31 August 1997
Source: Hardcopy from Greg Broiles (www.parrhesia.com)
FILED AUG 25 1997
RICHARD W. WIEKING
CLERK, U.S. DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

MICHAEL J. YAMAGUCHI
United States Attorney
JOEL R. LEVIN
Chief, Criminal Division
GEORGE D. HARDY
Assistant United States Attorney
450 Golden Gate Avenue
San Francisco, CA 94102
Telephone: (415) 436-6851
Attorneys for Plaintiff

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

UNITED STATES OF AMERICA,      )  Criminal No. 97-00197 - VRW
                               )
          Plaintiff,           )  GOVERNMENT'S MOTION TO
                               )  PARTIALLY SEAL RECORD
     v.                        )  OF GUILTY PLEA
                               )
CARLOS FELIPE SALGADO, JR.     )
                               )
          Defendant.           )
______________________________)

COMES NOW the United States of America, by and through counsel of record, Michael J. Yamaguchi, United States Attorney, and George D. Hardy, Assistant U.S. Attorney, and hereby files this motion to partially seal the record of the Rule 11, Federal Rules of Criminal Procedure, hearing on August 25, 1997, during which defendant CARLOS FELIPE SALGADO, JR. entered guilty pleas to Counts One, Two, Four, and Five of the indictment pending against him. This motion is being made for the purpose of protecting the identity of the victims of the defendant's criminal conduct, and is based on the attached declaration of counsel.

DATED: August 25, 1997
Respectfully submitted,
MICHAEL J. YAMAGUCHI
United States Attorney
[Signature]
GEORGE D. HARDY
Assistant U.S. Attorney

DECLARATION OF GEORGE D. HARDY

I, GEORGE D. HARDY, do declare and say:
1. I am an Assistant U.S. Attorney in the Northern District of California, and have been assigned to prosecute the case of United States v. Carlos Felipe Salgado, Jr.
2. I was present on August 25, 1997, before the Honorable Vaughn R. Walker, when defendant Salgado entered guilty pleas to Counts One, Two, Four, and Five of the indictment pending against him.
3. During the defendant's colloquy with the Court regarding the factual basis for the guilty pleas to Counts One and Two, the defendant specifically identified two victims of his criminal conduct by name. Later in the colloquy there was an additional reference to the names of the victims.
4. I have been advised by the Federal Bureau of Investigation that the public release of the identity of the two victims could cause serious financial and security difficulties for the victims. Until now, the victims have been identified only to the defense, as part of the criminal discovery in the case.
5. The difficulties facing these victims include the probability that additional hackers will seek to challenge these computer systems, once the defendant's successful efforts are revealed; and the loss of business due to the perception by others that computer systems may be vulnerable.
6. I have also been advised by the Federal Bureau of Investigation that companies victimized by computer intruders are quite reluctant to come forward and report illegal intrusions, fearing that the revelations could have an impact on their business operations that might overshadow the specific damage inflicted by the intruder on their systems. Such an environment provides a perfect medium in which computer hackers flourish.
7. Until the date of the guilty pleas, the identities of these victims have been protected, consistent with the policy of encouraging victims to come forward. The victims realize that had the case proceeded to trial, their identities would have been revealed. However, because the case did not proceed to trial; there seems to be no good reason to reveal the information now; and several very good reasons not to reveal it.
8. The defendant's counsel was contacted regarding this motion. She expressed a willingness to agree to it, but only if the government agreed to limit in some way the government's appropriate public release of the defendant's guilty pleas as a deterrent to others. Such an arrangement was not acceptable to the government. Defendant's counsel therefore indicated that she would like to file an opposition to this motion; but would agree that pending the resolution of this issue, that the identities of the victims could be protected.

I declare the foregoing to be true and correct to the best of my knowledge and belief.
DATED: August 25, 1997
[Signature]
GEORGE D. HARDY

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

UNITED STATES OF AMERICA,      )  Criminal No. 97-00197 - VRW
                               )
          Plaintiff,           )
                               )
                               )
                               )
                               )  O R D E R
CARLOS FELIPE SALGADO, JR.     )
                               )
          Defendant.           )
______________________________)

Considering the foregoing motion and declaration of counsel,
IT IS ORDERED that the portion of the proceedings before this Court on August 25, 1997, during which defendant Carlos Felipe Salgado, Jr., identified the victims of his criminal conduct, is hereby sealed until further order of the Court.
DATED: [Blank]
[Blank]
THE HONORABLE VAUGHN R. WALKER
UNITED STATES DISTRICT COURT JUDGE

FILED JUN 23 1 23 PM '97
RICHARD W. WIEKING
CLERK
U.S. DISTRICT COURT
NO. DIST. OF CA.

