Posts

In media res: the FBI’s WannaCry Attribution

I’ve been working through the complaint charging Park Jin Hyok with a slew of hacking attributed to the Lazarus group associated with North Korea. Reading it closely has led me to be even less convinced about the government’s attribution of the May 2017 WannaCry outbreak to North Korea. It’s going to take me a series of posts (and some chats with actual experts on this topic) to explain why. But for now, I want to point to a really suspect move the complaint makes.

The FBI’s proof that Park and Lazarus and North Korea did WannaCry consists, speaking very broadly, of proof that the first generation of the WannaCry malware shared some key elements with other attacks attributed to Lazarus, and then an argument that the subsequent two generations of WannaCry were done by the same people as the first one. While the argument consists of a range of evidence and this post vastly oversimplifies what the FBI presents, three key moves in it are:

  • The earlier generations of WannaCry are not known to be publicly available
  • Subjects using a known Lazarus IP address were researching how to exploit the Microsoft vulnerability in the weeks before the attack
  • Both WannaCry versions 1 and 2 cashed out Bitcoin in a similar way (which the complaint doesn’t describe)

For now, I’m just interested in that middle point, which the complaint describes this way:

221. On March 14, 2017, Microsoft released a patch for a Server Message Block (SMB) vulnerability that was identified as CVE-2017-0144 on its website, https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. Microsoft attempted to remedy the vulnerability by releasing patches to versions of Microsoft Windows operating systems that Microsoft supported at the time. Patches were not initially released for older versions of Windows that were no longer supported, such as Windows XP and Windows 8.

222. The next month, on April 15, 2017, an exploit that targeted the CVE-2017-0144 vulnerability (herein the “CVE-2017-0144 exploit”) was publicly released by a group calling itself the “Shadow Brokers.”

223. On April 18, 2017 and April 21, 2017, a senior security analyst at private cyber security company RiskSense, Inc. (“RiskSense”) posted research on that exploit on his website: https://zerosum0x0.blogspot.com.

224. On May 9, 2017, RiskSense released code on the website github.com with the stated purpose of allowing legal “white hat” penetration testers to test the CVE-2017-0144 exploit on unpatched systems. Essentially, RiskSense posted source code that its employees had reverse-engineered for the CVE-2017-0144 exploit, which cyber security researchers could then use to test vulnerabilities in client computer systems. I know based on my training and experience that penetration testers regularly seek to exploit vulnerabilities with their customers’ consent as a proof-of-concept to demonstrate how hackers could illegally access their customers’ systems.

225. On May 12, 2017, a ransomware attack called “WannaCry” (later identified as “WannaCry Version 2,” as discussed below) began affecting computers around the globe.

[snip]

242. Records that I have obtained show that the subjects of this investigation were monitoring the release of the CVE-2017-0144 exploit and the efforts by cyber researchers to develop the source code that was later packaged into WannaCry Version 2:

a. On numerous days between March 23 and May 12, 2017, a subject using North Korean IP Address #6 visited technet.microsoft.com, the general domain where Microsoft hosted specific webpages that provide information about Microsoft products, including information on Windows vulnerabilities (including CVE-2017-0144), although the exact URL or whether the information on this particular CVE was being accessed is not known.

b. On April 23, April 26, May 10, May 11, and May 12, 2017, a subject using North Korean IP Address #6 visited the blog website zerosum0x0.blogspot.com, where, on April 18, 2017 and 21, 2017, a RiskSense researcher had posted information about research into the CVE-2017-0144 exploit and progress on reverse-engineering the exploit; RiskSense subsequently released the exploit code on GitHub.com.

According to the in media res story told by the FBI, the following is the chronology:

March 14: Microsoft drops a vulnerability seemingly out of the blue without publicly calling attention to it

Starting on March 23: Someone using known Lazarus IP address #6 tracks Microsoft’s vulnerabilities reports (note, the FBI doesn’t mention whether this was typical behavior or unique for this period)

April 15: Shadow Brokers releases the Eternal Blue exploit

April 18 and 23: RiskSense releases a reverse engineered version of Eternal Blue

Starting on April 23 and leading up to May 12: Someone using that same known Lazarus IP #6 makes a series of visits to the RiskSense site that released an exploit reverse engineered off the Shadow Brokers release

May 12: A version of WannaCry spreads across the world using the RiskSense exploit

Of course, that’s not how things really happened. FBI neglects to mention that on January 8, Shadow Brokers offered to auction off files that NSA knew included the SMB exploit that Microsoft issued a patch for on March 14.

Along with that important gap in the narrative, the FBI Agent who wrote the affidavit behind this complaint, Nathan Shields, is awfully coy in describing Shadow Brokers simply as “a group calling itself the ‘Shadow Brokers.'” While the complaint remained sealed for three months, by June 8, 2018, when the affidavit was written, the FBI assuredly knew far more about Shadow Brokers than that it was a group with a spooky name.

As public proof, DOJ signed a plea agreement with Nghia Pho on November 29 of last year. Pho was reportedly the guy from whose home computer some of these same files were stolen. While the publicly released plea has no cooperation agreement, the plea included a sealed supplement, which given the repeated delays in sentencing, likely did include a cooperation agreement.

Pho is due to be sentenced next Tuesday. The sentencing memos in the case remain sealed, but it’s clear from the docket entry for Pho’s that he’s making a bid to be treated in the same way that David Petraeus and John Deutsch were — that is, to get a misdemeanor treatment and probation for bringing code word documents home to store in an unlocked desk drawer — which would be truly remarkable treatment for a guy who allegedly made NSA’s hacking tools available for theft.

And while it’s possible that FBI Agent Shields doesn’t know anything more about what the government knows about Shadow Brokers than that it has a spooky name, some of the folks who quoted in the dog-and-pony reveal of this complaint on September 6, not least Assistant Attorney General John Demers, do know whatever else the government knows about Shadow Brokers.

Including that the announcement of the sale of Eternal Blue on January 8 makes the searches on Microsoft’s site before the exploit was actually released on April 15 one of the most interesting details in this chronology. There are lots of possible explanations for the fact that someone was (as the FBI’s timeline suggests) searching Microsoft’s website for a vulnerability before the import of it became publicly known.

But when you add the January 8 Shadow Brokers post to the timeline, it makes culprits other than North Korea far more likely than the FBI affidavit makes out.

The MalwareTech Case Resets to Zero: A Dialogue Wherein the Government Repeats “YouTube” Over and Over

Yesterday, the government responded to Marcus Hutchins (MalwareTech)’s renewed challenges, submitted two weeks ago, to the superseding indictment the government used to replace its previous crappy-ass indictment and thereby set the motions process almost back to zero. Here’s my abbreviated summary of what Hutchins argues in the renewed motions, with the government response.

1) Motion for a Bill of Particulars with respect to CFAA charges

Hutchins: Name the 10 or more protected computers I allegedly damaged and the damage I did, because recording and exfiltrating data is not damaging a computer. Also, name the computers I allegedly tried to access without authorization.

Government: We’re going to revert to the outdated definition of malware the Seventh Circuit has already rejected to claim it is damage. Also, we’re going to pretend we used the word intent where you keep nagging us for not doing so.

2) Challenge to Seventh Count (CFAA)

Hutchins: You’ve rewritten the CFAA language, “[K]nowingly cause[] the transmission of a program, information and command, and as a result of such conduct, intentionally cause[] damage without authorization, to a protected computer[.],” but not included the intentionality language.

Government: Correct! We’ve simply replaced the word “intentionally” with “attempted,” so it’s all good.

[A]n attempt means to take a substantial step towards committing the offense, with the “intent to commit the offense.” (emphasis added) Because Count Seven is charged as an attempt to violate section 1030, including the word “intentionally” before “attempted” (which Hutchins believes to be necessary) would be unnecessary and redundant. See United States v. Rutherford, 54 F.3d 370, 373 (7th Cir. 1995) (stating attempts are intentional acts; and under common law, “an attempt includes the specific intent to commit an unlawful act”).

emptywheel: There are some cases where the government succeeded in convicting people of CFAA without the charged person causing the damage himself, but I’d have to look closer to see if this will fly under Seventh Circuit precedents.

3) Motion to dismiss the whole damn indictment

Hutchins: There was no damage in the damage charges, no wiretapping device in the wiretapping charges, nor did Marcus advertise any such device, and laying out how MalwareTech writes blog posts analyzing malware does not mean he advertised a wiretapping device.

The superseding indictment states that Mr. Hutchins “hacked control panels” associated with a so-called competing malware called Phase Bot and wrote a blog post about it. (First Superseding Indictment ¶ 4(h).) It does not appear that this allegation alone is the basis of any count, as Mr. Hutchins would presumably be charged with a direct—rather than inchoate—violation of § 1030(a)(2)(C) if that were the case. To the extent it is a basis for any count, however, the defense notes that analyzing malware is, in fact, what Mr. Hutchins does professionally. In total, Mr. Hutchins wrote a total of three lengthy blog posts to educate the public about Phase Bot’s structure and functionality. These blog posts were based on Mr. Hutchins’ analysis of Phase Bot installed on his own computers. Any attempt to punish or interfere with Mr. Hutchins’ lawful security research and publishing activities would, of course, violate his First Amendment rights.

Government: We’re going to define malware however we damn well please, even if we have to use a British dictionary rather than the American one the Seventh Circuit uses to throw a Brit in the pokey. Hell, we’re willing to play word games with four different reference books if we need to! But if you use a dictionary to argue the law means what the law says, then you’re cheating.

Therefore, the Court should resist Hutchins’s attempt to limit the scope of sections 2511 and 2512 based on a definition found in one online dictionary; or because “malware” or “spyware” or “software” is not specifically listed in the definition of “electronic, mechanical, or other device.” The reference to “any device or apparatus” is written broadly in order to capture changes in technology.

Also, because Hutchins’ co-conspirator showed a video of malware operating on a computer and both talked about malware operating on a computer in forums, that turns the malware into a device! Presto!

