WIXLIB

Case 1:21-cr-10180-WGY Document 3-3 Filed 04/01/21 Page 16 of 29DUA records reflect that the 73 IP Address has been used to login to DUA’s PUA web portal inJanuary and February of 2021. For example, the 73 IP Address has logged into DUA’s PUA webportal on claims made in the following names (and PUA claim numbers):D 9LFWLP (A00-000-1535-2875). A login occurred from the 73 IP Addresson or about January 10, 2021. The claim was initially submitted on or aboutDecember 12, 2020 using the 73 IP Address. But the address provided toDUA on this claim was on Bellevue Avenue in Haverhill, Massachusetts, and I have been unable to find any record that 9LFWLP resides at the 41 Market Street address.E 9LFWLP (A00-000-0320-0235). Logins to this claimant’s account occurredfrom the 73 IP Address on or about January 10 and 24, 2021. The claimwas initially submitted on or about May 12, 2020 using the 73 IP Address. Butthe address provided to DUA on this claim was on Exeter Street in Lawrence, Massachusetts. Further, 9LFWLP currently resides in Puerto Rico and told investigators that she does not know PENA and has never filed for unemployment. Benefits continue to be paid on this claim, including a payment for 567.00 on or about March 15, 2021.F 9LFWLP (A00-000-0360-8593). Logins to this claimant’s account occurred from the 73 IP Address on or about January 10 and 24, 2021. The claim was initially submitted on or about May 15, 2020 using the 73 IP Address. But the address provided to DUA on the claim was on Bedford Street in Methuen, Massachusetts, and I have been unable to find any record that 9LFWLP 16

Case 1:21-cr-10180-WGY Document 3-3 Filed 04/01/21 Page 17 of 29

Case 1:21-cr-10180-WGY Document 3-3 Filed 04/01/21 Page 18 of 29recently as February 2021, and that PENA has received DUA communications via mail and email,and on her cellular phone, including as recently as March 2021.EVIDENCE, FRUITS, AND INSTRUMENTALITIES OF THE TARGET OFFENSES51.There is accordingly probable cause to believe that PENA and the SUBJECTPREMISES, identified in the respective Attachments A to the proposed warrants, possess orcontain fruits, evidence, and instrumentalities of the TARGET OFFENSES as described inAttachment B to the proposed warrants.52.As described more fully above, PENA and others known and unknown have usedthe property located at 41 Market Street, Lawrence, MA, 01843 and the 73 IP Address to submitfraudulent unemployment claims. PENA owns the entire 41 Market Street property. From bothpersonal observation and multiple public sources, I can confirm that the 41 Market Street propertyis a stand-alone, two-story structure with a finished basement that is subdivided into two units,Apartment A and Apartment B. PENA resides in Apartment B. PENA’s residential address hasbeen identified through, for example, car registration and driver’s license records. Additionally,on or about March 21, 2021, PENA confirmed her residential address and cellphone number toCustoms and Border Protection.53.Because the internet is shared between Apartment A and the SUBJECTPREMISES, a device accessing DUA’s network in furtherance of fraudulent claims from the 73IP Address could have been in either Apartment A or the SUBJECT PREMISES. This affidavit,18

