{ "backfill_queue": [], "cases": [ { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State + International (GDPR, BIPA)" ], "module_ids": [ "02a" ], "module_paths": [ "artifacts/modules/02a-osint-legal-limits-dark-web.md" ], "module_titles": [ "OSINT Legal Limits, Dark Web Operations, and Blockchain Intelligence" ], "slug": "aclu-v-clearview-ai-n-d-ill-2022-settlement", "statutes": [ "18 U.S.C. \u00a7 2701 (Stored Communications Act)", "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 2261A (federal cyberstalking)", "18 U.S.C. \u00a7 1029 (access device fraud)", "18 U.S.C. \u00a7 875 (interstate threats)", "18 U.S.C. \u00a7 1956 (money laundering)", "GDPR Article 5", "GDPR Article 9", "California Civil Code \u00a7 1798.100 (CCPA)", "California AB 1732 (2022)", "New York Exec. Law \u00a7 79-n", "740 ILCS 14 (Illinois BIPA)", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)" ], "title": "ACLU v. Clearview AI (N.D. Ill. 2022 settlement)", "topics": [ "OSINT", "Stored Communications Act", "SCA 18 U.S.C. \u00a7 2701", "scraping public data", "hiQ v. LinkedIn", "Facebook v. Power Ventures", "Van Buren scraping", "CFAA \u00a7 1030(a)(2)", "GDPR Article 5 scraping", "CCPA scraping", "cyberstalking 18 U.S.C. \u00a7 2261A", "state stalking statutes", "aggregation problem", "doxxing", "no federal doxxing statute", "California AB 1732", "New York Exec. Law \u00a7 79-n", "intentional infliction of emotional distress", "Tor legal status", "Tor exit node liability", "dark web marketplace", "Silk Road", "Ulbricht", "buying on dark web", "access device fraud \u00a7 1029", "drug trafficking conspiracy", "continuing criminal enterprise", "Bitcoin evidence", "Gratkowski no 4th Amendment blockchain", "blockchain analytics admissibility", "Chainalysis", "Elliptic", "privacy coins", "Monero legal risk", "Tornado Cash OFAC sanctions", "cryptocurrency mixing", "Clearview AI", "BIPA 740 ILCS 14", "biometric data", "GDPR Article 9 special category", "facial recognition scraping", "threat intelligence forums", "criminal forum access", "ISAC antitrust", "AIS CISA", "safe grey red OSINT matrix", "Google dorking", "LinkedIn scraping", "Shodan", "HaveIBeenPwned", "Maltego", "reverse image search", "public records FOIA", "paste sites" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [], "module_ids": [ "02e" ], "module_paths": [ "artifacts/modules/02e-hipaa-security-rule-full.md" ], "module_titles": [ "HIPAA Security Rule: A Complete Operational Guide for Security Researchers and Healthcare Pen Testers" ], "slug": "advocate-aurora-health-pixel-tracking-breach-2022", "statutes": [ "HIPAA (Pub. L. 104-191)", "HITECH Act (Pub. L. 111-5)", "45 C.F.R. Parts 160, 164", "45 C.F.R. \u00a7 164.308 (Administrative Safeguards)", "45 C.F.R. \u00a7 164.310 (Physical Safeguards)", "45 C.F.R. \u00a7 164.312 (Technical Safeguards)", "45 C.F.R. \u00a7 164.402 (Breach Definition)", "45 C.F.R. \u00a7 164.404 (Individual Notice)", "45 C.F.R. \u00a7 164.406 (Media Notice)", "45 C.F.R. \u00a7 164.408 (HHS Notice)", "45 C.F.R. \u00a7 164.410 (BA Breach Notification)", "45 C.F.R. \u00a7 164.504(e) (BAA Requirements)", "42 U.S.C. \u00a7 1320d-5 (Civil Monetary Penalties)", "42 U.S.C. \u00a7 1320d-6 (Criminal Penalties)", "21 U.S.C. \u00a7 524B (FD&C Act Medical Device Cybersecurity)", "California Civil Code \u00a7 56 (CMIA)", "Texas Health & Safety Code \u00a7 181 (TMRPA)", "New York SHIELD Act (2019)" ], "title": "Advocate Aurora Health \u2014 pixel tracking breach (2022)", "topics": [ "HIPAA Security Rule", "ePHI", "PHI", "covered entities", "business associates", "BAA", "Business Associate Agreement", "subcontractor chain", "Privacy Rule", "Breach Notification Rule", "administrative safeguards", "physical safeguards", "technical safeguards", "required vs addressable controls", "addressable implementation specification", "risk analysis", "unique user identification", "audit controls", "transmission security", "encryption safe harbor", "60-day breach notification clock", "Wall of Shame", "500-person threshold", "media notice", "surrogate notice", "OCR civil monetary penalties", "4-tier CMP framework", "willful neglect", "42 U.S.C. \u00a7 1320d-6 criminal penalties", "false pretenses 5 years", "personal gain 10 years", "HITECH Act", "Change Healthcare breach 2024", "ALPHV BlackCat", "UnitedHealth Group", "Advocate Aurora pixel tracking", "Meta Pixel HIPAA", "HCA Healthcare breach 2023", "FDA 2023 Cybersecurity Guidance", "Section 524B FD&C Act", "cyber device", "SBOM medical device", "postmarket cybersecurity obligations", "healthcare pen test scope letter", "PHI handling during testing", "minimum necessary standard", "data destruction NIST SP 800-88", "California CMIA", "Cal. Civ. Code \u00a7 56", "CMIA private right of action", "Texas Health & Safety Code \u00a7 181", "TMRPA", "New York SHIELD Act", "state health privacy law overlay", "45 C.F.R. Part 164", "safe grey red healthcare matrix", "BOLA EHR vulnerability", "packet capture ePHI destruction", "medical device pen testing", "infusion pump security", "state AG HIPAA enforcement" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [], "module_ids": [ "02b" ], "module_paths": [ "artifacts/modules/02b-zero-day-market-commercial-spyware.md" ], "module_titles": [ "Zero-Day Market and Commercial Spyware Law" ], "slug": "apple-v-nso-group", "statutes": [ "18 U.S.C. \u00a7 1030", "18 U.S.C. \u00a7 2511", "17 U.S.C. \u00a7 1201", "15 C.F.R. Parts 730-774", "EAR ECCN 4E001" ], "title": "Apple v. NSO Group", "topics": [ "zero-day market", "export controls", "NSO Group", "Pegasus", "commercial spyware", "stalkerware", "VEP", "bug bounty vs broker", "government procurement", "DMCA Section 1201", "Wassenaar Arrangement", "UK CMA", "Germany StGB 202c" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal; U.S. State (California); EU (GDPR)" ], "module_ids": [ "01f" ], "module_paths": [ "artifacts/modules/01f-victim-remedies.md" ], "module_titles": [ "Victim Remedies and Procedural Hurdles" ], "slug": "calder-v-jones-1984", "statutes": [ "18 U.S.C. \u00a7 1030(g) (CFAA civil action)", "18 U.S.C. \u00a7 3663A (Mandatory Victims Restitution Act)", "California Penal Code \u00a7 502", "California Civil Code \u00a7 1798.150 (CCPA)", "Foreign Sovereign Immunities Act (FSIA)", "GDPR Article 82" ], "title": "Calder v. Jones (1984)", "topics": [ "restitution", "forfeiture", "injunctive relief", "TRO", "compensatory damages", "punitive damages", "CFAA civil action", "CCPA damages", "class action against breached organization", "standing", "Spokeo", "TransUnion", "Article III standing", "injury in fact", "attribution problem", "John Doe defendants", "personal jurisdiction", "venue", "forum non conveniens", "foreign sovereign immunity", "FSIA terrorism exception", "extradition", "dual criminality", "privilege over forensics reports", "attorney-client privilege", "work product doctrine", "circuit split on standing", "negligence", "breach of contract", "GDPR data subject compensation", "Mandatory Victims Restitution Act" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State", "U.S. Federal; U.S. State (California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, Washington)" ], "module_ids": [ "01x", "02c" ], "module_paths": [ "artifacts/modules/01x-social-engineering-legal-limits.md", "artifacts/modules/02c-ecpa-wiretapping-stored-comms.md" ], "module_titles": [ "Social Engineering Legal Limits: Wire Fraud, Impersonation, ECPA, and the Authorization Gap", "ECPA: Wiretap Act, Stored Communications, and Pen Registers" ], "slug": "carpenter-v-united-states-585-u-s-296-2018", "statutes": [ "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 912", "18 U.S.C. \u00a7 1028", "18 U.S.C. \u00a7 2511", "15 U.S.C. \u00a7\u00a7 6821-6827 (GLBA)", "15 U.S.C. \u00a7 7701 (CAN-SPAM)", "18 U.S.C. \u00a7 1037", "18 U.S.C. \u00a7 1030(a)(5)", "47 U.S.C. \u00a7 227 (TCPA)", "47 U.S.C. \u00a7 227(e) (Truth in Caller ID Act)", "47 C.F.R. \u00a7 64.1604", "California Penal Code \u00a7 632", "California Business & Professions Code \u00a7 17200", "California Penal Code \u00a7 502", "New York Penal Law \u00a7 156.05", "Texas Penal Code \u00a7 33.02", "Florida Statutes \u00a7 815.06", "18 U.S.C. \u00a7\u00a7 2510\u20132522 (Wiretap Act)", "18 U.S.C. \u00a7\u00a7 2701\u20132713 (Stored Communications Act)", "18 U.S.C. \u00a7\u00a7 3121\u20133127 (Pen Register Act)", "18 U.S.C. \u00a7 2511(2)(a)(i)", "18 U.S.C. \u00a7 2511(2)(c)", "18 U.S.C. \u00a7 2511(2)(d)", "18 U.S.C. \u00a7 2515", "18 U.S.C. \u00a7 2520", "18 U.S.C. \u00a7 2701", "18 U.S.C. \u00a7 2702", "18 U.S.C. \u00a7 2703", "18 U.S.C. \u00a7 2707", "18 U.S.C. \u00a7 3121", "Florida Stat. \u00a7 934.03", "720 ILCS 5/14-2", "Mass. Gen. Laws ch. 272 \u00a7 99", "Pa. Cons. Stat. \u00a7 5703", "Wash. Rev. Code \u00a7 9.73.030" ], "title": "Carpenter v. United States, 585 U.S. 296 (2018)", "topics": [ "social engineering", "wire fraud", "scheme to defraud", "18 U.S.C. \u00a7 1343", "United States v. Czubinski", "scheme to defraud element", "phishing authorization gap", "federal impersonation", "18 U.S.C. \u00a7 912", "false personation federal officer", "identity document fraud", "18 U.S.C. \u00a7 1028", "ECPA", "wiretapping", "18 U.S.C. \u00a7 2511", "one-party consent", "all-party consent", "California Penal Code \u00a7 632", "vishing recording", "GLBA pretexting", "15 U.S.C. \u00a7 6821", "FTC pretexting enforcement", "financial institution social engineering", "CAN-SPAM Act", "CFAA phishing malware", "phishing damage", "TCPA bulk SMS", "SMiShing", "Truth in Caller ID Act", "47 U.S.C. \u00a7 227(e)", "caller ID spoofing", "caller ID spoofing legal vs illegal", "California Business and Professions Code \u00a7 17200", "UCL unfair business practices", "state deceptive practices", "human element authorization gap", "employee consent third party", "Van Buren authorization principle", "pen test scope letter limits", "company authorization employee rights", "safe grey red matrix social engineering", "AT&T insider bribery Fahd", "SIM swap prosecution", "Joseph O Connor PlugwalkJoe", "Graham Clark Twitter SIM swap", "BEC wire fraud", "business email compromise", "FDIC impersonation", "pretexting pre-engagement notice", "GLBA customer financial records", "TCPA ATDS Facebook v. Duguid", "red team impersonation IT helpdesk", "LinkedIn OSINT legal limits", "dumpster diving legal", "shoulder surfing", "Wiretap Act", "Stored Communications Act", "18 U.S.C. \u00a7 2701", "Pen Register Act", "18 U.S.C. \u00a7 3121", "ECS vs RCS", "electronic communication service", "remote computing service", "California \u00a7 632", "Florida \u00a7 934.03", "provider exception", "\u00a7 2511(2)(a)(i)", "subscriber records vs content", "compelled disclosure \u00a7 2703", "voluntary disclosure \u00a7 2702", "war-driving", "packet sniffing", "network tap", "honeypot legal design", "SSL MITM ECPA", "VoIP intercept", "BLE sniffing", "TOR exit node monitoring", "Wi-Fi payload capture", "Joffe v. Google Street View", "Councilman email interception", "Konop v. Hawaiian Airlines", "United States v. Ropp keylogger", "Warshak email warrant", "Carpenter cell-site location", "inadvertently obtained doctrine", "pen register metadata", "dialing routing addressing signaling", "electronic storage", "temporary intermediate storage", "ECPA civil damages", "\u00a7 2520 civil recovery", "suppression remedy \u00a7 2515", "dual ECPA CFAA exposure", "ECPA pre-engagement checklist" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [], "module_ids": [ "02e" ], "module_paths": [ "artifacts/modules/02e-hipaa-security-rule-full.md" ], "module_titles": [ "HIPAA Security Rule: A Complete Operational Guide for Security Researchers and Healthcare Pen Testers" ], "slug": "change-healthcare-uhg-hhs-ocr-investigation-2024", "statutes": [ "HIPAA (Pub. L. 104-191)", "HITECH Act (Pub. L. 111-5)", "45 C.F.R. Parts 160, 164", "45 C.F.R. \u00a7 164.308 (Administrative Safeguards)", "45 C.F.R. \u00a7 164.310 (Physical Safeguards)", "45 C.F.R. \u00a7 164.312 (Technical Safeguards)", "45 C.F.R. \u00a7 164.402 (Breach Definition)", "45 C.F.R. \u00a7 164.404 (Individual Notice)", "45 C.F.R. \u00a7 164.406 (Media Notice)", "45 C.F.R. \u00a7 164.408 (HHS Notice)", "45 C.F.R. \u00a7 164.410 (BA Breach Notification)", "45 C.F.R. \u00a7 164.504(e) (BAA Requirements)", "42 U.S.C. \u00a7 1320d-5 (Civil Monetary Penalties)", "42 U.S.C. \u00a7 1320d-6 (Criminal Penalties)", "21 U.S.C. \u00a7 524B (FD&C Act Medical Device Cybersecurity)", "California Civil Code \u00a7 56 (CMIA)", "Texas Health & Safety Code \u00a7 181 (TMRPA)", "New York SHIELD Act (2019)" ], "title": "Change Healthcare / UHG \u2014 HHS OCR investigation (2024)", "topics": [ "HIPAA Security Rule", "ePHI", "PHI", "covered entities", "business associates", "BAA", "Business Associate Agreement", "subcontractor chain", "Privacy Rule", "Breach Notification Rule", "administrative safeguards", "physical safeguards", "technical safeguards", "required vs addressable controls", "addressable implementation specification", "risk analysis", "unique user identification", "audit controls", "transmission security", "encryption safe harbor", "60-day breach notification clock", "Wall of Shame", "500-person threshold", "media notice", "surrogate notice", "OCR civil monetary penalties", "4-tier CMP framework", "willful neglect", "42 U.S.C. \u00a7 1320d-6 criminal penalties", "false pretenses 5 years", "personal gain 10 years", "HITECH Act", "Change Healthcare breach 2024", "ALPHV BlackCat", "UnitedHealth Group", "Advocate Aurora pixel tracking", "Meta Pixel HIPAA", "HCA Healthcare breach 2023", "FDA 2023 Cybersecurity Guidance", "Section 524B FD&C Act", "cyber device", "SBOM medical device", "postmarket cybersecurity obligations", "healthcare pen test scope letter", "PHI handling during testing", "minimum necessary standard", "data destruction NIST SP 800-88", "California CMIA", "Cal. Civ. Code \u00a7 56", "CMIA private right of action", "Texas Health & Safety Code \u00a7 181", "TMRPA", "New York SHIELD Act", "state health privacy law overlay", "45 C.F.R. Part 164", "safe grey red healthcare matrix", "BOLA EHR vulnerability", "packet capture ePHI destruction", "medical device pen testing", "infusion pump security", "state AG HIPAA enforcement" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State" ], "module_ids": [ "01w" ], "module_paths": [ "artifacts/modules/01w-physical-pentest-red-team-law.md" ], "module_titles": [ "Physical Penetration Testing and Red Team Operations: Exact Statute + Case Analysis for Security Researchers" ], "slug": "coalfire-linn-county-iowa-2019-de-mercurio-and-wynn-arrest", "statutes": [ "18 U.S.C. \u00a7 1030(a)(3)", "18 U.S.C. \u00a7 1036", "18 U.S.C. \u00a7 2701 (Stored Communications Act)", "18 U.S.C. \u00a7 2511 (Wiretap Act)", "18 U.S.C. \u00a7 1343 (Wire Fraud)", "18 U.S.C. \u00a7 912", "18 U.S.C. \u00a7 1030(a)(5)", "California Penal Code \u00a7 459 (Burglary)", "California Penal Code \u00a7 602 (Trespass)", "Texas Penal Code \u00a7 30.05", "Texas Penal Code \u00a7 16.01", "Texas Gov't Code \u00a7 423.003", "New York Penal Law \u00a7 140.05\u2013\u00a7 140.35", "New York Penal Law \u00a7 140.35 (Burglar's Tools)", "Florida \u00a7 810.06", "Illinois 720 ILCS 5/19-2", "14 C.F.R. Part 107 (FAA drone rules)", "Tex. Gov't Code \u00a7 423.0045", "Fla. Stat. \u00a7 934.50", "N.C. Gen. Stat. \u00a7 15A-300.1" ], "title": "Coalfire / Linn County, Iowa (2019) \u2014 De Mercurio and Wynn arrest", "topics": [ "physical penetration test", "red team operation", "rules of engagement", "scope of work", "verbal authorization", "get-out-of-jail letter", "authorization letter", "18 U.S.C. \u00a7 1030(a)(3)", "18 U.S.C. \u00a7 1036", "18 U.S.C. \u00a7 2701", "Stored Communications Act", "California Penal Code \u00a7 602", "Texas Penal Code \u00a7 30.05", "New York Penal Law \u00a7 140.05", "criminal trespass", "burglary trespass escalation", "lockpick legal status", "criminal instrument Texas", "burglar's tools New York", "lock pick possession Florida", "tailgating", "impersonation wire fraud", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 912", "false personation federal officer", "hardware implants", "LAN tap", "Raspberry Pi red team", "keystroke logger", "CFAA \u00a7 1030(a)(5) damage", "Wiretap Act", "18 U.S.C. \u00a7 2511", "wiretapping network tap", "drone recon", "FAA Part 107", "state anti-drone laws", "Texas drone surveillance", "Florida drone law", "RFID cloning", "badge clone", "dumpster diving", "Coalfire Iowa courthouse 2019", "United States v. Rendelman", "safe grey red matrix physical", "pre-engagement checklist", "police did not honor authorization", "24/7 emergency contact" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal + State + International" ], "module_ids": [ "01z" ], "module_paths": [ "artifacts/modules/01z-scada-iot-automotive-hacking-law.md" ], "module_titles": [ "SCADA, IoT, Automotive, and Drone Hacking: Critical Infrastructure Law for Security Researchers" ], "slug": "colonial-pipeline-darkside-ransomware-2-3m-btc-recovery-doj-2021", "statutes": [ "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 1030(a)(5)(A)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 32 (aircraft sabotage)", "47 U.S.C. \u00a7 333 (RF interference)", "18 U.S.C. \u00a7 1365 (consumer product tampering)", "18 U.S.C. \u00a7 1362 (government communication interference)", "49 U.S.C. \u00a7 30170", "42 U.S.C. \u00a7 7522 (EPA emission controls)", "16 U.S.C. \u00a7 824o (Federal Power Act / NERC CIP)", "California Civil Code \u00a7 1798.91.04", "15 U.S.C. \u00a7 45 (FTC Act \u00a7 5)", "21 U.S.C. \u00a7 301 et seq. (FD&C Act \u00a7 524B)" ], "title": "Colonial Pipeline DarkSide ransomware ($2.3M BTC recovery DOJ 2021)", "topics": [ "SCADA hacking law", "ICS security law", "OT cybersecurity legal framework", "PPD-21 critical infrastructure", "CFAA \u00a7 1030(c)(4)(B) enhancement", "critical infrastructure sentencing 20 years", "substantial disruption standard", "Colonial Pipeline legal aftermath", "DarkSide ransomware OFAC", "Oldsmar water treatment plant 2021", "ICS-CERT coordinated disclosure", "CISA vulnerability disclosure ICS", "hospital ransomware Change Healthcare", "UHS ransomware", "involuntary manslaughter ransomware theory", "IoT hacking CFAA", "Mirai botnet Jha 2018", "botnet recruitment \u00a7 1030(a)(5)", "FTC Act \u00a7 5 insecure IoT", "NISTIR 8259 IoT security", "California IoT security law \u00a7 1798.91.04", "Oregon SB 90 IoT", "vehicle ECU CFAA", "automotive hacking law", "Miller Valasek Jeep hack 2015", "Tesla bug bounty scope", "49 U.S.C. \u00a7 30170 vehicle safety", "SPY Car Act", "OBD-II port testing legal", "EPA emissions ECU modification", "drone hacking law", "FAA Part 107", "counter-UAS authority", "FAA Reauthorization Act 2018", "18 U.S.C. \u00a7 32 aircraft sabotage", "GPS spoofing legal risk", "RF jamming 47 U.S.C. \u00a7 333", "drone jamming federal crime", "NERC CIP mandatory standards", "FERC enforcement authority", "critical electric infrastructure information CEII", "smart grid security law", "FDA cybersecurity final rule 2023", "medical device hacking CFAA", "HIPAA medical device PHI", "\u00a7 524B FD&C Act SBOM", "Vitek Boden Maroochy Water 2001", "Stuxnet legal implications", "Ukraine power grid GRU indictment Sandworm", "TRITON TRISIS SIS attack", "Evgeny Gladkikh indictment", "lab vs production ICS testing", "Shodan ICS reconnaissance legal", "safe grey red ICS matrix", "NERC CIP CEII data handling" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, New York, Texas)" ], "module_ids": [ "01q" ], "module_paths": [ "artifacts/modules/01q-missing-statutes.md" ], "module_titles": [ "Beyond CFAA: Economic Espionage Act, Espionage Act, State Statutes, and Trespass to Chattels" ], "slug": "compuserve-inc-v-cyber-promotions-inc-962-f-supp-1015-s-d-ohio-1997", "statutes": [ "18 U.S.C. \u00a7\u00a7 1831-1839 (Economic Espionage Act)", "18 U.S.C. \u00a7 793 (Espionage Act)", "California Penal Code \u00a7 502 (CDAFA)", "New York Penal Law Article 156", "Texas Penal Code \u00a7 33.02", "18 U.S.C. \u00a7 1030 (CFAA)" ], "title": "CompuServe Inc. v. Cyber Promotions, Inc., 962 F. Supp. 1015 (S.D. Ohio 1997)", "topics": [ "Economic Espionage Act", "18 U.S.C. \u00a7 1831", "18 U.S.C. \u00a7 1832", "trade secret theft via hacking", "foreign government nexus", "independent economic value", "reasonable measures to protect", "Xu Yanjun EEA conviction", "Zheng Xiaoqing steganography", "Apple AV engineer EEA", "Espionage Act", "18 U.S.C. \u00a7 793", "national defense information", "classified vs NDI distinction", "Chelsea Manning", "Edward Snowden", "Reality Winner", "Jack Teixeira Discord leaks", "printer steganography", "extraterritorial Espionage Act", "California Penal Code \u00a7 502", "CDAFA", "no damage floor California", "private right of action state", "New York Penal Law Article 156", "computer tampering", "Texas Penal Code \u00a7 33.02", "multi-state cybercrime exposure", "state AG enforcement", "trespass to chattels", "CompuServe v. Cyber Promotions", "Intel v. Hamidi", "eBay v. Bidder's Edge", "functional impairment requirement", "scraping civil liability", "pre-CFAA tort theory" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. State (California, Illinois, Virginia, Colorado, Texas, Connecticut, Nevada, Utah, Montana, Oregon, Iowa, Washington)" ], "module_ids": [ "02f" ], "module_paths": [ "artifacts/modules/02f-state-privacy-laws-ccpa-cpra.md" ], "module_titles": [ "U.S. State Privacy Law: CCPA/CPRA and the State Patchwork" ], "slug": "cothron-v-white-castle-system-inc-2023-il-128004-ill-2023", "statutes": [ "Cal. Civ. Code \u00a7 1798.100", "Cal. Civ. Code \u00a7 1798.105", "Cal. Civ. Code \u00a7 1798.106", "Cal. Civ. Code \u00a7 1798.110", "Cal. Civ. Code \u00a7 1798.120", "Cal. Civ. Code \u00a7 1798.121", "Cal. Civ. Code \u00a7 1798.125", "Cal. Civ. Code \u00a7 1798.140", "Cal. Civ. Code \u00a7 1798.150", "Cal. Civ. Code \u00a7 1798.155", "Cal. Civ. Code \u00a7 1798.185", "Cal. Civ. Code \u00a7 1798.199.10", "Cal. Civ. Code \u00a7 1798.82", "Cal. Bus. & Prof. Code \u00a7 1798.99.80 (Data Broker Registration)", "Va. Code \u00a7\u00a7 59.1-571\u201359.1-581 (CDPA)", "C.R.S. \u00a7\u00a7 6-1-1301\u20136-1-1313 (Colorado Privacy Act)", "Tex. Bus. & Comm. Code \u00a7\u00a7 541.001\u2013541.201 (TDPSA)", "Tex. Bus. & Comm. Code \u00a7 521.053 (TX breach notification)", "Conn. Gen. Stat. \u00a7\u00a7 42-515\u201342-525 (CTDPA)", "Nev. Rev. Stat. \u00a7 603A", "Utah Code \u00a7\u00a7 13-61-101 et seq. (UCPA)", "Mont. Code Ann. \u00a7\u00a7 30-14-3001 et seq. (MTCDPA)", "ORS \u00a7\u00a7 646A.570 et seq. (OCPA)", "Iowa Code \u00a7 715D (ICDPA)", "N.Y. Gen. Bus. Law \u00a7 899-aa (SHIELD Act)", "740 ILCS 14/1 et seq. (Illinois BIPA)", "Wash. Rev. Code \u00a7 70.372 (WMHDA)" ], "title": "Cothron v. White Castle System, Inc., 2023 IL 128004 (Ill. 2023)", "topics": [ "CCPA", "CPRA", "California Consumer Privacy Act", "California Privacy Rights Act", "Cal. Civ. Code 1798.100", "Cal. Civ. Code 1798.150", "right to know", "right to delete", "right to correct", "right to opt-out", "sensitive personal information", "CPPA enforcement agency", "CPPA rulemaking", "Virginia CDPA", "Colorado Privacy Act", "Global Privacy Control GPC", "Texas TDPSA", "Connecticut CTDPA", "Nevada SB 220 SB 370", "Utah UCPA", "Montana MTCDPA", "Oregon OCPA", "Iowa ICDPA", "breach notification California 30 day", "breach notification Texas 60 day", "breach notification New York 30 day", "SHIELD Act", "Illinois BIPA", "740 ILCS 14", "biometric privacy", "per-scan vs per-person damages", "Cothron v White Castle", "Washington My Health MY Data Act", "WMHDA", "cure period sunset", "private right of action", "AG only enforcement", "data protection assessment", "data broker registration", "Delete Act SB 362", "scraping aggregation CCPA", "CCPA deletion demand during research", "PII minimization responsible disclosure", "breach data retention researcher", "safe grey red matrix privacy", "$100 $750 statutory damages", "$1000 $5000 BIPA damages", "class action data breach", "reasonable security", "business threshold CCPA" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal; International (OFAC, FATF)" ], "module_ids": [ "02h" ], "module_paths": [ "artifacts/modules/02h-cryptocurrency-blockchain-legal-framework.md" ], "module_titles": [ "Cryptocurrency and Blockchain Legal Frameworks for Security Researchers" ], "slug": "daubert-v-merrell-dow-pharmaceuticals-inc-509-u-s-579-1993", "statutes": [ "31 U.S.C. \u00a7 5330", "31 U.S.C. \u00a7\u00a7 5311-5336 (Bank Secrecy Act)", "18 U.S.C. \u00a7 1960", "50 U.S.C. \u00a7 1705 (IEEPA)", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1957", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "21 U.S.C. \u00a7 853(p)", "15 U.S.C. \u00a7 78j (Securities Exchange Act \u00a7 10(b))", "15 U.S.C. \u00a7 77a et seq. (Securities Act of 1933)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1030(a)(4)", "26 U.S.C. \u00a7 7201" ], "title": "Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993)", "topics": [ "FinCEN MSB registration", "31 U.S.C. \u00a7 5330", "Bank Secrecy Act", "AML/KYC", "money transmitter", "FinCEN 2013 guidance", "FinCEN 2019 framework", "18 U.S.C. \u00a7 1960 unlicensed money transmitting", "OFAC sanctions", "SDN list", "Tornado Cash designation", "Van Loon v. Treasury 5th Circuit 2024", "immutable smart contracts", "Lazarus Group DPRK addresses", "OFAC strict liability", "blockchain analytics", "Chainalysis Reactor", "Howey test", "SEC v. Ripple programmatic sales", "SEC v. Coinbase", "SEC v. Binance", "staking as securities", "Liberty Reserve", "BTC-e Vinnik", "Tornado Cash founders prosecution", "Samourai Wallet CoinJoin", "crypto forfeiture", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "civil vs criminal forfeiture", "Silk Road Bitcoin seizure", "Bitfinex $3.6B seizure", "private key seizure", "ransomware payment OFAC liability", "Evil Corp alias evasion", "SAR filing", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Lloyd\u2019s Y5381 exclusion", "Gratkowski no 4th Amendment blockchain", "pseudonymity vs anonymity", "Daubert blockchain analytics", "Sterlingov Bitcoin Fog", "Monero regulatory pressure", "privacy coins", "CoinJoin", "Wasabi Wallet", "smart contract auditing liability", "white-hat returns Poly Network Euler Finance", "bug bounty crypto payment", "DOJ Kleptocracy rewards", "substitute asset forfeiture", "Colonial Pipeline BTC recovery" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "International (UK, EU, Germany, Canada, Australia) + U.S." ], "module_ids": [ "01y" ], "module_paths": [ "artifacts/modules/01y-international-pentest-uk-cma-sim-swap.md" ], "module_titles": [ "International Penetration Testing Law: UK CMA, Germany \u00a7 202c, EU NIS2, Canada, Australia, SIM Swap, and Extradition Exposure" ], "slug": "dpp-v-bignell-1998-uk", "statutes": [ "Computer Misuse Act 1990 (UK) \u00a7\u00a7 1, 2, 3, 3A", "Strafgesetzbuch \u00a7\u00a7 202a, 202b, 202c (Germany)", "EU NIS2 Directive 2022/2555 Art. 21, 25", "GDPR Regulation 2016/679 Art. 3, 5, 28, 32, 33", "Canada Criminal Code \u00a7\u00a7 342.1, 430(1.1)", "Australia Criminal Code Act 1995 \u00a7\u00a7 477.1, 477.2, 477.3, 478.1", "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343 (Wire Fraud)", "18 U.S.C. \u00a7 1029 (Access Device Fraud)", "FCC Report and Order FCC-23-111 (2023)" ], "title": "DPP v. Bignell (1998) (UK)", "topics": [ "UK Computer Misuse Act 1990", "CMA section 1 unauthorized access", "CMA section 2 intent further offence", "CMA section 3 impairing operation", "CMA section 3A hacking tools", "R v Gold Schifreen 1988", "Metasploit UK law", "Kali Linux UK law", "Flipper Zero UK law", "Germany 202a unauthorized data access", "Germany 202b phishing", "Germany 202c preparation hacking tools", "StGB dual-use tools", "BSI Act Germany", "EU NIS2 Directive 2022", "GDPR Article 5 data minimization", "GDPR Article 3 extraterritorial", "GDPR penetration testing", "Canada Criminal Code 342.1", "Canada 430(1.1) mischief computer data", "colour of right Canada", "Australia Criminal Code 477", "Australia 477.1 unauthorized access", "Australian Signals Directorate ASD", "SIM swap CFAA", "SIM swap wire fraud 1343", "SIM swap access device fraud 1029", "FCC SIM swap order 2023", "carrier employee bribery", "extradition cybercrime", "double criminality", "US-UK extradition treaty", "Gary McKinnon extradition", "multi-jurisdiction pen test checklist", "international engagement contract", "GDPR data processing agreement", "international security testing risk matrix" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, New York, Texas)" ], "module_ids": [ "01q" ], "module_paths": [ "artifacts/modules/01q-missing-statutes.md" ], "module_titles": [ "Beyond CFAA: Economic Espionage Act, Espionage Act, State Statutes, and Trespass to Chattels" ], "slug": "ebay-inc-v-bidder-s-edge-inc-100-f-supp-2d-1058-n-d-cal-2000", "statutes": [ "18 U.S.C. \u00a7\u00a7 1831-1839 (Economic Espionage Act)", "18 U.S.C. \u00a7 793 (Espionage Act)", "California Penal Code \u00a7 502 (CDAFA)", "New York Penal Law Article 156", "Texas Penal Code \u00a7 33.02", "18 U.S.C. \u00a7 1030 (CFAA)" ], "title": "eBay, Inc. v. Bidder's Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000)", "topics": [ "Economic Espionage Act", "18 U.S.C. \u00a7 1831", "18 U.S.C. \u00a7 1832", "trade secret theft via hacking", "foreign government nexus", "independent economic value", "reasonable measures to protect", "Xu Yanjun EEA conviction", "Zheng Xiaoqing steganography", "Apple AV engineer EEA", "Espionage Act", "18 U.S.C. \u00a7 793", "national defense information", "classified vs NDI distinction", "Chelsea Manning", "Edward Snowden", "Reality Winner", "Jack Teixeira Discord leaks", "printer steganography", "extraterritorial Espionage Act", "California Penal Code \u00a7 502", "CDAFA", "no damage floor California", "private right of action state", "New York Penal Law Article 156", "computer tampering", "Texas Penal Code \u00a7 33.02", "multi-state cybercrime exposure", "state AG enforcement", "trespass to chattels", "CompuServe v. Cyber Promotions", "Intel v. Hamidi", "eBay v. Bidder's Edge", "functional impairment requirement", "scraping civil liability", "pre-CFAA tort theory" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State" ], "module_ids": [ "01x" ], "module_paths": [ "artifacts/modules/01x-social-engineering-legal-limits.md" ], "module_titles": [ "Social Engineering Legal Limits: Wire Fraud, Impersonation, ECPA, and the Authorization Gap" ], "slug": "facebook-v-duguid-592-u-s-395-2021-atds-definition", "statutes": [ "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 912", "18 U.S.C. \u00a7 1028", "18 U.S.C. \u00a7 2511", "15 U.S.C. \u00a7\u00a7 6821-6827 (GLBA)", "15 U.S.C. \u00a7 7701 (CAN-SPAM)", "18 U.S.C. \u00a7 1037", "18 U.S.C. \u00a7 1030(a)(5)", "47 U.S.C. \u00a7 227 (TCPA)", "47 U.S.C. \u00a7 227(e) (Truth in Caller ID Act)", "47 C.F.R. \u00a7 64.1604", "California Penal Code \u00a7 632", "California Business & Professions Code \u00a7 17200", "California Penal Code \u00a7 502", "New York Penal Law \u00a7 156.05", "Texas Penal Code \u00a7 33.02", "Florida Statutes \u00a7 815.06" ], "title": "Facebook v. Duguid, 592 U.S. 395 (2021) \u2014 ATDS definition", "topics": [ "social engineering", "wire fraud", "scheme to defraud", "18 U.S.C. \u00a7 1343", "United States v. Czubinski", "scheme to defraud element", "phishing authorization gap", "federal impersonation", "18 U.S.C. \u00a7 912", "false personation federal officer", "identity document fraud", "18 U.S.C. \u00a7 1028", "ECPA", "wiretapping", "18 U.S.C. \u00a7 2511", "one-party consent", "all-party consent", "California Penal Code \u00a7 632", "vishing recording", "GLBA pretexting", "15 U.S.C. \u00a7 6821", "FTC pretexting enforcement", "financial institution social engineering", "CAN-SPAM Act", "CFAA phishing malware", "phishing damage", "TCPA bulk SMS", "SMiShing", "Truth in Caller ID Act", "47 U.S.C. \u00a7 227(e)", "caller ID spoofing", "caller ID spoofing legal vs illegal", "California Business and Professions Code \u00a7 17200", "UCL unfair business practices", "state deceptive practices", "human element authorization gap", "employee consent third party", "Van Buren authorization principle", "pen test scope letter limits", "company authorization employee rights", "safe grey red matrix social engineering", "AT&T insider bribery Fahd", "SIM swap prosecution", "Joseph O Connor PlugwalkJoe", "Graham Clark Twitter SIM swap", "BEC