-.

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 1 of 39 PageID #: 6

JD)~fr\\~ ({0~ UNITED STATES DISTRICT COURT FOR Tim

U\\lSL!V~~

uLS~

DISTRICTOFDELAWARE

UNITEDSTATESOFAMEruCA

v.

CRIMINAL NO. 13-78-0MS

Count!: Conspiracy
(18U.S.C. 371)

NATHAN LEROUX,
a/k/a "natelx,"
afk/a "animefre4k,,
a/k/a "comettimancer,"
a/k/a ''void mage,"
a/k/a "Durango,"
a!k/a "Cthulhu,"

"171 ~

~ s~mLt.D

q\1-c.\~'-\ ~:flL..

Count 2: Conspiracy to Commit Wrre Fraud

(18 U.S.C. 1343 and 1349)
Counts 3-6: Wiie Fraud
(18 u.s.c. 1343)
Count 7: Conspiracy to Commit
Theft of Trade Secrets
(18 U.S.C. 1832(a)(l), (a)(2), (a)(3), (a)(S))

SANADODEH NESHEIWAT,
a/k/a "rampuptechie,"
alk/a "Soniciso,"
a/kla ccsonic,"

Counts 8-11: Unauthorized Computer Access

(18 U.S.C. 1030(a)(2)(C) & 2)

DAVID POKORA,
alk/a "Xenomega 9,"
alk/a "Xenon7,"
alk/a "Xenomega,"

Counts 12-13: Criminal Copyright Infringement

(18 U.S.C. 2319(d)(2); 17 U.S.C. 506(a)(1)(C)
&2)
Count 14: Conspiracy to Commit Mail Fraud

AUSTIN ALCALA,
a/k/a "AAmonkey,"
a/k/a "AAmonkeyl,"

(18 U.S.C. 1341 and 1349)

Defendants.

Count 15: Attempted Mail Fraud

(18 U.S.C. 1341 and 1349)
Count 16: Conspiracy to Commit Identity Theft
(18 u.s.c. 1028(f))

,_

o:::w
::::lcz::

r-

0..<(
u~

c;;

'-'...I

::c

~---<

Q~W

wt-o

.J!!!~

-oo

Ll-1-

~u
:;:)0:::
X:I -

o:::.n

Counts 17-18: Aggravated Identity Theft

(18 U.S.C. 1028A & 2)

0..

"'

Forfeiture Notice

Filed Under Seal

.....10
<..:1

SUPERSEDING INDICTMENT

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 2 of 39 PageID #: 7

The Grand Jury for the District of Delaware charges that:

COUNTl
(Conspiracy)
18 u.s. c. 371

At all times material to this Superseding Indictment:

1.

The Defendants

a. DefendantNAIHAN LEROUX, alk/a "natelx," alk/a "animefre4k," alk/a

"confettimancer," alk/a ''void mage," a/kla 1'Durango," a/kJa 1'Cthulhu,"

("LEROUX") resided in or near Bowie, Maryland.
b. DefendantSANADODEHNESHEIWAT, a/k/a ''rampuptechie/' a/kla
"Soniciso," a/k/a "Sonic" (''NESHEIWAT") resided in or near Washington, New
Jersey.
c. Defendant DAVID POKORA, a/kla "Xenomega 9," a/k/a "Xenon7," alk/a
"Xenomega," ("POKORA'') resided in or near Mississauga, Ontario, Canada.
d. Defendant AUSTIN ALCALA, afkfa "AAmonkey," a/k/a "AAm.onkeyl,"
("ALCALA'') resided in or near McCordsville, Indiana
Co-conspirators

e. C.W., aJk/a "Gamerfreak," a co-conspirator who is not charged herein, resided in

or near Morganton, North Carolina.
f.

a co-conspirator who is not charged herein, alkla "savingthe:frog," afk/a

..alliyainwonderland," alk/a ..ohaiithar," alkla "Sup~rDae," alk/a ..Da~," r~::;iuetl in
or near Perth, Western Australia, Australia.

Methods of Hacking Utilized by Defendants

g. Structured Query Language ("SQL") was a computer programming language

designed to retrieve and manage data in computer databases.
h. "SQL Injection Attacks" were methods of hacking into and gaining unauthorized

access to computers connected to the Internet.

2

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 3 of 39 PageID #: 8

i. "SQL Injection Strings" were a series of instructions to computers used by

backers in furtherance of SQL Injection Attacks.
J. "Malware" was malicious computer software programmed to gain unauthorized
access to computers; to evade detection of intrusions by anti-virus programs and
other security features running on those computers; and to identify, store, and
export information from hacked computers, including information su.ch as
Copyrighted Works, Works Being Prepared for Commercial Distribution, user
names and passwords ("Log-In Credentials"), menns..of identification ("Personal

Data?'), authentication keys used to protect copyrighted works ("Authentication

Keys"), internal corporate documents, including attorney-client communications
("Corporate Documents"), credit and debit card numbers and corresponding
personal identification information of cardholders ("Card Data").
The Victims of Computer Hacking

k. Microsoft Corporation ("Microsoft'') was a provider of computer software,

hardware, video games, game engine technology, online gaming platforms, and
related products and services. Microsoft was headquartered in Redmond,
Washington. Microsoft is the developer, manufacturer and intellectual property
rights holder of the Xbox gaming console (hereinafter ''Xbox"). The latest

version of the Xbox gaming console-- which Microsoft internally codenamed

"Durango" and later publicly named ''Xbox One," and which was not released for
sale to consumers until on or about November 22, 2013 --is a computer system
and multimedia entertainment and telecommunications hub that allows users not
only to play computer games, but also to watch television and movies and to
access the Internet. Microsoft has spent millions of dollars developing the Xbox
gaming consoles, including Xbox One. 'M:icrosoft's Xbox-related revenues for
2011 and 2012 exceeded $8 billion per year.
3

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 4 of 39 PageID #: 9

1.

Microsoft is also the copyright holder for the underlying technology

employed in the "Gears of War 3" Xbox game, which was released to the
public on or about September 20, 2011. "Gears ofWar 3" sold more than
3 million copies in its first week of release, at an initial Manufacturer's
Suggested Retail Price of $59.99.

ii. Microsoft operated a "Game Development Network Portal" ("GDNP"),

which was a private computer network allowing prospective developers of

games for Microsoft's Xbox and other gaming platforms to access,

through an authentication system, the pre-release Xbox "Durango"

operating system development tools and software. Microsoft controlled
access to the GDNP by, among other methods, imposing licensing
requirements, non-disclosure agreements and other restrictions and
requiring authorized users to ~e registered with Microsoft. Microsoft also
administered separate access enclaves for more-restricted data on GDNP.
iii. Microsoft also provided developers with access to a software platform
known as "PartnerNet" to refine video game creation. Microsoft
controlled access to PartnerNet by, among other methods, imposing
licensing requirements, non-disclosure agreements and other restrictions
and providing authorized network users with an "Xbox Development Kit"
("XDK"), which are non-retail computers used to access PartnerNet.
iv. Beginning in or about January 2011, Microsoft was the victim of incidents
of unauthorized access to its computer networks, including GDNP's
protected computer network, which resulted in the theft of Log-In
Credentials, Trade Secrets, and Intellectual Property relating to its Xbox
gaming system.

