MalwareTech Prosecution Appears To Be Falling Apart As Gov't Plays Keep Away With Documents Requested By Defense

from the piling-up-fatal-errors? dept

Marcus Hutchins, a.k.a. MalwareTech, went from internet hero (following his inadvertent shutdown of the WannaCry ransomware) to federal government detainee in a surprisingly short amount of time. Three months after saving the world from rampaging malware built on NSA exploits, Hutchins was arrested at the Las Vegas airport as he waited for his flight home to the UK.

When the indictment was published, many people noted the charges didn’t seem to be backed by much evidence. The government accused Hutchins of creating and selling the Kronos malware, but the offered very little to support this claim. While it’s true much of the evidence against Hutchins will be produced in court, the indictment appeared to be stretching legal definitions of certain computer crimes to their limits.

The government’s case appears to be weak and reliant on dubious legal theories. It’s not even 100% clear that creating and selling malware is an illegal act in and of itself. The charges the government brought rely heavily on proving Hutchins constructed malware with the intent to cause damage to computers. This isn’t so easily proven, especially when the government itself is buying malware to deploy for its own purposes and has yet to bring charges against any of the vendors it buys from. Anyone selling exploits to governments could be said to be creating malware with intent to cause harm. That it’s a government, rather than an individual, causing the harm shouldn’t make any difference — at least not if the government wants to claim selling of malware alone is a federal offense.

The case appears to be even weaker now that more paperwork has been filed by both parties. If the government has a lot of evidence to use against Hutchins, it has yet to present it to Hutchins’ lawyers. What’s detailed in the motion to compel recently filed by Hutchins’ defense team shows the government is either playing keep-away with crucial information or simply does not have much evidence on hand.

Marcy Wheeler digs into the motion to compel [PDF] and notes it appears to show the government’s case is incredibly weak. And if sketchy, minimal evidence doesn’t undo the government’s case, the actions of the FBI agents involved might.

First, there are some questions about the circumstances surrounding Hutchins’ detainment at the Las Vegas airport. As the motion points out, there’s a good chance Hutchins was in no condition to consent to an interrogation, having been up late the night before drinking and celebrating the wrap-up of the conferences he had attended.

The defense needs all communications and materials related to the surveillance and arrest of Mr. Hutchins to help establish that his post-arrest statements were involuntary and in violation of Miranda. The defense intends to argue that the government coerced Mr. Hutchins, who was sleep-deprived and intoxicated, to talk. As such, his decision to speak with the agents was not knowing, intelligent, and made in full awareness of the nature of the right given up and the consequences of giving up that right, as the law requires. Coleman v. Hardy, 690 F.3d 811, 815 (7th Cir. 2012).

The Seventh Circuit recognizes that intoxication is relevant to the voluntariness—legally, in terms of a statement’s admissibility, and factually, in terms of the weight to be given to an admissible statement—of post-arrest statements. See, e.g., United States v. Carson, 582 F.3d 827, 833 (7th Cir. 2009). The defense believes the requested discovery will show the government was aware of Mr. Hutchins’ activities while he was in Las Vegas, including the fact that he had been up very late the night before his arrest, and the high likelihood that the government knew he was exhausted and intoxicated at the time of his arrest.

Note the mention of the Miranda warning. This poses its own problems for a couple of reasons. As the motion points out, it’s unclear how (or when) [or if] Hutchins was Mirandized. The FBI could have given Hutchins the actual Miranda warning, which makes it clear arrestees have both the right to remain silent and the right to an attorney. Or the agents could have decided the UK version was more applicable for the British citizen. This version does not guarantee the right to an attorney and notes remaining silent can be used against you in court.

Given the fact Hutchins is being prosecuted in the US, it’s likely agents would have given him the American version. But there’s no way to tell which version Hutchins received because the FBI’s recording of the interrogation doesn’t contain any recording of a Miranda warning being delivered.

After Mr. Hutchins was taken into custody, two law enforcement agents interviewed him at the airport. The memorandum of that interview generically states: “After being advised of the identity of the interviewing Agents, the nature of the interview and being advised of his rights, HUTCHINS provided the following information . . .” A lengthy portion of Mr. Hutchins’ interview with the agents was audio recorded. Importantly, however, the agents did not record the part of the interview in which they purportedly advised of him of his Miranda rights, answered any questions he might have had, and had him sign a Miranda waiver form.

If the government plans to introduce the interrogation recording as evidence, the lack of a recorded Miranda warning or signed Miranda waiver should weigh against the admissibility of any incriminating statements Hutchins might have made. Combine that with Hutchins’ alleged mental state (exhausted, intoxicated) at the time of the questioning and the FBI may have proactively destroyed a substantial amount of first-hand testimony.

The motion to compel goes on to point out there’s plenty of information the government has yet to turn over to the defense. Hutchins’ defense still hasn’t seen anything related to his alleged co-conspirator (who still remains at large) — not even the information the government apparently received as the result of an MLAT (Mutual Legal Assistance Treaty) request sent to the co-conspirator’s home country.

