A Florida woman was sentenced to 22 months in prison for running a massive, years-long scheme to traffic thousands of stolen Microsoft Certificate of Authenticity (COA) labels.
52-year-old Heidi Richards (also known as Heidi Hastings, Heidi Shaffer and Heidi Williams), who ran an e-commerce company called Trinity Software Distribution, was also ordered to pay a $50,000 fine.
COA labels are small stickers that authenticate software and contain unique product key codes used to activate products distributed on physical media, such as Microsoft’s Windows operating system and the Office productivity suite.
As the plaintiffs explained, COA labels have no independent commercial value and cannot be legally sold without the licensed software and hardware for which they were designed. However, the codes on these labels can be used to activate Microsoft software without a legitimate license, leading to an illegal market for standalone COA labels.
“The only authorized method of downstream distribution for a Windows OEM COA is affixed to the computer on which the software is installed or with the complete, sealed OEM package including the COA label and license,” the complaint reads.
“The labels may not be sold on a ‘standalone’ basis, separate from the software they were intended to authenticate.”
In total, between July 2018 and January 2023, Richards and her accomplices purchased tens of thousands of authentic Windows 10 and Microsoft Office COA labels from a Texas-based company, paying millions of dollars at prices well below retail value.
Instead of selling the labels with the software to accompany them (as required by federal law), Richards instructed employees to extract the product key codes by hand and transcribe them into Excel spreadsheets.
They then sold the collected Microsoft license keys in bulk to customers around the world, transferring $5,148,181.50 to the vendor between 2018 and 2023.
This case was prosecuted by Assistant U.S. Attorney Risha Asokan and Trial Attorney Jared Hosid of the Computer Crime and Intellectual Property Section (CCIPS). Over the past five years, CCIPS has secured more than 180 cybercrime convictions and helped victims recover more than $350 million.
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious examples to discover the top 10 techniques and see if your security stack is blindsided.
