The Cybersecurity Canon: CRACK99: The Takedown of a $100 Million Chinese Software Pirate

Jan 12, 2016
7 minutes
... views


We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Steve Winterfeld: CRACK99: The Takedown of a $100 Million Chinese Software Pirate (2015) by David Locke Hall

Executive Summary

CRACK99: The Takedown of a $100 Million Chinese Software Pirate is the story of how the author, David Locke Hall, a federal prosecutor with no background in cyber forensics went after a cyber criminal. This is not a book that will help you develop better technical skills but rather help you understand how those outside the field deal with the challenges of applying their normal processes to the complexities of the virtual environment.

CRACK99 misses belonging in the Canon as it doesn’t develop a better cyber practitioner, but it is worth the read to understand the challenges the justice system faces in prosecuting cyber criminals. The style reminds me of Cuckoo's Egg or Takedown with a lot of side stories about the writer’s life. There are also chapters on subjects like arresting an Iranian arms dealer for export violations, justice system, and national cyber strategy. The author does a reasonable job of tying these subjects together as the actual material about the crime is not enough to fill a book.


CRACK99 is the true story of an Assistant United States Attorney (AUSA) who decided to go after a Chinese national who was selling stolen software. Most of the software was used in advanced design and simulation and had national economic/military implications. The AUSA decided to discreetly partner with Homeland Security Investigations (HSI). Normally a case like this would be handled by the Federal Bureau of Investigation (FBI), and the U.S. Attorney’s Office in Wilmington, Delaware would not focus resources on an international case. Finally, to keep the case with HSI, they classified it as smuggling.

One of the first applications they focused on was the Analytical Graphics Incorporated (AGI) Satellite Tool Kit (STK). The software normally sold for around $150,000; but, on the CRACK99 website, an illegal copy cost only $1,000. STK was a simulation that could replicate the performance of satellites, drones or other military assets. This was one of a host of applications for sale, most of them using the same third party to enforce licensing. The AUSA thought that a rogue employee at that firm was the culprit; but, as he came to understand the technology involved, realized that was not likely.

They purchased a copy of STK for the investigation and were told to use a Western Union money transfer. Sending the wire transfer from Delaware helped establish a case that the AUSA could prosecute. The operator of the site gave the user’s name and address in China. His name was Xiang Li, and he not only delivered the software but would help by providing guidance on how to install it. This was enough to get a warrant for the Gmail account Xiang Li was using. Analysis of emails revealed that there were over 450 illegal software sales worth over $100 million. Additionally it showed that his wife was involved as the money manager, and most of the sales were in the U.S.

The investigators came up with a plan to engage Li as potential business partners and lure him into the U.S. via a meeting in Saipan (a U.S. territory). They got a grand jury for indictment on copyright infringement, traffic in access control circumvention, wire fraud, interstate transportation of stolen property, smuggling, and trafficking in counterfeit labels. Li met them; was arrested; and, initially, was cooperative with the investigation. One of the big questions was how he got the software and who cracked the licensing. It was mostly fan groups, web forums, and hackers – he found what he sold through open searches (many were in Russia), and some were given by customers who wanted them cracked. Xiang Li asked for mercy but got 12 years. Of all the U.S. buyers, only two were prosecuted: Mr. Best got 3 years, and Mr. Wedderburn received probation.

CRACK99 provides great background on the justice system. The Federal Bureau of Investigation (FBI) is the big dog with the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) and Drug Enforcement Agency (DEA) getting news coverage. Homeland Security Investigations (HSI) is bigger than both but only half the size of the FBI. HIS came out of Customs, which became Immigration and Customs Enforcement (ICE). In 2010 the FBI moved from crime to intelligence collection. The AUSA didn’t want to give the case to them because they would not push for jail time.

The book also covers organizations like the Department of Justice (DOJ) Office of International Affairs, Mutual Legal Assistance Treaty (MLAT), Defense Criminal Investigative Services (DCIS), Office of the National Counterintelligence Executive (ONCIX). It provides insight into which law to prosecute under: economic espionage, smuggling, copyrights, conspiracy (too abstract for the jury), pen register (wiretap) rules, lure, embargo, or acts like the National Stolen Property Act and Sound Recordings Act. It also list resources like executive orders, commercial reports (Mandiant), and the Department of Defense (DOD) Science Board. The author also shares his opinion on case law, such as his belief that the Supreme Court was wrong in the Dowling decision.

While the author didn’t propose a strategy, he did frame many of the issues and possible solutions. One key theme was the concept that most law enforcement is hooked on fast food – low hanging fruit that is easy to prosecute but has no impact. He compares this to U.S. cyber strategy – a lot of talk and papers with strategy in the title but no actionable strategy. For example, much was made of Coreflood botnet being taken down, but nobody was arrested. The U.S. government indicted members of the Chinese People’s Liberation Army; but, again, there was no expectation they would be prosecuted. It was more of a political name and shame policy.

As part of his review of arresting arms dealers trying to avoid embargo restrictions, he said, “Dubai is a monument to the failure of the United States to control the proliferation of its own goods and technology.” He talks about the parallels to a lack of cyber strategy or concerted effort. The DOJ bragging sheet that covers their key cases had nothing about theft of intellectual property or cases against China – this despite the example of Microsoft having an application update downloaded 30 million times for one legitimate license. There is a real disconnect between the DOJ and national security / economic threats.


CRACK99 should be read by anyone who wants to understand more about how one prosecutor in the justice system took on a cyber criminal. The author does a decent job of covering both the tactical aspects of an investigation and the national strategy issues involved with the case. His side stories about getting pulled in to work other cases, such as those of drug dealers and even a mail carrier case that ended in a plea agreement, are interesting. It feels like he wrote the book over a period of years without updating some activities referenced. He talks about reports/actions ranging from 2011 to 2015. He also spends a lot of time talking about his Navy background and the potential Chinese government/military involvement but ends up with no proof.

Bottom line – this is not a Canon candidate but a quick and worthwhile read.


Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.