The defense also wants more info on the FBI’s witness known only as “Randy.” The government is trying to have it both ways here. “Randy” appears to be a witness, but the government has downgraded “Randy” to a mere “tipster” to avoid turning any info over on “Randy” to the defense. Informant confidentiality can be maintained under some circumstances, but not if the government is hoping to use this informant as a witness.

Here, the government’s refusal to disclose even the identity of “Randy’s” attorney is apparently the result of miscategorizing an important witness as a mere tipster. “Randy” is a cooperating witness, one whose provision of information to law enforcement was facilitated by consideration—proffer immunity, at the least—from the government. This circumstance alone weighs against continuing confidentiality because “Randy” surely knows his cooperation will be revealed…

The defense expects “Randy” to testify at trial because he is alleged to have had extensive online chats with Mr. Hutchins around the time of the purported crimes in which Mr. Hutchins discussed his purported criminal activity. Any communications and materials relating to “Randy” are therefore material to defense preparations.

Wheeler speculates the hide-and-seek nature of the government’s handling of “Randy”-related material has something to do with “Randy’s” possible lack of usefulness. Hence the last-minute downgrade of “Randy’s” stature and the ongoing refusal to produce documents.

I’m guessing if the government were required to put “Randy” on the stand they’d contemplate dismissing the charges against Hutchins immediately. I’m guessing the government now realizes “Randy” took them for a ride — perhaps an enormous one. And given how easy it is to reconstitute chat logs — but here, it’s not even clear “Randy” has the chat logs, but just claimed to have been a part of them, in an effort to incriminate him — I’m guessing this part of the case against Hutchins won’t hold up.

The defense is also seeking discovery of the grand jury instructions. As noted earlier in this post, the government set a high bar for itself, offering up charges that require it to prove intent to harm, rather than simply the creation and distribution of malware. As the government appears to have only limited evidence related to proof of intent, it may have secured the indictment by glossing over the “intent” part of the charges. If the instructions were insufficiently clear, the indictment itself might be in trouble.

Wheeler suggests now might be the time for government to cut its losses and give Hutchins back his freedom. But, as she notes, the government prefers to double-down when on hole-digging in these situations. If the government is realizing its case against Hutchins is bullshit, it may dig in and impede discovery efforts just to make the accused pay for daring to fight back.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “MalwareTech Prosecution Appears To Be Falling Apart As Gov't Plays Keep Away With Documents Requested By Defense”

Subscribe: RSS Leave a comment
Anonymous Coward says:

And this is why...

…security researchers like me stay far, far away from any kind of public involvement. If I have anything to disclose, it’ll be anonymous with no warning to the affected entities.

Why? Because trying to be nice doesn’t work. At best, the report will be denied, the followup will be stonewalled, the company/country will make groundless accusations, and then eventually, maybe, the problem will be quietly addressed and someone else will take credit for it.

At worst, the door will be kicked down at 5 AM and all my stuff will be confiscated, I’ll be arrested and charged with anything/everything, and my ability to make a living will be destroyed. If I ever manage to get out from under the legal problems, I’ll be bankrupt and then homeless.

So while I could do some modest good here and there, I’m going to lift a finger. I’ve learned the lesson.

Anonymous Coward says:

Re: And this is why...

And this is why……security researchers like me stay far, far away from any kind of public involvement. If I have anything to disclose, it’ll be anonymous with no warning to the affected entities.

Sadly, I agree with this. Every time I have been nice, I’ve been threatened with lawsuits and my employers have been contacted and told to fire me. Luckily, my employers have basically told them to pound sand and ask them when they are going to fix their shit. With that, and this, it ain’t worth my time or energy to do it the right way.

alternatives() says:

Re: Mad Dogs and Englishmen WAS And this is why...

Another take away is Don’t come to America. I believe old John Mad Dog Hall has the position of not traveling to the nation to avoid being subjected to its laws and enforcement.

A fine “protest” would be to make some open source code on more open hardware like a Raspberry PI to allow people who’d like to be at, say, DefCon have remote tele presence. Futureama Hall of Presidents style. Perhaps call it Rsides?

Anonymous Coward says:

Now, now, kids: relying on technicalities likely means DOOMED.

Trying to take back what admitted is going to be tough.

This isn’t blurting once "I did it!", which might be misunderstanding or confusion, but apparently long series of statements by a highly intelligent indiv, among which are admitting writing the malware.

For perverse cause that always intrigues me, Techdirt, knowing no more than me, just automatically sides with likely criminals. Here, a confessed author of malware makes for likely regardless of all else, yet Techdirt tries to ‘splain that away as having all sorts of possible good reasons.

Never change, Techdirt! You are the patron site of lost causes.

An Onymous Coward (profile) says:

Re: Now, now, kids: relying on technicalities likely means DOOMED.

