Alleged Cybercriminal Charged With Unauthorized Computer Intrusion, Wire Fraud, Securities Fraud And Other Crimes

Defendant, Extradited from Ukraine, Allegedly Engaged in an Eight-Year Campaign of Cybercrime

A criminal complaint was unsealed today in federal court in Brooklyn charging Lithuanian national Vytautas Parfionovas with computer intrusion, securities fraud, money laundering, bank fraud and wire fraud, among other offenses.  The charged crimes stem from a variety of criminal conduct between 2011 and 2018 in which Parfionovas gained access to U.S.-based computers, including email servers and computers belonging to U.S. financial institutions, in order to steal money from online bank accounts and securities brokerage accounts.  Parfinovas was arrested in Ukraine on October 24, 2019, and was extradited to the United States on November 21, 2019.

Richard P. Donoghue, United States Attorney for the Eastern District of New York, and William F. Sweeney, Jr., Assistant Director-in-Charge, Federal Bureau of Investigation, New York Field Office (FBI), announced the charges.

“As alleged, the defendant and his co-conspirators stole millions of dollars from U.S. victims while sitting behind keyboards thousands of miles away,” stated United States Attorney Donoghue.  “Cybercriminals are hereby on notice that no amount of distance or subterfuge will protect them, and that we and our law enforcement partners are committed to unmasking, arresting and prosecuting them.”  Mr. Donoghue thanked the Prosecutor Generals Office of Ukraine, the FBI Legal Attaché’s Office in Kiev and the Department of Justice’s Office of International Affairs for their assistance in the investigation and the defendant’s extradition.

“The world has become a much smaller place with the advent of the internet, and with that shrinking globe, the days of cyber criminals thinking because they're not in our country they can escape justice are over,” stated FBI Assistant Director-in-Charge Sweeney.  “Our extraordinary partnerships allow the FBI to reach into many of the dark corners where these thieves feel invincible.  If you violate our laws, we will make sure you pay the price.”

As charged in the criminal complaint, starting in January 2011, Parfionovas and his co-conspirators engaged in a long-running scheme to steal money through a variety of computer intrusions.

In one part of the scheme, Parfionovas and his co-conspirators allegedly obtained login information for victims’ securities brokerage accounts through various methods, including stealing that information from the server of a U.S. securities order management company to which the conspirators gained unauthorized access.  The conspirators then used those accounts to steal money and conduct trades to their own benefit.  Initially, conspirators accessed the victim brokerage accounts and transferred money from those accounts to other accounts under their control.  After financial institutions began to block those unauthorized transfers, Parfionovas and his co-conspirators accessed other victim brokerage accounts without authorization, and placed unauthorized stock trades within those accounts while simultaneously trading profitably in the same stocks from accounts that they controlled.  On or about February 22, 2016, Parfionovas explained this aspect of the scheme to a co-conspirator as follows:  “I take some fraud logins.  Do some s[_]t with stock . . . sometimes 2-3 in day . . . manipulation is 100%.”  In this manner, Parfionovas and his co-conspirators realized financial gains while causing losses of more than $5.5 million.

In another part of the scheme, Parfionovas and his co-conspirators allegedly obtained login information for victim email accounts and accessed those accounts without authorization.  The conspirators then sent email messages from those accounts to the victims’ financial advisers and requested wire transfers from the victims’ financial institutions to overseas bank accounts that the conspirators controlled.  For example, in or about May 2013, Parfionovas and his co-conspirators obtained $50,000 from an investment account that belonged to U.S. victims, and Parfionovas directed the transfer of those funds to a series of bank accounts and ultimately to an individual in Kharkov, Ukraine, where Parfionovas was located.  To defraud another victim, Parfionovas and his co-conspirators obtained control over a victim’s email account and used it to send written instructions—which falsely appeared to have been signed by the victim—to transfer $225,000 from one of the victim’s accounts.

If convicted, the defendant faces up to 30 years’ imprisonment for the money laundering charge, and a mandatory consecutive two-year sentence for the charge of aggravated identity theft.

The charges in the complaint announced today are allegations, and the defendant is presumed innocent unless and until proven guilty.

The government’s case is being handled by the Office’s National Security and Cybercrime Section and the Business and Securities Fraud Section.  Assistant United States Attorneys David K. Kessler, Mark E. Bini and Alexander Mindlin are in charge of the prosecution.  The Justice Department’s Office of International Affairs of the Department’s Criminal Division provided significant assistance in securing the defendant’s extradition from Ukraine.

The Defendant:

VYTAUTAS PARFIONOVAS

Age: 32

Kiev, Ukraine

E.D.N.Y. Docket No. 19-MJ-883

Maryland man offers guilty plea for cyberstalking Ohio victims

COLUMBUS, Ohio – A Maryland man offered a guilty plea today in U.S. District Court to cyberstalking victims in the Southern District of Ohio.

Vincent Brocoli, 32, of Essex, Md., was indicted by a federal grand jury in August.

According to court documents, from August 2016 until April 2019, Brocoli (also known as Matthew Dehart, BunchMedia and BunchMarketing), cyberstalked a female victim and her parents by creating social media accounts in their names, sending them threats, and using the Internet to cause substantial emotional distress to their family.