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 5 of 39 PageID #: 10

1. Epic Games, Inc. ("Epic") was a developer of computer games, and cross~
platform game engine technology, including software used in electronic gaming
consoles such as Microsoft's Xbox gaming system. Epic was headquartered in
Cary, North Carolina. Beginning in or about January 2011, Epic was the victim
of a SQL Injection Attack and other incidents of unauthorized access to Epic's
protected computer network that resulted in the theft of Intellectual Property from
its network, including unreleased software, source code, and middleware from the
software title "Gears ofWa.r 3," which Epic developed exclusively for the
Microsoft Xbox gaming system. Epic holds certain copyrights and trademarks
related to the "Gears of War 3" game.
m. Valve Corporation ("Valve") was a developer of computer games, game engine
technology, and online gaming platforms, and the operator of the "Steam" online
gaming forum and merchandise store. Valve was headquartered in Bellevue,
Washington. Beginning in or about September 2011, Valve was the victim of a
SQL injection attack and other incidents of unauthorized access to Valve's
protected computer network that resulted in the theft of Intellectual Property and
Personal Data from its network, including the theft of Log-In Credentials for
Valve employees.
n. Activision Blizzard Inc. (..Activision") was a publisher of interactive online
garuing software for personal computers, consoles, handheld and mobile devices.

Activision was headquartered in Santa Monica, California. Activision was the

publisher of, and holds various copyrights and trademarks relating to, the video
game "Call ofDuty: Modem Warfare 3," which generated approximately $1
billion in sales in the first 16 days of its release on or about November 8, 2011.

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 6 of 39 PageID #: 11

o. Zombie Studios ("Zombie") was a developer of computer games for consumers

and helicopter simulation applications for the United States Deparbnent of the

Army. Zombie was headquartered in Seattle, Wasbington. Beginning in or

around July 2012, Zombie was the victim of unauthorized access to Zombie's
protected computer network that resulted in the theft of Intellectual Property and
Personal Data from its network.
p. The United States Department of the Army is one of three military departments
within the United States Department of Defense. Beginning in or about October
2012, the United States Department of the Army was the victim of unauthorized
access to and trespass into one of its protected computer networks that resulted in
the theft of confidential data valued at more than $5,000.

THE CONSPIRACY
2.

Between in or about January 2011 and in or about March 2014, in the District of

Delaware and elsewhere, the defendants

NATHAN LEROUX,
a/k/a "natelx,"
a/k/a "animefre4k,"
alkfa "confettimancer,"
a/k/a "void mage,"
a/k/a "Durango,"
afkla "Cth:ulhu,"
SANADODEH NESHEIWAT,
a/k/a ''rampuptechie,"
a/kla "Soniciso,"
a/k/a "Sonic,"
DAVID POKORA,
a/kla ''Xenomega 9,"
alkfa "Xenon7"
' .
a!k/a "Xenomega," and

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 7 of 39 PageID #: 12

AUSTIN ALCALA,
a/kla "AAmonk.ey,"
aJk/a "AAmonkeyl,"
did knowingly and intentionally conspire and agree among themselves and with others known
and unknown to the grand jury, including. and C. W., to commit offenses against the United
States, namely:
a. Fraud and Related Activity in Connection with Computers by intentionally
accessing a protected computer used in or affecting interstate or foreign
commerce without authorization, and exceeding authorized access to a
protected computer, and thereby obtaining information from that computer,
namely Log-In Credentials, Personal Data, Authentication Keys, Corporate
Documents, Card Data, and Intellectual Property, for the purpose of
commercial advantage and private financial gain, and the value of that
information exceeds $5,000, in violation of Title 18, United States Code,
Sections 1030(a)(2)(C) and (c)(2)(B)(i) and (iii);
b. Fraud and Related Activity in Connection with Computers by intentionally
accessing a protected computer used in or affecting interstate and foreign
commerce and exclusively for the use of the United States Government, and
exceeding authorized access to a protected computer, and thereby obtaining
information from any deparl!nent or agency of the United States, for the
purposes of commercial advantage and private financial gain and the value of
the information obtained exceeds $5,000, in violation ofTitle 18, United
States Code, Sections 1030(a)(2)(B) and (C) and (c)(2)(B)(i) and (iii);
c. Criminal Copyright Infringement by the distribution, for the purpose of
commercial advantage and private financial gain, of a work being prepared for

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 8 of 39 PageID #: 13

commercial distribution, by making it available on a computer network

accessible to members of the public, where the defendants knew or should
have. known that the work was intended for commercial distribution, in
violation of Title 17, United States Code, Section 506(a)(l)(C), and Title 1&,
United States Code, Section 2319(d)(l) and (d)(2).
OBJECT OF THE CONSPIRACY

3.

It was the object of the conspiracy for LEROUX, NESHEIWAT, POKORA,

ALCALA, and others to hack into the computer networks of various companies, including
but not limited to Microsoft, Epic, Valve, Activision, Zombie, and the United States Department
of the Army (collectively "the Victims''), to steal and then to use, share, and sell Network Log-In
Credentials, Personal Data, Authentication Keys, Card Data, Confidential and Proprietary
Corporate Information, Trade Secrets, Copyrighted Works, and Works Being Prepared for
Commercial Distribution, and to otherwise profit from their unauthorized access.
MANNER AND MEANS OF THE CONSPIRACY

4.

The manner and means by which LEROUX, NESHEIWAT, POKORA,

ALCALA, and others sought to accomplish the conspiracy included, among other things,
the following:
Scouting Potential Victims

a. It was part of the conspiracy that LEROUX, NESHEIWAT, POKORA,

ALCLA and .would identify potential victims by, among other methods,
visiting the websites of potential victims, as well as related companies, to
identify potential vulnerabilities of their information systems, and conducting

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 9 of 39 PageID #: 14

research to determine whether their information systems had already been

breached.
b. It was further part of the conspiracy that LEROUX, NESHEIWAT,
POKORA, ALCALA and

scan tlie "ports," or information portals

of computers belonging to potential victims, to locate network weak points.

c. It was further part of the conspiracy that LEROUX, NESHEIWAT,
POKORA, ALCALA and

visit websites where others had posted

legitimate Log-In Credentials for potential victims, and would copy those
Log-In Credentials and save them for subsequent use.
Launching the Attacks -The Hacking Platforms

d. It was further part of the conspiracy that LEROUX, NESHEIWAT,

POKORA, ALCALA and-auld lease, control, and use Internetconnected computers in New Jersey, California, Canada, Delaware, Indiana,
Maryland, Utah, Texas, the Netherlands, Hong Kong, Australia, the United
Kingdom, and elsewhere (collectively, "the Hacking Platforms") to: (1) store
hacking tools; (2) stage attacks on the Victims' networks; and (3) receive,
store and share stolen Log-In Credentials, Personal Data, Authentication
Keys, Card Data, Confidential and Proprietary Corporate Information, Trade
Secrets, Copyrighted Works, and Works Being Prepared for Commercial
Distribution.
e. It was further part of the conspiracy that LEROUX, NESHEIWAT,
POKORA, ALCALA and .would provide each other and others with
unauthorized access to the Victims' networks and would locate, store, and

