Security researcher says he was detained at US airport, dropped grand jury subpoena

Security researcher Sam Curry says a grand jury subpoena ordering him to testify was later canceled.

A U.S. security researcher is warning of a chilling effect after he was detained at a U.S. airport, had his phone searched and was ordered to testify to a grand jury, only to have prosecutors reverse course and drop the investigation.

On Wednesday, Sam Curry, a security engineer at blockchain tech firm Yuga Labs, said that he was taken into secondary inspection by U.S. federal agents on September 15 after returning from a trip to Japan. Curry said agents with the Internal Revenue Service's Criminal Investigation Unit and the Department of Homeland Security questioned him at Dulles International Airport in Washington, DC, about a 'high-profile phishing campaign,' searched his unlocked phone, and served him with a grand jury subpoena to testify in New York the week after.

The grand jury was investigating wire fraud and money laundering, according to a photo of Curry's subpoena.

Curry said he later received clarification that the copy of his device data was deleted and the grand jury subpoena was canceled when prosecutors realized that Curry was investigating the theft of crypto and not involved in it.

s seeing if there's anything we can do to help. And then if we can't, obviously we can't. It's tricky, because there are so many of these phishing campaigns, Curry said in a phone call.

'I'm sharing this because I think it's something people should be aware of if they're doing similar work. It's widely shared that the private key was leaked and my background as a security researcher wasn't enough to dissuade using immigrations and a grand jury to intimidate me,' he said.

Curry, a widely renowned security researcher, has worked to discover flaws in airline rewards programs and connected vehicles, and helped uncover security weaknesses at Apple and Starbucks. Curry was flying into Washington, DC to attend an election security research forum set up by the U.S. cybersecurity agency CISA to audit U.S. voting machines.

After being released from the airport, he spoke to his attorney, who told the federal investigators that Curry was investigating the incident as part of routine work as a security researcher.

Curry told TechCrunch he understands why the feds are investigating the incident but criticized their approach.

S obviously done a multi-million-dollar phishing scam and use that private key to sign in to OpenSea, Curry said.

While he feels that the legal demand is resolved, Curry said he felt dirty when the feds handed back his phone after searching its contents. The law is less clear on whether a person must comply with a warrant and if a person violates the law, which could mean that a person can be searched at the border without a warrant. Only American citizens can be denied entry for not complying, but they can have their devices seized indefinitely.

Nicholas Biase, a spokeswoman for the U.S. Attorney's Office for the Southern District of New York, declined to comment on the filing of the grand jury subpoena. Terry Lemons, a spokeswoman for the IRS-CI, the criminal investigation arm of the U.S. tax authority known for investigating crypto thefts, did not return a request for comment.

It's not unusual for U.S. authorities to target security researchers or journalists with threats of prosecution or other legal process to compel testimony, like grand juries, which convene in secret to determine whether formal criminal charges should be brought against a person.

The relationship between the U.S. authorities and the security community has improved, as both attitudes toward good-faith hackers and the legal landscape for security researchers have changed for the better. However, instances like this threaten to weaken the trust built in recent years by dissuading researchers from engaging in security defense and remediation if they think their actions could be prosecuted.

Security researchers have taken matters into their own hands lately, amid thefts and hacking campaigns aimed at stealing cryptocurrencies. In crypto, this is called 'white hatting', a distinction between black hats, cybercriminals or hackers who hack with malicious or illegal intent, and white hats, researchers and hackers who operate with no criminal or ill intent.

'Accessing a victim's wallet, even a scammer's wallet, in an attempt to recover funds falls in a real gray area of the law,' former prosecutor Elizabeth Roper told Motherboard last year.

'Maybe we wouldn't use our resources to prosecute that person, but again it depends on the specific case,' said Roper.