Wednesday, July 08, 2009


You’ve probably seen the news stories about the Ukrainians who extracted $415,000 from a Kentucky bank, courtesy of a Trojan horse program.

If you haven’t seen the stories, here’s a brief recap: Ukrainian hackers used a Trojan horse program to acquire access to and authentication authority over bank accounts belonging to Bullitt County, Kentucky. The Trojan gave the hackers access to the County Treasurer’s computer, according to the stories I read, and to the email account of the judge who had to approve wire transfers from the County’s account. They created accounts in the names of fictitious employees and then transferred $415,000 to those accounts.

Posing as the Fairlove Delivery Service, the Ukrainians had earlier hired people to edit text for them, primarily fixing the English from what I gather. They then approached at least some of these people, telling them the company had trouble getting funds to its clients oversees and asking if the employees would help them with their problem. Those who agreed accepted wire transfers of funds ($9,900) into their bank accounts, took part of the money (say, $500) as their “commission” and then wired the rest to a bank account in the Ukraine.

This post isn’t about the theft of the funds from the Bullitt County government’s bank account, as such. It’s clear that the Ukrainians who are responsible for the theft committed a variety of federal cybercrimes: unauthorized access to computers (the Treasurer’s and judge’s computers, at the very least), transmitting a program, code or information and causing damage (the Trojan horse program) and maybe accessing a computer without authorization to further a scheme to defraud (if we decide this was fraud, not theft). As I’ve explained, the general federal cybercrime statute – 18 U.S. Code § 1030(a) – criminalizes each of these acts: Section 1030(a)(5)(B) makes it a crime to gain unauthorized access to a computer and cause damage (which is defined as impairing the integrity or availability of data); section 1030(a)(5)(A) makes it a crime to transmit a code, program or information and cause damage; and section 1030(a)(4) makes it a crime to access a computer without authorization to further a scheme to defraud. (To make what they did fraud, we’d have to figure out someone who was defrauded into letting them have the money in the accounts. I’m not sure that one will work.) We’d also have conspiring to violate § 1030 in violation of 18 U.S. Code § (b), and a host of other federal crimes.

Okay, the perpetrators are easy. If they’re ever caught, there are plenty of crimes they can be charged with and, I’m sure, easily convicted of.

I want to focus on the mules . . . the people who received the initial transfers of funds from the County’s account at the banks and wired most of what they received to the account in the Ukraine. I’ve seen no indication that anyone intends to prosecute them for their role in the scam, but it’s still early in the investigation; and even if they aren’t actually prosecuted, I think the issue warrants exploring.

Since the mules didn’t play any role in the actual execution of the theft of the funds, they can’t be charged as actual perpetrators of any of the crimes outlined above. Their role essentially came after the theft had been committed; they helped the Ukrainians move the funds out of the U.S. and into their own, home account.

There are two possible ways a prosecutor could hold the mules liable for the theft of the funds. One is what’s called the Pinkerton doctrine. In Pinkerton v. U.S., 328 U.S. 640 (1946), the U.S. Supreme Court held that, as far as federal cases are concerned, one member of a conspiracy can be held liable for the substantive crimes the other members of the conspiracy commits. They become each other’s agents, in effect. In the Pinkerton case, two brothers were making liquor and selling it in violation of federal revenue laws. Daniel got caught, convicted and was serving time in jail when Walter committed some further violations of federal revenue laws. Daniel and Walter were both charged with committing those crimes, on the theory that they had conspired to violate federal revenue laws, which meant Daniel was responsible for what Walter did, even when Daniel wasn’t there. The Supreme Court accepted that theory, and held Daniel liable.

We could conceivably use that in this case, since I’m assuming federal charges, but for Pinkerton liability to apply, the person has to have joined the conspiracy the object of which is to commit the target crime – here, theft – before the crimes were committed. The crimes have to be a foreseeable consequence of the conspiracy the person joined, and occur after they joined the conspiracy. Since I’m assuming the theft was complete – more on that in a minute – I don’t think Pinkerton would work here. Even if the mules entered into a conspiracy to dispose of the funds, that couldn’t be used to hold them liable to taking the funds, IMHO.

