A Latvian computer programmer was sentenced to 14 years in prison for designing a program that helped hackers improve malware, including some used in the 2013 Target breach.
Ruslan Bondars, a 37-year-old Latvian citizen, was found guilty at a May trial in federal court in Alexandria, Va., during which a co-conspirator revealed the pair had worked with Russian law enforcement.
Hackers used their “Scan4You” program to see if antivirus programs would identify their software as malicious; it could be adapted into malware kits sold to cybercriminals. Bondars argued that there are legal uses for the product and that he was not responsible for when it was used illegally.
“Our position protects all online businesses; all online businesses have legitimate and illegitimate users,” defense attorney Jessica Carmichael said in court Friday.
“It’s an interesting theory,” but not one that applies in criminal cases, Judge Liam O’Grady responded. He told Bondars, “There’s zero chance that you didn’t know the harm being done by the malware hackers used your service to perfect.”
Prosecutors said it is common and perfectly legal to hold software developers liable for creating products that could be used for good as well as ill.
“The defendant apparently thinks he is unique in being charged for creating and selling a computer product that had theoretical lawful uses. He is not. Malware often has theoretical lawful uses,” Asst. U.S. Atty. Kellen Dwyer wrote in his sentencing argument.
Co-conspirator Taylor Huddleston made a similar argument in an interview with the Daily Beast last year, saying he was being prosecuted for designing software he never intended as malicious. Huddleston, 27, ultimately pleaded guilty to a hacking-related crime in Alexandria; one of his co-defendants testified against Bondars.
One Scan4You user was behind the 2013 theft of credit card information from about 40 million Target customers.
“I feel ashamed that some of the website users used it for such terrible things,” Bondars told the court in halting English on Friday.
Bondars argued in court filings that the service had little to do with the massive data breach, which cost Target hundreds of millions of dollars. He emphasized that the malware was also run through a mainstream virus-detection service and that Target’s own security system saw the breach but it was ignored. Bondars’ product was not actually used to help get into Target’s system or steal the information, according to court testimony. An expert from Verizon who helped investigate the hack said the files tested in Scan4You were probably used to figure out where payment information was stored.
Cybersecurity experts have said the hacker, identified in court as “Profile 958,” is probably a Ukrainian named Andrey Hodirevski.
Target is demanding restitution from Bondars; an amount has yet to be decided.
Although Bondars was never charged with direct involvement in any hacking and made little money from Scan4You, court documents show he had used malware to rob people and to trick people into buying antivirus services they did not need.
Services like Scan4You remain easy to find online; prosecutors say it was an “innovation” in malware that has inspired copycats.