4) Motion to dismiss wiretapping because Congress never intended to charge foreigners with wiretapping and none of the rest of this happened in the United States

Hutchins: “A foreign defendant like Mr. Hutchins is not subject to the jurisdiction of the United States merely because someone else posted a video on the Internet.” And “to the extent that Mr. Hutchins and Individual B interacted while Individual B was purportedly in the United States, that circumstance cannot, as the first superseding indictment tries to do, subject Mr. Hutchins’ alleged dealings with Individual A to domestic prosecution.”

Government: So what if Congress didn’t intend wiretapping to apply extraterritorially? There’s a YouTube! Also, you’re being hypertechnical by arguing Congress’ intent in passing a law. Besides, that was so long ago!

[B]ecause the conduct charged in Counts Two and Three occurred in the U.S. there is no extraterritorial application of U.S. law to foreign conduct. This is true even if Hutchins and Individual A were abroad when the conduct occurred in the U.S.

Also, there’s a YouTube!

emptywheel: One interesting aspect of the government’s desperate attempt to claim the actions of two people outside of the US took place in the US is that the malware in question was sold on location obscuring sites, Darkode and AlphaBay. That doesn’t change that an officer in Easter (as the government calls it at least twice) District of WI bought the malware in WI. But it will do interesting things to the government’s claim that Hutchins and VinnyK “directed” such sales at the US. It all seems to come down to the YouTube.

5) Motion to compel the identity of Randy

Hutchins: In order to shore up your dodgy indictment, you’ve made Randy into an uncharged co-conspirator. Now you really have to give us his ID.

Government: Sure, sure, we’ve included Randy in overt acts to get around the fact that Randy, but not you, intended to steal data so we can argue you’re guilty. But that doesn’t change his role in the investigation. You’re just using a local rule against us. Plus, you were mean to Sabu once on Twitter so obviously you just want to call for reprisal against Randy.

emptywheel: As far as I know MalwareTech has not called for reprisal against me for cooperating with the government against a cybercriminal. Maybe he’s just opposed to cybercriminals blaming others for their own crimes, as Randy appears to have done?


More seriously, I’m going to pull out two more things.

First, here’s some language from the government response in 4 that pretty much sums up their argument.

Second, Hutchins misunderstands the nature of the charges in Count One and Seven and the government’s burden at trial. Conspiracy punishes an illegal agreement. United States v. Read, 658 F.2d 1225, 1240 (7th Cir. 1981) (describing liability for a conspiracy and mail fraud). And it is well established that under conspiracy law, the object of the conspiracy does not need to be achieved for liability to attach. United States v. Donner, 497 F.2d 184, 190 (7th Cir. 1974). Therefore, the government only needs to prove Hutchins conspired to damage computers, not the actual damage he intended.

The same is true for Count Seven. An attempt is a substantial step towards completing the crime with the intent to complete the crime. United States v. Sanchez, 615 F.3d 836, 843-44 (7th Cir. 2010). As with Count One, the government does not have a burden to prove damage; only an attempt to damage.

What the government has done has charged crimes that permit Hutchins to be held liable for criminal acts his co-conspirator maybe possibly intended, even though it’s not clear he had the same intent as his co-conspirator, even if neither had the intent to facilitate wiretapping or damage to computers (depending on what dictionary you use). I make light above, but this is a very powerful aspect of US law, and it shouldn’t be dismissed outright.

Finally, the only place either side addresses false statements (one of the two new charges that’s not just smearing old charges more thinly and using the part of CFAA they should have charged under in the first place, the other being wire fraud) is in argument 4. Hutchins says that because everything else is bunk there are not false statements that can be charged.

If the Court grants this motion as to Counts One Through Eight and Ten, it should also dismiss Count Nine. That count charges a violation of 18 U.S.C. § 1001 and flows from an allegedly false statement Mr. Hutchins made to law enforcement during a post-arrest interrogation focusing on the conduct charged in the broader indictment. Section 1001 is violated only when a false statement is made about a “matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States.” 18 U.S.C. § 1001(a). This motion asserts a lack of domestic jurisdiction over the alleged offenses such that any false statement made by Mr. Hutchins about those offenses is not subject to prosecution under § 1001.

The government (predictably) doesn’t agree. It says jurisdiction doesn’t matter, what matters is that the FBI was investigating.

In this case, the FBI was conducting a criminal investigation which falls within the meaning of “any matter” as used in 18 U.S.C. § 1001. United States v. Rogers, 466 U.S. 475, 476-484 (1984); see also 28 U.S.C. § 533; 28 C.F.R. § 0.85. Additionally, the term “jurisdiction” as used in section 1001 “merely differentiates the official, authorized functions of an agency or department from matters peripheral to the business of that body.” United States v. Rogers, 466 U.S. 475, 476- 484 (1984). Therefore, even if all the other counts of the superseding indictment were dismissed, Count Nine would survive. Hutchins’s motion should therefore be denied.

I fear this argument might well work: that because the FBI was investigating something mostly in a poorly executed attempt to strand Hutchins here so they could make him inform on others, he can be charged with false statements. That’s crazy. But that’s also the way false statements may work.

All of which is to say, a great deal of the government’s argument boils down to, “YouTube! Try this dictionary! YouTube! Or maybe this dictionary! YouTube!” But that doesn’t mean it won’t all work.

As the Summit Arrives, Keep in Mind that Putin Manages Trump with Carrots and Sticks

As I laid out last week, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

In my post revealing that I went to the FBI with information about someone who played a significant role in Russia’s attack on US elections, I revealed that the person sent me a text less than 15 hours after polls closed indicating Trump had ordered Mike Flynn to start working on Syrian issues.

Both Jared Kushner’s public statement and Mike Flynn’s anonymous confidant’s comments corroborate that Trump focused on Syria immediately after the election. I have taken from that that conceding to Russian plans to leave Bashar al-Assad in place is one of the payoffs Trump owed Putin for help winning the election.

For that reason, I want to look at the Shadow Brokers Don’t Forget Your  Base post, posted on April 9, 2017, just three days after Trump retaliated against Syria for a chemical weapons attack on civilians. It was the first post after Shadow Brokers had announced he was going away on January 12 (which, I now realize, was the day after the Seychelles meeting set up a back channel with Russia through Erik Prince). It preceded by days the Lost in Translation post, which released powerful NSA hacking tools that would lead directly to the WannaCry malware attack in May. And while the Don’t Forget Your Base post did release files, it was mostly about messaging.

That messaging included a bunch of things. Among other things (such as that Trump shouldn’t have fired Steve Bannon and should refocus on his racist domestic policies), the post argues that Trump should just own up to Russia helping Trump win the election.

Your Supporters:

  • Don’t care what is written in the NYT, Washington Post, or any newspaper, so just ignore it.
  • Don’t care if you swapped wives with Mr Putin, double down on it, “Putin is not just my firend he is my BFF”.
  • Don’t care if the election was hacked or rigged, celebrate it “so what if I did, what are you going to do about it”.

It talks about what the people who got Trump elected expect.

The peoples whose voted for you, voted against the Republican Party, the party that tried to destroying your character in the primaries. The peoples who voted for you, voted against the Democrat Party, the party that hates, mocks, and laughs at you. Without the support of the peoples who voted for you, what do you think will be happening to your Presidency? Without the support of the people who voted for you, do you think you’ll be still making America great again?

It claims that embracing Russian foreign policy will make America great.

TheShadowBrokers isn’t not fans of Russia or Putin but “The enemy of my enemy is my friend.” We recognize Americans’ having more in common with Russians than Chinese or Globalist or Socialist. Russia and Putin are nationalist and enemies of the Globalist, examples: NATO encroachment and Ukraine conflict. Therefore Russia and Putin are being best allies until the common enemies are defeated and America is great again.

And it argues (in a thoroughly muddled description of what happened) that Trump shouldn’t have bombed Syria.

Respectfully, what the fuck are you doing? TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning “your base”, “the movement”, and the peoples who getting you elected.

Good Evidence:

#1 — Goldman Sach (TheGlobalists) and Military Industrial Intelligence Complex (MIIC) cabinet
#2 — Backtracked on Obamacare
#3 — Attacked the Freedom Causcus (TheMovement)
#4 — Removed Bannon from the NSC
#5 — Increased U.S. involvement in a foreign war (Syria Strike)

[snip]

Because from theshadowbrokers seat is looking really bad. If you made deal(s) be telling the peoples about them, peoples is appreciating transparency. But what kind of deal can be resulting in chemical weapons used in Syria, Mr. Bannon’s removal from the NSC, US military strike on Syria, and successful vote for SCOTUS without change rules?

[snip]

Mr Trump, we getting it. You having special empathy for father whose daughter is killed. We know this is root cause for anti-illegal immigrant policy. Illegal immigrant shoot man’s daughter in San Francisco. Now is Syrian man daughter killed by chemical gas. We agree its needless tragedy. But tragedies happening everyday and wars endangers all the children not just Syrian.

There is, admittedly, a lot going on here, even ignoring that it sounds like a batshit insane rant.

But is also that case that Shadow Brokers had gone away in the transition period. And then shortly after Trump bombed Syria, he came back, and very quickly released tools he had threatened to release during the transition period. The release of those tools did significant damage to the NSA (and its relations with Microsoft and other US tech companies) and led directly to one of the most damaging malware attacks in history.

It is my opinion that Russia manages Trump with both carrots — in the form of election year assistance and promises of graft — and sticks — in this case, in the form of grave damage to US security and to innocent people around the world.

And Trump is poised to head into a meeting with Vladimir Putin on Monday — showing no embarrassment about the proof laid out yesterday that without Putin, Trump wouldn’t have won the election — to discuss (among other things) a deal on Syria.

Meanwhile, Trump’s own Director of National Intelligence, Dan Coats, says the lights are blinking red like they were in advance of 9/11.

Director of National Intelligence Dan Coats raised the alarm on growing cyberattack threats against the United States, saying the situation is at a “critical point” and coming out forcefully against Russia.

“The warning signs are there. The system is blinking. It is why I believe we are at a critical point,” Coats said, addressing the Hudson Institute in Washington, DC, on Friday.

“Today, the digital infrastructure that serves this country is literally under attack,” he said.
Coats compared the “warning signs” to those the United States faced ahead of the September 11 terrorist attacks.