wire fraud", "business email compromise", "FDIC impersonation", "pretexting pre-engagement notice", "GLBA customer financial records", "TCPA ATDS Facebook v. Duguid", "red team impersonation IT helpdesk", "LinkedIn OSINT legal limits", "dumpster diving legal", "shoulder surfing" ] }, { "difficulties": [ "intermediate", "beginner" ], "jurisdictions": [ "U.S. Federal (3rd, 9th, and SCOTUS circuits); International (extradition cases)", "U.S. Federal; U.S. State (California, New York); International (Budapest Convention)", "U.S. Federal", "U.S. Federal + State + International (GDPR, BIPA)" ], "module_ids": [ "01d", "01j", "01m", "02a" ], "module_paths": [ "artifacts/modules/01d-landmark-cases.md", "artifacts/modules/01j-bug-bounty-legal.md", "artifacts/modules/01m-hacker-lawsuits.md", "artifacts/modules/02a-osint-legal-limits-dark-web.md" ], "module_titles": [ "Landmark Cases: Prosecutions and Civil Suits", "Bug Bounty Legal Protections: What Security Researchers and Companies Actually Have", "Hacker Lawsuits: The Cases That Define Your Scope", "OSINT Legal Limits, Dark Web Operations, and Blockchain Intelligence" ], "slug": "facebook-inc-v-power-ventures-inc-844-f-3d-1058-9th-cir-2016", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1956", "Foreign Sovereign Immunities Act (FSIA)", "18 U.S.C. \u00a7 1030(g) (CFAA civil action)", "California Penal Code \u00a7 502", "New York Penal Law Article 156", "CISA Binding Operational Directive 20-01", "Budapest Convention Article 6", "17 U.S.C. \u00a7 1201 (DMCA)", "DOJ Charging Policy for CFAA (2022)", "18 U.S.C. \u00a7 2701 (Stored Communications Act)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 2261A (federal cyberstalking)", "18 U.S.C. \u00a7 1029 (access device fraud)", "18 U.S.C. \u00a7 875 (interstate threats)", "18 U.S.C. \u00a7 1956 (money laundering)", "GDPR Article 5", "GDPR Article 9", "California Civil Code \u00a7 1798.100 (CCPA)", "California AB 1732 (2022)", "New York Exec. Law \u00a7 79-n", "740 ILCS 14 (Illinois BIPA)", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)" ], "title": "Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016)", "topics": [ "venue", "jurisdiction", "standing", "Spokeo", "TransUnion", "CFAA criminal prosecution", "CFAA civil action", "extradition", "nation-state hacking", "Lazarus Group", "North Korea", "Yahoo hack", "Russian FSB", "LinkedIn breach", "REvil ransomware", "Kaseya supply chain attack", "Bitfinex laundering", "cryptocurrency seizure", "blockchain forensics", "FSIA", "foreign sovereign immunity", "NSO Group", "Pegasus spyware", "web scraping", "public data access", "cease and desist plus technical blocks", "unauthorized access revocation", "ransomware prosecution", "restitution", "forfeiture", "indictment without custody", "SolarWinds", "SUNBURST", "SEC cyber disclosure enforcement", "internal accounting controls", "disclosure controls", "bug bounty programs", "vulnerability disclosure policy", "VDP", "CFAA good faith research", "DOJ charging policy 2022", "Van Buren authorized access", "CISA BOD 20-01", "HackerOne", "Bugcrowd", "Intigriti", "HackerOne AI Research Safe Harbor", "coordinated vulnerability disclosure", "responsible disclosure", "90-day disclosure timeline", "ISO/IEC 29147", "ISO/IEC 30111", "Google Project Zero standard", "full disclosure", "scope discipline", "contractual authorization", "state computer crime statutes", "California PC 502", "New York Penal Law Article 156", "CFAA reform proposals", "Security Research Act", "Budapest Convention Article 6", "AI security research", "prompt injection", "model extraction", "federal VDP mandate", "terms of service violations post-Van Buren", "civil CFAA suits", "safe harbor proposals", "hiQ LinkedIn scraping", "Power Ventures CFAA", "Auernheimer venue", "bug bounty authorization", "scope creep", "CFAA researcher exposure", "Sandvig v. Barr ToS research", "DOJ good-faith policy 2022", "safe harbor", "HackerOne platform safe harbor", "civil CFAA suits against researchers", "DMCA 1201 security research", "authorized security research exemption", "penetration testing contracts", "scope authorization", "SolarWinds CISO liability", "NSO Group spyware civil liability", "Mitnick supervised release", "researcher sentencing", "hacker-first legal doctrine", "OSINT", "Stored Communications Act", "SCA 18 U.S.C. \u00a7 2701", "scraping public data", "hiQ v. LinkedIn", "Facebook v. Power Ventures", "Van Buren scraping", "CFAA \u00a7 1030(a)(2)", "GDPR Article 5 scraping", "CCPA scraping", "cyberstalking 18 U.S.C. \u00a7 2261A", "state stalking statutes", "aggregation problem", "doxxing", "no federal doxxing statute", "California AB 1732", "New York Exec. Law \u00a7 79-n", "intentional infliction of emotional distress", "Tor legal status", "Tor exit node liability", "dark web marketplace", "Silk Road", "Ulbricht", "buying on dark web", "access device fraud \u00a7 1029", "drug trafficking conspiracy", "continuing criminal enterprise", "Bitcoin evidence", "Gratkowski no 4th Amendment blockchain", "blockchain analytics admissibility", "Chainalysis", "Elliptic", "privacy coins", "Monero legal risk", "Tornado Cash OFAC sanctions", "cryptocurrency mixing", "Clearview AI", "BIPA 740 ILCS 14", "biometric data", "GDPR Article 9 special category", "facial recognition scraping", "threat intelligence forums", "criminal forum access", "ISAC antitrust", "AIS CISA", "safe grey red OSINT matrix", "Google dorking", "LinkedIn scraping", "Shodan", "HaveIBeenPwned", "Maltego", "reverse image search", "public records FOIA", "paste sites" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [], "module_ids": [ "02d" ], "module_paths": [ "artifacts/modules/02d-ftc-section5-cybersecurity-enforcement.md" ], "module_titles": [ "FTC Act Section 5 Cybersecurity Enforcement" ], "slug": "ftc-v-drizly-llc-docket-no-c-4762-2023", "statutes": [ "15 U.S.C. \u00a7 45 (FTC Act Section 5)", "15 U.S.C. \u00a7 45(m) (civil penalty authority)", "15 U.S.C. \u00a7\u00a7 6501\u20136506 (COPPA)", "15 U.S.C. \u00a7\u00a7 6801\u20136809 (GLBA)", "16 C.F.R. Part 314 (FTC Safeguards Rule)", "16 C.F.R. Part 312 (COPPA Rule)", "16 C.F.R. Part 318 (Health Breach Notification Rule)", "Cal. Bus. & Prof. Code \u00a7 17200 (California UCL)", "N.Y. Gen. Bus. Law \u00a7 349", "Tex. Bus. & Com. Code \u00a7\u00a7 17.41\u201317.826 (Texas DTPA)" ], "title": "FTC v. Drizly, LLC, Docket No. C-4762 (2023)", "topics": [ "FTC Act Section 5", "15 U.S.C. \u00a7 45", "unfair or deceptive acts", "unfairness standard", "deception theory", "consent decree mechanics", "civil penalties FTC", "no private right of action", "Wyndham standard", "foreseeability", "counterfactual prevention", "LabMD unfairness boundary", "Drizly CEO personal liability", "Twitter 2FA advertising deception", "Meta Cambridge Analytica $5B", "FTC Safeguards Rule", "16 C.F.R. Part 314", "GLBA financial institutions", "written information security program", "risk assessment", "encryption at rest", "MFA mandatory", "penetration testing mandate", "30-day FTC breach notification", "Health Breach Notification Rule", "16 C.F.R. Part 318", "PHR vendors", "HIPAA FTC overlap", "Premom enforcement 2023", "COPPA", "15 U.S.C. \u00a7 6501", "verifiable parental consent", "age gate requirements", "data minimization children", "YouTube COPPA settlement", "Epic Games COPPA", "VDP adoption FTC pressure", "FTC complaint escalation tool", "California UCL \u00a7 17200", "New York GBL \u00a7 349", "Texas DTPA", "state FTC analogs", "Tiversa LabMD controversy", "privacy policy deception", "cookie disclosure", "reasonable security representation", "20-year monitoring period", "Civil Investigative Demand", "biennial third-party audit" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [], "module_ids": [ "02d" ], "module_paths": [ "artifacts/modules/02d-ftc-section5-cybersecurity-enforcement.md" ], "module_titles": [ "FTC Act Section 5 Cybersecurity Enforcement" ], "slug": "ftc-v-easy-healthcare-corp-premom-2023", "statutes": [ "15 U.S.C. \u00a7 45 (FTC Act Section 5)", "15 U.S.C. \u00a7 45(m) (civil penalty authority)", "15 U.S.C. \u00a7\u00a7 6501\u20136506 (COPPA)", "15 U.S.C. \u00a7\u00a7 6801\u20136809 (GLBA)", "16 C.F.R. Part 314 (FTC Safeguards Rule)", "16 C.F.R. Part 312 (COPPA Rule)", "16 C.F.R. Part 318 (Health Breach Notification Rule)", "Cal. Bus. & Prof. Code \u00a7 17200 (California UCL)", "N.Y. Gen. Bus. Law \u00a7 349", "Tex. Bus. & Com. Code \u00a7\u00a7 17.41\u201317.826 (Texas DTPA)" ], "title": "FTC v. Easy Healthcare Corp. (Premom) (2023)", "topics": [ "FTC Act Section 5", "15 U.S.C. \u00a7 45", "unfair or deceptive acts", "unfairness standard", "deception theory", "consent decree mechanics", "civil penalties FTC", "no private right of action", "Wyndham standard", "foreseeability", "counterfactual prevention", "LabMD unfairness boundary", "Drizly CEO personal liability", "Twitter 2FA advertising deception", "Meta Cambridge Analytica $5B", "FTC Safeguards Rule", "16 C.F.R. Part 314", "GLBA financial institutions", "written information security program", "risk assessment", "encryption at rest", "MFA mandatory", "penetration testing mandate", "30-day FTC breach notification", "Health Breach Notification Rule", "16 C.F.R. Part 318", "PHR vendors", "HIPAA FTC overlap", "Premom enforcement 2023", "COPPA", "15 U.S.C. \u00a7 6501", "verifiable parental consent", "age gate requirements", "data minimization children", "YouTube COPPA settlement", "Epic Games COPPA", "VDP adoption FTC pressure", "FTC complaint escalation tool", "California UCL \u00a7 17200", "New York GBL \u00a7 349", "Texas DTPA", "state FTC analogs", "Tiversa LabMD controversy", "privacy policy deception", "cookie disclosure", "reasonable security representation", "20-year monitoring period", "Civil Investigative Demand", "biennial third-party audit" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, New York, Colorado)" ], "module_ids": [ "02g" ], "module_paths": [ "artifacts/modules/02g-coppa-ferpa-student-data-privacy.md" ], "module_titles": [ "COPPA, FERPA, and Student Data Privacy Law for Security Researchers" ], "slug": "ftc-v-google-llc-and-youtube-llc-2019-170m-coppa-settlement", "statutes": [ "15 U.S.C. \u00a7\u00a7 6501\u20136506 (COPPA)", "16 C.F.R. Part 312 (FTC COPPA Rule)", "20 U.S.C. \u00a7 1232g (FERPA)", "34 C.F.R. Part 99 (FERPA Regulations)", "15 U.S.C. \u00a7 45 (FTC Act Section 5)", "Cal. Ed. Code \u00a7\u00a7 22584\u201322585 (SOPIPA)", "N.Y. Ed. Law \u00a7 2-d", "8 NYCRR Part 121", "Colo. Rev. Stat. \u00a7\u00a7 22-16-101\u2013115" ], "title": "FTC v. Google LLC and YouTube LLC (2019) \u2014 $170M COPPA settlement", "topics": [ "COPPA", "FERPA", "children's online privacy", "child under 13", "operator definition", "verifiable parental consent", "VPC methods", "actual knowledge standard", "mixed-audience sites", "school official exception", "data minimization", "retention limits", "FTC COPPA enforcement", "COPPA 2.0", "age-16 expansion", "design prohibition", "KOSA Kids Online Safety Act", "education records", "directory information", "legitimate educational interest", "FERPA enforcement", "no private right of action FERPA", "Gonzaga v. Doe", "funding withdrawal never used", "PowerSchool 2025 breach", "Los Angeles USD ransomware", "Illuminate Education breach", "K-12 ed-tech security", "student information system", "SIS vendor authorization", "SOPIPA California", "New York Ed Law 2-d", "Colorado SB 21-231", "CARU safe harbor", "kidSAFE seal", "persistent identifier COPPA", "behavioral advertising prohibition", "student PII during pentest", "responsible disclosure school districts", "FERPA redisclosure restrictions", "safe grey red matrix education" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [], "module_ids": [ "02d" ], "module_paths": [ "artifacts/modules/02d-ftc-section5-cybersecurity-enforcement.md" ], "module_titles": [ "FTC Act Section 5 Cybersecurity Enforcement" ], "slug": "ftc-v-google-llc-and-youtube-llc-2019", "statutes": [ "15 U.S.C. \u00a7 45 (FTC Act Section 5)", "15 U.S.C. \u00a7 45(m) (civil penalty authority)", "15 U.S.C. \u00a7\u00a7 6501\u20136506 (COPPA)", "15 U.S.C. \u00a7\u00a7 6801\u20136809 (GLBA)", "16 C.F.R. Part 314 (FTC Safeguards Rule)", "16 C.F.R. Part 312 (COPPA Rule)", "16 C.F.R. Part 318 (Health Breach Notification Rule)", "Cal. Bus. & Prof. Code \u00a7 17200 (California UCL)", "N.Y. Gen. Bus. Law \u00a7 349", "Tex. Bus. & Com. Code \u00a7\u00a7 17.41\u201317.826 (Texas DTPA)" ], "title": "FTC v. Google LLC and YouTube, LLC (2019)", "topics": [ "FTC Act Section 5", "15 U.S.C. \u00a7 45", "unfair or deceptive acts", "unfairness standard", "deception theory", "consent decree mechanics", "civil penalties FTC", "no private right of action", "Wyndham standard", "foreseeability", "counterfactual prevention", "LabMD unfairness boundary", "Drizly CEO personal liability", "Twitter 2FA advertising deception", "Meta Cambridge Analytica $5B", "FTC Safeguards Rule", "16 C.F.R. Part 314", "GLBA financial institutions", "written information security program", "risk assessment", "encryption at rest", "MFA mandatory", "penetration testing mandate", "30-day FTC breach notification", "Health Breach Notification Rule", "16 C.F.R. Part 318", "PHR vendors", "HIPAA FTC overlap", "Premom enforcement 2023", "COPPA", "15 U.S.C. \u00a7 6501", "verifiable parental consent", "age gate requirements", "data minimization children", "YouTube COPPA settlement", "Epic Games COPPA", "VDP adoption FTC pressure", "FTC complaint escalation tool", "California UCL \u00a7 17200", "New York GBL \u00a7 349", "Texas DTPA", "state FTC analogs", "Tiversa LabMD controversy", "privacy policy deception", "cookie disclosure", "reasonable security representation", "20-year monitoring period", "Civil Investigative Demand", "biennial third-party audit" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; International (MLAT, Budapest Convention)" ], "module_ids": [ "01e" ], "module_paths": [ "artifacts/modules/01e-enforcement-agencies.md" ], "module_titles": [ "Enforcement Agencies and Mechanisms" ], "slug": "ftc-v-kochava-inc", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1963 (RICO)", "18 U.S.C. \u00a7 3663A (Mandatory Victims Restitution Act)", "18 U.S.C. \u00a7 2703", "15 U.S.C. \u00a7 45 (FTC Act Section 5)", "Budapest Convention Article 35" ], "title": "FTC v. Kochava, Inc.", "topics": [ "DOJ", "CCIPS", "National Security Division", "U.S. Attorneys Offices", "Office of International Affairs", "FBI", "Cyber Division", "IC3", "CISA", "CIRCIA", "Binding Operational Directives", "SEC", "FTC", "OFAC", "SDN list", "ransomware sanctions", "SolarWinds", "public-company cyber disclosure", "internal accounting controls", "disclosure controls", "FinCEN", "Bank Secrecy Act", "SAR filing", "NSA", "Vulnerabilities Equities Process", "MLAT", "infrastructure seizure", "domain seizure", "cryptocurrency seizure", "blockchain forensics", "criminal vs regulatory enforcement", "law enforcement cooperation", "parallel criminal and regulatory tracks", "forfeiture", "restitution", "Colonial Pipeline", "LockBit", "Hive ransomware" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [], "module_ids": [ "02b" ], "module_paths": [ "artifacts/modules/02b-zero-day-market-commercial-spyware.md" ], "module_titles": [ "Zero-Day Market and Commercial Spyware Law" ], "slug": "ftc-v-spyfone", "statutes": [ "18 U.S.C. \u00a7 1030", "18 U.S.C. \u00a7 2511", "17 U.S.C. \u00a7 1201", "15 C.F.R. Parts 730-774", "EAR ECCN 4E001" ], "title": "FTC v. SpyFone", "topics": [ "zero-day market", "export controls", "NSO Group", "Pegasus", "commercial spyware", "stalkerware", "VEP", "bug bounty vs broker", "government procurement", "DMCA Section 1201", "Wassenaar Arrangement", "UK CMA", "Germany StGB 202c" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [], "module_ids": [ "02d" ], "module_paths": [ "artifacts/modules/02d-ftc-section5-cybersecurity-enforcement.md" ], "module_titles": [ "FTC Act Section 5 Cybersecurity Enforcement" ], "slug": "ftc-v-wyndham-worldwide-corp-799-f-3d-236-3d-cir-2015", "statutes": [ "15 U.S.C. \u00a7 45 (FTC Act Section 5)", "15 U.S.C. \u00a7 45(m) (civil penalty authority)", "15 U.S.C. \u00a7\u00a7 6501\u20136506 (COPPA)", "15 U.S.C. \u00a7\u00a7 6801\u20136809 (GLBA)", "16 C.F.R. Part 314 (FTC Safeguards Rule)", "16 C.F.R. Part 312 (COPPA Rule)", "16 C.F.R. Part 318 (Health Breach Notification Rule)", "Cal. Bus. & Prof. Code \u00a7 17200 (California UCL)", "N.Y. Gen. Bus. Law \u00a7 349", "Tex. Bus. & Com. Code \u00a7\u00a7 17.41\u201317.826 (Texas DTPA)" ], "title": "FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015)", "topics": [ "FTC Act Section 5", "15 U.S.C. \u00a7 45", "unfair or deceptive acts", "unfairness standard", "deception theory", "consent decree mechanics", "civil penalties FTC", "no private right of action", "Wyndham standard", "foreseeability", "counterfactual prevention", "LabMD unfairness boundary", "Drizly CEO personal liability", "Twitter 2FA advertising deception", "Meta Cambridge Analytica $5B", "FTC Safeguards Rule", "16 C.F.R. Part 314", "GLBA financial institutions", "written information security program", "risk assessment", "encryption at rest", "MFA mandatory", "penetration testing mandate", "30-day FTC breach notification", "Health Breach Notification Rule", "16 C.F.R. Part 318", "PHR vendors", "HIPAA FTC overlap", "Premom enforcement 2023", "COPPA", "15 U.S.C. \u00a7 6501", "verifiable parental consent", "age gate requirements", "data minimization children", "YouTube COPPA settlement", "Epic Games COPPA", "VDP adoption FTC pressure", "FTC complaint escalation tool", "California UCL \u00a7 17200", "New York GBL \u00a7 349", "Texas DTPA", "state FTC analogs", "Tiversa LabMD controversy", "privacy policy deception", "cookie disclosure", "reasonable security representation", "20-year monitoring period", "Civil Investigative Demand", "biennial third-party audit" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "International (UK, EU, Germany, Canada, Australia) + U.S." ], "module_ids": [ "01y" ], "module_paths": [ "artifacts/modules/01y-international-pentest-uk-cma-sim-swap.md" ], "module_titles": [ "International Penetration Testing Law: UK CMA, Germany \u00a7 202c, EU NIS2, Canada, Australia, SIM Swap, and Extradition Exposure" ], "slug": "gary-mckinnon-extradition-proceedings-2012", "statutes": [ "Computer Misuse Act 1990 (UK) \u00a7\u00a7 1, 2, 3, 3A", "Strafgesetzbuch \u00a7\u00a7 202a, 202b, 202c (Germany)", "EU NIS2 Directive 2022/2555 Art. 21, 25", "GDPR Regulation 2016/679 Art. 3, 5, 28, 32, 33", "Canada Criminal Code \u00a7\u00a7 342.1, 430(1.1)", "Australia Criminal Code Act 1995 \u00a7\u00a7 477.1, 477.2, 477.3, 478.1", "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343 (Wire Fraud)", "18 U.S.C. \u00a7 1029 (Access Device Fraud)", "FCC Report and Order FCC-23-111 (2023)" ], "title": "Gary McKinnon extradition proceedings (2012)", "topics": [ "UK Computer Misuse Act 1990", "CMA section 1 unauthorized access", "CMA section 2 intent further offence", "CMA section 3 impairing operation", "CMA section 3A hacking tools", "R v Gold Schifreen 1988", "Metasploit UK law", "Kali Linux UK law", "Flipper Zero UK law", "Germany 202a unauthorized data access", "Germany 202b phishing", "Germany 202c preparation hacking tools", "StGB dual-use tools", "BSI Act Germany", "EU NIS2 Directive 2022", "GDPR Article 5 data minimization", "GDPR Article 3 extraterritorial", "GDPR penetration testing", "Canada Criminal Code 342.1", "Canada 430(1.1) mischief computer data", "colour of right Canada", "Australia Criminal Code 477", "Australia 477.1 unauthorized access", "Australian Signals Directorate ASD", "SIM swap CFAA", "SIM swap wire fraud 1343", "SIM swap access device fraud 1029", "FCC SIM swap order 2023", "carrier employee bribery", "extradition cybercrime", "double criminality", "US-UK extradition treaty", "Gary McKinnon extradition", "multi-jurisdiction pen test checklist", "international engagement contract", "GDPR data processing agreement", "international security testing risk matrix" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, New York, Colorado)" ], "module_ids": [ "02g" ], "module_paths": [ "artifacts/modules/02g-coppa-ferpa-student-data-privacy.md" ], "module_titles": [ "COPPA, FERPA, and Student Data Privacy Law for Security Researchers" ], "slug": "gonzaga-university-v-doe-536-u-s-273-2002", "statutes": [ "15 U.S.C. \u00a7\u00a7 6501\u20136506 (COPPA)", "16 C.F.R. Part 312 (FTC COPPA Rule)", "20 U.S.C. \u00a7 1232g (FERPA)", "34 C.F.R. Part 99 (FERPA Regulations)", "15 U.S.C. \u00a7 45 (FTC Act Section 5)", "Cal. Ed. Code \u00a7\u00a7 22584\u201322585 (SOPIPA)", "N.Y. Ed. Law \u00a7 2-d", "8 NYCRR Part 121", "Colo. Rev. Stat. \u00a7\u00a7 22-16-101\u2013115" ], "title": "Gonzaga University v. Doe, 536 U.S. 273 (2002)", "topics": [ "COPPA", "FERPA", "children's online privacy", "child under 13", "operator definition", "verifiable parental consent", "VPC methods", "actual knowledge standard", "mixed-audience sites", "school official exception", "data minimization", "retention limits", "FTC COPPA enforcement", "COPPA 2.0", "age-16 expansion", "design prohibition", "KOSA Kids Online Safety Act", "education records", "directory information", "legitimate educational interest", "FERPA enforcement", "no private right of action FERPA", "Gonzaga v. Doe", "funding withdrawal never used", "PowerSchool 2025 breach", "Los Angeles USD ransomware", "Illuminate Education breach", "K-12 ed-tech security", "student information system", "SIS vendor authorization", "SOPIPA California", "New York Ed Law 2-d", "Colorado SB 21-231", "CARU safe harbor", "kidSAFE seal", "persistent identifier COPPA", "behavioral advertising prohibition", "student PII during pentest", "responsible disclosure school districts", "FERPA redisclosure restrictions", "safe grey red matrix education" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [], "module_ids": [ "02e" ], "module_paths": [ "artifacts/modules/02e-hipaa-security-rule-full.md" ], "module_titles": [ "HIPAA Security Rule: A Complete Operational Guide for Security Researchers and Healthcare Pen Testers" ], "slug": "hca-healthcare-breach-2023", "statutes": [ "HIPAA (Pub. L. 104-191)", "HITECH Act (Pub. L. 111-5)", "45 C.F.R. Parts 160, 164", "45 C.F.R. \u00a7 164.308 (Administrative Safeguards)", "45 C.F.R. \u00a7 164.310 (Physical Safeguards)", "45 C.F.R. \u00a7 164.312 (Technical Safeguards)", "45 C.F.R. \u00a7 164.402 (Breach Definition)", "45 C.F.R. \u00a7 164.404 (Individual Notice)", "45 C.F.R. \u00a7 164.406 (Media Notice)", "45 C.F.R. \u00a7 164.408 (HHS Notice)", "45 C.F.R. \u00a7 164.410 (BA Breach Notification)", "45 C.F.R. \u00a7 164.504(e) (BAA Requirements)", "42 U.S.C. \u00a7 1320d-5 (Civil Monetary Penalties)", "42 U.S.C. \u00a7 1320d-6 (Criminal Penalties)", "21 U.S.C. \u00a7 524B (FD&C Act Medical Device Cybersecurity)", "California Civil Code \u00a7 56 (CMIA)", "Texas Health & Safety Code \u00a7 181 (TMRPA)", "New York SHIELD Act (2019)" ], "title": "HCA Healthcare breach (2023)", "topics": [ "HIPAA Security Rule", "ePHI", "PHI", "covered entities", "business associates", "BAA", "Business Associate Agreement", "subcontractor chain", "Privacy Rule", "Breach Notification Rule", "administrative safeguards", "physical safeguards", "technical safeguards", "required vs addressable controls", "addressable implementation specification", "risk analysis", "unique user identification", "audit controls", "transmission security", "encryption safe harbor", "60-day breach notification clock", "Wall of Shame", "500-person threshold", "media notice", "surrogate notice", "OCR civil monetary penalties", "4-tier CMP framework", "willful neglect", "42 U.S.C. \u00a7 1320d-6 criminal penalties", "false pretenses 5 years", "personal gain 10 years", "HITECH Act", "Change Healthcare breach 2024", "ALPHV BlackCat", "UnitedHealth Group", "Advocate Aurora pixel tracking", "Meta Pixel HIPAA", "HCA Healthcare breach 2023", "FDA 2023 Cybersecurity Guidance", "Section 524B FD&C Act", "cyber device", "SBOM medical device", "postmarket cybersecurity obligations", "healthcare pen test scope letter", "PHI handling during testing", "minimum necessary standard", "data destruction NIST SP 800-88", "California CMIA", "Cal. Civ. Code \u00a7 56", "CMIA private right of action", "Texas Health & Safety Code \u00a7 181", "TMRPA", "New York SHIELD Act", "state health privacy law overlay", "45 C.F.R. Part 164", "safe grey red healthcare matrix", "BOLA EHR vulnerability", "packet capture ePHI destruction", "medical device pen testing", "infusion pump security", "state AG HIPAA enforcement" ] }, { "difficulties": [ "intermediate", "beginner" ], "jurisdictions": [ "U.S. Federal (3rd, 9th, and SCOTUS circuits); International (extradition cases)", "U.S. Federal; U.S. State (California, New York); International (Budapest Convention)", "U.S. Federal", "U.S. Federal + State", "U.S. Federal; U.S. State; EU (GDPR); International", "U.S. Federal + State + International (GDPR, BIPA)" ], "module_ids": [ "01d", "01j", "01m", "01t", "01u", "02a" ], "module_paths": [ "artifacts/modules/01d-landmark-cases.md", "artifacts/modules/01j-bug-bounty-legal.md", "artifacts/modules/01m-hacker-lawsuits.md", "artifacts/modules/01t-flipper-zero-legal-liability.md", "artifacts/modules/01u-safe-harbor-vdp-bug-bounty.md", "artifacts/modules/02a-osint-legal-limits-dark-web.md" ], "module_titles": [ "Landmark Cases: Prosecutions and Civil Suits", "Bug Bounty Legal Protections: What Security Researchers and Companies Actually Have", "Hacker Lawsuits: The Cases That Define Your Scope", "Flipper Zero Legal Liability: Exact Statute + Case Analysis for Security Researchers", "Safe Harbor, VDPs, and Bug Bounty Legal Limits", "OSINT Legal Limits, Dark Web Operations, and Blockchain Intelligence" ], "slug": "hiq-labs-inc-v-linkedin-corp-31-f-4th-1180-9th-cir-2022", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1956", "Foreign Sovereign Immunities Act (FSIA)", "18 U.S.C. \u00a7 1030(g) (CFAA civil action)", "California Penal Code \u00a7 502", "New York Penal Law Article 156", "CISA Binding Operational Directive 20-01", "Budapest Convention Article 6", "17 U.S.C. \u00a7 1201 (DMCA)", "DOJ Charging Policy for CFAA (2022)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 1030(a)(5)(A)", "18 U.S.C. \u00a7 1030(a)(5)(C)", "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 1029(a)(2)", "18 U.S.C. \u00a7 1029(a)(3)", "18 U.S.C. \u00a7 1029(a)(4)", "47 U.S.C. \u00a7 333 (FCC jamming prohibition)", "47 U.S.C. \u00a7 501 (FCC criminal penalties)", "New York Penal Law \u00a7 165.15", "Texas Penal Code \u00a7 33.02", "Washington RCW 9A.90.040", "GDPR Article 33", "18 U.S.C. \u00a7 2701 (Stored Communications Act)", "18 U.S.C. \u00a7 2261A (federal cyberstalking)", "18 U.S.C. \u00a7 1029 (access device fraud)", "18 U.S.C. \u00a7 875 (interstate threats)", "18 U.S.C. \u00a7 1956 (money laundering)", "GDPR Article 5", "GDPR Article 9", "California Civil Code \u00a7 1798.100 (CCPA)", "California AB 1732 (2022)", "New York Exec. Law \u00a7 79-n", "740 ILCS 14 (Illinois BIPA)", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)" ], "title": "hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022)", "topics": [ "venue", "jurisdiction", "standing", "Spokeo", "TransUnion", "CFAA criminal prosecution", "CFAA civil action", "extradition", "nation-state hacking", "Lazarus Group", "North Korea", "Yahoo hack", "Russian FSB", "LinkedIn breach", "REvil ransomware", "Kaseya supply chain attack", "Bitfinex laundering", "cryptocurrency seizure", "blockchain forensics", "FSIA", "foreign sovereign immunity", "NSO Group", "Pegasus spyware", "web scraping", "public data access", "cease and desist plus technical blocks", "unauthorized access revocation", "ransomware prosecution", "restitution", "forfeiture", "indictment without custody", "SolarWinds", "SUNBURST", "SEC cyber disclosure enforcement", "internal accounting controls", "disclosure controls", "bug bounty programs", "vulnerability disclosure policy", "VDP", "CFAA good faith research", "DOJ charging policy 2022", "Van Buren authorized access", "CISA BOD 20-01", "HackerOne", "Bugcrowd", "Intigriti", "HackerOne AI Research Safe Harbor", "coordinated vulnerability disclosure", "responsible disclosure", "90-day disclosure timeline", "ISO/IEC 29147", "ISO/IEC 30111", "Google Project Zero standard", "full disclosure", "scope discipline", "contractual authorization", "state computer crime statutes", "California PC 502", "New York Penal Law Article 156", "CFAA reform proposals", "Security Research Act", "Budapest Convention Article 6", "AI security research", "prompt injection", "model extraction", "federal VDP mandate", "terms of service violations post-Van Buren", "civil CFAA suits", "safe harbor proposals", "hiQ LinkedIn scraping", "Power Ventures CFAA", "Auernheimer venue", "bug bounty authorization", "scope creep", "CFAA researcher exposure", "Sandvig v. Barr ToS research", "DOJ good-faith policy 2022", "safe harbor", "HackerOne platform safe harbor", "civil CFAA suits against researchers", "DMCA 1201 security research", "authorized security research exemption", "penetration testing contracts", "scope authorization", "SolarWinds CISO liability", "NSO Group spyware civil liability", "Mitnick supervised release", "researcher sentencing", "hacker-first legal doctrine", "Flipper Zero", "Sub-GHz replay attack", "KeeLoq rolling code", "RollJam attack", "CC1101 transceiver", "NFC cloning", "RFID skimming", "Mifare Classic attack", "ST25R3916", "EMV contactless skimming", "BadUSB", "HID injection", "Ducky Script", "USB HID keyboard emulation", "IR blaster", "TV-B-Gone", "ATM IR manipulation", "BLE spam", "BlueSnarfing", "BlueBorne", "GATT enumeration", "CFAA unauthorized access", "exceeds authorized access", "Van Buren analysis", "DOJ 2022 CFAA charging policy", "good-faith security research", "FCC jamming prohibition", "47 U.S.C. \u00a7 333", "strict liability jamming", "ISM band", "Part 15 intentional radiator", "authorized pen-test context", "access device fraud", "device-making equipment", "counterfeit access device", "hotel keycard cloning", "payment card skimming", "wire fraud data exfiltration", "aggravated identity theft mandatory consecutive", "critical infrastructure sentencing enhancement", "hospital equipment IR", "safe grey red matrix", "firmware selection legal implications", "Unleashed firmware", "RogueMaster firmware", "Faraday cage testing", "California Penal Code \u00a7 502", "Texas Penal Code \u00a7 33.02", "RF shielded bag rule", "scope letter HID injection", "get-out-of-jail letter", "authorized access", "Van Buren good faith", "bug bounty safe harbor", "coordinated disclosure", "Auernheimer problem", "DMCA 1201 security research exemption", "HackerOne legal protection", "Bugcrowd scope", "CVD timeline", "90-day disclosure", "state computer fraud law", "New York Penal Law 156", "Texas PC 33.02", "GDPR during testing", "international extradition", "pen test authorization", "scope letter legal effect", "good faith research defense", "OSINT", "Stored Communications Act", "SCA 18 U.S.C. \u00a7 2701", "scraping public data", "hiQ v. LinkedIn", "Facebook v. Power Ventures", "Van Buren scraping", "CFAA \u00a7 1030(a)(2)", "GDPR Article 5 scraping", "CCPA scraping", "cyberstalking 18 U.S.C. \u00a7 2261A", "state stalking statutes", "aggregation problem", "doxxing", "no federal doxxing statute", "California AB 1732", "New York Exec. Law \u00a7 79-n", "intentional infliction of emotional distress", "Tor legal status", "Tor exit node liability", "dark web marketplace", "Silk Road", "Ulbricht", "buying on dark web", "access device fraud \u00a7 1029", "drug trafficking conspiracy", "continuing criminal enterprise", "Bitcoin evidence", "Gratkowski no 4th Amendment blockchain", "blockchain analytics admissibility", "Chainalysis", "Elliptic", "privacy coins", "Monero legal risk", "Tornado Cash OFAC sanctions", "cryptocurrency mixing", "Clearview AI", "BIPA 740 ILCS 14", "biometric data", "GDPR Article 9 special category", "facial recognition scraping", "threat intelligence forums", "criminal forum access", "ISAC antitrust", "AIS CISA", "safe grey red OSINT matrix", "Google dorking", "LinkedIn scraping", "Shodan", "HaveIBeenPwned", "Maltego", "reverse image search", "public records FOIA", "paste sites" ] }, { "difficulties": [ "intermediate", "advanced" ], "jurisdictions": [ "U.S. Federal (3rd, 9th, and SCOTUS circuits); International (extradition cases)", "U.S. Federal; U.S. State (California); EU (GDPR)" ], "module_ids": [ "01d", "01f" ], "module_paths": [ "artifacts/modules/01d-landmark-cases.md", "artifacts/modules/01f-victim-remedies.md" ], "module_titles": [ "Landmark Cases: Prosecutions and Civil Suits", "Victim Remedies and Procedural Hurdles" ], "slug": "in-re-zappos-com-inc-888-f-3d-1020-9th-cir-2018", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1956", "Foreign Sovereign Immunities Act (FSIA)", "18 U.S.C. \u00a7 1030(g) (CFAA civil action)", "18 U.S.C. \u00a7 3663A (Mandatory Victims Restitution Act)", "California Penal Code \u00a7 502", "California Civil Code \u00a7 1798.150 (CCPA)", "GDPR Article 82" ], "title": "In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018)", "topics": [ "venue", "jurisdiction", "standing", "Spokeo", "TransUnion", "CFAA criminal prosecution", "CFAA civil action", "extradition", "nation-state hacking", "Lazarus Group", "North Korea", "Yahoo hack", "Russian FSB", "LinkedIn breach", "REvil ransomware", "Kaseya supply chain attack", "Bitfinex laundering", "cryptocurrency seizure", "blockchain forensics", "FSIA", "foreign sovereign immunity", "NSO Group", "Pegasus spyware", "web scraping", "public data access", "cease and desist plus technical blocks", "unauthorized access revocation", "ransomware prosecution", "restitution", "forfeiture", "indictment without custody", "SolarWinds", "SUNBURST", "SEC cyber disclosure enforcement", "internal accounting controls", "disclosure controls", "injunctive relief", "TRO", "compensatory damages", "punitive damages", "CCPA damages", "class action against breached organization", "Article III standing", "injury in fact", "attribution problem", "John Doe defendants", "personal jurisdiction", "forum non conveniens", "FSIA terrorism exception", "dual criminality", "privilege over forensics reports", "attorney-client privilege", "work product doctrine", "circuit split on standing", "negligence", "breach of contract", "GDPR data subject compensation", "Mandatory Victims Restitution Act" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, New York, Texas)" ], "module_ids": [ "01q" ], "module_paths": [ "artifacts/modules/01q-missing-statutes.md" ], "module_titles": [ "Beyond CFAA: Economic Espionage Act, Espionage Act, State Statutes, and Trespass to Chattels" ], "slug": "intel-corp-v-hamidi-30-cal-4th-1342-2003", "statutes": [ "18 U.S.C. \u00a7\u00a7 1831-1839 (Economic Espionage Act)", "18 U.S.C. \u00a7 793 (Espionage Act)", "California Penal Code \u00a7 502 (CDAFA)", "New York Penal Law Article 156", "Texas Penal Code \u00a7 33.02", "18 U.S.C. \u00a7 1030 (CFAA)" ], "title": "Intel Corp. v. Hamidi, 30 Cal. 4th 1342 (2003)", "topics": [ "Economic Espionage Act", "18 U.S.C. \u00a7 1831", "18 U.S.C. \u00a7 1832", "trade secret theft via hacking", "foreign government nexus", "independent economic value", "reasonable measures to protect", "Xu Yanjun EEA conviction", "Zheng Xiaoqing steganography", "Apple AV engineer EEA", "Espionage Act", "18 U.S.C. \u00a7 793", "national defense information", "classified vs NDI distinction", "Chelsea Manning", "Edward Snowden", "Reality Winner", "Jack Teixeira Discord leaks", "printer steganography", "extraterritorial Espionage Act", "California Penal Code \u00a7 502", "CDAFA", "no damage floor California", "private right of action state", "New York Penal Law Article 156", "computer tampering", "Texas Penal Code \u00a7 33.02", "multi-state cybercrime exposure", "state AG enforcement", "trespass to chattels", "CompuServe v. Cyber Promotions", "Intel v. Hamidi", "eBay v. Bidder's Edge", "functional impairment requirement", "scraping civil liability", "pre-CFAA tort theory" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, Washington)" ], "module_ids": [ "02c" ], "module_paths": [ "artifacts/modules/02c-ecpa-wiretapping-stored-comms.md" ], "module_titles": [ "ECPA: Wiretap Act, Stored Communications, and Pen Registers" ], "slug": "joffe-v-google-inc-729-f-3d-1262-9th-cir-2013", "statutes": [ "18 U.S.C. \u00a7\u00a7 2510\u20132522 (Wiretap Act)", "18 U.S.C. \u00a7\u00a7 2701\u20132713 (Stored Communications Act)", "18 U.S.C. \u00a7\u00a7 3121\u20133127 (Pen Register Act)", "18 U.S.C. \u00a7 2511", "18 U.S.C. \u00a7 2511(2)(a)(i)", "18 U.S.C. \u00a7 2511(2)(c)", "18 U.S.C. \u00a7 2511(2)(d)", "18 U.S.C. \u00a7 2515", "18 U.S.C. \u00a7 2520", "18 U.S.C. \u00a7 2701", "18 U.S.C. \u00a7 2702", "18 U.S.C. \u00a7 2703", "18 U.S.C. \u00a7 2707", "18 U.S.C. \u00a7 3121", "California Penal Code \u00a7 632", "Florida Stat. \u00a7 934.03", "720 ILCS 5/14-2", "Mass. Gen. Laws ch. 272 \u00a7 99", "Pa. Cons. Stat. \u00a7 5703", "Wash. Rev. Code \u00a7 9.73.030" ], "title": "Joffe v. Google, Inc., 729 F.3d 1262 (9th Cir. 2013)", "topics": [ "ECPA", "Wiretap Act", "18 U.S.C. \u00a7 2511", "Stored Communications Act", "18 U.S.C. \u00a7 2701", "Pen Register Act", "18 U.S.C. \u00a7 3121", "ECS vs RCS", "electronic communication service", "remote computing service", "one-party consent", "all-party consent", "California \u00a7 632", "Florida \u00a7 934.03", "provider exception", "\u00a7 2511(2)(a)(i)", "subscriber records vs content", "compelled disclosure \u00a7 2703", "voluntary disclosure \u00a7 2702", "war-driving", "packet sniffing", "network tap", "honeypot legal design", "SSL MITM ECPA", "VoIP intercept", "BLE sniffing", "TOR exit node monitoring", "Wi-Fi payload capture", "Joffe v. Google Street View", "Councilman email interception", "Konop v. Hawaiian Airlines", "United States v. Ropp keylogger", "Warshak email warrant", "Carpenter cell-site location", "inadvertently obtained doctrine", "pen register metadata", "dialing routing addressing signaling", "electronic storage", "temporary intermediate storage", "ECPA civil damages", "\u00a7 2520 civil recovery", "suppression remedy \u00a7 2515", "dual ECPA CFAA exposure", "ECPA pre-engagement checklist" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, Washington)" ], "module_ids": [ "02c" ], "module_paths": [ "artifacts/modules/02c-ecpa-wiretapping-stored-comms.md" ], "module_titles": [ "ECPA: Wiretap Act, Stored Communications, and Pen Registers" ], "slug": "konop-v-hawaiian-airlines-302-f-3d-868-9th-cir-2002", "statutes": [ "18 U.S.C. \u00a7\u00a7 2510\u20132522 (Wiretap Act)", "18 U.S.C. \u00a7\u00a7 2701\u20132713 (Stored Communications Act)", "18 U.S.C. \u00a7\u00a7 3121\u20133127 (Pen Register Act)", "18 U.S.C. \u00a7 2511", "18 U.S.C. \u00a7 2511(2)(a)(i)", "18 U.S.C. \u00a7 2511(2)(c)", "18 U.S.C. \u00a7 2511(2)(d)", "18 U.S.C. \u00a7 2515", "18 U.S.C. \u00a7 2520", "18 U.S.C. \u00a7 2701", "18 U.S.C. \u00a7 2702", "18 U.S.C. \u00a7 2703", "18 U.S.C. \u00a7 2707", "18 U.S.C. \u00a7 3121", "California Penal Code \u00a7 632", "Florida Stat. \u00a7 934.03", "720 ILCS 5/14-2", "Mass. Gen. Laws ch. 272 \u00a7 99", "Pa. Cons. Stat. \u00a7 5703", "Wash. Rev. Code \u00a7 9.73.030" ], "title": "Konop v. Hawaiian Airlines, 302 F.3d 868 (9th Cir. 2002)", "topics": [ "ECPA", "Wiretap Act", "18 U.S.C. \u00a7 2511", "Stored Communications Act", "18 U.S.C. \u00a7 2701", "Pen Register Act", "18 U.S.C. \u00a7 3121", "ECS vs RCS", "electronic communication service", "remote computing service", "one-party consent", "all-party consent", "California \u00a7 632", "Florida \u00a7 934.03", "provider exception", "\u00a7 2511(2)(a)(i)", "subscriber records vs content", "compelled disclosure \u00a7 2703", "voluntary disclosure \u00a7 2702", "war-driving", "packet sniffing", "network tap", "honeypot legal design", "SSL MITM ECPA", "VoIP intercept", "BLE sniffing", "TOR exit node monitoring", "Wi-Fi payload capture", "Joffe v. Google Street View", "Councilman email interception", "Konop v. Hawaiian Airlines", "United States v. Ropp keylogger", "Warshak email warrant", "Carpenter cell-site location", "inadvertently obtained doctrine", "pen register metadata", "dialing routing addressing signaling", "electronic storage", "temporary intermediate storage", "ECPA civil damages", "\u00a7 2520 civil recovery", "suppression remedy \u00a7 2515", "dual ECPA CFAA exposure", "ECPA pre-engagement checklist" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [], "module_ids": [ "02d" ], "module_paths": [ "artifacts/modules/02d-ftc-section5-cybersecurity-enforcement.md" ], "module_titles": [ "FTC Act Section 5 Cybersecurity Enforcement" ], "slug": "labmd-inc-v-ftc-894-f-3d-1221-11th-cir-2018", "statutes": [ "15 U.S.C. \u00a7 45 (FTC Act Section 5)", "15 U.S.C. \u00a7 45(m) (civil penalty authority)", "15 U.S.C. \u00a7\u00a7 6501\u20136506 (COPPA)", "15 U.S.C. \u00a7\u00a7 6801\u20136809 (GLBA)", "16 C.F.R. Part 314 (FTC Safeguards Rule)", "16 C.F.R. Part 312 (COPPA Rule)", "16 C.F.R. Part 318 (Health Breach Notification Rule)", "Cal. Bus. & Prof. Code \u00a7 17200 (California UCL)", "N.Y. Gen. Bus. Law \u00a7 349", "Tex. Bus. & Com. Code \u00a7\u00a7 17.41\u201317.826 (Texas DTPA)" ], "title": "LabMD, Inc. v. FTC, 894 F.3d 1221 (11th Cir. 2018)", "topics": [ "FTC Act Section 5", "15 U.S.C. \u00a7 45", "unfair or deceptive acts", "unfairness standard", "deception theory", "consent decree mechanics", "civil penalties FTC", "no private right of action", "Wyndham standard", "foreseeability", "counterfactual prevention", "LabMD unfairness boundary", "Drizly CEO personal liability", "Twitter 2FA advertising deception", "Meta Cambridge Analytica $5B", "FTC Safeguards Rule", "16 C.F.R. Part 314", "GLBA financial institutions", "written information security program", "risk assessment", "encryption at rest", "MFA mandatory", "penetration testing mandate", "30-day FTC breach notification", "Health Breach Notification Rule", "16 C.F.R. Part 318", "PHR vendors", "HIPAA FTC overlap", "Premom enforcement 2023", "COPPA", "15 U.S.C. \u00a7 6501", "verifiable parental consent", "age gate requirements", "data minimization children", "YouTube COPPA settlement", "Epic Games COPPA", "VDP adoption FTC pressure", "FTC complaint escalation tool", "California UCL \u00a7 17200", "New York GBL \u00a7 349", "Texas DTPA", "state FTC analogs", "Tiversa LabMD controversy", "privacy policy deception", "cookie disclosure", "reasonable security representation", "20-year monitoring period", "Civil Investigative Demand", "biennial third-party audit" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal" ], "module_ids": [ "01r" ], "module_paths": [ "artifacts/modules/01r-doctrinal-sentencing.md" ], "module_titles": [ "Doctrinal Gaps: Restitution, Parallel Proceedings, Crypto Forfeiture, OFAC Liability, and Critical Infrastructure Sentencing" ], "slug": "landis-v-north-american-co-299-u-s-248-1936", "statutes": [ "18 U.S.C. \u00a7 3663A (MVRA)", "18 U.S.C. \u00a7 1030(e)(11)", "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)", "USSG \u00a7 2B1.1" ], "title": "Landis v. North American Co., 299 U.S. 248 (1936)", "topics": [ "restitution calculation CFAA", "MVRA", "CFAA loss definition", "reasonable cost to respond", "breach notification as restitution", "credit monitoring restitution", "loss inflation defense", "USSG \u00a7 2B1.1", "loss table sentencing", "parallel civil criminal proceedings", "Fifth Amendment adverse inference", "Landis stay doctrine", "SolarWinds multi-forum pattern", "IR report privilege", "Garner doctrine shareholder access", "cryptocurrency forfeiture", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "Lichtenstein Bitfinex seizure", "Colonial Pipeline Bitcoin recovery", "Silk Road forfeiture", "Tornado Cash Roman Storm", "smart contract developer liability", "OFAC ransomware strict liability", "Evil Corp alias evasion", "CNA Financial OFAC", "OFAC safe harbor discretionary", "critical infrastructure enhanced sentencing", "18 U.S.C. \u00a7 1030(c)(4)(B)", "PPD-21 sectors", "hospital ransomware", "Change Healthcare", "UHS attack", "involuntary manslaughter ransomware theory", "USSG \u00a7 2B1.1(b)(18)" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State" ], "module_ids": [ "01x" ], "module_paths": [ "artifacts/modules/01x-social-engineering-legal-limits.md" ], "module_titles": [ "Social Engineering Legal Limits: Wire Fraud, Impersonation, ECPA, and the Authorization Gap" ], "slug": "mcnally-v-united-states-483-u-s-350-1987", "statutes": [ "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 912", "18 U.S.C. \u00a7 1028", "18 U.S.C. \u00a7 2511", "15 U.S.C. \u00a7\u00a7 6821-6827 (GLBA)", "15 U.S.C. \u00a7 7701 (CAN-SPAM)", "18 U.S.C. \u00a7 1037", "18 U.S.C. \u00a7 1030(a)(5)", "47 U.S.C. \u00a7 227 (TCPA)", "47 U.S.C. \u00a7 227(e) (Truth in Caller ID Act)", "47 C.F.R. \u00a7 64.1604", "California Penal Code \u00a7 632", "California Business & Professions Code \u00a7 17200", "California Penal Code \u00a7 502", "New York Penal Law \u00a7 156.05", "Texas Penal Code \u00a7 33.02", "Florida Statutes \u00a7 815.06" ], "title": "McNally v. United States, 483 U.S. 350 (1987)", "topics": [ "social engineering", "wire fraud", "scheme to defraud", "18 U.S.C. \u00a7 1343", "United States v. Czubinski", "scheme to defraud element", "phishing authorization gap", "federal impersonation", "18 U.S.C. \u00a7 912", "false personation federal officer", "identity document fraud", "18 U.S.C. \u00a7 1028", "ECPA", "wiretapping", "18 U.S.C. \u00a7 2511", "one-party consent", "all-party consent", "California Penal Code \u00a7 632", "vishing recording", "GLBA pretexting", "15 U.S.C. \u00a7 6821", "FTC pretexting enforcement", "financial institution social engineering", "CAN-SPAM Act", "CFAA phishing malware", "phishing damage", "TCPA bulk SMS", "SMiShing", "Truth in Caller ID Act", "47 U.S.C. \u00a7 227(e)", "caller ID spoofing", "caller ID spoofing legal vs illegal", "California Business and Professions Code \u00a7 17200", "UCL unfair business practices", "state deceptive practices", "human element authorization gap", "employee consent third party", "Van Buren authorization principle", "pen test scope letter limits", "company authorization employee rights", "safe grey red matrix social engineering", "AT&T insider bribery Fahd", "SIM swap prosecution", "Joseph O Connor PlugwalkJoe", "Graham Clark Twitter SIM swap", "BEC wire fraud", "business email compromise", "FDIC impersonation", "pretexting pre-engagement notice", "GLBA customer financial records", "TCPA ATDS Facebook v. Duguid", "red team impersonation IT helpdesk", "LinkedIn OSINT legal limits", "dumpster diving legal", "shoulder surfing" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal; EU (Cyber Resilience Act); International (insurance)", "U.S. Federal; International (OFAC, FATF)" ], "module_ids": [ "01s", "02h" ], "module_paths": [ "artifacts/modules/01s-emerging-cyber-law.md", "artifacts/modules/02h-cryptocurrency-blockchain-legal-framework.md" ], "module_titles": [ "Emerging Cyber Law: AI/LLM Security Research, Supply Chain Liability, and Cyber Insurance", "Cryptocurrency and Blockchain Legal Frameworks for Security Researchers" ], "slug": "merck-co-v-ace-american-insurance-co-n-j-super-ct-2023", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7\u00a7 1831-1832 (EEA)", "Executive Order 14028 (2021)", "EU Cyber Resilience Act (2024)", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)", "31 U.S.C. \u00a7 5330", "31 U.S.C. \u00a7\u00a7 5311-5336 (Bank Secrecy Act)", "18 U.S.C. \u00a7 1960", "50 U.S.C. \u00a7 1705 (IEEPA)", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1957", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "21 U.S.C. \u00a7 853(p)", "15 U.S.C. \u00a7 78j (Securities Exchange Act \u00a7 10(b))", "15 U.S.C. \u00a7 77a et seq. (Securities Act of 1933)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1030(a)(4)", "26 U.S.C. \u00a7 7201" ], "title": "Merck & Co. v. ACE American Insurance Co. (N.J. Super. Ct. 2023)", "topics": [ "AI security research CFAA", "LLM probing authorized access", "Van Buren AI gate analysis", "prompt injection legal theory", "model extraction EEA", "training data extraction", "HackerOne AI safe harbor 2026", "ToS post-Van Buren AI", "adversarial ML liability", "jailbreaking legal risk", "AI legal risk matrix", "supply chain attack liability", "SolarWinds downstream liability", "3CX supply chain", "XZ Utils", "economic loss rule software", "software product liability gap", "EO 14028 SBOM", "CISA secure by design", "EU Cyber Resilience Act", "CRA extraterritorial", "SEC software disclosure", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Mondelez v. Zurich war exclusion", "Lloyd's Y5381 exclusion", "ransomware business interruption coverage", "OFAC ransom payment insurance", "double extortion dual coverage", "consent to pay requirement", "cyber insurance market hardening", "pre-incident policy review", "FinCEN MSB registration", "31 U.S.C. \u00a7 5330", "Bank Secrecy Act", "AML/KYC", "money transmitter", "FinCEN 2013 guidance", "FinCEN 2019 framework", "18 U.S.C. \u00a7 1960 unlicensed money transmitting", "OFAC sanctions", "SDN list", "Tornado Cash designation", "Van Loon v. Treasury 5th Circuit 2024", "immutable smart contracts", "Lazarus Group DPRK addresses", "OFAC strict liability", "blockchain analytics", "Chainalysis Reactor", "Howey test", "SEC v. Ripple programmatic sales", "SEC v. Coinbase", "SEC v. Binance", "staking as securities", "Liberty Reserve", "BTC-e Vinnik", "Tornado Cash founders prosecution", "Samourai Wallet CoinJoin", "crypto forfeiture", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "civil vs criminal forfeiture", "Silk Road Bitcoin seizure", "Bitfinex $3.6B seizure", "private key seizure", "ransomware payment OFAC liability", "Evil Corp alias evasion", "SAR filing", "Lloyd\u2019s Y5381 exclusion", "Gratkowski no 4th Amendment blockchain", "pseudonymity vs anonymity", "Daubert blockchain analytics", "Sterlingov Bitcoin Fog", "Monero regulatory pressure", "privacy coins", "CoinJoin", "Wasabi Wallet", "smart contract auditing liability", "white-hat returns Poly Network Euler Finance", "bug bounty crypto payment", "DOJ Kleptocracy rewards", "substitute asset forfeiture", "Colonial Pipeline BTC recovery" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal; EU (Cyber Resilience Act); International (insurance)" ], "module_ids": [ "01s" ], "module_paths": [ "artifacts/modules/01s-emerging-cyber-law.md" ], "module_titles": [ "Emerging Cyber Law: AI/LLM Security Research, Supply Chain Liability, and Cyber Insurance" ], "slug": "mondelez-international-v-zurich-american-insurance-co-settled-2023", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7\u00a7 1831-1832 (EEA)", "Executive Order 14028 (2021)", "EU Cyber Resilience Act (2024)", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)" ], "title": "Mondelez International v. Zurich American Insurance Co. (settled 2023)", "topics": [ "AI security research CFAA", "LLM probing authorized access", "Van Buren AI gate analysis", "prompt injection legal theory", "model extraction EEA", "training data extraction", "HackerOne AI safe harbor 2026", "ToS post-Van Buren AI", "adversarial ML liability", "jailbreaking legal risk", "AI legal risk matrix", "supply chain attack liability", "SolarWinds downstream liability", "3CX supply chain", "XZ Utils", "economic loss rule software", "software product liability gap", "EO 14028 SBOM", "CISA secure by design", "EU Cyber Resilience Act", "CRA extraterritorial", "SEC software disclosure", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Mondelez v. Zurich war exclusion", "Lloyd's Y5381 exclusion", "ransomware business interruption coverage", "OFAC ransom payment insurance", "double extortion dual coverage", "consent to pay requirement", "cyber insurance market hardening", "pre-incident policy review" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "International (UK, EU, Germany, Canada, Australia) + U.S." ], "module_ids": [ "01y" ], "module_paths": [ "artifacts/modules/01y-international-pentest-uk-cma-sim-swap.md" ], "module_titles": [ "International Penetration Testing Law: UK CMA, Germany \u00a7 202c, EU NIS2, Canada, Australia, SIM Swap, and Extradition Exposure" ], "slug": "r-v-boden-2002-australia", "statutes": [ "Computer Misuse Act 1990 (UK) \u00a7\u00a7 1, 2, 3, 3A", "Strafgesetzbuch \u00a7\u00a7 202a, 202b, 202c (Germany)", "EU NIS2 Directive 2022/2555 Art. 21, 25", "GDPR Regulation 2016/679 Art. 3, 5, 28, 32, 33", "Canada Criminal Code \u00a7\u00a7 342.1, 430(1.1)", "Australia Criminal Code Act 1995 \u00a7\u00a7 477.1, 477.2, 477.3, 478.1", "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343 (Wire Fraud)", "18 U.S.C. \u00a7 1029 (Access Device Fraud)", "FCC Report and Order FCC-23-111 (2023)" ], "title": "R v. Boden (2002) (Australia)", "topics": [ "UK Computer Misuse Act 1990", "CMA section 1 unauthorized access", "CMA section 2 intent further offence", "CMA section 3 impairing operation", "CMA section 3A hacking tools", "R v Gold Schifreen 1988", "Metasploit UK law", "Kali Linux UK law", "Flipper Zero UK law", "Germany 202a unauthorized data access", "Germany 202b phishing", "Germany 202c preparation hacking tools", "StGB dual-use tools", "BSI Act Germany", "EU NIS2 Directive 2022", "GDPR Article 5 data minimization", "GDPR Article 3 extraterritorial", "GDPR penetration testing", "Canada Criminal Code 342.1", "Canada 430(1.1) mischief computer data", "colour of right Canada", "Australia Criminal Code 477", "Australia 477.1 unauthorized access", "Australian Signals Directorate ASD", "SIM swap CFAA", "SIM swap wire fraud 1343", "SIM swap access device fraud 1029", "FCC SIM swap order 2023", "carrier employee bribery", "extradition cybercrime", "double criminality", "US-UK extradition treaty", "Gary McKinnon extradition", "multi-jurisdiction pen test checklist", "international engagement contract", "GDPR data processing agreement", "international security testing risk matrix" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "International (UK, EU, Germany, Canada, Australia) + U.S." ], "module_ids": [ "01y" ], "module_paths": [ "artifacts/modules/01y-international-pentest-uk-cma-sim-swap.md" ], "module_titles": [ "International Penetration Testing Law: UK CMA, Germany \u00a7 202c, EU NIS2, Canada, Australia, SIM Swap, and Extradition Exposure" ], "slug": "r-v-bow-street-magistrates-court-ex-parte-government-of-the-united-states-2006", "statutes": [ "Computer Misuse Act 1990 (UK) \u00a7\u00a7 1, 2, 3, 3A", "Strafgesetzbuch \u00a7\u00a7 202a, 202b, 202c (Germany)", "EU NIS2 Directive 2022/2555 Art. 21, 25", "GDPR Regulation 2016/679 Art. 3, 5, 28, 32, 33", "Canada Criminal Code \u00a7\u00a7 342.1, 430(1.1)", "Australia Criminal Code Act 1995 \u00a7\u00a7 477.1, 477.2, 477.3, 478.1", "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343 (Wire Fraud)", "18 U.S.C. \u00a7 1029 (Access Device Fraud)", "FCC Report and Order FCC-23-111 (2023)" ], "title": "R v. Bow Street Magistrates Court ex parte Government of the United States (2006)", "topics": [ "UK Computer Misuse Act 1990", "CMA section 1 unauthorized access", "CMA section 2 intent further offence", "CMA section 3 impairing operation", "CMA section 3A hacking tools", "R v Gold Schifreen 1988", "Metasploit UK law", "Kali Linux UK law", "Flipper Zero UK law", "Germany 202a unauthorized data access", "Germany 202b phishing", "Germany 202c preparation hacking tools", "StGB dual-use tools", "BSI Act Germany", "EU NIS2 Directive 2022", "GDPR Article 5 data minimization", "GDPR Article 3 extraterritorial", "GDPR penetration testing", "Canada Criminal Code 342.1", "Canada 430(1.1) mischief computer data", "colour of right Canada", "Australia Criminal Code 477", "Australia 477.1 unauthorized access", "Australian Signals Directorate ASD", "SIM swap CFAA", "SIM swap wire fraud 1343", "SIM swap access device fraud 1029", "FCC SIM swap order 2023", "carrier employee bribery", "extradition cybercrime", "double criminality", "US-UK extradition treaty", "Gary McKinnon extradition", "multi-jurisdiction pen test checklist", "international engagement contract", "GDPR data processing agreement", "international security testing risk matrix" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "International (UK, EU, Germany, Canada, Australia) + U.S." ], "module_ids": [ "01y" ], "module_paths": [ "artifacts/modules/01y-international-pentest-uk-cma-sim-swap.md" ], "module_titles": [ "International Penetration Testing Law: UK CMA, Germany \u00a7 202c, EU NIS2, Canada, Australia, SIM Swap, and Extradition Exposure" ], "slug": "r-v-gold-schifreen-1988-uk", "statutes": [ "Computer Misuse Act 1990 (UK) \u00a7\u00a7 1, 2, 3, 3A", "Strafgesetzbuch \u00a7\u00a7 202a, 202b, 202c (Germany)", "EU NIS2 Directive 2022/2555 Art. 21, 25", "GDPR Regulation 2016/679 Art. 3, 5, 28, 32, 33", "Canada Criminal Code \u00a7\u00a7 342.1, 430(1.1)", "Australia Criminal Code Act 1995 \u00a7\u00a7 477.1, 477.2, 477.3, 478.1", "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343 (Wire Fraud)", "18 U.S.C. \u00a7 1029 (Access Device Fraud)", "FCC Report and Order FCC-23-111 (2023)" ], "title": "R v. Gold & Schifreen (1988) (UK)", "topics": [ "UK Computer Misuse Act 1990", "CMA section 1 unauthorized access", "CMA section 2 intent further offence", "CMA section 3 impairing operation", "CMA section 3A hacking tools", "R v Gold Schifreen 1988", "Metasploit UK law", "Kali Linux UK law", "Flipper Zero UK law", "Germany 202a unauthorized data access", "Germany 202b phishing", "Germany 202c preparation hacking tools", "StGB dual-use tools", "BSI Act Germany", "EU NIS2 Directive 2022", "GDPR Article 5 data minimization", "GDPR Article 3 extraterritorial", "GDPR penetration testing", "Canada Criminal Code 342.1", "Canada 430(1.1) mischief computer data", "colour of right Canada", "Australia Criminal Code 477", "Australia 477.1 unauthorized access", "Australian Signals Directorate ASD", "SIM swap CFAA", "SIM swap wire fraud 1343", "SIM swap access device fraud 1029", "FCC SIM swap order 2023", "carrier employee bribery", "extradition cybercrime", "double criminality", "US-UK extradition treaty", "Gary McKinnon extradition", "multi-jurisdiction pen test checklist", "international engagement contract", "GDPR data processing agreement", "international security testing risk matrix" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "International (UK, EU, Germany, Canada, Australia) + U.S." ], "module_ids": [ "01y" ], "module_paths": [ "artifacts/modules/01y-international-pentest-uk-cma-sim-swap.md" ], "module_titles": [ "International Penetration Testing Law: UK CMA, Germany \u00a7 202c, EU NIS2, Canada, Australia, SIM Swap, and Extradition Exposure" ], "slug": "r-v-mclaughlin-2017-canada", "statutes": [ "Computer Misuse Act 1990 (UK) \u00a7\u00a7 1, 2, 3, 3A", "Strafgesetzbuch \u00a7\u00a7 202a, 202b, 202c (Germany)", "EU NIS2 Directive 2022/2555 Art. 21, 25", "GDPR Regulation 2016/679 Art. 3, 5, 28, 32, 33", "Canada Criminal Code \u00a7\u00a7 342.1, 430(1.1)", "Australia Criminal Code Act 1995 \u00a7\u00a7 477.1, 477.2, 477.3, 478.1", "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343 (Wire Fraud)", "18 U.S.C. \u00a7 1029 (Access Device Fraud)", "FCC Report and Order FCC-23-111 (2023)" ], "title": "R v. McLaughlin (2017) (Canada)", "topics": [ "UK Computer Misuse Act 1990", "CMA section 1 unauthorized access", "CMA section 2 intent further offence", "CMA section 3 impairing operation", "CMA section 3A hacking tools", "R v Gold Schifreen 1988", "Metasploit UK law", "Kali Linux UK law", "Flipper Zero UK law", "Germany 202a unauthorized data access", "Germany 202b phishing", "Germany 202c preparation hacking tools", "StGB dual-use tools", "BSI Act Germany", "EU NIS2 Directive 2022", "GDPR Article 5 data minimization", "GDPR Article 3 extraterritorial", "GDPR penetration testing", "Canada Criminal Code 342.1", "Canada 430(1.1) mischief computer data", "colour of right Canada", "Australia Criminal Code 477", "Australia 477.1 unauthorized access", "Australian Signals Directorate ASD", "SIM swap CFAA", "SIM swap wire fraud 1343", "SIM swap access device fraud 1029", "FCC SIM swap order 2023", "carrier employee bribery", "extradition cybercrime", "double criminality", "US-UK extradition treaty", "Gary McKinnon extradition", "multi-jurisdiction pen test checklist", "international engagement contract", "GDPR data processing agreement", "international security testing risk matrix" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal + State + International" ], "module_ids": [ "01z" ], "module_paths": [ "artifacts/modules/01z-scada-iot-automotive-hacking-law.md" ], "module_titles": [ "SCADA, IoT, Automotive, and Drone Hacking: Critical Infrastructure Law for Security Researchers" ], "slug": "r-v-vitek-boden-queensland-australia-2001-maroochy-water", "statutes": [ "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 1030(a)(5)(A)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 32 (aircraft sabotage)", "47 U.S.C. \u00a7 333 (RF interference)", "18 U.S.C. \u00a7 1365 (consumer product tampering)", "18 U.S.C. \u00a7 1362 (government communication interference)", "49 U.S.C. \u00a7 30170", "42 U.S.C. \u00a7 7522 (EPA emission controls)", "16 U.S.C. \u00a7 824o (Federal Power Act / NERC CIP)", "California Civil Code \u00a7 1798.91.04", "15 U.S.C. \u00a7 45 (FTC Act \u00a7 5)", "21 U.S.C. \u00a7 301 et seq. (FD&C Act \u00a7 524B)" ], "title": "R v. Vitek Boden (Queensland, Australia 2001) \u2014 Maroochy Water", "topics": [ "SCADA hacking law", "ICS security law", "OT cybersecurity legal framework", "PPD-21 critical infrastructure", "CFAA \u00a7 1030(c)(4)(B) enhancement", "critical infrastructure sentencing 20 years", "substantial disruption standard", "Colonial Pipeline legal aftermath", "DarkSide ransomware OFAC", "Oldsmar water treatment plant 2021", "ICS-CERT coordinated disclosure", "CISA vulnerability disclosure ICS", "hospital ransomware Change Healthcare", "UHS ransomware", "involuntary manslaughter ransomware theory", "IoT hacking CFAA", "Mirai botnet Jha 2018", "botnet recruitment \u00a7 1030(a)(5)", "FTC Act \u00a7 5 insecure IoT", "NISTIR 8259 IoT security", "California IoT security law \u00a7 1798.91.04", "Oregon SB 90 IoT", "vehicle ECU CFAA", "automotive hacking law", "Miller Valasek Jeep hack 2015", "Tesla bug bounty scope", "49 U.S.C. \u00a7 30170 vehicle safety", "SPY Car Act", "OBD-II port testing legal", "EPA emissions ECU modification", "drone hacking law", "FAA Part 107", "counter-UAS authority", "FAA Reauthorization Act 2018", "18 U.S.C. \u00a7 32 aircraft sabotage", "GPS spoofing legal risk", "RF jamming 47 U.S.C. \u00a7 333", "drone jamming federal crime", "NERC CIP mandatory standards", "FERC enforcement authority", "critical electric infrastructure information CEII", "smart grid security law", "FDA cybersecurity final rule 2023", "medical device hacking CFAA", "HIPAA medical device PHI", "\u00a7 524B FD&C Act SBOM", "Vitek Boden Maroochy Water 2001", "Stuxnet legal implications", "Ukraine power grid GRU indictment Sandworm", "TRITON TRISIS SIS attack", "Evgeny Gladkikh indictment", "lab vs production ICS testing", "Shodan ICS reconnaissance legal", "safe grey red ICS matrix", "NERC CIP CEII data handling" ] }, { "difficulties": [ "beginner" ], "jurisdictions": [ "U.S. Federal" ], "module_ids": [ "01m" ], "module_paths": [ "artifacts/modules/01m-hacker-lawsuits.md" ], "module_titles": [ "Hacker Lawsuits: The Cases That Define Your Scope" ], "slug": "sandvig-v-barr-451-f-supp-3d-73-d-d-c-2020", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "17 U.S.C. \u00a7 1201 (DMCA)", "DOJ Charging Policy for CFAA (2022)", "CISA Binding Operational Directive 20-01" ], "title": "Sandvig v. Barr, 451 F. Supp. 3d 73 (D.D.C. 2020)", "topics": [ "Van Buren authorized access", "hiQ LinkedIn scraping", "Power Ventures CFAA", "Auernheimer venue", "bug bounty authorization", "scope creep", "CFAA researcher exposure", "Sandvig v. Barr ToS research", "DOJ good-faith policy 2022", "safe harbor", "HackerOne platform safe harbor", "civil CFAA suits against researchers", "DMCA 1201 security research", "authorized security research exemption", "penetration testing contracts", "scope authorization", "SolarWinds CISO liability", "NSO Group spyware civil liability", "Mitnick supervised release", "researcher sentencing", "hacker-first legal doctrine" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, New York, Colorado)" ], "module_ids": [ "02g" ], "module_paths": [ "artifacts/modules/02g-coppa-ferpa-student-data-privacy.md" ], "module_titles": [ "COPPA, FERPA, and Student Data Privacy Law for Security Researchers" ], "slug": "sec-v-pearson-plc-2021-breach-disclosure", "statutes": [ "15 U.S.C. \u00a7\u00a7 6501\u20136506 (COPPA)", "16 C.F.R. Part 312 (FTC COPPA Rule)", "20 