The Indictment Against Malware Researcher Marcus Hutchins Is Really Weird

from the why-is-that-illegal? dept

So, yesterday, we wrote a quick post about recently-famous malware researcher Marcus Hutchins (famous for accidentally stopping the WannaCry attack) being detained by the FBI as he left Defcon. An hour or so later, we updated it with the details of the indictment which had been released. That had my quick response, which noted that the "evidence" didn't seem very strong. It just claims (without anything else) that Hutchins wrote the Kronos malware, and most of the indictment and most of the activity focuses on a second defendant (whose name is redacted) who apparently was out selling the malware. I was planning to write up a more thorough look at the indictment and its problems today, but last night, Orin Kerr beat me to it, and he (famed lawyer, law professor and former assistant US attorney) has a bit more expertise in the subject, so let's work off of his analysis.

The crux of the indictment is that Hutchins and the unnamed "co-conspirator" worked together to create and sell malware, leading Kerr to ask the fairly obvious question:

This raises an interesting legal question: Is it a crime to create and sell malware?

After all, as many others pointed out, there are lots of folks out there who build and sell malware of one kind or another -- and, indeed, the US government is often a large purchaser of malware sold by others. Kerr's initial gut reaction was more or less the same as mine: that the actual amount of evidence in the indictment is pretty minimal, though obviously they may have a lot more that just hasn't been shared yet (or they may turn up more).

Do the charges hold up? Just based on a first look at the case, my sense is that the government’s theory of the case is fairly aggressive. It will lead to some significant legal challenges. It’s hard to say, at this point, how those challenges will play out. The indictment is pretty bare bones, and we don’t have all the facts or even what the government thinks are the facts. So while we can’t say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case. As always, we’ll have to stay tuned.

From there, Kerr digs into each of the charges. The first is "conspiracy." This one struck my layman's mind as somewhat odd. Two people working together does not a conspiracy make. Kerr similarly calls it "odd" and notes that for this charge to work, the government has to argue that selling malware is the same as using malware to damage a computer. And that seems... difficult. Kerr points out that there are two conditions that must be met for this to work:

First, the government must prove that Hutchins and X had an intent to damage a computer. That is, the goal of their conspiracy must have been to impair the availability or integrity of a program or data. Maybe there are facts that support that, but at the very least they don’t appear in the indictment. The indictment makes it seem that the purpose of selling the malware was to, well, sell malware. It’s not obvious that Hutchins and X cared what the buyer did with the malware after so long as they paid. If Hutchins and X didn’t care what the buyer did with the malware, it’s hard to see how they could have a purpose to impair the availability or integrity of a computer.

Second, the government must prove that the agreement was to cause the result of damaging a computer. In an ordinary 1030(a)(5)(A) case, causation is easy. The person sends the malware and the malware damages the machine. Here, though, the government’s theory adds an intermediary: The theory seems to be that Hutchins and X conspired, and the goal of their collective activity was to cause damage, even though the actual act of damaging a computer (if it happened) was to be caused directly by the buyer using the malware rather than by Hutchins and X.

That second point is especially interesting to me. We've seen more and more attempts to charge "intermediaries" with crimes based on actions of third party users of their tools (the Megaupload case being one big example). And that seems like a very dangerous path to go down. One of the reasons why we talk about "intermediary liability protections" on Techdirt so much is that they're so important on a basic "blame the person who actually did the wrong" spectrum. It's not the intermediary, it's the user. Go after the user, even if that's more difficult. Here, the DOJ seems to be going after the intermediary. Because.

The next three charges are all similar, and I didn't quite get them at first, but Kerr explains. They're making use of 18 U.S.C. § 2512, which Kerr describes as "a rarely-used law that criminalizes making, selling, or advertising for sale illegal wiretapping devices." Yes, wiretapping devices. Here, Kerr focuses on the question of whether or not a piece of malware software is a "device" under the law, and argues that may be difficult as well.

In Potter v. Havlice, 2008 WL 2556723 (S.D. Ohio 2008), the plaintiff sued the defendant under Section 2512 for making and selling “Activity Monitor,” which was billed as “an ideal spy software package to ensure you have the control you need over your child or spouse activity when they are online.” After rejecting Section 2512 liability because there is no civil cause of action under the statute, the court added an alternative holding that “Activity Monitor is not a device as contemplated by Section 2512.”

