Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 1 of 42

AO 106A (08/18) Application for a Warrant by Telephone or Other Reliable Electronic Means

UNITED STATES DISTRICT COURT

for the
District of&ROXPELD
In the Matter of the Search of
(Briefly describe the property to be searched )
or identify the person by name and address) )
INFORMATION ASSOCIATED WITH ONE CELL PHONE ) Case No. 21-SC-3462
ACCOUNT STORED AT PREMISES CONTROLLED BY )
)
VERIZON PURSUANT TO 18 U.S.C. § 2703 FOR )
INVESTIGATION OF VIOLATIONS OF 18 U.S.C. § 1512
APPLICATION FOR A WARRANT BY TELEPHONE OR OTHER RELIABLE ELECTRONIC MEANS
I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under
penalty of perjury that I have reason to believe that on the following person or property (identify the person or describe the
property to be searched and give its location):
6HH$WWDFKPHQW$.
District of New Jersey
/RFDWHGLQWKHBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB , there is now concealed (identify the SHUVRQ RU GHVFULEH WKH
SURSHUW\ WR EH VHL]HG

6HH$WWDFKPHQW %.

The basis for the search under Fed. R. Crim. P. 41(c) is (check one or more):
✔ evidence of a crime;
u
✔
u contraband, fruits of crime, or other items illegally possessed;
u property designed for use, intended for use, or used in committing a crime;
u a person to be arrested or a person who is unlawfully restrained.
The search is related to a violation of:
Code Section Offense Description
18 U.S.C. § 1512(c)(2) - Obstruction of Justice/Congress; 18 U.S.C. §§ 1752(a)(1) and (2) (Unlawful Entry on Restricted
Buildings or Grounds); 40 U.S.C. §§ 5104(e)(2)(D) and (G) (Violent Entry and Disorderly Conduct on Capitol Grounds)

The application is based on these facts:

See Affidavit in Support of Application for Search Warrant.

u Continued on the attached sheet.

u Delayed notice of days (give exact ending date if more than 30 days: ) is requested under
18 U.S.C. § 3103a, the basis of which is set forth on the attached sheet.

Applicant’s signature

Kellen Grogan, Special Agent

Printed name and title

Attested to by the applicant in accordance with the requirements of Fed. R. Crim. P. 4.1 by
tHOHSKRQH (specify reliable electronic means).

Date: 11/4/2021
Judge’s signature

City and state: :DVKLQJWRQ'& Robin M. Meriweather

8QLWHG 6WDWHV 0DJLVWUDWH -XGJH
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 2 of 42

AO 93C () :DUUDQWE\7HOHSKRQHRU2WKHU5HOLDEOH(OHFWURQLF0HDQV u Original u Duplicate Original

UNITED STATES DISTRICT COURT

for the
'LVWULFWRI&ROXPELD
In the Matter of the Search of
)
(Briefly describe the property to be searched
or identify the person by name and address) )
INFORMATION ASSOCIATED WITH ONE CELL PHONE ) Case No. 21-SC-3462
ACCOUNT STORED AT PREMISES CONTROLLED BY )
VERIZON PURSUANT TO 18 U.S.C. § 2703 FOR )
INVESTIGATION OF VIOLATIONS OF 18 U.S.C. § 1512 )

:$55$17%<7(/(3+21(2527+(55(/,$%/((/(&7521,&0($16
To: Any authorized law enforcement officer
An application by a federal law enforcement officer or an attorney for the government requests the searchDQGVHL]XUH
District of New Jersey
of the following person or property located in theBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
(identify the person or describe the property to be searched and give its location):

See Attachment A (incorporated by reference). This court has authority to issue this warrant under 18 U.S.C. §§ 2703
(c)(1)(A), and 2711(3)(A).

I find that the affidavit(s), or any recorded testimony, establish probable cause to search and seize the person or property
described above, and that such search will reveal (identify the person or describe the property to be seized):
See attachment B, incorporated by reference.

YOU ARE COMMANDED to execute this warrant on or before November 18, 2021 (not to exceed 14 days)
u in the daytime 6:00 a.m. to 10:00 p.m. ✔
u at any time in the day or night because good cause has been established.

Unless delayed notice is authorized below, you must give a copy of the warrant and a receipt for the property taken to the
person from whom, or from whose premises, the property was taken, or leave the copy and receipt at the place where the
property was taken.
The officer executing this warrant, or an officer present during the execution of the warrant, must prepare an inventory
as required by law and promptly return this warrant and inventory to Robin M. Meriweather .
(United States Magistrate Judge)

u Pursuant to 18 U.S.C. § 3103a(b), I find that immediate notification may have an adverse result listed in 18 U.S.C.
§ 2705 (except for delay of trial), and authorize the officer executing this warrant to delay notice to the person who, or whose
property, will be searched or seized (check the appropriate box)
for days (not to exceed 30) u until, the facts justifying, the later specific date of .

Date and time issued: 11/4/2021

Judge’s signature

City and state: Washington, D.C. Robin M. Meriweather

8QLWHG6WDWHV0DJLVWUDWH-XGJH
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 3 of 42
AO 93& () :DUUDQWE\7HOHSKRQHRU2WKHU5HOLDEOH(OHFWURQLF0HDQV(Page 2)

Return
Case No.: Date and time warrant executed: Copy of warrant and inventory left with:
21-SC-3462
Inventory made in the presence of :

Inventory of the property taken and nameV of any person(s) seized:

Certification

I declare under penalty of perjury that this inventory is correct and was returned along with the original warrant to the
designated judge.

Date:
Executing officer’s signature

Printed name and title

 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 4 of 42

ATTACHMENT A
Property to Be Searched

This warrant applies to records and information associated with the Verizon Wireless

account identified by -1908 (the “Account”) and which is stored at premises owned,

maintained, controlled, or operated by Cellco Partnership d/b/a Verizon Wireless, a wireless

telephone service provider headquartered in Bedminster, New Jersey.

