Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 1 of 16

ORIGINAL
IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF GEORGIA
ATLANTA DIVISION

UNITED ST ATES OF AMERICA

V. Criminal Indictment
DANIEL MELI, No.
AKA "XVULNERABLE",
AKA "VULN .HF",
1:23-CR-405
AKA "MELI#4472",
UNDER SEAL
AKA "DMELI96"

THE GRAND JURY CHARGES THAT:

BACKGROUND

At all times relevant to this Indictment:

1. "Malware" is any software intentionally designed to disrupt or

cause damage to a computer, server, client, or computer network.
2. A "Remote Access Trojan" ("RAT") is a type of malware designed to
allow an attacker to remotely control an infected computer.
3. A "RAT mentor" is someone who offers their expertise on RAT
setup and answers any questions users have when implementing RATs.
4. A "slave" is an infected computer controlled by another computer.

5. "Hidden remote desktop" is a tool that allows operators to interact

with a remote desktop session without the user's knowledge.
 Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 2 of 16

6. The defendant, DANIEL MELI, a.k.a. "xVulnerable", a.k.a.

"vuln.hf", a.k.a. "Meli#4472", a.k.a. "dmeli96", was a Maltese citizen, who

resided in or around Zabbar, Malta.

7. Defendant MELI was a malware vendor, RAT mentor, and

administrator operating on the internet forum "HackForums" and using
the moniker "xVulnerable".
8. Defendant MELI offered products and services for sale on
HackForums, including "RATs" and "RAT Mentoring."

9. Additionally, Defendant MELI offered services to computer hackers

using RATs to help them remain anonymous during their RAT use to
conceal their activity from the victim computers' users and law
enforcement.
10. Defendant MELI offered teaching tools, such as an eBook on
HackForums to assist customers with the private RAT spreading method
he used to obtain numerous slaves very quickly. Defendant MELI's RAT
spreading method for getting slaves often targeted the computers of
gamers, who are generally known to have high-performance hardware
that is optimal for mining cryptocurrency.
11. Defendant MELI, using the moniker "xVulnerable", was an

administrator of an online criminal enterprise known as Skynet-

Corporation, which later changed its name to The Pantheon and Icarus

Group. Defendant MELI partnered with other unknown individuals to

sell RATs on the website Skynet-corporation.com.

2
 Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 3 of 16

12. Defendant MELI, using the moniker "xVulnerable", was also known
as an administrator for a separate online criminal enterprise that develops
RAIs employing a hidden remote desktop to avoid detection. Defendant
MELI offered these RAIs for sale on HackForums. Defendant MELI' s
partners in the online criminal enterprise listed their contact information
on Defendant MELI's HackForums' page, while keeping their true
identities concealed.
13. On HackForums, Defendant MELI offered several different types of
identification for customers to use to contact him on the instant messaging
services Skype, Discord, and Telegram, while concealing his true identity.
14. On HackForums, Defendant MELI advertised that he had worked
w ith over 500 customers. He had a well-established reputation in the
HackForums community, demonstrated by over 8,000 posts and past
product and service offerings since his account's creation in 2012.

COUNT ONE
(Conspiracy A)

15. The Grand Jury re-alleges and incorporates by reference the factual

allegations contained in paragraphs 1 through 14 of this Indictment as if

fully set forth here.

16. Beginning on a date unknown, but at least as of in or about

December 2021, and continuing through at least as of in or about June

2022, in the Northern District of Georgia and elsewhere, the defendant,

DANIEL MELI, a.k.a. "xVulnerable", a.k.a. "vuln.hf", a.k.a. "Meli#4472",

a.k.a. "dmeli96", did knowingly and willfully combine, conspire,

3
 Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 4 of 16

confederate, agree, and have a tacit understanding with others known and

unknown to the Grand Jury to commit an offense against the United

States, namely, to:

a. Intentionally access a computer without authorization and

exceed authorized access, and thereby obtain information

from a protected computer, and the offense was committed

for purposes of private financial gain, in violation of Title 18,

United States Code, Sections 1030(a)(2)(C), 1030(b), and

1030(c)(2)(B)(i);

b. Knowingly cause the transmission of a program, information,

code, and command and, as a result, intentionally cause

damage without authorization to a protected computer and

the offense would, if completed, have caused damage

affecting 10 or more protected computers during a one-year

period, in violation of Title 18, United States Code, Sections

1030(a)(5)(A), 1030(b), and 1030(c)(4)(B)(i);

