FBI Arrests Hacker Who Hacked No One
Taylor Huddleston woke early on December 6th, hours before the Arkansas winter morning would stir to life with the sound of roosters and dogs. Since selling off the last piece of his software business two months earlier, Huddleston had nothing in particular to do, and he’d been keeping odd hours. While his girlfriend slept in the next room, he browsed Reddit and YouTube, then sat down with a microwaved Jimmy Dean Breakfast Bowl to start the day right.
Something crunched in his mouth, and he spat out a wad of breakfast bowl into a napkin, just as the pounding started at his front door.
Huddleston’s first thought was that somebody had crashed their car and needed to use his phone. But when he opened the door, he was met by about two dozen serious-looking men and women, some in bulletproof vests, holding handguns at the ready, one shouldering an assault rifle, another carrying a battering ram. He was accustomed to seeing uniformed sheriff’s deputies in his neighborhood—drugs, he assumed—but most of these cops wore suits. More suits than he’d ever seen in one place.
The visitors were from the FBI, and after a 90-minute search of his house, they left with his computers, only to return two months later with handcuffs. Now free on bond, Huddleston, 26, is scheduled to appear in a federal courtroom in Alexandria, Virginia on Friday for arraignment on federal charges of conspiracy and aiding and abetting computer intrusions.
Huddleston, though, isn’t a hacker. He’s the author of a remote administration tool, or RAT, called NanoCore that happens to be popular with hackers. NanoCore has been linked to intrusions in at least 10 countries, including an attack on Middle Eastern energy firms in 2015, and a massive phishing campaign last August in which the perpetrators posed as major oil and gas company. As Huddleston sees it, he’s a victim himself—hackers have been pirating his program for years and using it to commit crimes. But to the Justice Department, Huddleston is an accomplice to a spree of felonies.
Depending on whose view prevails, Huddleston could face prison time and lose his home, in a case that raises a novel question: when is a programmer criminally responsible for the actions of his users? “Everybody seems to acknowledge that this software product had a legitimate purpose,” says Travis Morrissey, a lawyer in Hot Springs who represented Huddleston at his bail hearing. “It’s like saying that if someone buys a handgun and uses it to rob a liquor store, that the handgun manufacturer is complicit.”
Some experts say the answer to that question could have far reaching implications for developers, particularly those working on new technologies that criminals might adopt in unforeseeable ways. The chill would be felt most profoundly by independent coders without ready access to legal support, but eventually even large corporations like Facebook or Google could face new uncertainty. Can a social networking site face charges when members stalk or threaten an ex? If ISIS starts using an encrypted messaging app, should the developer start looking for a good bail bondsman? “Even if prosecutors don’t plan to use their discretion against big companies, it can have a chilling effect,” says Cornell law professor James Grimmelmann. “Because you never know for sure.”
Huddleston began coding NanoCore in late 2012 in a bid to lift himself out of a hardscrabble life. He was a high-school dropout and struggling programmer, working and living in a run down trailer slowly rusting on his mother’s property. Until then, his most ambitious project as a newbie coder had been a low-cost license management system called Net Seal that allowed developers to control access to their products, letting them shut down, for example, a copy that was bought with a stolen PayPal account. Making Net Seal taught Huddleston to code well, and when he discovered that people were making money selling Windows remote management tools, he thought he’d give it a try.
His first version was weak, but after months of work NanoCore developed into a full featured product, with a plug-in capability that made it endlessly flexible, and a user interface that one computer security firm praised as “simple yet robust.” Install a NanoCore client on a Windows box, and you can remotely log keystrokes, download stored passwords, turn on the web cam, access files, and watch the user’s screen in real time. NanoCore’s powers mirror some of the functionality in popular commercial offerings like GoToMyPC, and Huddleston says he had high hopes that his $25 tool might be adopted by budget-conscious school IT administrators, tech support firms, server farms, and parents worried about what their kids are doing online.
Security experts who have examined NanoCore say there’s nothing in the code to disprove Huddleston’s claim that he intended it for lawful use, though they’re inherently skeptical. “It is plausible the tool was created for legitimate reasons,” says Anthony Kasza, a senior threat researcher at Palo Alto Networks. “However, this is a common claim amongst RAT authors. … Features of RATs are not inherently malicious or benign. It all comes down to intent.”
Prosecutors say they have no doubt about Huddleston’s intent. “Huddleston designed the NanoCore RAT for the purpose of enabling its users to commit unauthorized and illegal intrusions against victim computers,” wrote Assistant U.S. Attorney Kellen Dwyer in Huddleston’s 14-page indictment, which was unsealed last month. Because NanoCore has both legal and illegal uses, establishing that Huddleston wrote it for criminals is crucial for prosecutors. “It’s a dual-use technology case,” says Grimmelman. “And you typically don’t get criminal liability in dual-use technology cases unless there’s a pretty clear intent to promote the criminal use instead of the legitimate ones.”