 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 5 of 42

ATTACHMENT B
Particular Things to Be Seized and
Procedures to Facilitate Execution of the Warrant

I. Information to be Disclosed by Cellco Partnership d/b/a Verizon Wireless

(“PROVIDER”) to Facilitate Execution of the Warrant

To the extent that the information described in Attachment A is within the possession,

custody, or control of PROVIDER, including any records that have been deleted but are still

available to the Provider or have been preserved pursuant to a request made under 18 U.S.C.

§ 2703(f), the Provider is required to disclose to the government the following information

pertaining to the Account listed in Attachment A:

a. The following information about the customers or subscribers of the Account:

i. Names (including subscriber names, user names, and screen names);

ii. Addresses (including mailing addresses, residential addresses, business

addresses, and e-mail addresses);

iii. Local and long distance telephone connection records;

iv. Records of session times and durations, and the temporarily assigned
network addresses (such as Internet Protocol (“IP”) addresses) associated
with those sessions;

v. Length of service (including start date) and types of service used;

vi. Telephone or instrument numbers (including MAC addresses, Electronic

Serial Numbers (“ESN”), Mobile Electronic Identity Numbers (“MEIN”),
Mobile Equipment Identifier (“MEID”); Mobile Identification Number
(“MIN”), Subscriber Identity Modules (“SIM”), Mobile Subscriber
Integrated Services Digital Network Number (“MSISDN”); International
Mobile Subscriber Identity Identifiers (“IMSI”), or International Mobile
Equipment Identities (“IMEI”);

vii. Other subscriber numbers or identities (including the registration Internet

Protocol (“IP”) address); and
Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 6 of 42

viii. Means and source of payment for such service (including any credit card or
bank account number) and billing records.

b. For the time period from January 5, 2021 to January 7, 2021: All records and other

information relating to wire and electronic communications sent or received by the

Account, including:

i. Records of the date and time of the communication, the method of the

communication, and the source and destination of the communication (such

as the source and destination telephone numbers (“call detail records”),

email addresses, and IP addresses) including web browsing history and text

messaging history;

ii. Information regarding the cell tower and antenna face (also known as

“sectors”) through which the communications were sent and received; and

iii. Records and information regarding per-call measurement data (PCMD)

(also known as Network Event Location Services (NELOS), Timing

Delay/Timing Advance (TA), TrueCall, Time on Tower Report, and/or Real

Time Tool (RTT) data).

c. All records pertaining to devices associated with the Account, including the names

and phone numbers associated with other devices on the subscriber’s plan,

including device serial numbers, instrument numbers, model types/numbers,

International Mobile Equipment Identities (“IMEI”), Mobile Equipment Identifiers

(“MEID”), Global Unique Identifiers (“GUID”), Electronic Serial Numbers

(“ESN”), Android Device IDs, phone numbers, Media Access Control (“MAC”)

addresses, operating system information, browser information, mobile network

2
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 7 of 42

information, information regarding cookies and similar technologies, and any other

unique identifiers that would assist in identifying any such device(s).

Within 14 days of the issuance of this warrant, PROVIDER shall deliver the information set forth

above via United States mail, courier, or e-mail to the following:

Special Agent Kellen Grogan

Federal Bureau of Investigation
Washington Field Office
601 4th Street NW
Washington, DC 20535
[email protected]

This warrant authorizes a review of records and information disclosed pursuant to this

warrant in order to locate evidence, fruits, and instrumentalities described in this warrant. The

review of this electronic data may be conducted by any government personnel assisting in the

investigation, who may include, in addition to law enforcement officers and agents, attorneys for

the government, attorney support staff, and technical experts. Pursuant to this warrant, the FBI

may deliver a complete copy of the disclosed electronic data to the custody and control of attorneys

for the government and their support staff for their independent review.

3
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 8 of 42

II. Information to be Seized by the Government

All information described above in Section I that constitutes evidence, instrumentalities,

fruits, and contraband of the violations of 18 U.S.C. § 1512(c)(2) (Obstruction of

Justice/Congress); 18 U.S.C. § 1752(a)(1) and (2) (Unlawful Entry on Restricted Buildings or

Grounds); and 40 U.S.C. § 5104(e)(2)(D) and (G) (Violent Entry and Disorderly Conduct on

Capitol Grounds) as described in the affidavit submitted in support of this Warrant, including, for

each Account, information pertaining to the following matters:

(a) Information that constitutes evidence concerning the riot that occurred at the U.S.

Capitol on January 6, 2021;

(b) Information that constitutes evidence of the user’s presence in and around the U.S.

Capitol on January 6, 2021;

(c) Information that constitutes evidence of the user’s participation in the riot that

occurred at the U.S. Capitol on January 6, 2021, to include travel to and from

Washington, DC;

(d) Information that constitutes evidence of any planning and preparation that the user

of the account undertook prior to committing the criminal activity under

investigation;

(e) Information that constitutes evidence of any steps that the user of the account took

to disguise or hide their participation in the criminal activity under investigation;

(f) Information that constitutes evidence of the identification or location of the user(s)

of the Account;

(g) Information that constitutes evidence concerning persons who either (i)

collaborated, conspired, or assisted (knowingly or unknowingly) the commission

4
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 9 of 42

of the criminal activity under investigation; or (ii) communicated with the Account

about matters relating to the criminal activity under investigation, including records

that help reveal their whereabouts;

(h) Information that constitutes evidence indicating the Account user’s state of mind,

e.g., intent, absence of mistake, or evidence indicating preparation or planning,

related to the criminal activity under investigation;

(i) Evidence indicating how and when the account was accessed or used, to determine

the geographic and chronological context of account access, use, and events relating

to the crime under investigation and to the account owner; and

(j) The identity of any person(s) who communicated with the account about matters

relating to the events of January 6, 2021, including records that help reveal their

whereabouts.

