Posts

Prosecutors Cite Osiris in an Attempt to Resuscitate Dead Law against Marcus Hutchins

/12 Comments/in , /by

I’ve been meaning to do an update on a series of filings in the MalwareTech (Marcus Hutchins’) case in which his defense challenged the magistrate’s recommendations, the government responded, and MalwareTech replied. As I’ll get to, those filings reveal a bit more about what the government was really up to in their prosecution of Hutchins.

First, however, I want to look at something the government does in the first paragraph of their response. The paragraph starts with a succinct statement about the case that smooths over a lot of legally suspect moves they make in the case.

Marcus Hutchins is charged with developing and distributing malware capable accessing and damaging computers without the owners’ knowledge and stealing personal information. See Doc. #86. As set forth in the superseding indictment, he worked with others to sell this malware in online forums. Doc. #86. Hutchins did this to earn money for himself. He essentially admitted his crimes in online “chats” that were later obtained by law enforcement.

Effectively, this statement obscures all the problems with charging Hutchins for making malware that he never intended to use to damage computers as understood by the Computer Fraud and Abuse Act and which doesn’t equate to a device that might amount to wiretapping.

Immediately after having done that, the government points to an entirely different generation of malware than Hutchins wrote — which has since been dubbed Osiris — to suggest Hutchins’ own work has led to damage.

The malware developed and sold by Hutchins and his coconspirators, and variants of that malware, particularly Kronos, have been used to compromise computers around the world for years. See, e.g., “Kronos Reborn,” Proofpoint, July 24, 2018, available at https://www.proofpoint.com/us/threat-insight/post/kronos-reborn (last visited November 30, 2018) (discussing 2018 campaigns involving Kronos variants).

The link describes a much later version of the underlying malware used in campaigns in Germany, Poland, and Japan.

In April 2018, the first samples of a new variant of the banking Trojan appeared in the wild [2]. The most notable new feature is that the command and control (C&C) mechanism has been refactored to use the Tor anonymizing network. There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded “Osiris” and is being sold on underground markets. In this blog, we present information on the German, Japanese, and Polish campaigns as well as a fourth campaign that looks to be a work in progress and still being tested.

Even if Hutchins’ code formed a key part of this module (I’m sure if this ever gets to trial Hutchins’ team will be able to mock this as a possibility), attacks in three other countries do not justify a prosecution of a British citizen in Milwaukee.

Remember, early on in this case, the government admitted they don’t believe Hutchins continues to engage in criminal activity.

Effectively, Hutchins is on trial for code he wrote years ago, some of it while he was a minor. Because people associated with later generations of that code — with its literal rebirth as a new product — are causing havoc, the government is intent on holding him accountable.

After Replacing FBI Devices Two Times, the Bureau Still Fails to Collect 10% of Agent Text Messages

/56 Comments/in , /by

Today, DOJ’s Inspector General released its report on the efforts it made to restore all of Peter Strzok and Lisa Page’s text messages. The report is actually better used to illustrate how, three years into beginning to respond to its failures to collect all of the texts sent or received using FBI issued phones, and after twice upgrading the phones Agents get issued, it still fails to retain 10% of texts that Agents send and receive.

With regards to Strzok and Page, the report describes the efforts it made to obtain all their texts, which includes:

  • Obtaining both the Samsung (Galaxy 5, then Galaxy 7) phones they used during this period, as well the iPhones issued for their brief stint in Mueller’s office, the latter of which neither appears to have used
  • Using the existing collection tool, which included big gaps for key periods of interest
  • Asking DOD’s Computer Forensic Lab for help
  • Searching the Enterprise database, which found a bunch more texts, for reasons no one could explain
  • Hiring an outside Android consultant, who found 62 additional text messages

The upshot is, FBI doesn’t know whether they recovered all Strzok and Page’s texts, and doesn’t know why they didn’t, if in fact they didn’t.

And we’re only learning this because the two of them decided to conduct an extramarital affair on their FBI-issued devices while serving on the two most high profile investigations in recent FBI history.

Which raises the question: is this also true for Agents investigating defendants without the clout of Hillary Clinton or Donald Trump? If necessary, would the FBI be able to find their texts?

The answer is, maybe not.

Here’s what this report says about FBI’s retention rules, generally.

First, important texts are retained by policy, not (technologically-assisted) procedure. So the country’s premier law enforcement agency ensures that important law enforcement related texts are retained by saying anything covering these topics must be retained.

  • Factual information about investigative activity
  • Factual information obtained during interviews or interactions with witnesses (including victims), potential witnesses, experts, informants, or cooperators
  • Factual discussions related to the merits of evidence
  • Factual information or opinions relating to the credibility or bias of witnesses, informants and potential witnesses; and
  • Other factual information that is potentially discoverable under Brady, Giglio, Rule 16 or Rule 26.2 (Jencks Act)

But it’s up to the Agents to do that. And if they don’t for some reason, they’re instructed to ask the Enterprise Security Operations Center if they retained them. But the ESOC is not mandated to retain texts. They happen to, but it’s not tied to any mandate to retain substantive communications required to be saved by policy.

The ESOC has a tool, by a vendor whose name may not even appear in redacted form in this report, that “wirelessly collect[s] text messages sent to or from FBI-issued mobile devices.”

As the FBI’s response to this report reveals, the Bureau has known for some time that that tool didn’t collect everything, because they’ve told the OIG that on two prior occasions.

Prior to the OIG’s investigation into the FBI’s actions in advance of the 2016 election, during at least two unrelated investigations, one of which dates back to 2015, the FBI made the OIG aware of gaps in FBI text message collection capabilities.

As DOJ IG was trying to puzzle through why they couldn’t find all of Strzok and Page’s texts, the unnamed vendor got squirrelly when asked how the retention tool interacts with administrative privileges.

Upon OIG’s request, ESOC Information Technology Specialist [redacted] consulted with the FBl’s collection tool vendor, who informed the FBI that the collection application does not write to enterprise.db. [Redacted] further stated that ESOC’s mobile device team and the vendor believed enterprise.db is intended to track applications with administrative privileges and may have been collecting the logs from the collection tool or another source such as the Short Message Service (SMS) texting application. The collection tool vendor preferred not to share specific details regarding where it saves collected data, maintaining that such information was proprietary; however, [redacted] represented that he could revisit the issue with the vendor if deemed necessary.

Maybe it’s me, but I find it pretty sketchy that this unnamed collection tool vendor doesn’t want to tell the FBI precisely what they’re doing with all these FBI Agents’ texts. “Proprietary” doesn’t cut it, in my opinion.

In any case, the FBI started trying to fix the problem, starting in 2016. At the time they started, they were losing 20% of the texts sent and received. After two upgrades of Samsung phones and a fix to a “bug” later, they’re still not collecting 10%.

During calendar year 2017, the FBI phased out use of the Samsung Galaxy S5 devices by its employees and replaced them with Samsung Galaxy S7 devices because of software and other issues that prevented the data collection tool from reliably capturing text messages sent and received via FBI issued Samsung Galaxy SS mobile devices. According to FBl’s Information and Technology Branch, as of November 15, 2018, the data collection tool utilized by FBI was still not reliably collecting text messages from approximately IO percent of FBI issued mobile devices, which included Samsung S7s and subsequently issued S9s. By comparison, the estimated failure rate of the collection tool was 20 percent for the Samsung S5s.

The FBI’s tech folks provided these explanations for why the tool by the unnamed vendor still doesn’t work.

  • In calendar year 2016 the collection application vendor reported a “bug” in a version of the collection tool which caused the application to stop collecting text message or log data- This application version was replaced by a newer version that corrected the issue in March 2017.
  • Errors during the initial installation of the collection application, such as misconfiguration during setup.
  • Errors in the collection application’s ability to send text message data caused by software updates or operating system updates on the mobile device itself.
  • Hardware errors, such as the device not being powered on, being located in a poor cellular signal area, or being located in an area with no cellular service.

Among the other excuses FBI offers for implementing a fix to a 20% failure with one that still results in a 10% failure is to say, “complete collection of text messages is neither required nor necessary to meet the FBI’s legal preservation obligations” (which goes back to how they’re requiring retention via policy, but not technologically-assisted procedure). The FBI also says that it “is not aware of any solution that closes the collection gap entirely on its current mobile device platforms,” which makes me wonder why they keep buying new Samsungs if the Samsungs aren’t serving their needs? Aside from the question of why we’d ask FBI Agents to use less secure Korean phones rather than more secure American ones (note, Mueller’s team is using iPhones)?