The court filings don’t detail why the government is so certain that Huddleston wanted to help hackers, but the indictment mentions eight times the name of the website where Huddleston announced and supported NanoCore: HackForums.net.
HackForums is a popular site, boasting over three million registered users, and housing well-trafficked forums on coding, computer gaming, even financial investment strategies. With long threads about PokeMon and how to craft a cool YouTube page, HackForums is several shades too light for the Dark Web. But, true to its name, the first subject category listed on its homepage is a forum called “Hack,” with individual bulletin boards like “Beginner Hacking” and “Website and Forum Hacking.”
This isn’t “hacking” in the innocent “innovative coding” sense of the word. The participants in these particular sub forums are largely discussing computer intrusion, some academically, others practically. You won’t find Russian super-hackers on HackForums, but computer crime newbies and amateurs building their very first botnet appear to be commonplace. One recent thread posed the question, “How would you spread malware through iframe tags?” and drew knowing advice: serve malicious Java on a fake Minecraft landing page; lure victims with a bogus ad for a recent movie.
Huddleston joined the site in 2009 under the nickname “Aeonhack.” Online communities were important to him. In childhood, he and his two brothers relocated frequently as their single mother pursued job opportunities through a tumble of small towns and cities in New Mexico and Arkansas. The frequent moves coupled with his inherent shyness left Huddleston virtually friendless in school, and he finally dropped out in the 12th Grade. Throughout it all, the internet was his lifeline. When he started learning to program, he says, he gravitated to the large and helpful community in the “coding” section of HackForums.
So when he was ready with the alpha version of NanoCore in January 2013, it only made sense that he’d announce it in a place where he was known and liked, and that had nurtured him as a beginner.
It would soon become clear that it was a terrible place to launch a legitimate remote administration tool. There aren’t a lot of corporate procurement officers on HackForums. Instead, many of Huddleston’s new customers had purely illicit uses for a slick remote access tool. In short order, Huddleston found himself routinely admonishing people not to use his software for crime. “NanoCore does not permit illegal use,” he wrote in one post. In another, “NanoCore is NOT malware. It is intended to be used legitimately and I don’t want to see words like ‘slave’ and ‘infect.’” Huddleston backed his words with action. Whenever he saw evidence that a particular buyer was using the product to hack, he’d log in to Net Seal and disable that user’s copy, cutting the hacker off from his infected slaves.
“I had a very strict zero tolerance policy,” he says.
He was fighting an uphill battle. Tutorials on how to covertly infect a victim’s machine appeared on YouTube by the thousands; Huddleston responded by quietly changed NanoCore’s control panel to display the user’s license ID, so he could revoke that copy when he saw it in a video. His righteous attitude started to irk some of NanoCore’s fans. “What the hell do you expect? You’re selling a Remote Administration Tool on a hacking forum,” one wrote in 2015. “That’s like selling guns in a warzone but making a policy, ‘You’re not allowed to use these guns for dangerous purposes only target shooting.”’ Still more gripes came when Huddleston removed the tool’s ability to steal passwords and log keystrokes. “You can’t do any blackhat activities with it,” one user complained. “No one who buys a RAT wants one with the main features taken out.”
The users who got cut off were even more angry, and sometimes inclined to retaliate. “I’d get these really threatening emails and people harassing me just viciously,” Huddleston says. “They would go and send me dozens of fraudulent payments in PayPal and charge them back.” PayPal interprets chargebacks as a sign of a fraudulent vendor who might have to be cut off, making that ploy an existential threat to Huddleston’s budding business. “There’s no defense against it. You can’t block someone from sending you money.”
When Huddleston’s crackdowns became too troublesome, the hackers cracked his Net Seal code and distributed pirated versions of the product on other sites. Computer security companies spotted a new trend in attacks. Every time a new cracked version of NanoCore appeared, a huge spike in the code’s use in computer intrusion attempts followed. In early March 2015, Symantec detected a mysterious phishing campaign flinging NanoCore at energy companies in Asia and the Middle East. Symantec researcher Mark Balanza charted the pattern and penned a 900-word paean to Aeonhack’s “persistence in the face of endless setbacks.”
“It seems that every time the author tries to develop and improve NanoCore, one of the customers invariably ends up leaking a copy of it for free,” Balanza wrote. “This surely has to be a major disincentive for the original developer, but they seem to possess endless optimism and persist to create new versions with enhanced capabilities, maybe in the hope that eventually enough customers will pay.”
Early the next year, Palo Alto Networks caught NanoCore starring in a phishing campaign tied to tax season. By then, Huddleston’s optimism had already run dry. “I was just in way over my head,” he says.
“I loved creating it. I loved learning how to create it,” Huddleston recalls. “You get that rush from solving all these complex issues, and this is by far, hands down, the most difficult and the biggest project that I ever created. I learned so much from it that I could never have learned otherwise.”