Case 1:21-cr-10180-WGY Document 3-3 Filed 04/01/21 Page 19 of 299Q]0[0T b QLD b U00CUb YV9QT:X b WQbU0 T.9bV90b %( &b " % %b S TWF0LVb b ]90T0b" bT0U:/0U QTbW90bT0 UQLUbLQW0/b -Q[0 bW90T0b:UbSTQ- -D0b. YU0bWQb-0D:0[0bW9 Wb ( b9 UbF :E0/FYDW:SD0b "( T0D W0/b D0WV0TUbWQb" Ub b TC0Wb %VT00VbSTQS0 B b :L.DY/:L7b WQb W90b %) 'b" % % b -0. YU0b " b L/b QW90TUb CLQ]Lb L/b YPQ]Lb 9 [0b D:UV0/b W90b %( 'b"# % %b QLb "( b .D :FUb UY-F:VW0/b VQb ( b &90U0b ;L.EY/0/b W90b *;.V;Fbb .D ;F b ]9:.9b] UbUY-F:VW0/bYU:L7b" Ub.0DEYD TbS9QL0bLYF-0Tb b " b9 UbW90T03RT0bE:C0E bT0.0:[0/b F ;Db 6QFb ( b Wb 90Tb b TC0Wb %WT00Vb STQS0 b L/b W90b %( 'b " % % b:L.DY/:L7bF ;DbT0D W0/bWQbQL0bQTbFQT0b.D ;FUbUY-F;WV0/b:LbW90bL F0b L/b" bQ1bV9 T/bS @ :0U b " b]QYD/b 9 [0b EUQb T0.0:[0/b .QKYL:. W:QLUb QLb 90Tb .0DES9QL0 b ]9:.9b - U0/b QLb F b WT ;L:L7b L/b0 S0T;0L.0b L/bW9TQY79b;L5MN W:QLbQ-W ;L0/b/G;L7bW9:Ub:L[0UW;7 V:QL b " bT07YD TE bC00SUbQLb90TbS0TUQL b &90T0b:Ub DUQbSTQ- -D0b. YU0bVQb-0D:0[0bV9 Wb" bSQUU0UU0Ub;L5 H W:QL b0:V90TbQL90Tb S0TUQLb QTb Wb V90b %( 'b "# % % b YU0/b WQbUY-F:Wb 6 Y/YE0LVb"( b .D :FU b " b L/bQV90TUbCLQ]Lb L/bYLCLQ]Lb9 \0bUY-F:WW0/b6 Y/YD0LWb"( b.D :FUb6QFb b TC0Wb%VT00Wb L/bV90b b "b //T0UU b b "( b .E :F LWb W S:. DD b STQ[;/0Ub b UY-UW LW: Eb FQYLWb Q1b:L5 H W;QLb ]90LbUY-F:WW:L7b b"( b.D ;F b:L.EY/:L7b b4TUVb L/bE UWbL F0 b/ W0bQ1b-: 9 bS9QL0bLYF-0T bT0U:/0LV; Db L/bF ;D;L7b //T0UU b0F :Eb //T0UU b%% b L/b- LCb .QZOWb;L5 H W:QL b 0. YU0bW90 bUY-F:WV0/bUQbF L b.D :FU b" b L/bQV90TUbCLQ]Lb L/bYLCLQ]LbD;C0E b]TQW0b/Q]LbQTbST0U0T[0/b WbD0 UWb T0U:/0/b L/bF b.QLW;LY0bWQbT0U:/0b;Lb S F0LVb b-YVbW9:Ub3,.Wb/Q0UbLQVbL07 W0bW90bSTQ- -D0b. YU0bWQb-0D:0[0bW9 WbW90b%( &b"# % %b];EDb.QLW ;Lb0[:/0L.0 b2J:WU b L/b;LUVIF0LW D;W:0UbQ1bW90b& # 'b! % % b QUWbLQV -D b" b L/b" Ub.0DEbS9QL0b ?a0b-QW9b.DQU0E bE:LC0/bWQbV90b b "b //T0UUb L/bW90b3AD:L7bQ1b6 Y/YD0LWb.D :FU b;L.EY/;L8b.D ;FUbW9 Vb/;/bLQWb:L[QD[0 b

Case 1:21-cr-10180-WGY Document 3-3 Filed 04/01/21 Page 20 of 29some of this information. The email address used to submit the claims, for example, would haveto be retained in order to later login to DUA’s PUA web portal. Further, Witness 1 reported toinvestigators that PENA had previously kept a black notebook that contained third-party PII.PENA later claimed that she removed the notebook from her residence. However, based ontraining and experience, I know that individuals often lie about whether and how they havedisposed of evidence of their crimes. Further, based on my training and experience, there isprobable cause to believe that PENA kept PII used to submit fraudulent PUA claims because thatinformation retains value for other criminal schemes. In addition to PENA’s unemployment fraudscheme described above, PII can be sold or used for identity fraud, fraudulent loans or moneytransfers, counterfeit credit cards, and/or blackmail and extortion. Based on my training andexperience, individuals tend to store valuable information, including PII, in a private location, suchas their residence or on their smartphone.Seizure of Computer Equipment and Data56.The investigation has determined that fraudulent unemployment claims weresubmitted online to DUA using mobile phones and/or computers. Some of those submissions weremade from the 41 Market Street property using the 73 IP Address. Recent logins to DUA’s PUAweb portal have also occurred from the 73 IP Address. Records obtained from Apple reflect thatPENA owned an Apple iPhone version 11.6. Records from Apple also reflect that PENA’s AppleiCloud account utilized the “back up” service over the 73 IP Address in June2020. Additionally, Witness 1 said that C& , who reportedly lived at the SUBJECTPREMISES,7 originally filed XQHPSOR\PHQW FODLPV YLD FRPSXWHU DQG :LWQHVV DOVR 7PUA claim A00-000-0069-8357 was submitted to DUA on April 30, 2020 in the nameof && and listed the SUBJECT PREMISES as his address.20

