Posts

The MalwareTech Case Resets to Zero: A Dialogue Wherein the Government Repeats “YouTube” Over and Over

Yesterday, the government responded to Marcus Hutchins (MalwareTech)’s renewed challenges, submitted two weeks ago, to the superseding indictment the government used to replace its previous crappy-ass indictment and thereby set the motions process almost back to zero. Here’s my abbreviated summary of what Hutchins argues in the renewed motions, with the government response.

1) Motion for a Bill of Particulars with respect to CFAA charges

Hutchins: Name the 10 or more protected computers I allegedly damaged and the damage I did, because recording and exfiltrating data is not damaging a computer. Also, name the computers I allegedly tried to access without authorization.

Government: We’re going to revert to the outdated definition of malware the Seventh Circuit has already rejected to claim it is damage. Also, we’re going to pretend we used the word intent where you keep nagging us for not doing so.

2) Challenge to Seventh Count (CFAA)

Hutchins: You’ve rewritten the CFAA language, “[K]nowingly cause[] the transmission of a program, information and command, and as a result of such conduct, intentionally cause[] damage without authorization, to a protected computer[.],” but not included the intentionality language.

Government: Correct! We’ve simply replaced the word “intentionally” with “attempted,” so it’s all good.

[A]n attempt means to take a substantial step towards committing the offense, with the “intent to commit the offense.” (emphasis added) Because Count Seven is charged as an attempt to violate section 1030, including the word “intentionally” before “attempted” (which Hutchins believes to be necessary) would be unnecessary and redundant. See United States v. Rutherford, 54 F.3d 370, 373 (7th Cir. 1995) (stating attempts are intentional acts; and under common law, “an attempt includes the specific intent to commit an unlawful act”).

emptywheel: There are some cases where the government succeeded in convicting people of CFAA without the charged person causing the damage himself, but I’d have to look closer to see if this will fly under Seventh Circuit precedents.

3) Motion to dismiss the whole damn indictment

Hutchins: There was no damage in the damage charges, no wiretapping device in the wiretapping charges, nor did Marcus advertise any such device, and laying out how MalwareTech writes blog posts analyzing malware does not mean he advertised a wiretapping device.

The superseding indictment states that Mr. Hutchins “hacked control panels” associated with a so-called competing malware called Phase Bot and wrote a blog post about it. (First Superseding Indictment ¶ 4(h).) It does not appear that this allegation alone is the basis of any count, as Mr. Hutchins would presumably be charged with a direct—rather than inchoate—violation of § 1030(a)(2)(C) if that were the case. To the extent it is a basis for any count, however, the defense notes that analyzing malware is, in fact, what Mr. Hutchins does professionally. In total, Mr. Hutchins wrote a total of three lengthy blog posts to educate the public about Phase Bot’s structure and functionality. These blog posts were based on Mr. Hutchins’ analysis of Phase Bot installed on his own computers. Any attempt to punish or interfere with Mr. Hutchins’ lawful security research and publishing activities would, of course, violate his First Amendment rights.

Government: We’re going to define malware however we damn well please, even if we have to use a British dictionary rather than the American one the Seventh Circuit uses to throw a Brit in the pokey. Hell, we’re willing to play word games with four different reference books if we need to! But if you use a dictionary to argue the law means what the law says, then you’re cheating.

Therefore, the Court should resist Hutchins’s attempt to limit the scope of sections 2511 and 2512 based on a definition found in one online dictionary; or because “malware” or “spyware” or “software” is not specifically listed in the definition of “electronic, mechanical, or other device.” The reference to “any device or apparatus” is written broadly in order to capture changes in technology.

Also, because Hutchins’ co-conspirator showed a video of malware operating on a computer and both talked about malware operating on a computer in forums, that turns the malware into a device! Presto!

4) Motion to dismiss wiretapping because Congress never intended to charge foreigners with wiretapping and none of the rest of this happened in the United States

Hutchins: “A foreign defendant like Mr. Hutchins is not subject to the jurisdiction of the United States merely because someone else posted a video on the Internet.” And “to the extent that Mr. Hutchins and Individual B interacted while Individual B was purportedly in the United States, that circumstance cannot, as the first superseding indictment tries to do, subject Mr. Hutchins’ alleged dealings with Individual A to domestic prosecution.”

Government: So what if Congress didn’t intend wiretapping to apply extraterritorially? There’s a YouTube! Also, you’re being hypertechnical by arguing Congress’ intent in passing a law. Besides, that was so long ago!

[B]ecause the conduct charged in Counts Two and Three occurred in the U.S. there is no extraterritorial application of U.S. law to foreign conduct. This is true even if Hutchins and Individual A were abroad when the conduct occurred in the U.S.

Also, there’s a YouTube!

emptywheel: One interesting aspect of the government’s desperate attempt to claim the actions of two people outside of the US took place in the US is that the malware in question was sold on location obscuring sites, Darkode and AlphaBay. That doesn’t change that an officer in Easter (as the government calls it at least twice) District of WI bought the malware in WI. But it will do interesting things to the government’s claim that Hutchins and VinnyK “directed” such sales at the US. It all seems to come down to the YouTube.

5) Motion to compel the identity of Randy

Hutchins: In order to shore up your dodgy indictment, you’ve made Randy into an uncharged co-conspirator. Now you really have to give us his ID.

Government: Sure, sure, we’ve included Randy in overt acts to get around the fact that Randy, but not you, intended to steal data so we can argue you’re guilty. But that doesn’t change his role in the investigation. You’re just using a local rule against us. Plus, you were mean to Sabu once on Twitter so obviously you just want to call for reprisal against Randy.

emptywheel: As far as I know MalwareTech has not called for reprisal against me for cooperating with the government against a cybercriminal. Maybe he’s just opposed to cybercriminals blaming others for their own crimes, as Randy appears to have done?


More seriously, I’m going to pull out two more things.

First, here’s some language from the government response in 4 that pretty much sums up their argument.

Second, Hutchins misunderstands the nature of the charges in Count One and Seven and the government’s burden at trial. Conspiracy punishes an illegal agreement. United States v. Read, 658 F.2d 1225, 1240 (7th Cir. 1981) (describing liability for a conspiracy and mail fraud). And it is well established that under conspiracy law, the object of the conspiracy does not need to be achieved for liability to attach. United States v. Donner, 497 F.2d 184, 190 (7th Cir. 1974). Therefore, the government only needs to prove Hutchins conspired to damage computers, not the actual damage he intended.

The same is true for Count Seven. An attempt is a substantial step towards completing the crime with the intent to complete the crime. United States v. Sanchez, 615 F.3d 836, 843-44 (7th Cir. 2010). As with Count One, the government does not have a burden to prove damage; only an attempt to damage.

What the government has done has charged crimes that permit Hutchins to be held liable for criminal acts his co-conspirator maybe possibly intended, even though it’s not clear he had the same intent as his co-conspirator, even if neither had the intent to facilitate wiretapping or damage to computers (depending on what dictionary you use). I make light above, but this is a very powerful aspect of US law, and it shouldn’t be dismissed outright.

Finally, the only place either side addresses false statements (one of the two new charges that’s not just smearing old charges more thinly and using the part of CFAA they should have charged under in the first place, the other being wire fraud) is in argument 4. Hutchins says that because everything else is bunk there are not false statements that can be charged.

If the Court grants this motion as to Counts One Through Eight and Ten, it should also dismiss Count Nine. That count charges a violation of 18 U.S.C. § 1001 and flows from an allegedly false statement Mr. Hutchins made to law enforcement during a post-arrest interrogation focusing on the conduct charged in the broader indictment. Section 1001 is violated only when a false statement is made about a “matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States.” 18 U.S.C. § 1001(a). This motion asserts a lack of domestic jurisdiction over the alleged offenses such that any false statement made by Mr. Hutchins about those offenses is not subject to prosecution under § 1001.

The government (predictably) doesn’t agree. It says jurisdiction doesn’t matter, what matters is that the FBI was investigating.

In this case, the FBI was conducting a criminal investigation which falls within the meaning of “any matter” as used in 18 U.S.C. § 1001. United States v. Rogers, 466 U.S. 475, 476-484 (1984); see also 28 U.S.C. § 533; 28 C.F.R. § 0.85. Additionally, the term “jurisdiction” as used in section 1001 “merely differentiates the official, authorized functions of an agency or department from matters peripheral to the business of that body.” United States v. Rogers, 466 U.S. 475, 476- 484 (1984). Therefore, even if all the other counts of the superseding indictment were dismissed, Count Nine would survive. Hutchins’s motion should therefore be denied.

I fear this argument might well work: that because the FBI was investigating something mostly in a poorly executed attempt to strand Hutchins here so they could make him inform on others, he can be charged with false statements. That’s crazy. But that’s also the way false statements may work.

All of which is to say, a great deal of the government’s argument boils down to, “YouTube! Try this dictionary! YouTube! Or maybe this dictionary! YouTube!” But that doesn’t mean it won’t all work.