Rather than doing the things to prepare for an attack, Trump has virtually stood down, firing his very competent cyber czar and providing no order to take more assertive steps to prepare for an attack.

This is why I came forward two weeks ago to talk about how quickly someone involved in the election attack learned of Trump’s policy shift on Syria. I believe Trump is cornered — has allowed himself to be cornered. And in spite of everything, Trump is prepared to go alone into a meeting on Monday with Vladimir Putin — the guy wielding both carrots and sticks against Trump — and make a deal.

Everyone is worried that Putin might release a pee tape. I think what Putin holds over Trump may be far more serious. And if something happens, know that there’s good reason to believe Trump brought it on the country himself, willingly.

What Seems to be Going on with MalwareTech’s New Charges

When I wrote this post on the superseding indictment against Marcus Hutchins (MalwareTech) I deferred assessment of the new charges — a differently charged CFAA, a wire fraud, and a false statements charge — until the lawyers weighed in. Last night, the two sides submitted a status report on the superseding indictment, and it’s clear that the government has fixed some glaring problems with its case. (Along the way the defense has argued they need to tweak all but one of the motions they had fully briefed, adding two months to this process, on top of the extra charges.)

By my read, the government has taken a detrimental ruling — that Hutchins will learn of the informant, Randy’s, identity at least a month before trial, if not before, as well as the fact that Hutchins did not, maybe could not, have admitted what they wanted to in his original interrogation but did admit to some other things, and used those setbacks to fix a number of problems with their case.

By my read (not a lawyer, not a judge, looking at just scraps of evidence), the original indictment against Hutchins was drawn up sloppily only as a means to detain him in this country and quickly — the government believed, because this is how things happen in the U S of A — get him to agree to inform on VinnyK and other online criminals. Indeed, fragments of the original interrogation now make it clear that was the intent.

Chartier: I mean, you know, Marcus, I’ll be honest with you. You’re in a fair bit of trouble.

Hutchins: Mmm-hmm.

Chartier: So I think it’s important that you try to give us the best picture, and if you tell me you haven’t talked to these guys for months, you know, you can’t really help yourself out of this hole. Does that make sense?

Hutchins: Yeah.

Chartier: Now, I’m not trying to tell you to do something you’re not doing, but I know you’re more active than you’re letting on, too. Okay?

Hutchins: I’m really not. I have ceased all criminal activity involving

Chartier: Yeah, but you still have access and information about these guys.

Hutchins: What do you mean? Like, give me a name and I’ll tell you what I know about that.

Chartier: All right, why don’t you start out with this list of nics.

As a result of that sloppiness, the government had just thrown a bunch of crimes — CFAA and wiretapping — into the indictment, with the assumption that it’d be enough to turn the guy who stopped WannaCry into the US government’s latest informant.

While there are no guarantees in criminal cases, I think the defense’s arguments that the government had no proof Hutchins intended to damage the requisite 10 computers in Wisconsin, nor that he had intended to install a device to wiretap, were sound. Indeed, this superseding indictment is largely tacit admission that those arguments may well succeed and blow their original case up. Moreover, I suspect there is and will remain (until this thing goes to trial, if it does) a dispute about how much code someone has to contribute to a piece of malware to be considered its author.

But as I said, now that the government is facing going to trial with their informant, Randy, fully exposed, they’ve turned that into a way to revamp the alleged crimes against Hutchins such that they might be sustainable. That’s because — as I pointed out here — while VinnyK is accused of selling malware, Randy has already told the FBI that he used it, and used it to engage in financial crimes.

  • VinnyK (Individual A), a guy who sold a UPAS kit on July 3, 2012, days after Hutchins turned 18, and then on June 11, 2015, sold Kronos, a piece of malware with no known US victims. Altogether VinnyK made $3,500 for the two sales of malware alleged in this indictment. When this whole thing started, the government charged Hutchins mostly if not entirely to coerce him to provide information on VinnyK (information which he said in a chat in the government’s possession he doesn’t have). He’s the guy they’re supposed to be after, but now they’re after Hutchins exclusively.
  • “Randy” (Individual B), an actual criminal “involved in the various cyber-based criminal enterprises including the unauthorized access of point-of-sale systems and the unauthorized access of ATMs.” At some point, in an attempt to limit or avoid his own criminal exposure, Randy implicated Hutchins.

With that in mind, consider the two new main charges the government has added, and added to the conspiracy, in what I imagine is a bid to sustain the prosecution if the earlier problems with the indictment get parts of the rest of it thrown out. In addition to charging Hutchins with the part of CFAA that makes it a crime to attempt to damage 10 or more protected computers, the government is now charging him with the part of CFAA that makes it a crime to intentionally access a computer to obtain information for the purpose of private financial gain. That is, they’ve added the part of CFAA that makes it a crime to profit from stealing information. They’ve also charged Hutchins with wire fraud for attempting to obtain money by false and fraudulent pretenses. (The defense now agrees the government has venue in EDWI, which I suspect has to do with both the focus on advertising here as opposed to operation of code, as well as the claim that Hutchins’ alleged lies thwarted an investigation in the district.)

The first of these is easy to understand. Even in the fragments of Hutchins’ interrogation publicly available, he admitted to selling code.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

Chartier: And what was the name of that?

Hutchins: Oh, fuck. I really can’t remember. No, I’m drawing a blank. I mean, like, I actually sell the code. I sell it to people and then they do what the fuck they want with it.

They also have a jail transcript of Hutchins telling his boss that he gave Randy malware to pay off a debt. [Note, the defense has taken issue with the accuracy of this transcript.]

Hutchins: Yeah, and there were also some logs that I gave the compiled binary to someone to repay a debt

Salim Neino: You gave a compiled binary to somebody on the chat log?

Hutchins: To repay a debt yeah

[snip]

Neino: Okay, um was the nature of the debt anything significant?

Hutchins: It was about five grand

Neino: Oh not the amount, but was the nature of the debt significant, like was it related to something else, or just your personal debt?

Hutchins: Um he, no he asked me to hold some Bitcoins for him, and my software fucked up, and I lost some of the money

Neino: Oh so you had to pay him back?

Hutchins: Yeah

So while Hutchins did not himself use malware to steal information for the purpose of financial gain, they arguably have him admitting that he sold code that stole information for financial gain and that he gave code that did the same to someone who stole information for financial gain in order to pay off a $5,000 debt. Now, the government still has some work to do to prove that Hutchins’ code had that intent, but at least for this charge they don’t have to point to 10 computers that he intended to damage.

As for the wire fraud, I’m not sure (and I’m not sure the defense is either) but I think they’re now taking a post Hutchins did, criticizing weaknesses in a piece of malware competing with Kronos, and claiming that the post served to defraud upstanding malware purchasers into believing that Kronos was a better product by comparison.

On or about December 23, 2014, defendant MARCUS HUTCHINS hacked control panels associated with Phase Bot, malware HUTCHINS perceived to be competing with Kronos. In a chat with [Randy], HUTCHINS stated, “well we found exploit (sic) [sic] in this panel just hacked all his customers and posted it on my blog sucks that these [] idiots who cant (sic) [sic] code make money off this :|” HUTCHINS then published an article on his Malwaretech blog titled “Phase Bot — Exploiting C&C Panel” describing the vulnerability.

The government may even be planning on arguing that Hutchins used his research into the competition to update Kronos.

In or around February 2015, MARCUS HUTCHINS and [VinnyK], updated Kronos. On February 9, 2015, in a chat with [Randy], HUTCHINS described the update. [Randy] asked, “[D]id you guys just happen to make a (sic) update?” HUTCHINS responded, “[W]e made a few fixes to both the panel and bot.” [Randy] replied, “ah okay yeah read something that vinny posted was curious on what it was exactly.”

In any case, now that the government knows they’re not going to be able to hide Randy, they can use Hutchins’ interactions with him to try to put Hutchins in a cage, when they’ve decided to spare Randy that same cage or at least limit the time he’ll be there.

If I’m right about this, a lot of it brings us back to the final new charge, false statements. The government has charged Hutchins with lying to the same FBI agents that Hutchins accused (with some basis) of lying on the stand. They claim he lied when he told the FBI that “he did not know his computer code was part of Kronos until he reverse engineered the malware sometime in 2016,” because “as early as November 2014, HUTCHINS made multiple statements to [Randy] in which HUTCHINS acknowledged his role in developing Kronos and his partnership with [VinnyK].”

In yesterday’s status report, the defense said they’re going to “request that the government particularize the alleged false statement of Count Nine.” Presumably, they want to know how it is that AUSA Dan Cowhig, on August 4, 2017, represented to a judge that, “Hutchins admitted that he was the author of the code that became the Kronos malware” but are now claiming that he did not admit that. It may well be the language I’ve cited above, where Hutchins cites the UPAS Kit (which he coded as a minor), but says that was not the form grabber used in Kronos.

That’s the kind of charge that not only will depend on the specific language the government has in mind (which is why the defense may well succeed with a bill of particulars demand where they otherwise might not), but also the understanding of how fragments of code become malware, something on which (if Agent Chartier’s past testimony was any indication) the defense is likely to have a much better grasp than the government.

Understand where that puts us, though.

Probably after rediscovering Hutchins’ access to VinnyK and his friends because he had saved the world from repurposed NSA hacking tools, the government slapped together charges in a bid to turn Marcus Hutchins into an informant. When that didn’t work, when Hutchins had the gall to point out how problematic the charges were, the government then upped the ante, turning Hutchins into the primary target, whereas previously VinnyK had been.

We’ve got VinnyK, who used to be considered a big enough criminal to do this to Hutchins, Randy, who the government readily admits stole money from actual Americans, and the guy who saved the world from tools the NSA couldn’t keep safe. You’ve got two FBI agents who have done remarkable work damaging their own credibility (to say nothing of their ability to appear knowledgable about computer code on the stand). And the American taxpayers are going to spend thousands of dollars to try to put Hutchins — and possibly only Hutchins — in prison. That, even though the false statements charges may well come down to a dispute — which both sides have already been arguing — what the definition of malware is.

This is, in many ways, all too typical of how our justice system works; Hutchins is not unique in being targeted this way, nor in having the government double down when he had the nerve to avail himself of the justice system.

