Hacking, Phishing, And Ransomware Offenses

Overview — the offenses and the legal framework (short)

Hacking / Unauthorized access (U.S. context): most criminal prosecutions use the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. Key elements often include (1) accessing a protected computer, (2) without authorization or exceeding authorized access, and (3) obtaining information, causing damage, or committing fraud. State laws mirror federal concepts.

Phishing: usually prosecuted under wire fraud (18 U.S.C. § 1343), identity-theft statutes, access-device fraud, or specific computer-fraud provisions. Elements: scheme to defraud (or obtain money/property), use of electronic communications, and often the obtaining of credentials or funds.

Ransomware: prosecutions combine unauthorized access, damage to protected computers under CFAA (including transmission of malicious code), wire fraud, extortion statutes, and sometimes money-laundering counts. Attribution and transnational issues are common.

I’ll avoid describing how to commit these crimes; the discussion below focuses on legal issues, precedent, and outcomes.

Key cases (detailed)

1) United States v. Morris — the “Morris worm” (2d Cir., decision 1991; conviction 1989–1991)

Facts: In 1988 Robert Tappan Morris released a self-propagating worm that infected thousands of university and government computers, causing significant disruption. He claimed it was an experiment, not intended to cause harm.
Charges: Violations of the CFAA (then codified similarly), among other counts.
Court holdings & outcome: Morris was convicted. On appeal the Second Circuit affirmed criminal liability under the relevant statutes and sentenced him (the sentence included probation, community service, and a fine). The court held that causing damage and impairment of use through unauthorized access (or propagation) falls within the federal statute.
Why it matters: This was one of the first major federal computer-crime cases. It established that self-propagating malware causing real-world damage can be criminal under the CFAA and demonstrated the statute’s reach to novel network harms. It also sparked debate about mens rea and the breadth of the law, influencing later statutory interpretation and policy.

2) United States v. Nosal (9th Cir., two major opinions: Nosal I, 676 F.3d 854 (2012) and Nosal II, 844 F.3d 1024 (2016))

Facts: David Nosal recruited former employees to obtain confidential information from his former employer by using their authorized credentials. The government prosecuted under the CFAA for “exceeding authorized access.”
Holdings:

Nosal I (2012): The Ninth Circuit initially interpreted the CFAA in the context of conspiring to obtain trade-secret data using others’ authorized access; it allowed prosecution on those facts.

Nosal II (2016): On rehearing the court clarified and narrowed the statute: the CFAA’s phrase “exceeds authorized access” does not apply to employees who access information that is otherwise available to them but do so for improper purposes (e.g., violating an employer’s use policy). The Ninth Circuit held that interpreting “exceeds authorized access” to punish policy violations (like using work credentials for non-work purposes) would turn ordinary terms-of-use breaches into federal crimes. The Ninth Circuit therefore limited criminal liability to cases where access rights themselves were revoked or where the defendant accessed information he was not entitled to obtain.
Why it matters: Nosal II is one of the most important modern limits on CFAA scope — it prevents criminalizing large amounts of ordinary workplace misconduct or violations of website terms of service. It draws a bright line between technical authorization (access rights) and misuse of authorized access. Many courts outside the Ninth Circuit have wrestled with whether to follow this narrower interpretation.

3) United States v. Auernheimer (3d Cir., 2014)

Facts: Andrew Auernheimer (aka “weev”) and a collaborator wrote a script that collected email addresses of iPad owners from AT&T’s public web interface (the data was accessible through predictable URLs). They posted a large list of addresses and were prosecuted under the CFAA and identity-theft statutes.
Holding & outcome: The Third Circuit vacated Auernheimer’s convictions, not on the underlying CFAA interpretation, but because the government prosecuted him in an improper venue (the site’s servers were in New Jersey, but the defendant was in Arkansas). The court held that venue in criminal cases must be proper and vacated the conviction on that basis. The government later faced issues reindicting.
Why it matters: Auernheimer’s case shows two things: (1) courts will scrutinize technicalities like venue in cyber-cases, and (2) it underscores the tricky line between scraping publicly accessible data and “unauthorized access.” Although the data were publicly accessible, the case triggered debate about whether automated scraping could be criminalized.

4) United States v. Lori Drew / The Lori Drew prosecution (2008–2009)

Facts: Lori Drew created a fake MySpace profile of a teenage boy and used it to communicate with Megan Meier, who later committed suicide. The U.S. Attorney pursued prosecution under the CFAA, arguing that creating the fake account violated MySpace’s Terms of Service and therefore constituted unauthorized access to the site.
Outcome & legal significance: A jury convicted on some misdemeanor counts, but a federal judge (and later appellate consideration and application of statutory interpretation) substantially overturned or limited the convictions, finding that interpreting the CFAA to reach violations of website terms of service would be unconstitutionally vague and could criminalize massive amounts of ordinary internet behavior. The case chilled the DOJ’s use of the CFAA for ordinary conduct and pushed policymakers to seek clearer statutes for online harms.
Why it matters: Drew is often cited alongside Nosal as reflecting judicial reluctance to expand CFAA criminality to simple breaches of website rules or terms of service. It also raised questions about the proper tool for prosecuting online harassment versus classic computer-crime statutes.