U.S.C. \u00a7 1232g (FERPA)", "34 C.F.R. Part 99 (FERPA Regulations)", "15 U.S.C. \u00a7 45 (FTC Act Section 5)", "Cal. Ed. Code \u00a7\u00a7 22584\u201322585 (SOPIPA)", "N.Y. Ed. Law \u00a7 2-d", "8 NYCRR Part 121", "Colo. Rev. Stat. \u00a7\u00a7 22-16-101\u2013115" ], "title": "SEC v. Pearson PLC (2021) \u2014 breach disclosure", "topics": [ "COPPA", "FERPA", "children's online privacy", "child under 13", "operator definition", "verifiable parental consent", "VPC methods", "actual knowledge standard", "mixed-audience sites", "school official exception", "data minimization", "retention limits", "FTC COPPA enforcement", "COPPA 2.0", "age-16 expansion", "design prohibition", "KOSA Kids Online Safety Act", "education records", "directory information", "legitimate educational interest", "FERPA enforcement", "no private right of action FERPA", "Gonzaga v. Doe", "funding withdrawal never used", "PowerSchool 2025 breach", "Los Angeles USD ransomware", "Illuminate Education breach", "K-12 ed-tech security", "student information system", "SIS vendor authorization", "SOPIPA California", "New York Ed Law 2-d", "Colorado SB 21-231", "CARU safe harbor", "kidSAFE seal", "persistent identifier COPPA", "behavioral advertising prohibition", "student PII during pentest", "responsible disclosure school districts", "FERPA redisclosure restrictions", "safe grey red matrix education" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal; International (OFAC, FATF)" ], "module_ids": [ "02h" ], "module_paths": [ "artifacts/modules/02h-cryptocurrency-blockchain-legal-framework.md" ], "module_titles": [ "Cryptocurrency and Blockchain Legal Frameworks for Security Researchers" ], "slug": "sec-v-ripple-labs-inc-no-20-cv-10832-s-d-n-y-2023", "statutes": [ "31 U.S.C. \u00a7 5330", "31 U.S.C. \u00a7\u00a7 5311-5336 (Bank Secrecy Act)", "18 U.S.C. \u00a7 1960", "50 U.S.C. \u00a7 1705 (IEEPA)", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1957", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "21 U.S.C. \u00a7 853(p)", "15 U.S.C. \u00a7 78j (Securities Exchange Act \u00a7 10(b))", "15 U.S.C. \u00a7 77a et seq. (Securities Act of 1933)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1030(a)(4)", "26 U.S.C. \u00a7 7201" ], "title": "SEC v. Ripple Labs, Inc., No. 20-cv-10832 (S.D.N.Y. 2023)", "topics": [ "FinCEN MSB registration", "31 U.S.C. \u00a7 5330", "Bank Secrecy Act", "AML/KYC", "money transmitter", "FinCEN 2013 guidance", "FinCEN 2019 framework", "18 U.S.C. \u00a7 1960 unlicensed money transmitting", "OFAC sanctions", "SDN list", "Tornado Cash designation", "Van Loon v. Treasury 5th Circuit 2024", "immutable smart contracts", "Lazarus Group DPRK addresses", "OFAC strict liability", "blockchain analytics", "Chainalysis Reactor", "Howey test", "SEC v. Ripple programmatic sales", "SEC v. Coinbase", "SEC v. Binance", "staking as securities", "Liberty Reserve", "BTC-e Vinnik", "Tornado Cash founders prosecution", "Samourai Wallet CoinJoin", "crypto forfeiture", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "civil vs criminal forfeiture", "Silk Road Bitcoin seizure", "Bitfinex $3.6B seizure", "private key seizure", "ransomware payment OFAC liability", "Evil Corp alias evasion", "SAR filing", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Lloyd\u2019s Y5381 exclusion", "Gratkowski no 4th Amendment blockchain", "pseudonymity vs anonymity", "Daubert blockchain analytics", "Sterlingov Bitcoin Fog", "Monero regulatory pressure", "privacy coins", "CoinJoin", "Wasabi Wallet", "smart contract auditing liability", "white-hat returns Poly Network Euler Finance", "bug bounty crypto payment", "DOJ Kleptocracy rewards", "substitute asset forfeiture", "Colonial Pipeline BTC recovery" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal (3rd, 9th, and SCOTUS circuits); International (extradition cases)", "U.S. Federal; International (MLAT, Budapest Convention)" ], "module_ids": [ "01d", "01e" ], "module_paths": [ "artifacts/modules/01d-landmark-cases.md", "artifacts/modules/01e-enforcement-agencies.md" ], "module_titles": [ "Landmark Cases: Prosecutions and Civil Suits", "Enforcement Agencies and Mechanisms" ], "slug": "sec-v-solarwinds-corp-and-timothy-g-brown-no-1-23-cv-09518-s-d-n-y", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1956", "Foreign Sovereign Immunities Act (FSIA)", "18 U.S.C. \u00a7 1963 (RICO)", "18 U.S.C. \u00a7 3663A (Mandatory Victims Restitution Act)", "18 U.S.C. \u00a7 2703", "15 U.S.C. \u00a7 45 (FTC Act Section 5)", "Budapest Convention Article 35" ], "title": "SEC v. SolarWinds Corp. and Timothy G. Brown, No. 1:23-cv-09518 (S.D.N.Y.)", "topics": [ "venue", "jurisdiction", "standing", "Spokeo", "TransUnion", "CFAA criminal prosecution", "CFAA civil action", "extradition", "nation-state hacking", "Lazarus Group", "North Korea", "Yahoo hack", "Russian FSB", "LinkedIn breach", "REvil ransomware", "Kaseya supply chain attack", "Bitfinex laundering", "cryptocurrency seizure", "blockchain forensics", "FSIA", "foreign sovereign immunity", "NSO Group", "Pegasus spyware", "web scraping", "public data access", "cease and desist plus technical blocks", "unauthorized access revocation", "ransomware prosecution", "restitution", "forfeiture", "indictment without custody", "SolarWinds", "SUNBURST", "SEC cyber disclosure enforcement", "internal accounting controls", "disclosure controls", "DOJ", "CCIPS", "National Security Division", "U.S. Attorneys Offices", "Office of International Affairs", "FBI", "Cyber Division", "IC3", "CISA", "CIRCIA", "Binding Operational Directives", "SEC", "FTC", "OFAC", "SDN list", "ransomware sanctions", "public-company cyber disclosure", "FinCEN", "Bank Secrecy Act", "SAR filing", "NSA", "Vulnerabilities Equities Process", "MLAT", "infrastructure seizure", "domain seizure", "criminal vs regulatory enforcement", "law enforcement cooperation", "parallel criminal and regulatory tracks", "Colonial Pipeline", "LockBit", "Hive ransomware" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal; International (OFAC, FATF)" ], "module_ids": [ "02h" ], "module_paths": [ "artifacts/modules/02h-cryptocurrency-blockchain-legal-framework.md" ], "module_titles": [ "Cryptocurrency and Blockchain Legal Frameworks for Security Researchers" ], "slug": "sec-v-w-j-howey-co-328-u-s-293-1946", "statutes": [ "31 U.S.C. \u00a7 5330", "31 U.S.C. \u00a7\u00a7 5311-5336 (Bank Secrecy Act)", "18 U.S.C. \u00a7 1960", "50 U.S.C. \u00a7 1705 (IEEPA)", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1957", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "21 U.S.C. \u00a7 853(p)", "15 U.S.C. \u00a7 78j (Securities Exchange Act \u00a7 10(b))", "15 U.S.C. \u00a7 77a et seq. (Securities Act of 1933)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1030(a)(4)", "26 U.S.C. \u00a7 7201" ], "title": "SEC v. W.J. Howey Co., 328 U.S. 293 (1946)", "topics": [ "FinCEN MSB registration", "31 U.S.C. \u00a7 5330", "Bank Secrecy Act", "AML/KYC", "money transmitter", "FinCEN 2013 guidance", "FinCEN 2019 framework", "18 U.S.C. \u00a7 1960 unlicensed money transmitting", "OFAC sanctions", "SDN list", "Tornado Cash designation", "Van Loon v. Treasury 5th Circuit 2024", "immutable smart contracts", "Lazarus Group DPRK addresses", "OFAC strict liability", "blockchain analytics", "Chainalysis Reactor", "Howey test", "SEC v. Ripple programmatic sales", "SEC v. Coinbase", "SEC v. Binance", "staking as securities", "Liberty Reserve", "BTC-e Vinnik", "Tornado Cash founders prosecution", "Samourai Wallet CoinJoin", "crypto forfeiture", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "civil vs criminal forfeiture", "Silk Road Bitcoin seizure", "Bitfinex $3.6B seizure", "private key seizure", "ransomware payment OFAC liability", "Evil Corp alias evasion", "SAR filing", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Lloyd\u2019s Y5381 exclusion", "Gratkowski no 4th Amendment blockchain", "pseudonymity vs anonymity", "Daubert blockchain analytics", "Sterlingov Bitcoin Fog", "Monero regulatory pressure", "privacy coins", "CoinJoin", "Wasabi Wallet", "smart contract auditing liability", "white-hat returns Poly Network Euler Finance", "bug bounty crypto payment", "DOJ Kleptocracy rewards", "substitute asset forfeiture", "Colonial Pipeline BTC recovery" ] }, { "difficulties": [ "intermediate", "advanced" ], "jurisdictions": [ "U.S. Federal (3rd, 9th, and SCOTUS circuits); International (extradition cases)", "U.S. Federal; U.S. State (California); EU (GDPR)" ], "module_ids": [ "01d", "01f" ], "module_paths": [ "artifacts/modules/01d-landmark-cases.md", "artifacts/modules/01f-victim-remedies.md" ], "module_titles": [ "Landmark Cases: Prosecutions and Civil Suits", "Victim Remedies and Procedural Hurdles" ], "slug": "spokeo-inc-v-robins-2016", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1956", "Foreign Sovereign Immunities Act (FSIA)", "18 U.S.C. \u00a7 1030(g) (CFAA civil action)", "18 U.S.C. \u00a7 3663A (Mandatory Victims Restitution Act)", "California Penal Code \u00a7 502", "California Civil Code \u00a7 1798.150 (CCPA)", "GDPR Article 82" ], "title": "Spokeo, Inc. v. Robins (2016)", "topics": [ "venue", "jurisdiction", "standing", "Spokeo", "TransUnion", "CFAA criminal prosecution", "CFAA civil action", "extradition", "nation-state hacking", "Lazarus Group", "North Korea", "Yahoo hack", "Russian FSB", "LinkedIn breach", "REvil ransomware", "Kaseya supply chain attack", "Bitfinex laundering", "cryptocurrency seizure", "blockchain forensics", "FSIA", "foreign sovereign immunity", "NSO Group", "Pegasus spyware", "web scraping", "public data access", "cease and desist plus technical blocks", "unauthorized access revocation", "ransomware prosecution", "restitution", "forfeiture", "indictment without custody", "SolarWinds", "SUNBURST", "SEC cyber disclosure enforcement", "internal accounting controls", "disclosure controls", "injunctive relief", "TRO", "compensatory damages", "punitive damages", "CCPA damages", "class action against breached organization", "Article III standing", "injury in fact", "attribution problem", "John Doe defendants", "personal jurisdiction", "forum non conveniens", "FSIA terrorism exception", "dual criminality", "privilege over forensics reports", "attorney-client privilege", "work product doctrine", "circuit split on standing", "negligence", "breach of contract", "GDPR data subject compensation", "Mandatory Victims Restitution Act" ] }, { "difficulties": [ "intermediate", "advanced" ], "jurisdictions": [ "U.S. Federal (3rd, 9th, and SCOTUS circuits); International (extradition cases)", "U.S. Federal; U.S. State (California); EU (GDPR)" ], "module_ids": [ "01d", "01f" ], "module_paths": [ "artifacts/modules/01d-landmark-cases.md", "artifacts/modules/01f-victim-remedies.md" ], "module_titles": [ "Landmark Cases: Prosecutions and Civil Suits", "Victim Remedies and Procedural Hurdles" ], "slug": "transunion-llc-v-ramirez-2021", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1956", "Foreign Sovereign Immunities Act (FSIA)", "18 U.S.C. \u00a7 1030(g) (CFAA civil action)", "18 U.S.C. \u00a7 3663A (Mandatory Victims Restitution Act)", "California Penal Code \u00a7 502", "California Civil Code \u00a7 1798.150 (CCPA)", "GDPR Article 82" ], "title": "TransUnion LLC v. Ramirez (2021)", "topics": [ "venue", "jurisdiction", "standing", "Spokeo", "TransUnion", "CFAA criminal prosecution", "CFAA civil action", "extradition", "nation-state hacking", "Lazarus Group", "North Korea", "Yahoo hack", "Russian FSB", "LinkedIn breach", "REvil ransomware", "Kaseya supply chain attack", "Bitfinex laundering", "cryptocurrency seizure", "blockchain forensics", "FSIA", "foreign sovereign immunity", "NSO Group", "Pegasus spyware", "web scraping", "public data access", "cease and desist plus technical blocks", "unauthorized access revocation", "ransomware prosecution", "restitution", "forfeiture", "indictment without custody", "SolarWinds", "SUNBURST", "SEC cyber disclosure enforcement", "internal accounting controls", "disclosure controls", "injunctive relief", "TRO", "compensatory damages", "punitive damages", "CCPA damages", "class action against breached organization", "Article III standing", "injury in fact", "attribution problem", "John Doe defendants", "personal jurisdiction", "forum non conveniens", "FSIA terrorism exception", "dual criminality", "privilege over forensics reports", "attorney-client privilege", "work product doctrine", "circuit split on standing", "negligence", "breach of contract", "GDPR data subject compensation", "Mandatory Victims Restitution Act" ] }, { "difficulties": [ "beginner" ], "jurisdictions": [ "U.S. Federal (1st, 2nd, 7th circuits)" ], "module_ids": [ "01n" ], "module_paths": [ "artifacts/modules/01n-criminal-prosecution-history.md" ], "module_titles": [ "Foundational Criminal Prosecutions: Morris Worm to Marcus Hutchins" ], "slug": "united-states-v-albert-gonzalez-d-mass-d-n-j-2010", "statutes": [ "18 U.S.C. \u00a7 1030(a)(5)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1029", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7\u00a7 1961-1964 (RICO)", "18 U.S.C. \u00a7 1956", "21 U.S.C. \u00a7 841" ], "title": "United States v. Albert Gonzalez (D. Mass. / D.N.J. 2010)", "topics": [ "Morris Worm", "Robert T. Morris", "CFAA first conviction", "Kevin Mitnick", "social engineering", "supervised release internet ban", "Albert Gonzalez", "TJ Maxx breach", "Heartland Payment Systems", "SQL injection prosecution", "concurrent sentencing", "section 1029 access device fraud", "Ross Ulbricht", "Silk Road", "dark web marketplace", "operator liability", "RICO cybercrime", "life sentence hacking", "Bitcoin seizure", "Jeremy Hammond", "LulzSec", "Anonymous", "STRATFOR hack", "FBI informant entrapment", "AntiSec", "Marcus Hutchins", "WannaCry killswitch", "Kronos banking malware", "DEF CON arrest", "researcher sentencing mitigation", "time served cybercrime", "malware authorship liability" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal; International (OFAC, FATF)" ], "module_ids": [ "02h" ], "module_paths": [ "artifacts/modules/02h-cryptocurrency-blockchain-legal-framework.md" ], "module_titles": [ "Cryptocurrency and Blockchain Legal Frameworks for Security Researchers" ], "slug": "united-states-v-alexander-vinnik-2017", "statutes": [ "31 U.S.C. \u00a7 5330", "31 U.S.C. \u00a7\u00a7 5311-5336 (Bank Secrecy Act)", "18 U.S.C. \u00a7 1960", "50 U.S.C. \u00a7 1705 (IEEPA)", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1957", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "21 U.S.C. \u00a7 853(p)", "15 U.S.C. \u00a7 78j (Securities Exchange Act \u00a7 10(b))", "15 U.S.C. \u00a7 77a et seq. (Securities Act of 1933)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1030(a)(4)", "26 U.S.C. \u00a7 7201" ], "title": "United States v. Alexander Vinnik (2017+)", "topics": [ "FinCEN MSB registration", "31 U.S.C. \u00a7 5330", "Bank Secrecy Act", "AML/KYC", "money transmitter", "FinCEN 2013 guidance", "FinCEN 2019 framework", "18 U.S.C. \u00a7 1960 unlicensed money transmitting", "OFAC sanctions", "SDN list", "Tornado Cash designation", "Van Loon v. Treasury 5th Circuit 2024", "immutable smart contracts", "Lazarus Group DPRK addresses", "OFAC strict liability", "blockchain analytics", "Chainalysis Reactor", "Howey test", "SEC v. Ripple programmatic sales", "SEC v. Coinbase", "SEC v. Binance", "staking as securities", "Liberty Reserve", "BTC-e Vinnik", "Tornado Cash founders prosecution", "Samourai Wallet CoinJoin", "crypto forfeiture", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "civil vs criminal forfeiture", "Silk Road Bitcoin seizure", "Bitfinex $3.6B seizure", "private key seizure", "ransomware payment OFAC liability", "Evil Corp alias evasion", "SAR filing", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Lloyd\u2019s Y5381 exclusion", "Gratkowski no 4th Amendment blockchain", "pseudonymity vs anonymity", "Daubert blockchain analytics", "Sterlingov Bitcoin Fog", "Monero regulatory pressure", "privacy coins", "CoinJoin", "Wasabi Wallet", "smart contract auditing liability", "white-hat returns Poly Network Euler Finance", "bug bounty crypto payment", "DOJ Kleptocracy rewards", "substitute asset forfeiture", "Colonial Pipeline BTC recovery" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; International (NCA, Europol coordination)" ], "module_ids": [ "01p" ], "module_paths": [ "artifacts/modules/01p-ransomware-prosecutions.md" ], "module_titles": [ "Ransomware Group Prosecutions: DOJ Disruption Operations and Criminal Charges" ], "slug": "united-states-v-alla-witte-n-d-ohio-2023", "statutes": [ "18 U.S.C. \u00a7 1030", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1349", "21 U.S.C. \u00a7 853", "18 U.S.C. \u00a7 981", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)" ], "title": "United States v. Alla Witte (N.D. Ohio 2023)", "topics": [ "ransomware prosecution", "DOJ disruption operations", "REvil", "Sodinokibi", "Yaroslav Vasinskyi", "affiliate liability", "Kaseya attack", "JBS attack", "DarkSide", "Colonial Pipeline", "ransom recovery", "cryptocurrency seizure", "FBI private key access", "Conti group", "Mikhail Matveev", "Wazawaka", "Alla Witte", "Trickbot developer", "OFAC Conti designation", "ALPHV", "BlackCat", "FBI decryption keys", "Change Healthcare", "LockBit", "Operation Cronos", "Dmitry Khoroshev", "LockBitSupp unmasking", "NCA operation", "credential stuffing prosecution", "OFAC ransomware payment liability", "Evil Corp alias rotation", "ransom payment sanctions violation", "ransomware-as-a-service", "RaaS affiliate model", "money mule liability", "infrastructure seizure", "forfeiture cryptocurrency" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal; International (OFAC, FATF)" ], "module_ids": [ "02h" ], "module_paths": [ "artifacts/modules/02h-cryptocurrency-blockchain-legal-framework.md" ], "module_titles": [ "Cryptocurrency and Blockchain Legal Frameworks for Security Researchers" ], "slug": "united-states-v-arthur-budovsky-s-d-n-y-2013", "statutes": [ "31 U.S.C. \u00a7 5330", "31 U.S.C. \u00a7\u00a7 5311-5336 (Bank Secrecy Act)", "18 U.S.C. \u00a7 1960", "50 U.S.C. \u00a7 1705 (IEEPA)", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1957", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "21 U.S.C. \u00a7 853(p)", "15 U.S.C. \u00a7 78j (Securities Exchange Act \u00a7 10(b))", "15 U.S.C. \u00a7 77a et seq. (Securities Act of 1933)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1030(a)(4)", "26 U.S.C. \u00a7 7201" ], "title": "United States v. Arthur Budovsky (S.D.N.Y. 2013)", "topics": [ "FinCEN MSB registration", "31 U.S.C. \u00a7 5330", "Bank Secrecy Act", "AML/KYC", "money transmitter", "FinCEN 2013 guidance", "FinCEN 2019 framework", "18 U.S.C. \u00a7 1960 unlicensed money transmitting", "OFAC sanctions", "SDN list", "Tornado Cash designation", "Van Loon v. Treasury 5th Circuit 2024", "immutable smart contracts", "Lazarus Group DPRK addresses", "OFAC strict liability", "blockchain analytics", "Chainalysis Reactor", "Howey test", "SEC v. Ripple programmatic sales", "SEC v. Coinbase", "SEC v. Binance", "staking as securities", "Liberty Reserve", "BTC-e Vinnik", "Tornado Cash founders prosecution", "Samourai Wallet CoinJoin", "crypto forfeiture", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "civil vs criminal forfeiture", "Silk Road Bitcoin seizure", "Bitfinex $3.6B seizure", "private key seizure", "ransomware payment OFAC liability", "Evil Corp alias evasion", "SAR filing", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Lloyd\u2019s Y5381 exclusion", "Gratkowski no 4th Amendment blockchain", "pseudonymity vs anonymity", "Daubert blockchain analytics", "Sterlingov Bitcoin Fog", "Monero regulatory pressure", "privacy coins", "CoinJoin", "Wasabi Wallet", "smart contract auditing liability", "white-hat returns Poly Network Euler Finance", "bug bounty crypto payment", "DOJ Kleptocracy rewards", "substitute asset forfeiture", "Colonial Pipeline BTC recovery" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; International (NCA, Europol coordination)" ], "module_ids": [ "01p" ], "module_paths": [ "artifacts/modules/01p-ransomware-prosecutions.md" ], "module_titles": [ "Ransomware Group Prosecutions: DOJ Disruption Operations and Criminal Charges" ], "slug": "united-states-v-artur-sungatov-and-ivan-kondratyev-d-n-j-2024", "statutes": [ "18 U.S.C. \u00a7 1030", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1349", "21 U.S.C. \u00a7 853", "18 U.S.C. \u00a7 981", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)" ], "title": "United States v. Artur Sungatov and Ivan Kondratyev (D.N.J. 2024)", "topics": [ "ransomware prosecution", "DOJ disruption operations", "REvil", "Sodinokibi", "Yaroslav Vasinskyi", "affiliate liability", "Kaseya attack", "JBS attack", "DarkSide", "Colonial Pipeline", "ransom recovery", "cryptocurrency seizure", "FBI private key access", "Conti group", "Mikhail Matveev", "Wazawaka", "Alla Witte", "Trickbot developer", "OFAC Conti designation", "ALPHV", "BlackCat", "FBI decryption keys", "Change Healthcare", "LockBit", "Operation Cronos", "Dmitry Khoroshev", "LockBitSupp unmasking", "NCA operation", "credential stuffing prosecution", "OFAC ransomware payment liability", "Evil Corp alias rotation", "ransom payment sanctions violation", "ransomware-as-a-service", "RaaS affiliate model", "money mule liability", "infrastructure seizure", "forfeiture cryptocurrency" ] }, { "difficulties": [ "intermediate", "advanced", "beginner" ], "jurisdictions": [ "U.S. Federal (3rd, 9th, and SCOTUS circuits); International (extradition cases)", "U.S. Federal; U.S. State (California); EU (GDPR)", "U.S. Federal", "U.S. Federal + State", "U.S. Federal; U.S. State; EU (GDPR); International", "U.S. Federal; UK; International" ], "module_ids": [ "01d", "01f", "01m", "01t", "01u", "01v" ], "module_paths": [ "artifacts/modules/01d-landmark-cases.md", "artifacts/modules/01f-victim-remedies.md", "artifacts/modules/01m-hacker-lawsuits.md", "artifacts/modules/01t-flipper-zero-legal-liability.md", "artifacts/modules/01u-safe-harbor-vdp-bug-bounty.md", "artifacts/modules/01v-hackers-hall-of-fame.md" ], "module_titles": [ "Landmark Cases: Prosecutions and Civil Suits", "Victim Remedies and Procedural Hurdles", "Hacker Lawsuits: The Cases That Define Your Scope", "Flipper Zero Legal Liability: Exact Statute + Case Analysis for Security Researchers", "Safe Harbor, VDPs, and Bug Bounty Legal Limits", "Hackers Who Got Caught: 50 Years of Prosecutions, Verdicts, and Doctrine" ], "slug": "united-states-v-auernheimer-748-f-3d-525-3d-cir-2014", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1956", "Foreign Sovereign Immunities Act (FSIA)", "18 U.S.C. \u00a7 1030(g) (CFAA civil action)", "18 U.S.C. \u00a7 3663A (Mandatory Victims Restitution Act)", "California Penal Code \u00a7 502", "California Civil Code \u00a7 1798.150 (CCPA)", "GDPR Article 82", "17 U.S.C. \u00a7 1201 (DMCA)", "DOJ Charging Policy for CFAA (2022)", "CISA Binding Operational Directive 20-01", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 1030(a)(5)(A)", "18 U.S.C. \u00a7 1030(a)(5)(C)", "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 1029(a)(2)", "18 U.S.C. \u00a7 1029(a)(3)", "18 U.S.C. \u00a7 1029(a)(4)", "47 U.S.C. \u00a7 333 (FCC jamming prohibition)", "47 U.S.C. \u00a7 501 (FCC criminal penalties)", "New York Penal Law \u00a7 165.15", "Texas Penal Code \u00a7 33.02", "Washington RCW 9A.90.040", "New York Penal Law Article 156", "GDPR Article 33", "18 U.S.C. \u00a7 1029", "18 U.S.C. \u00a7 2339B" ], "title": "United States v. Auernheimer, 748 F.3d 525 (3d Cir. 2014)", "topics": [ "venue", "jurisdiction", "standing", "Spokeo", "TransUnion", "CFAA criminal prosecution", "CFAA civil action", "extradition", "nation-state hacking", "Lazarus Group", "North Korea", "Yahoo hack", "Russian FSB", "LinkedIn breach", "REvil ransomware", "Kaseya supply chain attack", "Bitfinex laundering", "cryptocurrency seizure", "blockchain forensics", "FSIA", "foreign sovereign immunity", "NSO Group", "Pegasus spyware", "web scraping", "public data access", "cease and desist plus technical blocks", "unauthorized access revocation", "ransomware prosecution", "restitution", "forfeiture", "indictment without custody", "SolarWinds", "SUNBURST", "SEC cyber disclosure enforcement", "internal accounting controls", "disclosure controls", "injunctive relief", "TRO", "compensatory damages", "punitive damages", "CCPA damages", "class action against breached organization", "Article III standing", "injury in fact", "attribution problem", "John Doe defendants", "personal jurisdiction", "forum non conveniens", "FSIA terrorism exception", "dual criminality", "privilege over forensics reports", "attorney-client privilege", "work product doctrine", "circuit split on standing", "negligence", "breach of contract", "GDPR data subject compensation", "Mandatory Victims Restitution Act", "Van Buren authorized access", "hiQ LinkedIn scraping", "Power Ventures CFAA", "Auernheimer venue", "bug bounty authorization", "scope creep", "CFAA researcher exposure", "Sandvig v. Barr ToS research", "DOJ good-faith policy 2022", "safe harbor", "HackerOne platform safe harbor", "civil CFAA suits against researchers", "DMCA 1201 security research", "authorized security research exemption", "penetration testing contracts", "scope authorization", "SolarWinds CISO liability", "NSO Group spyware civil liability", "Mitnick supervised release", "researcher sentencing", "hacker-first legal doctrine", "Flipper Zero", "Sub-GHz replay attack", "KeeLoq rolling code", "RollJam attack", "CC1101 transceiver", "NFC cloning", "RFID skimming", "Mifare Classic attack", "ST25R3916", "EMV contactless skimming", "BadUSB", "HID injection", "Ducky Script", "USB HID keyboard emulation", "IR blaster", "TV-B-Gone", "ATM IR manipulation", "BLE spam", "BlueSnarfing", "BlueBorne", "GATT enumeration", "CFAA unauthorized access", "exceeds authorized access", "Van Buren analysis", "DOJ 2022 CFAA charging policy", "good-faith security research", "FCC jamming prohibition", "47 U.S.C. \u00a7 333", "strict liability jamming", "ISM band", "Part 15 intentional radiator", "authorized pen-test context", "access device fraud", "device-making equipment", "counterfeit access device", "hotel keycard cloning", "payment card skimming", "wire fraud data exfiltration", "aggravated identity theft mandatory consecutive", "critical infrastructure sentencing enhancement", "hospital equipment IR", "safe grey red matrix", "firmware selection legal implications", "Unleashed firmware", "RogueMaster firmware", "Faraday cage testing", "California Penal Code \u00a7 502", "Texas Penal Code \u00a7 33.02", "RF shielded bag rule", "scope letter HID injection", "get-out-of-jail letter", "authorized access", "Van Buren good faith", "bug bounty safe harbor", "vulnerability disclosure policy", "coordinated disclosure", "Auernheimer problem", "DMCA 1201 security research exemption", "HackerOne legal protection", "Bugcrowd scope", "CVD timeline", "90-day disclosure", "state computer fraud law", "California PC 502", "New York Penal Law 156", "Texas PC 33.02", "GDPR during testing", "international extradition", "pen test authorization", "scope letter legal effect", "good faith research defense", "Kevin Mitnick", "Albert Gonzalez", "Gary McKinnon", "Lauri Love", "Marcus Hutchins", "Hector Monsegur Sabu", "Jeremy Hammond", "Andrew Auernheimer weev", "Jonathan James c0mrade", "Adrian Lamo", "Paige Thompson Capital One", "Joseph James O'Connor PlugwalkJoe", "Graham Clark Twitter hack", "Lapsus$ Arion Kurtaj", "LockBit Dmitry Khoroshev", "REvil Yaroslav Vasinskyi", "Evgeniy Bogachev GameOver Zeus", "Vladislav Klyushin", "Joseph Sullivan Uber CISO", "Ardit Ferizi ISIS hacker", "Aleksei Burkov", "Mikhail Matveev Wazawaka", "Conti Trickbot", "Andrei Tyurin JPMorgan", "cooperation sentencing", "extradition fight mental health", "Russia no extradition", "infrastructure seizure without arrest", "juvenile hacking prosecution", "ransomware sentencing", "CISO liability", "hacker hall of fame" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State" ], "module_ids": [ "01t" ], "module_paths": [ "artifacts/modules/01t-flipper-zero-legal-liability.md" ], "module_titles": [ "Flipper Zero Legal Liability: Exact Statute + Case Analysis for Security Researchers" ], "slug": "united-states-v-bhatt-d-n-j-car-relay-attack-rf-credential-capture", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 1030(a)(5)(A)", "18 U.S.C. \u00a7 1030(a)(5)(C)", "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 1029(a)(2)", "18 U.S.C. \u00a7 1029(a)(3)", "18 U.S.C. \u00a7 1029(a)(4)", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1343", "47 U.S.C. \u00a7 333 (FCC jamming prohibition)", "47 U.S.C. \u00a7 501 (FCC criminal penalties)", "California Penal Code \u00a7 502", "New York Penal Law \u00a7 165.15", "Texas Penal Code \u00a7 33.02", "Washington RCW 9A.90.040" ], "title": "United States v. Bhatt (D.N.J.) \u2014 car relay attack / RF credential capture", "topics": [ "Flipper Zero", "Sub-GHz replay attack", "KeeLoq rolling code", "RollJam attack", "CC1101 transceiver", "NFC cloning", "RFID skimming", "Mifare Classic attack", "ST25R3916", "EMV contactless skimming", "BadUSB", "HID injection", "Ducky Script", "USB HID keyboard emulation", "IR blaster", "TV-B-Gone", "ATM IR manipulation", "BLE spam", "BlueSnarfing", "BlueBorne", "GATT enumeration", "CFAA unauthorized access", "exceeds authorized access", "Van Buren analysis", "DOJ 2022 CFAA charging policy", "good-faith security research", "FCC jamming prohibition", "47 U.S.C. \u00a7 333", "strict liability jamming", "ISM band", "Part 15 intentional radiator", "authorized pen-test context", "access device fraud", "device-making equipment", "counterfeit access device", "hotel keycard cloning", "payment card skimming", "wire fraud data exfiltration", "aggravated identity theft mandatory consecutive", "critical infrastructure sentencing enhancement", "hospital equipment IR", "safe grey red matrix", "firmware selection legal implications", "Unleashed firmware", "RogueMaster firmware", "Faraday cage testing", "California Penal Code \u00a7 502", "Texas Penal Code \u00a7 33.02", "RF shielded bag rule", "scope letter HID injection", "get-out-of-jail letter" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, New York, Texas)" ], "module_ids": [ "01q" ], "module_paths": [ "artifacts/modules/01q-missing-statutes.md" ], "module_titles": [ "Beyond CFAA: Economic Espionage Act, Espionage Act, State Statutes, and Trespass to Chattels" ], "slug": "united-states-v-chelsea-manning-e-d-va-2013", "statutes": [ "18 U.S.C. \u00a7\u00a7 1831-1839 (Economic Espionage Act)", "18 U.S.C. \u00a7 793 (Espionage Act)", "California Penal Code \u00a7 502 (CDAFA)", "New York Penal Law Article 156", "Texas Penal Code \u00a7 33.02", "18 U.S.C. \u00a7 1030 (CFAA)" ], "title": "United States v. Chelsea Manning (E.D. Va. 2013)", "topics": [ "Economic Espionage Act", "18 U.S.C. \u00a7 1831", "18 U.S.C. \u00a7 1832", "trade secret theft via hacking", "foreign government nexus", "independent economic value", "reasonable measures to protect", "Xu Yanjun EEA conviction", "Zheng Xiaoqing steganography", "Apple AV engineer EEA", "Espionage Act", "18 U.S.C. \u00a7 793", "national defense information", "classified vs NDI distinction", "Chelsea Manning", "Edward Snowden", "Reality Winner", "Jack Teixeira Discord leaks", "printer steganography", "extraterritorial Espionage Act", "California Penal Code \u00a7 502", "CDAFA", "no damage floor California", "private right of action state", "New York Penal Law Article 156", "computer tampering", "Texas Penal Code \u00a7 33.02", "multi-state cybercrime exposure", "state AG enforcement", "trespass to chattels", "CompuServe v. Cyber Promotions", "Intel v. Hamidi", "eBay v. Bidder's Edge", "functional impairment requirement", "scraping civil liability", "pre-CFAA tort theory" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, Washington)" ], "module_ids": [ "02c" ], "module_paths": [ "artifacts/modules/02c-ecpa-wiretapping-stored-comms.md" ], "module_titles": [ "ECPA: Wiretap Act, Stored Communications, and Pen Registers" ], "slug": "united-states-v-councilman-418-f-3d-67-1st-cir-2005-en-banc", "statutes": [ "18 U.S.C. \u00a7\u00a7 2510\u20132522 (Wiretap Act)", "18 U.S.C. \u00a7\u00a7 2701\u20132713 (Stored Communications Act)", "18 U.S.C. \u00a7\u00a7 3121\u20133127 (Pen Register Act)", "18 U.S.C. \u00a7 2511", "18 U.S.C. \u00a7 2511(2)(a)(i)", "18 U.S.C. \u00a7 2511(2)(c)", "18 