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 10 of 39 PageID #: 15

transmit Network Log-In Credentials, Personal Data, Authentication Keys,

Card Data, Confidential and Proprietary Corporate Information, Trade
Secrets, Copyrighted Works, and Works Being Prepared for Commercial
Distribution from the Victims' networks.

f. It was further part of the conspiracy that LEROUX, NESHEIWAT,

POKORA, ALCALA

would hack into the Victims' networks using

various techniques, including, among others, SQL Injection Attacks, to steal,

among other things, Network Log-In Credentials, Personal Data,
Authentication Keys, Card Data, Confi.denti~ and Proprietary Corporate
Information, Trade Secrets, Copyrighted Works, and Works Being Prepared
for Commercial Distribution from the Victims' networks.
g. It was further part of the conspiracy that if LEROUX, NESHEIWAT,
POKORA, ALCALA and D.W. obtained Log-In Credentials that were
encrypted, POKORA would defeat the encryption using software programs
such as "Passwords Pro" and "Password Recovery Magic," so that LEROUX,
NESHEIWAT, POKORA, ALCALA and .could subsequently use the
decrypted Log-In Credentials to access the Victims' networks.
Executing the Attacks - Obtaining Confidential and Proprietary Information
and Intellectual Properly from the Victims
h.

It was further part of the conspi,racy that once they hacked into the computer
networks, LEROUX, NESHEIWAT-;~POKORA, ALCALA and
conduct network reconnaissance to find and to steal Log-In Credentials,
Personal Data, Authentication Keys, Card Data, Confidential and Proprietary

10

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 11 of 39 PageID #: 16

Corporate Information, Trade Secrets, Copyrighted Works, and Works Being

Prepared for Commercial Distribution from the Victims' networks.
i. It was further part of the conspiracy that LEROUX, NESHEIWAT,

POKORA, ALCALA an-would use an unauthorized Comcast cable

modem belonging to NESHEIWAT and phys~cally located in New Jersey to
connect to the Internet to steal Log-In Credentials, Personal Data,
Authentication Keys, Card Data, Confidential and Proprietary Corporate
Information, Copyrighted Works, and Works Being Prepared for Commercial
Distribution from the Victims' networks. The conspiracy used the
unauthorized Comcast cable modem because its members believed that the
modem could not be traced to the conspiracy, and further to avoid the
limitations on Internet bandwidth usage that Internet Service Providers apply
to legitimate users of their networks.
J.

It was :further part ofthe conspiracy that LEROUX, NESHEIWAT,

communicate via various online instant

POKORA, ALCALA

message platforms, which allowed them to use their Internet connections to

talk to and advise each other in real time regarding how to navigate the
Victims' networks and to locate Log-In Credentials, Personal Data,
Authentication Keys, Card Data, Confidential and Proprietary Corporate
Information, Trade Secrets, Copyrighted Works, and Works Being Prepared
for Commercial Distribution from the Victims' networks. By doing so, their
electronic communications traveled between computers connected to the

11

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 12 of 39 PageID #: 17

Internet from, among other places, Ontario, Canada, Delaware, Indiana, New
Jersey, Maryland, and Australia.
k. It was further part of the conspiracy that LEROUX, NESHEIWAT,
POKORA, ALCALA and

and others would use the computer program

TeamViewer to remotely view other computer desktops in real time, and to

allow them to communicate about their unauthorized access of the Victims'
networks and the location of Log-In Credentials, Personal Data,
Authentication Keys, Card Data, Confidential and Proprietary Corporate
Information, Trade Secrets, Copyrighted Works, and Works Being Prepared
for Commercial Distribution from the Victims' networks. By doing so, their
electronic communications traveled between computers connected to the
Internet from, among other places, Ontario, Canada, Delaware, Indiana, New
Jersey, Maryland, and Australia.
1. It was further part of the conspiracy that LEROUX, NESHEIWAT,

POKORA, ALCALA and.and others would use computer servers

located in various states and countries -- including Utah, Texas, the United
Kingdom, and Canada -- to store, receive and disseminate Log-In Credentials,
Personal Data, Authentication Keys, Card Data, Confidential and Proprietary
Corporate Information, Trade Secrets, Copyrighted Works, and Works Being
Prepared for Commercial Distribution stolen from the Victims' networks.
Concealing the Attacks

m. It was further part of the conspiracy that LEROUX, NESHEIWAT,

conceal their hacking into the Victims'

POKORA, ALCALA and

12

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 13 of 39 PageID #: 18

networks by, among other things, conducting their hacking via Virtual Private
Networks, including but not limited to computer programs that used
encryption to protect communications transmitted via the Internet.
n. It was further part of the conspiracy that LEROUX, NESHEIWAT,
POKORA, ALCALA and

conceal their hacking into the Victims'

networks by, among other things, disguising their true Internet Protocol
addresses through the use of "proxies," or intermediary computers.
o. It was further part of the conspiracy that LEROUX, NE~HEIWAT,
POKORA, ALCALA

conceal their theft of Log-In

Credentials, Personal Data, Authentication Keys, Card Data, Confidential and

Proprietary Corporate Information, Trade Secrets, Copyrighted Works, and
Works Being Prepared for Commercial Distribution from the Victims'
networks by encrypting the contents of their own computers and digital media
with TrneCrypt and other encryption software.
p. It was further part of the conspiracy that LEROUX, NESHEIWAT,
POKORA, ALCALA

conceal their activities within the

Victims' computer networks by utilizing Log-In Credentials, Personal

Identifiers, and Authentication Keys of other individuals to steal data,
Confidential and Proprietary Corporate Information, Trade Secrets,
Copyrighted Works, and Works Being Prepared for Commercial Distribution
from the Victims' computer networks.
q. Defendants undertook such efforts at concealment to attempt to avoid
detection by the Victims and law enforcement agencies. During an August

13

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 14 of 39 PageID #: 19

21, 2011 electronic communication session via the Internet, for instance,
POKORA stated:
Have you been listening to the shit that I've done this past month?
,.

I have shit to the U.S. military. I have shit to the Australian Dept. of
Defense.

I have every single big company: Intel, AMD, Nvidia, any game company
you could name, Google, Microsoft, Disney, Warner Brothers, everything.

It's not like I'm trying to prove a point, but I'm just saying. if they notice
any of this, eventually they're going to come looking for me.