But I keep coming back to this: why does the government think that the interests of justice are served for punishing a guy because he achieved renewed notice by doing something good?

DOJ’s Minor Desperation with MalwareTech

Best as I can tell (this is way not my forté — this was done with the help of S — so please recreate my work), this screen shot shows “auroras” selling UPAS Kit 1.0.0.0 on June 14, 2012.

June 14, 2012 was before Marcus Hutchins turned 18.

Some of the Russian translates as:

Upas is a modular http bot, which was created for the sole purpose – to save you from a headache. This is an advanced ring3 rootkit that has something in common with SpyEye and Zeus. Thus, the installation is “quiet” without recognition by antiviruses.Currently it works on the following versions of Windows: XP, Vista, 7 (Seven), Server 2003, Server 2008. In addition, it is “compatible” with all service packs.

[snip]

The Upas Kit was created to identify vulnerabilities in information systems of individuals and organizations.

Upas Kit has never been used to commit cyber crimes and it can not be so.

Buying this product, you agree not to violate the laws of the Russian Federation and other countries.

Buying this product, you use it at your own risk. Before downloading the application to the user’s PC, you must obtain its consent.

The support address is [email protected] This matches the UPAS Kit described in Marcus Hutchins’ superseding indictment.

“UPAS Kit” was the name given to a particular type of malware that was advertised as a “modular HTTP bot.” UPAS Kit was marketed to “install silently and not alert antivirus engines.” UPAS Kit allowed for the unauthorized exfiltration of information from protected computers. UPAS Kit allowed for the unauthorized exfiltration of information from protected computers. UPAS Kit used a form grabber and web injects to intercept and collect personal information from a protected computer.

All of which is to say that when the superseding indictment describes the following as overt acts in the conspiracy to violate CFAA and to wiretap, it describes code placed on sale before Hutchins turned 18.

On or about July 3, 2012, [VinnyK], using the alias “Aurora123,” sold and distributed UPAS Kit to an individual located in the Eastern District of Wisconsin in exchange for $1,500 digital currency.

Now, as I said yesterday, it’s not clear what UPAS Kit is doing in the superseding indictment. Alone, the coding behind the listing above necessarily happened while Hutchins was a minor and the sale itself happened over five years ago. So the government can only present it as part of a conspiracy sustained by more recent overt acts, like the sale of Kronos in 2015, arguing they’re part of the same conspiracy, which extends the tolling (but doesn’t change Hutchins’ birthday).

Given the claim that he lied to the FBI in his Las Vegas interrogation, however, I think they’re suggesting that when he admitted to coding a form grabber, but not the one in Kronos, he was lying about knowing that this earlier code got used in Kronos.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

In other words, to get this admission into trial, the government is going to claim he was lying about knowing there was continuity between UPAS and Kronos in a way to deny any more recent involvement, even though they’re on the record (though Dan Cowhig’s statements to the court) that he had admitted that.

Which further suggests the evidence they have that he actually coded Kronos itself isn’t that strong, and need to rely on code that Hutchins coded when he was a minor to be able to blame this malware on him.

To Pre-empt an Ass-Handing, the Government Lards on Problematic New Charges against MalwareTech

When last we checked in on the MalwareTech (Marcus Hutchins) case, both FBI agents involved in his arrest had shown different kinds of unreliability on the stand and in their written assertions, and Hutchins’ defense had raised a slew of legal challenges that, together, showed the government stretching to use wiretapping and CFAA statutes to encompass writing code so as to include Hutchins in the charges. It looked like the magistrate in the case, Nancy Joseph, might start throwing out some of the government’s more expansive legal theories.

That is, it looked like the government’s ill-advised decision to prosecute Hutchins in the first place might be mercifully put out of its misery with some kind of dismissal.

But the government, which refuses to cut its losses on its own prosecutorial misjudgments, just doubled down with a 10-count superseding indictment. Effectively, the superseding creates new counts, first of all, by charging Hutchins for stuff that 1) is outside a five year statute of limitations and 2) he did when he was a minor (that is, stuff that shouldn’t be legally charged at all), and then adding a wire fraud conspiracy and false statements charge to try to bypass all the defects in the original indictment. [See update below — I actually think what they’re doing is even crazier and more dangerous.]

The false statements charge is the best of all, because for it to be true a Nevada prosecutor would have to be named as Hutchins’ co-conspirator, because his representations in court last summer directly contradict the claims in this new indictment.

Wherein financial criminals VinnyK and Randy become bit players in criminal mastermind Marcus Hutchins’ drama

To understand how they’re doing this, first understand there are two criminals Hutchins is alleged to have had interactions with three-plus years ago:

  • VinnyK (Individual A), a guy who sold a UPAS kit on July 3, 2012, days after Hutchins turned 18, and then on June 11, 2015, sold Kronos, a piece of malware with no known US victims. Altogether VinnyK made $3,500 for the two sales of malware alleged in this indictment. When this whole thing started, the government charged Hutchins mostly if not entirely to coerce him to provide information on VinnyK (information which he said in a chat in the government’s possession he doesn’t have). He’s the guy they’re supposed to be after, but now they’re after Hutchins exclusively.
  • “Randy” (Individual B), an actual criminal “involved in the various cyber-based criminal enterprises including the unauthorized access of point-of-sale systems and the unauthorized access of ATMs.” At some point, in an attempt to limit or avoid his own criminal exposure, Randy implicated Hutchins.

With this superseding indictment, the government has turned these two criminals into the bit players in a scheme in which Hutchins is now the targeted criminal.

Interestingly, unlike in the original indictment, VinnyK is not charged in this superseding indictment. I’m not sure what that means — whether the government has decided they like him now, they’ll never get him extradited and he won’t show up at DefCon because he’s learned Hutchins’ lesson, or maybe even they’ve gotten him to flip in a bid to avoid embarrassment with Hutchins. So there’s one guy the government admits is a criminal — Randy — and another guy they believed was a serious enough criminal they had to arrest the guy who saved the world from WannaCry to help find, VinnyK. Neither is charged in this indictment. Hutchins is.

Conspiracy to violate minors outside the statute of limitations

As I said, one way the government gets from 6 to 10 counts is by identifying a second piece of software — allegedly written by Hutchins — that VinnyK sold, so as to charge the same legally suspect crimes twice.

This is a comparison of the old versus new indictment.

As I understand it (though the indictment is damned vague on this point) the additional wiretapping and CFAA charges come from a second piece of software.

Here’s what that second alleged crime looks like:

a. Defendant MARCUS HUTCHINS developed UPAS Kit and provided it to [VinnyK], who was using alias “Aurora123” at the time.

b. On or about July 3, 2012, [VinnyK], sold and distributed UPAS Kit to an individual located in the Eastern District of Wisconsin in exchange for $1,500 in digital currency.

c. On or about July 20, 2012, [VinnyK], distributed an updated version of UPAS Kit to an individual in the Eastern District of Wisconsin.

First of all, notice how Hutchins’ activities in this second crime aren’t listed with any date? Wikipedia says Hutchins was born in June 1994 and I’ve confirmed that was when he was born. Which means either he coded UPAS Kit in a few weeks or less, or the actions he’s accused of here happened when he was a minor.

Now look at your calendar. July 2012 was 6 years ago, so outside a 5  year statute of limitations; for some reason the government didn’t even try to include the July 20, 2012 action when they first charged this last year. One way or another, the SOL has tolled on these actions.

The time periods for this new alleged crime, though, is listed as July 2014 to August 2014. Except all new actions listed in that time period are tied to Kronos, not UPAS. In other words, unless I’m missing something, the government has tried to confuse the jury by charging Kronos twice, all while introducing UPAS, which is both tolled and on which Hutchins’ alleged role occurred while he was a minor.

[See update below,]

Criminalizing malware research

The effort against Hutchins always threatened to criminalize malware research. But the government (perhaps in an effort to substantiate a second crime associated with Kronos) has gone one step further with this claim:

On or about December 23, 2014, defendant MARCUS HUTCHINS hacked control panels associated with Phase Bot, malware HUTCHINS perceived to be competing with Kronos. In a chat with [Randy], HUTCHINS stated, “well we found exploit (sic) [sic] in this panel just hacked all his customers and posted it on my blog sucks that these [] idiots who cant (sic) [sic] code make money off this :|” HUTCHINS then published an article on his Malwaretech blog titled “Phase Bot — Exploiting C&C Panel” describing the vulnerability.

The government doesn’t explain this (and I guarantee you they didn’t explain this to the grand jury — I mean they put the word “hacked” right there so it must be EVIL), but they’re claiming this article talking about how to thwart Phase Bot malware via vulnerabilities in its command and control module — that is, a post about how to defeat malware!!!! — is really a devious plot to undercut the competition.

Again, the original indictment was dangerous enough. But now the government is claiming that if you write about how to thwart malware, you might be doing it for criminal purposes.

Charging the other bad guys with wire fraud conspiracy

As a reminder, the charges in the original indictment (which remain largely intact here) were problematic because selling Kronos fit neither the definition of wiretapping nor CFAA (the latter because it doesn’t damage computers). In an apparent attempt to get out of that problem (though not the venue one, which best as I can tell remains a glaring problem here), they’ve added a conspiracy to commit wire fraud, arguing that Hutchins “knowingly conspired and agreed with [VinnyK] and others unknown to the Grand Jury, to devise and participate in a scheme to defraud and obtain money by means of false and fraudulent pretenses and transmit by wire in interstate and foreign commerce any writing, signs, and signals for the purpose of executing the scheme.”

I’ll let the lawyers explain whether this charge will hold up better than the wiretapping and CFAA ones. But at least as alleged, all VinnyK has ever done (even assuming Hutchins can be shown to have agreed with this) is to sell Kronos to an FBI agent in Wisconsin.

The only one in this entire indictment described as actually making money off using Kronos is Randy, the guy the US government isn’t prosecuting because he narced out Hutchins. Meaning the guy with whom Hutchins would most credibly be claimed to have conspired to commit wire fraud is the one guy not mentioned in the charge.

But for some reason the government decided the just thing to do when faced with these facts was charge only the guy who saved the world from WannaCry.