MICHAEL J. YAMAGUCHI
United States Attorney
Attorney for Plaintiff

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

UNITED STATES OF AMERICA,      )  CRIMINAL NO. CR97 00197 VRW
                               )
          Plaintiff,           )  VIOLATIONS: Title 18, United
                               )  States Code, Section 1030(a)(4)
     v.                        )  - UNAUTHORIZED ACCESS OF
                               )  COMPUTER IN FURTHERANCE OF
                               )  FRAUD; Title 18, United States
CARLOS FELIPE SALGADO, JR.,    )  Code Section 1030(a)(5)(B) -
                               )  UNAUTHORIZED ACCESS OF COMPUTER
          Defendant.           )  CAUSING DAMAGE; United States
                               )  Code, Section 1029(a)(2) -
                               )  TRAFFICKING IN STOLEN CREDIT
                               )  CARD NUMBERS; Title 18, United
                               )  States Code, Section 1029(a)(3)
                               )  - POSSESSING MORE THAN FIFTEEN
                               )  STOLEN CREDIT CARD NUMBERS
                               )  WITH INTENT TO DEFRAUD
                               )
                               )  [San Francisco Venue]
______________________________)

I N D I C T M E N T

COUNT ONE (18 U.S.C. § 1030(a)(4) - Unauthorized Access Of Computer In Furtherance Of Fraud)
The Grand Jury charges that:
In or about March, 1997, from the City of Daly City, County of San Mateo, State and Northern District of California, CARLOS FELIPE SALGADO, Jr., defendant herein, did knowingly and with intent to defraud, access a protected computer, which was used in interstate and foreign commerce and communication, without authorization, and by means of such conduct, did further the intended fraud and obtain credit card numbers with a combined credit limit in excess of one billion dollars; in violation of Title 18, United States Code, Section 1030(a)(4).

COUNT TWO (18 U.S.C. § 1030(a)(4) - Unauthorized Access Of Computer In Furtherance Of Fraud)
The Grand Jury further charges that:
On or about May 4, 1997, from the City of Daly City, County of San Mateo, State and Northern District of California, CARLOS FELIPE SALGADO, JR., defendant herein, did knowingly and with intent to defraud, access a protected computer, which was used in interstate and foreign commerce and communication, without authorization, and by means of such conduct, did further the intended fraud and obtain credit card numbers with a combined credit limit in excess of one million dollars; in violation of Title 18, United States Code, Section 1030(a)(4).

COUNT THREE (18 U.S.C. § 1030(a)(5)(B) - Unauthorized Access of Computer Causing Damage)
The Grand Jury further charges that:
On or about March 28, 1997, from the City of Daly City, County of San Mateo, State and Northern District of California, CARLOS FELIPE SALGADO, JR., defendant herein, did intentionally access a protected computer, affecting interstate and foreign commerce and communication, without authorization, and as a result of such conduct, recklessly caused damage; in violation of Title 18, United States Code, Section 1030(a)(5)(B).

COUNT FOUR (18 U.S.C. § 1029(a)(2) - Trafficking In Stolen Credit Card Numbers)
The Grand Jury further charges that:
Between on or about May 7, 1997, and on or about May 14, 1997, and during a one year period, in the City and County of San Francisco, State and Northern District of California, and elsewhere, CARLOS FELIPE SALGADO, JR., defendant herein, did knowingly and with intent to defraud traffic in unauthorized access devices, that is, stolen credit card numbers, and by such conduct did affect interstate commerce and did obtain something of value aggregating in excess of one thousand dollars; in violation of Title 18, United States Code, Section 1029(a)(2).

COUNT FIVE (18 U.S.C. § 1029(a)(3) - Possessing Fifteen Or More Stolen Credit Card Numbers With Intent to Defraud)
The Grand Jury further charges that:
On or about May 21, 1997, at the San Francisco International Airport, and elsewhere within the State and Northern District of California, CARLOS FELIPE SALGADO, JR., defendant herein, did knowingly and with intent to defraud, possess more than fifteen access devices, that is, approximately 100,000 credit card numbers, which were unauthorized and stolen, and by such conduct did affect interstate commerce; in violation of Title 18, United States Code, Section 1029(a)(3).