c. Intentionally manufacture, assemble, possess, and sell an

electronic, mechanical, and other device, knowing and having

reason to know that the design of such device renders it

primarily useful for the purpose of surreptitious interception

of wire and electronic communications, and such device was

and was to be transported in interstate and foreign commerce,

4
 Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 5 of 16

in violation of Title 18, United States Code, Section 2512(1)(b);

and

d. Intentionally disseminate by electronic means an

advertisement of an electronic, mechanical, and other device,

knowing and having reason to know that the design of such

device renders it primarily useful for the purpose of the

surreptitious interception of wire and electronic

communications, knowing the content of the advertisement

and having reason to know that such advertisement will be

transported in interstate and foreign commerce, in violation of

Title 18, United States Code, Section 2512(1)(c)(i).

Manner and Means of Conspiracy

17. The manner and means sought to accomplish the object and purpose

of the conspiracy included:

a. Creating and developing RATs;

b. Advertising the availability of RATs on internet forums;

c. Selling RA Ts;

d. Directly assisting computer hackers with RAT downloads and

set up on their computers;

e. Instructing computer hackers how to set up, use, and

distribute RATs;

f. Receiving the proceeds obtained from selling the RATs; and

5
 Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 6 of 16

g. Concealing and hiding acts done in furtherance of the

conspiracy.

Overt Acts in Furtherance of the Conspiracy

18. In furtherance of the conspiracy, and to accomplish the objects and

purposes of the conspiracy, in the Northern District of Georgia and

elsewhere, the following overt acts, among others, were committed and

were caused to be committed:

a. Skynet-Corporation, an online criminal group, created and

developed RATs.

b. On or about December 10, 2021, Defendant MELI and an

unknown administrator of Skynet-Corporation, who created

and developed RATs, agreed to a partnership where

Defendant MELI would provide mentoring and sales support

for the RATs sold by Skynet-Corporation and claim 30% of the

profit for himself. The coupon code for Defendant MELI to

earn the percentage was "xvuln".

c. As a result of this partnership, Defendant MELI was listed as

an administrator on the website for Skynet-Corporation.

d. In or about December 2021, Defendant MELI's products

advertised on HackForums included a RAT at a cost of about

$28 to $73 USD. In or about the same time, Defendant MELI

advised customers to contact him on Skype using the ID

6
 Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 7 of 16

"vuln.hf", on Discord using the ID "Meli#4472", and on

Telegram using the ID" dmeli96".

e. After working with Skynet-Corporation for a few weeks, in or

about December 2021, Defendant MELI contacted the

unknown Skynet-Corporation administrator asking for more

money, stating, "Don't u think I deserve a raise?" ...

"considering im risking jail time" ... "look at all the other

rats" ... "black shades" .. . "IM" ... "netwire" ... "even

cryp t er owners ,, . . . "lummos1

. .ty RAT" . . . nanocore RAT" ...
II

"im going to end up in jail."

f. Between in or about October 2021 and April 2022, Defendant

MELI assisted a computer hacker with using a RAT to steal

passwords from Microsoft Outlook. In a text exchange, the

computer hacker promised to pay Defendant MELI when he

"g[ot] profits" from his hacking.

g. On or about February 2, 2022, Defendant MELI was an

administrator of Skynet-Corporation, which sold a RAT for
$180 in Bitcoin to an FBI Online Covert Employee ("OCE")
located in the Northern District of Georgia. The RAT was
downloaded the next day.

All in violation of Title 18, United States Code, Section 371.

7
 Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 8 of 16

COUNT TWO
(Conspiracy B)

19. The Grand Jury re-alleges and incorporates by reference the factual

allegations contained in paragraphs 1 through 14 of this Indictment as if

fully set forth here.

20. Beginning on a date unknown, but at least as of in or about June

2022, and continuing through the date of this Indictment, in the Northern

District of Georgia and elsewhere, the defendant, DANIEL MELI, a.k.a.

"xVulnerable", a.k.a. "vuln.hf", a.k.a. "Meli#4472", a.k.a. "dmeli96", did

knowingly and willfully combine, conspire, confederate, agree, and have a

tacit understanding with others known and unknown to the Grand Jury to

commit an offense against the United States, namely, to:

a. Intentionally access a computer without authorization and

exceed authorized access, and thereby obtain information

from a protected computer, and the offense was committed

for purposes of private financial gain, in violation of Title 18,

United States Code, Sections 1030(a)(2)(C), 1030(b), and

1030(c)(2)(B)(i);