U.S.C. \u00a7 2511(2)(d)", "18 U.S.C. \u00a7 2515", "18 U.S.C. \u00a7 2520", "18 U.S.C. \u00a7 2701", "18 U.S.C. \u00a7 2702", "18 U.S.C. \u00a7 2703", "18 U.S.C. \u00a7 2707", "18 U.S.C. \u00a7 3121", "California Penal Code \u00a7 632", "Florida Stat. \u00a7 934.03", "720 ILCS 5/14-2", "Mass. Gen. Laws ch. 272 \u00a7 99", "Pa. Cons. Stat. \u00a7 5703", "Wash. Rev. Code \u00a7 9.73.030" ], "title": "United States v. Councilman, 418 F.3d 67 (1st Cir. 2005) (en banc)", "topics": [ "ECPA", "Wiretap Act", "18 U.S.C. \u00a7 2511", "Stored Communications Act", "18 U.S.C. \u00a7 2701", "Pen Register Act", "18 U.S.C. \u00a7 3121", "ECS vs RCS", "electronic communication service", "remote computing service", "one-party consent", "all-party consent", "California \u00a7 632", "Florida \u00a7 934.03", "provider exception", "\u00a7 2511(2)(a)(i)", "subscriber records vs content", "compelled disclosure \u00a7 2703", "voluntary disclosure \u00a7 2702", "war-driving", "packet sniffing", "network tap", "honeypot legal design", "SSL MITM ECPA", "VoIP intercept", "BLE sniffing", "TOR exit node monitoring", "Wi-Fi payload capture", "Joffe v. Google Street View", "Councilman email interception", "Konop v. Hawaiian Airlines", "United States v. Ropp keylogger", "Warshak email warrant", "Carpenter cell-site location", "inadvertently obtained doctrine", "pen register metadata", "dialing routing addressing signaling", "electronic storage", "temporary intermediate storage", "ECPA civil damages", "\u00a7 2520 civil recovery", "suppression remedy \u00a7 2515", "dual ECPA CFAA exposure", "ECPA pre-engagement checklist" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State" ], "module_ids": [ "01x" ], "module_paths": [ "artifacts/modules/01x-social-engineering-legal-limits.md" ], "module_titles": [ "Social Engineering Legal Limits: Wire Fraud, Impersonation, ECPA, and the Authorization Gap" ], "slug": "united-states-v-czubinski-106-f-3d-1069-1st-cir-1997", "statutes": [ "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 912", "18 U.S.C. \u00a7 1028", "18 U.S.C. \u00a7 2511", "15 U.S.C. \u00a7\u00a7 6821-6827 (GLBA)", "15 U.S.C. \u00a7 7701 (CAN-SPAM)", "18 U.S.C. \u00a7 1037", "18 U.S.C. \u00a7 1030(a)(5)", "47 U.S.C. \u00a7 227 (TCPA)", "47 U.S.C. \u00a7 227(e) (Truth in Caller ID Act)", "47 C.F.R. \u00a7 64.1604", "California Penal Code \u00a7 632", "California Business & Professions Code \u00a7 17200", "California Penal Code \u00a7 502", "New York Penal Law \u00a7 156.05", "Texas Penal Code \u00a7 33.02", "Florida Statutes \u00a7 815.06" ], "title": "United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997)", "topics": [ "social engineering", "wire fraud", "scheme to defraud", "18 U.S.C. \u00a7 1343", "United States v. Czubinski", "scheme to defraud element", "phishing authorization gap", "federal impersonation", "18 U.S.C. \u00a7 912", "false personation federal officer", "identity document fraud", "18 U.S.C. \u00a7 1028", "ECPA", "wiretapping", "18 U.S.C. \u00a7 2511", "one-party consent", "all-party consent", "California Penal Code \u00a7 632", "vishing recording", "GLBA pretexting", "15 U.S.C. \u00a7 6821", "FTC pretexting enforcement", "financial institution social engineering", "CAN-SPAM Act", "CFAA phishing malware", "phishing damage", "TCPA bulk SMS", "SMiShing", "Truth in Caller ID Act", "47 U.S.C. \u00a7 227(e)", "caller ID spoofing", "caller ID spoofing legal vs illegal", "California Business and Professions Code \u00a7 17200", "UCL unfair business practices", "state deceptive practices", "human element authorization gap", "employee consent third party", "Van Buren authorization principle", "pen test scope letter limits", "company authorization employee rights", "safe grey red matrix social engineering", "AT&T insider bribery Fahd", "SIM swap prosecution", "Joseph O Connor PlugwalkJoe", "Graham Clark Twitter SIM swap", "BEC wire fraud", "business email compromise", "FDIC impersonation", "pretexting pre-engagement notice", "GLBA customer financial records", "TCPA ATDS Facebook v. Duguid", "red team impersonation IT helpdesk", "LinkedIn OSINT legal limits", "dumpster diving legal", "shoulder surfing" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal + State + International" ], "module_ids": [ "01z" ], "module_paths": [ "artifacts/modules/01z-scada-iot-automotive-hacking-law.md" ], "module_titles": [ "SCADA, IoT, Automotive, and Drone Hacking: Critical Infrastructure Law for Security Researchers" ], "slug": "united-states-v-evgeny-viktorovich-gladkikh-d-d-c-2022-triton-sis-attack", "statutes": [ "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 1030(a)(5)(A)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 32 (aircraft sabotage)", "47 U.S.C. \u00a7 333 (RF interference)", "18 U.S.C. \u00a7 1365 (consumer product tampering)", "18 U.S.C. \u00a7 1362 (government communication interference)", "49 U.S.C. \u00a7 30170", "42 U.S.C. \u00a7 7522 (EPA emission controls)", "16 U.S.C. \u00a7 824o (Federal Power Act / NERC CIP)", "California Civil Code \u00a7 1798.91.04", "15 U.S.C. \u00a7 45 (FTC Act \u00a7 5)", "21 U.S.C. \u00a7 301 et seq. (FD&C Act \u00a7 524B)" ], "title": "United States v. Evgeny Viktorovich Gladkikh (D.D.C. 2022) \u2014 TRITON/SIS attack", "topics": [ "SCADA hacking law", "ICS security law", "OT cybersecurity legal framework", "PPD-21 critical infrastructure", "CFAA \u00a7 1030(c)(4)(B) enhancement", "critical infrastructure sentencing 20 years", "substantial disruption standard", "Colonial Pipeline legal aftermath", "DarkSide ransomware OFAC", "Oldsmar water treatment plant 2021", "ICS-CERT coordinated disclosure", "CISA vulnerability disclosure ICS", "hospital ransomware Change Healthcare", "UHS ransomware", "involuntary manslaughter ransomware theory", "IoT hacking CFAA", "Mirai botnet Jha 2018", "botnet recruitment \u00a7 1030(a)(5)", "FTC Act \u00a7 5 insecure IoT", "NISTIR 8259 IoT security", "California IoT security law \u00a7 1798.91.04", "Oregon SB 90 IoT", "vehicle ECU CFAA", "automotive hacking law", "Miller Valasek Jeep hack 2015", "Tesla bug bounty scope", "49 U.S.C. \u00a7 30170 vehicle safety", "SPY Car Act", "OBD-II port testing legal", "EPA emissions ECU modification", "drone hacking law", "FAA Part 107", "counter-UAS authority", "FAA Reauthorization Act 2018", "18 U.S.C. \u00a7 32 aircraft sabotage", "GPS spoofing legal risk", "RF jamming 47 U.S.C. \u00a7 333", "drone jamming federal crime", "NERC CIP mandatory standards", "FERC enforcement authority", "critical electric infrastructure information CEII", "smart grid security law", "FDA cybersecurity final rule 2023", "medical device hacking CFAA", "HIPAA medical device PHI", "\u00a7 524B FD&C Act SBOM", "Vitek Boden Maroochy Water 2001", "Stuxnet legal implications", "Ukraine power grid GRU indictment Sandworm", "TRITON TRISIS SIS attack", "Evgeny Gladkikh indictment", "lab vs production ICS testing", "Shodan ICS reconnaissance legal", "safe grey red ICS matrix", "NERC CIP CEII data handling" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [], "module_ids": [ "02d" ], "module_paths": [ "artifacts/modules/02d-ftc-section5-cybersecurity-enforcement.md" ], "module_titles": [ "FTC Act Section 5 Cybersecurity Enforcement" ], "slug": "united-states-v-facebook-inc-d-d-c-2019", "statutes": [ "15 U.S.C. \u00a7 45 (FTC Act Section 5)", "15 U.S.C. \u00a7 45(m) (civil penalty authority)", "15 U.S.C. \u00a7\u00a7 6501\u20136506 (COPPA)", "15 U.S.C. \u00a7\u00a7 6801\u20136809 (GLBA)", "16 C.F.R. Part 314 (FTC Safeguards Rule)", "16 C.F.R. Part 312 (COPPA Rule)", "16 C.F.R. Part 318 (Health Breach Notification Rule)", "Cal. Bus. & Prof. Code \u00a7 17200 (California UCL)", "N.Y. Gen. Bus. Law \u00a7 349", "Tex. Bus. & Com. Code \u00a7\u00a7 17.41\u201317.826 (Texas DTPA)" ], "title": "United States v. Facebook, Inc. (D.D.C. 2019)", "topics": [ "FTC Act Section 5", "15 U.S.C. \u00a7 45", "unfair or deceptive acts", "unfairness standard", "deception theory", "consent decree mechanics", "civil penalties FTC", "no private right of action", "Wyndham standard", "foreseeability", "counterfactual prevention", "LabMD unfairness boundary", "Drizly CEO personal liability", "Twitter 2FA advertising deception", "Meta Cambridge Analytica $5B", "FTC Safeguards Rule", "16 C.F.R. Part 314", "GLBA financial institutions", "written information security program", "risk assessment", "encryption at rest", "MFA mandatory", "penetration testing mandate", "30-day FTC breach notification", "Health Breach Notification Rule", "16 C.F.R. Part 318", "PHR vendors", "HIPAA FTC overlap", "Premom enforcement 2023", "COPPA", "15 U.S.C. \u00a7 6501", "verifiable parental consent", "age gate requirements", "data minimization children", "YouTube COPPA settlement", "Epic Games COPPA", "VDP adoption FTC pressure", "FTC complaint escalation tool", "California UCL \u00a7 17200", "New York GBL \u00a7 349", "Texas DTPA", "state FTC analogs", "Tiversa LabMD controversy", "privacy policy deception", "cookie disclosure", "reasonable security representation", "20-year monitoring period", "Civil Investigative Demand", "biennial third-party audit" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State" ], "module_ids": [ "01x" ], "module_paths": [ "artifacts/modules/01x-social-engineering-legal-limits.md" ], "module_titles": [ "Social Engineering Legal Limits: Wire Fraud, Impersonation, ECPA, and the Authorization Gap" ], "slug": "united-states-v-fahd-c-d-cal-2019-at-t-insider-bribery", "statutes": [ "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 912", "18 U.S.C. \u00a7 1028", "18 U.S.C. \u00a7 2511", "15 U.S.C. \u00a7\u00a7 6821-6827 (GLBA)", "15 U.S.C. \u00a7 7701 (CAN-SPAM)", "18 U.S.C. \u00a7 1037", "18 U.S.C. \u00a7 1030(a)(5)", "47 U.S.C. \u00a7 227 (TCPA)", "47 U.S.C. \u00a7 227(e) (Truth in Caller ID Act)", "47 C.F.R. \u00a7 64.1604", "California Penal Code \u00a7 632", "California Business & Professions Code \u00a7 17200", "California Penal Code \u00a7 502", "New York Penal Law \u00a7 156.05", "Texas Penal Code \u00a7 33.02", "Florida Statutes \u00a7 815.06" ], "title": "United States v. Fahd (C.D. Cal. 2019) \u2014 AT&T insider bribery", "topics": [ "social engineering", "wire fraud", "scheme to defraud", "18 U.S.C. \u00a7 1343", "United States v. Czubinski", "scheme to defraud element", "phishing authorization gap", "federal impersonation", "18 U.S.C. \u00a7 912", "false personation federal officer", "identity document fraud", "18 U.S.C. \u00a7 1028", "ECPA", "wiretapping", "18 U.S.C. \u00a7 2511", "one-party consent", "all-party consent", "California Penal Code \u00a7 632", "vishing recording", "GLBA pretexting", "15 U.S.C. \u00a7 6821", "FTC pretexting enforcement", "financial institution social engineering", "CAN-SPAM Act", "CFAA phishing malware", "phishing damage", "TCPA bulk SMS", "SMiShing", "Truth in Caller ID Act", "47 U.S.C. \u00a7 227(e)", "caller ID spoofing", "caller ID spoofing legal vs illegal", "California Business and Professions Code \u00a7 17200", "UCL unfair business practices", "state deceptive practices", "human element authorization gap", "employee consent third party", "Van Buren authorization principle", "pen test scope letter limits", "company authorization employee rights", "safe grey red matrix social engineering", "AT&T insider bribery Fahd", "SIM swap prosecution", "Joseph O Connor PlugwalkJoe", "Graham Clark Twitter SIM swap", "BEC wire fraud", "business email compromise", "FDIC impersonation", "pretexting pre-engagement notice", "GLBA customer financial records", "TCPA ATDS Facebook v. Duguid", "red team impersonation IT helpdesk", "LinkedIn OSINT legal limits", "dumpster diving legal", "shoulder surfing" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; International (extradition/diplomacy)" ], "module_ids": [ "01o" ], "module_paths": [ "artifacts/modules/01o-nation-state-indictments.md" ], "module_titles": [ "Nation-State Indictments: Charging Foreign Hackers the U.S. Cannot Extradite" ], "slug": "united-states-v-farhad-abdolahi-et-al-mabna-institute-s-d-n-y-2018", "statutes": [ "18 U.S.C. \u00a7 1030", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 371", "18 U.S.C. \u00a7 951", "18 U.S.C. \u00a7\u00a7 1831-1832 (Economic Espionage Act)", "18 U.S.C. \u00a7 1956", "50 U.S.C. \u00a7 1705 (IEEPA sanctions)" ], "title": "United States v. Farhad Abdolahi et al. \u2014 Mabna Institute (S.D.N.Y. 2018)", "topics": [ "GRU", "APT28", "Fancy Bear", "Viktor Netyksho", "DNC hack", "X-Agent malware", "Guccifer 2.0", "DCLeaks", "Mueller indictment", "unregistered foreign agent", "APT10", "Cloud Hopper", "MSP compromise", "supply chain espionage", "Xu Yanjun", "MSS", "Jiangsu State Security Department", "Economic Espionage Act", "turbofan blade theft", "extradition from Belgium", "first Chinese intel officer convicted", "Mabna Institute", "Iranian IRGC hacking", "university data theft", "OFAC SDN designation", "indictment plus sanctions combo", "Park Jin Hyok", "Lazarus Group", "North Korea", "Sony Pictures hack", "Bangladesh Bank SWIFT heist", "WannaCry attribution", "DPRK cryptocurrency revenue", "in absentia indictment", "attribution standard", "foreign policy instrument", "extradition gap", "nation-state prosecution doctrine" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State" ], "module_ids": [ "01x" ], "module_paths": [ "artifacts/modules/01x-social-engineering-legal-limits.md" ], "module_titles": [ "Social Engineering Legal Limits: Wire Fraud, Impersonation, ECPA, and the Authorization Gap" ], "slug": "united-states-v-graham-clark-florida-state-court-2020", "statutes": [ "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 912", "18 U.S.C. \u00a7 1028", "18 U.S.C. \u00a7 2511", "15 U.S.C. \u00a7\u00a7 6821-6827 (GLBA)", "15 U.S.C. \u00a7 7701 (CAN-SPAM)", "18 U.S.C. \u00a7 1037", "18 U.S.C. \u00a7 1030(a)(5)", "47 U.S.C. \u00a7 227 (TCPA)", "47 U.S.C. \u00a7 227(e) (Truth in Caller ID Act)", "47 C.F.R. \u00a7 64.1604", "California Penal Code \u00a7 632", "California Business & Professions Code \u00a7 17200", "California Penal Code \u00a7 502", "New York Penal Law \u00a7 156.05", "Texas Penal Code \u00a7 33.02", "Florida Statutes \u00a7 815.06" ], "title": "United States v. Graham Clark (Florida state court 2020)", "topics": [ "social engineering", "wire fraud", "scheme to defraud", "18 U.S.C. \u00a7 1343", "United States v. Czubinski", "scheme to defraud element", "phishing authorization gap", "federal impersonation", "18 U.S.C. \u00a7 912", "false personation federal officer", "identity document fraud", "18 U.S.C. \u00a7 1028", "ECPA", "wiretapping", "18 U.S.C. \u00a7 2511", "one-party consent", "all-party consent", "California Penal Code \u00a7 632", "vishing recording", "GLBA pretexting", "15 U.S.C. \u00a7 6821", "FTC pretexting enforcement", "financial institution social engineering", "CAN-SPAM Act", "CFAA phishing malware", "phishing damage", "TCPA bulk SMS", "SMiShing", "Truth in Caller ID Act", "47 U.S.C. \u00a7 227(e)", "caller ID spoofing", "caller ID spoofing legal vs illegal", "California Business and Professions Code \u00a7 17200", "UCL unfair business practices", "state deceptive practices", "human element authorization gap", "employee consent third party", "Van Buren authorization principle", "pen test scope letter limits", "company authorization employee rights", "safe grey red matrix social engineering", "AT&T insider bribery Fahd", "SIM swap prosecution", "Joseph O Connor PlugwalkJoe", "Graham Clark Twitter SIM swap", "BEC wire fraud", "business email compromise", "FDIC impersonation", "pretexting pre-engagement notice", "GLBA customer financial records", "TCPA ATDS Facebook v. Duguid", "red team impersonation IT helpdesk", "LinkedIn OSINT legal limits", "dumpster diving legal", "shoulder surfing" ] }, { "difficulties": [ "intermediate", "advanced" ], "jurisdictions": [ "U.S. Federal + State + International (GDPR, BIPA)", "U.S. Federal; International (OFAC, FATF)" ], "module_ids": [ "02a", "02h" ], "module_paths": [ "artifacts/modules/02a-osint-legal-limits-dark-web.md", "artifacts/modules/02h-cryptocurrency-blockchain-legal-framework.md" ], "module_titles": [ "OSINT Legal Limits, Dark Web Operations, and Blockchain Intelligence", "Cryptocurrency and Blockchain Legal Frameworks for Security Researchers" ], "slug": "united-states-v-gratkowski-964-f-3d-307-5th-cir-2020", "statutes": [ "18 U.S.C. \u00a7 2701 (Stored Communications Act)", "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 2261A (federal cyberstalking)", "18 U.S.C. \u00a7 1029 (access device fraud)", "18 U.S.C. \u00a7 875 (interstate threats)", "18 U.S.C. \u00a7 1956 (money laundering)", "GDPR Article 5", "GDPR Article 9", "California Civil Code \u00a7 1798.100 (CCPA)", "California AB 1732 (2022)", "New York Exec. Law \u00a7 79-n", "740 ILCS 14 (Illinois BIPA)", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)", "31 U.S.C. \u00a7 5330", "31 U.S.C. \u00a7\u00a7 5311-5336 (Bank Secrecy Act)", "18 U.S.C. \u00a7 1960", "50 U.S.C. \u00a7 1705 (IEEPA)", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1957", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "21 U.S.C. \u00a7 853(p)", "15 U.S.C. \u00a7 78j (Securities Exchange Act \u00a7 10(b))", "15 U.S.C. \u00a7 77a et seq. (Securities Act of 1933)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1030(a)(4)", "26 U.S.C. \u00a7 7201" ], "title": "United States v. Gratkowski, 964 F.3d 307 (5th Cir. 2020)", "topics": [ "OSINT", "Stored Communications Act", "SCA 18 U.S.C. \u00a7 2701", "scraping public data", "hiQ v. LinkedIn", "Facebook v. Power Ventures", "Van Buren scraping", "CFAA \u00a7 1030(a)(2)", "GDPR Article 5 scraping", "CCPA scraping", "cyberstalking 18 U.S.C. \u00a7 2261A", "state stalking statutes", "aggregation problem", "doxxing", "no federal doxxing statute", "California AB 1732", "New York Exec. Law \u00a7 79-n", "intentional infliction of emotional distress", "Tor legal status", "Tor exit node liability", "dark web marketplace", "Silk Road", "Ulbricht", "buying on dark web", "access device fraud \u00a7 1029", "drug trafficking conspiracy", "continuing criminal enterprise", "Bitcoin evidence", "Gratkowski no 4th Amendment blockchain", "blockchain analytics admissibility", "Chainalysis", "Elliptic", "privacy coins", "Monero legal risk", "Tornado Cash OFAC sanctions", "cryptocurrency mixing", "Clearview AI", "BIPA 740 ILCS 14", "biometric data", "GDPR Article 9 special category", "facial recognition scraping", "threat intelligence forums", "criminal forum access", "ISAC antitrust", "AIS CISA", "safe grey red OSINT matrix", "Google dorking", "LinkedIn scraping", "Shodan", "HaveIBeenPwned", "Maltego", "reverse image search", "public records FOIA", "paste sites", "FinCEN MSB registration", "31 U.S.C. \u00a7 5330", "Bank Secrecy Act", "AML/KYC", "money transmitter", "FinCEN 2013 guidance", "FinCEN 2019 framework", "18 U.S.C. \u00a7 1960 unlicensed money transmitting", "OFAC sanctions", "SDN list", "Tornado Cash designation", "Van Loon v. Treasury 5th Circuit 2024", "immutable smart contracts", "Lazarus Group DPRK addresses", "OFAC strict liability", "blockchain analytics", "Chainalysis Reactor", "Howey test", "SEC v. Ripple programmatic sales", "SEC v. Coinbase", "SEC v. Binance", "staking as securities", "Liberty Reserve", "BTC-e Vinnik", "Tornado Cash founders prosecution", "Samourai Wallet CoinJoin", "crypto forfeiture", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "civil vs criminal forfeiture", "Silk Road Bitcoin seizure", "Bitfinex $3.6B seizure", "private key seizure", "ransomware payment OFAC liability", "Evil Corp alias evasion", "SAR filing", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Lloyd\u2019s Y5381 exclusion", "pseudonymity vs anonymity", "Daubert blockchain analytics", "Sterlingov Bitcoin Fog", "Monero regulatory pressure", "CoinJoin", "Wasabi Wallet", "smart contract auditing liability", "white-hat returns Poly Network Euler Finance", "bug bounty crypto payment", "DOJ Kleptocracy rewards", "substitute asset forfeiture", "Colonial Pipeline BTC recovery" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [], "module_ids": [ "02b" ], "module_paths": [ "artifacts/modules/02b-zero-day-market-commercial-spyware.md" ], "module_titles": [ "Zero-Day Market and Commercial Spyware Law" ], "slug": "united-states-v-harold-martin", "statutes": [ "18 U.S.C. \u00a7 1030", "18 U.S.C. \u00a7 2511", "17 U.S.C. \u00a7 1201", "15 C.F.R. Parts 730-774", "EAR ECCN 4E001" ], "title": "United States v. Harold Martin", "topics": [ "zero-day market", "export controls", "NSO Group", "Pegasus", "commercial spyware", "stalkerware", "VEP", "bug bounty vs broker", "government procurement", "DMCA Section 1201", "Wassenaar Arrangement", "UK CMA", "Germany StGB 202c" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal (3rd, 9th, and SCOTUS circuits); International (extradition cases)" ], "module_ids": [ "01d" ], "module_paths": [ "artifacts/modules/01d-landmark-cases.md" ], "module_titles": [ "Landmark Cases: Prosecutions and Civil Suits" ], "slug": "united-states-v-ilya-lichtenstein-and-heather-morgan-2022-arrests-2024-sentencing", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1956", "Foreign Sovereign Immunities Act (FSIA)" ], "title": "United States v. Ilya Lichtenstein and Heather Morgan (2022 arrests; 2024 sentencing)", "topics": [ "venue", "jurisdiction", "standing", "Spokeo", "TransUnion", "CFAA criminal prosecution", "CFAA civil action", "extradition", "nation-state hacking", "Lazarus Group", "North Korea", "Yahoo hack", "Russian FSB", "LinkedIn breach", "REvil ransomware", "Kaseya supply chain attack", "Bitfinex laundering", "cryptocurrency seizure", "blockchain forensics", "FSIA", "foreign sovereign immunity", "NSO Group", "Pegasus spyware", "web scraping", "public data access", "cease and desist plus technical blocks", "unauthorized access revocation", "ransomware prosecution", "restitution", "forfeiture", "indictment without custody", "SolarWinds", "SUNBURST", "SEC cyber disclosure enforcement", "internal accounting controls", "disclosure controls" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal" ], "module_ids": [ "01r" ], "module_paths": [ "artifacts/modules/01r-doctrinal-sentencing.md" ], "module_titles": [ "Doctrinal Gaps: Restitution, Parallel Proceedings, Crypto Forfeiture, OFAC Liability, and Critical Infrastructure Sentencing" ], "slug": "united-states-v-ilya-lichtenstein-and-heather-morgan-2024-sentencing", "statutes": [ "18 U.S.C. \u00a7 3663A (MVRA)", "18 U.S.C. \u00a7 1030(e)(11)", "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)", "USSG \u00a7 2B1.1" ], "title": "United States v. Ilya Lichtenstein and Heather Morgan (2024 sentencing)", "topics": [ "restitution calculation CFAA", "MVRA", "CFAA loss definition", "reasonable cost to respond", "breach notification as restitution", "credit monitoring restitution", "loss inflation defense", "USSG \u00a7 2B1.1", "loss table sentencing", "parallel civil criminal proceedings", "Fifth Amendment adverse inference", "Landis stay doctrine", "SolarWinds multi-forum pattern", "IR report privilege", "Garner doctrine shareholder access", "cryptocurrency forfeiture", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "Lichtenstein Bitfinex seizure", "Colonial Pipeline Bitcoin recovery", "Silk Road forfeiture", "Tornado Cash Roman Storm", "smart contract developer liability", "OFAC ransomware strict liability", "Evil Corp alias evasion", "CNA Financial OFAC", "OFAC safe harbor discretionary", "critical infrastructure enhanced sentencing", "18 U.S.C. \u00a7 1030(c)(4)(B)", "PPD-21 sectors", "hospital ransomware", "Change Healthcare", "UHS attack", "involuntary manslaughter ransomware theory", "USSG \u00a7 2B1.1(b)(18)" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal; International (OFAC, FATF)" ], "module_ids": [ "02h" ], "module_paths": [ "artifacts/modules/02h-cryptocurrency-blockchain-legal-framework.md" ], "module_titles": [ "Cryptocurrency and Blockchain Legal Frameworks for Security Researchers" ], "slug": "united-states-v-ilya-lichtenstein-and-heather-morgan-d-d-c-2022-2024", "statutes": [ "31 U.S.C. \u00a7 5330", "31 U.S.C. \u00a7\u00a7 5311-5336 (Bank Secrecy Act)", "18 U.S.C. \u00a7 1960", "50 U.S.C. \u00a7 1705 (IEEPA)", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1957", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "21 U.S.C. \u00a7 853(p)", "15 U.S.C. \u00a7 78j (Securities Exchange Act \u00a7 10(b))", "15 U.S.C. \u00a7 77a et seq. (Securities Act of 1933)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1030(a)(4)", "26 U.S.C. \u00a7 7201" ], "title": "United States v. Ilya Lichtenstein and Heather Morgan (D.D.C. 2022/2024)", "topics": [ "FinCEN MSB registration", "31 U.S.C. \u00a7 5330", "Bank Secrecy Act", "AML/KYC", "money transmitter", "FinCEN 2013 guidance", "FinCEN 2019 framework", "18 U.S.C. \u00a7 1960 unlicensed money transmitting", "OFAC sanctions", "SDN list", "Tornado Cash designation", "Van Loon v. Treasury 5th Circuit 2024", "immutable smart contracts", "Lazarus Group DPRK addresses", "OFAC strict liability", "blockchain analytics", "Chainalysis Reactor", "Howey test", "SEC v. Ripple programmatic sales", "SEC v. Coinbase", "SEC v. Binance", "staking as securities", "Liberty Reserve", "BTC-e Vinnik", "Tornado Cash founders prosecution", "Samourai Wallet CoinJoin", "crypto forfeiture", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "civil vs criminal forfeiture", "Silk Road Bitcoin seizure", "Bitfinex $3.6B seizure", "private key seizure", "ransomware payment OFAC liability", "Evil Corp alias evasion", "SAR filing", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Lloyd\u2019s Y5381 exclusion", "Gratkowski no 4th Amendment blockchain", "pseudonymity vs anonymity", "Daubert blockchain analytics", "Sterlingov Bitcoin Fog", "Monero regulatory pressure", "privacy coins", "CoinJoin", "Wasabi Wallet", "smart contract auditing liability", "white-hat returns Poly Network Euler Finance", "bug bounty crypto payment", "DOJ Kleptocracy rewards", "substitute asset forfeiture", "Colonial Pipeline BTC recovery" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, New York, Texas)" ], "module_ids": [ "01q" ], "module_paths": [ "artifacts/modules/01q-missing-statutes.md" ], "module_titles": [ "Beyond CFAA: Economic Espionage Act, Espionage Act, State Statutes, and Trespass to Chattels" ], "slug": "united-states-v-jack-teixeira-d-mass-2024", "statutes": [ "18 U.S.C. \u00a7\u00a7 1831-1839 (Economic Espionage Act)", "18 U.S.C. \u00a7 793 (Espionage Act)", "California Penal Code \u00a7 502 (CDAFA)", "New York Penal Law Article 156", "Texas Penal Code \u00a7 33.02", "18 U.S.C. \u00a7 1030 (CFAA)" ], "title": "United States v. Jack Teixeira (D. Mass. 2024)", "topics": [ "Economic Espionage Act", "18 U.S.C. \u00a7 1831", "18 U.S.C. \u00a7 1832", "trade secret theft via hacking", "foreign government nexus", "independent economic value", "reasonable measures to protect", "Xu Yanjun EEA conviction", "Zheng Xiaoqing steganography", "Apple AV engineer EEA", "Espionage Act", "18 U.S.C. \u00a7 793", "national defense information", "classified vs NDI distinction", "Chelsea Manning", "Edward Snowden", "Reality Winner", "Jack Teixeira Discord leaks", "printer steganography", "extraterritorial Espionage Act", "California Penal Code \u00a7 502", "CDAFA", "no damage floor California", "private right of action state", "New York Penal Law Article 156", "computer tampering", "Texas Penal Code \u00a7 33.02", "multi-state cybercrime exposure", "state AG enforcement", "trespass to chattels", "CompuServe v. Cyber Promotions", "Intel v. Hamidi", "eBay v. Bidder's Edge", "functional impairment requirement", "scraping civil liability", "pre-CFAA tort theory" ] }, { "difficulties": [ "beginner" ], "jurisdictions": [ "U.S. Federal (1st, 2nd, 7th circuits)" ], "module_ids": [ "01n" ], "module_paths": [ "artifacts/modules/01n-criminal-prosecution-history.md" ], "module_titles": [ "Foundational Criminal Prosecutions: Morris Worm to Marcus Hutchins" ], "slug": "united-states-v-jeremy-hammond-s-d-n-y-2013", "statutes": [ "18 U.S.C. \u00a7 1030(a)(5)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1029", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7\u00a7 1961-1964 (RICO)", "18 U.S.C. \u00a7 1956", "21 U.S.C. \u00a7 841" ], "title": "United States v. Jeremy Hammond (S.D.N.Y. 2013)", "topics": [ "Morris Worm", "Robert T. Morris", "CFAA first conviction", "Kevin Mitnick", "social engineering", "supervised release internet ban", "Albert Gonzalez", "TJ Maxx breach", "Heartland Payment Systems", "SQL injection prosecution", "concurrent sentencing", "section 1029 access device fraud", "Ross Ulbricht", "Silk Road", "dark web marketplace", "operator liability", "RICO cybercrime", "life sentence hacking", "Bitcoin seizure", "Jeremy Hammond", "LulzSec", "Anonymous", "STRATFOR hack", "FBI informant entrapment", "AntiSec", "Marcus Hutchins", "WannaCry killswitch", "Kronos banking malware", "DEF CON arrest", "researcher sentencing mitigation", "time served cybercrime", "malware authorship liability" ] }, { "difficulties": [ "beginner" ], "jurisdictions": [ "U.S. Federal; UK; International" ], "module_ids": [ "01v" ], "module_paths": [ "artifacts/modules/01v-hackers-hall-of-fame.md" ], "module_titles": [ "Hackers Who Got Caught: 50 Years of Prosecutions, Verdicts, and Doctrine" ], "slug": "united-states-v-joseph-sullivan-n-d-cal-2022", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1029", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 2339B", "18 U.S.C. \u00a7 1030(c)(4)(B)" ], "title": "United States v. Joseph Sullivan (N.D. Cal. 2022)", "topics": [ "Kevin Mitnick", "Albert Gonzalez", "Gary McKinnon", "Lauri Love", "Marcus Hutchins", "Hector Monsegur Sabu", "Jeremy Hammond", "Andrew Auernheimer weev", "Jonathan James c0mrade", "Adrian Lamo", "Paige Thompson Capital One", "Joseph James O'Connor PlugwalkJoe", "Graham Clark Twitter hack", "Lapsus$ Arion Kurtaj", "LockBit Dmitry Khoroshev", "REvil Yaroslav Vasinskyi", "Evgeniy Bogachev GameOver Zeus", "Vladislav Klyushin", "Joseph Sullivan Uber CISO", "Ardit Ferizi ISIS hacker", "Aleksei Burkov", "Mikhail Matveev Wazawaka", "Conti Trickbot", "Andrei Tyurin JPMorgan", "cooperation sentencing", "extradition fight mental health", "Russia no extradition", "infrastructure seizure without arrest", "juvenile hacking prosecution", "ransomware sentencing", "CISO liability", "hacker hall of fame" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal (3rd, 9th, and SCOTUS circuits); International (extradition cases)" ], "module_ids": [ "01d" ], "module_paths": [ "artifacts/modules/01d-landmark-cases.md" ], "module_titles": [ "Landmark Cases: Prosecutions and Civil Suits" ], "slug": "united-states-v-karim-baratov-2017-charges-2019-sentencing", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1956", "Foreign Sovereign Immunities Act (FSIA)" ], "title": "United States v. Karim Baratov (2017 charges; 2019 sentencing)", "topics": [ "venue", "jurisdiction", "standing", "Spokeo", "TransUnion", "CFAA criminal prosecution", "CFAA civil action", "extradition", "nation-state hacking", "Lazarus Group", "North Korea", "Yahoo hack", "Russian FSB", "LinkedIn breach", "REvil ransomware", "Kaseya supply chain attack", "Bitfinex laundering", "cryptocurrency seizure", "blockchain forensics", "FSIA", "foreign sovereign immunity", "NSO Group", "Pegasus spyware", "web scraping", "public data access", "cease and desist plus technical blocks", "unauthorized access revocation", "ransomware prosecution", "restitution", "forfeiture", "indictment without custody", "SolarWinds", "SUNBURST", "SEC cyber disclosure enforcement", "internal accounting controls", "disclosure controls" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal; International (OFAC, FATF)" ], "module_ids": [ "02h" ], "module_paths": [ "artifacts/modules/02h-cryptocurrency-blockchain-legal-framework.md" ], "module_titles": [ "Cryptocurrency and Blockchain Legal Frameworks for Security Researchers" ], "slug": "united-states-v-keonne-rodriguez-and-william-hill-s-d-n-y-2024", "statutes": [ "31 U.S.C. \u00a7 5330", "31 U.S.C. \u00a7\u00a7 5311-5336 (Bank Secrecy Act)", "18 U.S.C. \u00a7 1960", "50 U.S.C. \u00a7 1705 (IEEPA)", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1957", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "21 U.S.C. \u00a7 853(p)", "15 U.S.C. \u00a7 78j (Securities Exchange Act \u00a7 10(b))", "15 U.S.C. \u00a7 77a et seq. (Securities Act of 1933)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1030(a)(4)", "26 