Charging false statements after both FBI agents have been shown to be unreliable

Which brings us, finally, to what is probably the point of this superseding indictment, the government’s effort to salvage their authority. They’ve charged Hutchins with lying to the FBI about knowing that his code was part of Kronos.

On August 2, 2017, the Federal Bureau of Investigation was conducting an investigation related to Kronos, which was a matter within the jurisdiction of the Federal Bureau of Investigation.

On or about August 2, 2017, in the state of Eastern District of Wisconsin and elsewhere,

[Hutchins]

knowingly and willfully made a materially false, fictitious, and fraudulent statement and represented in a matter within the jurisdiction of the Federal Bureau of Investigation when he stated in sum and substance that he did not know his computer code was part of Kronos until he reverse engineered the malware sometime in 2016, when in truth and fact, as HUTCHINS then knew, this statement was false because as early as November 2014, HUTCHINS made multiple statements to Individual B in which HUTCHINS acknowledged his role in developing Kronos and his partnership with Individual A.

Whoo boy.

First of all, as I’ve noted, one agent Hutchins allegedly lied to had repeatedly tweaked his Miranda form, without noting that she did that well after he signed the form. The other one appears to have claimed on the stand that he explained to Hutchins what he had been charged with, when the transcript of Hutchins’ interrogation shows the very same agent admitting he hadn’t explained that until an hour later.

So the government is planning on putting one or two FBI agents who have both made inaccurate statements — arguably even lied — to try to put Hutchins in a cage for lying. And they’re claiming that they were “conducting an investigation related to Kronos,” which is 1) what they didn’t tell Hutchins until over an hour after his interview started and 2) what they had already charged him for by the time of the interview.

Oh wait! It gets better. See how they describe that Hutchins lied in Wisconsin?

The interrogation happened in Las Vegas, which last I checked was not anywhere near Eastern District of Wisconsin. I mean, I’m sure there’s a way to finesse these things wit that “and elsewhere” language, but this indictment simply asserts that an interrogation room in the Las Vegas airport was in Milwaukee.

And there’s more!!!

On top of the fact that one or another agent who themselves have credibility problems would have to go on the stand to accuse Hutchins of lying, and on top of the fact that they say this thing that happened in Las Vegas didn’t stay in Las Vegas but was actually in Milwaukee, there’s the fact that AUSA Dan Cowhig, on August 4, 2017, in a bid to deny Hutchins bail, represented to a judge that,

In his interview following his arrest, Mr. Hutchins admitted that he was the author of the code that became the Kronos malware and admitted that he sold that code to another.

We don’t have the full transcript of Hutchins’ interrogation yet (parts released by the defense show him admitting to underlying code, which may be what this UPAS stuff is about, though denying Kronos itself). But for it to be true that Hutchins lied about knowing that “his computer code was part of Kronos until he reverse engineered the malware,” then Cowhig would have had to be lying last year.

So to sum up: the government’s bid to save face, on top of some jimmying with dates and using Randy to accuse Hutchins of something that Randy is far more guilty of, is to put two agents who have real credibility problems on the stand to argue that their colleague in Nevada, which apparently spends its summers in Wisconsin, lied last year when he claimed that Marcus admitted “he was the author of the code that became the Kronos malware.”

Update: It has been suggested those 2012 UPAS Kit actions got included because they are part of the conspiracy, which is how they get beyond tolling (though not Hutchins’ age). If the government is arguing that UPAS is the underlying code that Hutchins contributed to Kronos, then that might make sense. Except that then the false statements charge becomes even more ridiculous, because we know that Hutchins admitted to that bit.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

Also note, at least according to Hutchins’ jail call to his boss, GCHQ vetted this earlier activity and found it to be unproblematic.

Update: On fourth read (this indictment makes no sense), I think the new charges are not the 2012 sales, but a vague crime based on the marketing, but no sale, of malware in 2014. In other words, they’re accusing Hutchins of wiretapping and CFAA crimes because someone else posted a YouTube. Note, the YouTube in question has already been litigated, as the government is trying hard to get venue because of that — because YouTube is based in the US.

This is such an unbelievably dangerous argument; it’s a real testament to the sheer arrogance of this prosecution at this point, that they’ll stop at nothing to avoid the embarrassment of admitting how badly they fucked up.

The Government Refuses to Name FBI Agent Accused of Deceit in MalwareTech Case

Here’s the basic argument that Marcus Hutchins’ (AKA MalwareTech) lawyers are making in an effort to get his post-arrest interview suppressed.

[D]espite Mr. Hutchins’ multiple direct questions to the FBI agents who arrested him about the nature of his circumstance (e.g., “Can you please tell me what this is about?,” asked at the outset of the interrogation) and notwithstanding his frequent expressions of uncertainty about the agents’ focus of inquiry, the agents intentionally concealed from him the true and pertinent nature of his then-existing reality (e.g., “We’re going to get to it,” then somewhat revealing things 75 minutes later). Under these circumstances, bolstered by his known-to-the-agents exhaustion and status as a foreigner (among other things), Mr. Hutchins “full awareness of both the nature of the right being abandoned and the consequences of the decision to abandon it” was fatally compromised.

For its part, the government largely dodges the question of whether the agents misled (or refused to inform) Hutchins why he was being questioned, arguing (incorrectly — deception is mentioned twice in the first motion) that Hutchins didn’t raise deceit until after learning more details about the process, and focusing on the law in isolation from the facts. Ultimately, though, they argue that the substance of the crimes of which Hutchins was accused doesn’t matter because he knew he was arrested. To substantiate that, they present claims that go to the heart of the deceit question — the circumstances surrounding Special Agent Lee Chartier informing Hutchins that he had been indicted in Wisconsin.

Like the defendant in Serlin, Hutchins was aware of the nature of the FBI inquiry. Hutchins knew that the FBI’s interview on August 2, 2017, related to a criminal inquiry because Hutchins was handcuffed with his hands placed behind his back and told that he was under arrest based on federal arrest warrant. Doc. #82 at 20. And as if that was not enough, the questions posed to Hutchins, like the questions in Serlin, “would have alerted even the most unsuspecting [individual] that he was the . . . focus of the [criminal inquiry].”

[snip]

Unlike the defendant in Giddins, Hutchins was never misled about the criminal nature of the FBI investigation. There is no dispute that Hutchins was placed in handcuffs and told he was under arrest based on an arrest warrant issued from the Eastern District of Wisconsin, and that before any questioning, Hutchin was advised of his rights and waived those rights.

On that bolded bit, there very much is a dispute. Tellingly, the government never once mentions the name of the agent, Lee Chartier, who claims to have done this, the same agent that Hutchins accuses of deceit. That’s interesting, not least, because even after the agents “colluded” (curse you for using that term, Hutchins’ legal team!!!) about their story, whether and how Chartier informed Hutchins of his indictment while he had Hutchins in a stairwell is one of the matters on which their sworn testimony differed.

At the outset, it is very important for the Court to remember the agents’ pre-hearing collusion. As Agent Butcher revealed, she and Agent Chartier got together to “mak[e] sure that we were on – you know, that our facts were the same.” (Id. 112:4-5.) Their synchronization of their testimony calls into question their entire characterization of events, and any benefit of any doubt the Court has regarding what happened should accrue to Mr. Hutchins’ favor.

[snip]

Agent Chartier testified that he revealed he was with the FBI and told Mr. Hutchins that he was under arrest pursuant to a federal arrest warrant just after Mr. Hutchins had been detained, when he and the customs officers took Mr. Hutchins from the lounge to a stairwell. (Hearing Tr. 19:8-23.) By his own admission, however, Agent Chartier did not explain the charges or what was going on, despite Mr. Hutchins’ numerous questions in the hallway. (Id. at 19:25- 20:4; 58:25-59:1.)4

In addition, Agent Chartier claimed that after he escorted Mr. Hutchins to the (pre-arranged) interrogation room, he and Agent Butcher again advised Mr. Hutchins that he was under arrest pursuant to a federal arrest warrant. (Id. 20:25-21:1.) Notably, they did not explain anything else. Agent Chartier acknowledged that Mr. Hutchins was not told that the arrest warrant flowed from an indictment, much less that the indictment charged six felony offenses stemming from the development and sale of Kronos. (Id. 56:22-24.)

Further, although the agents tried to coordinate their testimony, Agent Butcher’s testimony about these meaningful events was quite different from Agent Chartier’s. She did not testify that he (Agent Chartier) advised Mr. Hutchins that he was under arrest pursuant to a federal arrest warrant. Only Agent Chartier makes this claim, one that is undermined by Agent Butcher and otherwise lacks any support in the record. [my emphasis]

There’s actually a very good reason why Butcher didn’t describe Chartier doing this. He did so, if he did, in the stairwell; Butcher wouldn’t have been a witness.

Ordinarily, an FBI agent would get the benefit of the doubt on this point, but for two reasons, the public records suggests they shouldn’t in this case.

First, the time that Jamie Butcher estimated Hutchins was given his Miranda warning, 1:18PM, would only allow for a minute to transpire between the time Hutchins exited the airport lounge and his interview started post-waiver.

Despite the fact that Mr. Hutchins was escorted out of the lounge at 1:17 p.m. and the audio recording started at approximately 1:18 p.m. (see Exhibits 14 and 9), Agent Chartier claimed that he read Mr. Hutchins the Advice of Rights form (Exhibit 9) and Mr. Hutchins read and signed it. (Hearing Tr. 24:25-25:6.)

Further, as an excerpt from the transcript reveals, Butcher told Chartier he (the more experienced agent on questioning witnesses of the two) was all over the place just minutes after he would have given such a warning.

5:05-5:22

Chartier: Okay. And I don’t know if we did this in the beginning. Sorry, my brain is like—

Butcher: You’re like a mile a minute. Go ahead.

Chartier: Did you—did we have a passport for you? I didn’t have—we didn’t take one off of you. Did you have a passport.

Hutchins: It’s in the bag.

Chartier: It’s in your bag? Okay. All right. Well just for the record, could you go ahead and state your full name and then give your date of birth?

Again, this would have happened just minutes after Chartier would have given Hutchins his Miranda warning. Whatever the verdict on Hutchins’ competence to waive his rights, it does raise questions about the carefulness of the warning that Chartier gave.