Profiting from the Attacl<S

r. It was further part of the conspiracy that LEROUX, NESHEIWAT,
POKORA, ALCALA and -ttempted to, and did, sell Log-In Credentials,
Personal Data, Authentication Keys, Card Data, Confidential and Proprietary
Corporate Information, Trade Secrets, Copyrighted Works, and Works Being
Prepared for Commercial Distribution stolen from the Victims' computer
networks.
s. During an online chat session on or about October 2, 2011 between POKORA
a n d . for example, POKORA wrote, in reference to ongoing computer
intrusions into the Victims' computer networks: "if we do this right, we will
make a million dollars each." POKORA also stated in an Internet audio call,
"I don't think you understand the plan that I had. I've akeady compromised a

14

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 15 of 39 PageID #: 20

fuckton ofPaypals from those databases we have. Not that I logged into
them, but I've compromised enough that we could have already sold them for
Bitcoins which would have been untraceable if we did it right. It could have
already been easily an easy 50 grand."
t.

During an October 2, 2011 hacking session, POKORA and his co-conspirators

initiated a Remote Desktop Protocol connection to Epic's computer network
through an intermediary network node controlled by

POKORA and his

co-conspirators, using computers located in Delaware, Australia, Canada,

New Jersey and Maryland, logged into Epic's webmail server with the Log-In
Credentials of an Epic employee who was assigned to respond to known
intrusions into Epic's computer network. While POKORA and others viewed
the Epic employee's e-mail through Team.Viewer,.wrote, using an
instant message service:
Look at the e-mails between them about me.
Haha.
But fuck, I don't even get anything fun out of it anymore.
Its degrading.
Making money out of it
Fuck.
u. On or about November 3, 2011, POKORA instructed Person A to obtain a
'wish list" ofpre-relea:se inlt:llt:utual prope1ty from online alias
"XBO:XDEVGUY." POKORA had previously negotiated with
XBOXDEVGUY to hack into companies to obtain software for compensation.
v. POKORA,

and other co-conspirators used online merchants to purchase

Apple computer products with the proceeds of their criminal activity.

15

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 16 of 39 PageID #: 21

w. In or about August 2012, LEROUX and his co-conspirators gained

unauthorized access to Microsoft computer networks, from which they
downloaded Trade Secrets and Copyrighted Works owned by Microsoft.
LEROUX used Microsoft's Trade Secrets, including internal design and
technical specifications and pre-release operating system software code, to
build a counterfeit, next-generation JVIicrosoft Xbox gaming console, which he
and other co-conspirators sold online.
x. In or about August 2012,. used the personally-identifying information of
two individuals, C.L. and M.L., including name, social security number, date
ofbirth, and address, to which he gained access in the course ofthe abovereferenced computer intrusions, to fraudulently open financial accounts in the
names of the two victims.
y. During the course of the conspiracy, POKORA, NESHIEWAT, ALCALA,
others designed software and exploited source code of various
online games created and owned by the Victims - source code that they had
stolen during incidents of unauthorized access into the Victims' computer
networks- to sell unauthorized access to online games.
OVERT ACTS

5.

In furtherance of the conspiracy, the following overt acts, among others, were

committed in the District of Delaware and elsewhere:

16

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 17 of 39 PageID #: 22

Epic Computer Network

a. In or about January 2011, POKORA learned that C.W., an unindictedcoconspirator, had conducted a SQL Injection Attack against Epic, and revealed
Log-In Credentials for Epic's protected computer network.
b. In or about Januacy 2011, POKORA used legitimate Epic Log-In Credentials
to gain unauthorized access to Epic's computer network, and to copy and

download Epic's Copyrighted Works and Works Being Prepared for

Commercial Distribution, including the game "Gears of War 3,' to a computer
controlled by POKORA and hosted on a server in Utah. "Gears of War 3"
was developed by Epic and had not yet been commercially released. The
copyrights and trademarks to "Gears of War 3," which was commercially
released on or about September 20, 2011, are held by Epic ~d Microsoft.
c. On or about January 12, 2011,

an tmindicted co-conspirator, transmitted

from Australia, via the Internet, a request for technical support to

Bluehost.com, a company located in Houston, Texas, that hosted a website
controlled by~d that he and his co-conspirators used to store and
disseminate stolen Log-In Credentials, Personal Data, Authentication Keys,
Card Data, Confidential and Proprietary Corporate Information, Trade
Secrets, Copyrighted Works, and Works Being Prepared for Commercial
Distribution. complained that file transfer through his ~ebsite was
occurring too slowly, and provided Bluehost.com with futemet-routing data
showing that .was connecting to Epic's computer network.

17

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 18 of 39 PageID #: 23

d. In or about June 2011,. used legitimate Epic Log-In Credentials to gain

unauthorized access to Epic's network, and copied a legal document
belonging to Epic and marked "Attorney-Client Privileged" to a computer
controlled by. .
e. In or about June 2011, POKORA told the co-conspirators and others known
and unknown to the grand jury via an Internet audio communication and
transmitted to computers connected to the Internet from, among other places,
Delaware, New Jersey, Maryland and Canada: "Somebody leaked Epic
Games' database. I already had it before that guy but someone else leaked it.
Then they tightened their security, but the funny thing is I still have root
access to all their computers, cause I signed in yesterday. I gave them one
that I stole from Epic."
f. On or about June 2011, NESHEIWAT unlawfully downloaded from Epic's

computer network certain Copyrighted Works and Works Being Prepared For
Commercial Distribution, including "Gears of War 3," which was developed
by Epic and had not yet been commercially released. The copyrights and
trademarks to "Gears of War 3," which was commercially released on or
about September 20, 2011, are held by Epic and Microsoft.
g. On or about July 15,2011, NESHEIWAT sentPOKORA a package labeled
"Wedding Videos," which included Blu-Ray discs containing Copyrighted
Works and Works Being Prepared for Commercial Distribution, including
"Gears of War 3" gaming software.

18

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 19 of 39 PageID #: 24

h. On or about July 8, 2011, the co-conspirators provided Person A with access

to a website controlled by POKORA. The co-conspirators permitted Person A
to download approximately 39 files from POKORA's website. These files
contained Copyrighted Works and Works Being Prepared for Commercial
Distribution, including Epic and Microsoft's "Gears of War 3" gaming
software.
i.

On or about July 19,2011. via an electronic communication and transmitted

to computers connected to the Internet from, among other places, Delaware,
New Jersey, Maryland and Canada, PQJfR.~ solicited the assistance of his
co-conspirators and Person A in installing encryption software on his hard
drives. During the conversation, POKORA stated: "I need your help. I'm
going to get arrested." POKORA subsequently stated: "I need to encrypt
some hard drives." A co-conspirator stated: "If you, encrypt it right, they're
not going to find anything."

j.