Section 2512 makes the manufacture and/or trafficking of “any electronic, mechanical, or other device” illegal. The phrase “electronic, mechanical, or other device” is defined in 18 U.S.C. § 2510(5) to generally mean “any device or apparatus which can be used to intercept a wire, oral, or electronic communication….” Clearly, Activity Monitor alone cannot be used to intercept communications. It must be installed in a device, such as a computer, to be able to do so.

Also, the definition of the word “device” does not encompass software such as Activity Monitor. Merriam Webster Dictionary defines “device” as “a piece of equipment or a mechanism designed to serve a special purpose or perform a special function.” Activity Monitor alone is not a piece of equipment or a mechanism.

So... that's going to make this interesting. Of course, then there's the further question of whether or not the malware itself is really intercepting communications. Either way, this feels like a way to try to twist a law targeting older technology to pretend that it applies to a very different kind of technology. I know this happens semi-frequently, but it always troubles me. You get bad results this way, because the technology that was originally being regulated, and what it's now being used against, are very different, and should be treated differently. But when you try to shove something like malware into laws created to stop wiretapping devices... you end up with bad results, where rulings can be made about something being "bad" without realizing the wider reverberations it may have.

And, finally, there's a CFAA claim, because if there's a criminal case that could be summarized as "behaving badly on a computer" you have to expect an eventual CFAA claim.

This count raises the same challenges as count one. The theory seems to be that selling a copy of malware is akin to using the malware to damage a computer. But to get there, they need to show that Hutchins and X had the intent to impair the availability or integrity of information on a computer and not just intent to distribute the malware to a paying customer. The government also needs to prove that their act of distributing the malware was the proximate cause of the resulting damage even though a third party’s intentional act of sending the malware was required for that to happen.

Again... this seems quite difficult to actually show, though perhaps there's more evidence that the DOJ hasn't yet revealed.

In the meantime, others are insisting that the DOJ has the wrong guy. A friend and colleague of Hutchins, Kevin Beaumont, insisted that the DOJ is simply wrong, and that Marcus has more or less dedicated his life to fighting malware, not creating it:

On top of that, the BBC spotted the fact that Marcus asked on Twitter if anyone had a sample of Kronos after it first was discovered:

Now, of course, that alone is not evidence of much. After all, if he really had created it, why not tweet something like that to make sure people think he hadn't? But, still, it is worth pointing out, along with multiple other folks saying that they simply don't believe Hutchins would have been behind the malware, let alone the broader legal question of whether or not making and selling malware is even illegal in the first place.


Filed Under: cfaa, conspiracy, doj, indictment, kronos, malware, malwaretech, marcus hutchins, orin kerr, selling malware


Reader Comments



  • This comment has been flagged by the community.
    Anonymous Coward, 4 Aug 2017 @ 12:08pm

    Given your record predicting court cases, he's toast.

    An overlap between white and black hat is also likely. Others speculate he was behind Wannacry, or that he stopped the NSA's extortion with it. Or they're squeezing him for info, including the bits he snagged at DefCon.

    We don't know! But key point for sure is that Masnick leaps to defend a hacker. (A British hacker: avoided extradition!)

    • Anonymous Coward, 4 Aug 2017 @ 12:54pm

      Re: Given your record predicting court cases, he's toast.

      Speaking of leaping...

    • Anonymous Coward, 4 Aug 2017 @ 1:19pm

      Re: Given your record predicting court cases, he's toast.

      "..Masnick leaps to defend a hacker."

      Uh, how about: "..Masnick leaps to defend an innocent-until-proven-guilty hacker."

    • Anonymous Coward, 4 Aug 2017 @ 2:57pm

      Re: Given your record predicting court cases, he's toast.

      How's that John Steele appeal going bro?

  • Anonymous Coward, 4 Aug 2017 @ 12:12pm

    Also worth noting, the indictment was issued before he entered the US, but they didn't bother to pick him up until he tried to leave the US. Surely if they thought he was behind distributing malware, they would have arrested him on entry, so as to stop him distributing it to contacts at the conferences.

  • Ninja (profile), 4 Aug 2017 @ 12:12pm

    Considering he works with security and more specifically with vulnerability exploits through malware, one can go conspiracy and argue he found out stuff he shouldn't have or probed the wrong botnet. From the little I read about Hutchins, he does everything quite in the open. You know, if you are doing everything right you have nothing to fear? Yeah about that...

  • Anonymous Coward, 4 Aug 2017 @ 12:13pm

    The British government have been strangely silent, and if he did create malware, why has he not been prosecuted under UK law?