What Seems to be Going on with MalwareTech’s New Charges

When I wrote this post on the superseding indictment against Marcus Hutchins (MalwareTech) I deferred assessment of the new charges — a differently charged CFAA, a wire fraud, and a false statements charge — until the lawyers weighed in. Last night, the two sides submitted a status report on the superseding indictment, and it’s clear that the government has fixed some glaring problems with its case. (Along the way the defense has argued they need to tweak all but one of the motions they had fully briefed, adding two months to this process, on top of the extra charges.)

By my read, the government has taken a detrimental ruling — that Hutchins will learn of the informant, Randy’s, identity at least a month before trial, if not before, as well as the fact that Hutchins did not, maybe could not, have admitted what they wanted to in his original interrogation but did admit to some other things, and used those setbacks to fix a number of problems with their case.

By my read (not a lawyer, not a judge, looking at just scraps of evidence), the original indictment against Hutchins was drawn up sloppily only as a means to detain him in this country and quickly — the government believed, because this is how things happen in the U S of A — get him to agree to inform on VinnyK and other online criminals. Indeed, fragments of the original interrogation now make it clear that was the intent.

Chartier: I mean, you know, Marcus, I’ll be honest with you. You’re in a fair bit of trouble.

Hutchins: Mmm-hmm.

Chartier: So I think it’s important that you try to give us the best picture, and if you tell me you haven’t talked to these guys for months, you know, you can’t really help yourself out of this hole. Does that make sense?

Hutchins: Yeah.

Chartier: Now, I’m not trying to tell you to do something you’re not doing, but I know you’re more active than you’re letting on, too. Okay?

Hutchins: I’m really not. I have ceased all criminal activity involving

Chartier: Yeah, but you still have access and information about these guys.

Hutchins: What do you mean? Like, give me a name and I’ll tell you what I know about that.

Chartier: All right, why don’t you start out with this list of nics.

As a result of that sloppiness, the government had just thrown a bunch of crimes — CFAA and wiretapping — into the indictment, with the assumption that it’d be enough to turn the guy who stopped WannaCry into the US government’s latest informant.

While there are no guarantees in criminal cases, I think the defense’s arguments that the government had no proof Hutchins intended to damage the requisite 10 computers in Wisconsin, nor that he had intended to install a device to wiretap, were sound. Indeed, this superseding indictment is largely tacit admission that those arguments may well succeed and blow their original case up. Moreover, I suspect there is and will remain (until this thing goes to trial, if it does) a dispute about how much code someone has to contribute to a piece of malware to be considered its author.

But as I said, now that the government is facing going to trial with their informant, Randy, fully exposed, they’ve turned that into a way to revamp the alleged crimes against Hutchins such that they might be sustainable. That’s because — as I pointed out here — while VinnyK is accused of selling malware, Randy has already told the FBI that he used it, and used it to engage in financial crimes.

  • VinnyK (Individual A), a guy who sold a UPAS kit on July 3, 2012, days after Hutchins turned 18, and then on June 11, 2015, sold Kronos, a piece of malware with no known US victims. Altogether VinnyK made $3,500 for the two sales of malware alleged in this indictment. When this whole thing started, the government charged Hutchins mostly if not entirely to coerce him to provide information on VinnyK (information which he said in a chat in the government’s possession he doesn’t have). He’s the guy they’re supposed to be after, but now they’re after Hutchins exclusively.
  • “Randy” (Individual B), an actual criminal “involved in the various cyber-based criminal enterprises including the unauthorized access of point-of-sale systems and the unauthorized access of ATMs.” At some point, in an attempt to limit or avoid his own criminal exposure, Randy implicated Hutchins.

With that in mind, consider the two new main charges the government has added, and added to the conspiracy, in what I imagine is a bid to sustain the prosecution if the earlier problems with the indictment get parts of the rest of it thrown out. In addition to charging Hutchins with the part of CFAA that makes it a crime to attempt to damage 10 or more protected computers, the government is now charging him with the part of CFAA that makes it a crime to intentionally access a computer to obtain information for the purpose of private financial gain. That is, they’ve added the part of CFAA that makes it a crime to profit from stealing information. They’ve also charged Hutchins with wire fraud for attempting to obtain money by false and fraudulent pretenses. (The defense now agrees the government has venue in EDWI, which I suspect has to do with both the focus on advertising here as opposed to operation of code, as well as the claim that Hutchins’ alleged lies thwarted an investigation in the district.)

The first of these is easy to understand. Even in the fragments of Hutchins’ interrogation publicly available, he admitted to selling code.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

Chartier: And what was the name of that?

Hutchins: Oh, fuck. I really can’t remember. No, I’m drawing a blank. I mean, like, I actually sell the code. I sell it to people and then they do what the fuck they want with it.

They also have a jail transcript of Hutchins telling his boss that he gave Randy malware to pay off a debt. [Note, the defense has taken issue with the accuracy of this transcript.]

Hutchins: Yeah, and there were also some logs that I gave the compiled binary to someone to repay a debt

Salim Neino: You gave a compiled binary to somebody on the chat log?

Hutchins: To repay a debt yeah

[snip]

Neino: Okay, um was the nature of the debt anything significant?

Hutchins: It was about five grand

Neino: Oh not the amount, but was the nature of the debt significant, like was it related to something else, or just your personal debt?

Hutchins: Um he, no he asked me to hold some Bitcoins for him, and my software fucked up, and I lost some of the money

Neino: Oh so you had to pay him back?

Hutchins: Yeah

So while Hutchins did not himself use malware to steal information for the purpose of financial gain, they arguably have him admitting that he sold code that stole information for financial gain and that he gave code that did the same to someone who stole information for financial gain in order to pay off a $5,000 debt. Now, the government still has some work to do to prove that Hutchins’ code had that intent, but at least for this charge they don’t have to point to 10 computers that he intended to damage.

As for the wire fraud, I’m not sure (and I’m not sure the defense is either) but I think they’re now taking a post Hutchins did, criticizing weaknesses in a piece of malware competing with Kronos, and claiming that the post served to defraud upstanding malware purchasers into believing that Kronos was a better product by comparison.

On or about December 23, 2014, defendant MARCUS HUTCHINS hacked control panels associated with Phase Bot, malware HUTCHINS perceived to be competing with Kronos. In a chat with [Randy], HUTCHINS stated, “well we found exploit (sic) [sic] in this panel just hacked all his customers and posted it on my blog sucks that these [] idiots who cant (sic) [sic] code make money off this :|” HUTCHINS then published an article on his Malwaretech blog titled “Phase Bot — Exploiting C&C Panel” describing the vulnerability.

The government may even be planning on arguing that Hutchins used his research into the competition to update Kronos.

In or around February 2015, MARCUS HUTCHINS and [VinnyK], updated Kronos. On February 9, 2015, in a chat with [Randy], HUTCHINS described the update. [Randy] asked, “[D]id you guys just happen to make a (sic) update?” HUTCHINS responded, “[W]e made a few fixes to both the panel and bot.” [Randy] replied, “ah okay yeah read something that vinny posted was curious on what it was exactly.”

In any case, now that the government knows they’re not going to be able to hide Randy, they can use Hutchins’ interactions with him to try to put Hutchins in a cage, when they’ve decided to spare Randy that same cage or at least limit the time he’ll be there.

If I’m right about this, a lot of it brings us back to the final new charge, false statements. The government has charged Hutchins with lying to the same FBI agents that Hutchins accused (with some basis) of lying on the stand. They claim he lied when he told the FBI that “he did not know his computer code was part of Kronos until he reverse engineered the malware sometime in 2016,” because “as early as November 2014, HUTCHINS made multiple statements to [Randy] in which HUTCHINS acknowledged his role in developing Kronos and his partnership with [VinnyK].”

In yesterday’s status report, the defense said they’re going to “request that the government particularize the alleged false statement of Count Nine.” Presumably, they want to know how it is that AUSA Dan Cowhig, on August 4, 2017, represented to a judge that, “Hutchins admitted that he was the author of the code that became the Kronos malware” but are now claiming that he did not admit that. It may well be the language I’ve cited above, where Hutchins cites the UPAS Kit (which he coded as a minor), but says that was not the form grabber used in Kronos.

That’s the kind of charge that not only will depend on the specific language the government has in mind (which is why the defense may well succeed with a bill of particulars demand where they otherwise might not), but also the understanding of how fragments of code become malware, something on which (if Agent Chartier’s past testimony was any indication) the defense is likely to have a much better grasp than the government.

Understand where that puts us, though.

Probably after rediscovering Hutchins’ access to VinnyK and his friends because he had saved the world from repurposed NSA hacking tools, the government slapped together charges in a bid to turn Marcus Hutchins into an informant. When that didn’t work, when Hutchins had the gall to point out how problematic the charges were, the government then upped the ante, turning Hutchins into the primary target, whereas previously VinnyK had been.

We’ve got VinnyK, who used to be considered a big enough criminal to do this to Hutchins, Randy, who the government readily admits stole money from actual Americans, and the guy who saved the world from tools the NSA couldn’t keep safe. You’ve got two FBI agents who have done remarkable work damaging their own credibility (to say nothing of their ability to appear knowledgable about computer code on the stand). And the American taxpayers are going to spend thousands of dollars to try to put Hutchins — and possibly only Hutchins — in prison. That, even though the false statements charges may well come down to a dispute — which both sides have already been arguing — what the definition of malware is.

