Bootleg Windows, Office scheme crashes, triggers 22-month lockup for Florida woman
- Reference: 1772542046
- News link: https://www.theregister.co.uk/2026/03/03/windows_office_software_scalper/
Heidi Richards, 52, operated the company Trinity Software Distribution (Trinity) and, according to court documents, acquired Microsoft COA labels "from a variety of sources" that were separated from the software packages with which they were intended to be paired.
Richards, also known as Heidi Hastings, Heidi Shafer, and Heidi Williams, paid more than $5 million for Microsoft COA labels between 2018 and 2023.
According to the [2]indictment [PDF], she primarily procured keys for different versions of [3]Windows 10 (Home/Pro) and [4]Microsoft Office (2019/2021/Home/Student).
Richards obtained thousands of keys during this time, and instructed employees to take the COA labels and transcribe the product activation codes written on them into a spreadsheet. She then sent the codes to buyers who could redeem them.
In plain terms, prosecutors said Richards was illegally obtaining Microsoft software keys and selling them at heavily discounted prices, all while personally profiting.
COA labels are one of Microsoft's anti-counterfeiting measures. They are not supposed to be sold separately from the packaging to which they were intended to be attached, but a black market for the labels exists due to vulnerabilities in Microsoft's supply chain, according to the indictment.
[8]
Windows 7 certificate of authenticity label
Microsoft hardware and software products have distinct labels incorporating anti-counterfeit measures. Earlier versions of Windows shipped with labels that used color-shifting ink, for example, among other measures. Since Office 2021, activation for the productivity software suite has been digital only, completed through the Microsoft account that purchased it.
Authorized refurbishers also have their own specific COA labels to attach to refurbished products. Labels that don't display these measures can be viewed as counterfeit and cannot legally be sold.
The labels Richards acquired were genuine and had product keys written on them, but they were obtained and later sold illegally.
Since 2016, product keys have been concealed with a silver scratch-off material so that counterfeiters or illegal resellers can't simply examine a COA label to obtain the valid key.
Richards was found guilty by a federal jury following a November 2025 trial. At the time, she was told she could face a maximum sentence of five years.
In addition to the 22 months in prison, she must also pay a $50,000 fine, [14]said Gregory Kehoe, US attorney for the Middle District of Florida. ®
[2] https://www.justice.gov/usao-mdfl/media/1333961/dl?inline
[3] https://www.theregister.com/2025/11/04/windows_10_eol/
[4] https://www.theregister.com/2026/02/02/russialinked_apt28_microsoft_office_bug/
[8] https://regmedia.co.uk/2026/03/03/windows_coa_label_wikimedia_commons.jpg
[14] https://www.justice.gov/usao-mdfl/pr/software-distributor-sentenced-22-months-prison-conspiracy-traffic-illicit-microsoft
22 months and a 50K fine?
If she paid $5M for the labels, how much did she make? Because if she pocketed a couple of million, two years and a slap on the wrist fine is nothing. Just think how long it would take to make that sort of money doing a regular job...
Re: 22 months and a 50K fine?
That's what happens when financial penalties don't keep pace with inflation.
A while back some guy here got the electric chair and a $1000 fine.
People will buy Microsoft Certificate of Authenticity stickers?
I normally stick them on rubbish bins, along with "Designed For Microsoft Windows" labels
Re: People will buy Microsoft Certificate of Authenticity stickers?
Suggest attaching them to a memory SIMM, then you can legitimately sell the memory, leaving it to the user to decide what to do with the attached COA and activation key…
This case revolves around MS’s determination to prevent people exercising their right to sell stuff they have purchased, because MS want people to think their software is somehow “special”..
MS want people to think their software is somehow “special”..
Definitely "special"
Re: People will buy Microsoft Certificate of Authenticity stickers?
I've seen loads like this on ebay in the past - sold with "untested" DIMM or 2.5" hard drive, or some other small piece of probably-faulty technocrap, with a note that the hardware wouldn't actually be sent unless the buyer requested it in some cases. Don't know whether this still goes on.
There are also various websites which sell keys which appear to be of somewhat grey providence.
Re: People will buy Microsoft Certificate of Authenticity stickers?
I normally stick them on rubbish bins, along with "Designed For Microsoft Windows" labels
Probably the best place for them.
All our DELL PCs came with the Win7 PRO sticker attached but given they were never going to run microslop I used to remove those stickers and keep them in an envelope. Turned out quite useful later when installing Win10 on the odd VM. Still have dozens of the now useless stickers. The original PCs would now be ewaste.
Reading the indictment, Heidi appears to have paid $20-80 per COA (Windows, Office), so if you say $50 per COA, $5m works out to at least 100,000 COAs. It isn't clear how much her clients paid for licenses but $242,000 restitution was sought.
Doesn't seem too profitable on the face of it. I would wonder whether her operation was mostly a front for "unindicted co-conspirator 1" from whom she appeared to purchase the COAs.
Re: People will buy Microsoft Certificate of Authenticity stickers?
Research Machines - Temp Agency Assemblers would plaster their toolboxes with damaged COA labels as decoration, until someone in manglement caught one of them doing this, and an order went out to unpeel all labels & transfer to a sheet of A4 paper, so they could be returned for credit to the tune of about £3K.
Then there was the TAA that conspired to get a replacement HDD (still wrapped in a sealed anti static bag) off the shop floor & dropped into a lavatory cistern for later retrieval. Unfortunately he wedged the cistern float & the cistern overflowed. The HDD was discovered, traced to who had booked it out & confirmed he had headed straight for the Gents after taking it, when the CCTV footage was examined. He rapidly became an ex-TAA as he was fired, left without transport back to Scotland where he had been brought in from & his B&B accommodation no longer paid for.
Back in the day, I used to work in the returns department for a large UK PC assembler.
Whenever somebody returned a faulty PC (and many did), we used to steam off the COA sticker, attach it to a refund sheet, then send the month's worth of sheets to Thompson Litho in Germany via Fed Ex.
I seem to remember the cost for 24 delivery with insurance was about £50.
Then Bush invaded Iraq and the world became a darker place, and for some reason, Fed Ex now wanted £9,000 to send the same envelopes to Germany.
My boss decided it was much cheaper, and quicker, to put me in a taxi to Manchester Airport, fly to Kaiserslautern, taxi at the other end, and back again. All done in a work day.
Thanks George W...
send the month's worth of sheets to Thompson Litho
Ok I'm dense. What was the purpose of this exercise? What did Thompson Litho do with that?
Log the receipt of the COA's & authorise the issue of the credit (by Microsoft) I would think.
Who needs packages and labels?
User-based, not reliant upon a 'cloud', Microsoft (MS) products circulate freely for people under the illusion that MS still vends software worth having.
Heidi Richards' clients have paid small sums for the convenience of not being more thoroughly ripped-off by MS and its middlemen.
Hardly the crime of the century, is it?
So… she gets a two-year vacation in Club Fed (when Wesley Snipes was in Club Fed for tax evasion, he was at the Club Fed at Eglin Air Force Base, in the Florida panhandle; among the lowlights of his time in durance vile was that he, and the others in that Club Fed, had to be grounds staff at the officer’s golf course at the base. And could use the course when the officers weren’t using it. Those Feds, they’re harsh.) and she pays $50k… and, unless there’s something not mentioned in the article, keeps a whole lot of cash from selling tens of thousands of copies of various MS crapware. Sounds like a deal to me…