chat
expand_more

How Cybercriminals Attempt To Dodge Prosecution With Legal Disclaimers

Learn how cybercriminals use superficial disclaimers to deceive others while facilitating illegal activity on cybercrime forums.
May 21, 2024

On cybercrime forums and networks, it's not uncommon to come across malware creators and sellers who attempt to evade responsibility by including disclaimers stating that their tools are intended for "educational purposes and penetration testing only." However, a closer examination of these claims often reveals a different reality.

To illustrate this point, let’s examine the context, creators, and users of these tools more closely to see how they reveal malicious intentions.

True Intentions Behind Malware Disclaimers

We recently discovered a piece of malware called Pure Miner on a low-level cybercrime forum. The software is advertised as a tool for mining cryptocurrency.

Legal Disc1

Advertisement for a cryptocurrency miner called Pure Miner

When a potential buyer attempts to purchase Pure Miner, they are immediately presented with a terms of service (TOS) agreement.

This TOS explicitly states that the software is not intended for malicious use and should only be used for educational or penetration testing purposes. However, this disclaimer seems to be nothing more than a superficial attempt to avoid legal repercussions.

Legal Disc2

Terms of service belonging to Pure Miner

One of the most glaring red flags is that PureCoder, the creator of Pure Miner, actively advertises the software on well-known cybercrime forums. These forums are popular gathering places for hackers, malware developers, and other cybercriminals. If the true intention of Pure Miner was legitimate, it would be highly unlikely for it to be advertised in such places.

In one thread where Pure Miner is advertised, PureCoder has included testimonials from satisfied customers. However, upon closer examination, it becomes apparent that these “customers” are using Pure Miner for malicious purposes.

Legal Disc3

Customer testimonials for Pure Miner

If you read the testimonials, you will notice that two keywords stand out: "bots" and "crypt." For anyone unfamiliar with cybercrime terminology, a 'bot' generally refers to an infected machine, and the process of "crypting" involves making a piece of malware undetectable by antivirus solutions. This is another indicator of malicious use as there would be no reason to put a piece of software through a crypting process if you were deploying it on machines that you have legitimate access to, and you certainly wouldn't refer to them as "bots."

A review of PureCoder's user profile also suggests that they have a history of selling botnets, stealers, and spreading methods to obtain more bots. This information further undermines the credibility of the claim that Pure Miner is intended solely for educational or penetration testing purposes.

Legal Disc4

Example activity from PureCoder’s user profile

Another important aspect of Pure Miner is the advertised stealth functionality. This feature is designed to help the malware evade detection by antivirus software and other security measures. While this capability could potentially be used for legitimate penetration testing, its inclusion in a tool marketed on cybercrime forums raises serious doubts about its intended use.

Legal Disc5

Reference to Pure Miner’s stealth functionality

It's important to note that the issues highlighted in the case of Pure Miner are not unique. Similar patterns can be observed with other pieces of malware and hacking tools found on cybercrime forums.

Here's another example: On the same cybercrime forum, a user shared 20 "hacking" methods, 90 "tools", and even provided malicious use cases. Then, they proceeded to follow this with a bizarre disclaimer stating that the material should not be used on innocent people and was only for educational purposes.

Legal Disc6

User sharing 20 hacking methods and 90 hacking tools

By examining the context in which these tools are advertised, the reputation of their creators, and the behavior of their users, it becomes evident that the true intentions behind many of these products are far from benign. The use of disclaimers is often a thinly veiled attempt to avoid legal consequences while knowingly facilitating malicious activities.

Cybercrime Disclaimers Have Been Tested In Court

Putting a disclaimer at the end of your sales thread for malware is likely not going to make you immune to prosecution in the eyes of the law. We know this because there have been several cases where malware authors have been arrested and subsequently sent to prison despite a disclaimer being present on their product page.

A prominent example is the case of LuminosityLink, a remote access trojan (RAT) that was marketed as a legitimate piece of software:

Legal Disc7

Defunct homepage for LuminosityLink

Despite claims that it was intended for legitimate purposes, the creator of LuminosityLink, Colton Grubbs, was prosecuted for his involvement in the malware's distribution. The plea agreement signed by Grubbs read as follows:

Legal Disc8

LuminosityLink author’s plea agreement

This example highlights that even if a malware author claims their tool is for legitimate purposes if they knowingly market it on cybercrime forums and are aware that customers will use it maliciously, they can still face serious legal consequences.

When there are more aspects indicating that you're selling malware rather than a legitimate tool, you're likely going to end up facing prosecution and potential prison time, regardless of any disclaimers.

Stay One Step Ahead of Sophisticated Cybercriminals with Abnormal

These fake disclaimers are yet another example of cybercriminals using any and all tactics to exploit trust and manipulate human behavior, which makes it increasingly difficult for the average user to protect themselves and their organization.

Fortunately, Abnormal AI understands human behavior even better than humans. Our behavioral approach has enabled us to contextually analyze every interaction and gather vital threat intelligence in order to stop the most advanced phishing attacks, fraud, socially engineered threats, and account takeovers across cloud email with >10x the efficacy and accuracy of any other solution.

Interested in learning more about how Abnormal can provide you with the tools and insights you need to stay one step ahead of cybercriminals? Schedule a demo today!

Schedule a Demo
How Cybercriminals Attempt To Dodge Prosecution With Legal Disclaimers

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B SOC Prod
Learn how AI-driven automation boosts SOC productivity by reducing false positives, addressing skills gaps, and enhancing threat detection. Discover strategies to future-proof your SOC and strengthen cybersecurity defenses.
Read More
B Proofpoint Customer Story F500 Insurance Provider
A Fortune 500 insurance provider blocked 6,454 missed attacks and saved 341 SOC hours per month by adding Abnormal to address gaps left by Proofpoint.
Read More
B Malicious AI Platforms Blog
What happened to WormGPT? Discover how AI tools like WormGPT changed cybercrime, why they vanished, and what cybercriminals are using now.
Read More
B MKT748 Open Graph Images for Cyber Savvy 7
Explore insights from Brian Markham, CISO at EAB, as he discusses cybersecurity challenges, building trust in education, adapting to AI threats, and his goals for the future. Learn how he and his team are working to make education smarter while prioritizing data security.
Read More
B Manufacturing Industry Attack Trends Blog
New data shows a surge in advanced email attacks on manufacturing organizations. Explore our research on this alarming trend.
Read More
B Dropbox Open Enrollment Attack Blog
Discover how Dropbox was exploited in a sophisticated phishing attack that leveraged AiTM tactics to steal credentials during the open enrollment period.
Read More