DATED: [Blank]
A TRUE BILL.
[Signature]
FOREPERSON
[Signature]
MICHAEL J. YAMAGUCHI
United States Attorney
(Approved as to Form) [Initials] AUSA Hardy

FILED MAY 22 11 08 AM '97
RICHARD W. WIEKING
CLERK
DISTRICT COURT
NO. DIST. OF CA.

[Form]
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
ORDER SETTING CONDITIONS OF RELEASE AND APPEARANCE BOND

DATE: 5-22-97
CASE NUMBER: 13-97-302570?
NAME OF DEFENDANT: CARLOS FELIPE SALGADO, JR.
ADDRESS OF DEFENDANT: 99 EVERGREEN AVE. DALY CITY, [Illegible]
TELEPHONE NUMBER: (415) 334-779?
[Snip blanks]
AMOUNT OF BOND: $100,000 [X] UNSECURED PR
[Snip blanks]
TIME AND DATE OF NEXT APPEARANCE: 9:30 6-11-97 COURTROOM 17

CONDITIONS OF RELEASE AND APPEARANCE
Defendant is subject to each condition checked:
X Defendant shall appear at all proceedings as ordered by the Court and shall surrender for service of any sentence imposed.
X Defendant shall not commit any federal, state, or local crime.
X Defendant shall not harass, threaten, intimidate, injure, tamper with, or retaliate against any witness, victim, informant, juror, or officer of the Court, or obstruct any criminal investigation. See 18 U.S.C. 1503, 1510, 1512, and 1513, on reverse side.
X Defendant shall not travel outside the Northern District of California, that is, these counties: Alameda, Contra Costa, Del Norte, Humboldt, Lake, Marin, Mendocino, Monterey, Napa, San Benito, San Francisco, San Mateo, Santa Clara, Santa Cruz, and Sonoma. See map on reverse side.
X Defendant shall report in person, immediately upon release, and as directed and by telephone every [blank] by 4:00 P.M. to the U.S. Pretrial Office in [blank]. See addresses and telephone numbers on reverse side.
[Snip blanks]
X The following conditions also apply:
1) Whatever computer equipment is in parent's house shall be removed within 24 hours.
2) No access to computer terminals.
3) Premises and person shall be subject to search and seizure by PTS as deemed necessary
4) Deft shall reside with parents.

CONSEQUENCES OF DEFENDANT'S FAILURE TO OBEY CONDITIONS OF RELEASE
Payment of the full amount of this bond shall be due forthwith, and all cash or property posted to secure it shall be forfeited. Judgment may be entered and executed against defendant and all sureties jointly and severally.
An arrest warrant for defendant shall issue immediately, and defendant may be detained without bail for the rest of the proceeding.
Defendant shall be subject to consecutive sentences and fines for failure to appear and/or for committing an offense while on release. See 18 U.S.C. 3146 and 3147, on reverse side.
We, the undersigned, have read and understand the terms of this bond and acknowledge that we are bound by it until duly exonerated.

SIGNATURE OF DEFENDANT         SIGNATURE OF SURETY
[Signature]                    [Signature]
SIGNATURE OF MAGISTRATE
[Signature]

FILED MAY 22 1997
RICHARD W. WIEKING
CLERK, U.S. DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

[Form]
United States District Court
NORTHERN DISTRICT OF CALIFORNIA
UNITED STATES OF AMERICA
V.
CARLOS FELIPE SALGADO, JR.
CRIMINAL COMPLAINT
CASE NUMBER: 3.97-30257 OEW

I, the undersigned complainant being duly sworn state the following is true and correct to the best of my knowledge and belief.
SEE ATTACHMENT A
in violation of Title 18 United States Code, Section(s) 1029(a)(2) (trafficking in stolen credit card numbers) 1030(a)(4) (unauthorized access of computer)
I further state that I am a(n) FBI Special Agent and that this complaint is based on the following facts:
SEE ATTACHMENT B

COUNT ONE                      COUNT TWO
PENALTY: 10 years in custody   PENALTY: 5 years in custody
$250,000 fine,                 $250,000 fine
3 years supervised release     3 years supervised release
$100 penalty assessment        $100 penalty assessment

APPROVED: [Initials] AUSA Hardy
PROCESS: N/A
Continued on the attached sheet and made a part hereof: [X] Yes
[Signature]
Signature of Complainant
CALLEN D. DALRYMPLE
Special Agent
Federal Bureau of Investigation
Sworn to before me and subscribed in my presence,
Date 5-22-97 at San Francisco CA
[Signature]
Owen E. Woodruff, Jr.
United States Magistrate Judge