Case 1:21-cr-10180-WGY Document 3-3 Filed 04/01/21 Page 21 of 299.'R-h ! h 'H-h h -;X, XXh X;H8h,.AAaA'ShY.A.O9MH.XhZMh2A.h,B';CX h C';Bh'--R.XX.Xhe.T.h'AXMh,R.'Y.-h'H-hZ.A.O9MH.hH C*.RXhe.R.h X.-h YMh 1 A.h Y9.h ,A';CXh 'H-h YMh R.,.;c.h ,MH1KD'Y;MHh,M-.Xh ;Hh MR-.Rh YMh ',,.XXh 'H-h OTM,.XXh Y9.h5' -aA.HZh H.CPBMgC.HYh,B';CX h !% h,A' CXhX *C YY.-h HhZ9.hH'C.hM/h! h'H-hMY9.RXh 9'c.hA;XZ.-h! Xh,.AAaB'RhO9MH.hH C*.Rh'Xh'hC.'HXhM/hR.,.;c H8h,MCC H ,'Y;MHXh5MCh % h --;Y;MH'BAg h 5MCh Cgh [R'?H H8 h .fO.R .H,. h 'H-h ;H4 E'Z MHh ORMc -.-h YMh C.h *gMZ9.Rh'8.HZX h h'Ch'e'R.hY9'Yh?H-;c - 'AXh5.Q .HZBgh'AXMh X.h,MCO *gh ,MFCaH ,'Y;H8h ' M YhZ9.Ch Y9RM 89h.C';A h ;HXY'HZh C.XX'8.X h 'H-h aO-(Y.XhYMhMHB?H.hXM,;'AhH.YeMR@;H8he.*X Z.X h-R'6 H8hA.Y].RX h@.O;H8hY9.;Rh,'B.H-'RX h 'I'H8 H8h4RhYR'c.B hXYMS;H8hO;,Z R.X hR.X.'R,: H8hYMO;,XhM/h;HZ.R.XZ h* g;H8h'H-hX.AB;H8h;Y.CXhMHB;H. h'H-h',,.XX;H8hZ9. Rh*'H@ h2H'H,;'A h Hc.XYC.HY haY A; g h'H-hMY9.Rh',,M HYXhMHA;H. h 'Hgh,.AAhO9MH.X hXa,9h'XhY9.h OOA.h;!9MH. hHMeh7H,Y;MHh.XX.HY 'AAgh'XhXC'BAh,MCOaY.SX h !9MH.Xh9'c.h,'O'* A;Y;.XhY9'Yh;H,A -.hX.Rd;H8h'Xh'he R.B.XXhY.A.O9MH.hZMhC'@.h' -;Mh,'ABX h-;8;Y'Bh,'C.R' hOM \'*A.hC.-;'hOA'g.R h !#hH'c;8'Y;MHh-.c ,. h X.H-;H8h 'H-h R.,. c;H8h Z.fZh C.XX'8.Xh 'H-h .C';AX h 'H-h XYMR?H8h 'h R'H8.h 'H-h 'CMbJZh M0h.A.,YRMH;,h-'Y' h f'C;H;H8h-'Z'hXYMR.-hMHh-.c;,.XhM/hY9;Xh gO.h,'Hh H,Mc.S h'CMH8h MY9.ThZ9;H8X h.c;-.H,.h M/h,MCG H;,'Y;MHXh'H-h .c;-.H,.h Y9'ZhR.c.'AXhMRh Xa88.XYXh e9Mh OMXX.XX.-h MTh X.-h Y9.h-.c ,. h MRh.f'COA. h! Xh&9'ZX OOhC.XX'8.XhM*Z';H.-h- R H8hY9;Xh;Hc.XY;8'Y;MHh-.CMHXYR'Y.hY9'Yh ! h X.-h 9.Rh ,.BA A'Rh O9MH.h YMh -;X, XXh 'H-h 1), B;Z'Y.h Y9.h X *C;XX;MHh M/h 5' - A.HYh H.COAMgC.HYh,B';CX h H,Ba- H8hY9UMa89hY9.h.f,9'H8.hM/hY.fYX h' -;MhHMY.X h'H-hO;,ZaR.X h H1N E'Y;MHhXYMR.-he;Z9?Hh'h,MCOaY.Sh'H-hMY9.Rh.A.,YRMH ,hXZMR'8.hC.-;'hC'gh'AXMORMc -.h ,V,;'Ah '-- Y;MH'Bh .c -.H,.h M0hY9.h e9M h e9'Z h e9g h e9.H h e9.R. h 'H-h 9Me h M0h Y9.h " h # # ORMc.h.',9h.A.C.HYhM/hY9.h " h # # h MTh 'AY.W'Y;c.Ag h YMh .f,A -.h Y9.h ;LHM,.HYh 5MCh 3Y9.Rh X XO;,;MH h h