This is, in many ways, all too typical of how our justice system works; Hutchins is not unique in being targeted this way, nor in having the government double down when he had the nerve to avail himself of the justice system.

But I keep coming back to this: why does the government think that the interests of justice are served for punishing a guy because he achieved renewed notice by doing something good?

DOJ’s Minor Desperation with MalwareTech

Best as I can tell (this is way not my forté — this was done with the help of S — so please recreate my work), this screen shot shows “auroras” selling UPAS Kit 1.0.0.0 on June 14, 2012.

June 14, 2012 was before Marcus Hutchins turned 18.

Some of the Russian translates as:

Upas is a modular http bot, which was created for the sole purpose – to save you from a headache. This is an advanced ring3 rootkit that has something in common with SpyEye and Zeus. Thus, the installation is “quiet” without recognition by antiviruses.Currently it works on the following versions of Windows: XP, Vista, 7 (Seven), Server 2003, Server 2008. In addition, it is “compatible” with all service packs.

[snip]

The Upas Kit was created to identify vulnerabilities in information systems of individuals and organizations.

Upas Kit has never been used to commit cyber crimes and it can not be so.

Buying this product, you agree not to violate the laws of the Russian Federation and other countries.

Buying this product, you use it at your own risk. Before downloading the application to the user’s PC, you must obtain its consent.

The support address is [email protected] This matches the UPAS Kit described in Marcus Hutchins’ superseding indictment.

“UPAS Kit” was the name given to a particular type of malware that was advertised as a “modular HTTP bot.” UPAS Kit was marketed to “install silently and not alert antivirus engines.” UPAS Kit allowed for the unauthorized exfiltration of information from protected computers. UPAS Kit allowed for the unauthorized exfiltration of information from protected computers. UPAS Kit used a form grabber and web injects to intercept and collect personal information from a protected computer.

All of which is to say that when the superseding indictment describes the following as overt acts in the conspiracy to violate CFAA and to wiretap, it describes code placed on sale before Hutchins turned 18.

On or about July 3, 2012, [VinnyK], using the alias “Aurora123,” sold and distributed UPAS Kit to an individual located in the Eastern District of Wisconsin in exchange for $1,500 digital currency.

Now, as I said yesterday, it’s not clear what UPAS Kit is doing in the superseding indictment. Alone, the coding behind the listing above necessarily happened while Hutchins was a minor and the sale itself happened over five years ago. So the government can only present it as part of a conspiracy sustained by more recent overt acts, like the sale of Kronos in 2015, arguing they’re part of the same conspiracy, which extends the tolling (but doesn’t change Hutchins’ birthday).

Given the claim that he lied to the FBI in his Las Vegas interrogation, however, I think they’re suggesting that when he admitted to coding a form grabber, but not the one in Kronos, he was lying about knowing that this earlier code got used in Kronos.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

In other words, to get this admission into trial, the government is going to claim he was lying about knowing there was continuity between UPAS and Kronos in a way to deny any more recent involvement, even though they’re on the record (though Dan Cowhig’s statements to the court) that he had admitted that.

Which further suggests the evidence they have that he actually coded Kronos itself isn’t that strong, and need to rely on code that Hutchins coded when he was a minor to be able to blame this malware on him.

To Pre-empt an Ass-Handing, the Government Lards on Problematic New Charges against MalwareTech

When last we checked in on the MalwareTech (Marcus Hutchins) case, both FBI agents involved in his arrest had shown different kinds of unreliability on the stand and in their written assertions, and Hutchins’ defense had raised a slew of legal challenges that, together, showed the government stretching to use wiretapping and CFAA statutes to encompass writing code so as to include Hutchins in the charges. It looked like the magistrate in the case, Nancy Joseph, might start throwing out some of the government’s more expansive legal theories.

That is, it looked like the government’s ill-advised decision to prosecute Hutchins in the first place might be mercifully put out of its misery with some kind of dismissal.

But the government, which refuses to cut its losses on its own prosecutorial misjudgments, just doubled down with a 10-count superseding indictment. Effectively, the superseding creates new counts, first of all, by charging Hutchins for stuff that 1) is outside a five year statute of limitations and 2) he did when he was a minor (that is, stuff that shouldn’t be legally charged at all), and then adding a wire fraud conspiracy and false statements charge to try to bypass all the defects in the original indictment. [See update below — I actually think what they’re doing is even crazier and more dangerous.]

The false statements charge is the best of all, because for it to be true a Nevada prosecutor would have to be named as Hutchins’ co-conspirator, because his representations in court last summer directly contradict the claims in this new indictment.

Wherein financial criminals VinnyK and Randy become bit players in criminal mastermind Marcus Hutchins’ drama

To understand how they’re doing this, first understand there are two criminals Hutchins is alleged to have had interactions with three-plus years ago:

  • VinnyK (Individual A), a guy who sold a UPAS kit on July 3, 2012, days after Hutchins turned 18, and then on June 11, 2015, sold Kronos, a piece of malware with no known US victims. Altogether VinnyK made $3,500 for the two sales of malware alleged in this indictment. When this whole thing started, the government charged Hutchins mostly if not entirely to coerce him to provide information on VinnyK (information which he said in a chat in the government’s possession he doesn’t have). He’s the guy they’re supposed to be after, but now they’re after Hutchins exclusively.
  • “Randy” (Individual B), an actual criminal “involved in the various cyber-based criminal enterprises including the unauthorized access of point-of-sale systems and the unauthorized access of ATMs.” At some point, in an attempt to limit or avoid his own criminal exposure, Randy implicated Hutchins.

With this superseding indictment, the government has turned these two criminals into the bit players in a scheme in which Hutchins is now the targeted criminal.

Interestingly, unlike in the original indictment, VinnyK is not charged in this superseding indictment. I’m not sure what that means — whether the government has decided they like him now, they’ll never get him extradited and he won’t show up at DefCon because he’s learned Hutchins’ lesson, or maybe even they’ve gotten him to flip in a bid to avoid embarrassment with Hutchins. So there’s one guy the government admits is a criminal — Randy — and another guy they believed was a serious enough criminal they had to arrest the guy who saved the world from WannaCry to help find, VinnyK. Neither is charged in this indictment. Hutchins is.

Conspiracy to violate minors outside the statute of limitations

As I said, one way the government gets from 6 to 10 counts is by identifying a second piece of software — allegedly written by Hutchins — that VinnyK sold, so as to charge the same legally suspect crimes twice.

This is a comparison of the old versus new indictment.

As I understand it (though the indictment is damned vague on this point) the additional wiretapping and CFAA charges come from a second piece of software.

Here’s what that second alleged crime looks like:

a. Defendant MARCUS HUTCHINS developed UPAS Kit and provided it to [VinnyK], who was using alias “Aurora123” at the time.

b. On or about July 3, 2012, [VinnyK], sold and distributed UPAS Kit to an individual located in the Eastern District of Wisconsin in exchange for $1,500 in digital currency.

c. On or about July 20, 2012, [VinnyK], distributed an updated version of UPAS Kit to an individual in the Eastern District of Wisconsin.

First of all, notice how Hutchins’ activities in this second crime aren’t listed with any date? Wikipedia says Hutchins was born in June 1994 and I’ve confirmed that was when he was born. Which means either he coded UPAS Kit in a few weeks or less, or the actions he’s accused of here happened when he was a minor.

Now look at your calendar. July 2012 was 6 years ago, so outside a 5  year statute of limitations; for some reason the government didn’t even try to include the July 20, 2012 action when they first charged this last year. One way or another, the SOL has tolled on these actions.

The time periods for this new alleged crime, though, is listed as July 2014 to August 2014. Except all new actions listed in that time period are tied to Kronos, not UPAS. In other words, unless I’m missing something, the government has tried to confuse the jury by charging Kronos twice, all while introducing UPAS, which is both tolled and on which Hutchins’ alleged role occurred while he was a minor.

[See update below,]

Criminalizing malware research

The effort against Hutchins always threatened to criminalize malware research. But the government (perhaps in an effort to substantiate a second crime associated with Kronos) has gone one step further with this claim:

On or about December 23, 2014, defendant MARCUS HUTCHINS hacked control panels associated with Phase Bot, malware HUTCHINS perceived to be competing with Kronos. In a chat with [Randy], HUTCHINS stated, “well we found exploit (sic) [sic] in this panel just hacked all his customers and posted it on my blog sucks that these [] idiots who cant (sic) [sic] code make money off this :|” HUTCHINS then published an article on his Malwaretech blog titled “Phase Bot — Exploiting C&C Panel” describing the vulnerability.

The government doesn’t explain this (and I guarantee you they didn’t explain this to the grand jury — I mean they put the word “hacked” right there so it must be EVIL), but they’re claiming this article talking about how to thwart Phase Bot malware via vulnerabilities in its command and control module — that is, a post about how to defeat malware!!!! — is really a devious plot to undercut the competition.

Again, the original indictment was dangerous enough. But now the government is claiming that if you write about how to thwart malware, you might be doing it for criminal purposes.

