A Florida woman will spend nearly two years behind bars after being found guilty of fraudulently acquiring Microsoft certificate of authenticity (COA) labels and selling them in bulk.

Heidi Richards, 52, operated the company Trinity Software Distribution (Trinity) and, according to court documents, acquired Microsoft COA labels "from a variety of sources" that were separated from the software packages with which they were intended to be paired.

Richards, also known as Heidi Hastings, Heidi Shafer, and Heidi Williams, paid more than $5 million for Microsoft COA labels between 2018 and 2023.

According to the indictment [PDF], she primarily procured keys for different versions of Windows 10 (Home/Pro) and Microsoft Office (2019/2021/Home/Student). 

Richards obtained thousands of keys during this time, and instructed employees to take the COA labels and transcribe the product activation codes written on them into a spreadsheet. She then sent the codes to buyers who could redeem them.

In plain terms, prosecutors said Richards was illegally obtaining Microsoft software keys and selling them at heavily discounted prices, all while personally profiting.

COA labels are one of Microsoft's anti-counterfeiting measures. They are not supposed to be sold separately from the packaging to which they were intended to be attached, but a black market for the labels exists due to vulnerabilities in Microsoft's supply chain, according to the indictment.

Windows 7 certificate of authenticity label

Microsoft hardware and software products have distinct labels incorporating anti-counterfeit measures. Earlier versions of Windows shipped with labels that used color-shifting ink, for example, among other measures. Since Office 2021, activation for the productivity software suite was made digital only, completed through the Microsoft account that purchased it.

• Ex-L3Harris exec jailed 7 years for selling exploits to Russia
• Ukrainian gets five years for helping North Koreans secure US tech jobs
• Fraudster hacked hotel system, paid 1 cent for luxury rooms, Spanish cops say
• Polish cops nab 47-year-old man in Phobos ransomware raid

Authorized refurbishers also have their own specific COA labels to attach to refurbished products. Labels that don't display these measures can be viewed as counterfeit and cannot legally be sold.

The labels Richards acquired were genuine and had product keys written on them, but they were obtained and later sold illegally.

Since 2016, product keys have been concealed with a silver scratch-off material so that counterfeiters or illegal resellers can't simply examine a COA label to obtain the valid key.

Richards was found guilty by a federal jury following a November 2025 trial. At the time, she was told she could face a maximum sentence of five years.

In addition to the 22 months in prison, she must also pay a $50,000 fine, said Gregory Kehoe, US attorney for the Middle District of Florida. ®