Security researcher warns of chilling effect after Feds search phone at airport

Security researcher warns of chilling effect after Feds search phone at airport

Security researcher Sam Curry warns of chilling effect after Feds search phone at the airport.

A U.S. security researcher is warning of a chilling effect after he was detained at a U.S. airport, his phone was searched and he was ordered to testify to a grand jury, only to have prosecutors reverse course and drop the investigation.

On Wednesday, Sam Curry, a security engineer at blockchain tech company Yuga Labs, said in a series of posts on X, formerly Twitter, he was taken into secondary inspection by U.S. federal agents on September 15 after returning from a trip to Japan. Curry said agents with the Internal Revenue Service's Criminal Investigation Unit and the Department of Homeland Security questioned him at Dulles International Airport in Washington, D.C., about a 'high-profile phishing campaign,' searched his unlocked phone and served him with a grand jury subpoena to testify in New York the week after.

The grand jury was investigating wire fraud and money laundering, according to a photo of Curry's subpoena.

But Curry later said he received confirmation that his device data was deleted and the grand jury subpoena was canceled after prosecutors realized that Curry was investigating the theft of crypto and not involved in it.

I know there's nothing we can do to help, but s seeing if there's anything we can do to help. And then if we can't, obviously we can't. But Curry said it's tricky, because there are so many of these phishing campaigns.

I'm sharing this because I think it's something people should be aware of if they're doing similar work. It was widely shared that the private key was leaked and my background as a security researcher wasn't enough to dissuade using immigrations and a grand jury to intimidate me, Curry said.

Curry, a well-known security researcher, has led efforts to discover flaws in airline rewards programs and connected vehicles, and helped to uncover security flaws at Apple and Starbucks. Curry was planning to attend an election security research forum set up by U.S. cybersecurity agency CISA to audit U.S. voting machines.

After being released from the airport, he spoke to his attorney, who told the FBI investigators that Curry was investigating the incident as part of routine work as a security researcher.

Curry said he understands why the feds were investigating the incident, but criticized their approach.

''S obviously done a multi-million dollar phishing scam and use that private key to sign in to OpenSea, yes, I think it is a little suspicious and that's like definitely something to investigate,'' Curry said.

While he believed the legal demand was resolved, Curry said he 'felt dirty' when the feds hand-signed his phone after searching its contents. U.S. authorities can search a persons phone at the border without a warrant, including Americans, though the law is less clear on whether a person must comply. Only U.S. citizens can be denied entry for not complying, but they can have their devices seized indefinitely.

Nicholas Biase, a spokeswoman for the U.S. Attorney's Office for the Southern District of New York, said the grand jury subpoena was filed. Terry Lemons, the spokeswoman for the IRS-CI, the criminal investigation arm of the U.S. tax authority known for investigating crypto thefts, did not return a request for comment.

It's not unheard of for US authorities to target security researchers or journalists with threats of prosecution or other kinds of legal process to compel testimony, such as grand juries, which convene in secret to determine whether formal criminal charges should be brought against a person.

The relationship between U.S. authorities and the security sector has largely improved in recent years, with both attitudes towards good-faith hackers and the legal landscape for security researchers changing for the better. But instances like this have the potential to weaken the trust built in recent years by disseminating researchers from engaging in security defense and remediation if they think their actions could be prosecuted.

The last few years, Security researchers have taken matters into their own hands during thefts and hacking campaigns that aim at and steal cryptocurrencies. White hatting, a term used in the crypto world, refers to the traditional distinction between Black hats, cybercriminals or hackers who hack with malicious or illegal intent, and White hats, researchers and hackers who operate without criminal or ill intent.

But accessing a victim's wallet - even a scammer's wallet - in an attempt to recover funds falls in a real gray area of the law, former prosecutor Elizabeth Roper told Motherboard last year.

But Roper said: 'Maybe we would not use our resources to prosecute that person, but again it depends on the specific case.