p.m. from Subject IP
Address 1;
ii. April 21, 2018, at 3:44 p.m. from Subject IP
Address 2;
iii. April 28, 2018, at 4:16 p.m. from Subject IP
Address 1; and
iv. May 29, 2018, at 7:43 p.m. from Subject IP
Address 1.
Previous affidavits related to this matter contained a
typographical error in the IP address inadvertently listing the
first number as 95 rather than 96. The correct records were
requested and received from the ISP.
d. To summarize information from the AWS logs and
related research:
i. On or about April 20, 2018, at 6:11 p.m. the
AWS Account was accessed from Subject IP Address 1, which is
subscribed to DAM's employer, Company A. The first attack
initiated approximately 20 minutes later from IP addresses that
were assigned to the AWS Account just before the attack, at
approximately 6:31 p.m.
ii. On or about April 21, 2018, at 3:44
the AWS Account was accessed from Subject IP Address 2, which is
subscribed to K.O. at the Santa Monica Residence. Two minutes
later, five IP addresses were assigned to the AWS account, and
approximately six minutes after that, at approximately 3:52
p.m., the Victim observed the second attack from those IP
addresses.
iii. On or about April 28, 2018, at 4:16
the AWS Account was accessed from Subject IP Address 1, Company
A. At approximately 4:59 p.m. the Victim observed the effects
of the third attack, and SiteGround's records reflect
malicious activity from IP addresses owned by AWS at least as
early as 4:56 p.m. At approximately 5:46 p.m. 13 IP addresses
were assigned to the AWS account. At approximately the same
time, 5:46 13 IP addresses were used to send
malicious traffic to the Victim's website.
iv. On or about May 29, 2018, at 7:43 p.m. the
AWS Account was accessed from Subject IP Address 1, Company A.
Ten minutes later, at approximately 7:53 17 IP addresses
were assigned to the AWS Account. SiteGround records reflect
malicious traffic from several of these IP addresses beginning
as early as 7:56 p.m., and the Victim observed the effects of
the attack just several minutes later, at approximately 8:00
p.m., with later-downloaded logs reflecting traffic from all 17
of these IP addresses.
G. Information from Other Service Providers
28. In March 2019, Apple Inc. ("Apple") provided
information to the FBI that DAM maintained an Apple account,
subscribed in his name and with his address listed as the Santa
Monica Residence, and listing two email addresses:
(i.e., the email address subscribed to
the AWS Account and created under the name "Arthur Slam" with
Microsoft) and arthurjdam@gmail.com.
29. In March 2019, Google LLC ("Google") provided to the
FBI the following information regarding the second email,
arthurjdam@gmail.com:
the recovery email
for the account. I know, based on my training and experience,
that providers like Google will often ask users to provide a
"recovery" or "secondary" email in order to make it easier for a
user to regain access to their account if they forget their
password or are locked out. Thus, both the primary and
recovery email are by nature usually controlled by the same
person.
b. was subscribed
in the name "Arthur Dam" and with the same telephone number
ending in -4881 as the AWS Account.
30. In March 2019, Microsoft provided additional
information to the FBI regarding the
email address, including email headers of messages sent to and
from the email address preatorian_ @hotmail.com. Based on these
email headers, I found that on or about Saturday, April 28,
2018, the day of one of the attacks, several emails were
sent a Craigslist email address
ending in Craigslist is a
classified advertisement website which allows users, among other
things, to list items for sale and to exchange communications
with other users who may wish to purchase those items. For
privacy purposes, Craigslist anonymizes the email addresses of
all individuals who post or reply to advertisements. When a
Craigslist subscriber creates a post, a unique posting ID is
assigned by Craigslist, and all emails to or from the poster use
a Craigslist email address which incorporates the posting ID.
For example, if the Craigslist posting ID was 123456, then
Craigslist will automatically mask the poster's true email
address with an email address ending in
123456@sale.craigslist.org. Similarly, if a user responds to an
advertisement, Craigslist will assign an anonymized address like
that ending in -42abe@reply.Craigslist.org to which the
address sent messages.
31. In April 2019, Craigslist provided information to the
FBI regarding the Craigslist account associated with the
preatorian @hotmail.com email address (the "Craigslist
Account"). This Craigslist Account was subscribed to the user
"Arthur" with no last name provided. Based on the information
provided by Craigslist, I found that on or about April 26, 2018,
the Craigslist Account created Craigslist posting ID 6572766908,
which was an advertisement to sell a small drone. The posting
listed "Arthur" as the contact name and was created from Subject
IP Address 1, Company A.
32. In April provided additional
information to the FBI regarding the preatorianm@hotmail.com
email address, including contents of communications within the
account. Included in this information were copies of the
communications with the anonymized Craigslist email address
ending in -42abe@reply.Craigslist.org which were sent on or
about Saturday, April 28, 2018, i.e. the date of one of the
attacks. From these emails, I discovered that the
individual communicating via the email address ending
in -42abe@reply.Craigslist.org (the "Craigslist Buyer"),
expressed interest in buying the small drone. The email
correspondence from April 28, 2018 between
preatorian @hotmail.com and the Craigslist Buyer appears below:
April 28, 2018, 10:20 a.m. PDT, Craigslist Buyer:
Hello I am interested in your Mavic Pro. Still
available? has it ever been crashed?
April 28, 2018, 11:22 a.m. PDT, preatorian_ @hotmail.com:
Hi [Craigslist Buyer], Yep, it's still available. No
crashes at all and the drone is in great condition
April 28, 2018, 11:32 a.m. PDT, Craigslist Buyer:
Great! Are you available today to come check it out?
April 28, p.m. PDT,
If you're cool on the asking price you're definitely
welcome to have a look. The drone is at my office in
Venice, want to swing by there later today? What time
would work?
April 28, 2018, 2:12 p.m. PDT, Craigslist Buyer:
I am cool with the asking price. I can head out as soon
as possible. What time works for you?
April 28, 2018, 2:17 p.m. PDT,
If it helps; my wife is actually heading to Santa
Clarita later today. She has no idea how the thing works
or anything, so it might be a bit difficult of a sell.
Otherwise, I can be in venice anywhere after 3:15pm. The
address is [Company A's street address], give me a ring
on [redacted]44881 once you're (the doorbell doesn't
really work)
April 28, 2018, 2:19 p.m. PDT, Craigslist Buyer:
Thank you for the kind gesture, but was hoping to having
in the venice area anyway so I don't mind heading to
venice. I'll give you a ring once I am close. Thanks
again
April 28, 2018, 2:24
sounds good, see you then!
33. Thus, based on this correspondence between
and the Craigslist Buyer, I learned the
following:
a. The user of used the
telephone number ending in -4881, i.e. the telephone number
subscribed to the AWS Account.
b. The user of worked at the
street address for Company A in Venice, California, which is
also the location of Subject IP Address 1, which accessed the
AWS Account.
c. The user of requested the
Craigslist Buyer come to the user's work office at Company A on
the afternoon of April 28, 2018, in order to see and buy the
small drone.
H. Meeting at Company A Prior to the April 28, 2018
Attack
34. In June 2019, the Craigslist Buyer provided the
following information to the FBI:
a. In April 2018, the Craigslist Buyer was browsing
postings for small drones on Craigslist. On or about the
morning of Saturday, April 28, 2018, the Craigslist Buyer found
the public posting from the Craigslist Account. The Craigslist
Buyer initially replied to the advertisement by using the
Craigslist email button on the website. The Craigslist Buyer
emailed the poster several times. The poster's email address
was (As described above,
Craigslist anonymizes the email addresses of individuals who
post advertisements and incorporates the posting ID into the
anonymized email address.) In their email correspondence, the
Craigslist Buyer inquired whether the drone was still for sale
and its condition. The poster advised the Craigslist Buyer that
the drone was at the poster's office in Venice, California and
that the Craigslist Buyer could come after 3:15 p.m. on April
28, 2018, to see the drone in person. The poster advised that
Company A's street address in Venice, California was the
poster's office and where the drone was located. The poster
also provided the telephone number ending in -4881, and
requested that the Craigslist Buyer call upon arrival at the
office.
b. On or about the afternoon of April 28, 2018, the
Craigslist Buyer arrived at the office building located at the
street address for Company A in Venice, California. Upon
arrival, the Craigslist Buyer called the provided number ending
in -4881. The Craigslist Buyer thought that the office was
closed because no employees or visitors were present. A tall[13]
white male emerged from the office and escorted the Craigslist
Buyer inside, where the drone was sitting. The Craigslist Buyer
understood the office to be the male's place of work. The
Craigslist Buyer advised that the male appeared to be the only
person inside the office. The Craigslist Buyer inspected the
drone and agreed to buy it for $660. The Craigslist Buyer paid
the male in cash and departed. The Craigslist Buyer did not
recall the male's name.
c. As described above, the AWS Account was accessed
from Company A in Venice, California on or about April 28, 2018
at approximately 4:16 p.m. Shortly thereafter, a
attack was initiated against the Victim via the AWS Account.
d. In May 2019, the FBI received information from JP
Morgan Chase Bank regarding accounts maintained by DAM.
According to this information, I found that on or about April
30, 2018, a $660.00 cash deposit was made into checking
[13] DAM is approximately six feet, seven inches tall.
account. A review of this account and DAM's other known
accounts revealed that DAM seldom makes cash deposits.
Therefore, I believe this cash deposit was the money received
from selling the drone to the Craigslist Buyer on or about April
28, 2018.
I. Further Information from Google
35. In June and July 2019, Google provided additional
information about two Google accounts,
arthurjdam@gmail.com and arthur@[Company A].com. The first of
these is one of the two email accounts tied to Apple
account, subscribed in name. The second is an enterprise
email account for Company A provided by Google.[14] This account is
also subscribed to DAM and his known identifiers, including the
telephone number ending in -4881 (the same telephone number
subscribed to the AWS Account). Google provided contents of
communications for these accounts, as well as location
information, and searching and browsing history. Based on my
training and experience, I know that Google location history is
a Google Account-level setting that tracks a subscriber's
physical location and account activity, based on a variety of
inputs, including cellular data, GPS information, address,
past activity and other information. The Service is enabled by
default on every mobile device of a subscriber who is signed
into his/her Google account. For example, a subscriber's
location can be tracked when a search is conducted, an app is
[14] The actual company name for Company A is part of the
email address, but is anonymized in this affidavit.
accessed, or when another Google service or product is used.
The searching and browsing history reflects searches conducted
using Google's search engine by the user of a Google account,
and web pages browsed to using the Google's Chrome browser,
while the user is logged into their Google account.
1. Relevant Email Contents
36. Within the email contents for the account
arthurjdam@gmail.com was a message sent on or about April 28,
2018, at approximately 10:28 p.m. to an email address belonging
to the Victim's opponent's campaign (and employer). The
subject of the email was "Guestlist" and the email body
contained a chart of donors, contribution amount, date.
That is to say, the user of this email account emailed the
campaign of the Victim's opponent what appeared to be campaign
information, just several hours after the start of the third
attack on the Victim's site and after the conclusion of the
televised political debate.
2. Relevant Location History
37. The Google location data history for the account
arthur@[Company A].com revealed the following information.
a. Shortly before three of the four attacks,
the user of the account was physically located at Company A, in
Venice, California at the approximate times the AWS Account was
accessed from Subject IP Address 1, which is subscribed to
Company A in Venice, California. Specifically, the location
data shows that the user of the arthur@[Company A].com account
(presumably DAM) was at Company A on or about the following
relevant dates/times (PDT):
i. April 20, 2018, at 6:55
ii. April 28, 2018, at 3:54 and
iii. May 29, 2018, at 5:52 p.m.
b. The location data history further showed that the
user of this account was at the Santa Monica Residence at the
approximate time the AWS Account was accessed from that same
location prior to the remaining attack. Specifically, the
user was at the Santa Monica Residence on or about April 21,
2018 at 3:32 p.m. PDT. Therefore, I believe this information
shows that DAM was in the same location from which the
Account was accessed, at the same approximate time of the logins
to the AWS Account, just prior to the initiation of each of the
four attacks against the Victim.
c. In addition, the location history data showed
that the user of this account was in the vicinity of the Santa
Monica Residence on or about April 22, 2018, at approximately
10:31 a.m. As noted previously, according to login information
from AWS, on or about April 22, 2018, at approximately 10:05
a.m., the AWS Account was accessed from Subject IP Address 2, or
the Santa Monica Residence. That is to say, the location
history of arthur@[Company A].com Google account showed
that the user was at the same general location where the AWS
Account was accessed at nearly the same time it was accessed.
3. Relevant Search and Browsing History
38. The search and browsing history records from Google
showed that between March 2018 and June 2018, the user of both
the arthur@[Company A].com and arthurjdam@gmail.com[15] accounts
(believed to be DAM) visited the Victim's website, the same
website that was targeted and attacked by the four attacks
in April 2018 and May 2018, and conducted extensive research on
the Victim, on the structure and programs of the
Victim's website, and on how to conduct various types of
attacks and other cyber attacks.
39. As specific examples, this data showed that on or
about March 31, 2018, April 16, 2018, and June 5, 2018, the user
of the account arthurjdam@gmail.com conducted several Google
searches for the Victim's name and his employer's name, visited
websites relating to the Victim and the Victim's employer, and
visited the Victim's Twitter profile. Interspersed between some
of these searches and website visits, the user conducted a
variety of searches on terms relating to mechanisms.
40. Further, the data showed that the user of the
arthurjdam@gmail.com account visited the Victim's campaign
website on or about the following dates/times (PDT):
a. March 31, 2018, at 2:52 p.m.
b. April 16, 2018, at 7:29 p.m., and
c. June 5, 2018, at 7:00 p.m.
[15] In prior affidavits, the search and browsing history
information reported in this section was inadvertently
attributed only to arthur@[Company A].com. The information is
correctly associated with both of Google accounts, as
written above.
31
41. In addition, the data showed that the user of the
account visited the Victim's campaign
website on or about June 5, 2018 at approximately 11:21 a.m.
42. On or about March 31, 2018, shortly after visiting the
Victim's campaign website, the user searched for "slow loris
nodejs." Based on my training and experience, I know that a
"Slow Loris" (or "Slowloris") attack is a kind of attack,
designed to take down a web server computer through the use of
only minimal bandwidth by sending requests that seem slower than
normal but otherwise mimic regular traffic.[16] The tool generally
works by making partial connection requests to the targeted web
server. The targeted server's maximum concurrent connection
pool is then filled with partial requests and connections, which
then deny additional incoming connection requests from
legitimate visitors. The reference to "nodejs" in the search
refers to "node.js," which is an open-source server environment
that executes JavaScript code outside of a browser. This would
be the environment in which the attacker would attempt to run
the Slow Loris attack.
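
The pool-exhaustion mechanism described in paragraph 42, seen from the defender's side: this is an added example, not part of the affidavit or of any evidence in the case, that takes a snapshot of a web server's connection table and flags clients holding many connections whose request headers never complete. The record layout, thresholds and function names are assumptions, and the sample data is constructed using documentation address ranges.

```python
"""Flag Slowloris-style pool exhaustion in a snapshot of a web server's
connection table. Added illustration; names and thresholds are assumptions."""
from collections import Counter
from typing import List, NamedTuple, Optional


class Conn(NamedTuple):
    client: str                       # remote address
    opened_at: float                  # seconds, same clock as `now`
    headers_done_at: Optional[float]  # None: request headers still incomplete
    bytes_in: int                     # bytes received on the connection so far


def stalled(conns: List[Conn], now: float, header_timeout: float) -> List[Conn]:
    """Connections that have held a slot longer than header_timeout
    without ever finishing their request headers."""
    return [c for c in conns
            if c.headers_done_at is None and now - c.opened_at > header_timeout]


def assess(conns: List[Conn], now: float, pool_size: int,
           header_timeout: float = 10.0, per_client_limit: int = 5,
           alarm_fraction: float = 0.5) -> dict:
    """Summarise how much of the connection pool is pinned by stalled requests."""
    slow = stalled(conns, now, header_timeout)
    per_client = Counter(c.client for c in slow)
    offenders = sorted(ip for ip, n in per_client.items() if n > per_client_limit)
    return {
        "in_use": len(conns),
        "stalled": len(slow),
        "free_now": pool_size - len(conns),
        # Slots available if the server enforced header_timeout and
        # closed every stalled connection.
        "free_if_reaped": pool_size - len(conns) + len(slow),
        "offenders": offenders,
        "alarm": len(slow) >= alarm_fraction * pool_size,
    }


def sample_snapshot() -> List[Conn]:
    """Constructed data: a 20-slot pool observed at t = 100 s."""
    conns = [
        # Three ordinary requests: headers arrived within a fraction of a second.
        Conn("192.0.2.10", 98.0, 98.1, 512),
        Conn("192.0.2.11", 99.0, 99.2, 430),
        Conn("192.0.2.12", 99.5, 99.6, 388),
        # A genuinely slow client, 2 s into its headers: not past the timeout.
        Conn("192.0.2.13", 98.0, None, 120),
        # Two stalled connections from one address: counted as stalled,
        # but under the per-client limit, so not listed as an offender.
        Conn("198.51.100.9", 60.0, None, 40),
        Conn("198.51.100.9", 61.0, None, 40),
    ]
    # Fourteen connections from one address, each a few bytes into
    # request headers that never finish.
    conns += [Conn("203.0.113.7", 40.0 + i, None, 30 + i) for i in range(14)]
    return conns


if __name__ == "__main__":
    report = assess(sample_snapshot(), now=100.0, pool_size=20)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The `free_if_reaped` figure is what a header-read timeout recovers; real servers expose that control as, for example, nginx's `client_header_timeout`, Apache's `RequestReadTimeout` (mod_reqtimeout) or Node.js's `server.headersTimeout`.
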
[16] Apparently named after a small primate from Southeast
Asia, the slow loris, which is known for moving slowly and
making little or no noise, but which has a toxic bite.
43. On or about March 31, 2018, after conducting
additional searches about the Slow Loris attack and about the
Victim, and then visiting the Victim's opponent's campaign
website, the user conducted several searches for physical
equipment with the capabilities to conduct activity.
Specifically, the user of the arthurjdam@gmail.com account
searched for "juniper ex3300" and and
then visited Juniper Networks' website regarding the Juniper
EX3300 Ethernet switch. This device is designed to scale
rapidly expanding networks and is marketed to school campuses
and data centers, where demand for computer power might quickly
increase. The equipment allows a single user to quickly amplify
computer environments. Based on my training and experience, I
know that this type of Ethernet switch can be used to effect
DDoS activity, as a single user can quickly generate multiple
computer environments and direct activities therefrom.
44. On or about April 16, 2018, the user of the
arthurjdam@gmail.com account also searched for and visited the
website of a search engine known as "Shodan" at
Shodan is an open-source research tool that, among other things,
provides information on the types of programs and content
management systems used by a website or IP address. Based on my
training and experience, I know that Shodan is typically used by
both cybersecurity researchers and cyber criminals to identify
vulnerabilities of a computer, website, or network, the former
users to heighten security measures and the latter users for
exploitation. After searching for and visiting Shodan's
website, the user of arthurjdam@gmail.com conducted Google
searches for specific vulnerabilities relating to the
configuration of the Victim's website. For example:
a. On or about April 16, 2018, the user searched for
"shareaholic exploit." I know, based on my training and
experience, that an "exploit" refers to a software tool designed
to take advantage of a flaw in a computer system, typically for
malicious purposes such as installing malware or identifying a
vulnerable point of attack. According to open-source research,
the Victim's website features "Shareaholic" plugins. Based on
my training and experience, I know that Shareaholic is an online
marketing company that provides website plugins and other tools
for users to market and promote a website. Notably, Shareaholic
offers "social share buttons" which users can embed into their
websites for visitors to easily share content on any social
sharing service. I am aware that cyber criminals sometimes
target third-party plugins or software, such as Shareaholic's
social share buttons, in order to gain unauthorized access
b. On or about April 16, 2018, the user searched for
"wordpress 4.9.5 exploit" and "wordpress pingback address."
According to open-source research, the Victim's website used the
system software WordPress. WordPress is an open-source
content-management system, which is typically used to build and
maintain websites. Based on my training and experience, I know that a
"pingback" is a method for website authors to obtain
notification when other authors link to one of their domains. I
know that WordPress is one of several companies which supports
automatic pingbacks, and that a website developer can configure
the automatic pingbacks to a specific website. Based on my
training and experience, I know that cyber criminals have
exploited WordPress's automatic pingback system so that regular
and legitimate traffic to certain websites creates DDoS activity
against a target website.
c. On or about April 16, 2018, the user searched for
"simple amplification attack" and visited a YouTube video which
discussed how to conduct DDoS attacks. I am aware, based on my
training and experience, that an "amplification attack" refers to
a kind of DDoS attack that leverages other internet sites and
tools, such as DNS resolvers used to look up website addresses.
In an amplification attack, the attacker sends a small query to
one of these sites that causes it to generate a large response,
(hence is then directed to the victim
computer in order to attempt to overwhelm that computer. The
user then searched "40000 seconds to hours"; I believe this
latter query was an attempt to understand in meaningful terms
how long a 40,000 second attack would last (as such attacks
are usually measured in seconds), that is, approximately 11
hours.
d. On or about April 16, 2018, the user searched for
5.6.36 exploit" and visited a web page with partial code
on how to conduct a denial-of-service attack using Based
on my training and experience, I know that is an
open-source relational database management system, which is often
used to support web servers and email servers. The numbers
5.6.36 from the user's search reflect the version of used
by the Victim's website.
4. Expanded Timeline of Search and Browsing History
45. Examining the search and browsing history data in
expanded detail for certain dates revealed additional
information about the specific actions of the user of this
account. For example, on or about March 31, 2018, at the
approximate times listed user of the
arthurjdam@gmail.com account conducted the following activity
(among other activity):
a. At 2:51 p.m. the user conducted a Google search
for the name of the Victim's employer.
b. At 2:51 p.m. the user visited the website of the
Victim's employer.
c. At 2:52 p.m. the user visited the Wikipedia page
of the Victim's employer.
d. At 2:52 p.m. the user conducted a Google search
for the Victim's last name.
e. At 2:52 p.m. the user visited the Victim's
campaign website.
f. At 3:12 p.m. the user searched for "slow loris
nodejs
g. the user visited a webpage titled
"Slowloris: Unleash the Slow Loris" with information on how to
conduct a attack.
h. At 3:13 p.m. the user conducted a Google search
for the Victim's full name.
i. At 3:25 p.m. the user visited the Victim's
Twitter profile.
j. At 3:26 p.m. the user visited the website of the
Victim's employer.
k. At 3:29 p.m. the user again searched for "slow
loris nodejs."
l. At the user again visited the webpage
titled "Slowloris: Unleash the Slow Loris."
m. At 3:45 p.m. the user visited a Los Angeles Times
news article on the Victim.
n. At 3:46 p.m. the user conducted a Google search
for the Victim's name and the Victim's employer.
o. At 3:46 p.m. the user visited a Ballotopedia.org
page on the Victim.
p. At 3:47 p.m. the user searched for the name of
the campaign for the Victim's opponent, employer.
q. At 3:47 p.m. the user visited a historical web
article on the Victim.
r. At 3:47 p.m. the user visited the campaign
website of the Victim's opponent.
s. At 3:52 p.m. the user searched for "juniper"
which, as noted above, corresponds to specialized
equipment that provides a platform with capabilities to conduct
activity
46. As another example, on or about April 16, 2018, at the
approximate time listed (PDT), the user conducted additional
research on the Victim, the Victim's website, DDoS attacks and
other cyber attacks, including the following:
a. At 12:26 p.m. the user searched for the Victim's
full name.
b. At 12:27 p.m. the user visited Shodan.io.
c. At 12:49 the user searched for "Pure-FTPd
exploit" (as noted above, an "exploit" is a tool designed to
take advantage of a flaw in a computer system, typically for
malicious purposes; this search appears to target such a tool to
damage a particular kind of server).
d. At 2:27 the user searched for "shareaholic
exploit."
e. At 2:28 p.m. the user searched for "simple
amplification attack," which, as noted above, is type of
attack.
f. At 2:28 p.m. the user visited a YouTube video
titled "Demonstration of a Simple DNS Amplification Attack,"
which I know to refer to another kind of attack.
g. At 6:19 the user searched for "wordpress
4.9.5 exploit."
h. At 7:19 p.m. the user searched for "wordpress
pingback address," and then "wordpress pingback access"; as
described above, a "wordpress pingback" is a known method of
conducting a attack.
i. At 7:28 p.m. the user searched for the Victim's
full name.
j. At 7:29 p.m. the user visited the Victim's
website.
J. Interview of DAM
47. On or about November 13, 2019, I interviewed DAM and
K.O. at the Santa Monica Residence, during which I learned the
following:
a. DAM was familiar with AWS and its services.
b. DAM previously had an account with AWS for
personal use.
c. Initially, DAM stated that he had closed his AWS
account approximately eight years ago, that is, circa 2011. DAM
later clarified that he did not remember exactly when he had
closed the AWS account, but that it had been closed for several
years. When asked if he had paid for an AWS account in the last
two years, DAM said he did not think he had, but said he could
double-check to see if there was an account that was not
properly closed. He reiterated that such an account would have
been closed a long time ago, possibly when he lived in Amsterdam
or New York. K.O. clarified that they lived in New York from
2014 to 2015.
i. In July provided information to
the FBI that DAM is the subscribed user of a second AWS account,
AWS account 266864327451. This second account was created in
July 2016 and was active until at least July 2019. This second
account was subscribed to DAM and to his known facilities,
including arthurjdam@gmail.com and his telephone number ending
in -4881. In other words, DAM had two active AWS accounts at
the time of the attacks in April 2018 and May 2018. In
fact, DAM had accounts until September 2018, when the
AWS Account was self-suspended and closed, presumably by DAM,
and maintained the other AWS account until at least July 2019.
d. During the interview, I provided a list of
search terms, including "slow loris nodejs," "simple
amplification attack," and "40000 seconds to hours," among other
terms taken from the search and browsing history of DAM's Google
accounts. In response, DAM told me the following:
i. DAM stated he was an engineer who creates
websites and ensures that they are safe from vulnerabilities.
ii. DAM stated that the provided search terms
often come up at his work.
e. DAM stated that he conducts attacks as part
of his job. These attacks are conducted on internal work
projects as part of penetration testing.
f. DAM stated that he has conducted attacks on
his own projects.
g. DAM stated that he has never conducted a
attack on someone else's website or server.
K. Interview of Supervisor
48. On or about November 13, 2019, I interviewed
supervisor at Company A, O.K., from whom I learned the following
information:
a. DAM is very technical, and part of his job is to
troubleshoot any information technology issues for the office.
b. Company A occasionally uses AWS for special
projects on behalf of clients. When AWS is used, the company
specifically uses the AWS S3 service, which is a cloud storage
service.
c. Company A does not use AWS virtual machines.
stated that he could not think of a reason why the company
would need to use AWS virtual machines or any AWS service to
rapidly expand computer environments.
d. Occasionally, clients request penetration testing
on projects. O.K. advised that all penetration testing is done
by external, third-party companies for accountability and
integrity. O.K. was not aware of any internal penetration
testing conducted by employees.
e. O.K. provided the FBI a copy of the company's
employee handbook, which stated in part that employees are not
allowed to use company property or equipment in a way that
disrupts the networks of other users.
L. Search Warrant
49. In November 2019, the FBI executed search warrants at
the Santa Monica Residence and Company A's offices. A
preliminary review of items seized revealed the following
information:
a. According to multiple digital devices, DAM was
the user of the telephone number ending in -4881.
b. According to multiple digital devices, DAM was
the user of
c. Electronic correspondence DAM had with others
confirmed his working knowledge of AWS and its servers.
d. iPhone, the telephone number ending -4881,
had cookies[17] for the domain "signin.aws.amazon.com" which is the
AWS sign-in page. According to the cookies, iPhone
accessed the AWS sign-in page on September 22, 2018, or two days
after the AWS Account was self-suspended/closed.
CONCLUSION
50. For all the reasons described above, there is probable
cause to believe that ARTHUR JAN DAM violated 18 U.S.C.
§ 1030(a)(5)(A)
(Intentionally Damaging and Attempting to Damage a Protected
Computer).
Elliott Weideman, Special Agent
Federal Bureau of Investigation
Subscribed to and sworn before me
this day of February, 2020.
MICHAEL R. WILNER
HONORABLE MICHAEL R. WILNER
UNITED STATES MAGISTRATE JUDGE
[17] A cookie is a string of characters and numbers stored on
a computer's web browser. Providers often use cookies to
recognize when the same device returns to access an account.