So let’s try the obvious choice: aiding and abetting, or what the Model Penal Code calls accomplice liability. As I explained in an earlier post, an accomplice is someone who helps another person commit a crime – they “aid and abet” the crime. Here, the mules helped the Ukrainians get the money out of the country, which definitely constituted aiding the commission of the theft. To be liable as accomplices, though, the mules had to have acted with the purpose of aiding and abetting the crime (the theft) and the crime must not have been completed before they provided their assistance.

As a federal district court noted recently, the intent to aid and abet “must be formed prior to or during the commission of the offense.” Pickles v. Adams, 2009 WL 789904 (U.S. District Court for the Eastern District of Michigan 2009). “Thus aider and abettor liability is established if the getaway driver forms `the intent to facilitate or encourage commission of the robbery prior to or during the carrying away of the loot to a place of temporary safety.’" Pickles v. Adams, supra. We’re not dealing with a getaway driver, but the principle is the same: Like the driver, the mules helped the thieves get the loot to a place where it was safe.

At this point, I’m assuming, for the purpose of analysis, that the mules did have the intent to aid and abet the thefts; I’ll get to whether that was true or not in a minute.

So, assuming that they acted with the intent to aid and abet the theft of the Bullitt County government’s money, did they form that intent during the commission of the crime itself? The answer seems to be a little tricky. Some of the cases I read said that if you only provide assistance after the crime itself has been committed – which, for theft, seems to mean that the thieves have taken the property from the rightful owner’s possession, so the owner has been divested of it – you can’t be an accomplice because you can’t aid and abet a crime that’s already been committed. If we go with that theory, then it seems the mules can’t be liable as accomplices, or aiders and abettors.

Some courts expand that out a little, especially in the area of theft crimes, and use the theory quoted above, i.e., that if the accomplice forms the intent to facilitate the commission of the theft either while it’s being committed or while the thieves are in the process of getting away with the loot, that’s enough to make them an accomplice. If we go with this theory, then it might be possible to prosecute the mules as aiders and abettors because they did help the Ukrainians get away with their loot. The Ukrainians had gotten it out of the Bullitt County bank but not out of the U.S. and into the Ukraine; I can see a good argument that part of the crime – the asportation of the stolen property – was still in process when the mules did what they did. And since what they did directly facilitated the Ukrainians’ getting the money out of the country, it should qualify as aiding and abetting.

There is, though, that residual but very important issue of intent. Law has traditionally required that to be an accomplice to a crime, you must purposely aid and abet its commission. So for the mules to be held liable as accomplices, the prosecution would have to prove beyond a reasonable doubt that their purpose in accepting the initial transfers of funds and then in sending most of the funds to the Ukrainian account was to abet the crime of theft.

Several of the stories I’ve read about the case say that the two mules who have talked to the investigators say they were duped. They seem to have believed it was a legitimate transaction, at least initially. One said she became suspicious and didn’t wire all of the money; the other one seems to have gone along with no suspicions.

A prosecutor, of course, might not believe their claims that they had not idea there was anything wrong with the transaction. In situations like this, prosecutors can use certain facts to support the inference that the mule – while claiming innocence – actually knew what was going on and acted with the intent to facilitate the underlying crime. One factor here that might be used to infer intent is the amount the mules were being paid. One story I read said they were told they’d receive $9,900 and should keep $500 before wiring the rest to the Ukrainian account. That seems like a pretty good commission to me; excessive payments can indicate illegal activity and might be used in inferring intent. A prosecutor might also point to the use of an offshore, Ukrainian account as the place to which the funds were going, but the employer said they were for offshore clients, so maybe that wouldn’t be particularly compelling. If the mules had kept doing this, over and over, that, too, might be a circumstance from which intent could be inferred.

Am I arguing that the mules in this case should be prosecuted? No, at least not on the basis of what I’ve seen so far. The rationale for punishing mules who do act with the intent of aiding and abetting a crime like this is to make it more difficult for Ukrainian hackers to find someone to do this in the future. Aside from holding these people liable, such a prosecution could publicize the scam and help ensure that others don’t fall for it.

And, of course, the mules are here, which means we can easily prosecute them, if we get over the hurdles I’ve noted above. As to the Ukrainian perpetrators, I suspect prosecuting them is unlikely.

No comments: