Case 1:20-cr-00024-UNA Document 1 Filed 01/16/20 Page 1 of 8

ORIGINAL FlLEo~ CHA

Atlanta
United States District Court
NORTHERN DISTRICT OF GEORGIA j~ 1 6 2020
JAME~
UNITED STATES OF AMERICA 8)1: , Clerk
v. CRIMINAL COMPLAINT

MARQUAVIOUS DEONTE BRIfl Case Number: 1:20-MJ-22

I, Jared Sikorski, the undersigned complainant being duly sworn, state the following is true and correct to
the best of my knowledge and belief. From in or about May 2019 until in or about October 2019, in Fulton
County, in the Northern District of Georgia, and elsewhere, defendant MARQUAVIOUS DEONTE BRITT
did intentionally access a computer, without authorization and exceeding authorization, and thereby
obtained information and attempted to obtain information from a protected computer for the purposes of
commercial advantage and private financial gain; with the value of the information obtained exceeding
$5,000; in violation of Title 18, United States Code, Section 1030(a)(2)(C), Section 1030(c)(2)(B)(i), and
Section 1030(c)(2)(B)(iii).

I further state that I am a Special Agent with the Federal Bureau of Investigation and that this complaint
is based on the following facts:

PLEASE SEE ATtACHED AFFIDAVIT

Continued on the attached sheet and made a part hereo~~~,

e of Complainant
Jared Sikorski

Based upon this complaint, this Court finds that there is probable cause to believe that an offense has
been committed and that the defendant has committed it. Sworn to before me, and subscribed in my
presence

anua 16, 2020 at Atlanta, G-~gjia

Date City and . -

UNITED STATES MAGISTRATE

Name and Title of Judicial Officer
AUSA Michael Herskowitz
DGE At
,,t~ ~dt~e of Judiciai Officer
 Case 1:20-cr-00024-UNA Document 1 Filed 01/16/20 Page 2 of 8

AFFIDAVIT IN SUPPORT OF CRIMINAL COMPLAINT

I, Jared Sikorski, a Special Agent with the Federal Bureau of Investigation

(FBI), being first duly sworn, depose and state under oath as follows:

INTRODUCTION

1. This Affidavit is made in support of a criminal complaint for

MARQUAVIOUS DEONTE BRITT (“BRITT”), for intentionally accessing a

computer, without authorization and exceeding authorization, and thereby

obtaining information and attempting to obtain information from a protected

computer for the purposes of commercial advantage and private financial gain;

with the value of the information obtained exceeding $5,000; in violation of Title

18, United States Code, Section 1030(a)(2)(C), Section 1030(c)(2)(B)(i), and Section

1030(c) (2) (B) (iii).

AFFIANT BACKGROUND

2. I am an “investigative or law enforcement officer” within the meaning of

Title 18, United States Code, Section 2510(7), that is, an officer of the United

States who is empowered by law to conduct investigations and to make arrests

for offenses enumerated in Title 18, United States Code, Section 2516.

3. I am a Special Agent with the FBI, assigned to the Atlanta Field Office, and

have been so employed since May 2019. Prior to becoming a Special Agent with

the FBI, I was a Forensic Investigator employed at a digital forensics company

1
 Case 1:20-cr-00024-UNA Document 1 Filed 01/16/20 Page 3 of 8

located in Chicago, IL, for approximately five years. In this role, I investigated

hundreds of cases involving cyber-crime.

4. I am currently assigned to investigate cyber-crime, as well as other

criminal matters, and I have participated in investigations involving the use of

computers, e-mail accounts, and the Internet. I have also participated in the

execution of search warrants involving computer equipment and electronically

stored information. I have received advanced training in computer

investigations, interviewing and interrogation techniques, arrest procedures,

search warrant applications, the execution of searches and seizures, and various

other criminal laws and procedures. Based on my training and experience, I am

familiar with the means by which individuals use computers and information

networks to commit various crimes.

5. I make this affidavit based upon personal knowledge derived from my

training, experience, and participation in this investigation, and information that

I have learned from discussions with other investigators. The facts related in this

affidavit do not reflect the totality of information known to me or other officers,

merely the amount needed to establish probable cause. Unless otherwise noted,

wherever in this affidavit I asserted that a statement was made, the information

was provided by another law enforcement officer or witness who may have had

either direct or indirect or hearsay knowledge of that statement and to whom I or

2
 Case 1:20-cr-00024-UNA Document 1 Filed 01/16/20 Page 4 of 8

others have spoken. I do not rely upon facts not set forth herein in reaching my

conclusion that a complaint should be issued, nor do I request that this Court

rely upon any facts not set forth herein in reviewing this affidavit.

PROBABLE CAUSE

6. BRITI worked as a server support technician for an Atlanta-based

company (hereinafter VICTIM-i) for a short period of time from May 6, 2019

until June 24, 2019. VICTIM-i provides IT support, mobile application

development, website development, and software support to its clients.

7. VICTIM-i had retained a Canadian based company, Vultr, which provides

Cloud services to store its clients’ data. Only one VICTIM-i employee possessed

the administrator account in the Vultr Cloud panel. However, unbeknownst to

VICTIM-i, a second administrator account had been created on or about May 14,

20i9 using BRITT’S email account.

