Thirteen Defendants Plead Guilty in December 2010 Cyber Attack Against PayPal

SAN JOSE—Thirteen defendants pleaded guilty in federal court in San Jose yesterday to charges related to their involvement in the cyber attack of PayPal’s website as part of the group Anonymous, United States Attorney Melinda Haag announced. One of the defendants also pleaded guilty to the charges arising from a separate cyber attack on the website of Santa Cruz County.

In pleading guilty, the defendants admitted to carrying out a distributed denial of service (DDoS) cyber attack against PayPal in December 2010.

These DDoS attacks were facilitated by software tools designed to damage a computer network’s ability to function by flooding it with useless commands and information, thus denying service to legitimate users. A group calling itself Anonymous claimed responsibility for the attacks, saying they conducted the attacks in protest of the companies’ and organizations’ actions. The attacks were facilitated by the software tools Anonymous made available for free download on the Internet. The victims included major U.S. companies across several industries.

According to the plea agreements and statements made in court, in late November 2010, WikiLeaks released a large amount of classified United States State Department cables on its website. Citing violations of the PayPal terms of service, and in response to WikiLeaks’ release of the classified cables, PayPal suspended WikiLeaks’ accounts such that WikiLeaks could no longer receive donations via PayPal. WikiLeaks’ website declared that PayPal’s action “tried to economically strangle WikiLeaks.”

The plea agreements further state that, in retribution for PayPal’s termination of WikiLeaks’ donation account, Anonymous coordinated and executed DDoS attacks against PayPal’s computer. Anonymous referred to these coordinated attacks on PayPal as Operation Avenge Assange.

The following defendants pleaded guilty:

1. Christopher Wayne Cooper, dob October 21, 198, aka “Anthrophobic,” Elberta, Alabama
2. Joshua John Covelli, dob January 10, 1985, aka “Absolem, and, “Toxic,” Fairborn, Ohio
3. Keith Wilson Downey, dob November 7, 1984, Jacksonville, Florida
4. Mercedes Renee Haefer, dob June 21, 1991, aka “No,” and “MMMM,” Las Vegas, Nevada
5. Donald Husband, dob August 14, 1981, aka “Ananon,” Fairfield, California
6. Vincent Charles Kershaw, dob February 23, 1984, aka “Trivette,” “Triv,” and “Reaper,” Fort Collins, Colorado
7. Ethan Miles, dob September 1, 1977, Flagstaff, Arizona
8. James C. Murphy, dob November 15, 1974, Baldwin Park, California
9. Drew Alan Phillips, dob April 15, 1985, aka “Drew010,” Santa Rosa, California
10. Jeffrey Puglisi, dob February 19, 1983, aka “Jeffer,” “Jefferp,” and “Ji,” Clinton Township, Michigan
11. Daniel Sullivan, dob June 19, 1989, Camarillo, California
12. Tracy Ann Valenzuela, dob February 11, 1969, Napa, California
13. Christopher Quang VO, dob May 16, 1989, Attleboro, Massachusetts

With the exception of Valenzuela, Phillips, and Miles, each of the defendants pleaded guilty to one count of vonspiracy, in violation of 18 USC 1030(b)(felony), and one count of intentional damage to a protected computer, in violation of 18 USC 1030(a)(5)(A)(misdemeanor). Defendant Valenzuela pleaded guilty to one count of reckless damage to a protected computer, in violation of 18 USC 1030(a)(5)(A)(misdemeanor). Defendants Phillips and Miles were permitted to plead guilty to one count each of intentional damage to a protected computer, in violation of 18 USC 1030(a)(5)(A)(misdemeanor) only.

The terms of the plea agreements allow that unless a defendant violates any of the terms of the plea agreement or fails to accept responsibility, at the time of sentencing, the defendant may make an unopposed motion to withdraw his/her guilty plea to count one, conspiracy to commit intentional damage to a protected computer in violation of 18 U.S.C. 1030(b), and the government will dismiss count one, leaving only the misdemeanor count of violating of 18 U.S.C. 1030(a)(5)(A) to be entered as a final judgment against the defendant.

Defendant Joshua John Covelli also pleaded guilty to executing a DDoS attack (with another defendant, presently a fugitive) against the Santa Cruz County webserver, admitting that it was in retaliation for a statute enacted by the city of Santa Cruz. The city of Santa Cruz enacted Section 6.36.010 of its municipal code, entitled “Camping Prohibited,” which contained restrictions and definitions on camping within Santa Cruz City. In response to the enforcement of Section 6.36.010, protesters occupied the Santa Cruz County Courthouse premises from approximately July 4, 2011 to October 2, 2011. Law enforcement officers from Santa Cruz County disbanded the protest, and several protesters were charged with misdemeanors crimes in Santa Cruz County.

According to Covelli’s plea agreement and statements in court, in retribution for Santa Cruz City’s enforcement of Section 6.36.010 of the municipal code and Santa Cruz County’s disbandment of the protest, Covelli and others, calling themselves the “People’s Liberation Front’” or “PLF,” and claiming to be associated with the Anonymous group, coordinated and executed an attack against Santa Cruz County’s computer servers. The PLF referred to these coordinated attacks on Santa Cruz County as Operation Peace Camp 2010.

The defendants are currently released on bond.

The sentencing hearings for twelve of the defendants are scheduled for December 4, 2014, at 10:00 a.m. before the Honorable D. Lowell Jensen, United States District Court Judge, in San Jose. Tracy Valenzuela’s sentencing hearing is scheduled for November 20, 2014, at 10:00 a.m. before Judge Jensen as well. The maximum statutory penalty for each count in violation of 18 United States Code, Section 1030(b)-conspiracy (felony) is five years’ imprisonment and a $250,000 fine; for each count in violation of 18 United States Code, Section 1030(a)(5)(A)-intentional damage to a protected computer (felony), is 10 years’ imprisonment and a $250,000 fine; for each count in violation of 18 United States Code, Sections 1030(a)(5)(A) & (c)(4)(G)(i)—intentional damage to a protected computer (misdemeanor) is one year in prison and a $100,000 fine; and for each count in violation of 18 United States Code, Sections 1030(a)(5)(A) & (c)(4)(G)(i)-reckless damage to a protected computer (misdemeanor) is one year in prison and a $100,000 fine.

However, any sentence will be imposed by the court only after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.

Matt Parrella and Hanley Chew are the Assistant U.S. Attorneys who prosecuted the case with the assistance of Elise Etter. The prosecution is the result of an investigation by the Federal Bureau of Investigation, along with cooperation from PayPal. Authorities in the Netherlands, Germany, and France have also taken their own investigative and enforcement actions.

The National Cyber-Forensics and Training Alliance, a public-private partnership whose mission to identify, mitigate, and neutralize cyber crime, also provided assistance.