But he was weary of all the drama, coupled with the pressure of running a small business on his own, Huddleston began divesting himself from NanoCore in early 2015. First he handed off the business end to another HackForum member, while continuing to develop the code as an “advisor” in exchange for 60 percent of every sale. It wasn’t until year’s end that he finally divorced himself entirely from the project , accepting a $5,000 buy-out from the new owner. Last October, he sold off Net Seal for $3,000.
In the end, Huddleston got what he wanted from both projects. He scrimped and saved enough from his NanoCore and Net Seal income that he and his girlfriend were able to move out of the trailer and buy a $60,000 house in a low-income corner of Hot Springs, Arkansas.
Now even Huddleston’s modest home is in jeopardy. As part of their case, prosecutors are seeking forfeiture of any property derived from the proceeds of NanoCore, as well as from Huddleston’s anti piracy system, which is also featured in the indictment. “Net Seal licensing software is licensing software for cybercriminals,” the indictment declares. For this surprising charge—remember, Huddleston use the licenses to fight crooks and pirates—the government leans on the conviction of a Virginia college student named Zachary Shames, who pleaded guilty in January to selling hackers a keystroke logging program called Limitless. Unlike Huddleston, Shames embraced malicious use of his code. And he used Net Seal to protect and distribute it.
Huddleston admits an acquaintanceship with Shames, who was known on HackForums as “Mephobia,” but bristles at the accusation that Net Seal was built for crime. “Net Seal is literally the exact opposite of aiding and abetting” criminals, he says. “It logs their IP addresses, it block their access to the software, it stops them from sharing it with other cyber criminals. I mean, every aspect of it fundamentally prevents cybercrime. For them to say that [crime] is its intention is just ridiculous.”
Grimmelman, a specialist in technology law, says the case may fit a trend he’s noticed in online law enforcement: prosecute the defendants you can easily find as proxies for those you can’t. “The government’s frustration with criminal users who are anonymous splashes back in a variety of ways on targets who are easier to identify,” says Grimmelman. “It’s kind of unusual to target a software developer, but I definitely feel that’s the way the winds are blowing.”
Huddleston suspects the entire prosecution is the FBI’s way of saving face after raiding him. He thinks the feds expected to uncover evidence on his computer, like chat logs or private message, showing that he was secretly colluding with hackers even as he publicly battled them. When they didn’t, they decided to charge him anyway.
Another motive for the indictment might be found in the 2012 prosecution of Michael “xVisceral” Hogue, who once helped create and sell a remote access program called Blackshades. Sold in the underground for $40, Blackshades was blatant malware, implicated in attacks on one million computers around the world. It was particularly favored in online ransom schemes, where an attacker freezes a victim’s machine and demands a payoff to set it free.
The government made a cooperation deal with Hogue, and with his help U.S. and European law enforcement rounded up 100 Blackshades users in a two-year-long investigation. It was a masterful play by the bureau that multiplied one bust into scores. It also worked out well for Hogue, who was sentenced to probation in 2014.
The feds may have hoped to do the same with Huddleston and NanoCore. If so, they might have done better leaving the assault rifle at the office. By his account, Huddleston was himself a victim of his hacker users, and he might have welcomed a chance to help the FBI make some arrests.
Instead, his most vivid memory of the December raid involves sitting down with the lead agent, who’d come in from Washington D.C. to execute the search warrant personally.
Huddleston was still in his pajamas, and obsessing over the embarrassing blob of meat sitting on the table, as the agent explained that NanoCore’s abuse had international implications. “This is a global thing. We’re working with other countries,” Huddleston remembers the agent saying. “You’re a little fish in a big pond… Are you going to cooperate?”
When Huddleston replied that he wouldn’t talk to the FBI without a lawyer, the agent became visibly irritated, he says. In February the bureau returned with an arrest warrant, and Huddleston spent a week in jail before a judge released him on a $5,000 signature bond.
Now he’s anxious about the future. Before the raid, he was pondering his next project. “I wanted to get into game development.” When The Daily Beast spoke to Huddleston last week, he was planning his 16-hour road trip to Arlington, Virginia for arraignment. He’ll have to make the trip without Google Maps—the judge ordered him to stay completely off the Internet, whether by computer or smartphone. Part of him seems not to believe the whole thing is really happening.
There’s a corporate-friendly double standard at play in the charges, he argues. Hackers have used commercial remote administration tools for years. Big name brands like TeamView and VNC have figured in malware campaigns even more insidious than those waged by NanoCore hackers. But the FBI doesn’t show up at their corporate headquarters with guns drawn.
“NanoCore is abused in the same way that those are,” says Huddleston, his good humor finally breaking into exasperation. “The difference is I proactivity go after these people and build security into the software to catch these people.” His corporate competitors had “money and thousands of employees.” Huddleston had a trailer and microwavable food. “I’m just one guy.”