Security researcher Sam Curry says he was detained at airport, dropped grand jury subpoena


Security researcher Sam Curry said a grand jury subpoena calling him to testify was later canceled.

A U.S. security researcher is warning of a chilling effect after he was detained at an airport, had his phone searched, and was ordered to testify before a grand jury, only to have prosecutors reverse course and drop the investigation.

On Wednesday, Sam Curry, a security engineer at Yuga Labs, said in a series of posts on X, formerly Twitter, that he was taken into secondary inspection by U.S. federal agents on September 15 after returning from a trip to Japan. Curry said agents with the Internal Revenue Service's Criminal Investigation Unit and the Department of Homeland Security questioned him at Dulles International Airport in Washington, DC about a 'high-profile phishing campaign', searched his unlocked phone, and served him with a grand jury subpoena to testify in New York the week after.

The grand jury was looking into wire fraud and money laundering, according to a photo posted by Curry.

He said he later received certification that the copy of his device data was deleted and the grand jury subpoena was canceled when prosecutors realized that Curry was investigating the theft of crypto and not involved in it.

s see if there's anything we can do to help. And then if we can't, obviously we can't. It's tricky, because there are so many of these phishing campaigns, Curry said in a phone call to TechCrunch.

"I'm sharing this because I think it's something people should be aware of if they're doing similar work. It was widely shared that the private key was leaked and my background as a security researcher wasn't enough to dissuade using immigrations and a grand jury to intimidate me," Curry said.

Curry, who is a well-known security researcher, has helped discover flaws in airline rewards programs and connected vehicles, and discovered security weaknesses at Apple and Starbucks. Curry was flying to Washington, DC, to attend an election security research forum set up by U.S. cybersecurity agency CISA to audit U.S. voting machines.

After being released from the airport, he spoke with his lawyer, who told federal investigators that Curry was investigating the incident as part of routine work as a security researcher.

Curry said in a statement that he understands why the feds are investigating the incident, but criticized their approach.

S obviously done a multi-million dollar phishing scam and use that private key to sign in to OpenSea, Curry said.

While he acknowledges the legal demand, Curry said he 'felt dirty' when the feds handed back his phone after searching its contents. The U.S. government can search a person's cell phone without a warrant, and that includes the phones of Americans, but the law is less clear on whether a person must comply. Only U.S. citizens cannot be denied entry for not complying, but they can have their devices seized indefinitely.

The U.S. Attorney's Office for the Southern District of New York, where the grand jury subpoena was filed, declined to comment. The IRS-CI, the criminal investigation arm of the U.S. tax authority known for investigating crypto thefts, did not return a request for comment.

It's not unheard of for U.S. authorities to target security researchers or journalists with threats of prosecution or other forms of legal procedure to compel testimony, like grand juries, which convene in secret to determine whether formal criminal charges should be brought against a person.

The relationship between U.S. authorities and the security community has improved, as both attitudes towards good-faith hackers and the legal landscape for security researchers have changed for the better. But instances such as this could weaken the trust built in recent years by disincentivizing researchers from engaging in security defense and remediation if they think their actions could be prosecuted.

In recent years, security researchers have taken matters into their own hands during thefts and hacking campaigns that target and steal cryptocurrencies. "White hatting," the term used in crypto, draws on the traditional distinction between cybercriminals, or hackers who hack with harmful or illegal intent, and white hats, the researchers and hackers who operate without criminal or ill intent.

But accessing a victim's wallet - even a scammer's wallet - in an effort to recover funds falls in a real gray area of the law, former prosecutor Elizabeth Roper told Motherboard last year.

"We would not use our resources to prosecute that person," Roper said, "but again it depends on the specific case."