DOJ Stacks Charges On MalwareTech, Including Stuff Put Out Of Reach By The Statute Of Limitations

from the 'lying-to-feds'-bingo-card-complete dept

The government's case against Marcus Hutchins, aka MalwareTech, isn't getting any stronger. After detaining him at a Las Vegas airport following some post-conference partying, the FBI decided to hit the guy who inadvertently shut down WannaCry with charges for allegedly creating the Kronos malware. In essence, the case is about criminalizing security research, and the government's indictment decided to hang Hutchins out to dry while allowing the people who actually sold the malware to remain unarrested and unindicted.

The charges were weak and the government appeared to know it. Deployment of malware to cause damage and wreak havoc is one thing, but creating malware -- something lots of security researchers do -- isn't a criminal activity in and of itself. Thrown into the mix were wiretap charges based on the very thin premise that the malware was used to intercept communications.

Hutchins' defense team pushed back, forcing the government to actually show its work. A discovery request intended to show Hutchins was drunk and tired when he was "interviewed" by the FBI was rebuffed by the government. It also appears -- using the FBI's own testimony and recordings -- that Hutchins was never properly Mirandized.

Between them, the agents described how they flew out to Vegas the night before the arrest. Surveilling agents tracked Hutchins as he went to the airport and got through TSA then sat down at a first class lounge. As soon as Hutchins ordered a drink that turned out to be Coke but that the agents worried might be booze, Chartier, wearing business casual civvies, and two CBP agents wearing official jackets pulled Hutchins away from the lounge, placed him under arrest and cuffed him in a stairwell inside the secure area, and walked him to a CBP interview room, where Chartier and Butcher Mirandized him, then interrogated him for 90 to 100 minutes.

Even in telling that story, Chartier and Butcher’s stories conflicted in ways that are significant for determining when Hutchins was Mirandized. He said it took “seconds” to get into the stairwell and then to the interview room. She noted that the “Airport is rather large. Would have taken awhile.” to walk from place to place (it was 36 minutes between the time Hutchins cleared TSA, walked to the lounge, ordered a Coke, and the time Chartier first approached Hutchins). There seems to be a discrepancy on how many CBP agents were where when (that is, whether one or two accompanied Chartier and Hutchins all the way to to the interrogation room). Those discrepancies remained in spite of the fact that, as Butcher admitted, they had spoken, “Generally, about the interview, and Miranda, and making sure that we were on, that our facts were the same.”

Chartier described that the CBP recording equipment in the room “wasn’t functional that day,” which is why they relied on Butcher pressing a record button herself, which she didn’t do until (she said) Chartier started asking “substantive” questions, but after the Miranda warning.

With all of this going on, and the government's charges relying on some very generous interpretations of the CFAA and wiretap laws, the feds appear unable to close this case successfully. Prosecutors were unable to get Hutchins to agree to a plea deal with their first try, so they're going to take another crack at it. A superseding indictment [PDF] has been entered by the government and, as Marcy Wheeler explains, it's even worse than the extremely shaky one it's replacing.

[T]he government, which refuses to cut its losses on its own prosecutorial misjudgments, just doubled down with a 10-count superseding indictment. Effectively, the superseding creates new counts, first of all, by charging Hutchins for stuff that 1) is outside a five year statute of limitations and 2) he did when he was a minor (that is, stuff that shouldn’t be legally charged at all), and then adding a wire fraud conspiracy and false statements charge to try to bypass all the defects in the original indictment.

The government has added another piece of malware to its indictment -- UPAS Kit -- and is attempting to tie it to Hutchins. Even if it's able to do this, it likely won't help the government secure a conviction for two reasons. First, if the date is accurate, it means Hutchins was still a minor when this alleged crime took place. Second, the government has only five years to prosecute and the July 2012 date stated in the indictment means the statute of limitations has tolled.

There's far more to it than that. Wheeler's post detailing everything wrong with the superseding indictment is a masterpiece deconstruction of government desperation. The indictment wants jurors to believe simply writing about malware is a criminal act, even when the post cited actually details how to thwart malware. And it now includes an old DOJ favorite: making false statements to the FBI.

This last one might cause more problems for the FBI than it will solve. This will rely on statements made during the interrogation of Hutchins -- one that's already been marred by conflicting testimony by FBI agents.

First of all, as I’ve noted, one agent Hutchins allegedly lied to had repeatedly tweaked his Miranda form, without noting that she did that well after he signed the form. The other one appears to have claimed on the stand that he explained to Hutchins what he had been charged with, when the transcript of Hutchins’ interrogation shows the very same agent admitting he hadn’t explained that until an hour later.

So the government is planning on putting one or two FBI agents who have both made inaccurate statements — arguably even lied — to try to put Hutchins in a cage for lying. And they’re claiming that they were “conducting an investigation related to Kronos,” which is 1) what they didn’t tell Hutchins until over an hour after his interview started and 2) what they had already charged him for by the time of the interview.

The best case scenario, as Wheeler explains, in the government tying the 2012 (past the statute of limitations) criminal act to some "marketing" of the malware in 2014, allowing it to salvage all these charges.

In other words, they’re accusing Hutchins of wiretapping and CFAA crimes because someone else posted a YouTube.

And if it can tie anything to this YouTube video, it can nail down venue because YouTube is a US company. (Hutchins is a UK resident.)