Between on or about May 2, 1997, and May 21, 1997, within the State and Northern District of California, defendant CARLOS FELIPE SALGADO, JR., aka "Smak", did knowingly, and with intent to defraud, traffic in unauthorized access devices affecting interstate commerce, to wit, over 100,000 stolen credit card numbers, and by such conduct did obtain in excess of $1000; in violation of Title 18, United States Code, Section 1029(a)(2).
On or about March 28, 1997, within the State and Northern District of California, defendant CARLOS FELIPE SALGADO, JR., aka "Smak", did knowingly, and with intent to defraud, access a protected computer affecting interstate commerce without authorization, and by means of such conduct, did further the intended fraud and did obtain something of value, to wit, valid credit card numbers; in violation of Title 18, United States Code, Section 1030(a)(4).
AFFIDAVIT IN SUPPORT OF COMPLAINT
UNITED STATES OF AMERICA          )
                                  ) SS.
NORTHERN DISTRICT OF CALIFORNIA   )
I, CALLEN D. DALRYMPLE, Special Agent, Federal Bureau of Investigation, United States Department of Justice, having been duly sworn, do depose and state as follows:
1. I am a Special Agent of the Federal Bureau of Investigation (FBI), United States Department of Justice, and have been so employed for approximately five and one-half years. I was assigned to the FBI's San Diego Division from January 1992 through December of 1995. I was transferred to the FBI's San Francisco Division and assigned to a newly-created Computer Intrusion Threat Assessment (CITA) Squad in January of 1996. During my career as an FBI Special Agent, I have primarily been assigned to investigate "white collar crime" matters, including various types of fraudulent activity in violation of the laws of the United States. I have conducted investigations or participated in investigations into violations of Title 18, United States Code, Section 371 (Conspiracy); Title 18, United States Code, Section 1029 (Fraud and Related Activity in Connection With Access Devices); Title 18, United States Code, Section 1030 (Fraud and Related Activity in Connection With Computers); Title 18, United States Code, Section 1343 (Fraud By Wire), Title 18 United States Code, Sections 1956 and 1957 (Money Laundering), Title 18 United States Code, Section 2314 (Interstate Transportation of Stolen Property), and Title 18, United States Code, Section 2511 (Unauthorized Interception and Disclosure of Wire, Oral or Electronic Communications). Before becoming an FBI Special Agent, I received a Bachelor of Science degree in Accounting and a Master of Business Administration degree in Financial Planning, which includes the study of Computer Systems. During my tenure as an FBI agent, I have gained experience conducting computer fraud and abuse investigations which included investigations into the unauthorized access of telephone company computer systems, unauthorized access and use of cellular telephones, and the unauthorized access of consumer credit reporting agencies. I have also gained experience in methods of investigating computer fraud and abuse. These investigative methods include surveillance techniques, pen registers CDD, electronic monitoring, undercover recordings, conduct of interviews and interrogations related to computer crimes and the use of confidential informants. I and/or the other agents involved in this investigation have used all of these investigative techniques during this investigation. I have also received classroom and practical instruction, pertaining to computer fraud and abuse, from both the FBI and private sources, such as the University of California at San Diego Supercomputer Center.
STATEMENT OF FACTS
2. An internet service provider (ISP) is a company that sells access to the Internet for a fee. The owner of an ISP, on March 31, 1997, notified the FBI of the following:
While performing routine maintenance on the Internet servers on Friday, March 28, 1997, technicians discovered that the servers had been broken into by an intruder. Investigation by technicians revealed a "packet sniffer" installed on the system. The packet sniffer program was being used to capture user ID's and passwords of authorized users. The technicians then discovered that the intruder was still logged onto the system. As the technicians backed-up affected files, the intruder was deleting files and covering his/her tracks on the server. To stop the attack, the server was removed from the Internet connection and the technicians built another server to replace the hacked server.
As the intrusion was occurring, a customer (hereafter CW) notified the owner of the ISP that he was also on the server during the incident. CW explained that he had engaged the perpetrator in an Internet Relay Chat (IRC) conversation. During this conversation, the intruder wrote that he had broken into the ISP's server and bragged about how easy it was to compromise the server. The intruder wrote that he had removed all of the credit card numbers from one of the sites on the server and offered to sell the credit card numbers to the CW. The intruder also offered a total of 60,000 credit card numbers that he had hacked from other sources.
