How Cybercriminals Attempt To Dodge Prosecution With Legal Disclaimers

Learn how cybercriminals use superficial disclaimers to deceive others while facilitating illegal activity on cybercrime forums.
May 21, 2024

On cybercrime forums and networks, it's not uncommon to come across malware creators and sellers who attempt to evade responsibility by including disclaimers stating that their tools are intended for "educational purposes and penetration testing only." However, a closer examination of these claims often reveals a different reality.

To illustrate this point, let’s examine the context, creators, and users of these tools more closely to see how they reveal malicious intentions.

True Intentions Behind Malware Disclaimers

We recently discovered a piece of malware called Pure Miner on a low-level cybercrime forum. The software is advertised as a tool for mining cryptocurrency.

[Image: Advertisement for a cryptocurrency miner called Pure Miner]

When a potential buyer attempts to purchase Pure Miner, they are immediately presented with a terms of service (TOS) agreement.

This TOS explicitly states that the software is not intended for malicious use and should only be used for educational or penetration testing purposes. However, this disclaimer seems to be nothing more than a superficial attempt to avoid legal repercussions.

[Image: Terms of service belonging to Pure Miner]

One of the most glaring red flags is that PureCoder, the creator of Pure Miner, actively advertises the software on well-known cybercrime forums. These forums are popular gathering places for hackers, malware developers, and other cybercriminals. If the true intention of Pure Miner was legitimate, it would be highly unlikely for it to be advertised in such places.

In one thread where Pure Miner is advertised, PureCoder has included testimonials from satisfied customers. However, upon closer examination, it becomes apparent that these “customers” are using Pure Miner for malicious purposes.

[Image: Customer testimonials for Pure Miner]

If you read the testimonials, you will notice that two keywords stand out: "bots" and "crypt." For anyone unfamiliar with cybercrime terminology, a "bot" generally refers to an infected machine, and "crypting" is the process of making a piece of malware undetectable by antivirus solutions. This is another indicator of malicious use: there would be no reason to put a piece of software through a crypting process if you were deploying it on machines you have legitimate access to, and you certainly wouldn't refer to those machines as "bots."

A review of PureCoder's user profile also suggests that they have a history of selling botnets, stealers, and spreading methods to obtain more bots. This information further undermines the credibility of the claim that Pure Miner is intended solely for educational or penetration testing purposes.

[Image: Example activity from PureCoder’s user profile]

Another important aspect of Pure Miner is the advertised stealth functionality. This feature is designed to help the malware evade detection by antivirus software and other security measures. While this capability could potentially be used for legitimate penetration testing, its inclusion in a tool marketed on cybercrime forums raises serious doubts about its intended use.

[Image: Reference to Pure Miner’s stealth functionality]

It's important to note that the issues highlighted in the case of Pure Miner are not unique. Similar patterns can be observed with other pieces of malware and hacking tools found on cybercrime forums.

Here's another example: On the same cybercrime forum, a user shared 20 "hacking" methods and 90 "tools," and even provided malicious use cases. They then followed this with a bizarre disclaimer stating that the material should not be used on innocent people and was only for educational purposes.

[Image: User sharing 20 hacking methods and 90 hacking tools]

By examining the context in which these tools are advertised, the reputation of their creators, and the behavior of their users, it becomes evident that the true intentions behind many of these products are far from benign. The use of disclaimers is often a thinly veiled attempt to avoid legal consequences while knowingly facilitating malicious activities.

Cybercrime Disclaimers Have Been Tested In Court

Putting a disclaimer at the end of your sales thread for malware is likely not going to make you immune to prosecution in the eyes of the law. We know this because there have been several cases where malware authors have been arrested and subsequently sent to prison despite a disclaimer being present on their product page.

A prominent example is the case of LuminosityLink, a remote access trojan (RAT) that was marketed as a legitimate piece of software:

[Image: Defunct homepage for LuminosityLink]

Despite claims that it was intended for legitimate purposes, the creator of LuminosityLink, Colton Grubbs, was prosecuted for his involvement in the malware's distribution. The plea agreement signed by Grubbs read as follows:

[Image: LuminosityLink author’s plea agreement]

This example highlights that even if a malware author claims their tool is for legitimate purposes, if they knowingly market it on cybercrime forums and are aware that customers will use it maliciously, they can still face serious legal consequences.

When there are more aspects indicating that you're selling malware rather than a legitimate tool, you're likely going to end up facing prosecution and potential prison time, regardless of any disclaimers.

Stay One Step Ahead of Sophisticated Cybercriminals with Abnormal

These fake disclaimers are yet another example of cybercriminals using any and all tactics to exploit trust and manipulate human behavior, which makes it increasingly difficult for the average user to protect themselves and their organization.

Fortunately, Abnormal AI understands human behavior even better than humans. Our behavioral approach has enabled us to contextually analyze every interaction and gather vital threat intelligence in order to stop the most advanced phishing attacks, fraud, socially engineered threats, and account takeovers across cloud email with >10x the efficacy and accuracy of any other solution.

Interested in learning more about how Abnormal can provide you with the tools and insights you need to stay one step ahead of cybercriminals? Schedule a demo today!
