Malware Dev Who Used Spam Botnet to Pay for College Gets No Prison Time

Security News ThreatsCybercrime Uncategorized

Cyber map

A Pittsburgh judge sentenced a malware dev to two years probation and no prison time for his involvement with a spam botnet.

The man in question is Sean Tiernan, 29, of Santa Clara, California, and the FBI says he was in control of a botnet made up of over 77,000 computers infected with malware that Tiernan was using to send spam messages.

Authorities say Tiernan rented this botnet to others and made profits by offering to send spam on their behalf.

Tiernan caught in 2012, admitted crime right away

The FBI tracked down and executed a search warrant at Tiernan’s residence on October 1, 2012. The suspect confessed immediately, cooperated with authorities right away, and pleaded guilty to a CAN-SPAM violation a year later, in 2013.

Tiernan was sentenced on Monday, this week, October 30. According to court documents obtained by Bleeping Computer, Tiernan’s lawyers requested a probation period instead of prison time due to the non-intrusive nature of his crime.

Tiernan argued that the malware he created and spread via social media only transformed infected computers into proxies and did not steal users’ financial data, nor was any extortion involved.

Furthermore, the malware was also “easily removable,” and only collected people’s IP addresses, a type of information that US courts don’t consider to be private data anymore.

Accused used money to pay for college

Tiernan also argued that the spam he sent were only advertisements, not malware-laden files, and “although the scheme lasted for several years, the scheme’s profits were comparatively small.”

Tiernan’s lawyers say he “used most of the money that he made on the scheme to pay for college and associated educational and living  expenses.”

“In short, the harm caused by the scheme – while real– was comparatively minor,” lawyers argued in a sentencing memorandum.

Tiernan got involved with the spam botnet while just a kid

They also argued that Tiernan, who is the son of a computer consultant, “followed in his father’s footsteps and learned how to code and navigate the internet at a very young age,” but became involved with the spam botnet while a minor in the 2000s. Tiernan operated the botnet together with other adults.

“At the time that he joined the scheme, Sean did not appreciate the seriousness of what he and his co-schemers were involved in or that he could potentially land in jail,” Tiernan’s lawyers argued.

“He thought (wrongly) that as long as they were not accessing private information such as banking or financial records on these computers, they were not doing anything particularly wrong,” lawyers said.

Tiernan is now working in the cybersecurity business

Tiernan was a student at Cal Poly when FBI agents searched his house and confronted him about the scheme. Since then, Tiernan has chosen a career in cybersecurity  and “has been employed continuously with a well-known company in the cybersecurity sector.”

According to his lawyer, Tiernan is now enrolled in the Stanford CyberSecurity Graduate Program and is working toward becoming a Certified Information Systems Security Professional (CISSP).

Tiernan, while not as famous as other hackers, is not the first person to switch over from criminal ranks to the cybersecurity sector after breaking the law while a minor [1, 2].