Hackers used their “Scan4You” program to see if anti-virus programs would identify their software as malicious; it could be adapted into malware kits sold to cybercriminals. Bondars argued there are legal uses for the product and he was not responsible for when it was used illegally.
“Our position protects all online businesses; all online businesses have legitimate and illegitimate users,” defense attorney Jessica Carmichael said in court Friday.
“It’s an interesting theory,” Judge Liam O’Grady responded, but not one that applies in criminal cases. He told Bondars, “There’s zero chance that you didn’t know the harm being done by the malware hackers used your service to perfect.”
Prosecutors said it is common and perfectly legal to hold software developers liable for creating products that could be used for good as well as ill.
“The defendant apparently thinks he is unique in being charged for creating and selling a computer product that had theoretical lawful uses. He is not. Malware often has theoretical lawful uses,” Assistant U.S. Attorney Kellen Dwyer wrote in his sentencing argument.
A co-conspirator Taylor Huddleston made a similar argument in an interview with the Daily Beast last year, saying he was being prosecuted for designing software he never intended as malicious. Huddleston, 27, ultimately pleaded guilty to a hacking-related crime in Alexandria; one of his co-defendants testified against Bondars.
One Scan4You user was behind the 2013 theft of credit card information from about 40 million of Target customers.
“I feel ashamed that some of the website users used it for such terrible things,” Bondars told the court in halting English Friday.
But Bondars argued in court filings that the service had little to do with the massive data breach, which cost the retailer hundreds of millions of dollars. He emphasized the malware was also run through a mainstream virus-detection service and that Target’s own security system saw the breach but it was ignored. Bondars’s product was not actually used to help get into Target’s system or steal the information, according to court testimony. An expert from Verizon who helped investigate the hack said the files tested in Scan4You were likely used to figure out where payment information was stored.
Cybersecurity experts have said the hacker, identified in court as “Profile 958,” is likely a Ukrainian named Andrey Hodirevski.
Target is demanding restitution from Bondars; an amount has yet to be decided.
While Bondars was never charged with direct involvement in any hacking and made little money from Scan4You, court documents show he had used malware to trick people into buying anti-virus services they did not need.
Services like Scan4You remain easy to find online; prosecutors say it was an “innovation” in malware that has inspired copycats.
“At the beginning Scan4You was so small,” Bondars said Friday. “It got much bigger very quickly; it happened so fast.”