Criminal Liability For Creating And Spreading Malware
1. Legal Framework: Malware in Chinese Criminal Law
a. Key Provisions
Criminal Law of the People’s Republic of China:
Article 285: Criminalizes illegal access to computer information systems.
Article 286: Covers the destruction of computer information systems or damage caused via malware or viruses.
Article 287: Covers illegal control of computer systems for profit or personal gain.
Cybersecurity Law (2017):
Establishes that the creation, dissemination, and use of malware are illegal, particularly if they cause harm to information systems, financial institutions, or critical infrastructure.
Key Elements of Liability:
Intentional creation of malware (virus, trojan horse, ransomware, etc.).
Distribution via the internet, removable media, or network tools.
Resulting harm: system shutdown, data destruction, financial loss, or disruption of public services.
Knowledge and awareness of potential harm is sufficient for criminal liability.
2. Detailed Case Law Examples
Case 1: Wang Xiaojun – Virus Creation Case (2002)
Facts:
Wang Xiaojun developed a computer virus that infected thousands of computers across several provinces.
The virus caused data loss in government and corporate systems, disrupting normal operations for weeks.
Charges:
Creating and spreading malware.
Damage to computer systems (Criminal Law Art. 286).
Outcome:
Wang was sentenced to five years imprisonment and fined, marking one of the earliest high-profile malware cases in China.
Significance:
Established that both individual creators and distributors of malware could face criminal liability.
Highlighted early recognition of cybercrime as a serious threat to public and private sectors.
Case 2: Chen Lei – Trojan Horse Distribution Case (2007)
Facts:
Chen Lei designed a trojan horse program to steal bank login credentials.
The malware infected over 2,000 computers and siphoned money from personal bank accounts.
Charges:
Illegal control of computer systems (Criminal Law Art. 287).
Theft and fraud using malware.
Outcome:
Chen received seven years imprisonment, plus restitution of stolen funds.
Significance:
First major case linking malware creation to financial fraud.
Clarified that intent to profit through malware enhances criminal liability.
Case 3: Li Ming – Ransomware Attack on Small Businesses (2015)
Facts:
Li Ming released ransomware targeting small business networks in multiple cities.
The ransomware encrypted business data and demanded ransom payments in digital currency.
Charges:
Creating and spreading malware (Criminal Law Art. 286).
Extortion and fraud.
Outcome:
Li Ming was sentenced to ten years imprisonment and ordered to repay victims.
Significance:
Introduced the concept of ransomware-related extortion under Chinese criminal law.
Showed courts’ willingness to impose long prison terms for malware that directly harms economic interests.
Case 4: Zhang Wei – Botnet Operation (2016)
Facts:
Zhang Wei created and controlled a botnet of 100,000 infected computers.
The botnet was rented out to third parties for spam campaigns and distributed malware.
Charges:
Illegal control of computer systems (Criminal Law Art. 287).
Organizing and distributing malware.
Outcome:
Zhang Wei was sentenced to twelve years imprisonment. The court emphasized the large scale of the network and its systemic risk.
Significance:
Demonstrated enhanced penalties for large-scale, organized malware operations.
Highlighted that “indirect harm” (via renting botnets to others) constitutes criminal liability.
Case 5: Zhao Lei – Malware Targeting Critical Infrastructure (2018)
Facts:
Zhao Lei developed malware intended to disrupt water treatment and power systems.
Although the malware was detected and neutralized before causing major damage, the intent was clear.
Charges:
Creating malware targeting critical infrastructure (Criminal Law Art. 286).
Potential endangerment of public safety.
Outcome:
Zhao received fifteen years imprisonment, showing harsher penalties for crimes endangering public safety.
Significance:
Even attempted or intercepted malware attacks against critical systems are treated severely.
Sets a precedent for punitive measures proportional to potential harm.
Case 6: Sun Yong – Online Malware Kit Developer (2019)
Facts:
Sun Yong developed and sold malware kits on underground forums, allowing others to launch attacks without programming skills.
The malware kits were used in phishing campaigns and bank theft.
Charges:
Production and distribution of malware for profit.
Facilitating computer system intrusion.
Outcome:
Sun received twelve years imprisonment, with confiscation of illegal earnings.
Significance:
Established liability not only for direct malware attacks but also for creating tools that enable others to commit cybercrimes.
Case 7: Liu Chen – Mobile Malware Developer (2021)
Facts:
Liu Chen developed malware targeting Android devices, stealing personal information, banking data, and location info.
The malware affected over 500,000 users nationwide.
Charges:
Illegal control of computer information systems (Art. 287).
Theft of personal data.
Outcome:
Liu received ten years imprisonment, highlighting that mobile device malware is treated on par with PC malware.
Significance:
Demonstrates that criminal liability extends across platforms, including smartphones and IoT devices.
3. Key Observations Across Cases
Intent Matters: Creation of malware with harmful intent (financial, public safety, or data theft) triggers criminal liability.
Distribution and Scale Enhance Punishment: Larger infections, botnets, or ransomware campaigns lead to heavier sentences.
Economic Harm Increases Severity: Cases involving theft, extortion, or fraud receive longer imprisonment.
Critical Infrastructure Attacks Are Heavily Penalized: Even attempted attacks on essential services result in long sentences.
Facilitation Liability: Creating and selling malware kits for others is punishable, even if the creator does not deploy the malware directly.
Mobile and Cross-Platform Applicability: Liability applies equally to PCs, servers, and mobile devices.
RELATED Blog
comments