On or about July 20, 2011, via an electronic communication and transmitted to

computers connected to the Internet from, among other places, Delaware,
New Jersey, Maryland and Canada, POKORA offered to provide the co~onspirators

and Person A with access to "Gears of War 3." Referring to

possible interactions with law enforcement if such activity was discovered,

POKORA stated: "If we ever go disappearing, just, you know, upload it to
the Internet and say fuck you Epic, if you know, they ever go after us."
k. On or about September 28, 2011, via electronic communications transmitted

to computers connected to the Internet from, among other places, Delaware,

19

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 20 of 39 PageID #: 25

New Jersey, Maryland and Canada, POKORA, his co-conspirators and others
utilized TeamViewer software to jointly and remotely access a computer
controlled by POKORA. This computer contained multiple databases within
a "Hacking'' folder, labeled in a manner consistent with the Victims' names,
including: Epic Games (i.e., "epicgames_user_db_cracked") and Valve Corp.
(i.e., "steam_valve_accs.html"). POKORA provided Person A with access to

these databases. which contained compromised means of identification for

over 200 individual victim accounts, including fields such as usemame,
password, and e-mail address. POKORA also provided access to usemames,
passwords, encrypted passwords or "password hashes," and e-mail addresses,
for approximately 47 additional accounts.
1. On or about October 2, 2011, via electronic communications transmitted to
computers connected to the Internet from, among other places, Delaware,
New Jersey, Maryland, Australia and Canada, POKORA, his co-conspirators

by.

and Person A initiated a Remote Desktop Protocol connection to Epic's

computer network through an intermediary network node controlled

POKORA and the others logged into Epic's webmail server with the Log-In
Credentials of an Epic employee who was assigned to respond to lmown
intrusions into Epic's computer network. POKORA and the others accessed
an Epic e-mail account and visually reviewed approximately 35
Authentication Keys. POKORA and his co-conspirators then posted the
proprietary software keys to the "Pastebin.com" website.

20

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 21 of 39 PageID #: 26

m. On or about March 201

transferred a partial software build of "Gears

of War 3" via the Internet to an individual using the alias "Xboxdevguy."
n. In multiple online instant message chats occurring in May and July 2012, via
computers connected to the Internet from Delaware and Australia.
provided Person A with the credit card information for an Epic Games
corporate credit card issued to Epic employee, S.S., including the card
number. cardholder name, expiration date, and card brand.
Valve Computer Network

o. On or about September 28, 2011, POKORA obtained i~gitimate Log-In

Credentials for Valve's computer network, including those of Valve
Information Technology employees.
p. POKORA stored these Log-In Credentials in multiple databases that
contained usernames, passwords, and e-mail addresses for numerous Valve
employees. POKORA saved these database files to a computer under his
control within a file directory named
"/Hacking/Databases/Importantdbs/Cracked." POKORA allowed Person A,
who connected to the Internet :from Delaware, to view these database files.
q. Utilizing TeamViewer, Internet audio calls, and instant messaging services,
via computers connected to the Internet from, among other places, Delaware,
New Jersey, Maryland, Australia and Canada, POKORA, his co-conspirators
and Person A used legitimate Log-In Credentials to gain unauthorized access
to Valve's network, and transferred a file named "MW3_MP_BETA_l.rar."
1bis file contained a computer game called "Call of Duty: Modem Warfare

21

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 22 of 39 PageID #: 27

3," which was being prepared for commercial release by Activision Blizzard,
Inc., the holder of various trademarks and copyrights relating to the game.
"Call of Duty: Modem Warfare 3" was commercially released on or about
November 8, 2011.
r. After obtaining "Call of Duty: Modem Warfare 3," POKORA used an instant
messaging service to transmit to . . a link allowing him to download "Call
ofDn1y: Modem Warfare 3."

s. On or about September 27, 2011, POKORA provided Person A, who was

connected to the Internet from Delaware, with a link to a domain controlled by
-

Person A downloaded "MW3_MP_BETA_l.rar'' from this website.

t. During the group's theft of"Call ofDuty: Modem Warfare 3" from Valve,
POKORA and his co-conspirators made the following statements:

i. When discussing the "Modem Warfare 3" file download, a coconspirator stated: "you don't get those unless you're Valve," to
which POKORA responded: "well, unless you're us."

ii. POKORA additionally state~: "yeah, let's get arrested."

iii. POKORA characterized his access to the software with the following
statements:
1. "I'm going to setup the laptop so it's ready to steal shit."

2. "first I'm going to have to grab it off the [Valve] FTP."

3. "then I'm going to be looking at files actually on the network."
u. POKORA used an Internet-connected computer controlled by - t o store
the stolen copy of "Call of Duty: Modern Warfare 3."

22

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 23 of 39 PageID #: 28

v. Also located on the Internet-connected computer controlled by.was a

file named "steam:fkn.png," which contained a screenshot of the administrator
interface for Valve's "Steam" website as an unauthorized download of a file
named "vbulletin.sql" was being conducted from Valve's network. Over the
screenshot was the text: ''Ruddified fknOwned steam." Billing and account
records show that-was the owner of the Ip.ternet domain
''www.ruddified.com."

Zombie Studios Computer Network and U.S. Army Virtual Private Network
w .. On or about May 14, 2012, during an online communications session, . .
and Person A, who was connected to the Internet from Delaware, discussed
computer intrusions into Zombie Studios. ~ted, in part:
Time to see if I can connect to Zombie Studios still
pull some military shit

They have a tunnel to the US Army

x. On or about July 29, 2012, via computers connected to the Internet from,
among other places, Delaware, Indiana, Maryland, Australia and Canada,
. . . LEROUX, ALCALA and others, including Person A, utilized
TeamViewer software to intrude into the computer network of Zombie
Studios.
y. During this intrusion,

LEROUX, ALCALA and others accessed pre-

release software and software builds for gaming software being developed by

23

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 24 of 39 PageID #: 29

Zombie Studios, as well as personally identifying information of Zombie

Studios' employees. transmitted the means of identification, including
the name, social security number, home address, and tax documents, of
"C.L.," a Zombie Studios employee, to Person A, in Delaware; to ALCALA,

in Indiana; and to LEROUX, in Maryland. After gaining access to C.L.'s

Personal Data,. subsequently submitted credit card applications in the
names ofC.L. and M.L, for limits of$15,000 and $10,000.

additionally

attempted to open a "Lendingclub.com" account in the name of C.L for

approximately $20,000.

accessed these accounts online and provided a

Delaware mailing address associated with Person A.

z. Person A subsequently received, vi~ United States Mail, credit account

activation notices in the names of C.L. and M.L. at the Delaware address.
aa. On or about July 31, 2012, via computers connected to the Internet from,

among other places, Delaware, Maryland, Australia and Canada,

LEROUX, and others, including Person A, utilized TeamViewer software to
participate in a Remote Desktop Protocol intrusion into the computer network
of Zombie Studios.
bb. During this intrusion, ~d his co-conspirators accessed Works Being

Prepared for Commercial Distribution and pre-release software builds for

gaming software being developed by Zombie Studios through computers and
network assets controlled by Zombie Studios and its employees.

and his

co-conspirators accessed approximately 18 computers, websites, accounts,

and/or network shares using unauthorized credentials. Data accessed during

24

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 25 of 39 PageID #: 30

this intrusion included multiple software products produced by, or licensed to,
Zombie Studios.

additionally reviewed a Zombie Studios internal

website descnoing how to connect to a United States Army Perforce server.

