Prosecutors continue to use old tools to prosecute so-called cybercrimes.
On Tuesday, January 28, Aleksandr Andreevich Panin pleaded guilty to conspiracy to commit wire and bank fraud, which can result in a prison term of up to 20 years, for being the primary developer and distributor of the SpyEye malware. SpyEye’s purpose was to create a botnet (robot network) of infected machines that steal identities and money from bank accounts without the knowledge of the victim. Infection with this malware allows criminals to log keystrokes and collect credit card information, passwords, and other confidential information that allows them to empty the victim’s bank accounts and max out their credit. According to the DOJ press release, Panin created the virus and sold customized versions to criminal clients for a couple of thousand dollars a pop. These clients then turned around and used the virus to steal millions of dollars from victims. The SpyEye virus and its component parts served as the toolkit of choice for malware development for several years before detection and removal programs caught up with it in 2012. However, because many people do not use malware detection and removal software, there continued to be tens of thousands of victims in 2013. Panin was brought down when law enforcement tracked him down and then arranged for undercover agents or informers to purchase a customized copy of SpyEye from him. DOJ experts estimate that millions of computers worldwide are infected with SpyEye.
Panin is a Russian national, working with Armenian criminal groups, and was apprehended by law enforcement when changing planes in Atlanta. Another co-defendant was picked up catching a flight in Thailand and later extradited to the United States. According to the DOJ press release, the investigation led to the arrest of four clients of Panin in the United Kingdom and Bulgaria.
This prosecution shows the continued effectiveness of traditional conspiracy and mail and wire fraud statutes against emerging fraud schemes that use computers and the internet to steal from their victims. As long as the government can establish a scheme to defraud using the mails or wires, the level of technological sophistication the scheme involves doesn’t matter.
Criminal prosecutions using the “Cybercrime” statutes of Title 18 United States Code Section 1030 relating to computer trespass have for the most part involved either pedestrian activities or have resulted in controversy and embarrassment for the United States Attorneys bringing charges. These statutes are exceedingly broad, and thus rely heavily on prosecutorial discretion to decide whether a technical violation should be prosecuted (such as logging into a computer using a secretary’s username and password to retrieve personal files after employment has terminated). The cybercrime statutes have a lower cap on imprisonment, a one- to 10-year ceiling compared to a 20-year ceiling with mail or wire fraud, and so prosecutors prefer the greater teeth of the wire and mail fraud statutes. Mail and wire fraud prosecutions are free from many of the technical issues that can over-complicate a hacking trial. Generally, the cybercrime statutes are attractive for use in plea bargain negotiations because they carry a lower exposure to imprisonment and misdemeanor violations are possible.
It is very likely that major prosecutions for cybercrime will still come under traditional mail and wire fraud statutes. Major cybercrime statute prosecutions will be brought where the hackers weren’t seeking something of value to enrich themselves but were seeking to cause damage with their attack and have a greater ideological or political motive. Of course, the most well-known cybercrime statute prosecution (that of Reddit co-founder Aaron Swartz) was not about money or causing damage, but about access to information: university studies funded with public money hidden behind paywalls.