Charging the other bad guys with wire fraud conspiracy

As a reminder, the charges in the original indictment (which remain largely intact here) were problematic because selling Kronos fit neither the definition of wiretapping nor CFAA (the latter because it doesn’t damage computers). In an apparent attempt to get out of that problem (though not the venue one, which best as I can tell remains a glaring problem here), they’ve added a conspiracy to commit wire fraud, arguing that Hutchins “knowingly conspired and agreed with [VinnyK] and others unknown to the Grand Jury, to devise and participate in a scheme to defraud and obtain money by means of false and fraudulent pretenses and transmit by wire in interstate and foreign commerce any writing, signs, and signals for the purpose of executing the scheme.”

I’ll let the lawyers explain whether this charge will hold up better than the wiretapping and CFAA ones. But at least as alleged, all VinnyK has ever done (even assuming Hutchins can be shown to have agreed with this) is to sell Kronos to an FBI agent in Wisconsin.

The only one in this entire indictment described as actually making money off using Kronos is Randy, the guy the US government isn’t prosecuting because he narced out Hutchins. Meaning the guy with whom Hutchins would most credibly be claimed to have conspired to commit wire fraud is the one guy not mentioned in the charge.

But for some reason the government decided the just thing to do when faced with these facts was charge only the guy who saved the world from WannaCry.

Charging false statements after both FBI agents have been shown to be unreliable

Which brings us, finally, to what is probably the point of this superseding indictment, the government’s effort to salvage their authority. They’ve charged Hutchins with lying to the FBI about knowing that his code was part of Kronos.

On August 2, 2017, the Federal Bureau of Investigation was conducting an investigation related to Kronos, which was a matter within the jurisdiction of the Federal Bureau of Investigation.

On or about August 2, 2017, in the state of Eastern District of Wisconsin and elsewhere,

[Hutchins]

knowingly and willfully made a materially false, fictitious, and fraudulent statement and represented in a matter within the jurisdiction of the Federal Bureau of Investigation when he stated in sum and substance that he did not know his computer code was part of Kronos until he reverse engineered the malware sometime in 2016, when in truth and fact, as HUTCHINS then knew, this statement was false because as early as November 2014, HUTCHINS made multiple statements to Individual B in which HUTCHINS acknowledged his role in developing Kronos and his partnership with Individual A.

Whoo boy.

First of all, as I’ve noted, one agent Hutchins allegedly lied to had repeatedly tweaked his Miranda form, without noting that she did that well after he signed the form. The other one appears to have claimed on the stand that he explained to Hutchins what he had been charged with, when the transcript of Hutchins’ interrogation shows the very same agent admitting he hadn’t explained that until an hour later.

So the government is planning on putting one or two FBI agents who have both made inaccurate statements — arguably even lied — to try to put Hutchins in a cage for lying. And they’re claiming that they were “conducting an investigation related to Kronos,” which is 1) what they didn’t tell Hutchins until over an hour after his interview started and 2) what they had already charged him for by the time of the interview.

Oh wait! It gets better. See how they describe that Hutchins lied in Wisconsin?

The interrogation happened in Las Vegas, which last I checked was not anywhere near Eastern District of Wisconsin. I mean, I’m sure there’s a way to finesse these things wit that “and elsewhere” language, but this indictment simply asserts that an interrogation room in the Las Vegas airport was in Milwaukee.

And there’s more!!!

On top of the fact that one or another agent who themselves have credibility problems would have to go on the stand to accuse Hutchins of lying, and on top of the fact that they say this thing that happened in Las Vegas didn’t stay in Las Vegas but was actually in Milwaukee, there’s the fact that AUSA Dan Cowhig, on August 4, 2017, in a bid to deny Hutchins bail, represented to a judge that,

In his interview following his arrest, Mr. Hutchins admitted that he was the author of the code that became the Kronos malware and admitted that he sold that code to another.

We don’t have the full transcript of Hutchins’ interrogation yet (parts released by the defense show him admitting to underlying code, which may be what this UPAS stuff is about, though denying Kronos itself). But for it to be true that Hutchins lied about knowing that “his computer code was part of Kronos until he reverse engineered the malware,” then Cowhig would have had to be lying last year.

So to sum up: the government’s bid to save face, on top of some jimmying with dates and using Randy to accuse Hutchins of something that Randy is far more guilty of, is to put two agents who have real credibility problems on the stand to argue that their colleague in Nevada, which apparently spends its summers in Wisconsin, lied last year when he claimed that Marcus admitted “he was the author of the code that became the Kronos malware.”

Update: It has been suggested those 2012 UPAS Kit actions got included because they are part of the conspiracy, which is how they get beyond tolling (though not Hutchins’ age). If the government is arguing that UPAS is the underlying code that Hutchins contributed to Kronos, then that might make sense. Except that then the false statements charge becomes even more ridiculous, because we know that Hutchins admitted to that bit.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

Also note, at least according to Hutchins’ jail call to his boss, GCHQ vetted this earlier activity and found it to be unproblematic.

Update: On fourth read (this indictment makes no sense), I think the new charges are not the 2012 sales, but a vague crime based on the marketing, but no sale, of malware in 2014. In other words, they’re accusing Hutchins of wiretapping and CFAA crimes because someone else posted a YouTube. Note, the YouTube in question has already been litigated, as the government is trying hard to get venue because of that — because YouTube is based in the US.

This is such an unbelievably dangerous argument; it’s a real testament to the sheer arrogance of this prosecution at this point, that they’ll stop at nothing to avoid the embarrassment of admitting how badly they fucked up.

The Government Refuses to Name FBI Agent Accused of Deceit in MalwareTech Case

Here’s the basic argument that Marcus Hutchins’ (AKA MalwareTech) lawyers are making in an effort to get his post-arrest interview suppressed.

[D]espite Mr. Hutchins’ multiple direct questions to the FBI agents who arrested him about the nature of his circumstance (e.g., “Can you please tell me what this is about?,” asked at the outset of the interrogation) and notwithstanding his frequent expressions of uncertainty about the agents’ focus of inquiry, the agents intentionally concealed from him the true and pertinent nature of his then-existing reality (e.g., “We’re going to get to it,” then somewhat revealing things 75 minutes later). Under these circumstances, bolstered by his known-to-the-agents exhaustion and status as a foreigner (among other things), Mr. Hutchins “full awareness of both the nature of the right being abandoned and the consequences of the decision to abandon it” was fatally compromised.

For its part, the government largely dodges the question of whether the agents misled (or refused to inform) Hutchins why he was being questioned, arguing (incorrectly — deception is mentioned twice in the first motion) that Hutchins didn’t raise deceit until after learning more details about the process, and focusing on the law in isolation from the facts. Ultimately, though, they argue that the substance of the crimes of which Hutchins was accused doesn’t matter because he knew he was arrested. To substantiate that, they present claims that go to the heart of the deceit question — the circumstances surrounding Special Agent Lee Chartier informing Hutchins that he had been indicted in Wisconsin.

Like the defendant in Serlin, Hutchins was aware of the nature of the FBI inquiry. Hutchins knew that the FBI’s interview on August 2, 2017, related to a criminal inquiry because Hutchins was handcuffed with his hands placed behind his back and told that he was under arrest based on federal arrest warrant. Doc. #82 at 20. And as if that was not enough, the questions posed to Hutchins, like the questions in Serlin, “would have alerted even the most unsuspecting [individual] that he was the . . . focus of the [criminal inquiry].”

[snip]

Unlike the defendant in Giddins, Hutchins was never misled about the criminal nature of the FBI investigation. There is no dispute that Hutchins was placed in handcuffs and told he was under arrest based on an arrest warrant issued from the Eastern District of Wisconsin, and that before any questioning, Hutchin was advised of his rights and waived those rights.

On that bolded bit, there very much is a dispute. Tellingly, the government never once mentions the name of the agent, Lee Chartier, who claims to have done this, the same agent that Hutchins accuses of deceit. That’s interesting, not least, because even after the agents “colluded” (curse you for using that term, Hutchins’ legal team!!!) about their story, whether and how Chartier informed Hutchins of his indictment while he had Hutchins in a stairwell is one of the matters on which their sworn testimony differed.

At the outset, it is very important for the Court to remember the agents’ pre-hearing collusion. As Agent Butcher revealed, she and Agent Chartier got together to “mak[e] sure that we were on – you know, that our facts were the same.” (Id. 112:4-5.) Their synchronization of their testimony calls into question their entire characterization of events, and any benefit of any doubt the Court has regarding what happened should accrue to Mr. Hutchins’ favor.

[snip]

Agent Chartier testified that he revealed he was with the FBI and told Mr. Hutchins that he was under arrest pursuant to a federal arrest warrant just after Mr. Hutchins had been detained, when he and the customs officers took Mr. Hutchins from the lounge to a stairwell. (Hearing Tr. 19:8-23.) By his own admission, however, Agent Chartier did not explain the charges or what was going on, despite Mr. Hutchins’ numerous questions in the hallway. (Id. at 19:25- 20:4; 58:25-59:1.)4

In addition, Agent Chartier claimed that after he escorted Mr. Hutchins to the (pre-arranged) interrogation room, he and Agent Butcher again advised Mr. Hutchins that he was under arrest pursuant to a federal arrest warrant. (Id. 20:25-21:1.) Notably, they did not explain anything else. Agent Chartier acknowledged that Mr. Hutchins was not told that the arrest warrant flowed from an indictment, much less that the indictment charged six felony offenses stemming from the development and sale of Kronos. (Id. 56:22-24.)