U.S.C. \u00a7 7201" ], "title": "United States v. Keonne Rodriguez and William Hill (S.D.N.Y. 2024)", "topics": [ "FinCEN MSB registration", "31 U.S.C. \u00a7 5330", "Bank Secrecy Act", "AML/KYC", "money transmitter", "FinCEN 2013 guidance", "FinCEN 2019 framework", "18 U.S.C. \u00a7 1960 unlicensed money transmitting", "OFAC sanctions", "SDN list", "Tornado Cash designation", "Van Loon v. Treasury 5th Circuit 2024", "immutable smart contracts", "Lazarus Group DPRK addresses", "OFAC strict liability", "blockchain analytics", "Chainalysis Reactor", "Howey test", "SEC v. Ripple programmatic sales", "SEC v. Coinbase", "SEC v. Binance", "staking as securities", "Liberty Reserve", "BTC-e Vinnik", "Tornado Cash founders prosecution", "Samourai Wallet CoinJoin", "crypto forfeiture", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "civil vs criminal forfeiture", "Silk Road Bitcoin seizure", "Bitfinex $3.6B seizure", "private key seizure", "ransomware payment OFAC liability", "Evil Corp alias evasion", "SAR filing", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Lloyd\u2019s Y5381 exclusion", "Gratkowski no 4th Amendment blockchain", "pseudonymity vs anonymity", "Daubert blockchain analytics", "Sterlingov Bitcoin Fog", "Monero regulatory pressure", "privacy coins", "CoinJoin", "Wasabi Wallet", "smart contract auditing liability", "white-hat returns Poly Network Euler Finance", "bug bounty crypto payment", "DOJ Kleptocracy rewards", "substitute asset forfeiture", "Colonial Pipeline BTC recovery" ] }, { "difficulties": [ "beginner" ], "jurisdictions": [ "U.S. Federal (1st, 2nd, 7th circuits)" ], "module_ids": [ "01n" ], "module_paths": [ "artifacts/modules/01n-criminal-prosecution-history.md" ], "module_titles": [ "Foundational Criminal Prosecutions: Morris Worm to Marcus Hutchins" ], "slug": "united-states-v-kevin-mitnick-c-d-cal-1999", "statutes": [ "18 U.S.C. \u00a7 1030(a)(5)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1029", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7\u00a7 1961-1964 (RICO)", "18 U.S.C. \u00a7 1956", "21 U.S.C. \u00a7 841" ], "title": "United States v. Kevin Mitnick (C.D. Cal. 1999)", "topics": [ "Morris Worm", "Robert T. Morris", "CFAA first conviction", "Kevin Mitnick", "social engineering", "supervised release internet ban", "Albert Gonzalez", "TJ Maxx breach", "Heartland Payment Systems", "SQL injection prosecution", "concurrent sentencing", "section 1029 access device fraud", "Ross Ulbricht", "Silk Road", "dark web marketplace", "operator liability", "RICO cybercrime", "life sentence hacking", "Bitcoin seizure", "Jeremy Hammond", "LulzSec", "Anonymous", "STRATFOR hack", "FBI informant entrapment", "AntiSec", "Marcus Hutchins", "WannaCry killswitch", "Kronos banking malware", "DEF CON arrest", "researcher sentencing mitigation", "time served cybercrime", "malware authorship liability" ] }, { "difficulties": [ "beginner", "intermediate" ], "jurisdictions": [ "U.S. Federal (1st, 2nd, 7th circuits)", "U.S. Federal + State", "U.S. Federal; U.S. State; EU (GDPR); International" ], "module_ids": [ "01n", "01t", "01u" ], "module_paths": [ "artifacts/modules/01n-criminal-prosecution-history.md", "artifacts/modules/01t-flipper-zero-legal-liability.md", "artifacts/modules/01u-safe-harbor-vdp-bug-bounty.md" ], "module_titles": [ "Foundational Criminal Prosecutions: Morris Worm to Marcus Hutchins", "Flipper Zero Legal Liability: Exact Statute + Case Analysis for Security Researchers", "Safe Harbor, VDPs, and Bug Bounty Legal Limits" ], "slug": "united-states-v-marcus-hutchins-e-d-wis-2019", "statutes": [ "18 U.S.C. \u00a7 1030(a)(5)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1029", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7\u00a7 1961-1964 (RICO)", "18 U.S.C. \u00a7 1956", "21 U.S.C. \u00a7 841", "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1030(a)(5)(A)", "18 U.S.C. \u00a7 1030(a)(5)(C)", "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 1029(a)(2)", "18 U.S.C. \u00a7 1029(a)(3)", "18 U.S.C. \u00a7 1029(a)(4)", "47 U.S.C. \u00a7 333 (FCC jamming prohibition)", "47 U.S.C. \u00a7 501 (FCC criminal penalties)", "California Penal Code \u00a7 502", "New York Penal Law \u00a7 165.15", "Texas Penal Code \u00a7 33.02", "Washington RCW 9A.90.040", "17 U.S.C. \u00a7 1201 (DMCA)", "New York Penal Law Article 156", "GDPR Article 33" ], "title": "United States v. Marcus Hutchins (E.D. Wis. 2019)", "topics": [ "Morris Worm", "Robert T. Morris", "CFAA first conviction", "Kevin Mitnick", "social engineering", "supervised release internet ban", "Albert Gonzalez", "TJ Maxx breach", "Heartland Payment Systems", "SQL injection prosecution", "concurrent sentencing", "section 1029 access device fraud", "Ross Ulbricht", "Silk Road", "dark web marketplace", "operator liability", "RICO cybercrime", "life sentence hacking", "Bitcoin seizure", "Jeremy Hammond", "LulzSec", "Anonymous", "STRATFOR hack", "FBI informant entrapment", "AntiSec", "Marcus Hutchins", "WannaCry killswitch", "Kronos banking malware", "DEF CON arrest", "researcher sentencing mitigation", "time served cybercrime", "malware authorship liability", "Flipper Zero", "Sub-GHz replay attack", "KeeLoq rolling code", "RollJam attack", "CC1101 transceiver", "NFC cloning", "RFID skimming", "Mifare Classic attack", "ST25R3916", "EMV contactless skimming", "BadUSB", "HID injection", "Ducky Script", "USB HID keyboard emulation", "IR blaster", "TV-B-Gone", "ATM IR manipulation", "BLE spam", "BlueSnarfing", "BlueBorne", "GATT enumeration", "CFAA unauthorized access", "exceeds authorized access", "Van Buren analysis", "DOJ 2022 CFAA charging policy", "good-faith security research", "FCC jamming prohibition", "47 U.S.C. \u00a7 333", "strict liability jamming", "ISM band", "Part 15 intentional radiator", "authorized pen-test context", "access device fraud", "device-making equipment", "counterfeit access device", "hotel keycard cloning", "payment card skimming", "wire fraud data exfiltration", "aggravated identity theft mandatory consecutive", "critical infrastructure sentencing enhancement", "hospital equipment IR", "safe grey red matrix", "firmware selection legal implications", "Unleashed firmware", "RogueMaster firmware", "Faraday cage testing", "California Penal Code \u00a7 502", "Texas Penal Code \u00a7 33.02", "RF shielded bag rule", "scope letter HID injection", "get-out-of-jail letter", "authorized access", "Van Buren good faith", "bug bounty safe harbor", "vulnerability disclosure policy", "coordinated disclosure", "Auernheimer problem", "DMCA 1201 security research exemption", "HackerOne legal protection", "Bugcrowd scope", "CVD timeline", "90-day disclosure", "state computer fraud law", "California PC 502", "New York Penal Law 156", "Texas PC 33.02", "GDPR during testing", "international extradition", "pen test authorization", "scope letter legal effect", "good faith research defense" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal" ], "module_ids": [ "01r" ], "module_paths": [ "artifacts/modules/01r-doctrinal-sentencing.md" ], "module_titles": [ "Doctrinal Gaps: Restitution, Parallel Proceedings, Crypto Forfeiture, OFAC Liability, and Critical Infrastructure Sentencing" ], "slug": "united-states-v-middleton-231-f-3d-1207-9th-cir-2000", "statutes": [ "18 U.S.C. \u00a7 3663A (MVRA)", "18 U.S.C. \u00a7 1030(e)(11)", "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)", "USSG \u00a7 2B1.1" ], "title": "United States v. Middleton, 231 F.3d 1207 (9th Cir. 2000)", "topics": [ "restitution calculation CFAA", "MVRA", "CFAA loss definition", "reasonable cost to respond", "breach notification as restitution", "credit monitoring restitution", "loss inflation defense", "USSG \u00a7 2B1.1", "loss table sentencing", "parallel civil criminal proceedings", "Fifth Amendment adverse inference", "Landis stay doctrine", "SolarWinds multi-forum pattern", "IR report privilege", "Garner doctrine shareholder access", "cryptocurrency forfeiture", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "Lichtenstein Bitfinex seizure", "Colonial Pipeline Bitcoin recovery", "Silk Road forfeiture", "Tornado Cash Roman Storm", "smart contract developer liability", "OFAC ransomware strict liability", "Evil Corp alias evasion", "CNA Financial OFAC", "OFAC safe harbor discretionary", "critical infrastructure enhanced sentencing", "18 U.S.C. \u00a7 1030(c)(4)(B)", "PPD-21 sectors", "hospital ransomware", "Change Healthcare", "UHS attack", "involuntary manslaughter ransomware theory", "USSG \u00a7 2B1.1(b)(18)" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; International (NCA, Europol coordination)" ], "module_ids": [ "01p" ], "module_paths": [ "artifacts/modules/01p-ransomware-prosecutions.md" ], "module_titles": [ "Ransomware Group Prosecutions: DOJ Disruption Operations and Criminal Charges" ], "slug": "united-states-v-mikhail-matveev-d-n-j-e-d-mich-2023-indictment", "statutes": [ "18 U.S.C. \u00a7 1030", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1349", "21 U.S.C. \u00a7 853", "18 U.S.C. \u00a7 981", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)" ], "title": "United States v. Mikhail Matveev (D.N.J. / E.D. Mich. 2023 indictment)", "topics": [ "ransomware prosecution", "DOJ disruption operations", "REvil", "Sodinokibi", "Yaroslav Vasinskyi", "affiliate liability", "Kaseya attack", "JBS attack", "DarkSide", "Colonial Pipeline", "ransom recovery", "cryptocurrency seizure", "FBI private key access", "Conti group", "Mikhail Matveev", "Wazawaka", "Alla Witte", "Trickbot developer", "OFAC Conti designation", "ALPHV", "BlackCat", "FBI decryption keys", "Change Healthcare", "LockBit", "Operation Cronos", "Dmitry Khoroshev", "LockBitSupp unmasking", "NCA operation", "credential stuffing prosecution", "OFAC ransomware payment liability", "Evil Corp alias rotation", "ransom payment sanctions violation", "ransomware-as-a-service", "RaaS affiliate model", "money mule liability", "infrastructure seizure", "forfeiture cryptocurrency" ] }, { "difficulties": [ "beginner" ], "jurisdictions": [ "U.S. Federal; UK; International" ], "module_ids": [ "01v" ], "module_paths": [ "artifacts/modules/01v-hackers-hall-of-fame.md" ], "module_titles": [ "Hackers Who Got Caught: 50 Years of Prosecutions, Verdicts, and Doctrine" ], "slug": "united-states-v-morris-928-f-2d-504-2d-cir-1991", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1029", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 2339B", "18 U.S.C. \u00a7 1030(c)(4)(B)" ], "title": "United States v. Morris, 928 F.2d 504 (2d Cir. 1991)", "topics": [ "Kevin Mitnick", "Albert Gonzalez", "Gary McKinnon", "Lauri Love", "Marcus Hutchins", "Hector Monsegur Sabu", "Jeremy Hammond", "Andrew Auernheimer weev", "Jonathan James c0mrade", "Adrian Lamo", "Paige Thompson Capital One", "Joseph James O'Connor PlugwalkJoe", "Graham Clark Twitter hack", "Lapsus$ Arion Kurtaj", "LockBit Dmitry Khoroshev", "REvil Yaroslav Vasinskyi", "Evgeniy Bogachev GameOver Zeus", "Vladislav Klyushin", "Joseph Sullivan Uber CISO", "Ardit Ferizi ISIS hacker", "Aleksei Burkov", "Mikhail Matveev Wazawaka", "Conti Trickbot", "Andrei Tyurin JPMorgan", "cooperation sentencing", "extradition fight mental health", "Russia no extradition", "infrastructure seizure without arrest", "juvenile hacking prosecution", "ransomware sentencing", "CISO liability", "hacker hall of fame" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, New York, Colorado)" ], "module_ids": [ "02g" ], "module_paths": [ "artifacts/modules/02g-coppa-ferpa-student-data-privacy.md" ], "module_titles": [ "COPPA, FERPA, and Student Data Privacy Law for Security Researchers" ], "slug": "united-states-v-musical-ly-2019-5-7m-coppa", "statutes": [ "15 U.S.C. \u00a7\u00a7 6501\u20136506 (COPPA)", "16 C.F.R. Part 312 (FTC COPPA Rule)", "20 U.S.C. \u00a7 1232g (FERPA)", "34 C.F.R. Part 99 (FERPA Regulations)", "15 U.S.C. \u00a7 45 (FTC Act Section 5)", "Cal. Ed. Code \u00a7\u00a7 22584\u201322585 (SOPIPA)", "N.Y. Ed. Law \u00a7 2-d", "8 NYCRR Part 121", "Colo. Rev. Stat. \u00a7\u00a7 22-16-101\u2013115" ], "title": "United States v. Musical.ly (2019) \u2014 $5.7M COPPA", "topics": [ "COPPA", "FERPA", "children's online privacy", "child under 13", "operator definition", "verifiable parental consent", "VPC methods", "actual knowledge standard", "mixed-audience sites", "school official exception", "data minimization", "retention limits", "FTC COPPA enforcement", "COPPA 2.0", "age-16 expansion", "design prohibition", "KOSA Kids Online Safety Act", "education records", "directory information", "legitimate educational interest", "FERPA enforcement", "no private right of action FERPA", "Gonzaga v. Doe", "funding withdrawal never used", "PowerSchool 2025 breach", "Los Angeles USD ransomware", "Illuminate Education breach", "K-12 ed-tech security", "student information system", "SIS vendor authorization", "SOPIPA California", "New York Ed Law 2-d", "Colorado SB 21-231", "CARU safe harbor", "kidSAFE seal", "persistent identifier COPPA", "behavioral advertising prohibition", "student PII during pentest", "responsible disclosure school districts", "FERPA redisclosure restrictions", "safe grey red matrix education" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State" ], "module_ids": [ "01x" ], "module_paths": [ "artifacts/modules/01x-social-engineering-legal-limits.md" ], "module_titles": [ "Social Engineering Legal Limits: Wire Fraud, Impersonation, ECPA, and the Authorization Gap" ], "slug": "united-states-v-o-connor-s-d-n-y-2023-sim-swap-twitter-hack", "statutes": [ "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 912", "18 U.S.C. \u00a7 1028", "18 U.S.C. \u00a7 2511", "15 U.S.C. \u00a7\u00a7 6821-6827 (GLBA)", "15 U.S.C. \u00a7 7701 (CAN-SPAM)", "18 U.S.C. \u00a7 1037", "18 U.S.C. \u00a7 1030(a)(5)", "47 U.S.C. \u00a7 227 (TCPA)", "47 U.S.C. \u00a7 227(e) (Truth in Caller ID Act)", "47 C.F.R. \u00a7 64.1604", "California Penal Code \u00a7 632", "California Business & Professions Code \u00a7 17200", "California Penal Code \u00a7 502", "New York Penal Law \u00a7 156.05", "Texas Penal Code \u00a7 33.02", "Florida Statutes \u00a7 815.06" ], "title": "United States v. O Connor (S.D.N.Y. 2023) \u2014 SIM swap Twitter hack", "topics": [ "social engineering", "wire fraud", "scheme to defraud", "18 U.S.C. \u00a7 1343", "United States v. Czubinski", "scheme to defraud element", "phishing authorization gap", "federal impersonation", "18 U.S.C. \u00a7 912", "false personation federal officer", "identity document fraud", "18 U.S.C. \u00a7 1028", "ECPA", "wiretapping", "18 U.S.C. \u00a7 2511", "one-party consent", "all-party consent", "California Penal Code \u00a7 632", "vishing recording", "GLBA pretexting", "15 U.S.C. \u00a7 6821", "FTC pretexting enforcement", "financial institution social engineering", "CAN-SPAM Act", "CFAA phishing malware", "phishing damage", "TCPA bulk SMS", "SMiShing", "Truth in Caller ID Act", "47 U.S.C. \u00a7 227(e)", "caller ID spoofing", "caller ID spoofing legal vs illegal", "California Business and Professions Code \u00a7 17200", "UCL unfair business practices", "state deceptive practices", "human element authorization gap", "employee consent third party", "Van Buren authorization principle", "pen test scope letter limits", "company authorization employee rights", "safe grey red matrix social engineering", "AT&T insider bribery Fahd", "SIM swap prosecution", "Joseph O Connor PlugwalkJoe", "Graham Clark Twitter SIM swap", "BEC wire fraud", "business email compromise", "FDIC impersonation", "pretexting pre-engagement notice", "GLBA customer financial records", "TCPA ATDS Facebook v. Duguid", "red team impersonation IT helpdesk", "LinkedIn OSINT legal limits", "dumpster diving legal", "shoulder surfing" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "International (UK, EU, Germany, Canada, Australia) + U.S." ], "module_ids": [ "01y" ], "module_paths": [ "artifacts/modules/01y-international-pentest-uk-cma-sim-swap.md" ], "module_titles": [ "International Penetration Testing Law: UK CMA, Germany \u00a7 202c, EU NIS2, Canada, Australia, SIM Swap, and Extradition Exposure" ], "slug": "united-states-v-o-connor-e-d-n-y", "statutes": [ "Computer Misuse Act 1990 (UK) \u00a7\u00a7 1, 2, 3, 3A", "Strafgesetzbuch \u00a7\u00a7 202a, 202b, 202c (Germany)", "EU NIS2 Directive 2022/2555 Art. 21, 25", "GDPR Regulation 2016/679 Art. 3, 5, 28, 32, 33", "Canada Criminal Code \u00a7\u00a7 342.1, 430(1.1)", "Australia Criminal Code Act 1995 \u00a7\u00a7 477.1, 477.2, 477.3, 478.1", "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343 (Wire Fraud)", "18 U.S.C. \u00a7 1029 (Access Device Fraud)", "FCC Report and Order FCC-23-111 (2023)" ], "title": "United States v. O'Connor (E.D.N.Y.)", "topics": [ "UK Computer Misuse Act 1990", "CMA section 1 unauthorized access", "CMA section 2 intent further offence", "CMA section 3 impairing operation", "CMA section 3A hacking tools", "R v Gold Schifreen 1988", "Metasploit UK law", "Kali Linux UK law", "Flipper Zero UK law", "Germany 202a unauthorized data access", "Germany 202b phishing", "Germany 202c preparation hacking tools", "StGB dual-use tools", "BSI Act Germany", "EU NIS2 Directive 2022", "GDPR Article 5 data minimization", "GDPR Article 3 extraterritorial", "GDPR penetration testing", "Canada Criminal Code 342.1", "Canada 430(1.1) mischief computer data", "colour of right Canada", "Australia Criminal Code 477", "Australia 477.1 unauthorized access", "Australian Signals Directorate ASD", "SIM swap CFAA", "SIM swap wire fraud 1343", "SIM swap access device fraud 1029", "FCC SIM swap order 2023", "carrier employee bribery", "extradition cybercrime", "double criminality", "US-UK extradition treaty", "Gary McKinnon extradition", "multi-jurisdiction pen test checklist", "international engagement contract", "GDPR data processing agreement", "international security testing risk matrix" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State" ], "module_ids": [ "01x" ], "module_paths": [ "artifacts/modules/01x-social-engineering-legal-limits.md" ], "module_titles": [ "Social Engineering Legal Limits: Wire Fraud, Impersonation, ECPA, and the Authorization Gap" ], "slug": "united-states-v-ogoshi-d-nev-2023-bec-wire-fraud", "statutes": [ "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 912", "18 U.S.C. \u00a7 1028", "18 U.S.C. \u00a7 2511", "15 U.S.C. \u00a7\u00a7 6821-6827 (GLBA)", "15 U.S.C. \u00a7 7701 (CAN-SPAM)", "18 U.S.C. \u00a7 1037", "18 U.S.C. \u00a7 1030(a)(5)", "47 U.S.C. \u00a7 227 (TCPA)", "47 U.S.C. \u00a7 227(e) (Truth in Caller ID Act)", "47 C.F.R. \u00a7 64.1604", "California Penal Code \u00a7 632", "California Business & Professions Code \u00a7 17200", "California Penal Code \u00a7 502", "New York Penal Law \u00a7 156.05", "Texas Penal Code \u00a7 33.02", "Florida Statutes \u00a7 815.06" ], "title": "United States v. Ogoshi (D. Nev. 2023) \u2014 BEC wire fraud", "topics": [ "social engineering", "wire fraud", "scheme to defraud", "18 U.S.C. \u00a7 1343", "United States v. Czubinski", "scheme to defraud element", "phishing authorization gap", "federal impersonation", "18 U.S.C. \u00a7 912", "false personation federal officer", "identity document fraud", "18 U.S.C. \u00a7 1028", "ECPA", "wiretapping", "18 U.S.C. \u00a7 2511", "one-party consent", "all-party consent", "California Penal Code \u00a7 632", "vishing recording", "GLBA pretexting", "15 U.S.C. \u00a7 6821", "FTC pretexting enforcement", "financial institution social engineering", "CAN-SPAM Act", "CFAA phishing malware", "phishing damage", "TCPA bulk SMS", "SMiShing", "Truth in Caller ID Act", "47 U.S.C. \u00a7 227(e)", "caller ID spoofing", "caller ID spoofing legal vs illegal", "California Business and Professions Code \u00a7 17200", "UCL unfair business practices", "state deceptive practices", "human element authorization gap", "employee consent third party", "Van Buren authorization principle", "pen test scope letter limits", "company authorization employee rights", "safe grey red matrix social engineering", "AT&T insider bribery Fahd", "SIM swap prosecution", "Joseph O Connor PlugwalkJoe", "Graham Clark Twitter SIM swap", "BEC wire fraud", "business email compromise", "FDIC impersonation", "pretexting pre-engagement notice", "GLBA customer financial records", "TCPA ATDS Facebook v. Duguid", "red team impersonation IT helpdesk", "LinkedIn OSINT legal limits", "dumpster diving legal", "shoulder surfing" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal + State + International" ], "module_ids": [ "01z" ], "module_paths": [ "artifacts/modules/01z-scada-iot-automotive-hacking-law.md" ], "module_titles": [ "SCADA, IoT, Automotive, and Drone Hacking: Critical Infrastructure Law for Security Researchers" ], "slug": "united-states-v-paras-jha-d-alaska-2018-mirai-botnet", "statutes": [ "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 1030(a)(5)(A)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 32 (aircraft sabotage)", "47 U.S.C. \u00a7 333 (RF interference)", "18 U.S.C. \u00a7 1365 (consumer product tampering)", "18 U.S.C. \u00a7 1362 (government communication interference)", "49 U.S.C. \u00a7 30170", "42 U.S.C. \u00a7 7522 (EPA emission controls)", "16 U.S.C. \u00a7 824o (Federal Power Act / NERC CIP)", "California Civil Code \u00a7 1798.91.04", "15 U.S.C. \u00a7 45 (FTC Act \u00a7 5)", "21 U.S.C. \u00a7 301 et seq. (FD&C Act \u00a7 524B)" ], "title": "United States v. Paras Jha (D. Alaska 2018) \u2014 Mirai botnet", "topics": [ "SCADA hacking law", "ICS security law", "OT cybersecurity legal framework", "PPD-21 critical infrastructure", "CFAA \u00a7 1030(c)(4)(B) enhancement", "critical infrastructure sentencing 20 years", "substantial disruption standard", "Colonial Pipeline legal aftermath", "DarkSide ransomware OFAC", "Oldsmar water treatment plant 2021", "ICS-CERT coordinated disclosure", "CISA vulnerability disclosure ICS", "hospital ransomware Change Healthcare", "UHS ransomware", "involuntary manslaughter ransomware theory", "IoT hacking CFAA", "Mirai botnet Jha 2018", "botnet recruitment \u00a7 1030(a)(5)", "FTC Act \u00a7 5 insecure IoT", "NISTIR 8259 IoT security", "California IoT security law \u00a7 1798.91.04", "Oregon SB 90 IoT", "vehicle ECU CFAA", "automotive hacking law", "Miller Valasek Jeep hack 2015", "Tesla bug bounty scope", "49 U.S.C. \u00a7 30170 vehicle safety", "SPY Car Act", "OBD-II port testing legal", "EPA emissions ECU modification", "drone hacking law", "FAA Part 107", "counter-UAS authority", "FAA Reauthorization Act 2018", "18 U.S.C. \u00a7 32 aircraft sabotage", "GPS spoofing legal risk", "RF jamming 47 U.S.C. \u00a7 333", "drone jamming federal crime", "NERC CIP mandatory standards", "FERC enforcement authority", "critical electric infrastructure information CEII", "smart grid security law", "FDA cybersecurity final rule 2023", "medical device hacking CFAA", "HIPAA medical device PHI", "\u00a7 524B FD&C Act SBOM", "Vitek Boden Maroochy Water 2001", "Stuxnet legal implications", "Ukraine power grid GRU indictment Sandworm", "TRITON TRISIS SIS attack", "Evgeny Gladkikh indictment", "lab vs production ICS testing", "Shodan ICS reconnaissance legal", "safe grey red ICS matrix", "NERC CIP CEII data handling" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal (3rd, 9th, and SCOTUS circuits); International (extradition cases)" ], "module_ids": [ "01d" ], "module_paths": [ "artifacts/modules/01d-landmark-cases.md" ], "module_titles": [ "Landmark Cases: Prosecutions and Civil Suits" ], "slug": "united-states-v-park-jin-hyok-2018-doj-indictment", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1956", "Foreign Sovereign Immunities Act (FSIA)" ], "title": "United States v. Park Jin Hyok (2018 DOJ indictment)", "topics": [ "venue", "jurisdiction", "standing", "Spokeo", "TransUnion", "CFAA criminal prosecution", "CFAA civil action", "extradition", "nation-state hacking", "Lazarus Group", "North Korea", "Yahoo hack", "Russian FSB", "LinkedIn breach", "REvil ransomware", "Kaseya supply chain attack", "Bitfinex laundering", "cryptocurrency seizure", "blockchain forensics", "FSIA", "foreign sovereign immunity", "NSO Group", "Pegasus spyware", "web scraping", "public data access", "cease and desist plus technical blocks", "unauthorized access revocation", "ransomware prosecution", "restitution", "forfeiture", "indictment without custody", "SolarWinds", "SUNBURST", "SEC cyber disclosure enforcement", "internal accounting controls", "disclosure controls" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; International (extradition/diplomacy)" ], "module_ids": [ "01o" ], "module_paths": [ "artifacts/modules/01o-nation-state-indictments.md" ], "module_titles": [ "Nation-State Indictments: Charging Foreign Hackers the U.S. Cannot Extradite" ], "slug": "united-states-v-park-jin-hyok-et-al-c-d-cal-2018-expanded-2021", "statutes": [ "18 U.S.C. \u00a7 1030", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 371", "18 U.S.C. \u00a7 951", "18 U.S.C. \u00a7\u00a7 1831-1832 (Economic Espionage Act)", "18 U.S.C. \u00a7 1956", "50 U.S.C. \u00a7 1705 (IEEPA sanctions)" ], "title": "United States v. Park Jin Hyok et al. (C.D. Cal. 2018, expanded 2021)", "topics": [ "GRU", "APT28", "Fancy Bear", "Viktor Netyksho", "DNC hack", "X-Agent malware", "Guccifer 2.0", "DCLeaks", "Mueller indictment", "unregistered foreign agent", "APT10", "Cloud Hopper", "MSP compromise", "supply chain espionage", "Xu Yanjun", "MSS", "Jiangsu State Security Department", "Economic Espionage Act", "turbofan blade theft", "extradition from Belgium", "first Chinese intel officer convicted", "Mabna Institute", "Iranian IRGC hacking", "university data theft", "OFAC SDN designation", "indictment plus sanctions combo", "Park Jin Hyok", "Lazarus Group", "North Korea", "Sony Pictures hack", "Bangladesh Bank SWIFT heist", "WannaCry attribution", "DPRK cryptocurrency revenue", "in absentia indictment", "attribution standard", "foreign policy instrument", "extradition gap", "nation-state prosecution doctrine" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, New York, Texas)" ], "module_ids": [ "01q" ], "module_paths": [ "artifacts/modules/01q-missing-statutes.md" ], "module_titles": [ "Beyond CFAA: Economic Espionage Act, Espionage Act, State Statutes, and Trespass to Chattels" ], "slug": "united-states-v-reality-winner-s-d-ga-2018", "statutes": [ "18 U.S.C. \u00a7\u00a7 1831-1839 (Economic Espionage Act)", "18 U.S.C. \u00a7 793 (Espionage Act)", "California Penal Code \u00a7 502 (CDAFA)", "New York Penal Law Article 156", "Texas Penal Code \u00a7 33.02", "18 U.S.C. \u00a7 1030 (CFAA)" ], "title": "United States v. Reality Winner (S.D. Ga. 2018)", "topics": [ "Economic Espionage Act", "18 U.S.C. \u00a7 1831", "18 U.S.C. \u00a7 1832", "trade secret theft via hacking", "foreign government nexus", "independent economic value", "reasonable measures to protect", "Xu Yanjun EEA conviction", "Zheng Xiaoqing steganography", "Apple AV engineer EEA", "Espionage Act", "18 U.S.C. \u00a7 793", "national defense information", "classified vs NDI distinction", "Chelsea Manning", "Edward Snowden", "Reality Winner", "Jack Teixeira Discord leaks", "printer steganography", "extraterritorial Espionage Act", "California Penal Code \u00a7 502", "CDAFA", "no damage floor California", "private right of action state", "New York Penal Law Article 156", "computer tampering", "Texas Penal Code \u00a7 33.02", "multi-state cybercrime exposure", "state AG enforcement", "trespass to chattels", "CompuServe v. Cyber Promotions", "Intel v. Hamidi", "eBay v. Bidder's Edge", "functional impairment requirement", "scraping civil liability", "pre-CFAA tort theory" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State" ], "module_ids": [ "01w" ], "module_paths": [ "artifacts/modules/01w-physical-pentest-red-team-law.md" ], "module_titles": [ "Physical Penetration Testing and Red Team Operations: Exact Statute + Case Analysis for Security Researchers" ], "slug": "united-states-v-rendelman-641-f-3d-36-4th-cir-2011", "statutes": [ "18 U.S.C. \u00a7 1030(a)(3)", "18 U.S.C. \u00a7 1036", "18 U.S.C. \u00a7 2701 (Stored Communications Act)", "18 U.S.C. \u00a7 2511 (Wiretap Act)", "18 U.S.C. \u00a7 1343 (Wire Fraud)", "18 U.S.C. \u00a7 912", "18 U.S.C. \u00a7 1030(a)(5)", "California Penal Code \u00a7 459 (Burglary)", "California Penal Code \u00a7 602 (Trespass)", "Texas Penal Code \u00a7 30.05", "Texas Penal Code \u00a7 16.01", "Texas Gov't Code \u00a7 423.003", "New York Penal Law \u00a7 140.05\u2013\u00a7 140.35", "New York Penal Law \u00a7 140.35 (Burglar's Tools)", "Florida \u00a7 810.06", "Illinois 720 ILCS 5/19-2", "14 C.F.R. Part 107 (FAA drone rules)", "Tex. Gov't Code \u00a7 423.0045", "Fla. Stat. \u00a7 934.50", "N.C. Gen. Stat. \u00a7 15A-300.1" ], "title": "United States v. Rendelman, 641 F.3d 36 (4th Cir. 2011)", "topics": [ "physical penetration test", "red team operation", "rules of engagement", "scope of work", "verbal authorization", "get-out-of-jail letter", "authorization letter", "18 U.S.C. \u00a7 1030(a)(3)", "18 U.S.C. \u00a7 1036", "18 U.S.C. \u00a7 2701", "Stored Communications Act", "California Penal Code \u00a7 602", "Texas Penal Code \u00a7 30.05", "New York Penal Law \u00a7 140.05", "criminal trespass", "burglary trespass escalation", "lockpick legal status", "criminal instrument Texas", "burglar's tools New York", "lock pick possession Florida", "tailgating", "impersonation wire fraud", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 912", "false personation federal officer", "hardware implants", "LAN tap", "Raspberry Pi red team", "keystroke logger", "CFAA \u00a7 1030(a)(5) damage", "Wiretap Act", "18 U.S.C. \u00a7 2511", "wiretapping network tap", "drone recon", "FAA Part 107", "state anti-drone laws", "Texas drone surveillance", "Florida drone law", "RFID cloning", "badge clone", "dumpster diving", "Coalfire Iowa courthouse 2019", "United States v. Rendelman", "safe grey red matrix physical", "pre-engagement checklist", "police did not honor authorization", "24/7 emergency contact" ] }, { "difficulties": [ "beginner", "intermediate" ], "jurisdictions": [ "U.S. Federal (1st, 2nd, 7th circuits)", "U.S. Federal + State" ], "module_ids": [ "01n", "01t" ], "module_paths": [ "artifacts/modules/01n-criminal-prosecution-history.md", "artifacts/modules/01t-flipper-zero-legal-liability.md" ], "module_titles": [ "Foundational Criminal Prosecutions: Morris Worm to Marcus Hutchins", "Flipper Zero Legal Liability: Exact Statute + Case Analysis for Security Researchers" ], "slug": "united-states-v-robert-t-morris-928-f-2d-504-2d-cir-1991", "statutes": [ "18 U.S.C. \u00a7 1030(a)(5)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1029", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7\u00a7 1961-1964 (RICO)", "18 U.S.C. \u00a7 1956", "21 U.S.C. \u00a7 841", "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1030(a)(5)(A)", "18 U.S.C. \u00a7 1030(a)(5)(C)", "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 1029(a)(2)", "18 U.S.C. \u00a7 1029(a)(3)", "18 U.S.C. \u00a7 1029(a)(4)", "47 U.S.C. \u00a7 333 (FCC jamming prohibition)", "47 U.S.C. \u00a7 501 (FCC criminal penalties)", "California Penal Code \u00a7 502", "New York Penal Law \u00a7 165.15", "Texas Penal Code \u00a7 33.02", "Washington RCW 9A.90.040" ], "title": "United States v. Robert T. Morris, 928 F.2d 504 (2d Cir. 1991)", "topics": [ "Morris Worm", "Robert T. Morris", "CFAA first conviction", "Kevin Mitnick", "social engineering", "supervised release internet ban", "Albert Gonzalez", "TJ Maxx breach", "Heartland Payment Systems", "SQL injection prosecution", "concurrent sentencing", "section 1029 access device fraud", "Ross Ulbricht", "Silk Road", "dark web marketplace", "operator liability", "RICO cybercrime", "life sentence hacking", "Bitcoin seizure", "Jeremy Hammond", "LulzSec", "Anonymous", "STRATFOR hack", "FBI informant entrapment", "AntiSec", "Marcus Hutchins", "WannaCry killswitch", "Kronos banking malware", "DEF CON arrest", "researcher sentencing mitigation", "time served cybercrime", "malware authorship liability", "Flipper Zero", "Sub-GHz replay attack", "KeeLoq rolling code", "RollJam attack", "CC1101 transceiver", "NFC cloning", "RFID skimming", "Mifare Classic attack", "ST25R3916", "EMV contactless skimming", "BadUSB", "HID injection", "Ducky Script", "USB HID keyboard emulation", "IR blaster", "TV-B-Gone", "ATM IR manipulation", "BLE spam", "BlueSnarfing", "BlueBorne", "GATT enumeration", "CFAA unauthorized access", "exceeds authorized access", "Van Buren analysis", "DOJ 