    • Anonymous Coward, 4 Aug 2017 @ 3:12pm

      Re:

      indeed. fishy.

    • Anonymous Coward, 4 Aug 2017 @ 3:49pm

      HMG reaction [was Re: ]

      the british government have been strangely silent

      Oh, seeing the latest comment bumped this thread for me.

      I wasn't really going to bother posting a link to this Dustin Volz tweet, but that tweet contains a short statement for publication from Peter Heaton-Jones, Member of Parliament (Conservative, North Devon). As of half-an-hour ago or so, I hadn't seen the statement anywhere else besides Twitter.

      (Via @cfarivar retweet.)

  • Anonymous Coward, 4 Aug 2017 @ 12:20pm

    Another notable lawyer

    Orin Kerr … famed lawyer

    Thomas Fox-Brewster writing at Forbes has a piece today ( “Kronos Malware Dealer On WannaCry Killer Charges: What Charges?”, Aug 4, 2017) with some reaction from attorney Tor Ekeland:

    Tor Ekeland, a lawyer specializing in Computer Fraud and Abuse Act (CFAA) cases, described the charges as "a disaster", claiming the government is trying to punish Hutchins for "non-alleged harms that other people may have committed with Kronos."

    In the next paragraph, that piece goes on to further quote Mr Ekeland. All in all, though, it's a much shorter take than the analysis by Professor Kerr.

    “A disaster”.

  • Norahc (profile), 4 Aug 2017 @ 12:30pm

    "The next three charges are all similar, and I didn't quite get them at first, but Kerr explains. They're making use of 18 U.S.C 2512 which Kerr describes as, "a rarely-used law that criminalizes making, selling, or advertising for sale illegal wiretapping devices." Yes, wiretapping devices. Here, Kerr focuses on the question of whether or not a piece of malware software is a "device" under the law, and argues that may be difficult as well."

    The government's viewpoint:
    Malware equals a wiretap
    Stingray does not equal a wiretap

    • Anonymous Coward, 4 Aug 2017 @ 1:31pm

      Re:

      If you ask me, this has the sniff of the early phreaking cases in the eighties, where cops who were completely out of their depths were charging hackers with causing phone service failures - which were likely the phone companies' fault.

  • Anonymous Coward, 4 Aug 2017 @ 12:32pm

    Novel legal interpretation

    Supposing for the sake of argument that the DOJ actually prevails with their odd theory that selling computer-impairing software is illegal even when the seller had no particular interest in how the buyer would use it, that could open a fascinating mess with regard to the selling of software that impairs computers not because it is malicious, but because it is very poorly written. This could also have interesting chilling effects on anyone who creates toolkits that readily can be converted into malware (e.g. Windows-hosted VNC servers aren't that far off if you compile out the pieces that make it easy for the console user to know VNC is running, tell it to stand down, or tell it to stop), even when the toolkit has substantial non-malicious uses.

    Since we're contemplating criminal law, rather than civil law, the usual EULA disclaimer about "not liable for damage caused by defects even if the vendor knew, should have known, or was warned about these defects" would not apply.

    • Christenson, 4 Aug 2017 @ 1:19pm

      Extending the Novel legal interpretation

      We could go all the way to Microsoft itself with *that* legal interpretation, since there are those that view the Windows operating system or the Internet Explorer browser as impairing computers and facilitating crime.

      • Anonymous Coward, 7 Aug 2017 @ 9:53am

        Re: Extending the Novel legal interpretation

        The eventual "logical" conclusion is to take it to the hardware vendors and include the PC's themselves. Because the PC is a necessary piece of equipment to create and run the software that impairs another computer.

        You could also include the internet providers, etc., etc.

  • Anonmylous, 4 Aug 2017 @ 12:49pm

    Ugh...

    Yes, two can conspire; it happens all the time in murder cases, usually with attempts to hire not involving an undercover agent posing as the hitman. But it's a catch-all, and might actually get them if they provided more than basic instruction on how to use the software. Supporting a buyer by providing additional instruction beyond bug fixes and troubleshooting installation on their own machines could net them a conviction. Luckily, in order to do that, they'll have to prove that Marcus and the other guy really did create or at least distribute this malware, and that they did support it afterwards. That said, the other charges should crumble. If he gets a competent attorney and it looks like he intends to fight it, the Gov will either re-charge with something more concrete, or drag it out a long while then fold. This is gonna suck either way.

    • Wyrm (profile), 5 Aug 2017 @ 12:40pm

      Re: Ugh...