Further, although the agents tried to coordinate their testimony, Agent Butcher’s testimony about these meaningful events was quite different from Agent Chartier’s. She did not testify that he (Agent Chartier) advised Mr. Hutchins that he was under arrest pursuant to a federal arrest warrant. Only Agent Chartier makes this claim, one that is undermined by Agent Butcher and otherwise lacks any support in the record. [my emphasis]

There’s actually a very good reason why Butcher didn’t describe Chartier doing this. He did so, if he did, in the stairwell; Butcher wouldn’t have been a witness.

Ordinarily, an FBI agent would get the benefit of the doubt on this point, but for two reasons, the public records suggests they shouldn’t in this case.

First, the time that Jamie Butcher estimated Hutchins was given his Miranda warning, 1:18PM, would only allow for a minute to transpire between the time Hutchins exited the airport lounge and his interview started post-waiver.

Despite the fact that Mr. Hutchins was escorted out of the lounge at 1:17 p.m. and the audio recording started at approximately 1:18 p.m. (see Exhibits 14 and 9), Agent Chartier claimed that he read Mr. Hutchins the Advice of Rights form (Exhibit 9) and Mr. Hutchins read and signed it. (Hearing Tr. 24:25-25:6.)

Further, as an excerpt from the transcript reveals, Butcher told Chartier he (the more experienced agent on questioning witnesses of the two) was all over the place just minutes after he would have given such a warning.

5:05-5:22

Chartier: Okay. And I don’t know if we did this in the beginning. Sorry, my brain is like—

Butcher: You’re like a mile a minute. Go ahead.

Chartier: Did you—did we have a passport for you? I didn’t have—we didn’t take one off of you. Did you have a passport.

Hutchins: It’s in the bag.

Chartier: It’s in your bag? Okay. All right. Well just for the record, could you go ahead and state your full name and then give your date of birth?

Again, this would have happened just minutes after Chartier would have given Hutchins his Miranda warning. Whatever the verdict on Hutchins’ competence to waive his rights, it does raise questions about the carefulness of the warning that Chartier gave.

Ultimately, both these motions have the feeling of rushed filings, with some errors and imprecisions. Ultimately, the judge is likely to rule against Hutchins here (though it will form important background as she considers much more substantial challenges to the charges against him). As I’ve said, though, the entire process has undermined both agents’ credibility if this ever goes to trial.

Hutchins’ motion is also interesting for the evidence it gives that this was still ultimately about getting Hutchins to cooperate against people the government was certain he was still communicating with, something I’ve been maintaining from the start.

Chartier: And what was the name of that?

Hutchins: Oh, fuck. I really can’t remember. No, I’m drawing a blank. I mean, like, I actually sell the code. I sell it to people and then they do what the fuck they want with it.

Chartier: I understand, I understand, I understand. But you see why we’re here?

Hutchins: Yep. I can definitely see.

Chartier: I mean, you know, Marcus, I’ll be honest with you. You’re in a fair bit of trouble.

Hutchins: Mmm-hmm.

Chartier: So I think it’s important that you try to give us the best picture, and if you tell me you haven’t talked to these guys for months, you know, you can’t really help yourself out of this hole. Does that make sense?

Hutchins: Yeah.

Chartier: Now, I’m not trying to tell you to do something you’re not doing, but I know you’re more active than you’re letting on, too. Okay?

Hutchins: I’m really not. I have ceased all criminal activity involving–

Chartier: Yeah, but you still have access and information about these guys.

Hutchins: What do you mean? Like, give me a name and I’ll tell you what I know about that.

This is what the entire case is about: the government used a trumped up claim of really attenuated criminal liability to try to get Hutchins to provide information on “these guys.” And they didn’t decide to do so until after Hutchins came back to their attention after he saved the world from WannaCry.

If this ever goes to trial, that should be the central issue. And going forward, too, that should be the central issue: that the government got itself into a very deep hole on a legally deficient claim because they did a back door search on the guy who saved the world and decided arresting him was the best way to coerce his cooperation moving forward.

But I’m still betting this doesn’t go to trial.

The He Said, She Said That May Render MalwareTech’s Arresting Agents Useless on the Stand at Trial

Back when Marcus Hutchins (MalwareTech) moved to suppress the statements he made in his first custodial interview after his arrest, I suggested the challenge itself was unlikely to succeed, but that it would “serve as groundwork for a significant attempt to discredit Hutchin’s incriminatory statements at trial.”

While I still generally think the effort is unlikely to succeed (though it may never come to that, as I lay out below), an evidentiary hearing on the issue yesterday may have rendered both his arresting agents largely useless for testimony at trial.

As a reminder, Hutchins originally challenged his statements because:

  • As a Brit, he couldn’t be expected to understand that US Miranda works in the opposite way as British Miranda does without specific explanation
  • He waived his Miranda rights after being arrested after over a week of partying at DefCon, and was exhausted and possibly high
  • The FBI’s own records were sketchy; they hadn’t recorded that he had been asked if he was drunk (but not high) until over four months after his arrest (yesterday we learned that 302 was dated December 8 or 9)

Then, just before the originally scheduled evidentiary hearing on April 19, the government told Hutchins that the multiple crossed out times on his waiver had not been corrected until at least five days after his arrest, something the FBI agent in question, Jamie Butcher, didn’t formally explain anywhere.

Hutchins lawyers got a continuance to understand the implications of that; yesterday was the rescheduled opportunity to grill the FBI agents about when he was really Mirandized.

From the get-go, Hutchins attorney Brian Klein set a contentious tone for the hearing by suggesting at the outset that they might need to call one or the other of the prosecutors to testify to impeach the agents, something that almost never happens (for mostly good reasons). After some preliminaries in which judge Nancy Joseph laid out how she’d be assessing the issues, first Lee Chartier and then Butcher took the stand to explain how the post-arrest interview and subsequent paperwork had gone down.

Chartier, almost a sterotypical-looking FBI agent — tall and white, beefy, with a goatee — had the more experience of the two: he’s been working cyber since 2011 and in 2016 Jim Comey gave him the Director’s Medal of Excellence for being one of the top performing cyber agents. Still, he testified he had only done around 50 interviews, of which 20 were custodial interviews, over those years. Butcher, a short white woman, has been at FBI nine years, moving from an admin position to a staff operations specialist to her current cyber special agent position, where she’s been for three years. When prosecutor Benjamin Proctor walked her through her background, he didn’t ask how many interviews, custodial or no, she had done, which given Chartier’s surprisingly low number, probably means she’s done very few interviews, particularly custodial ones. When Proctor asked about her involvement in this case, he described it as “becom[ing] involved in the investigation that resulted in arrest of Marcus Hutchins,” which suggests a curious agency behind the investigation.

Between them, the agents described how they flew out to Vegas the night before the arrest. Surveilling agents tracked Hutchins as he went to the airport and got through TSA then sat down at a first class lounge. As soon as Hutchins ordered a drink that turned out to be Coke but that the agents worried might be booze, Chartier, wearing business casual civvies, and two CBP agents wearing official jackets pulled Hutchins away from the lounge, placed him under arrest and cuffed him in a stairwell inside the secure area, and walked him to a CBP interview room, where Chartier and Butcher Mirandized him, then interrogated him for 90 to 100 minutes.

Even in telling that story, Chartier and Butcher’s stories conflicted in ways that are significant for determining when Hutchins was Mirandized. He said it took “seconds” to get into the stairwell and then to the interview room. She noted that the “Airport is rather large. Would have taken awhile.” to walk from place to place (it was 36 minutes between the time Hutchins cleared TSA, walked to the lounge, ordered a Coke, and the time Chartier first approached Hutchins). There seems to be a discrepancy on how many CBP agents were where when (that is, whether one or two accompanied Chartier and Hutchins all the way to to the interrogation room). Those discrepancies remained in spite of the fact that, as Butcher admitted, they had spoken, “Generally, about the interview, and Miranda, and making sure that we were on, that our facts were the same.”

Chartier described that the CBP recording equipment in the room “wasn’t functional that day,” which is why they relied on Butcher pressing a record button herself, which she didn’t do until (she said) Chartier started asking “substantive” questions, but after the Miranda warning.

It sounds like Chartier did most of the questioning and the dick-wagging, even though Butcher was the lead agent. He offered up the term “Liquid Courage” to describe Hutchins’ description of having to drink to network. He gave Hutchins a list of 80 online monikers, of which Hutchins recognized a handful; “Vinny,” who has shown up in public reporting on Hutchins’ background, was apparently one of those, so he may actually be the co-defendant after all (or the informant the government is hiding). Chartier had Hutchins review a string of code; Hutchins only recognized that it listed Kronos (which is the first he figured out that’s what the interview was about, and which is what the FBI claim he inculpated himself as the coder of Kronos is based off).

Chartier’s more dominant role in the questioning is interesting given the dynamic yesterday. Butcher, who was questioned second, seemed to know her multiple fuck-ups on the basic parts of this interview (failing to note the Miranda time, starting the recording late, offering unconvincing claims about what she did when she realized she had entered the time wrong on the consent form) make her an FBI short-timer. I’d honestly be surprised if she were still at FBI by the time this goes to trial, if it does. At times, she seemed not to recognize the dangers of the answers she was giving. Chartier, on the other hand, has his Director’s award career to protect, and perhaps for that reason was openly hostile and seemed ready to throw Butcher under the bus for the fuck-ups that had gotten him sucked in.