2022 CFAA charging policy", "good-faith security research", "FCC jamming prohibition", "47 U.S.C. \u00a7 333", "strict liability jamming", "ISM band", "Part 15 intentional radiator", "authorized pen-test context", "access device fraud", "device-making equipment", "counterfeit access device", "hotel keycard cloning", "payment card skimming", "wire fraud data exfiltration", "aggravated identity theft mandatory consecutive", "critical infrastructure sentencing enhancement", "hospital equipment IR", "safe grey red matrix", "firmware selection legal implications", "Unleashed firmware", "RogueMaster firmware", "Faraday cage testing", "California Penal Code \u00a7 502", "Texas Penal Code \u00a7 33.02", "RF shielded bag rule", "scope letter HID injection", "get-out-of-jail letter" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal; International (OFAC, FATF)" ], "module_ids": [ "02h" ], "module_paths": [ "artifacts/modules/02h-cryptocurrency-blockchain-legal-framework.md" ], "module_titles": [ "Cryptocurrency and Blockchain Legal Frameworks for Security Researchers" ], "slug": "united-states-v-roman-sterlingov-d-d-c-2023", "statutes": [ "31 U.S.C. \u00a7 5330", "31 U.S.C. \u00a7\u00a7 5311-5336 (Bank Secrecy Act)", "18 U.S.C. \u00a7 1960", "50 U.S.C. \u00a7 1705 (IEEPA)", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1957", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "21 U.S.C. \u00a7 853(p)", "15 U.S.C. \u00a7 78j (Securities Exchange Act \u00a7 10(b))", "15 U.S.C. \u00a7 77a et seq. (Securities Act of 1933)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1030(a)(4)", "26 U.S.C. \u00a7 7201" ], "title": "United States v. Roman Sterlingov (D.D.C. 2023)", "topics": [ "FinCEN MSB registration", "31 U.S.C. \u00a7 5330", "Bank Secrecy Act", "AML/KYC", "money transmitter", "FinCEN 2013 guidance", "FinCEN 2019 framework", "18 U.S.C. \u00a7 1960 unlicensed money transmitting", "OFAC sanctions", "SDN list", "Tornado Cash designation", "Van Loon v. Treasury 5th Circuit 2024", "immutable smart contracts", "Lazarus Group DPRK addresses", "OFAC strict liability", "blockchain analytics", "Chainalysis Reactor", "Howey test", "SEC v. Ripple programmatic sales", "SEC v. Coinbase", "SEC v. Binance", "staking as securities", "Liberty Reserve", "BTC-e Vinnik", "Tornado Cash founders prosecution", "Samourai Wallet CoinJoin", "crypto forfeiture", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "civil vs criminal forfeiture", "Silk Road Bitcoin seizure", "Bitfinex $3.6B seizure", "private key seizure", "ransomware payment OFAC liability", "Evil Corp alias evasion", "SAR filing", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Lloyd\u2019s Y5381 exclusion", "Gratkowski no 4th Amendment blockchain", "pseudonymity vs anonymity", "Daubert blockchain analytics", "Sterlingov Bitcoin Fog", "Monero regulatory pressure", "privacy coins", "CoinJoin", "Wasabi Wallet", "smart contract auditing liability", "white-hat returns Poly Network Euler Finance", "bug bounty crypto payment", "DOJ Kleptocracy rewards", "substitute asset forfeiture", "Colonial Pipeline BTC recovery" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal" ], "module_ids": [ "01r" ], "module_paths": [ "artifacts/modules/01r-doctrinal-sentencing.md" ], "module_titles": [ "Doctrinal Gaps: Restitution, Parallel Proceedings, Crypto Forfeiture, OFAC Liability, and Critical Infrastructure Sentencing" ], "slug": "united-states-v-roman-storm-s-d-n-y-2023-indictment", "statutes": [ "18 U.S.C. \u00a7 3663A (MVRA)", "18 U.S.C. \u00a7 1030(e)(11)", "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)", "USSG \u00a7 2B1.1" ], "title": "United States v. Roman Storm (S.D.N.Y. 2023 indictment)", "topics": [ "restitution calculation CFAA", "MVRA", "CFAA loss definition", "reasonable cost to respond", "breach notification as restitution", "credit monitoring restitution", "loss inflation defense", "USSG \u00a7 2B1.1", "loss table sentencing", "parallel civil criminal proceedings", "Fifth Amendment adverse inference", "Landis stay doctrine", "SolarWinds multi-forum pattern", "IR report privilege", "Garner doctrine shareholder access", "cryptocurrency forfeiture", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "Lichtenstein Bitfinex seizure", "Colonial Pipeline Bitcoin recovery", "Silk Road forfeiture", "Tornado Cash Roman Storm", "smart contract developer liability", "OFAC ransomware strict liability", "Evil Corp alias evasion", "CNA Financial OFAC", "OFAC safe harbor discretionary", "critical infrastructure enhanced sentencing", "18 U.S.C. \u00a7 1030(c)(4)(B)", "PPD-21 sectors", "hospital ransomware", "Change Healthcare", "UHS attack", "involuntary manslaughter ransomware theory", "USSG \u00a7 2B1.1(b)(18)" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal; EU (Cyber Resilience Act); International (insurance)", "U.S. Federal; International (OFAC, FATF)" ], "module_ids": [ "01s", "02h" ], "module_paths": [ "artifacts/modules/01s-emerging-cyber-law.md", "artifacts/modules/02h-cryptocurrency-blockchain-legal-framework.md" ], "module_titles": [ "Emerging Cyber Law: AI/LLM Security Research, Supply Chain Liability, and Cyber Insurance", "Cryptocurrency and Blockchain Legal Frameworks for Security Researchers" ], "slug": "united-states-v-roman-storm-s-d-n-y-2023", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7\u00a7 1831-1832 (EEA)", "Executive Order 14028 (2021)", "EU Cyber Resilience Act (2024)", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)", "31 U.S.C. \u00a7 5330", "31 U.S.C. \u00a7\u00a7 5311-5336 (Bank Secrecy Act)", "18 U.S.C. \u00a7 1960", "50 U.S.C. \u00a7 1705 (IEEPA)", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1957", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "21 U.S.C. \u00a7 853(p)", "15 U.S.C. \u00a7 78j (Securities Exchange Act \u00a7 10(b))", "15 U.S.C. \u00a7 77a et seq. (Securities Act of 1933)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1030(a)(4)", "26 U.S.C. \u00a7 7201" ], "title": "United States v. Roman Storm (S.D.N.Y. 2023)", "topics": [ "AI security research CFAA", "LLM probing authorized access", "Van Buren AI gate analysis", "prompt injection legal theory", "model extraction EEA", "training data extraction", "HackerOne AI safe harbor 2026", "ToS post-Van Buren AI", "adversarial ML liability", "jailbreaking legal risk", "AI legal risk matrix", "supply chain attack liability", "SolarWinds downstream liability", "3CX supply chain", "XZ Utils", "economic loss rule software", "software product liability gap", "EO 14028 SBOM", "CISA secure by design", "EU Cyber Resilience Act", "CRA extraterritorial", "SEC software disclosure", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Mondelez v. Zurich war exclusion", "Lloyd's Y5381 exclusion", "ransomware business interruption coverage", "OFAC ransom payment insurance", "double extortion dual coverage", "consent to pay requirement", "cyber insurance market hardening", "pre-incident policy review", "FinCEN MSB registration", "31 U.S.C. \u00a7 5330", "Bank Secrecy Act", "AML/KYC", "money transmitter", "FinCEN 2013 guidance", "FinCEN 2019 framework", "18 U.S.C. \u00a7 1960 unlicensed money transmitting", "OFAC sanctions", "SDN list", "Tornado Cash designation", "Van Loon v. Treasury 5th Circuit 2024", "immutable smart contracts", "Lazarus Group DPRK addresses", "OFAC strict liability", "blockchain analytics", "Chainalysis Reactor", "Howey test", "SEC v. Ripple programmatic sales", "SEC v. Coinbase", "SEC v. Binance", "staking as securities", "Liberty Reserve", "BTC-e Vinnik", "Tornado Cash founders prosecution", "Samourai Wallet CoinJoin", "crypto forfeiture", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "civil vs criminal forfeiture", "Silk Road Bitcoin seizure", "Bitfinex $3.6B seizure", "private key seizure", "ransomware payment OFAC liability", "Evil Corp alias evasion", "SAR filing", "Lloyd\u2019s Y5381 exclusion", "Gratkowski no 4th Amendment blockchain", "pseudonymity vs anonymity", "Daubert blockchain analytics", "Sterlingov Bitcoin Fog", "Monero regulatory pressure", "privacy coins", "CoinJoin", "Wasabi Wallet", "smart contract auditing liability", "white-hat returns Poly Network Euler Finance", "bug bounty crypto payment", "DOJ Kleptocracy rewards", "substitute asset forfeiture", "Colonial Pipeline BTC recovery" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, Washington)" ], "module_ids": [ "02c" ], "module_paths": [ "artifacts/modules/02c-ecpa-wiretapping-stored-comms.md" ], "module_titles": [ "ECPA: Wiretap Act, Stored Communications, and Pen Registers" ], "slug": "united-states-v-ropp-347-f-supp-2d-831-c-d-cal-2004", "statutes": [ "18 U.S.C. \u00a7\u00a7 2510\u20132522 (Wiretap Act)", "18 U.S.C. \u00a7\u00a7 2701\u20132713 (Stored Communications Act)", "18 U.S.C. \u00a7\u00a7 3121\u20133127 (Pen Register Act)", "18 U.S.C. \u00a7 2511", "18 U.S.C. \u00a7 2511(2)(a)(i)", "18 U.S.C. \u00a7 2511(2)(c)", "18 U.S.C. \u00a7 2511(2)(d)", "18 U.S.C. \u00a7 2515", "18 U.S.C. \u00a7 2520", "18 U.S.C. \u00a7 2701", "18 U.S.C. \u00a7 2702", "18 U.S.C. \u00a7 2703", "18 U.S.C. \u00a7 2707", "18 U.S.C. \u00a7 3121", "California Penal Code \u00a7 632", "Florida Stat. \u00a7 934.03", "720 ILCS 5/14-2", "Mass. Gen. Laws ch. 272 \u00a7 99", "Pa. Cons. Stat. \u00a7 5703", "Wash. Rev. Code \u00a7 9.73.030" ], "title": "United States v. Ropp, 347 F. Supp. 2d 831 (C.D. Cal. 2004)", "topics": [ "ECPA", "Wiretap Act", "18 U.S.C. \u00a7 2511", "Stored Communications Act", "18 U.S.C. \u00a7 2701", "Pen Register Act", "18 U.S.C. \u00a7 3121", "ECS vs RCS", "electronic communication service", "remote computing service", "one-party consent", "all-party consent", "California \u00a7 632", "Florida \u00a7 934.03", "provider exception", "\u00a7 2511(2)(a)(i)", "subscriber records vs content", "compelled disclosure \u00a7 2703", "voluntary disclosure \u00a7 2702", "war-driving", "packet sniffing", "network tap", "honeypot legal design", "SSL MITM ECPA", "VoIP intercept", "BLE sniffing", "TOR exit node monitoring", "Wi-Fi payload capture", "Joffe v. Google Street View", "Councilman email interception", "Konop v. Hawaiian Airlines", "United States v. Ropp keylogger", "Warshak email warrant", "Carpenter cell-site location", "inadvertently obtained doctrine", "pen register metadata", "dialing routing addressing signaling", "electronic storage", "temporary intermediate storage", "ECPA civil damages", "\u00a7 2520 civil recovery", "suppression remedy \u00a7 2515", "dual ECPA CFAA exposure", "ECPA pre-engagement checklist" ] }, { "difficulties": [ "beginner", "advanced" ], "jurisdictions": [ "U.S. Federal (1st, 2nd, 7th circuits)", "U.S. Federal; International (OFAC, FATF)" ], "module_ids": [ "01n", "02h" ], "module_paths": [ "artifacts/modules/01n-criminal-prosecution-history.md", "artifacts/modules/02h-cryptocurrency-blockchain-legal-framework.md" ], "module_titles": [ "Foundational Criminal Prosecutions: Morris Worm to Marcus Hutchins", "Cryptocurrency and Blockchain Legal Frameworks for Security Researchers" ], "slug": "united-states-v-ross-ulbricht-31-f-supp-3d-540-s-d-n-y-2014", "statutes": [ "18 U.S.C. \u00a7 1030(a)(5)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1029", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7\u00a7 1961-1964 (RICO)", "18 U.S.C. \u00a7 1956", "21 U.S.C. \u00a7 841", "31 U.S.C. \u00a7 5330", "31 U.S.C. \u00a7\u00a7 5311-5336 (Bank Secrecy Act)", "18 U.S.C. \u00a7 1960", "50 U.S.C. \u00a7 1705 (IEEPA)", "18 U.S.C. \u00a7 1957", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "21 U.S.C. \u00a7 853(p)", "15 U.S.C. \u00a7 78j (Securities Exchange Act \u00a7 10(b))", "15 U.S.C. \u00a7 77a et seq. (Securities Act of 1933)", "18 U.S.C. \u00a7 1030(a)(4)", "26 U.S.C. \u00a7 7201" ], "title": "United States v. Ross Ulbricht, 31 F. Supp. 3d 540 (S.D.N.Y. 2014)", "topics": [ "Morris Worm", "Robert T. Morris", "CFAA first conviction", "Kevin Mitnick", "social engineering", "supervised release internet ban", "Albert Gonzalez", "TJ Maxx breach", "Heartland Payment Systems", "SQL injection prosecution", "concurrent sentencing", "section 1029 access device fraud", "Ross Ulbricht", "Silk Road", "dark web marketplace", "operator liability", "RICO cybercrime", "life sentence hacking", "Bitcoin seizure", "Jeremy Hammond", "LulzSec", "Anonymous", "STRATFOR hack", "FBI informant entrapment", "AntiSec", "Marcus Hutchins", "WannaCry killswitch", "Kronos banking malware", "DEF CON arrest", "researcher sentencing mitigation", "time served cybercrime", "malware authorship liability", "FinCEN MSB registration", "31 U.S.C. \u00a7 5330", "Bank Secrecy Act", "AML/KYC", "money transmitter", "FinCEN 2013 guidance", "FinCEN 2019 framework", "18 U.S.C. \u00a7 1960 unlicensed money transmitting", "OFAC sanctions", "SDN list", "Tornado Cash designation", "Van Loon v. Treasury 5th Circuit 2024", "immutable smart contracts", "Lazarus Group DPRK addresses", "OFAC strict liability", "blockchain analytics", "Chainalysis Reactor", "Howey test", "SEC v. Ripple programmatic sales", "SEC v. Coinbase", "SEC v. Binance", "staking as securities", "Liberty Reserve", "BTC-e Vinnik", "Tornado Cash founders prosecution", "Samourai Wallet CoinJoin", "crypto forfeiture", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "civil vs criminal forfeiture", "Silk Road Bitcoin seizure", "Bitfinex $3.6B seizure", "private key seizure", "ransomware payment OFAC liability", "Evil Corp alias evasion", "SAR filing", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Lloyd\u2019s Y5381 exclusion", "Gratkowski no 4th Amendment blockchain", "pseudonymity vs anonymity", "Daubert blockchain analytics", "Sterlingov Bitcoin Fog", "Monero regulatory pressure", "privacy coins", "CoinJoin", "Wasabi Wallet", "smart contract auditing liability", "white-hat returns Poly Network Euler Finance", "bug bounty crypto payment", "DOJ Kleptocracy rewards", "substitute asset forfeiture", "Colonial Pipeline BTC recovery" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State" ], "module_ids": [ "01t" ], "module_paths": [ "artifacts/modules/01t-flipper-zero-legal-liability.md" ], "module_titles": [ "Flipper Zero Legal Liability: Exact Statute + Case Analysis for Security Researchers" ], "slug": "united-states-v-salinas-d-nev-2019-hotel-keycard-cloning-1029", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 1030(a)(5)(A)", "18 U.S.C. \u00a7 1030(a)(5)(C)", "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 1029(a)(2)", "18 U.S.C. \u00a7 1029(a)(3)", "18 U.S.C. \u00a7 1029(a)(4)", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1343", "47 U.S.C. \u00a7 333 (FCC jamming prohibition)", "47 U.S.C. \u00a7 501 (FCC criminal penalties)", "California Penal Code \u00a7 502", "New York Penal Law \u00a7 165.15", "Texas Penal Code \u00a7 33.02", "Washington RCW 9A.90.040" ], "title": "United States v. Salinas (D. Nev. 2019) \u2014 hotel keycard cloning \u00a7 1029", "topics": [ "Flipper Zero", "Sub-GHz replay attack", "KeeLoq rolling code", "RollJam attack", "CC1101 transceiver", "NFC cloning", "RFID skimming", "Mifare Classic attack", "ST25R3916", "EMV contactless skimming", "BadUSB", "HID injection", "Ducky Script", "USB HID keyboard emulation", "IR blaster", "TV-B-Gone", "ATM IR manipulation", "BLE spam", "BlueSnarfing", "BlueBorne", "GATT enumeration", "CFAA unauthorized access", "exceeds authorized access", "Van Buren analysis", "DOJ 2022 CFAA charging policy", "good-faith security research", "FCC jamming prohibition", "47 U.S.C. \u00a7 333", "strict liability jamming", "ISM band", "Part 15 intentional radiator", "authorized pen-test context", "access device fraud", "device-making equipment", "counterfeit access device", "hotel keycard cloning", "payment card skimming", "wire fraud data exfiltration", "aggravated identity theft mandatory consecutive", "critical infrastructure sentencing enhancement", "hospital equipment IR", "safe grey red matrix", "firmware selection legal implications", "Unleashed firmware", "RogueMaster firmware", "Faraday cage testing", "California Penal Code \u00a7 502", "Texas Penal Code \u00a7 33.02", "RF shielded bag rule", "scope letter HID injection", "get-out-of-jail letter" ] }, { "difficulties": [ "advanced", "intermediate" ], "jurisdictions": [ "U.S. Federal", "U.S. Federal; U.S. State (California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, Washington)" ], "module_ids": [ "01r", "02c" ], "module_paths": [ "artifacts/modules/01r-doctrinal-sentencing.md", "artifacts/modules/02c-ecpa-wiretapping-stored-comms.md" ], "module_titles": [ "Doctrinal Gaps: Restitution, Parallel Proceedings, Crypto Forfeiture, OFAC Liability, and Critical Infrastructure Sentencing", "ECPA: Wiretap Act, Stored Communications, and Pen Registers" ], "slug": "united-states-v-szymuszkiewicz-622-f-3d-701-7th-cir-2010", "statutes": [ "18 U.S.C. \u00a7 3663A (MVRA)", "18 U.S.C. \u00a7 1030(e)(11)", "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)", "USSG \u00a7 2B1.1", "18 U.S.C. \u00a7\u00a7 2510\u20132522 (Wiretap Act)", "18 U.S.C. \u00a7\u00a7 2701\u20132713 (Stored Communications Act)", "18 U.S.C. \u00a7\u00a7 3121\u20133127 (Pen Register Act)", "18 U.S.C. \u00a7 2511", "18 U.S.C. \u00a7 2511(2)(a)(i)", "18 U.S.C. \u00a7 2511(2)(c)", "18 U.S.C. \u00a7 2511(2)(d)", "18 U.S.C. \u00a7 2515", "18 U.S.C. \u00a7 2520", "18 U.S.C. \u00a7 2701", "18 U.S.C. \u00a7 2702", "18 U.S.C. \u00a7 2703", "18 U.S.C. \u00a7 2707", "18 U.S.C. \u00a7 3121", "California Penal Code \u00a7 632", "Florida Stat. \u00a7 934.03", "720 ILCS 5/14-2", "Mass. Gen. Laws ch. 272 \u00a7 99", "Pa. Cons. Stat. \u00a7 5703", "Wash. Rev. Code \u00a7 9.73.030" ], "title": "United States v. Szymuszkiewicz, 622 F.3d 701 (7th Cir. 2010)", "topics": [ "restitution calculation CFAA", "MVRA", "CFAA loss definition", "reasonable cost to respond", "breach notification as restitution", "credit monitoring restitution", "loss inflation defense", "USSG \u00a7 2B1.1", "loss table sentencing", "parallel civil criminal proceedings", "Fifth Amendment adverse inference", "Landis stay doctrine", "SolarWinds multi-forum pattern", "IR report privilege", "Garner doctrine shareholder access", "cryptocurrency forfeiture", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "Lichtenstein Bitfinex seizure", "Colonial Pipeline Bitcoin recovery", "Silk Road forfeiture", "Tornado Cash Roman Storm", "smart contract developer liability", "OFAC ransomware strict liability", "Evil Corp alias evasion", "CNA Financial OFAC", "OFAC safe harbor discretionary", "critical infrastructure enhanced sentencing", "18 U.S.C. \u00a7 1030(c)(4)(B)", "PPD-21 sectors", "hospital ransomware", "Change Healthcare", "UHS attack", "involuntary manslaughter ransomware theory", "USSG \u00a7 2B1.1(b)(18)", "ECPA", "Wiretap Act", "18 U.S.C. \u00a7 2511", "Stored Communications Act", "18 U.S.C. \u00a7 2701", "Pen Register Act", "18 U.S.C. \u00a7 3121", "ECS vs RCS", "electronic communication service", "remote computing service", "one-party consent", "all-party consent", "California \u00a7 632", "Florida \u00a7 934.03", "provider exception", "\u00a7 2511(2)(a)(i)", "subscriber records vs content", "compelled disclosure \u00a7 2703", "voluntary disclosure \u00a7 2702", "war-driving", "packet sniffing", "network tap", "honeypot legal design", "SSL MITM ECPA", "VoIP intercept", "BLE sniffing", "TOR exit node monitoring", "Wi-Fi payload capture", "Joffe v. Google Street View", "Councilman email interception", "Konop v. Hawaiian Airlines", "United States v. Ropp keylogger", "Warshak email warrant", "Carpenter cell-site location", "inadvertently obtained doctrine", "pen register metadata", "dialing routing addressing signaling", "electronic storage", "temporary intermediate storage", "ECPA civil damages", "\u00a7 2520 civil recovery", "suppression remedy \u00a7 2515", "dual ECPA CFAA exposure", "ECPA pre-engagement checklist" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, New York, Colorado)" ], "module_ids": [ "02g" ], "module_paths": [ "artifacts/modules/02g-coppa-ferpa-student-data-privacy.md" ], "module_titles": [ "COPPA, FERPA, and Student Data Privacy Law for Security Researchers" ], "slug": "united-states-v-tiktok-bytedance-doj-ftc-2024-proposed-1-5b", "statutes": [ "15 U.S.C. \u00a7\u00a7 6501\u20136506 (COPPA)", "16 C.F.R. Part 312 (FTC COPPA Rule)", "20 U.S.C. \u00a7 1232g (FERPA)", "34 C.F.R. Part 99 (FERPA Regulations)", "15 U.S.C. \u00a7 45 (FTC Act Section 5)", "Cal. Ed. Code \u00a7\u00a7 22584\u201322585 (SOPIPA)", "N.Y. Ed. Law \u00a7 2-d", "8 NYCRR Part 121", "Colo. Rev. Stat. \u00a7\u00a7 22-16-101\u2013115" ], "title": "United States v. TikTok / ByteDance (DOJ/FTC 2024 proposed $1.5B)", "topics": [ "COPPA", "FERPA", "children's online privacy", "child under 13", "operator definition", "verifiable parental consent", "VPC methods", "actual knowledge standard", "mixed-audience sites", "school official exception", "data minimization", "retention limits", "FTC COPPA enforcement", "COPPA 2.0", "age-16 expansion", "design prohibition", "KOSA Kids Online Safety Act", "education records", "directory information", "legitimate educational interest", "FERPA enforcement", "no private right of action FERPA", "Gonzaga v. Doe", "funding withdrawal never used", "PowerSchool 2025 breach", "Los Angeles USD ransomware", "Illuminate Education breach", "K-12 ed-tech security", "student information system", "SIS vendor authorization", "SOPIPA California", "New York Ed Law 2-d", "Colorado SB 21-231", "CARU safe harbor", "kidSAFE seal", "persistent identifier COPPA", "behavioral advertising prohibition", "student PII during pentest", "responsible disclosure school districts", "FERPA redisclosure restrictions", "safe grey red matrix education" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [], "module_ids": [ "02d" ], "module_paths": [ "artifacts/modules/02d-ftc-section5-cybersecurity-enforcement.md" ], "module_titles": [ "FTC Act Section 5 Cybersecurity Enforcement" ], "slug": "united-states-v-twitter-inc-n-d-cal-2022", "statutes": [ "15 U.S.C. \u00a7 45 (FTC Act Section 5)", "15 U.S.C. \u00a7 45(m) (civil penalty authority)", "15 U.S.C. \u00a7\u00a7 6501\u20136506 (COPPA)", "15 U.S.C. \u00a7\u00a7 6801\u20136809 (GLBA)", "16 C.F.R. Part 314 (FTC Safeguards Rule)", "16 C.F.R. Part 312 (COPPA Rule)", "16 C.F.R. Part 318 (Health Breach Notification Rule)", "Cal. Bus. & Prof. Code \u00a7 17200 (California UCL)", "N.Y. Gen. Bus. Law \u00a7 349", "Tex. Bus. & Com. Code \u00a7\u00a7 17.41\u201317.826 (Texas DTPA)" ], "title": "United States v. Twitter, Inc. (N.D. Cal. 2022)", "topics": [ "FTC Act Section 5", "15 U.S.C. \u00a7 45", "unfair or deceptive acts", "unfairness standard", "deception theory", "consent decree mechanics", "civil penalties FTC", "no private right of action", "Wyndham standard", "foreseeability", "counterfactual prevention", "LabMD unfairness boundary", "Drizly CEO personal liability", "Twitter 2FA advertising deception", "Meta Cambridge Analytica $5B", "FTC Safeguards Rule", "16 C.F.R. Part 314", "GLBA financial institutions", "written information security program", "risk assessment", "encryption at rest", "MFA mandatory", "penetration testing mandate", "30-day FTC breach notification", "Health Breach Notification Rule", "16 C.F.R. Part 318", "PHR vendors", "HIPAA FTC overlap", "Premom enforcement 2023", "COPPA", "15 U.S.C. \u00a7 6501", "verifiable parental consent", "age gate requirements", "data minimization children", "YouTube COPPA settlement", "Epic Games COPPA", "VDP adoption FTC pressure", "FTC complaint escalation tool", "California UCL \u00a7 17200", "New York GBL \u00a7 349", "Texas DTPA", "state FTC analogs", "Tiversa LabMD controversy", "privacy policy deception", "cookie disclosure", "reasonable security representation", "20-year monitoring period", "Civil Investigative Demand", "biennial third-party audit" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State + International (GDPR, BIPA)" ], "module_ids": [ "02a" ], "module_paths": [ "artifacts/modules/02a-osint-legal-limits-dark-web.md" ], "module_titles": [ "OSINT Legal Limits, Dark Web Operations, and Blockchain Intelligence" ], "slug": "united-states-v-ulbricht-31-f-supp-3d-540-s-d-n-y-2014", "statutes": [ "18 U.S.C. \u00a7 2701 (Stored Communications Act)", "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 2261A (federal cyberstalking)", "18 U.S.C. \u00a7 1029 (access device fraud)", "18 U.S.C. \u00a7 875 (interstate threats)", "18 U.S.C. \u00a7 1956 (money laundering)", "GDPR Article 5", "GDPR Article 9", "California Civil Code \u00a7 1798.100 (CCPA)", "California AB 1732 (2022)", "New York Exec. Law \u00a7 79-n", "740 ILCS 14 (Illinois BIPA)", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)" ], "title": "United States v. Ulbricht, 31 F. Supp. 3d 540 (S.D.N.Y. 2014)", "topics": [ "OSINT", "Stored Communications Act", "SCA 18 U.S.C. \u00a7 2701", "scraping public data", "hiQ v. LinkedIn", "Facebook v. Power Ventures", "Van Buren scraping", "CFAA \u00a7 1030(a)(2)", "GDPR Article 5 scraping", "CCPA scraping", "cyberstalking 18 U.S.C. \u00a7 2261A", "state stalking statutes", "aggregation problem", "doxxing", "no federal doxxing statute", "California AB 1732", "New York Exec. Law \u00a7 79-n", "intentional infliction of emotional distress", "Tor legal status", "Tor exit node liability", "dark web marketplace", "Silk Road", "Ulbricht", "buying on dark web", "access device fraud \u00a7 1029", "drug trafficking conspiracy", "continuing criminal enterprise", "Bitcoin evidence", "Gratkowski no 4th Amendment blockchain", "blockchain analytics admissibility", "Chainalysis", "Elliptic", "privacy coins", "Monero legal risk", "Tornado Cash OFAC sanctions", "cryptocurrency mixing", "Clearview AI", "BIPA 740 ILCS 14", "biometric data", "GDPR Article 9 special category", "facial recognition scraping", "threat intelligence forums", "criminal forum access", "ISAC antitrust", "AIS CISA", "safe grey red OSINT matrix", "Google dorking", "LinkedIn scraping", "Shodan", "HaveIBeenPwned", "Maltego", "reverse image search", "public records FOIA", "paste sites" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State" ], "module_ids": [ "01t" ], "module_paths": [ "artifacts/modules/01t-flipper-zero-legal-liability.md" ], "module_titles": [ "Flipper Zero Legal Liability: Exact Statute + Case Analysis for Security Researchers" ], "slug": "united-states-v-valle-2d-cir-2015", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 1030(a)(5)(A)", "18 U.S.C. \u00a7 1030(a)(5)(C)", "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 1029(a)(2)", "18 U.S.C. \u00a7 1029(a)(3)", "18 U.S.C. \u00a7 1029(a)(4)", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1343", "47 U.S.C. \u00a7 333 (FCC jamming prohibition)", "47 U.S.C. \u00a7 501 (FCC criminal penalties)", "California Penal Code \u00a7 502", "New York Penal Law \u00a7 165.15", "Texas Penal Code \u00a7 33.02", "Washington RCW 9A.90.040" ], "title": "United States v. Valle (2d Cir. 2015)", "topics": [ "Flipper Zero", "Sub-GHz replay attack", "KeeLoq rolling code", "RollJam attack", "CC1101 transceiver", "NFC cloning", "RFID skimming", "Mifare Classic attack", "ST25R3916", "EMV contactless skimming", "BadUSB", "HID injection", "Ducky Script", "USB HID keyboard emulation", "IR blaster", "TV-B-Gone", "ATM IR manipulation", "BLE spam", "BlueSnarfing", "BlueBorne", "GATT enumeration", "CFAA unauthorized access", "exceeds authorized access", "Van Buren analysis", "DOJ 2022 CFAA charging policy", "good-faith security research", "FCC jamming prohibition", "47 U.S.C. \u00a7 333", "strict liability jamming", "ISM band", "Part 15 intentional radiator", "authorized pen-test context", "access device fraud", "device-making equipment", "counterfeit access device", "hotel keycard cloning", "payment card skimming", "wire fraud data exfiltration", "aggravated identity theft mandatory consecutive", "critical infrastructure sentencing enhancement", "hospital equipment IR", "safe grey red matrix", "firmware selection legal implications", "Unleashed firmware", "RogueMaster firmware", "Faraday cage testing", "California Penal Code \u00a7 502", "Texas Penal Code \u00a7 33.02", "RF shielded bag rule", "scope letter HID injection", "get-out-of-jail letter" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; International (extradition/diplomacy)" ], "module_ids": [ "01o" ], "module_paths": [ "artifacts/modules/01o-nation-state-indictments.md" ], "module_titles": [ "Nation-State Indictments: Charging Foreign Hackers the U.S. Cannot Extradite" ], "slug": "united-states-v-viktor-netyksho-et-al-d-d-c-2018", "statutes": [ "18 U.S.C. \u00a7 1030", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 371", "18 U.S.C. \u00a7 951", "18 U.S.C. \u00a7\u00a7 1831-1832 (Economic Espionage Act)", "18 U.S.C. \u00a7 1956", "50 U.S.C. \u00a7 1705 (IEEPA sanctions)" ], "title": "United States v. Viktor Netyksho et al. (D.D.C. 2018)", "topics": [ "GRU", "APT28", "Fancy Bear", "Viktor Netyksho", "DNC hack", "X-Agent malware", "Guccifer 2.0", "DCLeaks", "Mueller indictment", "unregistered foreign agent", "APT10", "Cloud Hopper", "MSP compromise", "supply chain espionage", "Xu Yanjun", "MSS", "Jiangsu State Security Department", "Economic Espionage Act", "turbofan blade theft", "extradition from Belgium", "first Chinese intel officer convicted", "Mabna Institute", "Iranian IRGC hacking", "university data theft", "OFAC SDN designation", "indictment plus sanctions combo", "Park Jin Hyok", "Lazarus Group", "North Korea", "Sony Pictures hack", "Bangladesh Bank SWIFT heist", "WannaCry attribution", "DPRK cryptocurrency revenue", "in absentia indictment", "attribution standard", "foreign policy instrument", "extradition gap", "nation-state prosecution doctrine" ] }, { "difficulties": [ "beginner" ], "jurisdictions": [ "U.S. Federal; UK; International" ], "module_ids": [ "01v" ], "module_paths": [ "artifacts/modules/01v-hackers-hall-of-fame.md" ], "module_titles": [ "Hackers Who Got Caught: 50 Years of Prosecutions, Verdicts, and Doctrine" ], "slug": "united-states-v-vladislav-klyushin-d-mass-2023", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1029", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 2339B", "18 U.S.C. \u00a7 1030(c)(4)(B)" ], "title": "United States v. Vladislav Klyushin (D. Mass. 2023)", "topics": [ "Kevin Mitnick", "Albert Gonzalez", "Gary McKinnon", "Lauri Love", "Marcus Hutchins", "Hector Monsegur Sabu", "Jeremy Hammond", "Andrew Auernheimer weev", "Jonathan James c0mrade", "Adrian Lamo", "Paige Thompson Capital One", "Joseph James O'Connor PlugwalkJoe", "Graham Clark Twitter hack", "Lapsus$ Arion Kurtaj", "LockBit Dmitry Khoroshev", "REvil Yaroslav Vasinskyi", "Evgeniy Bogachev GameOver Zeus", "Vladislav Klyushin", "Joseph Sullivan Uber CISO", "Ardit Ferizi ISIS hacker", "Aleksei Burkov", "Mikhail Matveev Wazawaka", "Conti Trickbot", "Andrei Tyurin JPMorgan", "cooperation sentencing", "extradition fight mental health", "Russia no extradition", "infrastructure seizure without arrest", "juvenile hacking prosecution", "ransomware sentencing", "CISO liability", "hacker hall of fame" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, Washington)" ], "module_ids": [ "02c" ], "module_paths": [ "artifacts/modules/02c-ecpa-wiretapping-stored-comms.md" ], "module_titles": [ "ECPA: Wiretap Act, Stored Communications, and Pen Registers" ], "slug": "united-states-v-warshak-631-f-3d-266-6th-cir-2010", "statutes": [ "18 U.S.C. \u00a7\u00a7 2510\u20132522 (Wiretap Act)", "18 U.S.C. \u00a7\u00a7 2701\u20132713 (Stored Communications Act)", "18 U.S.C. \u00a7\u00a7 3121\u20133127 (Pen Register Act)", "18 U.S.C. \u00a7 2511", "18 U.S.C. \u00a7 2511(2)(a)(i)", "18 U.S.C. \u00a7 2511(2)(c)", "18 U.S.C. \u00a7 2511(2)(d)", "18 U.S.C. \u00a7 2515", "18 U.S.C. \u00a7 2520", "18 U.S.C. \u00a7 2701", "18 U.S.C. \u00a7 2702", "18 U.S.C. \u00a7 2703", "18 U.S.C. \u00a7 2707", "18 U.S.C. \u00a7 3121", "California Penal Code \u00a7 632", "Florida Stat. \u00a7 934.03", "720 ILCS 5/14-2", "Mass. Gen. Laws ch. 272 \u00a7 99", "Pa. Cons. Stat. \u00a7 5703", "Wash. Rev. Code \u00a7 9.73.030" ], "title": "United States v. Warshak, 631 F.3d 266 (6th Cir. 2010)", "topics": [ "ECPA", "Wiretap Act", "18 U.S.C. \u00a7 2511", "Stored Communications Act", "18 U.S.C. \u00a7 2701", "Pen Register Act", "18 U.S.C. \u00a7 3121", "ECS vs RCS", "electronic communication service", "remote computing service", "one-party consent", "all-party consent", "California \u00a7 632", "Florida \u00a7 934.03", "provider exception", "\u00a7 2511(2)(a)(i)", "subscriber