Ultimately, both these motions have the feeling of rushed filings, with some errors and imprecisions. Ultimately, the judge is likely to rule against Hutchins here (though it will form important background as she considers much more substantial challenges to the charges against him). As I’ve said, though, the entire process has undermined both agents’ credibility if this ever goes to trial.

Hutchins’ motion is also interesting for the evidence it gives that this was still ultimately about getting Hutchins to cooperate against people the government was certain he was still communicating with, something I’ve been maintaining from the start.

Chartier: And what was the name of that?

Hutchins: Oh, fuck. I really can’t remember. No, I’m drawing a blank. I mean, like, I actually sell the code. I sell it to people and then they do what the fuck they want with it.

Chartier: I understand, I understand, I understand. But you see why we’re here?

Hutchins: Yep. I can definitely see.

Chartier: I mean, you know, Marcus, I’ll be honest with you. You’re in a fair bit of trouble.

Hutchins: Mmm-hmm.

Chartier: So I think it’s important that you try to give us the best picture, and if you tell me you haven’t talked to these guys for months, you know, you can’t really help yourself out of this hole. Does that make sense?

Hutchins: Yeah.

Chartier: Now, I’m not trying to tell you to do something you’re not doing, but I know you’re more active than you’re letting on, too. Okay?

Hutchins: I’m really not. I have ceased all criminal activity involving–

Chartier: Yeah, but you still have access and information about these guys.

Hutchins: What do you mean? Like, give me a name and I’ll tell you what I know about that.

This is what the entire case is about: the government used a trumped up claim of really attenuated criminal liability to try to get Hutchins to provide information on “these guys.” And they didn’t decide to do so until after Hutchins came back to their attention after he saved the world from WannaCry.

If this ever goes to trial, that should be the central issue. And going forward, too, that should be the central issue: that the government got itself into a very deep hole on a legally deficient claim because they did a back door search on the guy who saved the world and decided arresting him was the best way to coerce his cooperation moving forward.

But I’m still betting this doesn’t go to trial.

The He Said, She Said That May Render MalwareTech’s Arresting Agents Useless on the Stand at Trial

Back when Marcus Hutchins (MalwareTech) moved to suppress the statements he made in his first custodial interview after his arrest, I suggested the challenge itself was unlikely to succeed, but that it would “serve as groundwork for a significant attempt to discredit Hutchin’s incriminatory statements at trial.”

While I still generally think the effort is unlikely to succeed (though it may never come to that, as I lay out below), an evidentiary hearing on the issue yesterday may have rendered both his arresting agents largely useless for testimony at trial.

As a reminder, Hutchins originally challenged his statements because:

  • As a Brit, he couldn’t be expected to understand that US Miranda works in the opposite way as British Miranda does without specific explanation
  • He waived his Miranda rights after being arrested after over a week of partying at DefCon, and was exhausted and possibly high
  • The FBI’s own records were sketchy; they hadn’t recorded that he had been asked if he was drunk (but not high) until over four months after his arrest (yesterday we learned that 302 was dated December 8 or 9)

Then, just before the originally scheduled evidentiary hearing on April 19, the government told Hutchins that the multiple crossed out times on his waiver had not been corrected until at least five days after his arrest, something the FBI agent in question, Jamie Butcher, didn’t formally explain anywhere.

Hutchins lawyers got a continuance to understand the implications of that; yesterday was the rescheduled opportunity to grill the FBI agents about when he was really Mirandized.

From the get-go, Hutchins attorney Brian Klein set a contentious tone for the hearing by suggesting at the outset that they might need to call one or the other of the prosecutors to testify to impeach the agents, something that almost never happens (for mostly good reasons). After some preliminaries in which judge Nancy Joseph laid out how she’d be assessing the issues, first Lee Chartier and then Butcher took the stand to explain how the post-arrest interview and subsequent paperwork had gone down.

Chartier, almost a sterotypical-looking FBI agent — tall and white, beefy, with a goatee — had the more experience of the two: he’s been working cyber since 2011 and in 2016 Jim Comey gave him the Director’s Medal of Excellence for being one of the top performing cyber agents. Still, he testified he had only done around 50 interviews, of which 20 were custodial interviews, over those years. Butcher, a short white woman, has been at FBI nine years, moving from an admin position to a staff operations specialist to her current cyber special agent position, where she’s been for three years. When prosecutor Benjamin Proctor walked her through her background, he didn’t ask how many interviews, custodial or no, she had done, which given Chartier’s surprisingly low number, probably means she’s done very few interviews, particularly custodial ones. When Proctor asked about her involvement in this case, he described it as “becom[ing] involved in the investigation that resulted in arrest of Marcus Hutchins,” which suggests a curious agency behind the investigation.

Between them, the agents described how they flew out to Vegas the night before the arrest. Surveilling agents tracked Hutchins as he went to the airport and got through TSA then sat down at a first class lounge. As soon as Hutchins ordered a drink that turned out to be Coke but that the agents worried might be booze, Chartier, wearing business casual civvies, and two CBP agents wearing official jackets pulled Hutchins away from the lounge, placed him under arrest and cuffed him in a stairwell inside the secure area, and walked him to a CBP interview room, where Chartier and Butcher Mirandized him, then interrogated him for 90 to 100 minutes.

Even in telling that story, Chartier and Butcher’s stories conflicted in ways that are significant for determining when Hutchins was Mirandized. He said it took “seconds” to get into the stairwell and then to the interview room. She noted that the “Airport is rather large. Would have taken awhile.” to walk from place to place (it was 36 minutes between the time Hutchins cleared TSA, walked to the lounge, ordered a Coke, and the time Chartier first approached Hutchins). There seems to be a discrepancy on how many CBP agents were where when (that is, whether one or two accompanied Chartier and Hutchins all the way to to the interrogation room). Those discrepancies remained in spite of the fact that, as Butcher admitted, they had spoken, “Generally, about the interview, and Miranda, and making sure that we were on, that our facts were the same.”

Chartier described that the CBP recording equipment in the room “wasn’t functional that day,” which is why they relied on Butcher pressing a record button herself, which she didn’t do until (she said) Chartier started asking “substantive” questions, but after the Miranda warning.

It sounds like Chartier did most of the questioning and the dick-wagging, even though Butcher was the lead agent. He offered up the term “Liquid Courage” to describe Hutchins’ description of having to drink to network. He gave Hutchins a list of 80 online monikers, of which Hutchins recognized a handful; “Vinny,” who has shown up in public reporting on Hutchins’ background, was apparently one of those, so he may actually be the co-defendant after all (or the informant the government is hiding). Chartier had Hutchins review a string of code; Hutchins only recognized that it listed Kronos (which is the first he figured out that’s what the interview was about, and which is what the FBI claim he inculpated himself as the coder of Kronos is based off).

Chartier’s more dominant role in the questioning is interesting given the dynamic yesterday. Butcher, who was questioned second, seemed to know her multiple fuck-ups on the basic parts of this interview (failing to note the Miranda time, starting the recording late, offering unconvincing claims about what she did when she realized she had entered the time wrong on the consent form) make her an FBI short-timer. I’d honestly be surprised if she were still at FBI by the time this goes to trial, if it does. At times, she seemed not to recognize the dangers of the answers she was giving. Chartier, on the other hand, has his Director’s award career to protect, and perhaps for that reason was openly hostile and seemed ready to throw Butcher under the bus for the fuck-ups that had gotten him sucked in.

Except it was Chartier’s responses that seemed to reflect deceit, and it was Chartier that Brian Klein accused of lying. Chartier seemed to be aware that he had to ensure three details:

  • That he explained to Marcus the circumstances of his arrest, which allegedly happened in the stairwell (I think it shows up in the 302, which Butcher wrote, but she wouldn’t have witnessed it. Also, her response to the judge on how she reconstructed the time of the waiver hinted that there are other sources of time stamps she doesn’t want to reveal — I bet there is surveillance footage from the stairwell).
  • That WannaCry only came up at the end.
  • That Hutchins should have known the interview was about Kronos.

Except even the prosecution made clear that’s not what happened. Prosecutor Michael Chmelar described how Hutchins first realized the case was about Kronos when he was shown the code.

Do you recall certain point Hutchins asked if case was about Kronos, looking for developer. What did you respond. I said I don’t think we’re looking anymore. Our belief that Mr Hutchins was developer of Kronos.

Note, I suspect the full 302 will also show that Chartier had absolutely no reason to make this claim, which is probably why within days of Hutchins’ arrest it became clear the FBI had way oversold their proof from this interview that Hutchins had admitted to contributing to Kronos.

Also at issue is when Hutchins first got to see the arrest warrant, something that Chartier’s testimony appears dodgy on. More importantly, Chartier’s testimony did make it clear Hutchins started asking immediately what the arrest was about, and 30 seconds after the recording started (therefore, after he had just signed the waiver) he asked again. Except it wasn’t until an hour later that Chartier explained that this stop wasn’t about WannaCry, as Klein laid out.

It’s not until 1 hour into the interview that they show him arrest warrant. Here’s what happens. Chartier. What you’ll hear him say, okay, well, here’s the arrest warrant, and just to be honest. If i’m being honest with you this has absolutely nothing to do with WannaCry.

Plus, the arrest warrant apparently did not lay out the charges in the indictment, instead listing “conspiracy to defraud the US” as the crime (good old ConFraudUs!) which is remarkable for reasons I may return to if and when the warrant is docketed.

Effectively, the government explains that the reason they didn’t arrest Hutchins until just before he boarded his plane is because they feared he’d dodge off, open a computer, and shut down the WannaCry sinkhole, re-releasing the global malware. (Yeah, that’s dumb.) Everything they did they did because of WannaCry.

But it wasn’t until an hour into their interrogation of Hutchins that they told him it wasn’t really about WannaCry.

Frankly, I don’t think this thing is going to trial. When Klein asked for more time, given what they discovered yesterday, before arguing the suppression motion, Joseph said she had all the other motions briefed and she wanted to decide them together. As I have laid out, the 5 motions work together, showing (for example) that the CFAA charge is improper, but also showing that the government refuses to point to any computers that were damaged by the Kronos malware Hutchins wrote.