Except it was Chartier’s responses that seemed to reflect deceit, and it was Chartier that Brian Klein accused of lying. Chartier seemed to be aware that he had to ensure three details:

  • That he explained to Marcus the circumstances of his arrest, which allegedly happened in the stairwell (I think it shows up in the 302, which Butcher wrote, but she wouldn’t have witnessed it. Also, her response to the judge on how she reconstructed the time of the waiver hinted that there are other sources of time stamps she doesn’t want to reveal — I bet there is surveillance footage from the stairwell).
  • That WannaCry only came up at the end.
  • That Hutchins should have known the interview was about Kronos.

Except even the prosecution made clear that’s not what happened. Prosecutor Michael Chmelar described how Hutchins first realized the case was about Kronos when he was shown the code.

Do you recall certain point Hutchins asked if case was about Kronos, looking for developer. What did you respond. I said I don’t think we’re looking anymore. Our belief that Mr Hutchins was developer of Kronos.

Note, I suspect the full 302 will also show that Chartier had absolutely no reason to make this claim, which is probably why within days of Hutchins’ arrest it became clear the FBI had way oversold their proof from this interview that Hutchins had admitted to contributing to Kronos.

Also at issue is when Hutchins first got to see the arrest warrant, something that Chartier’s testimony appears dodgy on. More importantly, Chartier’s testimony did make it clear Hutchins started asking immediately what the arrest was about, and 30 seconds after the recording started (therefore, after he had just signed the waiver) he asked again. Except it wasn’t until an hour later that Chartier explained that this stop wasn’t about WannaCry, as Klein laid out.

It’s not until 1 hour into the interview that they show him arrest warrant. Here’s what happens. Chartier. What you’ll hear him say, okay, well, here’s the arrest warrant, and just to be honest. If i’m being honest with you this has absolutely nothing to do with WannaCry.

Plus, the arrest warrant apparently did not lay out the charges in the indictment, instead listing “conspiracy to defraud the US” as the crime (good old ConFraudUs!) which is remarkable for reasons I may return to if and when the warrant is docketed.

Effectively, the government explains that the reason they didn’t arrest Hutchins until just before he boarded his plane is because they feared he’d dodge off, open a computer, and shut down the WannaCry sinkhole, re-releasing the global malware. (Yeah, that’s dumb.) Everything they did they did because of WannaCry.

But it wasn’t until an hour into their interrogation of Hutchins that they told him it wasn’t really about WannaCry.

Frankly, I don’t think this thing is going to trial. When Klein asked for more time, given what they discovered yesterday, before arguing the suppression motion, Joseph said she had all the other motions briefed and she wanted to decide them together. As I have laid out, the 5 motions work together, showing (for example) that the CFAA charge is improper, but also showing that the government refuses to point to any computers that were damaged by the Kronos malware Hutchins wrote.

If she’s thinking of all those motions together, then she’s seeing how, together, they show how pointless this prosecution is.

But if not — if this case actually does go to trial — either one of these FBI agents will be very easy to impeach on the stand.

Update: Fixed spelling of Chartier’s last name.

Update, 5/31: Turns out I had Chartier’s last name right the first time, and have now fixed this back.

Update: In talking to a physical surveillance expert who followed the hearing, the stairwell may actually be one place in the secure space that wouldn’t be on surveillance footage, with cameras instead capturing the entry and exit. If that’s right, it would mean the stairwell is all the more curious a place to have some of the key events in this arrest and interrogation go down. h/t DO

The FBI Has No Idea What Time MalwareTech Waived Miranda

Here’s the signature line of the FBI Agent who says that Marcus Hutchins waived his Miranda rights when he was arrested on August 2 of last year.

As I noted here, in addition to not memorializing that they asked him whether or not he was drunk (but not if he was high or exhausted) until four months after his arrest, the FBI wrote three different times down on his consent form, with the last being just a minute after he was arrested. In a new filing, Hutchins’ lawyers disclose that the Agent didn’t make those changes until a week after he was arrested — and didn’t note the delay on either the form or the 302 of the interview.

Hours before the scheduled April 19 evidentiary hearing, the government revealed to the defense for the first time how the handwritten times listed on the form came about. Since receiving the form from the government in discovery last fall, the defense had assumed that one of the agents had added the times contemporaneously with the interrogation. But that was not so. One of the two agents who interrogated Mr. Hutchins, Agent Butcher, disclosed to the prosecutors that:

The header information on the advice of rights form was entered after the interview. [She] realized the time she entered on the form was incorrect when she was drafting the 302 and attempted to reconstruct the time based on information available to her.

Agent Butcher wrote that 302, which is the FBI’s official report of the interrogation, five days after the interrogation, when she was presumably back in Milwaukee. The agent did not note her alteration of the form in the 302 or anywhere else.

It almost seems like the Agent was just as confused, possibly regarding the two hour time zone change from Wisconsin, as Hutchins was.

Hutchins’ lawyers want the form thrown out and the FBI’s claim that he was warned to be treated with a negative inference.

Evidence crucial to determining whether law enforcement honored Mr. Hutchins’ constitutional rights in connection with custodial interrogation is spoiled, at law enforcement’s hands. The form, as it existed whenever Mr. Hutchins signed it, apparently no longer exists. In its place is an altered version, and the government should not be permitted to introduce and rely on altered evidence in defending against Mr. Hutchins’ suppression motion.

[snip]

And the Court should also draw from the circumstance an inference adverse to the government’s position that Mr. Hutchins was warned of and waived his constitutional rights before making a post-arrest statement.

Hutchins team also suggests — though doesn’t explain — that the Agents deceived Hutchins as to why they they were interviewing him or that he was under arrest or what waiving Miranda entails.

Deception, as an independent basis for suppression, requires that the defense produce clear and convincing evidence that the agents affirmatively mislead the defendant as to the true nature of their investigation, and that the deception was material to the decision to talk. United States v. Serlin, 707 F.2d 953, 956 (7th Cir. 1983). Importantly, as the Seventh Circuit explained:

Simple failure to inform defendant that he was the subject of the investigation, or that the investigation was criminal in nature, does not amount to affirmative deceit unless defendant inquired about the nature of the investigation and the agents’ failure to respond was intended to mislead.

Id. (emphasis added).

They haven’t explained this, but perhaps it will come out on the stand when the Agent testifies next week.

There’s one more fuck-up revealed in this motion.

The government wants to use two calls Hutchins made to his boss from jail, in which he apparently discussed the issues he did in the interrogation, as proof that he was willing to discuss those issues. Whether that helps their case or not, apparently the transcript the government made of those calls has some discrepancies with the actual recording.

The calls were audio-recorded and the government has disclosed those recordings, along with draft transcripts reflecting what was said. The defense’s review of the draft transcripts reveals minor discrepancies between the transcripts and the actual conversations. If, over Mr. Hutchins’ objection, the Court chooses to consider the calls, that consideration should be based on listening to the actual calls, not just reviewing the transcripts.

The defense wants to prevent the government from using the calls (because they were made hours after his arrest and can’t really reflect on his state of mind), as well.

Recording the time you gave someone their Miranda warning is pretty basic stuff. Noting that you screwed that up is also pretty basic stuff.

None of that happened properly. Normally, it’s really hard to get interrogations thrown out. But the fuck-ups pertaining to this one keep mounting.

After Reiterating Orin Kerr’s Arguments, MalwareTech Asks for the Indictment to be Dismissed with Prejudice

In a post explaining that MalwareTech (Marcus Hutchins) had gotten a last minute continuance before an evidentiary hearing last month, I linked to my thread on the government’s weak responses to a bunch of motions he had submitted. Here’s how I described the original motions:

The five filings are:

  1. motion for a bill of particulars, basically demanding that the government reveal what 10 computers Hutchins and his alleged co-conspirator conspired and intended to damage
  2. motion to suppress the statements Hutchins made after he was arrested, requesting an evidentiary hearing, based on the fact that Hutchins was high and exhausted and didn’t know US law about Miranda warnings
  3. motion to dismiss the indictment, arguing on three different grounds that,
    • The CFAA charges (one and six) don’t allege any intent to cause damage to a protected computer (because the malware in question steals data, but doesn’t damage affected computers)
    • The Wiretapping charges (two through five) don’t allege the use of a device as defined under the Wiretap Act, but instead show use of software
    • The sales-related charges (one, five, and six) conflate the sale of malware with the ultimate effect of it
  4. motion to dismiss the indictment for improper extraterritorial application and venue, effectively because this case should never have been charged in the US, much less Milwaukee
  5. motion to dismiss charges two and six based on suspected improper grand jury instruction failing to require intentionality

Yesterday, Hutchins submitted his replies to the government’s arguments, in which he argues:

1.The government needs to explain what kind of proof of damage to 10 computers that Hutchins and his co-defendant conspired to damage it will offer and provide discovery on it.

