Full Report
A Florida woman was sentenced to 22 months in prison for running a massive years-long scheme to traffic thousands of stolen Microsoft Certificate of Authenticity (COA) labels. [...]
Analysis Summary
# Incident Report: Years-Long Microsoft License Trafficking Scheme
## Executive Summary
Heidi Richards, owner of Trinity Software Distribution, operated an illicit multi-million dollar scheme involving the trafficking of stolen and standalone Microsoft Certificate of Authenticity (COA) labels. Between 2018 and 2023, the organization purchased tens of thousands of labels, extracted activation keys, and sold them globally, resulting in over $5.1 million in illicit payments to suppliers. The incident concluded with a 22-month prison sentence and financial penalties for the primary perpetrator.
## Incident Details
- **Discovery Date:** Sentencing on March 2, 2026 (the scheme itself ran from July 2018 to January 2023)
- **Incident Date:** July 2018 – January 2023
- **Affected Organization:** Microsoft (Intellectual Property Owner)
- **Sector:** Software / E-commerce
- **Geography:** Florida, USA (Operations); Texas, USA (Supplier); Global (Sales)
## Timeline of Events
### Initial Access
- **Date/Time:** July 2018
- **Vector:** Fraudulent Procurement
- **Details:** Richards established a supply chain with an unnamed Texas-based company to acquire genuine Windows 10 and Microsoft Office COA labels at prices significantly below retail value.
### Lateral Movement
- **Details:** Not applicable. This was a fraud and trafficking scheme rather than a network intrusion; the "movement" was organizational, with Richards directing employees at Trinity Software Distribution to scale the operation.
### Data Exfiltration/Impact
- **Details:** Employees read the 25-character product keys off the physical COA labels and typed them by hand into Excel spreadsheets, turning a physical asset into a digital one that could be sold in bulk without ever shipping the label.
### Detection & Response
- **Monitoring:** Federal authorities and the Computer Crime and Intellectual Property Section (CCIPS) tracked the financial transactions totaling over $5.1 million.
- **Response Actions:** Indictment by the U.S. Attorney's Office, prosecution, and sentencing of the primary operator.
## Attack Methodology
- **Initial Access:** Misuse of wholesale supply chains to acquire "standalone" COA labels, i.e. labels sold on their own even though Microsoft's licensing terms require them to remain affixed to the hardware they were issued with.
- **Persistence:** Long-term operation maintained through a legitimate-looking e-commerce front (Trinity Software Distribution).
- **Privilege Escalation:** N/A (Organizational fraud).
- **Defense Evasion:** Use of multiple aliases (Heidi Hastings, Heidi Shaffer, Heidi Williams) to obscure the identity of the primary operator.
- **Credential Access:** Extraction of legitimate activation keys (Product Keys) from physical COA stickers.
- **Discovery:** N/A.
- **Lateral Movement:** N/A.
- **Collection:** Manual transcription of physical codes into digital Excel spreadsheets for bulk sale.
- **Exfiltration:** Global sale and distribution of product keys via electronic communication and e-commerce platforms.
- **Impact:** Significant financial loss to Microsoft through the creation of an illicit "grey market" that undercut legitimate retail prices.
## Impact Assessment
- **Financial:** Over $5.1 million wired to illicit suppliers; an unquantified amount of lost licensing revenue for Microsoft.
- **Data Breach:** Compromise of tens of thousands of unique Microsoft product activation keys.
- **Operational:** Disruption and eventual shutdown of Trinity Software Distribution.
- **Reputational:** High-profile federal conviction highlighting the risks of purchasing "grey market" software for consumers.
## Indicators of Compromise
- **Network indicators:** N/A
- **File indicators:** Spreadsheets holding large numbers of Windows/Office product keys that are not tied to any device, purchase order, or license agreement.
- **Behavioral indicators:** High-volume wire transfers to third-party software "suppliers" that do not appear on Microsoft's authorized distributor or refurbisher lists.
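Both indicators above can be checked mechanically. The script below is an added example written for this summary, not code from the original report, from Microsoft, or from any investigator. It scans a CSV export of a spreadsheet for product-key-shaped strings and sums a payment ledger per payee against an allow-list of authorized distributors. The key alphabet (the 24 characters Microsoft has historically used in 25-character retail and OEM keys), both thresholds, the allow-list entries, and every sample row, payee, and key are assumptions constructed for the example; the sample keys are not real keys, and a regex match means "key-shaped", not "valid".

```python
"""Detection helpers for the file and behavioral indicators above.

Added example, not code from the original report. Assumptions (not from the
source): the 25-character key alphabet, the thresholds, the allow-list and all
sample data below are constructed for illustration; the sample keys are not
real keys.
"""
import csv
import io
import re
from collections import Counter

# Alphabet Microsoft has historically used for 25-character product keys
# (assumption; adjust if the key format you encounter differs).
KEY_ALPHABET = "BCDFGHJKMNPQRTVWXY2346789"
GROUP = "([%s]{5})" % KEY_ALPHABET
# Five groups of five. The separator is optional so hand-typed keys with
# spaces or no dashes still match; the lookarounds stop matches that start or
# end inside a longer alphanumeric run.
KEY_RE = re.compile(r"(?<![A-Z0-9])" + r"[- ]?".join([GROUP] * 5) + r"(?![A-Z0-9])")

KEY_THRESHOLD = 10             # distinct keys per file before flagging (assumption)
PAYMENT_THRESHOLD = 100_000.0  # total per unknown payee before flagging (assumption)
# Hypothetical allow-list of authorized distributors, lower-cased.
AUTHORIZED_PAYEES = {"example authorized distributor llc"}


def extract_keys(text):
    """Return the distinct key-shaped strings in text, canonicalised to
    XXXXX-XXXXX-XXXXX-XXXXX-XXXXX. Case and separators are normalised so a
    hand-typed 'bcdfg hjkmn ...' dedupes against 'BCDFG-HJKMN-...'."""
    return {"-".join(m.groups()) for m in KEY_RE.finditer(text.upper())}


def scan_spreadsheet_csv(csv_text, threshold=KEY_THRESHOLD):
    """Scan every cell of a CSV export; return (distinct keys, flagged)."""
    keys = set()
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            keys |= extract_keys(cell)
    return keys, len(keys) >= threshold


def flag_payments(ledger_rows, authorized=AUTHORIZED_PAYEES, min_total=PAYMENT_THRESHOLD):
    """Sum outgoing payments per payee; return {payee: total} for payees that
    are not on the allow-list and whose total reaches min_total."""
    totals = Counter()
    for r in ledger_rows:
        totals[r["payee"].strip().lower()] += float(r["amount"])
    return {p: t for p, t in totals.items() if p not in authorized and t >= min_total}


# Constructed sample data. The keys are made up from the alphabet above; the
# last row is a deliberate non-key (it uses letters outside the alphabet).
SAMPLE_CSV = """sku,note,key
WIN10-PRO,COA #1,BCDFG-HJKMN-PQRTV-WXY23-46789
WIN10-PRO,typed by hand,bcdfg hjkmn pqrtv wxy23 46789
OFF2019,COA #2,N8WMV-9C6QK-7JWK6-DBH2M-X7KBX
OFF2019,COA #3,QPWT4-X3K2G-B9C7V-M8DH6-JN4RY
MISC,not a key,ABCDE-FGHIJ-KLMNO-PQRST-UVWXY
"""

SAMPLE_LEDGER = [  # invented payees and amounts
    {"date": "2018-07-09", "payee": "Example Authorized Distributor LLC", "amount": "12500.00"},
    {"date": "2018-08-15", "payee": "Lone Star Surplus Labels", "amount": "95000.00"},
    {"date": "2018-09-02", "payee": "Lone Star Surplus Labels", "amount": "110000.00"},
    {"date": "2018-09-20", "payee": "Local Office Supply Co", "amount": "800.00"},
]

if __name__ == "__main__":
    keys, flagged = scan_spreadsheet_csv(SAMPLE_CSV, threshold=3)
    print(f"{len(keys)} distinct keys, flagged={flagged}")
    for k in sorted(keys):
        print("  ", k)
    print("suspicious payees:", flag_payments(SAMPLE_LEDGER))
```

The hand-typed row dedupes against the first label because the matcher normalises case and separators before canonicalising, so a spreadsheet that lists the same key in several formats still counts it once; the payee check deliberately keys on totals rather than single transfers, since the pattern described in this case was many payments to the same off-list supplier over years.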
## Response Actions
- **Containment:** Federal indictment and cessation of business operations at Trinity Software Distribution.
- **Eradication:** Sentencing of Heidi Richards to 22 months in federal prison.
- **Recovery:** Ordering of a $50,000 fine and ongoing efforts by CCIPS to recover illicit gains (part of $350 million recovered in similar cases).
## Lessons Learned
- **Supply Chain Vulnerability:** Genuine physical assets (COA labels) can be diverted from the supply chain and weaponized if not strictly tracked from manufacturer to end-user hardware.
- **Manual Digitization:** Keys typed by hand from physical labels leave no network or endpoint signature that conventional security tooling would flag; the detectable artifacts are the resulting spreadsheets and the payment flows that fund the label purchases.
## Recommendations
- **Vendor Verification:** Organizations should only purchase software licenses from Microsoft Authorized Refurbishers or authorized distributors.
- **Digital Licensing Shift:** Continued industry movement away from physical COA labels toward digital licenses bound to device hardware or to an account (a Microsoft account, or Microsoft 365/Entra ID subscription activation) rather than to a transferable 25-character key, which removes the physical label as something that can be stolen or diverted.
- **Legal Monitoring:** Companies should monitor e-commerce platforms for "standalone" COA sales, which are a primary indicator of fraudulent activity.