What it may also be is another attempt to get Hutchins to cave to a plea deal. This indictment adds more charges, which could mean additional jail time and fines if he's convicted. But that's a huge if. What the government has shown so far doesn't even meet the lowest standards of competency. It's a garbage prosecution made worse by the FBI's apparent decision to let the two people who actually marketed and sold malware walk away from this -- either because the agency can't locate them or (at least in "Randy's" case) has already agreed to drop charges in exchange for testimony.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: doj, fbi, indictment, malware, marcus hutchins, statute of limitations


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 11 Jun 2018 @ 9:41am

    Unrelated news

    For some reason, the government's always claiming it has difficulty hiring people who are knowledgeable about computer security.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Jun 2018 @ 2:37am

      Re: Unrelated news

      I think we're actually watching their new recruitment process in action right here - you think they'll have him pressing numberplates once hes been sent down?

      link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 11 Jun 2018 @ 9:49am

    Between the...

    Criminalize all drugs and sex Republicans and the
    regulate every little thing Democrats...

    Citizens are not going to win, just suffer under a tyrannical government because fear!

    Republicans fear sex and drugs and happily allow all manor of laws, unconstitutional or otherwise to be created to deal with them, to hell with the consequences.

    Democrats fear economic prosperity and free-market to the point they run off and hide behind a politicians pants legs, just like the republicans they so readily despise and trash talk.

    Looks to me like you BOTH are getting what you deserve!

    Sadly I have to sit here and watch all the well meaning innocent people get destroyed because above all else, the Party Politician MUST be preserved!

    At the end of the Day, Marcus Hutchins will be forgotten and will not even be a noticeable pebble in the roadwork as the steamroller passes by. But at least he will get some lip service... and that's a nice thing!

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 11 Jun 2018 @ 10:02am

    Tolled?

    >and the July 2012 date stated in the indictment means the statute of limitations has tolled.

    When referring to statues of limitations, "tolled" has a specific meaning. Specifically, it means the clock stops running for some reason (if a 5 year limitation was tolled for 2 years, then it would still be valid until 7 years instead of 5, for example.) That is almost certainly not what you mean here, so perhaps you should use a different word.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 11 Jun 2018 @ 10:26am

      Re: Tolled?

      You beat me to it. Tolling is most often applied to leaving the US for a period. The clock stops the moment you leave, and starts where it left off the moment you come back.

      link to this | view in chronology ]

    • identicon
      kallethen, 11 Jun 2018 @ 10:34am

      Re: Tolled?

      I suspect he was trying to use the word as in the old idiom, "for whom the bell tolls".

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 11 Jun 2018 @ 11:04am

    same old playbook never gets old

    It's also possible that sending Marcus Hutchins up the river was not the DOJ's real objective, but wanted other favors from him and are just using the criminal charges as bit of arm-twisting leverage.

    Perhaps not unlike the case of Russian programmer Dmitry Sklyarov, another non-American who coincidentally was arrested by the feds at the same Las Vegas airport after also attending DEF CON. The case against Sklyarov was equally weak, and he ultimately was never taken to court, but did cut a deal to testify instead.

    It would certainly appear that foreign nationals who must attend DEF CON would do well to skip their flight after the convention is over and slip out of the country some other way than going through the Las Vegas airport, where men with badges routinely wait.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 11 Jun 2018 @ 1:16pm

      Re: same old playbook never gets old

      A better idea, move defcon to another country, as it will skilled US security experts a chance to defect.

      link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 11 Jun 2018 @ 12:20pm

    And now we see the downside of the courts constantly believing the stories of cops, even one with a long history of lying on the stand & giving them 'good faith' to hide behind.

    We magically have no recording, a form was altered after the fact, & he was extremely tired & drunk but he totes is a bad guy so we don't have to answer for these things.

    We targeted someone who has provided benefits to society by claiming he's done all of these horrible things & creating a timeline that legally can't exist. We totally aren't just stacking charges to get him to give us what we really wanted, we aren't just doing that because thats illegal & we say what we are doing isn't illegal.

    But hey we're not likely to see many large tech conference in the US anymore as the US will grab anyone on trumped up charges to get something... just wait till other nations decide this is a great plan.

    link to this | view in chronology ]

  • icon
    Coyne Tibbets (profile), 11 Jun 2018 @ 5:54pm

    Close only counts in horseshoes, hand grenades, and prosecutions

    I think all your pronouncements of case weakness are wishful thinking. I'd take odds that he'll get convicted (includes taking a plea) and sentenced to 5 or more years.

    Remember, modern prosecution operates on what they can sell a judge and jury, and has little or nothing to do with justice...or guilt.

    link to this | view in chronology ]

    • identicon
      Wendy Cockcroft, 12 Jun 2018 @ 7:20am

      Re: Close only counts in horseshoes, hand grenades, and prosecutions

      [Sad but True]

      Behind every story of some poor sod being railroaded there's a grandstanding politician who wants to be seen to be tough on crime.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Jun 2018 @ 10:02am

    A poster case for the problems of prosecutorial over-reach or overcharging. A way to force a defendant to either agree to a plea bargain or face further costs in defending themselves. A wholly unbalanced and easily exploitable judicial system - almost rising to a description of blackmail

    Its not for nothing that I look to something like the UK model, who don't plea deal and also reimburse defendants to their defence if found not guilty. Slightly ironic being as he's a UK citizen.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.