Brocoli created social media accounts like @xokirstylies1, @xokirstyslut1 and @killyourselfkirsty, among others.

The defendant used the Internet to post photos of the victim with a cross on her forehead and send messages like “I hope you get cancer and die UGLY SLLUT [sic],” and “Go away and die. Just put a gun in your mouth and get it over with.”

Court documents also details that, over the course of nearly three years, Brocoli used the Internet and multiple social media platforms to post threatening and sexually vulgar comments, calling the victim a “worthless lying slut” and a “whore.” Brocoli also used the Internet to post comments asserting that the victim and her husband had AIDS, like claiming that the victim “took [her husband]’s gay cum down her throat and now she has aids. Diseased whorebag.”

Brocoli posed as the victim’s father and mother online by creating multiple Instagram and Twitter handles using their names. He also used the Internet to post comments to the victim’s mother, calling her a “pedophile,” commenting that she needed “to be arrested for child abuse,” and telling her to “Shut up and die.” Brocoli further used the Internet to post to the victim’s father that he would “be the first to go to hell and answer to the real God when the time comes.”

Cyberstalking is a federal crime punishable by up to five years in prison. Congress sets the maximum statutory sentence. Sentencing of the defendant will be determined by the Court based on the advisory sentencing guidelines and other statutory factors.

David M. DeVillers, United States Attorney for the Southern District of Ohio, and Joseph M. Deters, Acting Special Agent in Charge, Federal Bureau of Investigation (FBI), Cincinnati Division, announced the plea offered today before U.S. Magistrate Judge Kimberly A. Jolson. Assistant United States Attorney Jessica H. Kim and Special Assistant United States Attorney Christopher N. St. Pierre are representing the United States in this case.

Russian Hacker Who Used NeverQuest Malware To Steal Money From Victims’ Bank Accounts Sentenced In Manhattan Federal Court To Four Years In Prison

Geoffrey S. Berman, the United States Attorney for the Southern District of New York, announced that STANISLAV VITALIYEVICH LISOV, a/k/a “Black,” a/k/a “Blackf” (“LISOV”), was sentenced to 48 months in prison today for conspiring to deploy and use a type of malicious software known as NeverQuest to infect the computers of unwitting victims, steal their login information for online banking accounts, and use that information to steal money out of the victims’ accounts.  NeverQuest has been responsible for millions of dollars’ worth of attempts by hackers to steal money out of victims’ bank accounts.  LISOV was sentenced by U.S. District Judge Valerie E. Caproni, who presided over his guilty plea earlier this year.

U.S. Attorney Geoffrey S. Berman stated:  “Stanislav Vitaliyevich Lisov, a Russian hacker, used malware to infect victims’ computers, obtain their login credentials for online banking accounts, and steal money from their accounts.  This type of cybercrime threatens personal privacy and harms financial institutions.  Lisov’s arrest, extradition, conviction, and prison sentence should send an unmistakable message about this Office’s firm commitment to prosecuting hackers – domestic and foreign alike.”

According to the allegations in the Indictment to which LISOV pled guilty, public court filings, and statements made in court:

NeverQuest is a type of malicious software, or malware, known as a banking Trojan.  It can be introduced to victims’ computers through social media websites, phishing emails, or file transfers.  Once surreptitiously installed on a victim’s computer, NeverQuest is able to identify when a victim attempted to log onto an online banking website and transfer the victim’s login credentials – including his or her username and password – back to a computer server used to administer the NeverQuest malware.  Once surreptitiously installed, NeverQuest enables its administrators remotely to control a victim’s computer and log into the victim’s online banking or other financial accounts, transfer money to other accounts, change login credentials, write online checks, and purchase goods from online vendors.

Between June 2012 and January 2015, LISOV was responsible for key aspects of the creation and administration of a network of victim computers known as a “botnet” that was infected with NeverQuest.  Among other things, LISOV maintained infrastructure for this criminal enterprise, including by renting and paying for computer servers used to manage the botnet that had been compromised by NeverQuest.  Those computer servers contained lists with approximately 1.7 million stolen login credentials – including usernames, passwords, and security questions and answers – for victims’ accounts on banking and other financial websites.  LISOV had administrative-level access to those computer servers.

LISOV also personally harvested login information from unwitting victims of NeverQuest malware, including usernames, passwords, and security questions and answers.  In addition, LISOV discussed trafficking in stolen login information and personally identifying information of victims.

On January 13, 2017, LISOV was arrested in Spain pursuant to a provisional arrest warrant.  On January 19, 2018, LISOV was extradited from Spain to the United States.

*                *                *

In addition to his prison term, LISOV, 34, a citizen of Russia, was sentenced to three years of supervised release, and was ordered to pay forfeiture of $50,000 and restitution of $481,388.04.

Mr. Berman praised the outstanding investigative efforts of the Federal Bureau of Investigation.

The matter is being handled by the Office’s Complex Frauds and Cybercrime Unit.  Assistant U.S. Attorney Michael D. Neff is in charge of the prosecution.