Criminal or not, simply writing malware or even selling it is not (currently) illegal. If your entire argument rests on that then you have no argument. Malware is a crappy thing to release into the wild but it’s going to happen and in the US, at least, it’s not a crime. Unless the FBI decides it doesn’t like you.

If he had planted it himself and caused destruction of property in some form then that’s illegal and he should suffer the consequences. If you can manage a few minutes of critical thinking and reading comprehension you’ll see that’s not what this article describes.

TD defends rights, not “feels”.

Anonymous Coward says:

Re: Now, now, kids: relying on technicalities likely means DOOMED.

Even if he is a guilty, malicious criminal, it’s important for the freedom and justice of the innocent that we do not allow people to be jailed based upon insufficient evidence or for merely writing software.

But if he is so malicious and guilty (as you seem to believe), then why did he shut down the WannaCry ransomware?

JMT (profile) says:

Re: Re: Re: Now, now, kids: relying on technicalities likely means DOOMED.

That’s NOT a technicality, it’s an extremely important part of the justice system. Protections like this were put in place because of rampant historical abuse by the authorities. You absolutely should but be belittling them, since you obviously don’t know where they came from.

discordian_eris (profile) says:

Feds Have a Serious Credibility Problem

I’m reminded of this quote almost every time the FBI is involved in a case.

He who permits himself to tell a lie once, finds it much easier to do it a second and third time, till at length it becomes habitual; he tells lies without attending to it, and truth without the world’s believing him. This falsehood of the tongue leads to that of the heart, and in time depraves all its good dispositions.

Thomas Jefferson

The FBI lies so habitually I fail to see how any judge can treat them as credible.

alternatives() says:

Milwaukee County and Wisconsin has plenty of crooked timbers when it comes to lawyers.

Lawyers being stupid in Milwaukee doesn’t shock me.

At least California was willing to throw out a lawyer who was accused of wife strangulation and plead out to battery.

In Wisconsin you can act as the lawyers for a company, claim the general manager doesn’t know who the owners are of the company THEN do 40+ hours of billable work against the company while NOT being the attorneys of record. Why does the state bar do nothing? Your CEO is the treasurer for an appellate court judge may be a factor.

Meanwhile the chief judge of Milw County is secreting court records as they would show the court worked to prevent charges being pressed against a public official who ‘recanted’ his sworn statements.

As the one judge said to me “We do things loose here”.

TrickyRickDreamsOfScreams (profile) says:

Re: Re:

This could also be an Asshole John, but that would be depending upon the nuanced specifics, but like wikipedia, the law (as well as these comments) is SUPPOSED to not be about “winning.” Seriously, are all of these judges and prosecutors Charlie Sheen? Because they only care about winning, as opposed to actually carrying justice, and I swear, they’ve all gotta be on drugs, legit coked out, because they make NO SENSE. I’m having pop culture flashbacks to 2010, here. What’s next, screaming about having tiger blood?

That Anonymous Coward (profile) says:

This is all an orchestrated effort to scare white hats.

They represent a huge liability to companies who prefer security by obscurity, to pocket the savings.
They represent a huge threat to the government, they might discover vulnerabilities, that they paid out handsomely for, and patch them. (Ignoring their habit of letting them lay around on any old server).

How dare these regular people invest their own time into trying to secure everyone, and make the governments job of hacking & stealing harder.
We squeezed this little fish into a ramp to a bigger target & amazingly our case lacks reality. We loved the story of this whitehat turning to the dark side, and working against the interests of the US. It was thrilling & we were sure we’d get bonuses & that sweet sweet cyber money added to our budget. We didn’t need to check anything, he talks computer he must be evil.

@b says:

On that which has not yet been evidenced....

How will the prosecution argue that they did not need to hand-over the evidence they will later admit to have received?

What are their options? For example, maybe they can easily claim a “withheld” document is not yet discovered, and then later reveal “oh look, this just in”. Is that possible? Easy to get away with? Undesirable for some strategic reason?

A lot hinges on how these cases tend to play out. Otherwise we all just guess.

alternatives() says:

Re: On that which has not yet been evidenced....

<i>For example, maybe they can easily claim a “withheld” document is not yet discovered, and then later reveal “oh look, this just in”. Is that possible?</i>

There are 3 “sets” of “rules” at play here. Rules of evidence, the bar rules and the rules for the prosecutor. The Discovery rules state things can be turned in later ‘as found’. Bar rules talk about honesty to the tribunal. And the rules for the prosecutor – I’ve not used but when I’ve looked at ’em they appear to be more strict than the bar rules.

ENFORCEMENT of the rules, well, that is another matter. My guess is it is lip service and as this case is Judge Statmuller and he’s a DOJer from the 1970’s I’m guessing that unless people are lined up deeper in that courtroom than the Aug hearing “seeking answers” as to why the prosecutor isn’t answering Discovery he’ll be favorable to the DOJer.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...