United States v. Bondarenko, Case No. 2:17-CR-306 JCM (VCF)

Decision Date: 12 June 2019
Docket Number: Case No. 2:17-CR-306 JCM (VCF)
Parties: UNITED STATES OF AMERICA, Plaintiff(s), v. SVYATOSLAV BONDARENKO, et al., Defendant(s).
Court: U.S. District Court — District of Nevada
ORDER

Presently before the court is the matter of United States v. Bondarenko et al., case number 2:17-cr-00306-JCM-VCF. The following motions are pending:

(1) John Telusma's motion for leave to file reply (ECF No. 562);
(2) Magistrate Judge Peggy A. Leen's report and recommendation (ECF No. 534);
(3) Magistrate Judge Leen's report and recommendation (ECF No. 533);
(4) Magistrate Judge Leen's report and recommendation (ECF No. 529);
(5) Magistrate Judge Leen's report and recommendation (ECF No. 528);
(6) Magistrate Judge Leen's report and recommendation (ECF No. 527);
(7) Magistrate Judge Leen's report and recommendation (ECF No. 525);
(8) Magistrate Judge Leen's report and recommendation (ECF No. 524);
(9) Telusma, Frederick Thomas, Aldo Ymeraj, and Marko Leopard's motion to dismiss (ECF Nos. 476, 533);
(10) Telusma's motion to suppress (ECF No. 475);
(11) Valerian Chiochiu's motion to suppress (ECF No. 474);
(12) Chiochiu's motion to dismiss (ECF No. 473);
(13) Leopard, Telusma, Thomas, Chiochiu, Pius Wilson, and Ymeraj's motion to dismiss (ECF Nos. 471, 525);
(14) Leopard's motion to dismiss (ECF No. 468); and
(15) Thomas' motion to dismiss (ECF No. 467).

I. Background

This prosecution involves the takedown of Infraud Organization, a transnational cybercrime syndicate consisting of 10,901 members. (ECF No. 303). Infraud Organization operated a website that served as the premier destination to traffic contraband that criminals recovered through acts of identity theft and financial fraud. Id. Infraud Organization also used advertisements on its website to direct illicit activity to its members' automated vending sites, which were online platforms that transacted stolen personal and financial information. Id.

The purpose of Infraud Organization was to operate an online discussion forum that provided for the purchase and sale of high-quality contraband. Id. The forum, which was called "In fraud" and had the slogan "In Fraud We Trust," provided several safeguards to further the aims of the syndicate and protect its members from criminal liability. Id. All members remained anonymous to each other by interacting solely with usernames and concealed the nature of their transactions by using digital currencies. Id. The forum also allowed members to rate vendors as a means of maintaining the quality of contraband available on the Infraud website. Id.

In the early days of the syndicate, co-founder defendant Svyatoslav Bondarenko established rules that governed members' conduct on the website. Id. Infraud Organization routinely policed the forum for rule-violators such as "rippers," which are vendors of low-quality illicit goods or vendors that do not deliver goods and services in accordance with the terms of their transactions. Id. The enforcement of these rules and the successful operation of the forum required Infraud Organization to create the following hierarchy:

• Administrators, a.k.a. 4DMini57r470rz, formed the governing council of Infraud Organization. Id. They handled the long-term strategic planning of the syndicate and made day-to-day management decisions including but not limited to who can join the syndicate, rewards for loyal members, punishments for disloyal members, and retaliatory measures against rival criminal organizations. Id.
• Super moderators, a.k.a. Super M0DER470R5, oversaw subject-matter areas on the forum that were within their expertise or geographic area. Id. Super moderators would primarily review products, mediate disputes, and edit/delete posts. Id.
• Moderators, a.k.a. M0d3r470r2, had the same responsibilities as super moderators but Infraud Organization limited their authority to moderating one or two specific sub-forums. Id.
• Vendors, a.k.a. professors or doctors, sold illicit products and services to members of Infraud Organization. Id. Although these transactions often occurred on the vendors' own websites, the vendors would pay Infraud Organization so they could advertise their websites on the forum. Id. Vendors also sold products and services directly to customers by using email, private messages on the forum, and instant messaging services. Id.
• VIP members, a.k.a. fratello masons or advanced members, are longstanding or otherwise notable members of Infraud Organization. Id.
• Members, a.k.a. Phr4Ud573r, are general members of Infraud Organization. Id. They would use the forum to gather information about perpetrating criminal activities, solicit other members to engage in criminal schemes, pay for and post advertisements, and traffic contraband. Id. Members also relied on moderators or administrators to settle disputes that arose from transactions. Id.

