Slashdot Mirror


The Kronos Indictment: Is it a Crime To Create and Sell Malware? (washingtonpost.com)

Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden "kill switch" for the malware, was arrested by the FBI over his alleged involvement in separate malicious software targeting bank accounts. According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015. Hutchins, who is indicted with another unnamed co-defendant, stands accused of six counts of hacking-related crimes as a result of his alleged involvement with Kronos. A preliminary analysis of those counts suggests that the government will face significant legal challenges. Orin Kerr, the Fred C. Stevenson Research Professor at The George Washington University Law School, writes: The indictment asserts that Hutchins created the malware and an unnamed co-conspirator took the lead in selling it. The indictment charges a slew of different crimes for that: (1) conspiracy to violate the Computer Fraud and Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices; (3) a count of wiretapping; and (4) a count of violating the Computer Fraud and Abuse Act through accomplice liability -- basically, aiding and abetting a hacking crime. Do the charges hold up? Just based on a first look at the case, my sense is that the government's theory of the case is fairly aggressive. It will lead to some significant legal challenges. It's hard to say, at this point, how those challenges will play out. The indictment is pretty bare-bones, and we don't have all the facts or even what the government thinks are the facts.
Count one: If I understand it correctly, the government is saying that the act of selling the malware -- distributing it to a third party -- was the act of causing computer damage. In effect, the government treats the selling of the malware as a use of the malware to damage a computer. It's saying Hutchins and X conspired (formed an agreement) to send off the program (distributing it to the buyer) intending to cause damage (eventually, albeit indirectly, when the buyer later used it to cause damage). I have never seen Section 1030(a)(5)(A) used that way before. And for the charge to fit the statute, the government has to prove two things that it may or may not be able to prove.

Counts Two, Three and Four: The 2512 Charges: Counts two, three and four all allege violations of 18 U.S.C. 2512. Section 2512 is a rarely used law that criminalizes making, selling or advertising for sale illegal wiretapping devices. The basic idea is to deter wiretapping by interfering with the market in wiretapping devices. [...] One legal issue raised by these charges is whether software alone counts as a "device" under Section 2512. Section 2510(5) defines an "electronic, mechanical, or other device" as "any device or apparatus which can be used to intercept a wire, oral, or electronic communication" subject to some exclusions not relevant here.

7 of 199 comments

  1. Yes, this time it is by Bruce Perens · Score: 5, Insightful

    The Kronos software was not an educational tool for people who would prevent computer penetration or a utility with some other legitimate function. It is not a hunting weapon that just happens to also be capable of shooting people. It looks like it was made to be sold to someone who would commit a crime with it, and for no other purpose.

    1. Re:Yes, this time it is by Bruce Perens · Score: 4, Insightful

      Well, welcome back to Slashdot then.

      I think you are missing a critical distinction. Let's compare a gun and an improvised explosive device (IED). The gun can be used to keep your family fed with venison, etc. It only shoots where you aim it, if properly operated by a trained person and kept locked up the rest of the time. If you were to set a deadfall trap, you'd have to place signs around it warning people away, or you'd be liable for anyone who was hurt. You can't really kid anyone that you've made an IED as a hunting weapon or to remove a tree stump. It's purpose built to surprise someone and maim or kill them.

      As far as I've heard, this trojan was meant to eavesdrop on communications and pick up banking credentials. It's not a tool that sysadmins use to remotely assist some naive user. Those things require the user to authorize them first. This trojan just sneaks up on you and eavesdrops, for someone who intends to scoop out your bank account.

      The court is not going after the person who wrote the compiler or assembler meant to produce it, or even the libraries it might use. It's going after an action committed with conscious bad intent.

    2. Re:Yes, this time it is by Beerdood · Score: 3, Insightful

      The point the GP was making wasn't the point that "if something can be used for EVIL, so we should hold the manufacturer liable if it is". The point was that if you manufacture something with no good or legitimate purpose or if it's obvious the intent is *PURELY* for malice or criminal activities, then the creator should be held liable. This software wasn't something designed for white hats to find security vulnerabilities.

      A considerable number of slashdot readers seem to have this weird quasi-libertarian notion that creating something with the intention of malice or subverting the law is just fine and dandy, and the creators should be absolved of responsibility - see The Pirate Bay and Silk Road. "What??? I just created the dark net trading platform that's hidden to authorities!! It's not MYYYY fault if people use it for CP, assassination attempts and selling slaves... It's not like I did the actual crimes!". If your creation has 99% illegitimate uses or is used by 99% of the users for illegitimate & illegal purposes, then maybe you totally knew that when you created it and should be held responsible.

      Reminds me of that Death Ray quote from Futurama: "Amy, technology isn't intrinsically good or evil. It's how it's used. Like the Death Ray." But even the fucking death ray sounds like it has more legitimate uses than this malware (like potentially killing cancer cells, parasites, or warding off an invading force from Omicron Persei 8).

      --
      Global warming and other natural disasters are a direct effect of the shrinking number of pirates - Gospel of the FSM

  2. Re:If treasonous collusion isn't a crime... by x0ra · Score: 2, Insightful

    By the same standard, Obama would get a life sentence for his involvement in Operation Fast and Furious.

  3. Manufacturing Wiretapping devices? by mysidia · Score: 3, Insightful

    Counts two, three and four all allege violations of 18 U.S.C. 2512.

    Section 2512 is a rarely used law that criminalizes making, selling or advertising for sale illegal wiretapping devices.

    Since when is it illegal in the UK to make wiretapping devices, and to sell them?
    The governing law for actions that occurred in the UK by a UK national would not be any part of 18 USC.

    1. Re:Manufacturing Wiretapping devices? by F.Ultra · Score: 3, Insightful

      Since when have the US courts bothered with what is legal or illegal in other countries?

  4. Accessory to the crimes committed with it. by CraigCruden · Score: 3, Insightful

    If he wrote the virus and sold it with the knowledge that this was neither an academic exercise nor a proof of vulnerability, and he knew or should have known the tool that he wrote was going to be used to commit crimes... then yes - he should be charged with at least being an accessory to the crimes.

    Similarly, if you built a custom device to tap into a lock mechanism on a safe and the only use was to break into safes... and he built the device for a criminal or criminal organization (and not a locksmith), that person should also be charged.