b. Knowingly cause the transmission of a program, information,

code, and command and, as a result, intentionally cause

damage without authorization to a protected computer and

the offense would, if completed, have caused damage

affecting 10 or more protected computers during a one-year

8
 Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 9 of 16

period, in violation of Title 18, United States Code, Sections

1030(a)(S)(A), 1030(b), and 1030(c)(4)(B)(i);

c. Intentionally manufacture, assemble, possess, and sell an

electronic, mechanical, and other device, knowing and having

reason to know that the design of such device renders it

primarily useful for the purpose of surreptitious interception

of wire and electronic communications, and such device was

and was to be transported in interstate and foreign commerce,

in violation of Title 18, United States Code, Section 2512(1)(b);

and

d. Intentionally disseminate by electronic means an

advertisement of an electronic, mechanical, and other device,

knowing and having reason to know that the design of such

device renders it primarily useful for the purpose of the

surreptitious interception of wire and electronic

communications, knowing the content of the advertisement

and having reason to know that such advertisement will be

transported in interstate and foreign commerce, in violation of

Title 18, United States Code, Section 2512(1)(c)(i).

Manner and Means of Conspiracy

21. The manner and means sought to accomplish the object and purpose

of the conspiracy included:

9
 Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 10 of 16

a. Creating and developing RATs;

b. Advertising the availability of RA Ts on internet forums;

c. Selling RA Ts;

d. Directly assisting computer hackers with RAT downloads and

set up on their computers;

e. Instructing computer hackers how to set up, use, and

distribute RATs;

f. Receiving the proceeds obtained from selling the RATs; and

g. Concealing and hiding acts done in furtherance of the

conspiracy.

Overt Acts in Furtherance of the Conspiracy

22. In furtherance of the conspiracy, and to accomplish the objects and

purposes of the conspiracy, in the Northern District of Georgia and

elsewhere, the following ov·e rt acts, among others, were committed and

were caused to be committed:

a. A known criminal enterprise created and developed RATs

employing hidden remote desktop to avoid detection, which

was advertised and sold by Defendant MELL

b. Defendant MELI' s partners in this criminal enterprise

advertised their contact information on Defendant MELI' s

HackForums page, while keeping their true identities

concealed.

10
 Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 11 of 16

c. In or about June 2022, one of Defendant MELI' s partners on

HackForums advertised RATs specifically designed to avoid

detection by using hidden remote desktop and other features.

The RATs were offered for $37.95 USD for 1 month, $24.95

USD per month for 3 months, or $16.34 USD per month for 12

months.

d . On or about October 31, 2022, Defendant MELI provided the

discount code "DAN" to an FBI OCE, located in the Northern

District of Georgia, to purchase a RAT from his associated

online criminal enterprise that specifically developed RATs

employing hidden remote desktop to avoid detection. With

the discount code, the online criminal enterprise sold the RAT

to the FBI OCE on or about November 3, 2022, for $186 USD,

and the FBI OCE downloaded it on the same day.

e. On or about November 14, 2022, Defendant MELI directly

sold the eBook on his private RAT spreading method for $218

USD to an FBI OCE located in the Northern District of

Georgia.

f. On or about November 22, 2022, Defendant MELI directly

sold lifetime support and setup of RA Ts for $57 USD to an FBI

OCE located in the Northern District of Georgia.

All in violation of Title 18, United States Code, Section 371.

11
 Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 12 of 16

COUNTS THREE AND FOUR

(Electronic Communication Intercepting Devices)
23. The Grand Jury re-alleges and incorporates by reference the factual

allegations contained in paragraphs 1 through 14 of this Indictment as if

fully set forth here.

24. On or about the dates listed in Column A of the following table, in

the Northern District of Georgia and elsewhere, the defendant, DANIEL

MELI, a.k.a. "xVulnerable", a.k.a. "vuln.hf", a.k.a. "Meli#4472", a.k.a.

" dmeli96", aided and abetted by others known and unknown to the Grand

Jury, intentionally manufactured, assembled, possessed, and sold an

electronic, mechanical, and other device, knowing and having reason to

know that the design of such device renders it primarily useful for the

purpose of surreptitious interception of wire and electronic

communications, and such device was and was to be transported in

interstate and foreign commerce:

A B C D E

Count Date Device Price Seller Purchaser

(USD) Location Location
3 February RAT $180 Malta United States
2,2022
4 November RAT with $186 Malta United States
3,2022 hidden
remote
desktop

12
 Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 13 of 16

All in violation of Title 18, United States Code, Section 2512(1)(b) and

Section 2.