If she’s thinking of all those motions together, then she’s seeing how, together, they show how pointless this prosecution is.

But if not — if this case actually does go to trial — either one of these FBI agents will be very easy to impeach on the stand.

Update: Fixed spelling of Chartier’s last name.

Update, 5/31: Turns out I had Chartier’s last name right the first time, and have now fixed this back.

Update: In talking to a physical surveillance expert who followed the hearing, the stairwell may actually be one place in the secure space that wouldn’t be on surveillance footage, with cameras instead capturing the entry and exit. If that’s right, it would mean the stairwell is all the more curious a place to have some of the key events in this arrest and interrogation go down. h/t DO

The MalwareTech Poker Hand: Calling DOJ’s Bluff

With a full poker hand’s worth of filings on Friday, MalwareTech’s (AKA Marcus Hutchins) lawyers are finally revealing the main thrust of their defense. The five filings are:

  1. A motion for a bill of particulars, basically demanding that the government reveal what 10 computers Hutchins and his alleged co-conspirator conspired and intended to damage
  2. A motion to suppress the statements Hutchins made after he was arrested, requesting an evidentiary hearing, based on the fact that Hutchins was high and exhausted and didn’t know US law about Miranda warnings
  3. A motion to dismiss the indictment, arguing on three different grounds that,
    • The CFAA charges (one and six) don’t allege any intent to cause damage to a protected computer (because the malware in question steals data, but doesn’t damage affected computers)
    • The Wiretapping charges (two through five) don’t allege the use of a device as defined under the Wiretap Act, but instead show use of software
    • The sales-related charges (one, five, and six) conflate the sale of malware with the ultimate effect of it
  4. A motion to dismiss the indictment for improper extraterritorial application and venue, effectively because this case should never have been charged in the US, much less Milwaukee
  5. A motion to dismiss charges two and six based on suspected improper grand jury instruction failing to require intentionality

Effectively, these five motions (which are likely to meet with mixed success, but even where they’re likely to fail, will lay the groundwork for trial) work together to sustain an argument that Hutchins should never have been charged with these crimes in the US, and that FBI may have cheated a bit to get the incriminatory statements that might let them sustain the prosecution.

I laid out the general oddity of these charges here, and the background to the Miranda challenge and grand jury instructions here, here, and here.

Hutchins was high and tired, not drunk, for his one minute Miranda warning

While I don’t expect the Miranda challenge (item 2) to be effective on its face, I do expect it to serve as groundwork for a significant attempt to discredit Hutchin’s incriminatory statements at trial. This motion provides more detail about why his defense thinks it will be an effective tactic. It’s not just that Hutchins is a foreigner and couldn’t be expected to know how US Miranda works, or that the FBI only documented that they asked Hutchins if he had drinking alcohol four months after the arrest (as I laid out here). But as the motion notes, the FBI doesn’t claim to have asked whether he was exhausted or otherwise intoxicated.

According to an FBI memorandum, before “initiating a post arrest interview,” an agent asked Mr. Hutchins if he had been drinking that day, and he responded that he had not. That memorandum, written over four months after the arrest, then states that the agent asked Mr. Hutchins “if has [sic] in a good state of mind to speak to the FBI Hutchins agreed.” Mr. Hutchins did not understand it to be an inquiry as to whether he had used drugs or was exhausted.

The initial 302 of the interrogation records Hutchins telling the agents that he had been partying and not sleeping.

Mr. Hutchins discussed his partying while in Las Vegas, as well as his lack of sleep, during the interrogation.

The motion admits that he had been using drugs (of unspecified type) the night before.

As Mr. Hutchins sat in the airport lounge, he was not drinking, but he was exhausted from partying all week and staying up the night before until the wee hours. He had also used drugs.

Nevada legalized the recreational use of marijuana effective July 2017, so if he was still high during this interview, he might have been legally intoxicated under state (but not federal) law. And there’s not a lick of evidence that the FBI asked him about that.

After laying out that the FBI has no record of asking Hutchins whether he was sober (rather than just not drunk), the motion reveals that the FBI couldn’t decide at what time it gave Hutchins his Miranda warning.

An FBI Advice of Rights form sets forth Miranda warnings and reflects Mr. Hutchins’ signature. It is dated August 2, 2017, but the time it was completed includes two crossed out times, 11:08 a.m. and 2:08 p.m., and one uncrossed out time, 1:18 p.m. (which is one minute after the FBI log reflects Mr. Hutchins’ arrest, as noted above).

And as noted before, and reiterated here, the FBI didn’t record that part of his interview.

The motion notes that if the final, current record of the time of warning is correct, then the Miranda warning, including any discussion of how US law differs from British law, took place in the minute after he was whisked away from this gate.

Hutchins recently tweeted that he “slept the entire time I was in prison,” which while not accurate (he was neither in prison nor in real solitary), would otherwise corroborate the claim he was exhausted.

The government’s cobbled case on intentionality and computer law

Items 3 and 5, arguing the law is inappropriately applied and specifically not instructed correctly with regards to two charges, work together to argue that the government has cobbled together charges against Hutchins via misapplying both CFAA and Wiretap law, and in turn using conspiracy charges and misstating requisite intentionality to be able to get at Hutchins.

As I’ve noted, Hutchins’ lawyers have been arguing for some time that the government may not have properly instructed the grand jury on the intentionality required under charges 2 and 6. At a hearing in February, Magistrate Nancy Joseph showed some sympathy to this argument (though is still reviewing whether the defense should get the grand jury instructions). As I noted in that post, whereas the government once claimed it would easily fix this problem by getting a superseding indictment (possibly larding on new charges), they seem to have lost their enthusiasm for doing so.

It’s the combination of the rest of the legal challenge that I find more interesting. The challenge will interact with recent innovations in charging other foreign hackers, especially a bunch of Russians that will make DOJ especially defensive of this challenge. But the motions all cite Seventh Circuit precedent closely, so I’m not sure whether that matters.

Ultimately, this motion makes roughly the same arguments that Orin Kerr made as soon as the indictment came out. As he introduced his more thorough explanation in August,

This raises an interesting legal question: Is it a crime to create and sell malware?

The indictment asserts that Hutchins created the malware and an unnamed co-conspirator took the lead in selling it. The indictment charges a slew of different crimes for that: (1) conspiracy to violate the Computer Fraud and Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices; (3) a count of wiretapping; and (4) a count of violating the Computer Fraud and Abuse Act through accomplice liability — basically, aiding and abetting a hacking crime.

Do the charges hold up? Just based on a first look at the case, my sense is that the government’s theory of the case is fairly aggressive. It will lead to some significant legal challenges. It’s hard to say, at this point, how those challenges will play out. The indictment is pretty bare-bones, and we don’t have all the facts or even what the government thinks are the facts. So while we can’t say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case. As always, we’ll have to stay tuned.

Kerr is not flaming hippie, so I assume that these arguments will be rather serious challenges for the government and I await the analysis of this challenge by more Fourth Amendment lawyers. But as he suggested back in August, Hutchins’ team may well be right that this indictment is an overreach.

DOJ still hasn’t explained why it charged Hutchins for a crime with no known US victims

While requests for Bill of Particulars (basically, a request for more details about what the government is claiming broke the law) are usually unsuccessful, this one does two interesting things. It asks the government for proof of damage, including proof of which ten computers got damaged.

Mr. Hutchins asks that the government be required to particularize the “damage” it intends to offer into evidence at trial in connection with the alleged violations of the Computer Fraud and Abuse Act by the two defendants. Mr. Hutchins also asks that the government be required to particularize the “10 or more protected computers” to which it contends the defendants conspired and attempted to cause “damage.”

Whether the motion itself is successful or not, demanding proof that ten computers were damaged helps support the challenge to the two CFAA charges based on whether stealing credentials amounts to damage. It also lays the groundwork for the motion made explicitly in item 4 — that Hutchins should never have been charged in the US, much less Wisconsin.

As I laid out in this piece, it appears likely that charges against Hutchins arose out of back door searches done as part of the investigation into who “MalwareTech” was after he sinkholed WannaCry. For whatever reason (probably because the government thought Hutchins could inform on someone, possibly related to either WannaCry itself or Kelihos), the government decided to cobble together a case against Hutchins consisting — by all appearances — entirely of incidental collection so as to coerce him into a plea deal. When he got a team of very good lawyers and then bail, that put a lot more pressure on the appropriateness of the charges in the first place.

So now, eight months after Hutchins was arrested, we’re finally getting to that question of why the US government decided to charge him for a crime that even DOJ didn’t claim had significant US victims.

The motion starts by noting that Hutchins didn’t do most of the acts alleged, his co-defendant Tran (whom the government has shown little urgency in extraditing) did. But even for Tran’s acts (basically marketing and selling the malware), there’s no affirmative tie made to Wisconsin.

As part of the purported conspiracy, the indictment alleges that Mr. Hutchins created the Kronos software, described as “a particular type of malware that recorded and exfiltrated user credentials and personal identifying information from protected computers.” (Id. ¶¶ 3(e), 4(a).) It also alleges that Mr. Hutchins and his co-defendant later updated Kronos. (Id. ¶ 4(d).)

All other alleged overt acts in furtherance of the purported conspiracy pertain solely to Mr. Hutchins’ co-defendant. Per the indictment, the codefendant (1) used a video posted to YouTube to demonstrate how Kronos worked, (2) advertised Kronos on internet forums, (3) sold a version of Kronos, and (4) offered crypting services for Kronos. (Id. ¶¶ 4(b), (c), (e), (f), (g).)

Aside from a bare allegation that each offense was committed “in the state and Eastern District of Wisconsin and elsewhere,” the indictment does not describe any connection to this District.

While the government has long suggested that the case is in EDWI because an FBI agent located there bought a copy of Kronos, the motion suggests Hutchins’ team hasn’t even seen good evidence of that yet.

Here, the indictment reflects that Mr. Hutchins was on foreign soil, and any acts he performed occurred there. There is no indication that damage was caused in the Eastern District of Wisconsin—or, indeed, that any damage occurred at all. At best, a buyer was present in this District. But the buyer would then need to use Kronos to cause damage in the District for venue to lie. Nothing [i]n the indictment supports that conclusion.