      Regarding your comparison with hiring a hitman, this is a backwards comparison.

      In the case of A hiring B to kill C, A actually has the intent to kill a specific target. The intermediary B would do the actual murder, but A provided the intent first.

      In the case of A creating a malware that B then buys to infect C's computer, B had the intent, and B is the one to execute the task. A here doesn't have intent, nor does he act against C's computer. He only created a general tool that might be used for nefarious purposes, or for research, or then again for legal investigation...

      There is no valid comparison here.

      • Anonymous Coward, 9 Aug 2017 @ 1:48pm

        Re: Re: Ugh...

        The comparison would be going after the Colt for a murder committed with one of their firearms.

  • CanadianByChoice (profile), 4 Aug 2017 @ 12:49pm

    They need someone to blame

    In order to not look incompetent, they need to find a scapegoat. Reality need not enter the equation - they simply need someone to pile charges on so that it LOOKS like they can actually do their jobs.

  • Anonymous Coward, 4 Aug 2017 @ 12:53pm

    Representation

    Yesterday, a Reuters article by Dustin Volz and John L. Smith (“Cyber expert who stopped 'WannaCry' attack arrested in U.S. on hacking charges”, Aug 3, 2017) reported:

    Hutchins appeared before U.S. Judge Nancy Koppe in Las Vegas on Thursday. Dan Coe, a federal public defender, told the court Hutchins "had cooperated with the government prior to being charged."

    The hearing was scheduled to continue Friday afternoon to determine whether he will be represented by private legal counsel or a public defender.

    “Friday” would be today.

    (Via retweet of an @MattBlaze retweet.)

    • Christenson, 4 Aug 2017 @ 1:23pm

      Re: Representation

      More than that, the docket indicated they had him in shackles yesterday.

      On a nonviolent offender, that's a strong indicator of a made-up, bogus case.

    • Anonymous Coward, 4 Aug 2017 @ 5:11pm

      Re: Representation

      This afternoon, reporter Christy Wilcox (KSNV News 3) has posted two different videos with statements from Marcus Hutchins' attorney Adrian Lobo:

      • Anonymous Coward, 4 Aug 2017 @ 7:57pm

        Re: Re: Representation

        … attorney Adrian Lobo … Facebook video

        Fwiw, Dan Goodin asked whether anyone knew for certain whether Marcus Hutchins had entered a plea.

        In KSNV News 3 reporter Christy Wilcox's Facebook video posted earlier this afternoon, I believe that Mr Hutchins' attorney Adrian Lobo answers that question.

        About the “-6:05” mark in the video (counting up with negative time):

        Adrian Lobo: He pled not guilty.… That was yesterday's hearing.

      • Anonymous Coward, 4 Aug 2017 @ 11:43pm

        Re: Re: Representation

        … attorney Adrian Lobo

        Incidentally, I was looking at what I presume is Ms Lobo's website. Her list of “Criminal Practice Areas” does not appear to show the CFAA as a specialty.

  • Anonymous Coward, 4 Aug 2017 @ 1:10pm

    The main purpose of the USA, certainly the law enforcement side, seems to be to find someone, charge them with something, regardless of whether they actually did what they are charged with or anything at all, come to that, then get them into court, convicted and imprisoned for a life term, even if all they had done was really to spit in the gutter! This paranoia that everyone except law enforcement are bad is ridiculous and has to stop! The country is being turned into a penal nation with just law enforcement supposedly doing no wrong! We know already that that is not the case and in actual fact, those who are supposed to uphold and live by the law are the worst offenders! Perhaps how they are conducting themselves is to try to cover up all of their own illegal activities? If so, they need to remember that sooner or later, the truth comes out and severely bites you in the ass!!

  • Peter (profile), 4 Aug 2017 @ 1:23pm

    Hutchins' real crime? He took away a fantastic opportunity from the FBI

    Finally, with WannaCry, the big, nasty Cybermonster showed its head. Big money on the horizon for the FBI, lots of new people to be hired. Promotions. Brave FBI-cyberwarriors protecting America from the evil Cyberthreat.

    But no. Along comes Hutchins, and pulls the plug on this Fairy tale. The FBI is back to hunting UFOs or mysterious Russian Hackers that no sane person believes in. Back to propping up some misfits with FBI bombs and FBI undercover terrorist cells to get a few fleeting moments of media attention.

  • Anonymous Coward, 4 Aug 2017 @ 1:32pm

    Conspiracy...

    ...to commit software. Subversion (the very name!?) and Git users beware the FBI!