This story, like so many with the hoaxes that Republicans have ginned up to try to delegitimize the Mueller investigation, seems to be the big story, not what Strzok and Page sent themselves two years ago (the IG Report concluded the non-discoverable texts did not cover one subject area, so weren’t by themselves suspect, and doubted either Strzok or Page had the technical capability to selectively destroy only incriminating texts).

The FBI is an agency that routinely demands that people respond to subpoenas by pulling all the relevant texts on a given subject. If you were to fail, they would be at least consider whether your failure to do so amounted to obstruction. But they don’t guarantee they would be able to meet that same standard — they’re happy with their 10% failure rate, apparently.

And while it is an interesting topic for Strzok and Page and Donald Trump’s attempts to claim Witch hunt! it’s the instances where criminal defendants are asking the FBI to search for relevant texts among agents (in just one example, MalwareTech asked the FBI for texts between Agents surveilling and then arresting him in Las Vegas, but got nothing) that I care about. Because if you only aspire to 90% retention, and if you attribute any failure to do better to an individual Agent’s failure to meet a policy (but how would you prove it, if the point is that a given text no longer exists to be discovered?), then you’re pretty much ensuring that you can’t fully comply with discovery requests from defendants.

Apparently, the FBI seems okay with that.

When Insisting on the Letter of the Law Counts Amounts to Being “Hyper-Technical”

/7 Comments/in /by

After almost two months, the Magistrate in the MalwareTech case, Nancy Joseph, has finally responded to his motions to dismiss his interview and most charges in the indictment (here’s my snarky summary of the arguments the judge considered, with links to those motions). She ruled against him on every motion.

I won’t deal with Hutchins’ challenge to his interview statements; as I’ve said all along, that was unlikely to succeed, but the process of getting here did introduce evidence that should damage the arresting officers’ credibility on the stand for the trial.

There may be no evidence in the CFAA charges but there is enough to withstand this challenge

Hutchins’ first challenge is to a series of Computer Fraud and Abuse Act and Wiretapping charges, which his team argued did not correctly apply the statutes.

Hutchins moves to dismiss the first superseding indictment for failure to state an offense under Federal Rule of Criminal Procedure 12(b). In this motion, Hutchins contends that (1) Counts One and Seven fail to allege any facts that show he intended to cause “damage” to a computer within the meaning of the Computer Fraud and Abuse Act; (2) Counts One through Six do not state an offense because software such as Kronos and UPAS Kit is not an “electronic device” within the meaning of the Wiretap Act; and (3) Counts One, Four through Eight, and Ten do not allege the necessary intent and causation required to prove a conspiracy.

In her recommendation, Joseph suggests there may not be proof to support these charges, but unless this challenge is an issue regarding the application of the law to a set of undisputed facts, then insufficient evidence is not adequate to throw out a charge.

On a pretrial motion to dismiss, an indictment “is reviewed on its face, regardless of the strength or weakness of the government’s case.” White, 610 F.3d at 958. A defendant may not, via pretrial motion, challenge the sufficiency of the government’s proof. See United States v. Yasak, 884 F.2d 996, 1001 (7th Cir. 1989) (“A motion to dismiss is not intended to be a ‘summary trial of the evidence.’”). The court dismisses an indictment only if the government’s inability to prove its case appears convincingly on the face of the indictment. Castor, 558 F.2d at 384.

With this and later charges, she then analyzes the sufficiency of the indictment based on whether it includes the language of the statute, not whether it uses that language in the way the Circuit has ruled it should be or Congress intended it. So, in spite of the fact that there’s no evidence Hutchins had the intent to damage computers, because the government has defined programs Hutchins contributed to as “malware” and then defined malware as “code intended to damage a computer” (which, Hutchins argued, is not how the Seventh Circuit defines malware) their charge is sufficient.

Hutchins ignores that the indictment itself describes Kronos and UPAS Kit as “malware,” which it defines as “malicious computer code intended to damage a computer.” (Id. at 1(d)–(f).) That is sufficient to allege intent to cause damage. The crux of Hutchins’ argument is that the government cannot prove this.

Asking that the government adhere to the law as Congress wrote it is “hyper-technical”

Similarly, in spite of the fact that Congress defined wiretapping as an “electronic, mechanical, or other evidence,” Joseph says the way the government applies it instead to software passes muster until Hutchins proves that software is not hardware at trial.

Hutchins argues that the Wiretap Act’s definition of this phrase, “any device or apparatus which can be used to intercept a wire, oral, or electronic communication,” does not include software because software is not within the ordinary meaning of “device.”

As noted above, it is not appropriate to dismiss criminal indictments without undisputed facts supporting the conclusion that a jury trial is unnecessary. While the indictment briefly defines Kronos and UPAS Kit, the details of their functions and their relationships to more traditional “devices” such as computers will be a matter for the jury.

Permitting the government to sustain any possible definition of wiretapping

Her decision to permit the government to define malware as a device makes it unsurprising that she keeps both charges two and three, which charge the same advertising a wiretapping device twice. The government defended this charging decision based on its assertion of the right to pick its own dictionary, and having already ceded the government that authority, keeping both charges two and three is consistent with her other decisions.

Mistaking the conspiracy for the direct sale

The way in which Joseph dismisses Hutchins’ challenge to how the government charged him with conspiracy to commit CFAA is curious for other reasons. This is a conspiracy case, and while I think it possible the government could succeed at trial in arguing that because Hutchins’ alleged co-conspirator fully intended his customers (like the government’s informant) to hack computers, that means he entered into a conspiracy to do so. Joseph doesn’t rely on the powerful way the government uses conspiracy charges at all. Indeed, she edits out mention of that co-conspirator, without whom no sale would have taken place.

Hutchins argues that the indictment “conflates [Hutchins’] alleged selling of the software with a specific intent for buyers to commit an illegal act with the software. There is no allegation that Mr. Hutchins . . . intended any specific result to occur because of the sales. . . . Merely writing a program and selling it—when any illegal activity is up to the buyer to perform—is not enough to allege specific intent by Mr. Hutchins.” (Id. at 95.) Here again, Hutchins tries to impose a standard for civil pleading on a criminal indictment.

The language about intent and causation tracks the statutory elements, and that is all that is required in an indictment.

Effectively, Joseph seems to be arguing a CFAA charge itself rather than a conspiracy to commit CFAA charge. That’s problematic given that Hutchins raised a Seventh Circuit standard applying to conspiracies to sell stuff (drugs) that would be on point.

Intentionality is required but attempts are sufficient

In one of the charges where Hutchins is personally charged with CFAA, rather than conspiracy, Joseph permits the government’s effort to effect a conspiracy anyway, by first agreeing that intent is required, but then saying that attempting to do something even in absence of intent amounts to intent anyway.

To prove an attempt to violate § 1030(a)(5)(A), the government must prove that (1) Hutchins knowingly took a substantial step toward committing a violation of § 1030(a)(5)(A) and (2) that he did so with the intent to violate § 1030(a)(5). Seventh Circuit Pattern Jury Instruction 4.09. Accordingly, although Hutchins is correct that §1030(a)(5) does require that the damage be intentional, he is incorrect that the charge does not allege intentionality. It alleges an attempt, and intentionality is a necessary component of an attempt. In other words, the phrase “intentionally attempted” would be redundant.

Because Count Seven, read practically and not in a hyper-technical manner, sets forth the elements of an attempt to violate § 1030(a)(5), it is sufficient.

Again, “hyper-technical” is doing a lot of work here.

A YouTube in California is an overt act in Wisconsin

Hutchins may have fucked himself a bit by waiving all venue challenges to Wisconsin (venue here comes from an Agent buying two pieces of malware and then committing no crimes with it). Still, his argument clearly lays out parts of the government’s claim that he can be charged in the United States — notably, via a YouTube had no tie to and his co-conspirator only linked — that argue there were no overt acts in the US.

Joseph ignores the parts of the argument where Hutchins lays out that the government doesn’t argue any basis for venue and declares the allegations sufficient.

Count One alleges various acts in furtherance of a conspiracy resulting in the sale of UPAS Kit and Kronos to individuals in the Eastern District of Wisconsin.