The charging of two foreigners is all the more problematic on the four wiretapping charges, given that (unlike CFAA), Congress did not mean to apply it to foreigners.

There is evidence that Congress intended the CFAA—the legal basis of Counts One and Six—to have extraterritorial application. The CFAA prohibits certain conduct with respect to “protected computers,” 18 U.S.C. § 1030(e)(2)(B), and the legislative history shows that Congress crafted the definition of that term with foreign-based attackers in mind. S. Rep. 104-357, at 4-5 (1996).

The Wiretap Act—at issue in Counts Two through Five—is different, though. That law does not reflect a clear congressional mandate that it should apply extraterritorially. Accordingly, courts have repeatedly found that it “has no extraterritorial force.” Huff v. Spaw, 794 F.3d 543, 547 (6th Cir. 2015) (quoting United States v. Peterson, 812 F.2d 486, 492 (9th Cir. 1987)).

There is a great deal of precedent to establish venue based on where a federal agent bought something. Indeed, the main AlphaBay case against Alexandre Cazes consisted of that (remember that Kronos was ultimately sold on AlphaBay). But that case was based on the illegal sale of drugs and ATM skimmers, not software, which given the challenge to the CFAA and Wiretapping application here, might make the EDWI purchase of Kronos insufficient to justify venue here.

I’m not sure whether this motion will succeed or not. But one way or another, given that the defense appears to have seen no real basis for venue here, this motion may serve as critical groundwork for what appears to be a justifiable argument that this case should never have been charged in the US.

I keep waiting for DOJ to give up this case in the face of having to argue that the guy who sinkholed WannaCry should be prosecuted because he refused to accept a plea deal on charges with no known US victims. But they’re probably too stubborn to do that.

Update: Corrected Joseph’s name. h/t GM.

Government Won’t Be Able to Hide Its Informant in MalwareTech Case

While Paul Manafort was busy getting charged with 32 new charges (more on that tomorrow), I was in Milwaukee at a motion hearing in MalwareTech (Marcus Hutchins’) case.

Hutchins was asking for five things from the government:

  1. More information on his surveillance in Vegas, partly to challenge the claim he wasn’t drunk or exhausted when he waived Miranda rights, partly to understand whether he really understood how Miranda works in the US, and partly for probably unstated other reasons
  2. Information on Tran, his co-defendant, who remains at large in some other country, that he would have gotten if Tran were in custody facing the same charges with Hutchins
  3. More information on “Randy,” the informant who provided chat logs and a copy of the Kronos malware while trying to proffer his way out of his own cyber-crimes
  4. The instructions provided to the grand jury, to see if the importance of intentionality to the charges was properly emphasized
  5. Both the MLAT request used to get information on Tran and the search warrant used to search Randy’s home

Here are my pieces on the motion, the government’s response, and Hutchins’ reply.

At Thursday’s hearing, Judge Nancy Johnson made the following decisions:

  1. Based on the government’s representation that it had no more information on surveillance of Hutchins, she denied that motion barring any further evidence that it exists (though she did make the prosecution check again to make sure there weren’t text messages between Agents)
  2. Based on the government’s representation that there was nothing Hutchins would get about Tran were he in custody that he hasn’t already gotten, she denied that without prejudice
  3. Required the government to provide “Randy’s” identity 30 days before trial
  4. Took the request for grand jury instructions under advisement
  5. Denied the request for the search warrant for “Randy’s” house, but asked for more briefing on other cases pertaining to MLAT requests

While the discussion about materials pertaining to Tran were uninteresting, my comments about the other requests follow:

What surveillance happens in Vegas stays in Vegas

Much of this discussion pertained to clarifications that the defense wasn’t looking for the FBI Agents’ lunch place recommendations, though Hutchins’ lawyer Brian Klein said he’d take them if he got them. Klein admitted, however, that they want the surveillance materials, in part, because they think the government intentionally waited to arrest Hutchins until after he had been partying with other hackers for a week. “[W]e have our reasons to believe they arrested him at very end of Vegas trip, there was maybe a very pointed reason to believe they chose to wait until the end.” Note, I’m not sure they’re after (just) the exhaustion of DefCon, or even the government’s desire to hold off on a real rebellion if they had arrested Hutchins just as everyone was arriving to Las Vegas. 

The government claims it only has active surveillance from July 26, and August 2, as he headed for the airport. Prosecutor Michael Chmelar described the July 26 date as Hutchins’ arrival, though I think that’s incorrect as I noted here.

Note, while August 2 is the day Hutchins left Las Vegas, the 26th was not the day he arrived; that was July 21. So they conducted surveillance of him on at least one day while he was in the US hanging out with other hackers at Black Hat, but won’t tell him if they conducted surveillance on the other days.

Chmelar also seemed to describe a discussion about “certain preparations put in place if he did travel to the US,” which is curious given that Hutchins was publicly talking about his trip to Vegas for some time, and given the apparently weird start date of the surveillance. Chmelar also described, for the first time, a 302 on his unrecorded comments on the way to the detention facility. Chmelar made it clear that they want to force Hutchins to take the stand if he’s going to challenge his Miranda warning.

One more comment about this: Black Hat and DefCon are among the most spooked up conventions going. There would have been tons of law enforcement types wandering around unassociated with Hutchins, specifically. Would he get any surveillance from those guys?

FBI finally dug through its AlphaBay loot to find materials supporting a six month old arrest

Hutchins’ co-defendant, Tran, allegedly sold the Kronos malware at issue on AlphaBay. FBI, working with international partners (and probably using the Tor exception), took AlphaBay down on July 20, even before Hutchins’ arrest, and immediately started using those materials to prosecute crimes that, unlike Hutchins’ alleged crime, have actual American victims.

Out of the “several hundred” investigations cited by Phirippidis, other publicly known active US prosecutions arising out of AlphaBay sales involve clear American victims and perpetrators: a person in California suspected of paying an Israeli teenagerto phone and email bomb threats to Jewish Community Centers around the country;a group that fulfilled over 78,000 marijuana orders over the last two yearsmaking them largest vendor on AlphaBay; a transaction that led to the fentanyl overdose death of an 18-year old girl in Oregon; another transaction that led to a fentanyl overdose death, this time of a 24-year old Orlando woman; a fentanyl vendor suspected of making over $120,000 in profits who is tied to a non-lethal overdose; an investigation out of Atlanta into a still unidentified American who worked for AlphaBay. Other, earlier prosecutions, include the sales of heroin,fentanyl, and marijuana laid out in the indictment of AlphaBay’s head, Alexandre Cazes.

In Chmelar’s explanation that the government really doesn’t have any materials on Tran, he revealed what he (incorrectly) thought had been revealed in the government response: an unencrypted copy of AlphaBay material pertaining to the Kronos sale “just became available,” and they have put in a request for the material. “If anything is produced in that request,” Chmelar said he’d turn it over.

Again, the lackadaisical approach to establishing evidence of the sale of Kronos as compared to other AlphaBay prosecutions suggests the sale of Kronos really wasn’t that big of a priority.

As Klein noted, the government had spent three pages of their response arguing that Hutchins couldn’t have any material pertaining to Tran; at the hearing Chmelar represented nothing existed. Based on that representation, Johnson denied any further discovery.

“Randy” is not just a tipster

Michael Chmelar is a well-spoken guy. But he stumbled a lot, umming and uhing, during his discussion of “Randy,” the government informant who reportedly had chats with Hutchins about Kronos.

He received Kronos from Mr. Hutchins, before he was acting as a government , um um source, we’ve produced the malware that was received. As Mr. [Benjamin] Proctor and I noted, if we determine that uh this individual would be called as a witness, we would disclose him as district court requires.

The government really, really wants to hide certain details about “Randy” (and as Chmelar admitted, the 302 in which he proffered up Hutchins and others includes pages and pages of redacted details of “Randy’s” own crimes.

As Johnson pointed out, even if the government uses Hutchins’ own statements to admit “Randy’s” testimony, Hutchins’s team can decide to call “Randy” themselves.

In any case, while she said “Randy” wasn’t fully a transactional witness, he is closer to that than to the tipster the government is claiming. So while the defense won’t get his identity, yet, they will before trial.

The government seems to have dropped its enthusiasm for a superseding indictment

Hutchins wants the instructions given to the grand jury because two of the charges don’t include the necessary language about the required intentionality. Chmelar used one of the charges, where in parallel ones in the indictment the intentionality language is correct, to suggest this was just a scrivener’s error — something he could disappear away with a stipulation — to suggest both were. But Klein argued “These are not just little nits or typos, it goes to mens rea, [Hutchins’] alleged mental state.”

There was also an interesting subtext about whether the grand jury instructions exist. Chmelar claimed that normally he doesn’t instruct the grand jury. Klein noted the government had claimed, ‘We’re not required to instruct them.’ “Well, they did.” And it seems that Chmelar did, indeed, admit that the jury had gotten instructions on this point (I’d have to look at the transcript to make sure).

Ultimately, Johnson said she’d take the request under advisement and do more research on what constituted a compelling need to obtain grand jury instructions, but wouldn’t rule until the defense submitted their challenges to the indictment.  

But what was just as interesting about this discussion is that, whereas previously there had been discussion about the government obtaining a superseding indictment (perhaps to lard on charges that might be easier to defend), Chmelar seemed unenthused about doing so here.

The government continues to insist documents sent to other countries are internal documents

Because privacy rights are not transitive in the United States (meaning, the Fourth Amendment only protects the privacy of the person whose premise is being searched, not those who might be implicated by the search), Hutchins is not going to get the search warrant for “Randy’s” house that led to chat logs involving Kronos to be discovered.

But the question of whether he’ll get the MLAT request to whatever foreign country had information on his co-defendant, Tran (but may not be arresting him), is still a matter Johnson is weighing. The government at first argued that they didn’t have to turn over the request because it was written by lawyers, not law enforcement officers. In the hearing, Chmelar defended withholding the request because the request, which was sent to a foreign country, was an internal document.

Both sides will submit more caselaw on when and whether such requests get turned over (and the open file discovery here may make turning it over more likely).