5) Prosecution of Marcus “MalwareTech” Hutchins (plea in 2019)

Facts: Marcus Hutchins, a UK researcher who famously helped stop the WannaCry ransomware worm in May 2017, was arrested in the U.S. in 2017 and charged with developing and distributing Kronos banking malware earlier in his career. The government alleged he created and trafficked in malware designed to steal banking credentials.
Outcome: Hutchins pleaded guilty in 2019 to two counts related to writing and distributing malware and was sentenced to time served and a year of supervised release. He explained he had written code earlier in his life and expressed remorse.
Why it matters: The Hutchins prosecution balances two themes: (1) law enforcement will pursue creators/distributors of malware even if they later turned “white hat,” and (2) prosecutorial discretion and remediation (cooperation/rehabilitation) can influence outcomes. It also shows how international researchers can become entangled in U.S. charges because malware affects U.S. systems.

6) U.S. Indictments of State-linked Actors (example: North Korean “WannaCry” and other campaigns) — e.g., indictment of Park Jin Hyok (2018)

Facts & charges: The U.S. Department of Justice publicly indicted DPRK cyber-operatives (including Park Jin Hyok) for a multi-year campaign: the 2014 Sony Pictures hack, the 2017 WannaCry ransomware attack, and other intrusions. The indictments allege conspiracy to commit computer fraud, wire fraud, and money laundering.
Legal significance & issues: These are criminal indictments rather than cases resolved by conviction in U.S. courts because the defendants are outside U.S. custody. Such indictments serve multiple functions: they document attribution (the government’s theory of responsibility), enable sanctions, and support international cooperation. They also raise difficult questions about extraterritorial jurisdiction, diplomatic issues, and how to pursue defendants whom the U.S. cannot easily bring to trial.
Why it matters: These indictments illustrate how ransomware and nation-state cyber operations are treated as serious federal crimes (and sometimes as acts of state-sponsored wrongdoing). They also show prosecutors using a mix of CFAA, wire fraud, and money-laundering statutes to build cases.

7) Aaron Swartz / High-profile CFAA controversy (2011–2013)

Facts: Aaron Swartz, an activist and programmer, downloaded a large number of academic articles from JSTOR via MIT’s network (using a campus computer account and a script to fetch files). Prosecutors charged him under the CFAA and other statutes, seeking significant prison time. Swartz faced aggressive federal charges; he died by suicide in 2013 before trial. The prosecution drew heavy public criticism.
Legal and policy impact: Though not a traditional appellate “case” that established precedent, Swartz’s prosecution had major policy consequences: it sparked debates about CFAA overreach, proportionality of charges, prosecutorial discretion, and the need for statutory reform. Legislators and legal scholars cited the affair when pushing for narrower CFAA language and when advocating for more careful charging decisions in computer-related matters.
Why it matters: Swartz’s situation highlights the human and ethical dimensions of applying broad computer-crime laws to conduct that some view as civil disobedience or policy protest. It influenced both public opinion and reform efforts.

Themes & legal doctrines that emerge from these cases

Statutory scope and ambiguity (CFAA): Courts are wary of interpretations that would turn routine policy violations (e.g., terms-of-service breaches) into federal crimes. Nosal II and Lori Drew are central to that principle.

“Without authorization” vs “exceeds authorized access”: Many disputes turn on the meaning of these phrases. Some courts take a broad view; others (like the Ninth Circuit in Nosal II) narrow the language to avoid criminalizing trivial conduct.

Venue, extradition, and transnational issues: Auernheimer and the state-linked indictments show that courts scrutinize proper venue; yet many cyber-cases involve foreign defendants who may never face trial in the U.S., making an indictment part law-enforcement tool and part policy tool.

Mens rea and intent: Courts differ on how much illicit intent the government must prove. For serious malware or ransomware where damage and extortion are clear, intent is often easily shown. For “access” cases the required mental state and whether a civil policy breach becomes a crime are hotly litigated.

Charging strategies & statutory layering: Prosecutors commonly stack CFAA counts with wire fraud, identity-theft, extortion, money-laundering, and immigration or export-control counts to cover multiple legal theories.

Public policy and proportionality: Prosecutions that seek severe punishment for conduct that seems minor in context (e.g., reuse of credentials, scraping public data) have attracted judicial and public criticism.

Practical takeaways (for students, lawyers, policymakers)

If access is technically available to you (your login works and the data isn’t locked down), courts may still distinguish between (A) authorized access and (B) wrongful purpose while authorized. Many courts will not convert (B) into a federal crime unless there’s proof you accessed data you were not permitted to access at all.

Creating or distributing malware, causing damage, or engaging in extortion (ransomware) is treated very seriously and is likely to lead to criminal liability and harsh sentences.

International attribution and indictments are common in ransomware; even if the defendant isn’t brought to trial, indictments support sanctions and diplomatic pressure.

The CFAA remains a powerful but controversial tool; interpretation varies across circuits. Watch for venue issues and the growing legislative interest in reform.
