Thank you for visiting our special presentation about the Doppelganger Campaign

Case 2:24-mj-01395 Document 4 Filed 09/04/24 Filed Under Seal

IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF PENNSYLVANIA
UNITED STATES OF AMERICA
V
CERTAIN DOMAINS
AFFIDAVIT IN SUPPORT OF SEIZURE WARRANT

I, (REDACTED) being duly sworn, hereby declare as follows:

THE CYBERSQUATTED SUBJECT DOMAINS


  1. The FBI’s investigation revealed that Doppelganger leased numerous cybersquatted domains from U.S. companies Namecheap, NameSilo, and GoDaddy using four online personas, which I refer to as Kethorn, Kamcopec, Kaspartill, and Anguillet. Each of these personas used email accounts that incorporated the persona’s name in the email address. I believe that the identity information provided to lease the domains is false given inconsistencies in names, mailing addresses, and naming conventions of the associated email addresses. These four online personas had significant overlap in the legitimate news sources their cybersquatted domains impersonated. All four personas leased domains impersonating Der Spiegel,[i] three personas leased domains impersonating Bild[ii] and T-Online,[iii] and two personas leased domains impersonating Reuters,[iv] Delfi,[v] and Süddeutsche Zeitung.[vi]
  2. The personas used a similar pattern of cryptocurrency[vii] payments and Proton Mail email addresses.[viii] In general, Doppelganger actors took steps to obfuscate the origin of the cryptocurrency by using services like ChangeNOW and cryptocurrency mixing algorithms to obfuscate the originating cryptocurrency wallet used in their transactions.
  3. Based on the commercially available cryptocurrency analysis tools[ix] and analysis by an FBI cryptocurrency subject matter expert, these personas’ cryptocurrency transactions with NameSilo and Namecheap show that the transactions originated with a cluster of cryptocurrency wallets. In this case, the FBI determined that the aforementioned cluster of wallets was funded by an account at a virtual currency exchange (“VCE-1”).[x]
  4. Records received from VCE-1 pursuant to legal process revealed that the funding account belonged to an individual referred to herein as “Konstantin.”[xi] Those records showed that Konstantin provided Russian identification documents to VCE-1 and only accessed his account at VCE-1 through IP addresses that resolve to Russia. On March 7, 2024, Konstantin was interviewed by U.S. law enforcement regarding his VCE-1 accounts and suspected criminal activity. Konstantin stated he was a “point to point” exchanger on VCE-1. In describing his business, Konstantin stated the funds that went through his accounts came from point-to-point requests and he had no direct communication with the people he moved the funds for, nor did he know the origin of the funds. Based on these facts and the analysis described above, I believe there is probable cause to believe the funds used by the four personas to lease the SUBJECT DOMAINS, as described below, originated from outside the United States.
  5. An analysis of the registrar account login records for the personas revealed that the vast majority of the login timestamps roughly correspond to Moscow business hours. The IP addresses used to access the registrars all resolved to either VPS services, or IP addresses that the cybersecurity company Spur[xii] previously associated with criminal cyber actors who compromise IP addresses and sell access to them, to allow buyers to gain further anonymity online. Even the VPS services used by the personas were accessed through other VPS services and paid for using cryptocurrency.
  6. For example, the Kamcopec persona used a particular IP address from a VPS service to lease one of the domains discussed herein. Records received pursuant to legal process revealed that a VPS service leased that IP to an account, which used another operational email address[xiii] and a second VPS service to access the first VPS. That second VPS account accessed a GitHub repository which contained a script for layering VPSs. Based on the use of that repository, I believe the Kamcopec persona was using at least three layers of VPS services to obfuscate their true identity and location. Based on my training and experience, this layering on top of layering of VPSs and operational email addresses, like Russian nesting dolls, is indicative of a high level of technical sophistication evidencing an intentional, willful desire to conceal identities and whereabouts that is commonly associated with state-sanctioned action. As noted above, internal SDA documents revealed that SDA actively sought to reduce the chance of “detecting the ‘Russian footprint’ in the proposed project,” by using “a multi-level security infrastructure” including VPN services and physical servers located in the U.S.
  7. Based on the aforementioned similarities, I assess that these personas were all used in coordination and furtherance of the Doppelganger campaign by individuals working for the sanctioned entities SDA and STRUCTURA, as well as ANO Dialog, and/or their co-conspirators, at the direction of KIRIYENKO, a sanctioned person, and the Russian government. Furthermore, as described herein, there is probable cause to believe that the funds used to lease the SUBJECT DOMAINS originated outside the United States.


[i] Der Spiegel is a German news magazine and website based in Hamburg using the domain spiegel.de.

[ii] Bild is a German newspaper and website based in Berlin using the domain bild.de.

[iii] T-Online is a German news website based in Berlin using the domain t-online.de.

[iv] Reuters is a joint British/Canadian news agency that is one of the largest news companies in the world. It uses the domain reuters.com.


[v] Delfi is a news website in Estonia, Latvia, and Lithuania using the following domains delfi.ee, delfi.lv, delfi.lt, pl.delfi.lt, and en.delfi.lt.

[vi] The Süddeutsche Zeitung, published in Munich, Bavaria, is one of the largest daily newspapers in Germany and uses the domain sueddeutsche.de.

[vii] Based on my training and experience and consultation with FBI subject matter experts, I know that many criminal actors use virtual currencies or cryptocurrency, like Bitcoin, in order to obfuscate their activity. In general, transactions involving cryptocurrencies are posted to a public ledger, like the Bitcoin Blockchain (which can be reviewed through any number of open-source blockchain explorer websites or proprietary software programs that provide user-friendly interfaces to view data from the Bitcoin Blockchain). Although transactions are visible on the public ledger, each transaction is only listed by a complex series of numbers that do not identify the individuals involved in the transaction. This feature makes virtual currencies pseudo-anonymous; however, it is sometimes possible to determine the identity of an individual involved in a transaction through several different tools that are available to law enforcement. Bitcoin is sent to and received from Bitcoin addresses. A Bitcoin address is somewhat analogous to a bank account number and is represented as a 26-to-35-character-long case-sensitive string of letters and numbers.


[viii] Proton Mail is an end-to-end encrypted email service based in Switzerland.

[ix] While the identity of the address owner is generally anonymous, law enforcement may be able to ascertain information about the identity of the owner of a particular address by analyzing the Blockchain. The analysis can also reveal additional addresses controlled by the same individual or entity. For example, a user or business may create many addresses to receive payments from different customers. When the user wants to transact the cryptocurrency that it has received, it may group those addresses together to send a single transaction. Law enforcement uses sophisticated, commercial services offered by several different Blockchain-analysis companies to investigate transactions. These companies analyze the Blockchain and attempt to identify the individuals or groups involved in the transactions. Specifically, these companies create large databases that group transactions into “clusters” through analysis of data underlying transactions. Through numerous unrelated investigations, law enforcement has found the information provided by these companies to be reliable. The third-party Blockchain-analysis software utilized in this case is software used by banks and law enforcement organizations worldwide. This third-party Blockchain-analysis software has supported many investigations and been the basis for numerous search and seizure warrants, and as such, has been found to be reliable. Computer scientists have independently shown that they can use “clustering” methods to take advantage of clues in how cryptocurrency is typically aggregated or split up to identify addresses and their respective account owners. See generally United States v. Sterlingov, 2024 WL 860983 (D.D.C. Feb. 29, 2024) (analyzing reliability of commercial Blockchain-analysis software).
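The grouping described in this footnote, where many receiving addresses are spent together in a single transaction, is the common-input-ownership heuristic that underlies commercial clustering (paragraph 3's "cluster of cryptocurrency wallets" and its funding by a single exchange account). The following Python is an added illustration, not code from the affidavit, the FBI, or any blockchain-analysis vendor; the ledger is a constructed toy with hypothetical address labels, not real Bitcoin addresses or the transactions at issue. It shows the clustering step, then the two questions the affidavit asks of a cluster: who funded it, and whom it paid.

```python
# Constructed sample ledger (hypothetical labels, NOT real addresses or the
# affidavit's transactions). Each transaction lists the addresses that signed
# its inputs and the addresses that received its outputs.
SAMPLE_TXS = [
    {"txid": "t0", "inputs": ["EXCH_HOT_WALLET"], "outputs": ["A1", "A3"]},      # exchange withdrawal
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": ["REGISTRAR_PAY_1"]},      # co-spend -> payment
    {"txid": "t2", "inputs": ["A2", "A3"], "outputs": ["REGISTRAR_PAY_2", "A4"]},  # A4 is change
    {"txid": "t3", "inputs": ["B1", "B2"], "outputs": ["REGISTRAR_PAY_3"]},      # unrelated party
]


class UnionFind:
    """Minimal disjoint-set structure; addresses are registered lazily."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def cluster_by_common_input(txs):
    """Common-input-ownership heuristic: every address that signs an input of
    the same transaction is assumed to be controlled by one party.
    Returns {address: frozenset(cluster members)} for every input address."""
    uf = UnionFind()
    for tx in txs:
        first, *rest = tx["inputs"]
        uf.find(first)                 # register single-input spenders too
        for addr in rest:
            uf.union(first, addr)
    groups = {}
    for addr in list(uf.parent):
        groups.setdefault(uf.find(addr), set()).add(addr)
    return {addr: frozenset(g) for g in groups.values() for addr in g}


def all_clusters(txs):
    """Distinct clusters present in the ledger."""
    return set(cluster_by_common_input(txs).values())


def funders_of(cluster, txs):
    """Addresses outside the cluster whose transaction outputs landed inside it."""
    return {inp for tx in txs if cluster & set(tx["outputs"])
            for inp in tx["inputs"] if inp not in cluster}


def recipients_of(cluster, txs):
    """Addresses outside the cluster that received outputs it spent.
    Change sent to a not-yet-merged address (A4 here) shows up as a recipient,
    because this heuristic alone does not fold change back into the cluster."""
    return {out for tx in txs if cluster & set(tx["inputs"])
            for out in tx["outputs"] if out not in cluster}


if __name__ == "__main__":
    clusters = cluster_by_common_input(SAMPLE_TXS)
    payer = clusters["A1"]
    print("cluster containing A1:", sorted(payer))
    print("funded by:", funders_of(payer, SAMPLE_TXS))
    print("paid out to:", recipients_of(payer, SAMPLE_TXS))
```

Two points the affidavit itself hints at: the heuristic is exactly what mixers and swap services such as those named in paragraph 2 are meant to break, since a CoinJoin-style transaction with inputs from unrelated parties would wrongly merge them, and change outputs need a separate heuristic before they rejoin the cluster. Commercial tools layer those refinements and exchange-attribution data on top of the basic step shown here.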


[x] A virtual-currency exchange is a virtual-currency trading platform. Virtual currency exchanges typically allow trading between the U.S. dollar, other foreign currencies, Bitcoin, and other digital currencies. Many virtual-currency exchanges also act like virtual banks and store their customers’ Bitcoin. Virtual currency exchanges doing business in whole or in substantial part in the United States are regulated under the Bank Secrecy Act, codified at 31 U.S.C. § 5311 et seq., and must comply with federal regulations designed to combat money laundering, including the collection of identifying information about their customers.

[xi] Konstantin’s full name is known to law enforcement but omitted here due to the ongoing nature of law enforcement investigations.

[xii] Spur is a U.S. cybersecurity industry leader specializing in detecting anonymous infrastructure cyber criminals use to obfuscate their locations and identities.

[xiii] Based on my training and experience, I know cybercriminals often create “operational” email addresses using fake identifying information to conduct illegal activity as a way to obfuscate their identity.