Of course, Hutchins is correct that an offense cannot be prosecuted anywhere in the world just because it involves the Internet. (Docket # 105 at 5.) But the indictment does not do that. On the contrary, it alleges that relevant events occurred in the state and Eastern District of Wisconsin. Whether the government will be able to prove that is a question for another day. At this juncture, it is sufficient that the indictment alleges that the violations occurred within the state and Eastern District of Wisconsin.

Dodging the issue of the informant who is the only one who has damaged or wiretapped computers

Joseph effectively dodges the entirety of Hutchins’ renewed demand for the identity of “Randy,” the informant whom the government describes as the only one who actually damaged (if malware damages computers) or wiretapped anything, which is that Randy is an unindicted co-conspirator, not an informant. She just says 30 days notice of Randy’s identity is sufficient.

The hyper-technical problems with treating malware as a device

It’s in the Wiretap Act where this ruling is most alarming. Joseph twice appears to misunderstand that Hutchins is not alleged to have wiretapped anything himself, but instead coded malware that his alleged co-conspirator sold, which other then people used to collect data (as noted, the government’s informant is the only one alleged to have illegally collected any data here).

In the absence of more details, it is unwarranted at this stage to evaluate whether they alone qualify as “devices” or to assume that the government could not produce evidence that Hutchins did in fact use an indisputable “device” of some kind, if not the software itself than a computer or some other device.

[snip]

There is simply no authority for the argument that software cannot constitute a “device” within the meaning of the Wiretap Act, and even if there were, there are simply not sufficient facts before the court to determine that Hutchins did not violate the Wiretap Act using some “device” in connection with Kronos and UPAS Kit. [my emphasis]

More troubling still, in adopting the government’s expansive definition of wiretapping, she suggests doing otherwise is “hyper-technical.”

[T]here are reasons to doubt such a strict interpretation of the Wiretap Act would be warranted even if this court were to undertake such an interpretation. Determining that the Wiretap Act could never apply to software would require the court to overlook the notably broad language of the Wiretap Act, which was to generally prohibit unauthorized artificial interception of communication in an era of changing technologies, in favor of a hyper-technical reading of the statute. It would also require the court to adopt a very restrictive definition of “electronic, mechanical, or other device” that may not comport with legislative intent, the ordinary meaning of those words, or the (scant) existing case law. Cf. Luis v. Zang, 833 F.3d 619 (6th Cir. 2016); In re Carrier IQ, Inc., 78 F. Supp. 3d 1051 (N.D. Cal. 2015).

Most charitably, this should be taken as a punt. Because Joseph doesn’t realize that the facts are almost undisputed (because the government admitted that in this case a computer would be the device doing any wiretapping, not the malware itself), she dodges the issue of law that, she says, could be the appropriate standard for dismissal.

But in fact, it reverses the burden, permitting prosecutors to invent new readings of law, and permitting that reading until such time as Hutchins demonstrates at trial that’s explicitly not what Congress intended.

Ultimately, though, it seems that Joseph has been staring at several well-substantiated technical arguments about how the law is written and, having despaired of understanding that, simply declared treating the law as it was either written or has been interpreted by the Courts amounts to being “hyper-technical” and punted that job to the jury. That’s not surprising. Indeed, that’s one of the grave risks of defending against a hacking charge in a place that sees little of it. But everywhere where Hutchins made a legal careful argument, Joseph either let the government invent different meanings willy nilly or just deferred all treatment of the technical issues to trial.

The MalwareTech Case Resets to Zero: A Dialogue Wherein the Government Repeats “YouTube” Over and Over

/2 Comments/in /by

Yesterday, the government responded to Marcus Hutchins (MalwareTech)’s renewed challenges, submitted two weeks ago, to the superseding indictment the government used to replace its previous crappy-ass indictment and thereby set the motions process almost back to zero. Here’s my abbreviated summary of what Hutchins argues in the renewed motions, with the government response.

1) Motion for a Bill of Particulars with respect to CFAA charges

Hutchins: Name the 10 or more protected computers I allegedly damaged and the damage I did, because recording and exfiltrating data is not damaging a computer. Also, name the computers I allegedly tried to access without authorization.

Government: We’re going to revert to the outdated definition of malware the Seventh Circuit has already rejected to claim it is damage. Also, we’re going to pretend we used the word intent where you keep nagging us for not doing so.

2) Challenge to Seventh Count (CFAA)

Hutchins: You’ve rewritten the CFAA language, “[K]nowingly cause[] the transmission of a program, information and command, and as a result of such conduct, intentionally cause[] damage without authorization, to a protected computer[.],” but not included the intentionality language.

Government: Correct! We’ve simply replaced the word “intentionally” with “attempted,” so it’s all good.

[A]n attempt means to take a substantial step towards committing the offense, with the “intent to commit the offense.” (emphasis added) Because Count Seven is charged as an attempt to violate section 1030, including the word “intentionally” before “attempted” (which Hutchins believes to be necessary) would be unnecessary and redundant. See United States v. Rutherford, 54 F.3d 370, 373 (7th Cir. 1995) (stating attempts are intentional acts; and under common law, “an attempt includes the specific intent to commit an unlawful act”).

emptywheel: There are some cases where the government succeeded in convicting people of CFAA without the charged person causing the damage himself, but I’d have to look closer to see if this will fly under Seventh Circuit precedents.

3) Motion to dismiss the whole damn indictment

Hutchins: There was no damage in the damage charges, no wiretapping device in the wiretapping charges, nor did Marcus advertise any such device, and laying out how MalwareTech writes blog posts analyzing malware does not mean he advertised a wiretapping device.

The superseding indictment states that Mr. Hutchins “hacked control panels” associated with a so-called competing malware called Phase Bot and wrote a blog post about it. (First Superseding Indictment ¶ 4(h).) It does not appear that this allegation alone is the basis of any count, as Mr. Hutchins would presumably be charged with a direct—rather than inchoate—violation of § 1030(a)(2)(C) if that were the case. To the extent it is a basis for any count, however, the defense notes that analyzing malware is, in fact, what Mr. Hutchins does professionally. In total, Mr. Hutchins wrote a total of three lengthy blog posts to educate the public about Phase Bot’s structure and functionality. These blog posts were based on Mr. Hutchins’ analysis of Phase Bot installed on his own computers. Any attempt to punish or interfere with Mr. Hutchins’ lawful security research and publishing activities would, of course, violate his First Amendment rights.

Government: We’re going to define malware however we damn well please, even if we have to use a British dictionary rather than the American one the Seventh Circuit uses to throw a Brit in the pokey. Hell, we’re willing to play word games with four different reference books if we need to! But if you use a dictionary to argue the law means what the law says, then you’re cheating.

Therefore, the Court should resist Hutchins’s attempt to limit the scope of sections 2511 and 2512 based on a definition found in one online dictionary; or because “malware” or “spyware” or “software” is not specifically listed in the definition of “electronic, mechanical, or other device.” The reference to “any device or apparatus” is written broadly in order to capture changes in technology.

Also, because Hutchins’ co-conspirator showed a video of malware operating on a computer and both talked about malware operating on a computer in forums, that turns the malware into a device! Presto!

4) Motion to dismiss wiretapping because Congress never intended to charge foreigners with wiretapping and none of the rest of this happened in the United States

Hutchins: “A foreign defendant like Mr. Hutchins is not subject to the jurisdiction of the United States merely because someone else posted a video on the Internet.” And “to the extent that Mr. Hutchins and Individual B interacted while Individual B was purportedly in the United States, that circumstance cannot, as the first superseding indictment tries to do, subject Mr. Hutchins’ alleged dealings with Individual A to domestic prosecution.”

Government: So what if Congress didn’t intend wiretapping to apply extraterritorially? There’s a YouTube! Also, you’re being hypertechnical by arguing Congress’ intent in passing a law. Besides, that was so long ago!

[B]ecause the conduct charged in Counts Two and Three occurred in the U.S. there is no extraterritorial application of U.S. law to foreign conduct. This is true even if Hutchins and Individual A were abroad when the conduct occurred in the U.S.

Also, there’s a YouTube!

emptywheel: One interesting aspect of the government’s desperate attempt to claim the actions of two people outside of the US took place in the US is that the malware in question was sold on location obscuring sites, Darkode and AlphaBay. That doesn’t change that an officer in Easter (as the government calls it at least twice) District of WI bought the malware in WI. But it will do interesting things to the government’s claim that Hutchins and VinnyK “directed” such sales at the US. It all seems to come down to the YouTube.

