Paige Thompson - Capital One hacker hit with superseding Indictment and trial moved to March 2022
The case’s docket is likely to go fallow for several months and I’m annoyed I had to redo my research because of Twitter - the links embedded are largely from the DOJ but Defendant Thompson’s roommate
As a practical matter I genuinely dislike having to redo my research - simply because of a Twitter suspension. Hope my stalkers, trolls and haters are super proud of yourselves for constantly targeting me. Which results in an enumerated amount of hours of solid research being flushed down the Twitter toilet. However that doesn’t mean I’m not going to redo my research or provide my followers/readers with timely updates. Because on July 1, 2021 there was a substantial update to the Capital One Hacker’s criminal case - but first let’s take a short trip down Fact Lane - it does have a Firearm detour because welp when Federal Law Enforcement was executing a search and seizure warrant - circa July 2019 - Defendant Thompson’s Roommate got caught up in that and he’s now in prison.
2019 Background
In the late summer of 2019 (I think it was July 11, 2019) I had someone send me a tip on a specific Twitter account. So I sat and watched the account, archived the account and then cross-referenced it with her GitHub repository.
To be clear, it was this particular thread that someone sent me via DM that made me decide to sit back and archive what I thought was a crime in progress.
July 29, 2019 Criminal Complaint
The DOJ [1] issued a press release announcing that they had made an arrest and that Defendant Paige Thompson was charged via a criminal complaint, which reads in part:
THOMPSON posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data. The intrusion occurred through a misconfigured web application firewall that enabled access to the data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft.
After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI. Cyber investigators were able to identify THOMPSON as the person who was posting about the data theft. This morning agents executed a search warrant at THOMPSON’s residence and seized electronic storage devices containing a copy of the data.
August 28, 2019 Indictment
On August 28, 2019 the DOJ [2] issued a press release as to Defendant Thompson. In the DOJ-OPA release it was disclosed that the Indictment cited more than 30 Victims of Data Intrusion and Theft - but as the DOJ-OPA states, in part:
THOMPSON is charged with wire fraud and computer fraud and abuse for the intrusion into data of Capital One and more than 30 other entities. Law enforcement has identified many of the victims whose data was accessed and is working to notify them. The indictment describes some of the victims as a state agency outside the State of Washington; a telecommunications conglomerate outside the United States; and a public research university outside the State of Washington.
THOMPSON created scanning software that allowed her to identify customers of a cloud computing company who had misconfigured their firewalls, allowing outside commands to penetrate and access their servers. THOMPSON used this access not only to steal data, but also used stolen computer power to “mine” cryptocurrency for her own benefit, a practice known as “cryptojacking.”
June 16, 2021 Superseding Indictment
There is no DOJ-OPA or DOJ link to the superseding indictment, so you can access it via ECF/PACER https://ecf.wawd.uscourts.gov/doc1/19719717022 or you can pull it down from my public drive. Now before we dive into the Superseder, I’d like to refer you to page 2 of the August 2019 Indictment. In my industry we call this the baseline - and it helps you to understand what’s “new” in the Superseder. I now refer you to pages 2 and 3 of SR1 - the number of identified victims has increased from 4 to now 8:
But you’ll note the commonality of all eight victims is “renting or contracting for computer services from the Cloud Computing Company”… given the addition of four “new” victims, the SR1 would have that information incorporated (see page 4, paragraph 16 of the August 2019 Indictment).
Now this is where you need to pay attention - see the August 2019 Indictment (page 5, paragraph 19, for Count Two - Computer Fraud and Abuse); however, Counts 3 thru 5 are new. And the additional facts elucidated in the SR1 provide actual dates that Defendant Thompson unlawfully hacked into Victims 3, 4 and 5. Those dates move the timeline back by a full four months (from the July 2019 date).