cc. On or about November 27, 2012,. accessed Zombie Studios employee
C.L.'s computer. -also had previously accessed C.L.'s Outlook webmail
account, and had executed a "forced password reset," which allowed . t o
use C.L. 's Outlook account to access the United States Army's Perforce
Virtual Private Network. C.L. was authorized to access the United States

Army's Perforce Virtual Private Network in connection with Zombie Studios'

contract for the design of United States Army Apache Helicopter Pilot
simulation software entitled, "AH-64D Apache Simulator."
dd. On or about December 11, 2012, via computers connected to the Internet from
Australia, .logged into the United States Army's Perforce Virtual Private
Network server using the new password and log-in credentials for C.L. 's
account.
ee. During this December 11, 2012 trespass into the United States Army's
Perforce Virtual Private Network,-ccessed Army Apache Helicopter
Pilot simulation software entitled "AH-64D Apache Simulator," which was
developed by Zombie Studios under contract with the United States
Department of ~Y

ff. On or about AprillO, 2013,

the Internet from Delaware, with access to a server controlled by . a n d

25

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 26 of 39 PageID #: 31

permitted Person A to download approximately five gigabytes of files

pertaining to the "AH-64D Apache Simulator."
gg. Zombie Studios maintained a firewall log of"offending" IP addresses, which
had attempted or completed unauthorized, remote connections to Zombie
Studios' network during the approximate date range of May 2012 through

January 2013. Within this period, the following IP addresses, which were
known to have been utilized by . t o access Zombie Studios' computer
network, had the following number of records:
203.59.226.40- approximately 104 entries;
203.59.226.72- approximately 13 entries;
203.59.226.73- approximately 3 entries;
203.59.226.75- approximately 3 entries.
Microsoft Game Developer Network Portal

hh. In or about 2011 and 2012, Microsoft and its development partners were
designing a next-generation Xbox gaming console, which Microsoft internally
codenamed "Durango" and later publicly named "Xbox One," as well as
software to be used with the new Xbox console. Microsoft released the
"Xbox One" fo.r commercial distribution on or about November 22, 2013.
ii. Microsoft operated a "Game Developer Network Portal" ("GDNP''), which

was an online system allowing prospective developers of games for

Micro soWs Xbox and other gaming platforms to access, through an
authentication system, pre-release Xbox operating system development tools
~d software. Microsoft controlled access to the GDNP by, among other

methods, imposing licensing and other requirements for authorized users to be

26

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 27 of 39 PageID #: 32

registered with Microsoft. In addition, Microsoft administered separate access

enclaves within GDNP for more-restricted data.

jj. Microsoft also provided developers with access to a software platfonn, known
as ''PartnerNet," to refine video game creation. Microsoft controlled access to
PartnerNet by, among other methods, licensing and providing authorized
network users with an ":Xbox Development Kif' ("XDK''), which are nonretail units used to access PartnerNet.
kk. Beginning in or about January 2011, LEROUX, NESHEIWAT, POKORA,
ALCALA,.and others engaged in incidents of unauthorized access into
Microsoft's computer networks, including GDNP' s protected computer
network, during which they stole Log-In Credentials, Personal Data,
Confidential and Proprietary Corporate Information, Trade Secrets,
Copyrighted Works, and Works Being Prepared for Commercial Distribution
relating to the Xbox gaming system. In particular, LEROUX. NESHEIWAT,
POKORA, ALCALA, ~d others accessed GDNP with valid, but stolen,
accounts associated with legitimate Microsoft software-development partners.
'

11. During an online electronic communication session conducted by the coconspirators on or about August 11, 2011 from computers connected to the
Internet from Australia, Canada, Delaware, and New Jersey, POKORA
claimed: "I got a couple of GDN accounts. I actually have over 16,000, just
pure developer accounts for different studios."
mm.

In or about July and August 2012, NESHEIWAT, LEROUX, POKORA,

ALCALA,. and others engaged in electronic communications from

computers connected to the Internet from Australia, Canada, Indiana,
27

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 28 of 39 PageID #: 33

Maryland, New Jersey, and Delaware, and shared information that they had
gained from accessing Microsoft's PartnerNet and GDNP.

Th~

co-

conspirators then entered email addresses, passwords, and account usernames

of Microsoft's Xbox-related development partners they had obtained until
they found active ac~ounts that could be used to gain unauthorized access to
Microsoft's computer networks. The group then spent hundreds of hours
searching through these networks for files containing intellectual property,
and personal, confidential and proprietary information.

nn. Using the stolen Log-In Credentials that provided them access to Microsoft's
computer networks, LEROUX, NESHEIWAT, POKORA, ALCALA and
copied files containing or relating to the specialized operating system
with software source code, technical specifications, assembly instructions, and
software design and source code writing specifications for use by game
developers for the next-generation Xbox gaming console, which Microsoft
internally codenamed "Durango" and later publicly named ''Xbox One" and
which was being prepared for commercial distribution.
to use this stolen data and operating

oo. LEROUX, POKORA, and

system software to manufactUre and then sell counterfeit versions of the next
generation Xbox gaming console, which Microsoft internally codenamed
"Durango" and later publicly named "Xbox One" and which was being
prepared for commercial distribution.
pp. LEROUX subsequently ordered hardware components from NewEgg.com and
other online vendors to build a counterfeit version of the next-generation

28

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 29 of 39 PageID #: 34

Xbox gaming console, which Microsoft internally codenamed "Durango" and

later publicly named "Xbox One" and which was being prepared for
commercial distribution.
qq. During an electronic communication conducted on or about July 24, 2012
from computers connected to the Internet from Canada, Australia, and
Delaware, POKORA,., and Person A discussed a plan pursuant to which
Person A would travel from Delaware to LEROUX's residence in Maryland

to obtain custody of a counterfeit version of the next-generation Xbox gaming

console built by LEROUX.
rr. Person A was instructed by the co-conspirators to send, by United States Mail,
the counterfeit version of the next-generation Xbox gaming console built by
LEROUX from Delaware to an individual located in Victoria, Mahe, Republic
of Seychelles.
ss. On or about August 9, 2012, Person A traveled from Delaware to LEROUX's
Maryland residence, where LEROUX gave Person A the counterfeit version
of the next-generationXbox gaming console built by LEROUX, with the
understanding that Person A would transport the counterfeit Xbox console
into Delaware and then mail it to the Republic of Seychelles.
tt. On or about August 9, 2012, Special Agents of the Federal Bureau of

Investigation obtained, from Person A in Delaware, the counterfeit version of

the next-generation Xbox gaming console built by LEROUX. Microsoft
subsequently confirmed that this counterfeit version of the next-generation
Xbox gaming console contained stolen Microsoft intellectual property.

29

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 30 of 39 PageID #: 35

uu. In or about August 2012,

listed another counterfeit version of the next

generation Xbox gaming console for sale on eBay.com.

sold this

counterfeit version of the next-generation Xbox gaming console for

approximately $5,000.
vv. paid LEROUX a portion of the sales proceeds from the counterfeit
version of the next generation Xbox gaming console by giving LEROUX
access to . s credit card.

ww.