5) Motion to compel the identity of Randy

Hutchins: In order to shore up your dodgy indictment, you’ve made Randy into an uncharged co-conspirator. Now you really have to give us his ID.

Government: Sure, sure, we’ve included Randy in overt acts to get around the fact that Randy, but not you, intended to steal data so we can argue you’re guilty. But that doesn’t change his role in the investigation. You’re just using a local rule against us. Plus, you were mean to Sabu once on Twitter so obviously you just want to call for reprisal against Randy.

emptywheel: As far as I know MalwareTech has not called for reprisal against me for cooperating with the government against a cybercriminal. Maybe he’s just opposed to cybercriminals blaming others for their own crimes, as Randy appears to have done?

More seriously, I’m going to pull out two more things.

First, here’s some language from the government response in 4 that pretty much sums up their argument.

Second, Hutchins misunderstands the nature of the charges in Count One and Seven and the government’s burden at trial. Conspiracy punishes an illegal agreement. United States v. Read, 658 F.2d 1225, 1240 (7th Cir. 1981) (describing liability for a conspiracy and mail fraud). And it is well established that under conspiracy law, the object of the conspiracy does not need to be achieved for liability to attach. United States v. Donner, 497 F.2d 184, 190 (7th Cir. 1974). Therefore, the government only needs to prove Hutchins conspired to damage computers, not the actual damage he intended.

The same is true for Count Seven. An attempt is a substantial step towards completing the crime with the intent to complete the crime. United States v. Sanchez, 615 F.3d 836, 843-44 (7th Cir. 2010). As with Count One, the government does not have a burden to prove damage; only an attempt to damage.

What the government has done has charged crimes that permit Hutchins to be held liable for criminal acts his co-conspirator maybe possibly intended, even though it’s not clear he had the same intent as his co-conspirator, even if neither had the intent to facilitate wiretapping or damage to computers (depending on what dictionary you use). I make light above, but this is a very powerful aspect of US law, and it shouldn’t be dismissed outright.

Finally, the only place either side addresses false statements (one of the two new charges that’s not just smearing old charges more thinly and using the part of CFAA they should have charged under in the first place, the other being wire fraud) is in argument 4. Hutchins says that because everything else is bunk there are not false statements that can be charged.

If the Court grants this motion as to Counts One Through Eight and Ten, it should also dismiss Count Nine. That count charges a violation of 18 U.S.C. § 1001 and flows from an allegedly false statement Mr. Hutchins made to law enforcement during a post-arrest interrogation focusing on the conduct charged in the broader indictment. Section 1001 is violated only when a false statement is made about a “matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States.” 18 U.S.C. § 1001(a). This motion asserts a lack of domestic jurisdiction over the alleged offenses such that any false statement made by Mr. Hutchins about those offenses is not subject to prosecution under § 1001.

The government (predictably) doesn’t agree. It says jurisdiction doesn’t matter, what matters is that the FBI was investigating.

In this case, the FBI was conducting a criminal investigation which falls within the meaning of “any matter” as used in 18 U.S.C. § 1001. United States v. Rogers, 466 U.S. 475, 476-484 (1984); see also 28 U.S.C. § 533; 28 C.F.R. § 0.85. Additionally, the term “jurisdiction” as used in section 1001 “merely differentiates the official, authorized functions of an agency or department from matters peripheral to the business of that body.” United States v. Rogers, 466 U.S. 475, 476- 484 (1984). Therefore, even if all the other counts of the superseding indictment were dismissed, Count Nine would survive. Hutchins’s motion should therefore be denied.

I fear this argument might well work: that because the FBI was investigating something mostly in a poorly executed attempt to strand Hutchins here so they could make him inform on others, he can be charged with false statements. That’s crazy. But that’s also the way false statements may work.

All of which is to say, a great deal of the government’s argument boils down to, “YouTube! Try this dictionary! YouTube! Or maybe this dictionary! YouTube!” But that doesn’t mean it won’t all work.

What Seems to be Going on with MalwareTech’s New Charges

/29 Comments/in , /by

When I wrote this post on the superseding indictment against Marcus Hutchins (MalwareTech) I deferred assessment of the new charges — a differently charged CFAA, a wire fraud, and a false statements charge — until the lawyers weighed in. Last night, the two sides submitted a status report on the superseding indictment, and it’s clear that the government has fixed some glaring problems with its case. (Along the way the defense has argued they need to tweak all but one of the motions they had fully briefed, adding two months to this process, on top of the extra charges.)

By my read, the government has taken a detrimental ruling — that Hutchins will learn of the informant, Randy’s, identity at least a month before trial, if not before, as well as the fact that Hutchins did not, maybe could not, have admitted what they wanted to in his original interrogation but did admit to some other things, and used those setbacks to fix a number of problems with their case.

By my read (not a lawyer, not a judge, looking at just scraps of evidence), the original indictment against Hutchins was drawn up sloppily only as a means to detain him in this country and quickly — the government believed, because this is how things happen in the U S of A — get him to agree to inform on VinnyK and other online criminals. Indeed, fragments of the original interrogation now make it clear that was the intent.

Chartier: I mean, you know, Marcus, I’ll be honest with you. You’re in a fair bit of trouble.

Hutchins: Mmm-hmm.

Chartier: So I think it’s important that you try to give us the best picture, and if you tell me you haven’t talked to these guys for months, you know, you can’t really help yourself out of this hole. Does that make sense?

Hutchins: Yeah.

Chartier: Now, I’m not trying to tell you to do something you’re not doing, but I know you’re more active than you’re letting on, too. Okay?

Hutchins: I’m really not. I have ceased all criminal activity involving

Chartier: Yeah, but you still have access and information about these guys.

Hutchins: What do you mean? Like, give me a name and I’ll tell you what I know about that.

Chartier: All right, why don’t you start out with this list of nics.

As a result of that sloppiness, the government had just thrown a bunch of crimes — CFAA and wiretapping — into the indictment, with the assumption that it’d be enough to turn the guy who stopped WannaCry into the US government’s latest informant.

While there are no guarantees in criminal cases, I think the defense’s arguments that the government had no proof Hutchins intended to damage the requisite 10 computers in Wisconsin, nor that he had intended to install a device to wiretap, were sound. Indeed, this superseding indictment is largely tacit admission that those arguments may well succeed and blow their original case up. Moreover, I suspect there is and will remain (until this thing goes to trial, if it does) a dispute about how much code someone has to contribute to a piece of malware to be considered its author.

But as I said, now that the government is facing going to trial with their informant, Randy, fully exposed, they’ve turned that into a way to revamp the alleged crimes against Hutchins such that they might be sustainable. That’s because — as I pointed out here — while VinnyK is accused of selling malware, Randy has already told the FBI that he used it, and used it to engage in financial crimes.

  • VinnyK (Individual A), a guy who sold a UPAS kit on July 3, 2012, days after Hutchins turned 18, and then on June 11, 2015, sold Kronos, a piece of malware with no known US victims. Altogether VinnyK made $3,500 for the two sales of malware alleged in this indictment. When this whole thing started, the government charged Hutchins mostly if not entirely to coerce him to provide information on VinnyK (information which he said in a chat in the government’s possession he doesn’t have). He’s the guy they’re supposed to be after, but now they’re after Hutchins exclusively.
  • “Randy” (Individual B), an actual criminal “involved in the various cyber-based criminal enterprises including the unauthorized access of point-of-sale systems and the unauthorized access of ATMs.” At some point, in an attempt to limit or avoid his own criminal exposure, Randy implicated Hutchins.

With that in mind, consider the two new main charges the government has added, and added to the conspiracy, in what I imagine is a bid to sustain the prosecution if the earlier problems with the indictment get parts of the rest of it thrown out. In addition to charging Hutchins with the part of CFAA that makes it a crime to attempt to damage 10 or more protected computers, the government is now charging him with the part of CFAA that makes it a crime to intentionally access a computer to obtain information for the purpose of private financial gain. That is, they’ve added the part of CFAA that makes it a crime to profit from stealing information. They’ve also charged Hutchins with wire fraud for attempting to obtain money by false and fraudulent pretenses. (The defense now agrees the government has venue in EDWI, which I suspect has to do with both the focus on advertising here as opposed to operation of code, as well as the claim that Hutchins’ alleged lies thwarted an investigation in the district.)