  • Roy (profile), 4 Aug 2017 @ 1:48pm

    3rd party liability protection

    This is the most important part of this whole thing. If I'm the NRA I'd be filing an amicus brief over this. Eroding 3rd party liability protection is the path to punishing gun makers for murders. If I can build something that someone else can use to harm another - I can become a target of the DOJ. That can go a long way beyond software.

    • Anonymous Coward, 4 Aug 2017 @ 2:00pm

      Re: 3rd party liability protection

      Not to mention Budweiser et al.

    • Toom1275 (profile), 4 Aug 2017 @ 4:51pm

      Re: 3rd party liability protection

      Doing security research in a laboratory environment, such as those engineers studying air-gap-defeating malware and suffer a malicious breach that sees your "proof-of-concept" used against the world? Now the government can attack you instead of an actual criminal.

      All they need is your "intent" for the software to "harm" a computer, even if it's your own.

      Of course, none of this applies if you're the NSA cultivating and distributing malware.

  • Anonymous Coward, 4 Aug 2017 @ 2:00pm

    "Two people working together does not a conspiracy make."

    Actually, yes it can. If two or more people agree to participate in a criminal act or if two or more people agree to participate in an act that is legal in and of itself BUT which becomes illegal when done by multiple people.

  • Pronounce (profile), 4 Aug 2017 @ 2:38pm

    The Register Picked Up on This Story

    The commenters were warning against traveling to the U.S., and I agreed with their assessment. But it seemed to me that they failed to consider that Britain is still a member of Five Eyes, and so it's doubtful the UK would afford you much protection if the U.S. wanted you bad enough. (for evidence see the case against Kim Dotcom)

    The smell of this is very Aaron Swartz, or Tamerlan Tsarnaev, -ish to me.

    The U.S. government is notorious for first demonizing you in the media, and then eliminating you as a threat.

    Good luck to you, Marcus Hutchins, your life might be cut short, but at least you did good before getting the U.S. government treatment.

  • That Anonymous Coward (profile), 4 Aug 2017 @ 3:10pm

    Well, when the NSA loses all of its toys & no researchers want to work for them... you have to get creative to force them into taking a plea deal that involves them rearming the empty cyberweapon silos.

    • Anonymous Coward, 4 Aug 2017 @ 6:11pm

      Re:

      His real crime was figuring out how some of their favorite toys worked and helping to stop them from harming us.

  • Nicola, 4 Aug 2017 @ 5:36pm

    Didn't Sony get prosecuted over their rootkit?

    I'm sure I recall Sony distributing a rootkit a few years ago, then distributing a "removal tool" that just made the whole thing worse.

    I don't recall the discussion of when the FBI investigated, arrested executives, and prosecuted people there though. Can someone remind me please?

  • tin-foil-hat, 4 Aug 2017 @ 6:32pm

    No good deed goes unpunished

    Or any deed if you're in the US. People who know stuff threaten the power structure so if they know you know stuff then you're at risk of being punished.

  • Anonymous Coward, 4 Aug 2017 @ 7:17pm

    Look no farther

    than what the FBI might want from someone they have leverage against.

    How many folks have the funds to afford a competent defense in a criminal trial? (Don't cry to me that public defenders can make it all better either.)

  • Coyne Tibbets (profile), 5 Aug 2017 @ 12:07am

    Government's irritation

    More and more it appears that the Marcus Hutchins indictment isn't about malware. It looks like the government is irritated with Hutchins and is using this as a cover to get even. Makes you wonder if Wanna Cry was a government attack.

  • Bruce C., 5 Aug 2017 @ 11:47am

    The other part that's weird to me is that they aren't charging him with 500 counts or more of each offense. How many computers did Kronos infect? I'll be interested to see their timeline. There are way too many plausible scenarios where Hutchins may have inadvertently given/sold Kronos to someone under the impression they were a researcher, or an accidental release due to a gap in a sandbox environment.

    Also, is anyone actually accusing him of writing the malware other than the media? The indictment appears to speak to small scale distribution consistent with research.

    • Anonymous Coward, 5 Aug 2017 @ 12:02pm

      Re:

      Also, is anyone actually accusing him of writing the malware other than the media?

      According to KSNV News 3 reporter Christy Wilcox's story yesterday, “Malwaretech hailed hero gets bail after allegation of producing malicious malware” (Aug 4, 2017), in court before Magistrate Judge Nancy Koppe, AUSA Dan Cowhig accused Mr Hutchins of writing the malware.