Case 1:21-cr-10180-WGY Document 3-3 Filed 04/01/21 Page 22 of 29Information stored within a computer or storage media (e.g., registry information,communications, images and movies, transactional information, records of session times anddurations, internet history, and anti-virus, spyware, and malware detection programs) can provide,for example:a. Evidence of who has used or controlled the computer or storage media and whatcomputer or storage media. This “user attribution” evidence is analogous to thesearch for “indicia of occupancy” while executing a search warrant at a residence.The existence or absence of anti-virus, spyware, and malware detection programsmay also indicate whether the computer was remotely accessed, thus inculpating orexculpating the computer owner.b. Evidence of how and when the computer or storage media was accessed or used.Computers typically contain information that log: computer user account sessiontimes and durations, computer activity associated with user accounts, electronicstorage media that connected with the computer, and the IP addresses throughwhich the computer accessed networks and the internet. Such information allowsinvestigators to understand the chronological context of computer or electronicstorage media access, use, and events relating to the crime under investigation.c. Evidence relating to the physical location of other evidence and the suspect. Imagesstored on a computer may both show a particular location and have geolocationinformation incorporated into its file data. Such file data typically also containsinformation indicating when the file or image was created. The existence of suchimage files, along with external device connection logs, may also indicate the22

Case 1:21-cr-10180-WGY Document 3-3 Filed 04/01/21 Page 23 of 29presence of additional electronic storage media (e.g., a digital camera or cellularphone with an incorporated camera).d. Information within the computer may indicate the owner’s motive and intent tocommit a crime (e.g., internet searches indicating criminal planning), orconsciousness of guilt (e.g., running a “wiping” program to destroy evidence on thecomputer or password protecting/encrypting such evidence in an effort to concealit from law enforcement).59.From my training, experience, and information provided to me by other agents, Iam aware that individuals commonly store records of the type described in Attachment B to theproposed warrant in computer hardware, computer software, smartphones, and storage media.Further, computer files or remnants of such files can be recovered months or years after they havebeen written, downloaded, saved, deleted, or viewed locally or over the Internet. This is truebecause:a. Electronic files that have been downloaded to a storage medium can be stored foryears at little or no cost. When users replace their computers, they can easilytransfer the data from their old computer to their new computer.b. Even after files have been deleted, they can be recovered months or years laterusing forensic tools. This is so because when a person “deletes” a file on acomputer, the data contained in the file does not actually disappear; rather, that dataremains on the storage medium until it is overwritten by new data, which might notoccur for long periods of time. In addition, a computer’s operating system mayalso keep a record of deleted data in a “swap” or “recovery” file.23