COUNT FIVE
(Advertising Electronic Communication Intercepting Devices)

25. The Grand Jury re-alleges and incorporates by reference the factual

allegations contained in paragraphs 1 through 14 of this Indictment as if

fully set forth here.

26. Beginning on a date unknown, but at least as of in or about

December 2021, and continuing through the date of this Indictment, in the

Northern District of Georgia and elsewhere, the defendant, DANIEL

MELI, a.k.a. "xVulnerable", a.k.a. "vuln.hf", a.k.a. "Meli#4472", a.k.a.

" dmeli96", aided and abetted by others known and unknown to the Grand

Jury, intentionally disseminated by electronic means an advertisement of

an electronic, mechanical, and other device, knowing and having reason to

know that the design of such device renders it primarily useful for the

purpose of the surreptitious interception of electronic communications,

knowing the content of the advertisement and having reason to know that

such advertisement will be transported in interstate and foreign

commerce, in violation of Title 18, United States Code, Section 2512(1)(c)(i)

and Section 2.

13
 Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 14 of 16

COUNTS SIX AND SEVEN

(Computer Intrusions)

27. The Grand Jury re-alleges and incorporates by reference the factual

allegations contained in paragraphs 1 through 14 of this Indictment as if

fully set forth here.

28. On or about the dates listed in Column A of the following table, in

the Northern District of Georgia and elsewhere, the defendant, DANIEL
MELI, a.k.a. "xVulnerable", a.k.a. "vuln.hf", a.k.a. "Meli#4472", a.k.a.
"dmeli96", aided and abetted by others known and unknown to the Grand
Jury, knowingly caused and attempted to cause the transmission of a
program, information, code, and command and, as a result, intentionally
caused and attempted to cause damage without authorization to a
protected computer, and the offense caused and would, if completed, have
caused damage affecting ten or more protected computers during a one-
year period:

A B C D E

Count Date Program Price Seller Purchaser

Location Location
6 February RAT $180 Malta United States
2,2022
7 November RAT $186 Malta United States
3,2022
All in violation of Title 18, United States Code, Sections 1030(a)(S)(A),

1030(b), and 1030(c)(4)(B), and Section 2.

14
 Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 15 of 16

FORFEITURE

29. Upon conviction of one or more offenses alleged in Counts One,

Two, Six, and Seven of this Indictment, the defendant, DANIEL MELI,
11 11 11 11 11
a.k.a. xVulnerable , a.k.a. vuln.hf", a.k.a. Meli#4472", a.k.a. dmeli96",
shall forfeit to the United States, pursuant to Title 18, United States Code,

Sections 982(a)(2)(B) and 1030(i), any personal property used or intended

to be used to commit or to facilitate the commission of said violations and
any property constituting, or derived from, proceeds obtained, directly or
indirectly, as a result of said violations, including, but not limited to, the
following:
MONEY JUDGMENT: A sum of money in United States currency,

representing the amount of proceeds obtained as a result of each

offense alleged in Counts One, Two, Six, and Seven.

30. Upon conviction of one or more of the offenses alleged in Counts

11
Three through Five, the defendant, DANIEL MELI, a.k.a. xVulnerable",
11 11 11
a.k.a. vuln.hf", a.k.a. Meli#4472", a.k.a. dmeli96", shall forfeit to the

United States, pursuant to Title 18, United States Code, Section 2513 and

Title 28, United States Code, Section 2461(c), any electronic, mechanical or

other device used, sent, carried, manufactured, assembled, possessed, sold

or advertised in violation of the offenses.

31. If, as a result of any act or omission of the defendant, any property

subject to forfeiture:

a. cannot be located upon the exercise of due diligence;

15
 Case 1:23-cr-00405-UNA Document 1 Filed 12/12/23 Page 16 of 16

b. has been transferred or sold to, or deposited with, a third

party;

c. has been placed beyond the jurisdiction of the Court;

d. has been substantially diminished in value; or

e. has been commingled with other property which cannot be

divided without difficulty;

the United States of America intends, pursuant to Title 21, United States

Code, Section 853(p ), as incorporated by Title 18, United States Code,

Section 1030(i)(2) and Title 28, United States Code, Section 2461(c), to seek

forfeiture of any other property of said defendant up to the value of the

forfeitable property.
A
---- BILL

RYAN K. BUCHANAN
United States A ttorney

Assistant United States A ttorney

Georgia Bar No. 349515

fJ~ fR~
Assistant United States A ttornei;
Georgia Bar No. 971630

600 U.S. Courthouse

75 Ted Turner Drive SW
Atlanta, GA 30303
16