The first of these is easy to understand. Even in the fragments of Hutchins’ interrogation publicly available, he admitted to selling code.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

Chartier: And what was the name of that?

Hutchins: Oh, fuck. I really can’t remember. No, I’m drawing a blank. I mean, like, I actually sell the code. I sell it to people and then they do what the fuck they want with it.

They also have a jail transcript of Hutchins telling his boss that he gave Randy malware to pay off a debt. [Note, the defense has taken issue with the accuracy of this transcript.]

Hutchins: Yeah, and there were also some logs that I gave the compiled binary to someone to repay a debt

Salim Neino: You gave a compiled binary to somebody on the chat log?

Hutchins: To repay a debt yeah

[snip]

Neino: Okay, um was the nature of the debt anything significant?

Hutchins: It was about five grand

Neino: Oh not the amount, but was the nature of the debt significant, like was it related to something else, or just your personal debt?

Hutchins: Um he, no he asked me to hold some Bitcoins for him, and my software fucked up, and I lost some of the money

Neino: Oh so you had to pay him back?

Hutchins: Yeah

So while Hutchins did not himself use malware to steal information for the purpose of financial gain, they arguably have him admitting that he sold code that stole information for financial gain and that he gave code that did the same to someone who stole information for financial gain in order to pay off a $5,000 debt. Now, the government still has some work to do to prove that Hutchins’ code had that intent, but at least for this charge they don’t have to point to 10 computers that he intended to damage.

As for the wire fraud, I’m not sure (and I’m not sure the defense is either) but I think they’re now taking a post Hutchins did, criticizing weaknesses in a piece of malware competing with Kronos, and claiming that the post served to defraud upstanding malware purchasers into believing that Kronos was a better product by comparison.

On or about December 23, 2014, defendant MARCUS HUTCHINS hacked control panels associated with Phase Bot, malware HUTCHINS perceived to be competing with Kronos. In a chat with [Randy], HUTCHINS stated, “well we found exploit (sic) [sic] in this panel just hacked all his customers and posted it on my blog sucks that these [] idiots who cant (sic) [sic] code make money off this :|” HUTCHINS then published an article on his Malwaretech blog titled “Phase Bot — Exploiting C&C Panel” describing the vulnerability.

The government may even be planning on arguing that Hutchins used his research into the competition to update Kronos.

In or around February 2015, MARCUS HUTCHINS and [VinnyK], updated Kronos. On February 9, 2015, in a chat with [Randy], HUTCHINS described the update. [Randy] asked, “[D]id you guys just happen to make a (sic) update?” HUTCHINS responded, “[W]e made a few fixes to both the panel and bot.” [Randy] replied, “ah okay yeah read something that vinny posted was curious on what it was exactly.”

In any case, now that the government knows they’re not going to be able to hide Randy, they can use Hutchins’ interactions with him to try to put Hutchins in a cage, when they’ve decided to spare Randy that same cage or at least limit the time he’ll be there.

If I’m right about this, a lot of it brings us back to the final new charge, false statements. The government has charged Hutchins with lying to the same FBI agents that Hutchins accused (with some basis) of lying on the stand. They claim he lied when he told the FBI that “he did not know his computer code was part of Kronos until he reverse engineered the malware sometime in 2016,” because “as early as November 2014, HUTCHINS made multiple statements to [Randy] in which HUTCHINS acknowledged his role in developing Kronos and his partnership with [VinnyK].”

In yesterday’s status report, the defense said they’re going to “request that the government particularize the alleged false statement of Count Nine.” Presumably, they want to know how it is that AUSA Dan Cowhig, on August 4, 2017, represented to a judge that, “Hutchins admitted that he was the author of the code that became the Kronos malware” but are now claiming that he did not admit that. It may well be the language I’ve cited above, where Hutchins cites the UPAS Kit (which he coded as a minor), but says that was not the form grabber used in Kronos.

That’s the kind of charge that not only will depend on the specific language the government has in mind (which is why the defense may well succeed with a bill of particulars demand where they otherwise might not), but also the understanding of how fragments of code become malware, something on which (if Agent Chartier’s past testimony was any indication) the defense is likely to have a much better grasp than the government.

Understand where that puts us, though.

Probably after rediscovering Hutchins’ access to VinnyK and his friends because he had saved the world from repurposed NSA hacking tools, the government slapped together charges in a bid to turn Marcus Hutchins into an informant. When that didn’t work, when Hutchins had the gall to point out how problematic the charges were, the government then upped the ante, turning Hutchins into the primary target, whereas previously VinnyK had been.

We’ve got VinnyK, who used to be considered a big enough criminal to do this to Hutchins, Randy, who the government readily admits stole money from actual Americans, and the guy who saved the world from tools the NSA couldn’t keep safe. You’ve got two FBI agents who have done remarkable work damaging their own credibility (to say nothing of their ability to appear knowledgable about computer code on the stand). And the American taxpayers are going to spend thousands of dollars to try to put Hutchins — and possibly only Hutchins — in prison. That, even though the false statements charges may well come down to a dispute — which both sides have already been arguing — what the definition of malware is.

This is, in many ways, all too typical of how our justice system works; Hutchins is not unique in being targeted this way, nor in having the government double down when he had the nerve to avail himself of the justice system.

But I keep coming back to this: why does the government think that the interests of justice are served for punishing a guy because he achieved renewed notice by doing something good?

DOJ’s Minor Desperation with MalwareTech

/10 Comments/in /by

Best as I can tell (this is way not my forté — this was done with the help of S — so please recreate my work), this screen shot shows “auroras” selling UPAS Kit 1.0.0.0 on June 14, 2012.

June 14, 2012 was before Marcus Hutchins turned 18.

Some of the Russian translates as:

Upas is a modular http bot, which was created for the sole purpose – to save you from a headache. This is an advanced ring3 rootkit that has something in common with SpyEye and Zeus. Thus, the installation is “quiet” without recognition by antiviruses.Currently it works on the following versions of Windows: XP, Vista, 7 (Seven), Server 2003, Server 2008. In addition, it is “compatible” with all service packs.

[snip]

The Upas Kit was created to identify vulnerabilities in information systems of individuals and organizations.

Upas Kit has never been used to commit cyber crimes and it can not be so.

Buying this product, you agree not to violate the laws of the Russian Federation and other countries.

Buying this product, you use it at your own risk. Before downloading the application to the user’s PC, you must obtain its consent.

The support address is [email protected]. This matches the UPAS Kit described in Marcus Hutchins’ superseding indictment.

“UPAS Kit” was the name given to a particular type of malware that was advertised as a “modular HTTP bot.” UPAS Kit was marketed to “install silently and not alert antivirus engines.” UPAS Kit allowed for the unauthorized exfiltration of information from protected computers. UPAS Kit allowed for the unauthorized exfiltration of information from protected computers. UPAS Kit used a form grabber and web injects to intercept and collect personal information from a protected computer.

All of which is to say that when the superseding indictment describes the following as overt acts in the conspiracy to violate CFAA and to wiretap, it describes code placed on sale before Hutchins turned 18.

On or about July 3, 2012, [VinnyK], using the alias “Aurora123,” sold and distributed UPAS Kit to an individual located in the Eastern District of Wisconsin in exchange for $1,500 digital currency.

Now, as I said yesterday, it’s not clear what UPAS Kit is doing in the superseding indictment. Alone, the coding behind the listing above necessarily happened while Hutchins was a minor and the sale itself happened over five years ago. So the government can only present it as part of a conspiracy sustained by more recent overt acts, like the sale of Kronos in 2015, arguing they’re part of the same conspiracy, which extends the tolling (but doesn’t change Hutchins’ birthday).

Given the claim that he lied to the FBI in his Las Vegas interrogation, however, I think they’re suggesting that when he admitted to coding a form grabber, but not the one in Kronos, he was lying about knowing that this earlier code got used in Kronos.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

In other words, to get this admission into trial, the government is going to claim he was lying about knowing there was continuity between UPAS and Kronos in a way to deny any more recent involvement, even though they’re on the record (though Dan Cowhig’s statements to the court) that he had admitted that.

Which further suggests the evidence they have that he actually coded Kronos itself isn’t that strong, and need to rely on code that Hutchins coded when he was a minor to be able to blame this malware on him.