8. According to VICTIM-i, BRITT was a disgruntled employee who was

terminated for failure to complete tasks assigned to him. According to VICTIM

i, BRITT often expressed his interest in computer hacking to his colleagues.

9. On September 30, 20i9, the moniker “wOzniak” created a post on a dark

web forum which advertised access to a managed service provider (MSP)

account for $600 USD, payable in Bitcoin.

3
 Case 1:20-cr-00024-UNA Document 1 Filed 01/16/20 Page 5 of 8

10. On October 10, 2019, an FBI confidential source (CHS)1 responded to the

post, and expressed interest in purchasing the MSP access. In response, wOzniak

emailed the CHS a screenshot of the Vuift administrator panel. The CHS and

wOzniak then negotiated a price of $450.00, and the CHS sent 0.05254621 Bitcoin

to wOzniak’s CoinBase wallet.

11. After the purchase, the FBI reviewed the account sold to the CHS. The

administrator credentials provided to the CHS were username:

“mbritt@[VICTIM-1].com” and password: “Quay#7816!”. The FBI confirmed

that the stolen administrator account was in fact that of VICTIM-i. Agents also

confirmed that 7816 is the last four digits of BRITT’S social security number.

i2. In response to a subpoena, Coinbase confirmed the wallet which was

provided to the CHS by wOzniak was in fact registered to BRITT. In fact,

Coinbase provided the FBI an uploaded scan of BRITI’S Florida driver’s license,

name, SSN, email address, home address, and date of birth — all of which

matched the identifiers for BRITT. There was also a Chase bank account linked

to the Coinbase account in BRITT’S name.

‘The CR5 has provided reliable and corroborated information to the government for
over two years. CHS reporting has continually been timely, detailed, and accurate. CHS
has provided information on multiple occasions that has resulted in open investigations
and identified subjects. CHS has also successfully identified multiple victims which
were positively confirmed during victim notifications. CHS has no criminal history and
no known Ciglio issues.
4~
 Case 1:20-cr-00024-UNA Document 1 Filed 01/16/20 Page 6 of 8

13. The IP addresses used to access BRITT’S Coinbase account include

69.73.104.77 and 75.76.203.92. The FBI confirmed that 75.76.203.92 was the IP

address used by wOzniak when he sold access to VICTIM-i’s MSP. The

information provided by Coinbase such as BRITT’S driver’s license, social

security number, phone number, birthdate, and email address also matched

BRITT’S VICTIM-i employment documentation.

14. In response to another subpoena, Chase Bank provided statements for

BRITT which shows both his VICTIM-i paycheck direct deposit in June 2019, and

a transfer from PayPal of $436.59 on October 10, 2019 — which is consistent with

the funds that the CHS paid for the VICTIM-i’s admThistrator account.

15. On October 10, 2019, BRITT’S PayPal account received $44i.00 USD from

Coinbase. That same day, funds were transferred from BRITT’S PayFal account

to BRITT’S Chase Bank account. Moreover, the IP address 75.76.203.92 was used

to login to BRITI’S PayPal account on October iO, 2019. As mentioned,

75.76.203.92 was the IF address used by wOzniak when he sold access to

VICTIM-i’s MSP account.

16. Open source research revealed Twitter and Instagram profiles that

appeared to be associated with BRITT, namely: Twitter username: “@_WOz”; and

Instagram username: “_wOz”. The names associated with both accounts is

5
 Case 1:20-cr-00024-UNA Document 1 Filed 01/16/20 Page 7 of 8

“Marq” and, the social media profiles and posts appear to depict BRITT in the

photos.

17. Agents also confirmed that the IP address 75.76.203.92 was utilized to

login to the Twitter account @_WOz approximately 50 times between October 18,

2019 and November 25, 2019. The IF address 75.76.203.92 matches the IF address

provided by Coinbase and FayPal for the transaction in which wOzniak sold

access to VICTIM-i’s MSP.

18. According to VICTIM-i, its Vultr access logs show: On October 1, 2019,

the IF address 69.73.104.77 was used to login to VICTIM-i’s administrator

account. On October 12, 2019, the IP address 75.76.203.92 was used to login to

VICTIM-i’s admin account. The IP address 75.76.203.92 matches the IF address

linked to wOzniak’s sale of VICTIM-i’s account. Additionally, it matches the IF

address which accessed BRITT’S Coinbase, FayFal, and Twitter accounts. The IP

address 69.73.104.77 is another address linked to BRITT’S Coinbase account.

19. The value of VICTIM-i’s MSP illegally obtained by BRITT exceeded

$5,000 in value to VICTIM-i, and BRITT obtained the information for his own

personal financial gain or commercial advantage.

20. BRITT illegally accessed VICTIM-i’s information, without authorization

and exceeding any authorization provided to him by VICTIM-i.

6
 Case 1:20-cr-00024-UNA Document 1 Filed 01/16/20 Page 8 of 8

21. Based upon the foregoing, I submit there is probable cause to believe that

MARQUAVIOUS DEONTE BRITT intentionally accessed a computer, without

authorization and exceeding authorization, and thereby obtained information

and attempted to obtain information from a protected computer for the purposes

of commercial advantage and private financial gain; with the value of the

information obtained exceeding $5,000; in violation of Title 18, United States

Code, Section 1030(a) (2) (C), Section 1030(c) (2)(B) (i), Section 1030(c) (2) (B) (iii).