After being detained upon arrival at a U.S. airport, having his phone searched, and being ordered to testify before a grand jury, only to have prosecutors backtrack and drop the investigation, a U.S. security researcher is warning of a chilling effect.
After returning from a trip to Japan on September 15, Sam Curry, a security engineer at blockchain technology firm Yuga Labs, said in a series of posts on X (formerly Twitter) that he was detained for secondary inspection by U.S. federal agents. According to Curry, he was summoned to testify before a New York grand jury the following week after agents from the Internal Revenue Service’s Criminal Investigation (IRS-CI) unit and the Department of Homeland Security questioned him at Dulles International Airport in Washington, DC about a “high profile phishing campaign,” searched his unlocked phone, and served him with a grand jury subpoena.
The grand jury appears to be looking into wire fraud and money laundering, as evidenced by the subpoena photo that Curry posted.
Once prosecutors learned that Curry was investigating the theft of crypto and was not involved in it, they reportedly canceled the grand jury subpoena and confirmed that the copy of his device data had been deleted.
According to a blog post by Curry, he uncovered a phishing website that had stolen millions of dollars’ worth of cryptocurrency in December 2022 after the scammers had left their Ethereum private key in the website’s source code. Curry claims he tried to see if the alleged scammers had anything left in their wallet by importing the key to his own cryptocurrency wallet, but he discovered the key “five minutes too late and the stolen assets were gone.”
According to Curry, he was “on my home IP address and obviously not attempting to conceal my identity as I was simply investigating this.”
“Typically, we take the tack of trying to determine what, if anything, can be done to aid the situation. If we can’t, then we clearly can’t.” According to a phone conversation with Curry, the widespread nature of phishing attacks makes detection difficult.
After discovering the scammers’ wallet contents, Curry reported that the FBI had requested the authorization logs from crypto exchange OpenSea. Curry’s home IP address was recorded there. In his complaint, Curry claimed that the federal government was using his arrival in the United States “as an excuse to ask for my device and summon me to a grand jury, rather than just email me or something.”
“I’m passing this along because it’s information others working in a similar field should have,” Curry wrote. “Despite my reputation as a security researcher, the use of immigrations and a grand jury to intimidate me occurred after the news of the leak became public.”
Curry is a well-known security researcher whose findings have led to the disclosure of holes in the reward systems of airlines and in connected vehicles, as well as security issues at Apple and Starbucks. Curry said he was flying to Washington, DC to take part in an election security research forum organized by the U.S. agency CISA, where American voting machines would be audited.
After he was released from the airport, his lawyer told the federal investigators that Curry had been looking into the incident as part of his normal duties as a security researcher.
In a phone call, Curry explained that while he appreciated the federal government’s interest in the case, he disagreed with the way they were going about it.
If “someone who has obviously done a multimillion dollar phishing scam” has the private key and uses it to sign in to OpenSea, then “yeah, I think that is a little suspicious and that is like definitely something to investigate,” as Curry put it.
“They had a manila folder with my photo, Twitter, and all my social media, and I would have assumed that they would have looked into it a little bit,” said Curry. “Simply reading about who I am and what I do would have helped a great deal, I think.”
Curry said he “felt dirty” when federal agents returned his phone to him after searching it, despite his belief that the legal demand had been satisfied. The law is less clear on whether a person must comply with a warrantless search of their phone by U.S. authorities at the border. Only U.S. citizens are exempt from being denied entry for failing to comply, but their devices can be held indefinitely.
Nicholas Biase, a spokesperson for the U.S. Attorney’s Office for the Southern District of New York, where the grand jury subpoena was filed, declined to comment when reached on Wednesday. The IRS Criminal Investigation division is known for investigating crypto thefts, but its spokesperson, Terry Lemons, did not respond to a request for comment.
U.S. authorities frequently use grand juries, which meet in secret to decide if formal criminal charges should be brought against a person, as a tool to compel testimony from security researchers and journalists.
U.S. authorities’ views on hackers in general, and the legal climate for security researchers in particular, have changed for the better in recent years, leading to a marked improvement in relations with the security community. However, cases like these have the potential to erode the trust that has been established in recent years by discouraging researchers from assisting with security defense and remediation out of fear of legal repercussions.
In recent years, security researchers have taken matters into their own hands during thefts and hacking campaigns aimed at stealing cryptocurrency. In the crypto community, this is referred to as “white hatting,” a term that alludes to the classic divide between “black hats,” cybercriminals or hackers who hack with malicious or illegal intent, and “white hats,” researchers and hackers who operate with no criminal or ill intent.
Former prosecutor Elizabeth Roper told Motherboard last year that accessing a victim’s wallet, or even a scammer’s wallet, in an attempt to recover funds falls in “a real gray area” of the law.
For example, “maybe we wouldn’t use our resources to prosecute that person,” Roper said, “but again it depends on the specific case.” This is because “if it ends up saving everyone, every user on the platform and a bunch of money and the person who did it kind of immediately discloses it,” then everyone benefits.