To Pre-empt an Ass-Handing, the Government Lards on Problematic New Charges against MalwareTech

/55 Comments/in , /by

When last we checked in on the MalwareTech (Marcus Hutchins) case, both FBI agents involved in his arrest had shown different kinds of unreliability on the stand and in their written assertions, and Hutchins’ defense had raised a slew of legal challenges that, together, showed the government stretching to use wiretapping and CFAA statutes to encompass writing code so as to include Hutchins in the charges. It looked like the magistrate in the case, Nancy Joseph, might start throwing out some of the government’s more expansive legal theories.

That is, it looked like the government’s ill-advised decision to prosecute Hutchins in the first place might be mercifully put out of its misery with some kind of dismissal.

But the government, which refuses to cut its losses on its own prosecutorial misjudgments, just doubled down with a 10-count superseding indictment. Effectively, the superseding creates new counts, first of all, by charging Hutchins for stuff that 1) is outside a five year statute of limitations and 2) he did when he was a minor (that is, stuff that shouldn’t be legally charged at all), and then adding a wire fraud conspiracy and false statements charge to try to bypass all the defects in the original indictment. [See update below — I actually think what they’re doing is even crazier and more dangerous.]

The false statements charge is the best of all, because for it to be true a Nevada prosecutor would have to be named as Hutchins’ co-conspirator, because his representations in court last summer directly contradict the claims in this new indictment.

Wherein financial criminals VinnyK and Randy become bit players in criminal mastermind Marcus Hutchins’ drama

To understand how they’re doing this, first understand there are two criminals Hutchins is alleged to have had interactions with three-plus years ago:

  • VinnyK (Individual A), a guy who sold a UPAS kit on July 3, 2012, days after Hutchins turned 18, and then on June 11, 2015, sold Kronos, a piece of malware with no known US victims. Altogether VinnyK made $3,500 for the two sales of malware alleged in this indictment. When this whole thing started, the government charged Hutchins mostly if not entirely to coerce him to provide information on VinnyK (information which he said in a chat in the government’s possession he doesn’t have). He’s the guy they’re supposed to be after, but now they’re after Hutchins exclusively.
  • “Randy” (Individual B), an actual criminal “involved in the various cyber-based criminal enterprises including the unauthorized access of point-of-sale systems and the unauthorized access of ATMs.” At some point, in an attempt to limit or avoid his own criminal exposure, Randy implicated Hutchins.

With this superseding indictment, the government has turned these two criminals into the bit players in a scheme in which Hutchins is now the targeted criminal.

Interestingly, unlike in the original indictment, VinnyK is not charged in this superseding indictment. I’m not sure what that means — whether the government has decided they like him now, they’ll never get him extradited and he won’t show up at DefCon because he’s learned Hutchins’ lesson, or maybe even they’ve gotten him to flip in a bid to avoid embarrassment with Hutchins. So there’s one guy the government admits is a criminal — Randy — and another guy they believed was a serious enough criminal they had to arrest the guy who saved the world from WannaCry to help find, VinnyK. Neither is charged in this indictment. Hutchins is.

Conspiracy to violate minors outside the statute of limitations

As I said, one way the government gets from 6 to 10 counts is by identifying a second piece of software — allegedly written by Hutchins — that VinnyK sold, so as to charge the same legally suspect crimes twice.

This is a comparison of the old versus new indictment.

As I understand it (though the indictment is damned vague on this point) the additional wiretapping and CFAA charges come from a second piece of software.

Here’s what that second alleged crime looks like:

a. Defendant MARCUS HUTCHINS developed UPAS Kit and provided it to [VinnyK], who was using alias “Aurora123” at the time.

b. On or about July 3, 2012, [VinnyK], sold and distributed UPAS Kit to an individual located in the Eastern District of Wisconsin in exchange for $1,500 in digital currency.

c. On or about July 20, 2012, [VinnyK], distributed an updated version of UPAS Kit to an individual in the Eastern District of Wisconsin.

First of all, notice how Hutchins’ activities in this second crime aren’t listed with any date? Wikipedia says Hutchins was born in June 1994 and I’ve confirmed that was when he was born. Which means either he coded UPAS Kit in a few weeks or less, or the actions he’s accused of here happened when he was a minor.

Now look at your calendar. July 2012 was 6 years ago, so outside a 5  year statute of limitations; for some reason the government didn’t even try to include the July 20, 2012 action when they first charged this last year. One way or another, the SOL has tolled on these actions.

The time periods for this new alleged crime, though, is listed as July 2014 to August 2014. Except all new actions listed in that time period are tied to Kronos, not UPAS. In other words, unless I’m missing something, the government has tried to confuse the jury by charging Kronos twice, all while introducing UPAS, which is both tolled and on which Hutchins’ alleged role occurred while he was a minor.

[See update below,]

Criminalizing malware research

The effort against Hutchins always threatened to criminalize malware research. But the government (perhaps in an effort to substantiate a second crime associated with Kronos) has gone one step further with this claim:

On or about December 23, 2014, defendant MARCUS HUTCHINS hacked control panels associated with Phase Bot, malware HUTCHINS perceived to be competing with Kronos. In a chat with [Randy], HUTCHINS stated, “well we found exploit (sic) [sic] in this panel just hacked all his customers and posted it on my blog sucks that these [] idiots who cant (sic) [sic] code make money off this :|” HUTCHINS then published an article on his Malwaretech blog titled “Phase Bot — Exploiting C&C Panel” describing the vulnerability.

The government doesn’t explain this (and I guarantee you they didn’t explain this to the grand jury — I mean they put the word “hacked” right there so it must be EVIL), but they’re claiming this article talking about how to thwart Phase Bot malware via vulnerabilities in its command and control module — that is, a post about how to defeat malware!!!! — is really a devious plot to undercut the competition.

Again, the original indictment was dangerous enough. But now the government is claiming that if you write about how to thwart malware, you might be doing it for criminal purposes.

Charging the other bad guys with wire fraud conspiracy

As a reminder, the charges in the original indictment (which remain largely intact here) were problematic because selling Kronos fit neither the definition of wiretapping nor CFAA (the latter because it doesn’t damage computers). In an apparent attempt to get out of that problem (though not the venue one, which best as I can tell remains a glaring problem here), they’ve added a conspiracy to commit wire fraud, arguing that Hutchins “knowingly conspired and agreed with [VinnyK] and others unknown to the Grand Jury, to devise and participate in a scheme to defraud and obtain money by means of false and fraudulent pretenses and transmit by wire in interstate and foreign commerce any writing, signs, and signals for the purpose of executing the scheme.”

I’ll let the lawyers explain whether this charge will hold up better than the wiretapping and CFAA ones. But at least as alleged, all VinnyK has ever done (even assuming Hutchins can be shown to have agreed with this) is to sell Kronos to an FBI agent in Wisconsin.

The only one in this entire indictment described as actually making money off using Kronos is Randy, the guy the US government isn’t prosecuting because he narced out Hutchins. Meaning the guy with whom Hutchins would most credibly be claimed to have conspired to commit wire fraud is the one guy not mentioned in the charge.

But for some reason the government decided the just thing to do when faced with these facts was charge only the guy who saved the world from WannaCry.

Charging false statements after both FBI agents have been shown to be unreliable

Which brings us, finally, to what is probably the point of this superseding indictment, the government’s effort to salvage their authority. They’ve charged Hutchins with lying to the FBI about knowing that his code was part of Kronos.

On August 2, 2017, the Federal Bureau of Investigation was conducting an investigation related to Kronos, which was a matter within the jurisdiction of the Federal Bureau of Investigation.

On or about August 2, 2017, in the state of Eastern District of Wisconsin and elsewhere,

[Hutchins]

knowingly and willfully made a materially false, fictitious, and fraudulent statement and represented in a matter within the jurisdiction of the Federal Bureau of Investigation when he stated in sum and substance that he did not know his computer code was part of Kronos until he reverse engineered the malware sometime in 2016, when in truth and fact, as HUTCHINS then knew, this statement was false because as early as November 2014, HUTCHINS made multiple statements to Individual B in which HUTCHINS acknowledged his role in developing Kronos and his partnership with Individual A.

Whoo boy.

First of all, as I’ve noted, one agent Hutchins allegedly lied to had repeatedly tweaked his Miranda form, without noting that she did that well after he signed the form. The other one appears to have claimed on the stand that he explained to Hutchins what he had been charged with, when the transcript of Hutchins’ interrogation shows the very same agent admitting he hadn’t explained that until an hour later.