This warrant authorizes a review of electronically stored information, communications,

other records and information disclosed pursuant to this warrant in order to locate evidence, fruits,

and instrumentalities described in this warrant. The review of this electronic data may be

conducted by any government personnel assisting in the investigation, who may include, in

addition to law enforcement officers and agents, attorneys for the government, attorney support

staff, and technical experts. Pursuant to this warrant, the FBI may deliver a complete copy of the

disclosed electronic data to the custody and control of attorneys for the government and their

support staff for their independent review

5
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 10 of 42

III. Government Procedures for Warrant Execution

The United States government will conduct a search of the information produced by

PROVIDER and determine which information is within the scope of the information to be seized

specified in Section II. That information that is within the scope of Section II may be copied and

retained by the United States.

Law enforcement personnel will then seal any information from PROVIDER that does not

fall within the scope of Section II and will not further review the information absent an order of

the Court. Such sealed information may include retaining a digital copy of all information received

pursuant to the warrant to be used for authentication at trial, as needed.

6
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 11 of 42

IN THE UNITED STATES DISTRICT COURT FOR THE

DISTRICT OF COLUMBIA

IN THE MATTER OF THE SEARCH OF

INFORMATION ASSOCIATED WITH
ONE CELL PHONE ACCOUNT STORED SC No. 21-sc-3462
AT PREMISES CONTROLLED BY
VERIZON PURSUANT TO 18 U.S.C.
§ 2703 FOR INVESTIGATION OF
VIOLATIONS OF 18 U.S.C. § 1512

Reference: Case # 21-mj-245; USAO # 2021R00792; Subject Account: -1908

AFFIDAVIT IN SUPPORT OF
AN APPLICATION FOR A SEARCH WARRANT

I, Kellen Grogan, being first duly sworn, hereby depose and state as follows:

INTRODUCTION AND AGENT BACKGROUND

1. I make this affidavit in support of an application for a search warrant for certain

location and related information associated with one cellular telephone account assigned the phone

number -1908 (“the SUBJECT PHONE NUMBER”), that is stored at premises controlled

by Cellco Partnership d/b/a Verizon Wireless (“PROVIDER”), a cellular service provider

headquartered in Bedminster, New Jersey. The information to be searched is described in the

following paragraphs and in Attachment A. This affidavit is made in support of an application for

a search warrant under 18 U.S.C. §§ 2703(a), 2703(b)(1)(A), and 2703(c)(1)(A) to require

PROVIDER to disclose to the government copies of the information further described in Section

I of Attachment B. Upon receipt of the information described in Section I of Attachment B,

government-authorized persons will review the information to locate items described in Section II

of Attachment B, using the procedures described in Section III of Attachment B.

2. I am a Special Agent with the Federal Bureau of Investigation (“FBI”). I have

served as a Special Agent with the FBI since March 2012. Since January 2016 I have been
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 12 of 42

assigned to one of the Washington Field Office’s Extraterritorial Counterterrorism squads and

before that to its Joint Terrorism Task Force. Prior to my employment with the FBI, I was a law

enforcement officer in the United States Air Force and Air Force Reserves for approximately ten

years.

3. The facts in this affidavit come from my personal observations, my training and

experience, and information obtained from other agents and witnesses. This affidavit is intended

to show merely that there is sufficient probable cause for the requested warrant and does not set

forth all of my knowledge about this matter.

4. Based on my training and experience and the facts as set forth in this affidavit, there

is probable cause to believe that PHILIP SEAN GRILLO has committed violations of 18 U.S.C.

§ 1512(c)(2) (Obstruction of Justice/Congress); 18 U.S.C. §§ 1752(a)(1) and (2) (Unlawful Entry

on Restricted Buildings or Grounds); and 40 U.S.C. §§ 5104(e)(2)(D) and (G) (Violent Entry and

Disorderly Conduct on Capitol Grounds). There is also probable cause to search the information

described in Attachment A for evidence, instrumentalities, contraband, or fruits of these crimes

further described in Attachment B.

JURISDICTION

5. This Court has jurisdiction to issue the requested warrant because it is a “court of

competent jurisdiction” as defined by 18 U.S.C. § 2711. 18 U.S.C. §§ 2703(a), (b)(1)(A), and

(c)(1)(A). Specifically, the Court is “a district court of the United States . . . that – has jurisdiction

over the offense being investigated.” 18 U.S.C. § 2711(3)(A)(i). As discussed more fully below,

acts or omissions in furtherance of the offenses under investigation occurred within Washington,

DC. See 18 U.S.C. § 3237.

2
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 13 of 42

PROBABLE CAUSE

Background

6. USCP, the FBI, and assisting law enforcement agencies are investigating a riot and

related offenses that occurred at the United States Capitol Building, located at 1 First Street, NW,

Washington, D.C., 20510 at latitude 38.88997 and longitude -77.00906 on January 6, 2021.

7. At the U.S. Capitol, the building itself has 540 rooms covering 175,170 square feet

of ground, roughly four acres. The building is 751 feet long (roughly 228 meters) from north to

south and 350 feet wide (106 meters) at its widest point. The U.S. Capitol Visitor Center is 580,000

square feet and is located underground on the east side of the Capitol. On the west side of the

Capitol building is the West Front, which includes the inaugural stage scaffolding, a variety of

open concrete spaces, a fountain surrounded by a walkway, two broad staircases, and multiple

terraces at each floor. On the East Front are three staircases, porticos on both the House and Senate

side, and two large skylights into the Visitor’s Center surrounded by a concrete parkway. All of

this area was barricaded and off limits to the public on January 6, 2021.

8. The U.S. Capitol is secured 24 hours a day by USCP. Restrictions around the U.S.

Capitol include permanent and temporary security barriers and posts manned by USCP. Only

authorized people with appropriate identification are allowed access inside the U.S. Capitol.