2. [Hutchins offered no new response to the government’s Miranda response]

4. Because the government didn’t include the legitimate (purchase by an FBI Agent of the malware) and specious (sharing a binary with someone in CA and discussing the malware in online forums) bases that tie Hutchins’ activities to Eastern District of Wisconsin or even the US in the indictment itself, the indictment is an improper extraterritorial application of the law and lack venues in EDWI.

5. Because the government doesn’t include intentionality where the statute requires it, it should dismiss the related counts with prejudice (note, this argument has evolved from a grand jury error to a more fundamental problem assault on the indictment).

While I’m not sure all of these will succeed on their own (indeed, I think the motion on venue with respect to CFAA might fail in the absence of the rest of this), these motions form an interlocking argument that there’s no there there.

Which the defense argues at most length is the motion reiterating that selling software does not amount to either CFAA (damaging 10 computers) or wiretapping (which requires a device), an argument Orin Kerr made just after the charges were released in August. I get the feeling the defense thought that, having had access to Kerr’s argument all these months, the government might have responded better. The two substantive parts of their argument are here, addressing the point that CFAA violations require doing (or attempting to do) actual damage to computers, not just code that has the ability to damage them.

[T]he government suggests that its characterization of Kronos as “malware” should satisfy the pleading standard, claiming that it is “common knowledge” that malware is “written with the intent of being disruptive or damaging.” (Gov’t Response at 4 (citing Oxford English Dictionary 2018).) But the CFAA does not make so-called malware illegal—it is not some form of contraband. In fact, the term “malware” does not appear anywhere in the statute. The CFAA is not concerned with what software is called, but what an actor uses it to do. Artificial labels aside, the question before the Court is whether the indictment adequately pleads a case that Mr. Hutchins and his co-defendant conspired or attempted to “knowingly cause[] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause damage without authorization, to a protected computer.” 18 U.S.C. §§ 371 & 1030(a)(5)(A).

The only definition of “malware” relevant to that question is one offered in the indictment. The indictment, at paragraph 3(d), defines “malware” as “malicious computer code installed on protected computers without authorization that allowed unauthorized access to the protected computer.” Nothing in this definition involves “intentionally caus[ing] damage without authorization, to a protected computer,” which is necessary to violate § 1030(a)(5)(A). The indictment’s “unauthorized access” language seems to be borrowed from other provisions of the CFAA that have not been charged in this case, such as §§ 1030(a)(2), (5)(B), and (5)(C)—all of which include additional elements beyond “unauthorized access.” Even if Kronos precisely meets the definition of “malware” offered by the government in the indictment, that functionality alone would not constitute a violation of § 1030(a)(5)(A) or any other provision of the CFAA.

There are, I think, cases where malware sellers have been convicted — but only after their customers were busted doing damage. Here, the only customer mentioned in the legal case thus far was an FBI Agent that no one has alleged actually used the malware (the malware was used in other countries, including Hutchins’ home in the UK, about which the government has been completely silent since the initial indictment).

Here’s the language arguing that software, sold without a computer, is not a device as defined in the wiretapping statute charged.

[T]hose cases all involved claims that the defendants acquired communications using software running on a computer. Under those circumstances, a court has no reason to draw a distinction between the two because the software and computer are working together: the operation of one depends on the other. Indeed, the cases cited by the government discuss computers and the software installed on them as one unit. See, e.g., Zang, 833 F.3d at 633 (“[O]nce installed on a computer, WebWatcher automatically acquires and transmits communications to servers”); Klumb, 884 F. Supp. 2d at 661 (“The point is that a program has been installed on the computer which will cause emails sent at some time in the future through the internet to be re-routed[.]”); see also Shefts, 2012 WL 4049484, **6-10 (variously referring to servers, email accounts, software, and BlackBerry smartphones as interception devices).

For purposes of the § 2512 charges in this case, however, the distinction between software and computer is important. In Counts Two through Four, there is no computer, which would not be true in any scenario involving an actual interception. As noted in Potter, software alone is incapable of intercepting anything. 2008 WL 2556723, at *8. “It must be installed in a device, such as a computer, to be able to do so.” protected computer,” which is necessary to violate § 1030(a)(5)(A).

In both cases, the defense is basically arguing that not only do Hutchins’ actions not meet the terms of the statute, but the indictment was also badly written in an unsuccessful attempt to make those statutes apply.

These are alleged crimes for which the government has refused to identify victims, provided none of the requisite evidence of intentionality, applied to software that doesn’t obviously qualify under either of the charged laws. Some of that is a problem with the indictment, as written. Much about this case suggests the government assumed Hutchins would plead quickly, obviating the need to write an indictment that could hold up to a trial. As I noted, in its response a few weeks ago, the government claimed (after threatening that it might) it was planning on obtaining a superseding indictment.

The government plans to seek a superseding indictment in this case, and in doing so will correct this drafting error and moot Hutchins’s argument.

Two weeks later, there’s still no sign of the indictment that fixes the aspects the government admits are flawed, much less the other scope issues. And so now Hutchins is asking for the indictment — all counts of it, between one challenge or another — be dismissed with prejudice.

I’m not sure that will happen — judges have proven the ability to interpret CFAA to include all manner of bad hacker stuff. But an outright dismissal might put the government out of the misery it brought on itself with a case it should never have charged.

 

Continuance in MalwareTech’s Case

I thought that while I was out traveling the continent last week, I’d miss a key hearing on Thursday in MalwareTech’s (Marcus Hutchins’) case. This thread lays out the government’s responses to his challenges to his indictment; the short version is, while the government would likely defeat his Miranda challenge, they still had to put their Agents on the stand for discovery. On the other issues, the government seems to have more serious problems (notably with trying him on charges for which there are no victims). So I thought it might be a really interesting hearing that would provide a glimpse of whether the judge thinks the government has a case.

That didn’t happen. After he and his lawyers got out to Milwaukee for the hearing, they asked for and got a one month continuance.

In light of new information, defendant requests a continuance of the evidentiary hearing. Parties agree to conduct evidentiary hearing on May 16, 2018 at 1:30 P.M.

So something’s up in his case, but it’s totally unclear what it is. All of the following are possibilities:

  • As noted, the government has been going back and forth about whether they’d get a superseding indictment. Last week they said they would. That’s probably the worst case scenario to explain the new information that would lead to a continuance: new charges that might pose a more serious risk.
  • In one of last week’s filings, the government revealed that he shared a binary with someone in CA (alleging, dangerously, that that amounts to wiretapping). That must be the informant the government has been trying to hide by calling a tipster. It may be the government provided information on this guy, and the defense wants a year to research him.
  • The government had finally found the dark web materials related to the sale of the malware. They may have provided that or more details on Hutchins’ alleged co-conspirator.
  • Defendants that the government might have have been trying to coerce Hutchins to share information on — most notably Peter Levashov, who was arrested for making Kelihos (which uses a successor to Kronos) — are now in US custody. That may change the status of his case somehow.
  • The government may finally realize that it’s got real problems with its case, and is finally offering a plea that better reflects the potential legal pitfalls of their case.

As I said, it could be any of these issues, or a combination of them. All we know is something’s up in his case, and we may not find out for another month.

The MalwareTech Poker Hand: Calling DOJ’s Bluff

With a full poker hand’s worth of filings on Friday, MalwareTech’s (AKA Marcus Hutchins) lawyers are finally revealing the main thrust of their defense. The five filings are:

  1. A motion for a bill of particulars, basically demanding that the government reveal what 10 computers Hutchins and his alleged co-conspirator conspired and intended to damage
  2. A motion to suppress the statements Hutchins made after he was arrested, requesting an evidentiary hearing, based on the fact that Hutchins was high and exhausted and didn’t know US law about Miranda warnings
  3. A motion to dismiss the indictment, arguing on three different grounds that,
    • The CFAA charges (one and six) don’t allege any intent to cause damage to a protected computer (because the malware in question steals data, but doesn’t damage affected computers)
    • The Wiretapping charges (two through five) don’t allege the use of a device as defined under the Wiretap Act, but instead show use of software
    • The sales-related charges (one, five, and six) conflate the sale of malware with the ultimate effect of it
  4. A motion to dismiss the indictment for improper extraterritorial application and venue, effectively because this case should never have been charged in the US, much less Milwaukee
  5. A motion to dismiss charges two and six based on suspected improper grand jury instruction failing to require intentionality

Effectively, these five motions (which are likely to meet with mixed success, but even where they’re likely to fail, will lay the groundwork for trial) work together to sustain an argument that Hutchins should never have been charged with these crimes in the US, and that FBI may have cheated a bit to get the incriminatory statements that might let them sustain the prosecution.

I laid out the general oddity of these charges here, and the background to the Miranda challenge and grand jury instructions here, here, and here.

Hutchins was high and tired, not drunk, for his one minute Miranda warning

While I don’t expect the Miranda challenge (item 2) to be effective on its face, I do expect it to serve as groundwork for a significant attempt to discredit Hutchin’s incriminatory statements at trial. This motion provides more detail about why his defense thinks it will be an effective tactic. It’s not just that Hutchins is a foreigner and couldn’t be expected to know how US Miranda works, or that the FBI only documented that they asked Hutchins if he had drinking alcohol four months after the arrest (as I laid out here). But as the motion notes, the FBI doesn’t claim to have asked whether he was exhausted or otherwise intoxicated.