Case 1:21-cr-10180-WGY Document 3-3 Filed 04/01/21 Page 24 of 29c. Wholly apart from user-generated files, computer storage media contain electronicevidence of how the computer has been used, what it has been used for, and whohas used it. This evidence can take the form of operating system configurations,artifacts from operating system or application operation, file system data structures,and virtual memory “swap” or paging files. It is technically possible to delete thisinformation, but computer users typically do not erase or delete this evidencebecause special software is typically required for that task.d. Similarly, files that have been viewed over the Internet are sometimes automaticallydownloaded into a temporary Internet directory or “cache.” The browser oftenmaintains a fixed amount of hard drive space devoted to these files, and the filesare overwritten only as they are replaced with more recently viewed Internet pagesor if a user takes steps to delete them.e. Data on a storage medium can provide evidence of a file that was once on thestorage medium but has since been deleted or edited, or of a deleted portion of afile (such as a paragraph that has been deleted from a word processing file). Virtualmemory paging systems can leave traces of information on the storage medium thatshow what tasks and processes were recently active.Web browsers, emailprograms, and chat programs store configuration information on the storagemedium that can reveal information such as online nicknames and passwords.Operating systems can record additional information, such as the attachment ofperipherals, the attachment of USB flash storage devices or other external storagemedia, and the times the computer was in use. Computer file systems can record24

Case 1:21-cr-10180-WGY Document 3-3 Filed 04/01/21 Page 25 of 29

Case 1:21-cr-10180-WGY Document 3-3 Filed 04/01/21 Page 26 of 29either from accidental or programmed destruction, it is often necessary that computer hardware,computer software, and storage media be seized and subsequently processed by a computerspecialist in a laboratory setting rather than in the location where it is seized. This is true because:a. The volume of evidence storage media such as hard disks, flash drives, CDs, andDVDs can store the equivalent of thousands or, in some instances, millions of pagesof information. Additionally, a user may seek to conceal evidence by storing it inrandom order or with deceptive file names. Searching authorities may need toexamine all the stored data to determine which particular files are evidence, fruits,or instrumentalities of criminal activity. This process can take weeks or months,depending on the volume of data stored, and it would be impractical to attempt thisanalysis on-site.b. Technical requirements analyzing computer hardware, computer software orstorage media for criminal evidence is a highly technical process requiring expertiseand a properly controlled environment. The vast array of computer hardware andsoftware available requires even computer experts to specialize in some systemsand applications. Thus, it is difficult to know, before the search, which expertpossesses sufficient specialized skill to best analyze the system and its data.Furthermore, data analysis protocols are exacting procedures, designed to protectthe integrity of the evidence and to recover even "hidden," deleted, compressed, orencrypted files. Many commercial computer software programs also save data inunique formats that are not conducive to standard data searches. Additionally,computer evidence is extremely vulnerable to tampering or destruction, both fromexternal sources and destructive code imbedded in the system as a "booby trap."26

Case 1:21-cr-10180-WGY Document 3-3 Filed 04/01/21 Page 27 of 29Consequently, law enforcement agents may either copy the data at the premises to be searched orseize the computer equipment for subsequent processing off-site.63.Off-site processing may also be necessary because the process of identifying theexact files, blocks, registry entries, logs, or other forms of forensic evidence on a storage mediumthat are necessary to draw an accurate conclusion is a dynamic process. While it is possible tospecify in advance the records to be sought, computer evidence is not always data that can bemerely reviewed by a review team and passed along to investigators. Whether data stored on acomputer is evidence may depend on other information stored on the computer and the applicationof knowledge about how a computer behaves. Therefore, contextual information necessary tounderstand other evidence also falls within the scope of the proposed warrant.Unlocking a Device Using Biometric Features64.I know from my training and experience, as well as from information found inpublicly available materials, that some models of cellphones made by Apple and othermanufacturers, offer their users the ability to unlock a device via the use of a fingerprint or throughfacial recognition, in lieu of a numeric or alphanumeric passcode or password.65.On the Apple devices that have this feature, the fingerprint unlocking feature iscalled Touch ID. If a user enables Touch ID on a given Apple device, he or she can register up to5 fingerprints that can be used to unlock that device. The user can then use any of the registeredfingerprints to unlock the device by pressing the relevant finger(s) to the device’s Touch ID sensor.In some circumstances, a fingerprint cannot be used to unlock a device that has Touch ID enabled,and a passcode must be used instead, such as: (1) when more than 48 hours has passed since thelast time the device was unlocked and (2) when the device has not been unlocked via Touch ID in8 hours and the passcode or password has not been entered in the last 6 days. Thus, in the event27

Case 1:21-cr-10

workers). PUA provided payments for these benefits beginning on or after January 27, 2020 and ending before December 31, 2020, for a maximum period of 39 weeks. On or about December 27, 2020, recipients of PUA were granted 13 weeks of extended benefits. The American Rescue Act has now further extended PUA benefits through September 4, 2021. 11.