Security researcher warns of chilling effect after feds search phone at airport
A U.S. security researcher is warning of a chilling effect after he was detained on arrival at a U.S. airport, his phone was searched, and was ordered to testify to a grand jury, only to have prosecutors reverse course and drop the investigation later.
On Wednesday, Sam Curry, a security engineer at blockchain technology company Yuga Labs, said in a series of posts on X, formerly Twitter, that he was taken into secondary inspection by U.S. federal agents on September 15 after returning from a trip to Japan. Curry said agents with the Internal Revenue Service’s Criminal Investigation (IRS-CI) unit and the Department of Homeland Security questioned him at Dulles International Airport in Washington DC about a “high profile phishing campaign,” searched his unlocked phone, and served him with a grand jury subpoena to testify in New York the week after.
According to a photo of the subpoena that Curry posted, the grand jury was investigating wire fraud and money laundering.
But Curry said he later received confirmation that the copy of his device data was deleted and the grand jury subpoena was canceled once prosecutors realized that Curry was investigating the theft of crypto, and not involved in it.
In a post, Curry said that in December 2022 he discovered that scammers had inadvertently exposed their Ethereum private key in the source code of a phishing website that had stolen millions of dollars worth of crypto. Curry said he imported the key to his own crypto wallet to see if there was anything left in the alleged scammers’ wallet, but that he found the key “five minutes too late and the stolen assets were gone.”
Curry said he was “on my home IP address and obviously not attempting to conceal my identity as I was simply investigating this.”
“We normally take this approach where it’s seeing if there’s anything we can do to help. And then if we can’t, obviously we can’t. It’s tricky, because there are so many of these phishing campaigns,” Curry told TechCrunch in a phone call.
Curry said that the feds had requested the authorization logs from crypto marketplace OpenSea, which Curry used to check the contents of the scammers’ wallet. Those logs included Curry’s home IP address. Curry accused the feds of using his arrival to the U.S. “as an excuse to ask for my device and summon me to a grand jury, rather than just email me or something.”
“I’m sharing this because I think it’s something people should be aware of if they’re doing similar work. It was widely shared that the private key was leaked and my background as a security researcher wasn’t enough to dissuade using immigrations and a grand jury to intimidate me,” Curry said in his post.
Curry is a widely known security researcher, whose work has helped to discover flaws in airline rewards programs, connected vehicles, and helped to uncover security weaknesses at Apple, and Starbucks. Curry said was flying into Washington DC to attend an election security research forum set up by U.S. cybersecurity agency CISA to audit U.S. voting machines.
After he was released from the airport, he spoke to his attorney, who told the federal investigators that Curry was investigating the incident as part of routine work as a security researcher.
In a call, Curry told TechCrunch he understood why the feds were investigating the incident, but criticized their approach.
“The thing I will give credit for is if in any other circumstance somebody has the private key, someone who’s obviously done a multimillion dollar phishing scam, and use that private key to sign in to OpenSea, yeah, I think it is a little suspicious and that’s like definitely something to investigate,” said Curry.
“They had a manila folder with my photo and my Twitter and all my social media, and I would have assumed that they would have looked into it a little bit,” said Curry. “Even just a brief read — just who I am and what I do — I feel it would have cleared things up a lot.”
While he believes the legal demand is resolved, Curry said that he “felt dirty” when the feds handed back his phone after searching its contents. U.S. authorities can search a person’s phone at the border without a warrant, including Americans, though the law is less clear on whether a person must comply. Only U.S. citizens cannot be denied entry for not complying, but they can have their devices seized indefinitely.
Nicholas Biase, a spokesperson for the U.S. Attorney’s Office for the Southern District of New York, where the grand jury subpoena was filed, declined to comment when reached Wednesday. Terry Lemons, a spokesperson for the IRS-CI, the criminal investigative arm of the U.S. tax authority known for probing crypto thefts, did not return a request for comment.
It’s not unheard of for U.S. authorities to target security researchers or journalists with threats of prosecution or other kinds of legal process to compel testimony, like grand juries, which convene in secret to determine if formal criminal charges should be brought against a person.
The relationship between U.S. authorities and the security community has largely improved in recent years as both attitudes towards good-faith hackers and the legal landscape for security researchers have changed for the better. But instances like this threaten to weaken the trust built in recent years by disincentivizing researchers from engaging in security defense and remediation if they think their actions could be prosecuted.
In the last few years, security researchers have taken matters into their own hands during thefts and hacking campaigns that target and steal cryptocurrencies. In the crypto world, this is called “white hatting,” a term that refers to the traditional distinction between black hats, cybercriminals or hackers who hack with malicious or illegal intent, and white hats, researchers and hackers who operate with no criminal or ill intent.
But accessing a victim’s wallet — even a scammer’s wallet — in an attempt to recover funds falls in “a real gray area” of the law, former prosecutor Elizabeth Roper told Motherboard last year.
“If it ends up saving everyone, every user on the platform and a bunch of money and the person who did it kind of immediately discloses it,” Roper said, “maybe we wouldn’t use our resources to prosecute that person, but again it depends on the specific case.”
Lorenzo Franceschi-Bicchierai contributed reporting.