Based on information provided by the CW and computer log files, the ISP's technicians logged onto the Internet using another domain ID and tried to contact the intruder. The intruder's terminal was idle. The technicians traced the intruder's ID back to a user account and port address at the University of California at San Francisco. The traced address matched the user ID and address of the person to whom the CW had chatted with via IRC.
3. Thereafter, the CW began working with the FBI in an undercover capacity.
Under the direction of the FBI, the CW made contact with the intruder to determine if the intruder was still intent on selling the stolen ("hacked") credit card numbers. Contact was made originally via IRC (as described above). Subsequently, the CW and the intruder (who called himself "Smak") began to communicate using encrypted electronic mail. Beginning on May 2, 1997, and continuing to May 21, 1997, "Smak" and the CW exchanged over 50 e-mail messages. "Smak"'s messages to the CW were received at an FBI-controlled address in San Jose, California. Each of the communications was recorded and maintained as evidence.
4. "Smak" quickly made it clear that he had the ability to hack into computers and extract valid credit numbers which he would offer for sale. On May 4, 1997, "Smak"'s e-mail message read in part:
"There may be a delay in our business together of a day or so. It's not necessarily a bad thing. Let met explain. This morning i[sic] was reading a business magazine article about online transactions on the internet and a particular niche in services. A couple companies were mentioned that generated SEVERAL MILLION dollars in CC [credit card] transactions a week! I decided to go exploring and got into their sites. The article was right! However, i[sic] need to explore the sites for a a [sic] little while to establish firm control and locate machine extractable data. I think it is worth it. --Smak"
5. Negotiations between the CW (acting at the direction of the FBI) and "Smak" continued toward the goal of a large purchase of "hacked" credit card numbers. "Smak" had already represented that he had available 60,000 credit card numbers (see above). The negotiations quickly led to a sale of 710 credit card numbers for $710. This was intended as a sample of the larger group of credit cards available for sale. The numbers were delivered to the CW as an attachment to an encrypted e-mail message. Fifteen numbers were chosen at random for verification. The numbers were determined to be valid credit card numbers issued by financial institutions with credit limits between $5000 and $12,000. "Smak" was paid by use of a Western Union transfer to offices in the San Francisco Bay Area. For identification purposes, "Smak" described himself as looking "Latin", with "black hair, tan-dark skin, black eyes, no visible birthmarks, beard, mustache, about 5'5", and heavy".
6. At the direction of the FBI, the CW continued to communicate with "Smak" using e-mail. Negotiations led to the delivery, once again by encrypted e-mail from "Smak", of 580 credit card numbers at $5 apiece, on May 13, 1997. A small sample of the cards purchased were researched with the issuing bank and found to be valid. The purchase limits on the cards ranged from $2000 to $25,000. In payment for these credit card numbers, two Western Union transfers of $1450 each were made to San Francisco Area Western Union offices for the benefit of "Smak", utilizing code names and general descriptions. On May 15, 1997, "Smak" indicated in an encrypted e-mail message that he had picked up the two payments.
7. The negotiations between the CW and "Smak" culminated with the agreement to meet at the San Francisco International Airport on May 21, 1997, at 11:15 a.m. to exchange a large number of stolen credit card numbers for approximately $260,000. On that day, the CW, under the direction and control of the FBI, met "Smak" at the appointed hour and place. "Smak" delivered an encrypted CD containing over 100,000 stolen credit card numbers. After the validity of the credit card information was confirmed through decryption of the data on the CD, "Smak" was taken into custody by the FBI.
8. After being advised of his constitutional rights, "Smak" agreed to waive those rights and speak to the FBI. He then identified himself as CARLOS FELIPE SALGADO, JR., a 36-year old resident of Daly City. He also acknowledged that he had "hacked" into various computers and stolen all of the credit card numbers delivered to the CW on the prior occasions, as well as the credit card numbers in his possession at the time of arrest. In particular, he acknowledged that on March 28, 1997, he "hacked" into the server of the San Diego ISP referenced above in paragraph 2 and thereby obtained credit card information with intent to defraud.
CALLEN D. DALRYMPLE
Federal Bureau of Investigation
Sworn to before me this 22nd day of May, 1997.
UNITED STATES MAGISTRATE JUDGE
NORTHERN DISTRICT OF CALIFORNIA
Digitized and hypertexted by JYA/Urban Deadline