9. On January 6, 2021, the exterior plaza of the U.S. Capitol was closed to members

of the public.

10. On January 6, 2021, a joint session of the United States Congress convened at the

U.S. Capitol. During the joint session, elected members of the United States House of

Representatives and the United States Senate were meeting in separate chambers of the U.S.

Capitol to certify the vote count of the Electoral College of the 2020 Presidential Election, which

3
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 14 of 42

took place on November 3, 2020 (“Certification”). The joint session began at approximately 1:00

p.m. Eastern Standard Time (EST). Shortly thereafter, by approximately 1:30 p.m., the House and

Senate adjourned to separate chambers to resolve a particular objection. Vice President Mike

Pence was present and presiding, first in the joint session, and then in the Senate chamber.

11. As the proceedings continued in both the House and the Senate, and with Vice

President Mike Pence present and presiding over the Senate, a large crowd gathered outside the

U.S. Capitol. As noted above, temporary and permanent barricades were in place around the

exterior of the U.S. Capitol building, and USCP were present and attempting to keep the crowd

away from the Capitol building and the proceedings underway inside.

12. At around 1:00 p.m. EST, known and unknown individuals broke through the police

lines, toppled the outside barricades protecting the U.S. Capitol, and pushed past USCP and

supporting law enforcement officers there to protect the U.S. Capitol.

13. At around 1:30 p.m. EST, USCP ordered Congressional staff to evacuate the House

Cannon Office Building and the Library of Congress James Madison Memorial Building in part

because of a suspicious package found nearby. Pipe bombs were later found near both the

Democratic National Committee and Republican National Committee headquarters.

14. Media reporting showed a group of individuals outside of the Capitol chanting,

“Hang Mike Pence.” I know from this investigation that some individuals believed that Vice

President Pence possessed the ability to prevent the certification of the presidential election and

that his failure to do so made him a traitor.

15. At approximately 2:00 p.m., some people in the crowd forced their way through,

up, and over the barricades and law enforcement. The crowd advanced to the exterior façade of

the building. The crowd was not lawfully authorized to enter or remain in the building and, prior

4
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 15 of 42

to entering the building, no members of the crowd submitted to security screenings or weapons

checks by U.S. Capitol Police Officers or other authorized security officials. At such time, the

certification proceedings were still underway and the exterior doors and windows of the U.S.

Capitol were locked or otherwise secured. Members of law enforcement attempted to maintain

order and keep the crowd from entering the Capitol.

16. Shortly after 2:00 p.m., individuals in the crowd forced entry into the U.S. Capitol,

including by breaking windows and by assaulting members of law enforcement, as others in the

crowd encouraged and assisted those acts. Publicly available video footage shows an unknown

individual saying to a crowd outside the Capitol building, “We’re gonna fucking take this,” which

your affiant believes was a reference to “taking” the U.S. Capitol.

17. Shortly thereafter, at approximately 2:20 p.m. members of the United States House

of Representatives and United States Senate, including the President of the Senate, Vice President

Mike Pence, were instructed to—and did—evacuate the chambers. That is, at or about this time,

USCP ordered all nearby staff, Senators, and reporters into the Senate chamber and locked it down.
5
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 16 of 42

USCP ordered a similar lockdown in the House chamber. As the subjects attempted to break into

the House chamber, by breaking the windows on the chamber door, law enforcement were forced

to draw their weapons to protect the victims sheltering inside.

18. At approximately 2:30 p.m. EST, known and unknown subjects broke windows and

pushed past USCP and supporting law enforcement officers forcing their way into the U.S. Capitol

on both the west side and the east side of the building. Once inside, the subjects broke windows

and doors, destroyed property, stole property, and assaulted federal police officers. Many of the

federal police officers were injured and several were admitted to the hospital. The subjects also

confronted and terrorized members of Congress, Congressional staff, and the media. The subjects

carried weapons including tire irons, sledgehammers, bear spray, and Tasers. They also took

police equipment from overrun police including shields and police batons. At least one of the

subjects carried a handgun with an extended magazine. These actions by the unknown individuals

resulted in the disruption and ultimate delay of the vote Certification.

19. Also at approximately 2:30 p.m. EST, USCP ordered the evacuation of lawmakers,

Vice President Mike Pence, and president pro tempore of the Senate, Charles Grassley, for their

safety.

20. At around 2:45 p.m. EST, subjects broke into the office of House Speaker Nancy

Pelosi.

21. At around 2:47 p.m., subjects broke into the United States Senate Chamber.

Publicly available video shows an individual asking, “Where are they?” as they opened up the door

to the Senate Chamber. Based upon the context, law enforcement believes that the word “they” is

in reference to members of Congress.

6
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 17 of 42

22. After subjects forced entry into the Senate Chamber, publicly available video shows

that an individual asked, “Where the fuck is Nancy?” Based upon other comments and the context,

law enforcement believes that the “Nancy” being referenced was the Speaker of the House of

Representatives, Nancy Pelosi.

7
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 18 of 42

23. An unknown subject left a note on the podium on the floor of the Senate Chamber.

This note, captured by the filming reporter, stated “A Matter of Time Justice is Coming.”

24. During the time when the subjects were inside the Capitol building, multiple

subjects were observed inside the US Capitol wearing what appears to be, based upon my training

and experience, tactical vests and carrying flex cuffs. Based upon my knowledge, training, and

experience, I know that flex cuffs are a manner of restraint that are designed to be carried in

situations where a large number of individuals were expected to be taken into custody.

8
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 19 of 42

25. At around 2:48 p.m. EST, DC Mayor Muriel Bowser announced a citywide curfew

beginning at 6:00 p.m.

26. At around 2:45 p.m. EST, one subject was shot and killed while attempting to break

into the House chamber through the broken windows.

