DOJ Stacks Charges On MalwareTech, Including Stuff Put Out Of Reach By The Statute Of Limitations
from the 'lying-to-feds'-bingo-card-complete dept
The government’s case against Marcus Hutchins, aka MalwareTech, isn’t getting any stronger. After detaining him at a Las Vegas airport following some post-conference partying, the FBI decided to hit the guy who inadvertently shut down WannaCry with charges for allegedly creating the Kronos malware. In essence, the case is about criminalizing security research, and the government’s indictment decided to hang Hutchins out to dry while allowing the people who actually sold the malware to remain unarrested and unindicted.
The charges were weak and the government appeared to know it. Deployment of malware to cause damage and wreak havoc is one thing, but creating malware — something lots of security researchers do — isn’t a criminal activity in and of itself. Thrown into the mix were wiretap charges based on the very thin premise that the malware was used to intercept communications.
Hutchins’ defense team pushed back, forcing the government to actually show its work. A discovery request intended to show Hutchins was drunk and tired when he was “interviewed” by the FBI was rebuffed by the government. It also appears — using the FBI’s own testimony and recordings — that Hutchins was never properly Mirandized.
Between them, the agents described how they flew out to Vegas the night before the arrest. Surveilling agents tracked Hutchins as he went to the airport and got through TSA then sat down at a first class lounge. As soon as Hutchins ordered a drink that turned out to be Coke but that the agents worried might be booze, Chartier, wearing business casual civvies, and two CBP agents wearing official jackets pulled Hutchins away from the lounge, placed him under arrest and cuffed him in a stairwell inside the secure area, and walked him to a CBP interview room, where Chartier and Butcher Mirandized him, then interrogated him for 90 to 100 minutes.
Even in telling that story, Chartier and Butcher’s stories conflicted in ways that are significant for determining when Hutchins was Mirandized. He said it took “seconds” to get into the stairwell and then to the interview room. She noted that the “Airport is rather large. Would have taken awhile.” to walk from place to place (it was 36 minutes between the time Hutchins cleared TSA, walked to the lounge, ordered a Coke, and the time Chartier first approached Hutchins). There seems to be a discrepancy on how many CBP agents were where when (that is, whether one or two accompanied Chartier and Hutchins all the way to to the interrogation room). Those discrepancies remained in spite of the fact that, as Butcher admitted, they had spoken, “Generally, about the interview, and Miranda, and making sure that we were on, that our facts were the same.”
Chartier described that the CBP recording equipment in the room “wasn’t functional that day,” which is why they relied on Butcher pressing a record button herself, which she didn’t do until (she said) Chartier started asking “substantive” questions, but after the Miranda warning.
With all of this going on, and the government’s charges relying on some very generous interpretations of the CFAA and wiretap laws, the feds appear unable to close this case successfully. Prosecutors were unable to get Hutchins to agree to a plea deal with their first try, so they’re going to take another crack at it. A superseding indictment [PDF] has been entered by the government and, as Marcy Wheeler explains, it’s even worse than the extremely shaky one it’s replacing.
[T]he government, which refuses to cut its losses on its own prosecutorial misjudgments, just doubled down with a 10-count superseding indictment. Effectively, the superseding creates new counts, first of all, by charging Hutchins for stuff that 1) is outside a five year statute of limitations and 2) he did when he was a minor (that is, stuff that shouldn’t be legally charged at all), and then adding a wire fraud conspiracy and false statements charge to try to bypass all the defects in the original indictment.
The government has added another piece of malware to its indictment — UPAS Kit — and is attempting to tie it to Hutchins. Even if it’s able to do this, it likely won’t help the government secure a conviction for two reasons. First, if the date is accurate, it means Hutchins was still a minor when this alleged crime took place. Second, the government has only five years to prosecute and the July 2012 date stated in the indictment means the statute of limitations has tolled.
There’s far more to it than that. Wheeler’s post detailing everything wrong with the superseding indictment is a masterpiece deconstruction of government desperation. The indictment wants jurors to believe simply writing about malware is a criminal act, even when the post cited actually details how to thwart malware. And it now includes an old DOJ favorite: making false statements to the FBI.
This last one might cause more problems for the FBI than it will solve. This will rely on statements made during the interrogation of Hutchins — one that’s already been marred by conflicting testimony by FBI agents.
First of all, as I’ve noted, one agent Hutchins allegedly lied to had repeatedly tweaked his Miranda form, without noting that she did that well after he signed the form. The other one appears to have claimed on the stand that he explained to Hutchins what he had been charged with, when the transcript of Hutchins’ interrogation shows the very same agent admitting he hadn’t explained that until an hour later.
So the government is planning on putting one or two FBI agents who have both made inaccurate statements — arguably even lied — to try to put Hutchins in a cage for lying. And they’re claiming that they were “conducting an investigation related to Kronos,” which is 1) what they didn’t tell Hutchins until over an hour after his interview started and 2) what they had already charged him for by the time of the interview.
The best case scenario, as Wheeler explains, in the government tying the 2012 (past the statute of limitations) criminal act to some “marketing” of the malware in 2014, allowing it to salvage all these charges.
In other words, they’re accusing Hutchins of wiretapping and CFAA crimes because someone else posted a YouTube.
And if it can tie anything to this YouTube video, it can nail down venue because YouTube is a US company. (Hutchins is a UK resident.)
What it may also be is another attempt to get Hutchins to cave to a plea deal. This indictment adds more charges, which could mean additional jail time and fines if he’s convicted. But that’s a huge if. What the government has shown so far doesn’t even meet the lowest standards of competency. It’s a garbage prosecution made worse by the FBI’s apparent decision to let the two people who actually marketed and sold malware walk away from this — either because the agency can’t locate them or (at least in “Randy’s” case) has already agreed to drop charges in exchange for testimony.