Security researcher Sam Curry says a grand jury subpoena ordering him to testify was later canceled.
A security researcher is warning of a chilling effect after he was detained on arrival at a U.S. airport, his phone was searched and he was ordered to testify to a grand jury, only to have prosecutors reverse course and drop the investigation.
On Friday, Sam Curry, a security engineer at Yuga Labs, said in a series of posts on X, formerly Twitter, he was taken into secondary inspection by U.S. federal agents on September 15 after returning from a trip to Japan. Curry said agents with the Internal Revenue Service's Criminal Investigation Unit and the Department of Homeland Security questioned him at Dulles International Airport in Washington, D.C., about a 'high-profile phishing campaign,' searched his unlocked phone and served him with a grand jury subpoena to testify in New York the week after.
Curry posted a photo of the subpoena that the grand jury was investigating wire fraud and money laundering.
Curry said he later received confirmation that the copy of his device data was deleted and the grand jury subpoena was canceled once prosecutors realized that Curry was investigating the theft of crypto and not involved in it.
''see if there's anything we can do to help'' And then if we can't, obviously we can't. It's tricky because there are so many of these phishing campaigns, Mr. Curry said in a phone call with TechCrunch.
I'm sharing this because I think it's something people should be aware of if they're doing similar work. It was widely shared that my background as a security researcher wasn't enough to dissuade using immigrations and a grand jury to intimidate me, Curry said.
Curry, a well-known security researcher, has been working to discover flaws in airline rewards programs and connected vehicles, and helped discover security flaws at Apple and Starbucks. The conference is being held in Washington, D.C., and Curry was on hand to attend an election security research forum set up by the U.S. cybersecurity agency CISA to audit U.S. voting machines.
After arriving at the airport, he spoke with his attorney, who told federal investigators that Curry was investigating the incident as part of routine work as a security researcher.
In a call with TechCrunch, Curry said he understands why the feds are investigating the incident, but criticized their approach.
''S obviously done a multi-million dollar phishing scam and use that private key to sign in to OpenSea, yeah, I think it is a little suspicious and that is like definitely something to investigate,'' Curry said.
While he feels the legal demand is resolved, Curry said he felt dirty when the feds handed back his phone after searching its contents. In the United States, authorities can search a person's phone at the border without a warrant, including Americans, though the law is less clear on whether a person must comply. Only U.S. citizens can be denied entry for not complying, but they can have their devices seized indefinitely.
Nicholas Biase, a spokeswoman for the American Attorney's Office for the Southern District of New York, declined to comment on the grand jury subpoena. Terry Lemons, a spokeswoman for the IRS-CI, the criminal investigative arm of the U.S. tax authority known for investigating crypto thefts, did not return a request for comment.
It's not unheard of for U.S. authorities to target security researchers or journalists with threats of prosecution or other legal process to compel testimony, like grand juries, which convene in secret to determine whether formal criminal charges should be brought against a person.
The relationship between U.S. authorities and the security community has improved significantly, with both attitudes toward good-faith hackers and the legal environment for security researchers improving for the better. But instances like this may weaken the trust built in recent years by diddling investigators from engaging in security defense and remediation if they think their actions could be prosecuted.
In recent years, cybersecurity researchers have taken matters into their own hands in crimes and hacking campaigns that target and steal cryptocurrencies. White hatting is the traditional distinction between black hats, cybercriminals or hackers who hack with illegal intent, and white hats, researchers and hackers who operate with no criminal or ill intent.
But accessing a victim's wallet, even a scammer's wallet, falls in a real gray area of the law, former Prosecutor Elizabeth Roper told Motherboard last year.
It depends on the specific case, but Roper said, maybe we wouldn't use our resources to prosecute that person.