27. At about 3:25 p.m. EST, law enforcement officers cleared the Senate floor.

9
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 20 of 42

28. Between 3:25 and around 6:30 p.m. EST, law enforcement was able to clear the

U.S. Capitol of all of the subjects.

29. Based on these events, all proceedings of the United States Congress, including the

joint session, were effectively suspended until shortly after 8:00 p.m. the same day. In light of the

dangerous circumstances caused by the unlawful entry to the U.S. Capitol, including the danger

posed by individuals who had entered the U.S. Capitol without any security screening or weapons

check, Congressional proceedings could not resume until after every unauthorized occupant had

left the U.S. Capitol, and the building had been confirmed secured. The proceedings resumed at

approximately 8:00 pm after the building had been secured. Vice President Pence remained in the

United States Capitol from the time he was evacuated from the Senate Chamber until the session

resumed.

30. Beginning around 8:00 p.m., the Senate resumed work on the Certification.

31. Beginning around 9:00 p.m., the House resumed work on the Certification.

32. Both chambers of Congress met and worked on the Certification within the Capitol

building until approximately 3 a.m. on January 7, 2021.

33. During national news coverage of the aforementioned events, video footage which

appeared to be captured on mobile devices of persons present on the scene depicted evidence of

violations of local and federal law, including scores of individuals inside the U.S. Capitol building

without authority to be there.

34. Based on my training and experience, I know that it is common for individuals to

carry and use their cell phones during large gatherings, such as the gathering that occurred in the

area of the U.S. Capitol on January 6, 2021. Such phones are typically carried at such gatherings

to allow individuals to capture photographs and video footage of the gatherings, to communicate

10
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 21 of 42

with other individuals about the gatherings, to coordinate with other participants at the gatherings,

and to post on social media and digital forums about the gatherings.

35. Many subjects seen on news footage in the area of the U.S. Capitol are using a cell

phone in some capacity. It appears some subjects were recording the events occurring in and

around the U.S. Capitol and others appear to be taking photos, to include photos and video of

themselves after breaking into the U.S. Capitol itself, including photos of themselves damaging

and stealing property. As reported in the news media, others inside and immediately outside the

U.S. Capitol live-streamed their activities, including those described above as well as statements

about these activities.

36. Photos below, available on various publicly available news, social media, and other

media show some of the subjects within the U.S. Capitol during the riot. In several of these photos,

the individuals who broke into the U.S. Capitol can be seen holding and using cell phones,

including to take pictures and/or videos:

11
Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 22 of 42

12
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 23 of 42

Facts Specific to This Application

37. According to records obtained through a search warrant served on Verizon, on

January 6, 2021, at or about the time of the incident described above, that is, 3:32 p.m., the cell

phone associated with the SUBJECT PHONE NUMBER was identified as having utilized a cell

site consistent with providing service to a geographic area that includes the interior of the United

States Capitol building.

38. According to records provided by PROVIDER, the SUBJECT PHONE NUMBER

is also associated with the following device identifiers: International Mobile Equipment Identity

(“IMEI”) 2484.

1
https://www.thv11.com/article/news/arkansas-man-storms-capitol-pelosi/91-41abde60-a390-4a9e-b5f3-
d80b0b96141e

13
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 24 of 42

39. Two individuals contacted the FBI tip line and stated that they observed CNN

footage of PHILIP GRILLO inside the Capitol on January 6, 2021.

40. On January 14, 2021, the FBI received an anonymous tip from an individual

hereinafter referred to as WITNESS 1. WITNESS 1 stated that s/he saw PHILIP GRILLO

“storm[]” into the Capitol on CNN footage. WITNESS 1 also said, “I saw him twice in CNN in

two separate incidents”. WITNESS 1 stated that s/he knew GRILLO from growing up with him

in Glen Oaks, New York.

41. On January 18, 2021, a tipster, hereinafter referred to as “WITNESS 2,” contacted

the FBI and identified GRILLO from CNN footage. WITNESS 2 included a video and an image

taken from his/her cell phone of the CNN footage where s/he identified GRILLO. Screenshots of

the image and video WITNESS 2 provided are attached below. The red oval was inserted by your

affiant to identify GRILLO.

14
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 25 of 42

42. An FBI agent met with WITNESS 2 and showed him/her surveillance footage from

inside the U.S. Capitol. WITNESS 2 identified GRILLO in the CCTV footage. WITNESS 2

stated s/he has known GRILLO for decades, growing up with him and going to the same schools.

WITNESS 2 stated s/he did not require any aids, such as unique clothing, to identify GRILLO,

and stated s/he knows his face. WITNESS 2 also reported that GRILLO was a member of the

Knights of Columbus. The CCTV image from which WITNESS 2 identified GRILLO is pasted

below.

43. In the course of the investigation, your affiant reviewed video footage recorded

from inside the U.S. Capitol. An individual matching GRILLO’s description and clothing can be

seen in video from the Senate Wing Door climbing into the U.S. Capitol through a broken window

15
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 26 of 42

at or about 2:20 p.m. GRILLO can be seen holding a megaphone in his hand after entering the

building. Screenshots showing GRILLO’s entrance and him holding the megaphone are included

below. Red circles indicate GRILLO and the megaphone.

16
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 27 of 42

44. About fifteen (15) minutes after he entered the U.S. Capitol through the broken

window, GRILLO was captured in a different surveillance camera that faces the Capitol Rotunda

interior. In this video, GRILLO is seen with a crowd of individuals attempting to exit the Rotunda

and gain entry to a separate room that contained doors leading outside, where more protestors were
17
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 28 of 42

gathered. The crowd’s movement is blocked by three Capitol Police officers trying to stop the

crowd’s progress. Eventually the crowd, including GRILLO, is able to move past the officers and

towards the Rotunda’s exterior entryway doors. GRILLO was among the first few individuals to

get past the officers, although he followed the individual who was standing in front of him.