So the government is planning on putting one or two FBI agents who have both made inaccurate statements — arguably even lied — to try to put Hutchins in a cage for lying. And they’re claiming that they were “conducting an investigation related to Kronos,” which is 1) what they didn’t tell Hutchins until over an hour after his interview started and 2) what they had already charged him for by the time of the interview.

Oh wait! It gets better. See how they describe that Hutchins lied in Wisconsin?

The interrogation happened in Las Vegas, which last I checked was not anywhere near Eastern District of Wisconsin. I mean, I’m sure there’s a way to finesse these things wit that “and elsewhere” language, but this indictment simply asserts that an interrogation room in the Las Vegas airport was in Milwaukee.

And there’s more!!!

On top of the fact that one or another agent who themselves have credibility problems would have to go on the stand to accuse Hutchins of lying, and on top of the fact that they say this thing that happened in Las Vegas didn’t stay in Las Vegas but was actually in Milwaukee, there’s the fact that AUSA Dan Cowhig, on August 4, 2017, in a bid to deny Hutchins bail, represented to a judge that,

In his interview following his arrest, Mr. Hutchins admitted that he was the author of the code that became the Kronos malware and admitted that he sold that code to another.

We don’t have the full transcript of Hutchins’ interrogation yet (parts released by the defense show him admitting to underlying code, which may be what this UPAS stuff is about, though denying Kronos itself). But for it to be true that Hutchins lied about knowing that “his computer code was part of Kronos until he reverse engineered the malware,” then Cowhig would have had to be lying last year.

So to sum up: the government’s bid to save face, on top of some jimmying with dates and using Randy to accuse Hutchins of something that Randy is far more guilty of, is to put two agents who have real credibility problems on the stand to argue that their colleague in Nevada, which apparently spends its summers in Wisconsin, lied last year when he claimed that Marcus admitted “he was the author of the code that became the Kronos malware.”

Update: It has been suggested those 2012 UPAS Kit actions got included because they are part of the conspiracy, which is how they get beyond tolling (though not Hutchins’ age). If the government is arguing that UPAS is the underlying code that Hutchins contributed to Kronos, then that might make sense. Except that then the false statements charge becomes even more ridiculous, because we know that Hutchins admitted to that bit.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

Also note, at least according to Hutchins’ jail call to his boss, GCHQ vetted this earlier activity and found it to be unproblematic.

Update: On fourth read (this indictment makes no sense), I think the new charges are not the 2012 sales, but a vague crime based on the marketing, but no sale, of malware in 2014. In other words, they’re accusing Hutchins of wiretapping and CFAA crimes because someone else posted a YouTube. Note, the YouTube in question has already been litigated, as the government is trying hard to get venue because of that — because YouTube is based in the US.

This is such an unbelievably dangerous argument; it’s a real testament to the sheer arrogance of this prosecution at this point, that they’ll stop at nothing to avoid the embarrassment of admitting how badly they fucked up.

The Government Refuses to Name FBI Agent Accused of Deceit in MalwareTech Case

/44 Comments/in /by

Here’s the basic argument that Marcus Hutchins’ (AKA MalwareTech) lawyers are making in an effort to get his post-arrest interview suppressed.

[D]espite Mr. Hutchins’ multiple direct questions to the FBI agents who arrested him about the nature of his circumstance (e.g., “Can you please tell me what this is about?,” asked at the outset of the interrogation) and notwithstanding his frequent expressions of uncertainty about the agents’ focus of inquiry, the agents intentionally concealed from him the true and pertinent nature of his then-existing reality (e.g., “We’re going to get to it,” then somewhat revealing things 75 minutes later). Under these circumstances, bolstered by his known-to-the-agents exhaustion and status as a foreigner (among other things), Mr. Hutchins “full awareness of both the nature of the right being abandoned and the consequences of the decision to abandon it” was fatally compromised.

For its part, the government largely dodges the question of whether the agents misled (or refused to inform) Hutchins why he was being questioned, arguing (incorrectly — deception is mentioned twice in the first motion) that Hutchins didn’t raise deceit until after learning more details about the process, and focusing on the law in isolation from the facts. Ultimately, though, they argue that the substance of the crimes of which Hutchins was accused doesn’t matter because he knew he was arrested. To substantiate that, they present claims that go to the heart of the deceit question — the circumstances surrounding Special Agent Lee Chartier informing Hutchins that he had been indicted in Wisconsin.

Like the defendant in Serlin, Hutchins was aware of the nature of the FBI inquiry. Hutchins knew that the FBI’s interview on August 2, 2017, related to a criminal inquiry because Hutchins was handcuffed with his hands placed behind his back and told that he was under arrest based on federal arrest warrant. Doc. #82 at 20. And as if that was not enough, the questions posed to Hutchins, like the questions in Serlin, “would have alerted even the most unsuspecting [individual] that he was the . . . focus of the [criminal inquiry].”

[snip]

Unlike the defendant in Giddins, Hutchins was never misled about the criminal nature of the FBI investigation. There is no dispute that Hutchins was placed in handcuffs and told he was under arrest based on an arrest warrant issued from the Eastern District of Wisconsin, and that before any questioning, Hutchin was advised of his rights and waived those rights.

On that bolded bit, there very much is a dispute. Tellingly, the government never once mentions the name of the agent, Lee Chartier, who claims to have done this, the same agent that Hutchins accuses of deceit. That’s interesting, not least, because even after the agents “colluded” (curse you for using that term, Hutchins’ legal team!!!) about their story, whether and how Chartier informed Hutchins of his indictment while he had Hutchins in a stairwell is one of the matters on which their sworn testimony differed.

At the outset, it is very important for the Court to remember the agents’ pre-hearing collusion. As Agent Butcher revealed, she and Agent Chartier got together to “mak[e] sure that we were on – you know, that our facts were the same.” (Id. 112:4-5.) Their synchronization of their testimony calls into question their entire characterization of events, and any benefit of any doubt the Court has regarding what happened should accrue to Mr. Hutchins’ favor.

[snip]

Agent Chartier testified that he revealed he was with the FBI and told Mr. Hutchins that he was under arrest pursuant to a federal arrest warrant just after Mr. Hutchins had been detained, when he and the customs officers took Mr. Hutchins from the lounge to a stairwell. (Hearing Tr. 19:8-23.) By his own admission, however, Agent Chartier did not explain the charges or what was going on, despite Mr. Hutchins’ numerous questions in the hallway. (Id. at 19:25- 20:4; 58:25-59:1.)4

In addition, Agent Chartier claimed that after he escorted Mr. Hutchins to the (pre-arranged) interrogation room, he and Agent Butcher again advised Mr. Hutchins that he was under arrest pursuant to a federal arrest warrant. (Id. 20:25-21:1.) Notably, they did not explain anything else. Agent Chartier acknowledged that Mr. Hutchins was not told that the arrest warrant flowed from an indictment, much less that the indictment charged six felony offenses stemming from the development and sale of Kronos. (Id. 56:22-24.)

Further, although the agents tried to coordinate their testimony, Agent Butcher’s testimony about these meaningful events was quite different from Agent Chartier’s. She did not testify that he (Agent Chartier) advised Mr. Hutchins that he was under arrest pursuant to a federal arrest warrant. Only Agent Chartier makes this claim, one that is undermined by Agent Butcher and otherwise lacks any support in the record. [my emphasis]

There’s actually a very good reason why Butcher didn’t describe Chartier doing this. He did so, if he did, in the stairwell; Butcher wouldn’t have been a witness.

Ordinarily, an FBI agent would get the benefit of the doubt on this point, but for two reasons, the public records suggests they shouldn’t in this case.

First, the time that Jamie Butcher estimated Hutchins was given his Miranda warning, 1:18PM, would only allow for a minute to transpire between the time Hutchins exited the airport lounge and his interview started post-waiver.

Despite the fact that Mr. Hutchins was escorted out of the lounge at 1:17 p.m. and the audio recording started at approximately 1:18 p.m. (see Exhibits 14 and 9), Agent Chartier claimed that he read Mr. Hutchins the Advice of Rights form (Exhibit 9) and Mr. Hutchins read and signed it. (Hearing Tr. 24:25-25:6.)

Further, as an excerpt from the transcript reveals, Butcher told Chartier he (the more experienced agent on questioning witnesses of the two) was all over the place just minutes after he would have given such a warning.