According to an FBI memorandum, before “initiating a post arrest interview,” an agent asked Mr. Hutchins if he had been drinking that day, and he responded that he had not. That memorandum, written over four months after the arrest, then states that the agent asked Mr. Hutchins “if has [sic] in a good state of mind to speak to the FBI Hutchins agreed.” Mr. Hutchins did not understand it to be an inquiry as to whether he had used drugs or was exhausted.

The initial 302 of the interrogation records Hutchins telling the agents that he had been partying and not sleeping.

Mr. Hutchins discussed his partying while in Las Vegas, as well as his lack of sleep, during the interrogation.

The motion admits that he had been using drugs (of unspecified type) the night before.

As Mr. Hutchins sat in the airport lounge, he was not drinking, but he was exhausted from partying all week and staying up the night before until the wee hours. He had also used drugs.

Nevada legalized the recreational use of marijuana effective July 2017, so if he was still high during this interview, he might have been legally intoxicated under state (but not federal) law. And there’s not a lick of evidence that the FBI asked him about that.

After laying out that the FBI has no record of asking Hutchins whether he was sober (rather than just not drunk), the motion reveals that the FBI couldn’t decide at what time it gave Hutchins his Miranda warning.

An FBI Advice of Rights form sets forth Miranda warnings and reflects Mr. Hutchins’ signature. It is dated August 2, 2017, but the time it was completed includes two crossed out times, 11:08 a.m. and 2:08 p.m., and one uncrossed out time, 1:18 p.m. (which is one minute after the FBI log reflects Mr. Hutchins’ arrest, as noted above).

And as noted before, and reiterated here, the FBI didn’t record that part of his interview.

The motion notes that if the final, current record of the time of warning is correct, then the Miranda warning, including any discussion of how US law differs from British law, took place in the minute after he was whisked away from this gate.

Hutchins recently tweeted that he “slept the entire time I was in prison,” which while not accurate (he was neither in prison nor in real solitary), would otherwise corroborate the claim he was exhausted.

The government’s cobbled case on intentionality and computer law

Items 3 and 5, arguing the law is inappropriately applied and specifically not instructed correctly with regards to two charges, work together to argue that the government has cobbled together charges against Hutchins via misapplying both CFAA and Wiretap law, and in turn using conspiracy charges and misstating requisite intentionality to be able to get at Hutchins.

As I’ve noted, Hutchins’ lawyers have been arguing for some time that the government may not have properly instructed the grand jury on the intentionality required under charges 2 and 6. At a hearing in February, Magistrate Nancy Joseph showed some sympathy to this argument (though is still reviewing whether the defense should get the grand jury instructions). As I noted in that post, whereas the government once claimed it would easily fix this problem by getting a superseding indictment (possibly larding on new charges), they seem to have lost their enthusiasm for doing so.

It’s the combination of the rest of the legal challenge that I find more interesting. The challenge will interact with recent innovations in charging other foreign hackers, especially a bunch of Russians that will make DOJ especially defensive of this challenge. But the motions all cite Seventh Circuit precedent closely, so I’m not sure whether that matters.

Ultimately, this motion makes roughly the same arguments that Orin Kerr made as soon as the indictment came out. As he introduced his more thorough explanation in August,

This raises an interesting legal question: Is it a crime to create and sell malware?

The indictment asserts that Hutchins created the malware and an unnamed co-conspirator took the lead in selling it. The indictment charges a slew of different crimes for that: (1) conspiracy to violate the Computer Fraud and Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices; (3) a count of wiretapping; and (4) a count of violating the Computer Fraud and Abuse Act through accomplice liability — basically, aiding and abetting a hacking crime.

Do the charges hold up? Just based on a first look at the case, my sense is that the government’s theory of the case is fairly aggressive. It will lead to some significant legal challenges. It’s hard to say, at this point, how those challenges will play out. The indictment is pretty bare-bones, and we don’t have all the facts or even what the government thinks are the facts. So while we can’t say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case. As always, we’ll have to stay tuned.

Kerr is not flaming hippie, so I assume that these arguments will be rather serious challenges for the government and I await the analysis of this challenge by more Fourth Amendment lawyers. But as he suggested back in August, Hutchins’ team may well be right that this indictment is an overreach.

DOJ still hasn’t explained why it charged Hutchins for a crime with no known US victims

While requests for Bill of Particulars (basically, a request for more details about what the government is claiming broke the law) are usually unsuccessful, this one does two interesting things. It asks the government for proof of damage, including proof of which ten computers got damaged.

Mr. Hutchins asks that the government be required to particularize the “damage” it intends to offer into evidence at trial in connection with the alleged violations of the Computer Fraud and Abuse Act by the two defendants. Mr. Hutchins also asks that the government be required to particularize the “10 or more protected computers” to which it contends the defendants conspired and attempted to cause “damage.”

Whether the motion itself is successful or not, demanding proof that ten computers were damaged helps support the challenge to the two CFAA charges based on whether stealing credentials amounts to damage. It also lays the groundwork for the motion made explicitly in item 4 — that Hutchins should never have been charged in the US, much less Wisconsin.

As I laid out in this piece, it appears likely that charges against Hutchins arose out of back door searches done as part of the investigation into who “MalwareTech” was after he sinkholed WannaCry. For whatever reason (probably because the government thought Hutchins could inform on someone, possibly related to either WannaCry itself or Kelihos), the government decided to cobble together a case against Hutchins consisting — by all appearances — entirely of incidental collection so as to coerce him into a plea deal. When he got a team of very good lawyers and then bail, that put a lot more pressure on the appropriateness of the charges in the first place.

So now, eight months after Hutchins was arrested, we’re finally getting to that question of why the US government decided to charge him for a crime that even DOJ didn’t claim had significant US victims.

The motion starts by noting that Hutchins didn’t do most of the acts alleged, his co-defendant Tran (whom the government has shown little urgency in extraditing) did. But even for Tran’s acts (basically marketing and selling the malware), there’s no affirmative tie made to Wisconsin.

As part of the purported conspiracy, the indictment alleges that Mr. Hutchins created the Kronos software, described as “a particular type of malware that recorded and exfiltrated user credentials and personal identifying information from protected computers.” (Id. ¶¶ 3(e), 4(a).) It also alleges that Mr. Hutchins and his co-defendant later updated Kronos. (Id. ¶ 4(d).)

All other alleged overt acts in furtherance of the purported conspiracy pertain solely to Mr. Hutchins’ co-defendant. Per the indictment, the codefendant (1) used a video posted to YouTube to demonstrate how Kronos worked, (2) advertised Kronos on internet forums, (3) sold a version of Kronos, and (4) offered crypting services for Kronos. (Id. ¶¶ 4(b), (c), (e), (f), (g).)

Aside from a bare allegation that each offense was committed “in the state and Eastern District of Wisconsin and elsewhere,” the indictment does not describe any connection to this District.

While the government has long suggested that the case is in EDWI because an FBI agent located there bought a copy of Kronos, the motion suggests Hutchins’ team hasn’t even seen good evidence of that yet.

Here, the indictment reflects that Mr. Hutchins was on foreign soil, and any acts he performed occurred there. There is no indication that damage was caused in the Eastern District of Wisconsin—or, indeed, that any damage occurred at all. At best, a buyer was present in this District. But the buyer would then need to use Kronos to cause damage in the District for venue to lie. Nothing [i]n the indictment supports that conclusion.

The charging of two foreigners is all the more problematic on the four wiretapping charges, given that (unlike CFAA), Congress did not mean to apply it to foreigners.

There is evidence that Congress intended the CFAA—the legal basis of Counts One and Six—to have extraterritorial application. The CFAA prohibits certain conduct with respect to “protected computers,” 18 U.S.C. § 1030(e)(2)(B), and the legislative history shows that Congress crafted the definition of that term with foreign-based attackers in mind. S. Rep. 104-357, at 4-5 (1996).

The Wiretap Act—at issue in Counts Two through Five—is different, though. That law does not reflect a clear congressional mandate that it should apply extraterritorially. Accordingly, courts have repeatedly found that it “has no extraterritorial force.” Huff v. Spaw, 794 F.3d 543, 547 (6th Cir. 2015) (quoting United States v. Peterson, 812 F.2d 486, 492 (9th Cir. 1987)).

There is a great deal of precedent to establish venue based on where a federal agent bought something. Indeed, the main AlphaBay case against Alexandre Cazes consisted of that (remember that Kronos was ultimately sold on AlphaBay). But that case was based on the illegal sale of drugs and ATM skimmers, not software, which given the challenge to the CFAA and Wiretapping application here, might make the EDWI purchase of Kronos insufficient to justify venue here.

I’m not sure whether this motion will succeed or not. But one way or another, given that the defense appears to have seen no real basis for venue here, this motion may serve as critical groundwork for what appears to be a justifiable argument that this case should never have been charged in the US.

I keep waiting for DOJ to give up this case in the face of having to argue that the guy who sinkholed WannaCry should be prosecuted because he refused to accept a plea deal on charges with no known US victims. But they’re probably too stubborn to do that.

Update: Corrected Joseph’s name. h/t GM.