Screenshots from the video footage are pasted below, with GRILLO indicated by a red circle. At

this point, GRILLO no longer appears to be holding a megaphone.

18
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 29 of 42

45. Another surveillance video pointed toward the Rotunda exterior doors picked up

the crowd after it bypassed the previously-mentioned Capitol Police officers. GRILLO and the

large group of individuals approached the exterior entryway doors, which were barricaded with

benches. Protestors outdoors were clearly visible through the door’s windows. GRILLO and the

large crowd gathered at the closed doors while the same three U.S. Capitol Police officers

repositioned themselves and again barred the crowd’s movement, this time preventing them from

opening the exterior doors. GRILLO was able to move about the crowd, eventually moving from

the back to the front and directly in front of the officers. The crowd ultimately pushed against the

officers and against the doors, forcing them open and allowing individuals located outside to gain

entry to the Capitol. At the time the doors were pushed open, GRILLO was standing towards the

middle of the crowd and not making direct contact with the officers. Two screenshots from the

Rotunda exterior doors footage are attached below, with Grillo indicated by a red marking.

19
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 30 of 42

46. Once the doors were opened, allowing more protestors inside the building,

GRILLO briefly went through the doors only to re-enter the Capitol moments later and remain

inside the Capitol. GRILLO can also clearly be seen recording himself on his cell phone, a

screenshot of which is attached below, with red circles to indicate GRILLO and his cell phone.

20
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 31 of 42

47. In the same surveillance footage facing the Rotunda exterior doors, GRILLO can

be seen wearing a Knights of Columbus, St. Anne’s Council #2429, Glen Oaks, New York

embroidered jacket. The FBI conducted an open-records check of GRILLO and confirmed

GRILLO to be a member of the Knights of Columbus chapter, matching the jacket’s description.

Additionally, as stated above, WITNESS 2 reported to the agent s/he met with that GRILLO was

a member of the Knights of Columbus. A screenshot from this footage is attached below.

21
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 32 of 42

48. In video footage found on YouTube, the back of GRILLO’s jacket can be more

clearly seen. A screenshot is pasted below.

22
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 33 of 42

49. In the YouTube footage, which was taken outside the Capitol and near an entryway,

GRILLO was with a crowd that is shouting, “Fight for Trump.” This crowd was engaged in a

physical confrontation with uniformed officers at the entryway. Again, GRILLO was near the

front of the crowd. The crowd, including GRILLO, was eventually driven back from the door

when officers employed a chemical irritant.

50. From New York State vehicle registration records, the FBI identified GRILLO as

the registered owner of a 2019 Chevrolet Traverse with New York State License Plate number

. The registration is effective as of April 1, 2020. The address linked to the vehicle’s

registration is Glen Oaks, New York. A License Plate reader in New York

City captured New York License Plate departing New York City at approximately 9:30

p.m. on January 5, 2021 and returning on January 6, 2021 at approximately 11:20 p.m. A Secret

Service camera located in Washington, D.C. scanned New York License Plate at

approximately 2:10 a.m. on January 6, 2021.

51. On November 11, 2020, GRILLO posted a brief video from the Facebook page of

“DONALD J. TRUMP” to his own page. TRUMP’s post was captioned with “WE WILL WIN!”

and a brief video saying to believe in the impossible.

52. Subscriber information for the SUBJECT PHONE NUMBER shows that the

account holder is and that the address for the SUBJECT PHONE NUMBER is

Glen Oaks, New York. Other phone numbers on the same account are also

registered in ’s name. GRILLO’s mother listed the SUBJECT PHONE NUMBER

on her passport application as belonging to PHILIP GRILLO in the point of contact section.

53. I have reviewed PHILIP GRILLO’s United States Passport Application from

March 7, 2017, which includes a photograph of PHILIP GRILLO. The photograph of PHILIP

23
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 34 of 42

GRILLO from the passport application appears to be the same individual who was identified as

PHILIP GRILLO in the video footage at the Capitol on January 6, 2021. On the passport

application, PHILIP GRILLO lists “ ” as his emergency contact and states that she is

his mother. The mailing address on the application is Glen Oaks, New York.

54. The SUBJECT PHONE NUMBER is also linked to a WhatsApp social media

account that has a photograph that I believe to be of PHILIP GRILLO.

55. On February 22, 2021, GRILLO was arrested and charged by complaint with

violations of 18 U.S.C. § 1512(c)(2); 18 U.S.C. §§ 1752(a)(1) and (2); and 40 U.S.C. §§

5104(e)(2)(D) and (G). In a post-arrest interview with law enforcement the day of his arrest,

GRILLO admitted that he went inside the United States Capitol Building on January 6, 2021. He

also said that he was drunk at the time, that he did not think he had done anything illegal and did

not realize he was trespassing, and that he protected police officers inside the Capitol and did not

push past officers.

56. At the time of his arrest, law enforcement seized GRILLO’s cell phone with the

SUBJECT PHONE NUMBER pursuant to a search and seizure warrant issued in United States

District Court for the Eastern District of New York. Videos recovered from the cell phone with

the SUBJECT PHONE NUMBER establish that GRILLO entered the U.S. Capitol on January 6,

2021. Some video footage shows GRILLO expressing support for law enforcement. Other video

footage shows GRILLO announcing that they “did it” and “stormed” the Capitol, as well as

GRILLO asking others smoking marijuana for a hit and inhaling from it when provided.

Furthermore, in a video from an outside source, GRILLO stated, “I’m here to stop the steal.”

24
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 35 of 42

57. The time frame of January 5, 2021 to January 7, 2021 requested in this application

covers the date of the Capitol riot and ensures that the times of GRILLO’s travel are also captured

in light of the information gathered from license plate readers as described above.

BACKGROUND CONCERNING PROVIDER’S ACCOUNTS

58. PROVIDER is the provider of the cell services for the SUBJECT PHONE

NUMBER.

