The 21-year-old developer who cooked up LuminosityLink – the $39.99, turnkey, remote-access Trojan (RAT) used as spyware, keylogger, electricity/CPU-stealing cryptocurrency miner, and distributed denial-of-service (DDoS) launchpad by cybercrooks in 78 countries – was sentenced last week to 30 months in federal prison.
In a plea deal, Colton Grubbs also gave up the $725,000 worth of bitcoin he made from peddling the malware, which was marketed as a legitimate remote-administration tool but which he knew full well was being used by plenty of customers to remotely access and control their victims’ computers without their knowledge or consent.
The Department of Justice (DOJ) for the Eastern District of Kentucky announced last Monday that Grubbs had signed a plea deal that covered charges of conspiracy to unlawfully access computers in furtherance of a criminal act, conspiracy to commit money laundering, and the illegal removal of property to prevent its lawful seizure.
Grubbs pleaded guilty in July to the federal charges of creating, selling and providing technical support for the RAT to his customers, who used it to gain unauthorized access to thousands of computers across 78 countries worldwide. Grubbs also pleaded guilty to trying to hide incriminating evidence.
According to the plea agreement, after learning the FBI was about to search his apartment in Lexington, Kentucky, Grubbs gave his laptop to his roommate and asked him to conceal it in the roommate’s car.
Grubbs also called a PayPal user who was collecting LuminosityLink payments on his behalf (PayPal had banned him for selling malware) and warned him to “clean your room.”
Grubbs also hid a debit card associated with his bitcoin account in a kitchen cabinet; tucked a phone storing his bitcoin information away in his roommate’s closet; spirited away the hard drives from his desktop computer, removing them from his apartment before the search; and then, three days later, shuffled over 114 bitcoins – currently worth $725,000 – from his LuminosityLink bitcoin address into six new bitcoin addresses.
LuminosityLink was shut down, and Grubbs was captured, after a dozen law enforcement agencies in Europe, Australia and North America took part in a Europol dragnet led by the UK in September 2017 that went after hackers linked to the tool.
The investigation uncovered a network of crooks who distributed and used LuminosityLink worldwide and sold it to more than 8,600 buyers via the Luminosity.link website and the public internet forum HackForums.net. It sold for as little as $39.99 and was, as Europol described it, pretty much a turnkey malware kit, requiring little technical knowledge to be unleashed on thousands of victims.
Grubbs offered assistance to his customers on how to use LuminosityLink for unauthorized computer intrusions through posts and group chats on websites including HackForums.net.
In a sentencing memorandum, Neeraj K. Gupta, an assistant US attorney, had asked for a sentence of 36 months, writing that Grubbs’ messages showed that he was contemptuous of the law:
“Grubbs made a business of flouting the law (except where it benefitted him) and profited from helping less sophisticated people commit computer intrusions. His messages show that he has no respect for the law and show contempt for moral rules and social norms. His crimes and conspiracies require a lengthy sentence.”
The judge split the difference between what the prosecutors and defense attorneys were after. The DOJ says that Grubbs has to serve 85% of his prison sentence. After he gets out, he’ll be looking at another three years of probation.