Individuals would join Infraud Organization as members by having an administrator grant their request to join the forum. Id. After joining the syndicate, members could move up and down the hierarchy. Id.

Infraud Organization operated from October 2010 to February 2018 and caused more than $568,000,000.00 in losses. (ECF Nos. 303, 573). Bondarenko and defendant Sergey Medvedev created Infraud Organization shortly after Bondarenko was banned from Carder.su, which was another cybercrime syndicate that operated from November 2005 to January 2012. (ECF Nos. 467, 504). Carder.su and Infraud Organization had similar hierarchy structures, engaged in similar criminal activities, and had over 10,000 members. Id. However, Carder.su used a different online forum and had different leadership. Id. Due to the anonymity of the conspirators, it is unclear to what extent the memberships of the two syndicates overlapped. See (ECF Nos. 504, 510).

Three defendants in this litigation, Thomas, Lirdon Muslie, and John Doe #5, a.k.a. Deputat, were previously indicted in a separate case for their involvement in the Carder.su conspiracy. (ECF No. 504). Thomas joined Infraud Organization several months after the government took down Carder.su. Id. He continued to engage in illicit activities on the Infraud website up until November 2014, just one month before a federal court sentenced Thomas to sixty months of custody for his involvement in the Carder.su conspiracy. Id.

A fourth defendant, Leopard, is a resident of the Republic of North Macedonia. (ECF Nos. 468, 502). In 2016, a Macedonian court indicted Leopard for the crime of making and using fake payment cards in violation of Macedonia Criminal Code Art. 274-b(2). Id. The Macedonian indictment included allegations of cybercrime activities, such as selling stolen information through the website www.tonymontana.cc, that the government has also alleged in this case. See (ECF Nos. 303, 468-1). Leopard eventually admitted guilt and, on December 13, 2016, the Macedonian court sentenced Leopard to twelve months of imprisonment. (ECF Nos. 468, 468-2). Leopard completed his term of custody on August 25, 2017. (ECF No. 468-3).

A fifth defendant, Chiochiu, joined Infraud Organization in December 2012. (ECF Nos. 473, 503). According to the government, Chiochiu helped other members develop, deploy, and use malware as a means of harvesting data. Id. Chiochiu allegedly developed a variant of FastPOS software, which is a program designed to infect computers that handle credit card data and steal financial information. (ECF No. 503). Chiochiu also allegedly shared with other members a programming script that can create automatic vending websites for the sale of fraud-related products. (ECF Nos. 473, 503).

Several defendants, including Thomas, Leopard, Ymeraj and Telusma, were vendors in Infraud Organization. (ECF No. 303). Their alleged activities included operating websites that facilitated illicit activity. Thomas hosted a website that provided a look-up service, which allowed Infraud Organization members to obtain compromised social security numbers and other personal information. Id. Leopard, Ymeraj, and Telusma hosted websites that sold compromised credit card data. Id. Telusma's website also provided services that allowed Infraud Organization members to launder funds that they illicitly obtained. Id.

II. Procedural History and Warrants

On September 19, 2017, the government initiated this prosecution. (ECF No. 1). The second superseding indictment names thirty-six defendants and asserts nine counts: a single charge for racketeer influenced and corrupt organizations ("RICO") conspiracy in violation of 18 U.S.C. § 1962(d) and eight charges for possession of fifteen or more counterfeit and unauthorized access devices in violation of 18 U.S.C. § 1029(a)(3). (ECF No. 303).

Throughout the course of litigation, the government searched two premises that are relevant to the court's present inquiry. The first search was of Chiochiu's residence ("Chiochiu warrant") and the second search was of Telusma's residence ("Telusma warrants"). (ECF Nos. 474, 475).

A. Chiochiu warrant

On March 28, 2018, Chiochiu self-surrendered. (ECF Nos. 363, 474, 501). During his arrest, Chiochiu provided law enforcement officials with a home address at which he did not actually live. (ECF No. 474-1). Chiochiu also turned over three digital devices: two computer hard drives and an iPhone. Id. Later that day, Chiochiu pleaded not guilty and the court released him on a personal recognizance bond. (ECF Nos. 358, 360).

Forensic analysis of the devices revealed that, on the day before his arrest, Chiochiu "surgically wiped" the hard drives with a program called "CCleaner" and deleted data on the iPhone by resetting it to factory settings. (ECF No. 474-1). Chiochiu attempted to conceal these acts by leaving a large amount of innocuous data, such as personal photos and documents, on the hard drives. Id. However, one of the hard drives contained artifacts indicating the presence of FastPOS malware and cryptocurrency-related software. Id.

While examining these devices, Special Agent ...