5:05-5:22

Chartier: Okay. And I don’t know if we did this in the beginning. Sorry, my brain is like—

Butcher: You’re like a mile a minute. Go ahead.

Chartier: Did you—did we have a passport for you? I didn’t have—we didn’t take one off of you. Did you have a passport.

Hutchins: It’s in the bag.

Chartier: It’s in your bag? Okay. All right. Well just for the record, could you go ahead and state your full name and then give your date of birth?

Again, this would have happened just minutes after Chartier would have given Hutchins his Miranda warning. Whatever the verdict on Hutchins’ competence to waive his rights, it does raise questions about the carefulness of the warning that Chartier gave.

Ultimately, both these motions have the feeling of rushed filings, with some errors and imprecisions. Ultimately, the judge is likely to rule against Hutchins here (though it will form important background as she considers much more substantial challenges to the charges against him). As I’ve said, though, the entire process has undermined both agents’ credibility if this ever goes to trial.

Hutchins’ motion is also interesting for the evidence it gives that this was still ultimately about getting Hutchins to cooperate against people the government was certain he was still communicating with, something I’ve been maintaining from the start.

Chartier: And what was the name of that?

Hutchins: Oh, fuck. I really can’t remember. No, I’m drawing a blank. I mean, like, I actually sell the code. I sell it to people and then they do what the fuck they want with it.

Chartier: I understand, I understand, I understand. But you see why we’re here?

Hutchins: Yep. I can definitely see.

Chartier: I mean, you know, Marcus, I’ll be honest with you. You’re in a fair bit of trouble.

Hutchins: Mmm-hmm.

Chartier: So I think it’s important that you try to give us the best picture, and if you tell me you haven’t talked to these guys for months, you know, you can’t really help yourself out of this hole. Does that make sense?

Hutchins: Yeah.

Chartier: Now, I’m not trying to tell you to do something you’re not doing, but I know you’re more active than you’re letting on, too. Okay?

Hutchins: I’m really not. I have ceased all criminal activity involving–

Chartier: Yeah, but you still have access and information about these guys.

Hutchins: What do you mean? Like, give me a name and I’ll tell you what I know about that.

This is what the entire case is about: the government used a trumped up claim of really attenuated criminal liability to try to get Hutchins to provide information on “these guys.” And they didn’t decide to do so until after Hutchins came back to their attention after he saved the world from WannaCry.

If this ever goes to trial, that should be the central issue. And going forward, too, that should be the central issue: that the government got itself into a very deep hole on a legally deficient claim because they did a back door search on the guy who saved the world and decided arresting him was the best way to coerce his cooperation moving forward.

But I’m still betting this doesn’t go to trial.

The FBI Has No Idea What Time MalwareTech Waived Miranda

/10 Comments/in /by

Here’s the signature line of the FBI Agent who says that Marcus Hutchins waived his Miranda rights when he was arrested on August 2 of last year.

As I noted here, in addition to not memorializing that they asked him whether or not he was drunk (but not if he was high or exhausted) until four months after his arrest, the FBI wrote three different times down on his consent form, with the last being just a minute after he was arrested. In a new filing, Hutchins’ lawyers disclose that the Agent didn’t make those changes until a week after he was arrested — and didn’t note the delay on either the form or the 302 of the interview.

Hours before the scheduled April 19 evidentiary hearing, the government revealed to the defense for the first time how the handwritten times listed on the form came about. Since receiving the form from the government in discovery last fall, the defense had assumed that one of the agents had added the times contemporaneously with the interrogation. But that was not so. One of the two agents who interrogated Mr. Hutchins, Agent Butcher, disclosed to the prosecutors that:

The header information on the advice of rights form was entered after the interview. [She] realized the time she entered on the form was incorrect when she was drafting the 302 and attempted to reconstruct the time based on information available to her.

Agent Butcher wrote that 302, which is the FBI’s official report of the interrogation, five days after the interrogation, when she was presumably back in Milwaukee. The agent did not note her alteration of the form in the 302 or anywhere else.

It almost seems like the Agent was just as confused, possibly regarding the two hour time zone change from Wisconsin, as Hutchins was.

Hutchins’ lawyers want the form thrown out and the FBI’s claim that he was warned to be treated with a negative inference.

Evidence crucial to determining whether law enforcement honored Mr. Hutchins’ constitutional rights in connection with custodial interrogation is spoiled, at law enforcement’s hands. The form, as it existed whenever Mr. Hutchins signed it, apparently no longer exists. In its place is an altered version, and the government should not be permitted to introduce and rely on altered evidence in defending against Mr. Hutchins’ suppression motion.

[snip]

And the Court should also draw from the circumstance an inference adverse to the government’s position that Mr. Hutchins was warned of and waived his constitutional rights before making a post-arrest statement.

Hutchins team also suggests — though doesn’t explain — that the Agents deceived Hutchins as to why they they were interviewing him or that he was under arrest or what waiving Miranda entails.

Deception, as an independent basis for suppression, requires that the defense produce clear and convincing evidence that the agents affirmatively mislead the defendant as to the true nature of their investigation, and that the deception was material to the decision to talk. United States v. Serlin, 707 F.2d 953, 956 (7th Cir. 1983). Importantly, as the Seventh Circuit explained:

Simple failure to inform defendant that he was the subject of the investigation, or that the investigation was criminal in nature, does not amount to affirmative deceit unless defendant inquired about the nature of the investigation and the agents’ failure to respond was intended to mislead.

Id. (emphasis added).

They haven’t explained this, but perhaps it will come out on the stand when the Agent testifies next week.

There’s one more fuck-up revealed in this motion.

The government wants to use two calls Hutchins made to his boss from jail, in which he apparently discussed the issues he did in the interrogation, as proof that he was willing to discuss those issues. Whether that helps their case or not, apparently the transcript the government made of those calls has some discrepancies with the actual recording.

The calls were audio-recorded and the government has disclosed those recordings, along with draft transcripts reflecting what was said. The defense’s review of the draft transcripts reveals minor discrepancies between the transcripts and the actual conversations. If, over Mr. Hutchins’ objection, the Court chooses to consider the calls, that consideration should be based on listening to the actual calls, not just reviewing the transcripts.

The defense wants to prevent the government from using the calls (because they were made hours after his arrest and can’t really reflect on his state of mind), as well.

Recording the time you gave someone their Miranda warning is pretty basic stuff. Noting that you screwed that up is also pretty basic stuff.

None of that happened properly. Normally, it’s really hard to get interrogations thrown out. But the fuck-ups pertaining to this one keep mounting.

Continuance in MalwareTech’s Case

/9 Comments/in /by

I thought that while I was out traveling the continent last week, I’d miss a key hearing on Thursday in MalwareTech’s (Marcus Hutchins’) case. This thread lays out the government’s responses to his challenges to his indictment; the short version is, while the government would likely defeat his Miranda challenge, they still had to put their Agents on the stand for discovery. On the other issues, the government seems to have more serious problems (notably with trying him on charges for which there are no victims). So I thought it might be a really interesting hearing that would provide a glimpse of whether the judge thinks the government has a case.

That didn’t happen. After he and his lawyers got out to Milwaukee for the hearing, they asked for and got a one month continuance.

In light of new information, defendant requests a continuance of the evidentiary hearing. Parties agree to conduct evidentiary hearing on May 16, 2018 at 1:30 P.M.

So something’s up in his case, but it’s totally unclear what it is. All of the following are possibilities:

  • As noted, the government has been going back and forth about whether they’d get a superseding indictment. Last week they said they would. That’s probably the worst case scenario to explain the new information that would lead to a continuance: new charges that might pose a more serious risk.
  • In one of last week’s filings, the government revealed that he shared a binary with someone in CA (alleging, dangerously, that that amounts to wiretapping). That must be the informant the government has been trying to hide by calling a tipster. It may be the government provided information on this guy, and the defense wants a year to research him.
  • The government had finally found the dark web materials related to the sale of the malware. They may have provided that or more details on Hutchins’ alleged co-conspirator.
  • Defendants that the government might have have been trying to coerce Hutchins to share information on — most notably Peter Levashov, who was arrested for making Kelihos (which uses a successor to Kronos) — are now in US custody. That may change the status of his case somehow.
  • The government may finally realize that it’s got real problems with its case, and is finally offering a plea that better reflects the potential legal pitfalls of their case.

As I said, it could be any of these issues, or a combination of them. All we know is something’s up in his case, and we may not find out for another month.