59. PROVIDER is a company that provides cellular telephone access to the general

public. As part of the provision of such access, PROVIDER gives its users a cell phone number,

voice mail, cell service based text messaging, SMS messaging, the ability to share pictures and

video, and cell service based access to the internet. As part of its regular business practices,

PROVIDER stores information about the use of these services and their contents for varying

periods of time depending on the service.

60. Wireless providers such as PROVIDER can provide cell service to more than one

phone as part of a package, so that the SUBJECT PHONE NUMBER may be associated with other

phones that are paid for by the same subscriber. Based on my training and experience, I also know

that evidence concerning the identity of such linked accounts can be useful evidence in identifying

the person or persons who have used a particular PROVIDER account and/or who may have

conspired with the user of a particular PROVIDER account.

61. Based on my training and experience, I know that each cellular device has one or

more unique identifiers embedded inside it. Depending on the cellular network and the device,

the embedded unique identifiers for a cellular device could take several different forms, including

Media Access Control address (“MAC” address), an Electronic Serial Number (“ESN”), a Mobile

Electronic Identity Number (“MEIN”), Mobile Equipment Identifier (“MEID”), a Mobile

25
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 36 of 42

Identification Number (“MIN”), a Subscriber Identity Module (“SIM”), a Mobile Subscriber

Integrated Services Digital Network Number (“MSISDN”), an International Mobile Subscriber

Identifier (“IMSI”), or an International Mobile Equipment Identity (“IMEI”). Based on my

training and experience, I know that cell service providers like PROVIDER retain records of the

unique identifiers of their subscribers’ cell phones and other devices.

62. Based on my training and experience, I know that subscribers can communicate

directly with PROVIDER about issues relating to the account, such as technical problems, billing

inquiries, or complaints from other users. Providers such as PROVIDER typically retain records

about such communications, including records of contacts between the user and the provider’s

support services, as well records of any actions taken by the provider or user as a result of the

communications. In my training and experience, such information may constitute evidence of the

crimes under investigation because the information can be used to identify the account’s user or

users.

63. Wireless providers such as PROVIDER typically collect and retain information

about their subscribers in their normal course of business. This information can include basic

personal information about the subscriber, such as name and address, and the method(s) of

payment (such as credit card account number) provided by the subscriber to pay for wireless

communication service.

64. Wireless providers such as PROVIDER typically collect and retain information in

their normal course of business about their subscribers’ use of PROVIDER’s services, including

records about calls, text messages, SMS messages, pictures and video or other communications

sent or received by a particular device, such as the source and destination telephone numbers (“call

detail records”), email addresses, and IP addresses, and other transactional records. These records

26
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 37 of 42

may include the contents of such communications. In my training and experience, this information

may constitute evidence of the crimes under investigation because the information can be used to

identify the SUBJECT PHONE NUMBER’s user or users and who they communicated with and

when.

65. Based on my training and experience, I know that for each communication a

cellular device makes, its wireless service provider typically stores: (1) the date and time of the

communication; (2) the telephone numbers involved, if any; (3) the cell tower to which the

customer connected at the beginning of the communication; (4) the cell tower to which the

customer connected at the end of the communication; and (5) the duration of the communication.

I also know that wireless providers such as PROVIDER typically collect and retain cell-site data

pertaining to cellular devices to which they provide service in their normal course of business in

order to use this information for various business-related purposes.

66. I also know that providers of cellular telephone service have technical capabilities

that allow them to collect and generate information about the locations of the cellular telephones

to which they provide service, including cell-site data, also known as “tower/face information” or

“cell tower/sector records.” Cell-site data identifies the “cell towers” (i.e., antenna towers covering

specific geographic areas) that received a radio signal from the cellular telephone and, in some

cases, the “sector” (i.e., faces of the towers) to which the telephone connected. These towers may

be a half-mile or more apart, even in urban areas, and can be 10 or more miles apart in rural areas.

Furthermore, the tower closest to a wireless device does not necessarily serve every call made to

or from that device.

67. Based on my training and experience, I know that PROVIDER also collects Per-

Call Measurement Data (“PCMD”). PCMD estimates the approximate distance of the cellular

27
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 38 of 42

device from a cellular tower based upon the speed with which signals travel between the device

and the tower. This information can be used to estimate an approximate location range that is

more precise than typical cell-site data. This location information is variously known as “NELOS”

(AT&T), “TrueCall” and “Time on Tower Report” (T-Mobile), “Timing Delay/Timing Advance”

(T-Mobile & Sprint), and/or “Real Time Tool” (RTT) (Verizon) data. Given the limits of the

antenna compared to cell towers, this information is likely to be even less reliable than it is when

collected by traditional cell towers. AT&T’s NELOS information can provide an approximate

location of the cellular device using a combination of timing advance, Wi-Fi, and global

positioning information (GPS). At times, this information can supplement cell site data when no

call or text information is available.

68. In summary, based on my training and experience in this context, I believe that the

computers of PROVIDER are likely to contain user-generated content such as stored electronic

communications, as well as PROVIDER-generated information about its subscribers and their

location and use of PROVIDER services and other online services. In my training and experience,

all of that information may constitute evidence of the crimes under investigation because the

information can be used to identify the account’s user or users. In fact, even if subscribers provide

PROVIDER with false information about their identities, that false information often nevertheless

provides clues to their identities, locations, or illicit activities.

69. As explained above, information stored in connection with a PROVIDER account

may provide crucial evidence of the “who, what, why, when, where, and how” of the criminal

conduct under investigation, thus enabling the United States to establish and prove each element

of the offense, or, alternatively, to exclude the innocent from further suspicion. From my training

and experience, I know that the information stored in connection with a PROVIDER account can

28
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 39 of 42

indicate who has used or controlled the account. This “user attribution” evidence is analogous to

the search for “indicia of occupancy” while executing a search warrant at a residence. For

example, text messages, contacts lists, and images sent (and the data associated with the foregoing,

such as date and time) may indicate who used or controlled the account at a relevant time. Further,

information maintained by PROVIDER can show how and when the account was accessed or used.