On or about February 22,2013, "Kotaku.com," a website devoted to the

discussion of computer games, published an article entitled: "The Rise and

Fall of SuperDaE, a Most Unusual Video Game Hacker.'' In this article, was quoted as discussing his unauthorized access to a next-generation Xbox
gaming console and his dissemination of approximately 20 Microsoft
confidential documents to a person associated with "Kotaku.com."
xx.

On or about August 12 and 13, 2013, POKORA, ALCALA and others

conducted unauthorized intrusions into Microsoft's GDNP computer network
by utilizing previously stolen means of identification oflegitimate users of the
GDNP network. During this intrusion, ALCALA downloaded various files
relating to "Xbox One" and "Xbox Live" from Microsoft's network to his
computer, including files that contained Confidential and Proprietary
Corporate Information, Trade Secrets, Copyrighted Works, and Works Being
Prepared for Commercial Distribution.

yy. During the August 12 and 13, 2013 intrusion in Microsoft's GDNP computer

network, ALCALA displayed to co-conspirators and Person A, in Delaware,

30

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 31 of 39 PageID #: 36

files relating to ''Xbox Onen that the group had stolen from Microsoft's
computer network during prior intrusions, including files named "GDN.txt,"
''Durango ins1ructions.png," and "P4 Epic.txt." ALCALA also displayed a
folder named ''Durango\Latest," which contained a file named ''Xbox One
Roadmap."
zz. In or about September 2013, ALCALA and POKORA brokered a physical
theft, committed by A.S. and B.A., of multiple Xbox Development Kits
(XDKs) from a secure building on Microsoft's Redmond, Washington

campus. Using stolen access credentials to a Microsoft buildlng, AS. and

E.A. entered the building and stole three non-public versions of the Xbox One
console, which contained confidential and proprietary intellectual property of
Microso~ including source code for the Xbox One operating system. A.S.

and E.A. subsequently mailed two of the stolen consoles to ALCALA and
POKORA. In return, ALCALA transmitted to A.S. stolen Log-in Credentials
thatprovidedA.S. with access to Microsoft's GDNP.
aaa.

On or about October 2, 2013, ALCALA conducted an unauthorized

intrusion into Microsoft's GDNP by using the stolen credentials ofM.I., an

authorized user employed by a Microsoft Xbox development partner.
All in violation of Title 18, United States Code, Section 371.
COUNT2

(Conspiracy to Commit Wire Fraud)

18 U .S.C. 1349

6.

The allegations contained in paragraphs 1 through S of the Superseding

Indictment are re-alleged and incorporated as if set forth herein.

31

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 32 of 39 PageID #: 37

7.

Between in or about January 2011 and in or about October 2013, in the District of

Delaware and elsewhere, the defendants

NATHAN LEROUX,
a/k/a "natelx,"
aJk/a "animefre4k,"
aJk/a "confettimancer"
aJk/a "void mage," '
a/k/a "Durango,"
aJk/a "Cthulhu,"
SANADODEHNESHEIWAT,
alkla "rampuptechie,"
aJk/a "Soniciso,"
aJk/a "Sonic,"
DAVID POKORA,
aJk/a "Xenomega 9,"
aJk/a "Xenon7,"
a/k/a "Xenomega," and
AUSTIN ALCALA,
aJk/a "AAmonkey,"
aJk/a "AAmonk.eyl,"
did knowingly and intentionally conspire and agree among themselves and with others known
and unknown to the grand jury, including C.W., A.S., and E.A., to execute a scheme and
artifice to commit wire fraud, in violation of Title 18, United States Code, Section 1343, to wit,
devising and intending to devise a scheme and artifice to defraud and to obtain money and
property by means of false and fraudulent pretenses, representations and promises, as set forth in
Paragraphs 1 through 5 above, and in furtherance thereof, on or about the dates set forth below,
in the District ofDelaware and elsewhere, causing to be transmitted by means of wire
communication in interstate and foreign commerce, writings, signs, signals, pictures and sounds,
including but not limited to emails and Log-In Credentials assigned to actual employees of the
Victims, for the purpose of executing such scheme and artifice:

32

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 33 of 39 PageID #: 38

All in violation ofTitle 18, United States Code, Section 1349.

COUNTS3-4

(Wire Fraud)

18 u.s. c. 1343

8.

The allegations contamedinparagraphs 1 tbrougb.S ofthe Superseding

Indictment are re-alleged and incorporated as if set forth herein.

9.

On or about each of the dates set forth below, each instance constituting a

separate count, in the District ofDelaware and elsewhere, the defendants,

NATIIAN LEROUX,
alk/a "natelx,"
a!k/a "animefre4k,"
a!k/a "confettimancer,"
a/k/a "void mage,"
aJkfa "Durango,"
aJkla "Cthulhu,"
SANADODEHNESHEIWAT,
alk/a "rampuptechie,"
aJkfa "Soniciso,"
aJkla "Sonic," and
DAVID POKORA,
a!k/a "Xenomega 9,"
alk/a 'Xenon7,"
a!kia 'Xenomega,"
having intentionally devised and intending to devise a scheme and artifice to defraud, and for
obtaining money and property, by means of materially false and fraudulent pretenses,
representations, and promises, and for the purpose of executing such scheme and artifice, and
attempting to do so, knowingly transmitted and caused to be transmitted, by means of wire
33

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 34 of 39 PageID #: 39

communication in interstate and foreign commerce, the following writings, signs, signals,
pictures,

and sounds:

computer network of pre~release "Call of

Modem Warfare 3" software
All in violation of Title 18, United States Code, Section 1343.
COUNTS 5-6
(Wire Fraud)
18 u.s.c. 1343

10.

The allegatio:ils contained in paragraphs 1 through 5 of the Super;eding

Indictment are re~alleged and incorporated as if set forth herem.

11.

On or about each of the dates set forth below, each instance constituting a

separate count, in the District ofDelaware"and elsewhere, the defendants,

NATHAN LEROUX,
a/kla "natelx,"
a/k/a "anim.efre4k,"
a/kla "confettimancer,"
a/k/a "void mage,"
a/kfa "Durango,"
a/k/a "Ctb.ulhu,"
SANADODEHNESHEIWAT,
a/kla ''rampuptechie,"
alkla "Soniciso,"
a/k/a "Sonic,"
DAVID POKORA,
alk/a "Xenomega 9,"
a/k/a "Xenon7,"
a/k/a "Xenomega," and
AUSTIN ALCALA,
alk/a "AAmonkey,"
alkJa "AAmonkeyl,"
34

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 35 of 39 PageID #: 40

having intentionally devised and intending to devise a scheme and artifice- to defraud, and for
obtaining money and property, by means of materially false and :fraudulent pretenses,
representations, and promises, and for the purpose of executing such scheme and artifice, and
attempting to do so, knowingly transmitted and caused to be transmitted, by means ofwixe
communication in interstate and foreign commerce, the following writings, signs, signals,
pictures, and sounds:

computer networks and electronic

transmission of Confidential and
Proprietary Data ofMicroso:ft Corporation,
including Trade Secrets and Copyrighted
Material relating to Xbox Live and to the
next generation Xbox gaming console,
which Microsoft internally codenamed
"Durango" and later publicly named
''Xbox One" and which was being
for commercial distribution
Unlawful download :from U.S. Army
computer network and transmission of
''AH-64D
Simulator'' software

April2013

All in violation of Title 18, United Stf!,tes Code, Section 1343.

