
A Florida woman was sentenced to 22 months in prison for running a massive years-long scheme to traffic thousands of stolen Microsoft Certificate of Authenticity (COA) labels.
52-year-old Heidi Richards (also known as Heidi Hastings, Heidi Shaffer, and Heidi Williams), who operated an e-commerce business called Trinity Software Distribution, was also ordered to pay a $50,000 fine.
COA labels are small stickers that authenticate software and carry unique product key codes used to activate products distributed on physical media, such as Microsoft's Windows operating system and Office productivity suite.
As prosecutors explained, COA labels carry no independent commercial value and may not legally be sold apart from the licensed software and hardware they are designed to accompany. However, the codes on these labels can be used to activate Microsoft software without a legitimate license, leading to an illicit market for standalone COA labels.
"The only authorized method of downstream distribution for a Windows OEM COA is affixed to the computer on which the software was installed or with the complete, sealed OEM package including the COA label and license," the indictment reads.
"The labels may not be sold on a 'standalone' basis separated from the software they were intended to authenticate."
In all, Richards and her accomplices bought tens of thousands of genuine Windows 10 and Microsoft Office COA labels from a Texas-based company between July 2018 and January 2023, paying millions of dollars at prices far below retail value.
Rather than sell the labels with the software they were intended to accompany (as required by federal law), Richards directed employees to extract the product key codes by hand and transcribe them into Excel spreadsheets.
They then sold the extracted Microsoft license keys in bulk to customers worldwide, wiring $5,148,181.50 to the supplier between 2018 and 2023.
This case was prosecuted by Assistant U.S. Attorney Risha Asokan and trial attorney Jared Hosid of the Computer Crime and Intellectual Property Section (CCIPS). Over the last 5 years, CCIPS has secured more than 180 cybercrime convictions and helped victims recover more than $350 million.