Moving on to Counts 6 and 7 of the Superseding Indictment - you’ll note that Victim 6 was targeted on March 5, 2019. Count 8 is actually brand spanking new because it directly alleges that Defendant Thompson targeted Victim 7 and Victim 8 from March 10, 2019 thru April 5, 2019 for “cryptocurrency mining”. However, previously the Government did say the Defendant had
“used stolen computer power to ‘mine’ cryptocurrency for her own benefit, a practice known as ‘cryptojacking’…”
But we didn’t know how long Defendant Thompson had engaged in this unlawful behavior. Now we do. And now that we know:
Victim 7 - is a technology company that provides “interaction-management solutions” and has a call center to assist its customers.
Victim 8 - is also a technology company that provides higher education “learning technology to educational institutes and other customers”.
Count Nine - is entirely new and boy there is a lot to unpack in Count Nine - as alleged in the Superseding Indictment - Defendant Thompson:
possessed and attempted to use PII
15 separate social security numbers
more than 15 bank account numbers
to create counterfeit and unauthorized credit and debit cards, thus in violation of 18 U.S.C. §1029(a)(3), (b)(1) and (c)(1)(a)(1), Fraud and related activity in connection with access devices.
And then Count Ten gives us the initials of at least one “real person” whose PII Defendant Thompson allegedly purloined, hence the new charge of Aggravated Identity Theft.
Other Relevant Docket/Case Activity
June 25, 2021 Defendant Thompson was arraigned on her Superseding Indictment
Minute Entry for proceedings held before Hon. Paula L McCandlis via Zoom video conference - CRD: K. Peter; AUSA: Andrew Friedman; Def Cnsl: Mohammad Hamoudi, Brian Klein; Court Reporter: Zoom Recording; Time of Hearing: 11:00am; ARRAIGNMENT as to Paige A Thompson (1) Count 1s,2s,3s-5s,6s-7s,8s,9s,10s held on 6/25/2021.
Defendant present on bond and consents to appear by video conference. Defendant advised of charges and penalties in the superseding indictment. Defendant pleads NOT GUILTY to all charges. Defense Counsel requests discovery pursuant to Local Rule. Defendant remains on bond.
June 29, 2021 Defendant Thompson filed a Motion to Continue Trial ECF https://ecf.wawd.uscourts.gov/doc1/19719731342
Defendant Thompson Trial Moved to 2022
July 1, 2021 ORDER granting Defendant's 107 Unopposed Motion to Continue Trial as to Paige A Thompson. Jury Trial is continued to 3/14/2022 before Judge Robert S. Lasnik. Pretrial Motions are now due by 12/2/2021. Signed by Judge Robert S. Lasnik. ECF https://ecf.wawd.uscourts.gov/doc1/19719736735
… 20 terabytes is a TON of data…
Government produced a significant amount of electronic data - around 20 terabytes of data
includes sensitive material like malware and personally identifiable information of individuals, that defense counsel needs additional time to review the voluminous discovery and comply with the handling and storage of protected material, to conduct follow-up investigation
The Court finds that the additional time requested between October 18, 2021 and the proposed trial date of March 14, 2022, is a reasonable period of delay as defense counsel needs additional time to review discovery and investigate the case.
Defendant has executed a waiver indicating that she has been advised of her right to a speedy trial
ORDERED that the trial date shall be continued from October 18, 2021 to March 14, 2022, and pretrial motions are to be filed no later than December 2, 2021, and shall be noted for consideration no earlier than the fourth Friday after they are filed.
So now you should be sufficiently caught up - I would expect the docket to essentially go quiet until early 2022 - it is more than possible that Defendant Thompson might ultimately agree to execute a plea agreement but thus far there’s nothing in the current public docket to suggest that’s something being considered by any party in this case.