      Nevada Assistant Attorney General Dan Cowhig told the court Hutchins admits he wrote Kronos bank malware, he then sold it and profited from the sale.

      (Note that “Nevada Assistant Attorney General” appears to be an unusual way to refer to an assistant United States attorney (AUSA).)

      Also see 4.a. on p.3 of the indictment, where it is alleged:

      Defendant MARCUS HUTCHINS created the Kronos malware.

      • Anonymous Coward, 11 Aug 2017 @ 12:23pm

        Followup [was Re: Re: ]

        Also, is anyone actually accusing him of writing the malware other than the media?

        According to KSNV News 3 reporter Christy Wilcox… AUSA Dan Cowhig accused Mr Hutchins of writing the malware.

        The transcript of the Aug 4 hearing contains, on pp.7-8:

        MR. COWHIG: [...] In his interview following his arrest, Mr. Hutchins admitted that he was the author of the code that became the Kronos malware and admitted that he had sold that code to another.

        Among the evidence that the Government will present at his trial will be that there are chat logs in which Mr. Hutchins discusses with an associate the sale of the Kronos banking trojan through his associate splitting the proceeds of the Kronos trojan with his associate, where he complains about the amount of money that he received for the sale of the banking trojan and where he received a request from that associate to update the Kronos banking trojan. The associate in these chats is the person from whom the law enforcement agents purchased the Kronos trojan on AlphaBay as specified in the indictment.

        (Note that I'm seeing this transcript for the first time on Fri, Aug 11, 2017. This story is no longer on Techdirt's front page.)

  • Anonymous Coward, 6 Aug 2017 @ 6:30am

    There are several disturbing issues here:

    1. If you do something that is completely legal and socially acceptable in your home country, say burp, and then go to a foreign country, does the foreign country have the right to prosecute you for burping? According to the concept of:

    Wikipedia
    https://en.wikipedia.org/wiki/Universal_jurisdiction

    Universal jurisdiction allows states or international organizations to claim criminal jurisdiction over an accused person regardless of where the alleged crime was committed, and regardless of the accused's nationality, country of residence, or any other relation with the prosecuting entity. Crimes prosecuted under universal jurisdiction are considered crimes against all, too serious to tolerate jurisdictional arbitrage.

    The point here is nationalism. Does a country have the right to claim a legal action in one's home country and performed there is a prosecutable and illegal act in their country?

    2. Under universal jurisdiction does a country not only have the right to declare that legal actions in one's home country are not only illegal but are extraditable? If I recall correctly that is exactly what the US did to a UK subject. Extradite him to the US for trial and conviction for performing legal actions in the UK.

    3. What is going to happen when China, Russia, Arabia decide that free speech made in the US violates their laws, that universal jurisdiction applies, and then foreseeably extradite (kidnap from US perspective) US politicians to stand trial followed by lengthy prison terms?

  • Anonymous Coward, 6 Aug 2017 @ 11:23pm

    If it is illegal to sell malware, will the DOJ also be prosecuting the FBI/CIA/NSA etc suppliers of malware and exploits?

    How about the FBI/CIA/NSA for actually deploying the malware? Seems like a really weird case to prosecute.

  • Anonymous Coward, 8 Aug 2017 @ 2:32pm

    ....leading [Orin] Kerr to ask the fairly obvious question:

    This raises an interesting legal question: Is it a crime to create and sell malware?

    Vendors of security hardened systems have a legitimate interest in buying or otherwise acquiring malware in order to test the security of their hardened systems.

  • Anonymous Coward, 11 Aug 2017 @ 11:53am

    Aug 4, 2017 Hearing Transcript

    Transcript of Aug 4, 2017 hearing in US v Marcus Hutchins (2:17-MJ-0825-NJK): “Continued Initial Appearance In Rule 5(c)(3) Proceeding” before Magistrate Judge Nancy Koppe.

     

    (Via Lorenzo Franceschi-Bicchierai.)

  • Anonymous Coward, 11 Aug 2017 @ 5:05pm

    Eastern District of Wisconsin Docket

    CourtListener (RECAP) finally has a page up copying the docket from the Eastern District of Wisconsin.

    US v Hutchins docket (E.D.Wis. 2:17-cr-00124)

    Document 6: Redacted Indictment as to Marcus Hutchins

    The link to (another) copy of the indictment is just an indicator that this is in fact the docket for the Hutchins case. Currently, CourtListener still has this docket page titled as “United States v. SEALED”.
