Developer gets prison after admitting backdoor was made for malice
An Arkansas man has been sentenced to serve almost three years in federal prison for developing advanced malware that he knew would be used to steal passwords, surreptitiously turn on webcams, and conduct other unlawful actions on infected computers.
Taylor Huddleston, 27, of Hot Springs, Arkansas, admitted in July that he was the developer of NanoCore, a remote-access trojan that he sold online, documents filed in federal court in Virginia show. In a statement of facts signed by Huddleston, the defendant confirmed that from 2012 to 2016 he marketed the malware on Hack Forums, a site that offers discussions on a wide range of topics including hacking. Huddleston also agreed with prosecutors that NanoCore and available plugins offered a full set of features including:
- a keylogger that allowed customers to record all keystrokes typed
- a password stealer that extracted passwords saved and sent them over the Internet to the customer
- the ability for customers to remotely turn on webcams and spy
- the ability to view, delete, and download files
- the ability to lock infected computers until users paid customers a ransom
- a "booter" or "stresser" that allowed infected computers to participate in distributed denial-of-service attacks
The statement of facts, signed on July 25, said:
By developing NanoCore and distributing it to hundreds of people, some of whom he knew intended to use it for malicious purposes, Huddleston knowingly and intentionally aided and abetted thousands of unlawful computer intrusions and attempted unlawful computer intrusions, including intrusions and attempted intrusions that occurred within the Eastern District of Virginia… Huddleston agrees the evidence would show that NanoCore was used in a massive "spear phishing" scheme designed to infect and attempt to infect thousands of victim computers, including computers within the Eastern District of Virginia.
In 2015, more than 500 websites inadvertently exposed their visitors to an attack that attempted to install NanoCore. Attackers pulled off the hack by compromising the account of an anti-adblocker service the sites used. The statement of facts made no mention of the incident. Huddleston also admitted he developed and sold a program called Net Seal to other developers, many of whom the defendant knew were using it to distribute their own malicious wares.
Huddleston's case gained national attention last March when Daily Beast reporter Kevin Poulsen argued that the case against Huddleston was novel because it prosecuted the developer of "dual-use software" who had "hacked no one." Huddleston, the article reported, insisted he wrote the $25 program as a legitimate remote administration tool for administrators, tech-support professionals, and parents. Poulsen went on to suggest Huddleston was being held accountable for the crimes of crooks who pirated and abused the software.
"The court filings don't detail why the government is so certain that Huddleston wanted to help hackers, but the indictment mentions eight times the name of the website where Huddleston announced and supported NanoCore: HackForums.net," Poulsen wrote. In an update in July, Poulsen reported that the self-taught programmer was pleading guilty after admitting NanoCore was intended for malicious purposes all along.
In addition to receiving 33 months in prison, Huddleston was sentenced to two years of supervised release following his prison sentence.