Defendant Thompson’s former Roommate
On July 29, 2021 the DOJ-OPA Press Release stated that during the execution of a Court authorized Search and Seizure Warrant as to Defendant Thompson’s Residence, Federal Agents “during a safety sweep” found that her roommate Park Quan was in unlawful possession of dozens of guns. Park Quan was arrested and charged via a Criminal Complaint. The DOJ press release reads in part:
According to the criminal complaint, agents investigating the data theft were sweeping the residence for safety when they observed numerous firearms in a bedroom used by QUAN. Agents observed approximately twenty firearms in the bedroom, including what appeared to be an AR15-style assault rifle, an AK47-style assault rifle, and handguns; firearm accessories, including bump stocks, scopes, and grips; ammunition; and gun powder. Agents also encountered what appear to be fake grenades in the bedroom.
Criminal Complaint as to Defendant Park Quan via ECF https://ecf.wawd.uscourts.gov/doc1/19708691112 or via my public drive - I mean imagine being the Federal Agents showing up to execute a Court authorized search warrant of a hacker and the next thing you know they are looking at a mini arsenal that a convicted felon,
On June 12, 2020 the DOJ-OPA Press Release stated that Defendant Quan pleaded guilty to the illegal possession of a dozen firearms including assault rifles. Federal felony convictions from two states prohibit possession of firearms.
On October 14, 2020 the DOJ-OPA Press Release stated that Defendant Quan was sentenced to four years in prison for the firearm related charges. The OPA release also embedded the USA Sentencing Memorandum.
Oh and if you’re inclined here I recommend you read the July 2019 Search and Seizure Warrant executed on Defendant Thompson’s home - it’s kind of a riveting read because it shows you just how dogged the men and women of the FBI Cyber Crimes unit are - frankly it’s kind of glorious to read
July 2019 Search and Seizure Warrant
United States v. XXXX 28th Avenue South (Defendant Thompson’s home)
Case No 2:19-mj-00342
Affidavit for Warrant https://ecf.wawd.uscourts.gov/doc1/19708673498 or via my public drive - for the record I did redact the Special Agent’s name and the address of Defendant Thompson’s former home. Because I’m not down with doxing or accidental disclosures
And to be clear yes there are ethical hackers. My employer/client contracts tout. We have minimal rules except a few cardinal rules 1) penetrate as far as you can, 2) ironclad NDAs, and 3) help identify holes so we can plug them. Ironically sometimes having an outsider try to “break in” helps harden your cyber defense and penetrating our client’s networks saves them on the front and back end. But increasingly insider threats are proving to be far more pernicious and can have catastrophic consequences.
August 2019 S&SW returned Executed
Remember how I said that the execution of the judicially authorized search and seizure warrant unexpectedly took a wild turn? Well the August 2019 “returned” warrant actually itemized the computers, hard drives, memory cards and a whole lot of firearms, ammunition and scopes and bump stocks.
I now refer you to page 3 - via ECF https://ecf.wawd.uscourts.gov/doc1/19708707056 or via my public drive
And lastly I now refer you to page 4
Should you be inclined I also dumped the various court filings contained in this article to a Public Folder - found here - at any rate I’m likely taking the weekend off so don’t freak out if you aren’t receiving a double daily email with my newest newsletter - I’m taking some well deserved time off and I hope you and yours have a wonderful holiday weekend. -Filey
[1] July 29, 2019 DOJ-OPA re Capital One Hack - https://www.justice.gov/usao-wdwa/pr/seattle-tech-worker-arrested-data-theft-involving-large-financial-services-company - and the criminal complaint charging Paige Thompson: https://www.justice.gov/usao-wdwa/press-release/file/1188626/download
[2] August 28, 2019 DOJ-OPA - https://www.justice.gov/usao-wdwa/pr/former-seattle-tech-worker-indicted-federal-charges-wire-fraud-and-computer-data-theft - note “former Seattle Tech Worker” - and the indictment: https://www.justice.gov/usao-wdwa/press-release/file/1198481/download
Happy fireworks day!!!! And cookouts! Enjoy!
OMG! I was out of internet for 2 weeks! I have a lot of catching up! Have a great Holiday! Thank you for all your hard work!