Additionally, information stored at the user’s account may further indicate the geographic location

of the account user at a particular time (e.g., location information integrated into an image or video

sent via e-mail). Finally, stored electronic data may provide relevant insight into the user’s state

of mind as it relates to the offense under investigation. For example, information in the

PROVIDER account may indicate its user’s motive and intent to commit a crime (e.g.,

communications relating to the crime), or consciousness of guilt (e.g., deleting communications in

an effort to conceal them from law enforcement). 2

70. Based on my training and experience, I know that evidence of who controlled, used,

and/or created a PROVIDER account may be found within the user-generated content created or

stored by the PROVIDER subscriber. This type of evidence includes, for example, personal

correspondence, personal photographs, purchase receipts, contact information, travel itineraries,

and other content that can be uniquely connected to a specific, identifiable person or group. In

addition, based on my training and experience, I know that this type of user-generated content can

provide crucial identification evidence, whether or not it was generated close in time to the offenses

2
At times, internet services providers such as PROVIDER can and do change the details and functionality of the
services they offer. While the information in this section is true and accurate to the best of my knowledge and belief,
I have not specifically reviewed every detail of PROVIDER’s services in connection with submitting this application
for a search warrant. Instead, I rely upon my training and experience, and the training and experience of others, to set
forth the foregoing description for the Court.

29
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 40 of 42

under investigation. This is true for at least two reasons. First, people that commit crimes

involving electronic accounts typically try to hide their identities, and many people are more

disciplined in that regard right before (and right after) committing a particular crime. Second,

earlier-generated content may be quite valuable, because criminals typically improve their

tradecraft over time. That is to say, criminals typically learn how to better separate their personal

activity from their criminal activity, and they typically become more disciplined about maintaining

that separation, as they become more experienced. Finally, because phones and similar

PROVIDER accounts do not typically change hands on a frequent basis, identification evidence

from one period can still be relevant to establishing the identity of the account user during a

different, and even far removed, period of time.

71. In my knowledge, training, and experience, I know that criminals sometimes use

“burner” phones, or cheap disposable prepaid mobile phones when preparing for and committing

their crimes. “Burner” phones are mobile phones for which credit is purchased in advance of

service use. Burner phones can be bought with cash and with no contract, plus providers that sell

these devices often don’t track personal data. Burner phones often use a mobile virtual network

operator that has agreements with companies like PROVIDER to access cell service, therefore,

burner phone records may be included in the information stored by PROVIDER.

AUTHORIZATION REQUEST

72. Based on the foregoing, I request that the Court issue the proposed search warrant,

pursuant to 18 U.S.C. § 2703(c) and Federal Rule of Criminal Procedure 41.

73. I further request that the Court direct PROVIDER to disclose to the government

any information described in Section I of Attachment B that is within its possession, custody, or

control. Because the warrant will be served on PROVIDER, who will then compile the requested

30
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 41 of 42

records at a time convenient to it, reasonable cause exists to permit the execution of the requested

warrant at any time in the day or night.

REQUEST TO SUBMIT WARRANT BY TELEPHONE

OR OTHER RELIABLE ELECTRONIC MEANS

74. I respectfully request, pursuant to Rules 4.1 and 41(d)(3) of the Federal Rules of

Criminal Procedure, permission to communicate information to the Court by telephone in

connection with this Application for a Search Warrant. I submit that Assistant U.S. Attorney

Christine Macey, an attorney for the United States, is capable of identifying my voice and

telephone number for the Court.

CONCLUSION

75. Based on the aforementioned factual information, I respectfully submit that there is

probable cause to believe that evidence of the Subject Offenses may be located with the records

and information associated with the SUBJECT PHONE NUMBER described in Attachment A.

Therefore, I request that the Court issue the proposed search warrant to seize items described in

Attachment B.

Respectfully submitted,

Kellen Grogan
Special Agent
Federal Bureau of Investigation

Subscribed and sworn telephonically pursuant to Fed. R. Crim. P. 4.1 and 41(d)(3) on November
4, 2021

_________________________________________
HONORABLE ROBIN M. MERIWEATHER
UNITED STATES MAGISTRATE JUDGE

31
 Case 1:21-sc-03462-RMM Document 2 Filed 11/04/21 Page 42 of 42

CERTIFICATE OF AUTHENTICITY OF DOMESTIC

RECORDS PURSUANT TO FEDERAL RULES OF EVIDENCE
902(11) AND 902(13)

I, _________________________________, attest, under penalties of perjury by the laws

of the United States of America pursuant to 28 U.S.C. § 1746, that the information contained in
this certification is true and correct. I am employed by _______________ (PROVIDER), and my
title is _____________________________. I am qualified to authenticate the records attached
hereto because I am familiar with how the records were created, managed, stored, and retrieved. I
state that the records attached hereto are true duplicates of the original records in the custody of
PROVIDER. The attached records consist of ______________. I further state that:
a. all records attached to this certificate were made at or near the time of the
occurrence of the matter set forth by, or from information transmitted by, a person with knowledge
of those matters, they were kept in the ordinary course of the regularly conducted business activity
of PROVIDER, and they were made by PROVIDER as a regular practice; and
b. such records were generated by PROVIDER’s electronic process or system that
produces an accurate result, to wit:
1. The records were copied from electronic device(s), storage medium(s), or
file(s) in the custody of PROVIDER in a manner to ensure that they are true duplicates of the
original records; and
2. The process or system is regularly verified by PROVIDER, and at all times
pertinent to the records certified here, the process and system functioned properly and normally.
I further state that this certification is intended to satisfy Rules 902(11) and 902(13) of the
Federal Rules of Evidence.

Date Signature