United States v. Hutchins
361 F. Supp. 3d 779
E.D. Wis.2019Background
- Marcus Hutchins, a U.K. citizen and well-known "white hat" hacker, was indicted on charges relating to two malware programs (Kronos and UPAS Kit) and allegedly providing/distributing them to others between 2012–2015; a superseding indictment added multiple counts under the CFAA, Wiretap Act, §1001, and wire fraud conspiracy.
- Hutchins was arrested at a Las Vegas airport on Aug. 2, 2017; agents read Miranda rights, interviewed him for ~105 minutes in custody, and obtained his consent to search devices; he later made recorded jail calls.
- Hutchins moved to suppress his post-arrest statements (arguing no valid Miranda waiver due to intoxication, unfamiliarity with U.S. procedure, and agent deception) and filed multiple motions to dismiss counts of the superseding indictment (challenging sufficiency, multiplicity, extraterritoriality, and nexus).
- Magistrate Judge Nancy Joseph recommended denying all motions; the district court reviewed de novo, largely adopted the recommendation, and denied suppression and all dismissal motions.
- Key factual findings: agents testified rights were given at interview start; Hutchins appeared alert and coherent; agents did not present the arrest warrant until over an hour into the interrogation; the indictment alleges domestic acts (promotion/sales into E.D. Wis.).
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Validity of Miranda waiver / suppression | Hutchins: no valid waiver — he was hungover/intoxicated, unfamiliar with U.S. warnings, and deceived by agents; thus statements involuntary | Government: Hutchins was read Miranda, appeared alert, did not invoke rights, and voluntarily waived under totality | Denied: court found Miranda rights were given and waiver voluntary under totality (no clear and convincing evidence of material deception or incapacity) |
| Sufficiency of indictment re: "damage" under CFAA (Counts 1,7) | Hutchins: alleged exfiltration/copying is not "damage" as defined by CFAA | Government: indictment alleges malware that exfiltrated and was "malicious" — alleging impairment to data/system suffices | Denied: allegations that malware stole/exfiltrated data and was malicious sufficiently plead "damage" for pleading stage |
| Whether software qualifies as a "device" under Wiretap Act (Counts 1–6) | Hutchins: software alone is not an "electronic, mechanical, or other device" within §2510(5) | Government: statutory language and authorities support reading "mechanism" to include software/programs | Denied: court agrees software may be a "device" and the indictment plausibly alleges such use |
| Extraterritoriality / due process nexus | Hutchins: statutes (Wiretap Act, CFAA, §1001, wire fraud) lack extraterritorial reach and insufficient U.S. contacts | Government: allegations identify domestic conduct (sales/promotions into E.D. Wis.) | Denied: court finds indictment alleges conduct relevant to statutes' focus occurred in U.S.; adequate nexus for prosecution |
Key Cases Cited
- Berghuis v. Thompkins, 560 U.S. 370 (2010) (waiver of Miranda may be found from voluntary statements and conduct)
- Moran v. Burbine, 475 U.S. 412 (1986) (waiver must be voluntary, knowing, and intelligent)
- Duckworth v. Eagan, 492 U.S. 195 (1989) (Miranda warnings need not follow a talismanic script; look to whether rights were fully conveyed)
- Frazier v. Cupp, 394 U.S. 731 (1969) (police misrepresentations do not necessarily render a confession involuntary)
- Patane v. United States, 542 U.S. 630 (2004) (Miranda violations require suppression of statements but not derivative physical evidence)
- Fidlar Tech. v. LPS Real Estate Data Solutions, Inc., 810 F.3d 1075 (7th Cir. 2016) (interpretation of "damage" under CFAA; not limited to overtly destructive acts)
- United States v. Szymuszkiewicz, 622 F.3d 701 (7th Cir. 2010) (analysis of what constitutes a "device" under communications statutes in context of software/rules)
- RJR Nabisco, Inc. v. European Cmty., 136 S. Ct. 2090 (2016) (statutory extraterritoriality: require clear indication of congressional intent; if absent, assess statute's focus and where relevant conduct occurred)
- Morrison v. National Australia Bank Ltd., 561 U.S. 247 (2010) (framework for presumption against extraterritoriality and domestic-foreign focus inquiry)
- Resendiz-Ponce v. United States, 549 U.S. 102 (2007) (criminal attempt inherently includes intent element)