COUNT7
(Conspiracy to Commit Theft of Trade Secrets)
18 U.S.C. 1832(a)(l), (a)(2), (a)(3) & (a)(5)

12.

The allegations contained in paragraphs 1 through 5 of the Superseding

Indic1ment are re-alleged and incorporated as if set forth herein.

13.

Between in or aboutJanuary2011 and in or about October 2013, in the District of

Delaware and elsewhere, the defendants

35

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 36 of 39 PageID #: 41

NATHAN LEROUX,
aJk/a "natelx,".
a!k/a "animefre4k,"
a/k/a "confettimancer,"
a/k/a "void mage,''
a/k/a "Durango,"
a!k/a "Cthulhu,"

SANADODEH NESHEIWAT,
a/k/a "rampuptechie,"
a!k/a ''Soniciso,"
a/k/a "Sonic,"
DAVID POKORA,

a/k/a "Xenomega 9,"

a!kla "Xenon7/'
a/k/a "Xenomega," and
AUSTIN ALCALA,
a/kla "AAmonkey,"
a/k/a ''AAmonkeyl,"
with the intent to convert a Trade Secret to the economic benefit of someone other than its
owner, did knowingly and intentionally conspire and agree among themselves and with others
known and unknown to the grand jury, including C. W., A.S. and E.A., to commit theft of
trade secrets, in violation ofTitle 18, United States Code, Sections 1832(a)(l), (a)(2), (a)(3) and
(a)(S), to wit, to steal, and without authorization appropriate, take, carry away, copy, duplicate,
download, upload, replicate, transmit, deliver, send, mail, communicate, convey and possess
Trade Secrets owned by Microsoft Corporation, that is Xbox Gaming System technology,
including but not limited to source code and other trade secrets relating to "Xbox Live," and the
specialized operating system with software source code, technical specifications, descriptions of
expected performance characteristics, plans for the development of new features, descriptions of
assembly instructions, descriptions of processing unit functionality, and software design and
source code writing specifications for use by game developers for the next-generation Xbox
gaming console, which Microsoft internally codenamed "Durango" and later public~y named
36

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 37 of 39 PageID #: 42

"Xbox One," and which is related to and included in a product that is produced for and placed in
interstate and foreign commerce, knowing that the Trade Secrets had been stolen, appropriated,
obtained, and converted without authorization, and intending and knowing that the disclosure
would injure Microsoft.
MANNER AND MEANS OF THE CONSPIRACY

14.
ALCALA,

The manner and means by which LEROUX, NESHEIWAT, POKORA,

and their co-conspirators sought to accomplish the conspiracy included, among

other things, the following:

a. It was part of the conspiracy that LEROUX, NESHEIWAT, POKORA,
ALCALA,. and others would unlawfully obtain authentic Log-In Credentials
for Microsoft's Game Development Network Portal ("GDNP").
b. It was further part of the conspiracy that LEROUX, l'ffiSHEIWAT, POKORA,
ALCALA,

and others would gain unauthorized access to Microsoft's

GDNP using the stolen Log-In Credentials and would download Microsoft
Copyrighted Works, Works Being Prepared for Commercial Distribution, and
Trade Secrets relating to the "Xbox Live" online gaming platform and to the nextgeneration Xbox gaming console, which Microsoft internally codenamed
"Durango" and later publicly named "Xbox One," and which was being prepared
for commercial distribution.
c. It was further part of the conspiracy that LEROUX, NESHEIWAT, POKORA,
ALCALA,

and others would share copies of the stolen Microsoft Trade

Secrets with each other and with other co-conspirators in an effort to build and
then sell a counterfeit version of the next-generation Xbox gaming console, which

37

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 38 of 39 PageID #: 43

Microsoft internally codenamed "Durango" and later publicly named "Xbox One"
and which was being prepared for commercial distribution.
d. It was further part of the conspiracy that LEROUX, NESHEIWAT, POKORA,

and others would share with each other and with other co-conspirators the

proceeds from the sale ofthe counterfeit version of the next-generationXbox

gaming console, which Microsoft internally codenamed "Durango" and later
publicly named ''Xbox One" and which was being prepared for commercial
distribution.
e. It was further part of the conspiracy that POKORA, ALCALA,. and others
would design software and would exploit stolen source code for the "Xbox Live"
online gaming platform and for various online games created and owned by the
Victims to sell unauthorized access to those online games on the "Xbox Live"
online gaming platform.
OVERT ACTS

15.

In furtherance of the conspiracy, the following overt acts, among others, were

committed in the District of Delaware and elsewhere:

a. In or about 2011 and 2012, :Microsoft and its development partners were
designing a next-generation Xbox gaming console, which Microsoft internally
codenamed "Durango" and later publicly named "Xbox One," as well as software
to be used with the new Xbox console. Microsoft released ''Xbox One" for
commercial distribution on or about November 22, 2013.
b. Beginning in or about January 2011, LEROUX, NESHEIWAT, POKORA,
ALCALA,. and others engaged in incidents of unauthorized access into

Microsoft's computer networks, including Microsoft's "Game Developer

38

Case 1:13-cr-00078-GMS Document 40 Filed 04/22/14 Page 39 of 39 PageID #: 44

Network Portal" ("GDNP"), during which they stole Log-In Credentials, Trade
Secrets, and Intellectual Property relating to the Xbox gaming system. In
particular, LEROUX, NESHEIWAT, POKORA, ALCALA,. and others
accessed GDNP with valid, but stolen, accounts associated with legitimate
Iv!icrosoft software-development partners.
c. During an online electronic communication session on or about August 11, 2011
from computers connected to the Internet from Australia, Canada, Delaware, and
New Jersey, POKORA claimed: "I got a couple of GDN accounts. I actually
have over 16,000, just pure developer accounts for different studios."
d. In or about July and August 2012, NESHEIWAT, LEROUX, POKORA,

ALCALA, ~d others engaged in electronic communications from

computers connected to the Internet from Australia, Canada, Indiana, Maryland,
New Jersey, and Delaware, and shared information that they had gained from
accessing Microsoft's PartnerNet and GDNP. The co-conspirators then entered
email addresses, passwords, and account usernames of Microsoft's Xbox-related
development partners they had obtained until they found active accounts that
could be used to gain unauthorized access to Microsoft's computer networks. The
group then spent hundreds of hours searching through these networks for files
containing intellectual property, and personal, confidential and proprietary
information.
e. Using the stolen Log-In Credentials that provided them access to Microsoft's
computer networks, LEROuX, NESHE~AT, POKORA, ALCALA, . a n d
others copied files relating to Xbox Live and containing or relating to the

39