records vs content", "compelled disclosure \u00a7 2703", "voluntary disclosure \u00a7 2702", "war-driving", "packet sniffing", "network tap", "honeypot legal design", "SSL MITM ECPA", "VoIP intercept", "BLE sniffing", "TOR exit node monitoring", "Wi-Fi payload capture", "Joffe v. Google Street View", "Councilman email interception", "Konop v. Hawaiian Airlines", "United States v. Ropp keylogger", "Warshak email warrant", "Carpenter cell-site location", "inadvertently obtained doctrine", "pen register metadata", "dialing routing addressing signaling", "electronic storage", "temporary intermediate storage", "ECPA civil damages", "\u00a7 2520 civil recovery", "suppression remedy \u00a7 2515", "dual ECPA CFAA exposure", "ECPA pre-engagement checklist" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; International (extradition/diplomacy)", "U.S. Federal; U.S. State (California, New York, Texas)" ], "module_ids": [ "01o", "01q" ], "module_paths": [ "artifacts/modules/01o-nation-state-indictments.md", "artifacts/modules/01q-missing-statutes.md" ], "module_titles": [ "Nation-State Indictments: Charging Foreign Hackers the U.S. Cannot Extradite", "Beyond CFAA: Economic Espionage Act, Espionage Act, State Statutes, and Trespass to Chattels" ], "slug": "united-states-v-xu-yanjun-s-d-ohio-2022", "statutes": [ "18 U.S.C. \u00a7 1030", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 371", "18 U.S.C. \u00a7 951", "18 U.S.C. \u00a7\u00a7 1831-1832 (Economic Espionage Act)", "18 U.S.C. \u00a7 1956", "50 U.S.C. \u00a7 1705 (IEEPA sanctions)", "18 U.S.C. \u00a7\u00a7 1831-1839 (Economic Espionage Act)", "18 U.S.C. \u00a7 793 (Espionage Act)", "California Penal Code \u00a7 502 (CDAFA)", "New York Penal Law Article 156", "Texas Penal Code \u00a7 33.02", "18 U.S.C. \u00a7 1030 (CFAA)" ], "title": "United States v. Xu Yanjun (S.D. Ohio 2022)", "topics": [ "GRU", "APT28", "Fancy Bear", "Viktor Netyksho", "DNC hack", "X-Agent malware", "Guccifer 2.0", "DCLeaks", "Mueller indictment", "unregistered foreign agent", "APT10", "Cloud Hopper", "MSP compromise", "supply chain espionage", "Xu Yanjun", "MSS", "Jiangsu State Security Department", "Economic Espionage Act", "turbofan blade theft", "extradition from Belgium", "first Chinese intel officer convicted", "Mabna Institute", "Iranian IRGC hacking", "university data theft", "OFAC SDN designation", "indictment plus sanctions combo", "Park Jin Hyok", "Lazarus Group", "North Korea", "Sony Pictures hack", "Bangladesh Bank SWIFT heist", "WannaCry attribution", "DPRK cryptocurrency revenue", "in absentia indictment", "attribution standard", "foreign policy instrument", "extradition gap", "nation-state prosecution doctrine", "18 U.S.C. \u00a7 1831", "18 U.S.C. \u00a7 1832", "trade secret theft via hacking", "foreign government nexus", "independent economic value", "reasonable measures to protect", "Xu Yanjun EEA conviction", "Zheng Xiaoqing steganography", "Apple AV engineer EEA", "Espionage Act", "18 U.S.C. \u00a7 793", "national defense information", "classified vs NDI distinction", "Chelsea Manning", "Edward Snowden", "Reality Winner", "Jack Teixeira Discord leaks", "printer steganography", "extraterritorial Espionage Act", "California Penal Code \u00a7 502", "CDAFA", "no damage floor California", "private right of action state", "New York Penal Law Article 156", "computer tampering", "Texas Penal Code \u00a7 33.02", "multi-state cybercrime exposure", "state AG enforcement", "trespass to chattels", "CompuServe v. Cyber Promotions", "Intel v. Hamidi", "eBay v. Bidder's Edge", "functional impairment requirement", "scraping civil liability", "pre-CFAA tort theory" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal (3rd, 9th, and SCOTUS circuits); International (extradition cases)" ], "module_ids": [ "01d" ], "module_paths": [ "artifacts/modules/01d-landmark-cases.md" ], "module_titles": [ "Landmark Cases: Prosecutions and Civil Suits" ], "slug": "united-states-v-yaroslav-vasinskyi-2021-indictment-2024-sentencing", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1956", "Foreign Sovereign Immunities Act (FSIA)" ], "title": "United States v. Yaroslav Vasinskyi (2021 indictment; 2024 sentencing)", "topics": [ "venue", "jurisdiction", "standing", "Spokeo", "TransUnion", "CFAA criminal prosecution", "CFAA civil action", "extradition", "nation-state hacking", "Lazarus Group", "North Korea", "Yahoo hack", "Russian FSB", "LinkedIn breach", "REvil ransomware", "Kaseya supply chain attack", "Bitfinex laundering", "cryptocurrency seizure", "blockchain forensics", "FSIA", "foreign sovereign immunity", "NSO Group", "Pegasus spyware", "web scraping", "public data access", "cease and desist plus technical blocks", "unauthorized access revocation", "ransomware prosecution", "restitution", "forfeiture", "indictment without custody", "SolarWinds", "SUNBURST", "SEC cyber disclosure enforcement", "internal accounting controls", "disclosure controls" ] }, { "difficulties": [ "beginner" ], "jurisdictions": [ "U.S. Federal; UK; International" ], "module_ids": [ "01v" ], "module_paths": [ "artifacts/modules/01v-hackers-hall-of-fame.md" ], "module_titles": [ "Hackers Who Got Caught: 50 Years of Prosecutions, Verdicts, and Doctrine" ], "slug": "united-states-v-yaroslav-vasinskyi-2024-sentencing", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1029", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 2339B", "18 U.S.C. \u00a7 1030(c)(4)(B)" ], "title": "United States v. Yaroslav Vasinskyi (2024 sentencing)", "topics": [ "Kevin Mitnick", "Albert Gonzalez", "Gary McKinnon", "Lauri Love", "Marcus Hutchins", "Hector Monsegur Sabu", "Jeremy Hammond", "Andrew Auernheimer weev", "Jonathan James c0mrade", "Adrian Lamo", "Paige Thompson Capital One", "Joseph James O'Connor PlugwalkJoe", "Graham Clark Twitter hack", "Lapsus$ Arion Kurtaj", "LockBit Dmitry Khoroshev", "REvil Yaroslav Vasinskyi", "Evgeniy Bogachev GameOver Zeus", "Vladislav Klyushin", "Joseph Sullivan Uber CISO", "Ardit Ferizi ISIS hacker", "Aleksei Burkov", "Mikhail Matveev Wazawaka", "Conti Trickbot", "Andrei Tyurin JPMorgan", "cooperation sentencing", "extradition fight mental health", "Russia no extradition", "infrastructure seizure without arrest", "juvenile hacking prosecution", "ransomware sentencing", "CISO liability", "hacker hall of fame" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; International (NCA, Europol coordination)" ], "module_ids": [ "01p" ], "module_paths": [ "artifacts/modules/01p-ransomware-prosecutions.md" ], "module_titles": [ "Ransomware Group Prosecutions: DOJ Disruption Operations and Criminal Charges" ], "slug": "united-states-v-yaroslav-vasinskyi-n-d-tex-2024-sentencing", "statutes": [ "18 U.S.C. \u00a7 1030", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1349", "21 U.S.C. \u00a7 853", "18 U.S.C. \u00a7 981", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)" ], "title": "United States v. Yaroslav Vasinskyi (N.D. Tex. 2024 sentencing)", "topics": [ "ransomware prosecution", "DOJ disruption operations", "REvil", "Sodinokibi", "Yaroslav Vasinskyi", "affiliate liability", "Kaseya attack", "JBS attack", "DarkSide", "Colonial Pipeline", "ransom recovery", "cryptocurrency seizure", "FBI private key access", "Conti group", "Mikhail Matveev", "Wazawaka", "Alla Witte", "Trickbot developer", "OFAC Conti designation", "ALPHV", "BlackCat", "FBI decryption keys", "Change Healthcare", "LockBit", "Operation Cronos", "Dmitry Khoroshev", "LockBitSupp unmasking", "NCA operation", "credential stuffing prosecution", "OFAC ransomware payment liability", "Evil Corp alias rotation", "ransom payment sanctions violation", "ransomware-as-a-service", "RaaS affiliate model", "money mule liability", "infrastructure seizure", "forfeiture cryptocurrency" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal (3rd, 9th, and SCOTUS circuits); International (extradition cases)" ], "module_ids": [ "01d" ], "module_paths": [ "artifacts/modules/01d-landmark-cases.md" ], "module_titles": [ "Landmark Cases: Prosecutions and Civil Suits" ], "slug": "united-states-v-yevgeniy-nikulin-2016-indictment-2020-sentencing", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1956", "Foreign Sovereign Immunities Act (FSIA)" ], "title": "United States v. Yevgeniy Nikulin (2016 indictment; 2020 sentencing)", "topics": [ "venue", "jurisdiction", "standing", "Spokeo", "TransUnion", "CFAA criminal prosecution", "CFAA civil action", "extradition", "nation-state hacking", "Lazarus Group", "North Korea", "Yahoo hack", "Russian FSB", "LinkedIn breach", "REvil ransomware", "Kaseya supply chain attack", "Bitfinex laundering", "cryptocurrency seizure", "blockchain forensics", "FSIA", "foreign sovereign immunity", "NSO Group", "Pegasus spyware", "web scraping", "public data access", "cease and desist plus technical blocks", "unauthorized access revocation", "ransomware prosecution", "restitution", "forfeiture", "indictment without custody", "SolarWinds", "SUNBURST", "SEC cyber disclosure enforcement", "internal accounting controls", "disclosure controls" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; International (NCA, Europol coordination)" ], "module_ids": [ "01p" ], "module_paths": [ "artifacts/modules/01p-ransomware-prosecutions.md" ], "module_titles": [ "Ransomware Group Prosecutions: DOJ Disruption Operations and Criminal Charges" ], "slug": "united-states-v-yevgeniy-polyanin-n-d-tex-2021-indictment", "statutes": [ "18 U.S.C. \u00a7 1030", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1349", "21 U.S.C. \u00a7 853", "18 U.S.C. \u00a7 981", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)" ], "title": "United States v. Yevgeniy Polyanin (N.D. Tex. 2021 indictment)", "topics": [ "ransomware prosecution", "DOJ disruption operations", "REvil", "Sodinokibi", "Yaroslav Vasinskyi", "affiliate liability", "Kaseya attack", "JBS attack", "DarkSide", "Colonial Pipeline", "ransom recovery", "cryptocurrency seizure", "FBI private key access", "Conti group", "Mikhail Matveev", "Wazawaka", "Alla Witte", "Trickbot developer", "OFAC Conti designation", "ALPHV", "BlackCat", "FBI decryption keys", "Change Healthcare", "LockBit", "Operation Cronos", "Dmitry Khoroshev", "LockBitSupp unmasking", "NCA operation", "credential stuffing prosecution", "OFAC ransomware payment liability", "Evil Corp alias rotation", "ransom payment sanctions violation", "ransomware-as-a-service", "RaaS affiliate model", "money mule liability", "infrastructure seizure", "forfeiture cryptocurrency" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal + State + International" ], "module_ids": [ "01z" ], "module_paths": [ "artifacts/modules/01z-scada-iot-automotive-hacking-law.md" ], "module_titles": [ "SCADA, IoT, Automotive, and Drone Hacking: Critical Infrastructure Law for Security Researchers" ], "slug": "united-states-v-yuriy-sergeyevich-andrienko-et-al-w-d-pa-2020-sandworm-gru", "statutes": [ "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 1030(a)(5)(A)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 32 (aircraft sabotage)", "47 U.S.C. \u00a7 333 (RF interference)", "18 U.S.C. \u00a7 1365 (consumer product tampering)", "18 U.S.C. \u00a7 1362 (government communication interference)", "49 U.S.C. \u00a7 30170", "42 U.S.C. \u00a7 7522 (EPA emission controls)", "16 U.S.C. \u00a7 824o (Federal Power Act / NERC CIP)", "California Civil Code \u00a7 1798.91.04", "15 U.S.C. \u00a7 45 (FTC Act \u00a7 5)", "21 U.S.C. \u00a7 301 et seq. (FD&C Act \u00a7 524B)" ], "title": "United States v. Yuriy Sergeyevich Andrienko et al. (W.D. Pa. 2020) \u2014 Sandworm GRU", "topics": [ "SCADA hacking law", "ICS security law", "OT cybersecurity legal framework", "PPD-21 critical infrastructure", "CFAA \u00a7 1030(c)(4)(B) enhancement", "critical infrastructure sentencing 20 years", "substantial disruption standard", "Colonial Pipeline legal aftermath", "DarkSide ransomware OFAC", "Oldsmar water treatment plant 2021", "ICS-CERT coordinated disclosure", "CISA vulnerability disclosure ICS", "hospital ransomware Change Healthcare", "UHS ransomware", "involuntary manslaughter ransomware theory", "IoT hacking CFAA", "Mirai botnet Jha 2018", "botnet recruitment \u00a7 1030(a)(5)", "FTC Act \u00a7 5 insecure IoT", "NISTIR 8259 IoT security", "California IoT security law \u00a7 1798.91.04", "Oregon SB 90 IoT", "vehicle ECU CFAA", "automotive hacking law", "Miller Valasek Jeep hack 2015", "Tesla bug bounty scope", "49 U.S.C. \u00a7 30170 vehicle safety", "SPY Car Act", "OBD-II port testing legal", "EPA emissions ECU modification", "drone hacking law", "FAA Part 107", "counter-UAS authority", "FAA Reauthorization Act 2018", "18 U.S.C. \u00a7 32 aircraft sabotage", "GPS spoofing legal risk", "RF jamming 47 U.S.C. \u00a7 333", "drone jamming federal crime", "NERC CIP mandatory standards", "FERC enforcement authority", "critical electric infrastructure information CEII", "smart grid security law", "FDA cybersecurity final rule 2023", "medical device hacking CFAA", "HIPAA medical device PHI", "\u00a7 524B FD&C Act SBOM", "Vitek Boden Maroochy Water 2001", "Stuxnet legal implications", "Ukraine power grid GRU indictment Sandworm", "TRITON TRISIS SIS attack", "Evgeny Gladkikh indictment", "lab vs production ICS testing", "Shodan ICS reconnaissance legal", "safe grey red ICS matrix", "NERC CIP CEII data handling" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, New York, Texas)" ], "module_ids": [ "01q" ], "module_paths": [ "artifacts/modules/01q-missing-statutes.md" ], "module_titles": [ "Beyond CFAA: Economic Espionage Act, Espionage Act, State Statutes, and Trespass to Chattels" ], "slug": "united-states-v-zhang-e-d-n-y-2020", "statutes": [ "18 U.S.C. \u00a7\u00a7 1831-1839 (Economic Espionage Act)", "18 U.S.C. \u00a7 793 (Espionage Act)", "California Penal Code \u00a7 502 (CDAFA)", "New York Penal Law Article 156", "Texas Penal Code \u00a7 33.02", "18 U.S.C. \u00a7 1030 (CFAA)" ], "title": "United States v. Zhang (E.D.N.Y. 2020)", "topics": [ "Economic Espionage Act", "18 U.S.C. \u00a7 1831", "18 U.S.C. \u00a7 1832", "trade secret theft via hacking", "foreign government nexus", "independent economic value", "reasonable measures to protect", "Xu Yanjun EEA conviction", "Zheng Xiaoqing steganography", "Apple AV engineer EEA", "Espionage Act", "18 U.S.C. \u00a7 793", "national defense information", "classified vs NDI distinction", "Chelsea Manning", "Edward Snowden", "Reality Winner", "Jack Teixeira Discord leaks", "printer steganography", "extraterritorial Espionage Act", "California Penal Code \u00a7 502", "CDAFA", "no damage floor California", "private right of action state", "New York Penal Law Article 156", "computer tampering", "Texas Penal Code \u00a7 33.02", "multi-state cybercrime exposure", "state AG enforcement", "trespass to chattels", "CompuServe v. Cyber Promotions", "Intel v. Hamidi", "eBay v. Bidder's Edge", "functional impairment requirement", "scraping civil liability", "pre-CFAA tort theory" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; U.S. State (California, New York, Texas)" ], "module_ids": [ "01q" ], "module_paths": [ "artifacts/modules/01q-missing-statutes.md" ], "module_titles": [ "Beyond CFAA: Economic Espionage Act, Espionage Act, State Statutes, and Trespass to Chattels" ], "slug": "united-states-v-zheng-xiaoqing-n-d-n-y-2022", "statutes": [ "18 U.S.C. \u00a7\u00a7 1831-1839 (Economic Espionage Act)", "18 U.S.C. \u00a7 793 (Espionage Act)", "California Penal Code \u00a7 502 (CDAFA)", "New York Penal Law Article 156", "Texas Penal Code \u00a7 33.02", "18 U.S.C. \u00a7 1030 (CFAA)" ], "title": "United States v. Zheng Xiaoqing (N.D.N.Y. 2022)", "topics": [ "Economic Espionage Act", "18 U.S.C. \u00a7 1831", "18 U.S.C. \u00a7 1832", "trade secret theft via hacking", "foreign government nexus", "independent economic value", "reasonable measures to protect", "Xu Yanjun EEA conviction", "Zheng Xiaoqing steganography", "Apple AV engineer EEA", "Espionage Act", "18 U.S.C. \u00a7 793", "national defense information", "classified vs NDI distinction", "Chelsea Manning", "Edward Snowden", "Reality Winner", "Jack Teixeira Discord leaks", "printer steganography", "extraterritorial Espionage Act", "California Penal Code \u00a7 502", "CDAFA", "no damage floor California", "private right of action state", "New York Penal Law Article 156", "computer tampering", "Texas Penal Code \u00a7 33.02", "multi-state cybercrime exposure", "state AG enforcement", "trespass to chattels", "CompuServe v. Cyber Promotions", "Intel v. Hamidi", "eBay v. Bidder's Edge", "functional impairment requirement", "scraping civil liability", "pre-CFAA tort theory" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [], "module_ids": [ "02e" ], "module_paths": [ "artifacts/modules/02e-hipaa-security-rule-full.md" ], "module_titles": [ "HIPAA Security Rule: A Complete Operational Guide for Security Researchers and Healthcare Pen Testers" ], "slug": "united-states-v-zhou-8th-cir-2012-hipaa-criminal-knowing-standard", "statutes": [ "HIPAA (Pub. L. 104-191)", "HITECH Act (Pub. L. 111-5)", "45 C.F.R. Parts 160, 164", "45 C.F.R. \u00a7 164.308 (Administrative Safeguards)", "45 C.F.R. \u00a7 164.310 (Physical Safeguards)", "45 C.F.R. \u00a7 164.312 (Technical Safeguards)", "45 C.F.R. \u00a7 164.402 (Breach Definition)", "45 C.F.R. \u00a7 164.404 (Individual Notice)", "45 C.F.R. \u00a7 164.406 (Media Notice)", "45 C.F.R. \u00a7 164.408 (HHS Notice)", "45 C.F.R. \u00a7 164.410 (BA Breach Notification)", "45 C.F.R. \u00a7 164.504(e) (BAA Requirements)", "42 U.S.C. \u00a7 1320d-5 (Civil Monetary Penalties)", "42 U.S.C. \u00a7 1320d-6 (Criminal Penalties)", "21 U.S.C. \u00a7 524B (FD&C Act Medical Device Cybersecurity)", "California Civil Code \u00a7 56 (CMIA)", "Texas Health & Safety Code \u00a7 181 (TMRPA)", "New York SHIELD Act (2019)" ], "title": "United States v. Zhou (8th Cir. 2012) \u2014 HIPAA criminal knowing standard", "topics": [ "HIPAA Security Rule", "ePHI", "PHI", "covered entities", "business associates", "BAA", "Business Associate Agreement", "subcontractor chain", "Privacy Rule", "Breach Notification Rule", "administrative safeguards", "physical safeguards", "technical safeguards", "required vs addressable controls", "addressable implementation specification", "risk analysis", "unique user identification", "audit controls", "transmission security", "encryption safe harbor", "60-day breach notification clock", "Wall of Shame", "500-person threshold", "media notice", "surrogate notice", "OCR civil monetary penalties", "4-tier CMP framework", "willful neglect", "42 U.S.C. \u00a7 1320d-6 criminal penalties", "false pretenses 5 years", "personal gain 10 years", "HITECH Act", "Change Healthcare breach 2024", "ALPHV BlackCat", "UnitedHealth Group", "Advocate Aurora pixel tracking", "Meta Pixel HIPAA", "HCA Healthcare breach 2023", "FDA 2023 Cybersecurity Guidance", "Section 524B FD&C Act", "cyber device", "SBOM medical device", "postmarket cybersecurity obligations", "healthcare pen test scope letter", "PHI handling during testing", "minimum necessary standard", "data destruction NIST SP 800-88", "California CMIA", "Cal. Civ. Code \u00a7 56", "CMIA private right of action", "Texas Health & Safety Code \u00a7 181", "TMRPA", "New York SHIELD Act", "state health privacy law overlay", "45 C.F.R. Part 164", "safe grey red healthcare matrix", "BOLA EHR vulnerability", "packet capture ePHI destruction", "medical device pen testing", "infusion pump security", "state AG HIPAA enforcement" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal; International (extradition/diplomacy)" ], "module_ids": [ "01o" ], "module_paths": [ "artifacts/modules/01o-nation-state-indictments.md" ], "module_titles": [ "Nation-State Indictments: Charging Foreign Hackers the U.S. Cannot Extradite" ], "slug": "united-states-v-zhu-hua-and-zhang-shilong-s-d-n-y-2018", "statutes": [ "18 U.S.C. \u00a7 1030", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 371", "18 U.S.C. \u00a7 951", "18 U.S.C. \u00a7\u00a7 1831-1832 (Economic Espionage Act)", "18 U.S.C. \u00a7 1956", "50 U.S.C. \u00a7 1705 (IEEPA sanctions)" ], "title": "United States v. Zhu Hua and Zhang Shilong (S.D.N.Y. 2018)", "topics": [ "GRU", "APT28", "Fancy Bear", "Viktor Netyksho", "DNC hack", "X-Agent malware", "Guccifer 2.0", "DCLeaks", "Mueller indictment", "unregistered foreign agent", "APT10", "Cloud Hopper", "MSP compromise", "supply chain espionage", "Xu Yanjun", "MSS", "Jiangsu State Security Department", "Economic Espionage Act", "turbofan blade theft", "extradition from Belgium", "first Chinese intel officer convicted", "Mabna Institute", "Iranian IRGC hacking", "university data theft", "OFAC SDN designation", "indictment plus sanctions combo", "Park Jin Hyok", "Lazarus Group", "North Korea", "Sony Pictures hack", "Bangladesh Bank SWIFT heist", "WannaCry attribution", "DPRK cryptocurrency revenue", "in absentia indictment", "attribution standard", "foreign policy instrument", "extradition gap", "nation-state prosecution doctrine" ] }, { "difficulties": [ "intermediate", "beginner" ], "jurisdictions": [ "U.S. Federal", "U.S. Federal (3rd, 9th, and SCOTUS circuits); International (extradition cases)", "U.S. Federal; U.S. State (California, New York); International (Budapest Convention)", "U.S. Federal; U.S. State; EU (GDPR); International", "U.S. Federal + State + International (GDPR, BIPA)" ], "module_ids": [ "01a", "01d", "01j", "01m", "01u", "02a" ], "module_paths": [ "artifacts/modules/01a-cfaa-federal-statutes.md", "artifacts/modules/01d-landmark-cases.md", "artifacts/modules/01j-bug-bounty-legal.md", "artifacts/modules/01m-hacker-lawsuits.md", "artifacts/modules/01u-safe-harbor-vdp-bug-bounty.md", "artifacts/modules/02a-osint-legal-limits-dark-web.md" ], "module_titles": [ "CFAA and the Federal Criminal Toolkit", "Landmark Cases: Prosecutions and Civil Suits", "Bug Bounty Legal Protections: What Security Researchers and Companies Actually Have", "Hacker Lawsuits: The Cases That Define Your Scope", "Safe Harbor, VDPs, and Bug Bounty Legal Limits", "OSINT Legal Limits, Dark Web Operations, and Blockchain Intelligence" ], "slug": "van-buren-v-united-states-141-s-ct-1648-2021", "statutes": [ "18 U.S.C. \u00a7 1030", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7\u00a7 1961-1964", "18 U.S.C. \u00a7 1963", "18 U.S.C. \u00a7 1956", "15 U.S.C. \u00a7 45", "18 U.S.C. \u00a7 1030 (CFAA)", "Foreign Sovereign Immunities Act (FSIA)", "18 U.S.C. \u00a7 1030(g) (CFAA civil action)", "California Penal Code \u00a7 502", "New York Penal Law Article 156", "CISA Binding Operational Directive 20-01", "Budapest Convention Article 6", "17 U.S.C. \u00a7 1201 (DMCA)", "DOJ Charging Policy for CFAA (2022)", "Texas Penal Code \u00a7 33.02", "GDPR Article 33", "18 U.S.C. \u00a7 2701 (Stored Communications Act)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 2261A (federal cyberstalking)", "18 U.S.C. \u00a7 1029 (access device fraud)", "18 U.S.C. \u00a7 875 (interstate threats)", "18 U.S.C. \u00a7 1956 (money laundering)", "GDPR Article 5", "GDPR Article 9", "California Civil Code \u00a7 1798.100 (CCPA)", "California AB 1732 (2022)", "New York Exec. Law \u00a7 79-n", "740 ILCS 14 (Illinois BIPA)", "50 U.S.C. \u00a7 1705 (IEEPA/OFAC)" ], "title": "Van Buren v. United States, 141 S. Ct. 1648 (2021)", "topics": [ "CFAA", "unauthorized access", "exceeds authorized access", "protected computer", "wire fraud", "aggravated identity theft", "RICO", "Van Buren", "FTC Act Section 5", "money laundering", "forfeiture", "federal cybercrime prosecutions", "CCIPS", "mandatory consecutive sentence", "criminal enterprise", "venue", "jurisdiction", "standing", "Spokeo", "TransUnion", "CFAA criminal prosecution", "CFAA civil action", "extradition", "nation-state hacking", "Lazarus Group", "North Korea", "Yahoo hack", "Russian FSB", "LinkedIn breach", "REvil ransomware", "Kaseya supply chain attack", "Bitfinex laundering", "cryptocurrency seizure", "blockchain forensics", "FSIA", "foreign sovereign immunity", "NSO Group", "Pegasus spyware", "web scraping", "public data access", "cease and desist plus technical blocks", "unauthorized access revocation", "ransomware prosecution", "restitution", "indictment without custody", "SolarWinds", "SUNBURST", "SEC cyber disclosure enforcement", "internal accounting controls", "disclosure controls", "bug bounty programs", "vulnerability disclosure policy", "VDP", "CFAA good faith research", "DOJ charging policy 2022", "Van Buren authorized access", "CISA BOD 20-01", "HackerOne", "Bugcrowd", "Intigriti", "HackerOne AI Research Safe Harbor", "coordinated vulnerability disclosure", "responsible disclosure", "90-day disclosure timeline", "ISO/IEC 29147", "ISO/IEC 30111", "Google Project Zero standard", "full disclosure", "scope discipline", "contractual authorization", "state computer crime statutes", "California PC 502", "New York Penal Law Article 156", "CFAA reform proposals", "Security Research Act", "Budapest Convention Article 6", "AI security research", "prompt injection", "model extraction", "federal VDP mandate", "terms of service violations post-Van Buren", "civil CFAA suits", "safe harbor proposals", "hiQ LinkedIn scraping", "Power Ventures CFAA", "Auernheimer venue", "bug bounty authorization", "scope creep", "CFAA researcher exposure", "Sandvig v. Barr ToS research", "DOJ good-faith policy 2022", "safe harbor", "HackerOne platform safe harbor", "civil CFAA suits against researchers", "DMCA 1201 security research", "authorized security research exemption", "penetration testing contracts", "scope authorization", "SolarWinds CISO liability", "NSO Group spyware civil liability", "Mitnick supervised release", "researcher sentencing", "hacker-first legal doctrine", "authorized access", "Van Buren good faith", "DOJ 2022 CFAA charging policy", "bug bounty safe harbor", "coordinated disclosure", "Auernheimer problem", "DMCA 1201 security research exemption", "HackerOne legal protection", "Bugcrowd scope", "CVD timeline", "90-day disclosure", "state computer fraud law", "New York Penal Law 156", "Texas PC 33.02", "GDPR during testing", "international extradition", "pen test authorization", "scope letter legal effect", "good faith research defense", "OSINT", "Stored Communications Act", "SCA 18 U.S.C. \u00a7 2701", "scraping public data", "hiQ v. LinkedIn", "Facebook v. Power Ventures", "Van Buren scraping", "CFAA \u00a7 1030(a)(2)", "GDPR Article 5 scraping", "CCPA scraping", "cyberstalking 18 U.S.C. \u00a7 2261A", "state stalking statutes", "aggregation problem", "doxxing", "no federal doxxing statute", "California AB 1732", "New York Exec. Law \u00a7 79-n", "intentional infliction of emotional distress", "Tor legal status", "Tor exit node liability", "dark web marketplace", "Silk Road", "Ulbricht", "buying on dark web", "access device fraud \u00a7 1029", "drug trafficking conspiracy", "continuing criminal enterprise", "Bitcoin evidence", "Gratkowski no 4th Amendment blockchain", "blockchain analytics admissibility", "Chainalysis", "Elliptic", "privacy coins", "Monero legal risk", "Tornado Cash OFAC sanctions", "cryptocurrency mixing", "Clearview AI", "BIPA 740 ILCS 14", "biometric data", "GDPR Article 9 special category", "facial recognition scraping", "threat intelligence forums", "criminal forum access", "ISAC antitrust", "AIS CISA", "safe grey red OSINT matrix", "Google dorking", "LinkedIn scraping", "Shodan", "HaveIBeenPwned", "Maltego", "reverse image search", "public records FOIA", "paste sites" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal + State" ], "module_ids": [ "01t", "01x" ], "module_paths": [ "artifacts/modules/01t-flipper-zero-legal-liability.md", "artifacts/modules/01x-social-engineering-legal-limits.md" ], "module_titles": [ "Flipper Zero Legal Liability: Exact Statute + Case Analysis for Security Researchers", "Social Engineering Legal Limits: Wire Fraud, Impersonation, ECPA, and the Authorization Gap" ], "slug": "van-buren-v-united-states-593-u-s-374-2021", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1030(a)(2)", "18 U.S.C. \u00a7 1030(a)(5)(A)", "18 U.S.C. \u00a7 1030(a)(5)(C)", "18 U.S.C. \u00a7 1030(c)(4)(B)", "18 U.S.C. \u00a7 1029(a)(2)", "18 U.S.C. \u00a7 1029(a)(3)", "18 U.S.C. \u00a7 1029(a)(4)", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1343", "47 U.S.C. \u00a7 333 (FCC jamming prohibition)", "47 U.S.C. \u00a7 501 (FCC criminal penalties)", "California Penal Code \u00a7 502", "New York Penal Law \u00a7 165.15", "Texas Penal Code \u00a7 33.02", "Washington RCW 9A.90.040", "18 U.S.C. \u00a7 912", "18 U.S.C. \u00a7 1028", "18 U.S.C. \u00a7 2511", "15 U.S.C. \u00a7\u00a7 6821-6827 (GLBA)", "15 U.S.C. \u00a7 7701 (CAN-SPAM)", "18 U.S.C. \u00a7 1037", "18 U.S.C. \u00a7 1030(a)(5)", "47 U.S.C. \u00a7 227 (TCPA)", "47 U.S.C. \u00a7 227(e) (Truth in Caller ID Act)", "47 C.F.R. \u00a7 64.1604", "California Penal Code \u00a7 632", "California Business & Professions Code \u00a7 17200", "New York Penal Law \u00a7 156.05", "Florida Statutes \u00a7 815.06" ], "title": "Van Buren v. United States, 593 U.S. 374 (2021)", "topics": [ "Flipper Zero", "Sub-GHz replay attack", "KeeLoq rolling code", "RollJam attack", "CC1101 transceiver", "NFC cloning", "RFID skimming", "Mifare Classic attack", "ST25R3916", "EMV contactless skimming", "BadUSB", "HID injection", "Ducky Script", "USB HID keyboard emulation", "IR blaster", "TV-B-Gone", "ATM IR manipulation", "BLE spam", "BlueSnarfing", "BlueBorne", "GATT enumeration", "CFAA unauthorized access", "exceeds authorized access", "Van Buren analysis", "DOJ 2022 CFAA charging policy", "good-faith security research", "FCC jamming prohibition", "47 U.S.C. \u00a7 333", "strict liability jamming", "ISM band", "Part 15 intentional radiator", "authorized pen-test context", "access device fraud", "device-making equipment", "counterfeit access device", "hotel keycard cloning", "payment card skimming", "wire fraud data exfiltration", "aggravated identity theft mandatory consecutive", "critical infrastructure sentencing enhancement", "hospital equipment IR", "safe grey red matrix", "firmware selection legal implications", "Unleashed firmware", "RogueMaster firmware", "Faraday cage testing", "California Penal Code \u00a7 502", "Texas Penal Code \u00a7 33.02", "RF shielded bag rule", "scope letter HID injection", "get-out-of-jail letter", "social engineering", "wire fraud", "scheme to defraud", "18 U.S.C. \u00a7 1343", "United States v. Czubinski", "scheme to defraud element", "phishing authorization gap", "federal impersonation", "18 U.S.C. \u00a7 912", "false personation federal officer", "identity document fraud", "18 U.S.C. \u00a7 1028", "ECPA", "wiretapping", "18 U.S.C. \u00a7 2511", "one-party consent", "all-party consent", "California Penal Code \u00a7 632", "vishing recording", "GLBA pretexting", "15 U.S.C. \u00a7 6821", "FTC pretexting enforcement", "financial institution social engineering", "CAN-SPAM Act", "CFAA phishing malware", "phishing damage", "TCPA bulk SMS", "SMiShing", "Truth in Caller ID Act", "47 U.S.C. \u00a7 227(e)", "caller ID spoofing", "caller ID spoofing legal vs illegal", "California Business and Professions Code \u00a7 17200", "UCL unfair business practices", "state deceptive practices", "human element authorization gap", "employee consent third party", "Van Buren authorization principle", "pen test scope letter limits", "company authorization employee rights", "safe grey red matrix social engineering", "AT&T insider bribery Fahd", "SIM swap prosecution", "Joseph O Connor PlugwalkJoe", "Graham Clark Twitter SIM swap", "BEC wire fraud", "business email compromise", "FDIC impersonation", "pretexting pre-engagement notice", "GLBA customer financial records", "TCPA ATDS Facebook v. Duguid", "red team impersonation IT helpdesk", "LinkedIn OSINT legal limits", "dumpster diving legal", "shoulder surfing" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal; International (OFAC, FATF)" ], "module_ids": [ "02h" ], "module_paths": [ "artifacts/modules/02h-cryptocurrency-blockchain-legal-framework.md" ], "module_titles": [ "Cryptocurrency and Blockchain Legal Frameworks for Security Researchers" ], "slug": "van-loon-v-department-of-treasury-5th-cir-2024", "statutes": [ "31 U.S.C. \u00a7 5330", "31 U.S.C. \u00a7\u00a7 5311-5336 (Bank Secrecy Act)", "18 U.S.C. \u00a7 1960", "50 U.S.C. \u00a7 1705 (IEEPA)", "18 U.S.C. \u00a7 1956", "18 U.S.C. \u00a7 1957", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "21 U.S.C. \u00a7 853(p)", "15 U.S.C. \u00a7 78j (Securities Exchange Act \u00a7 10(b))", "15 U.S.C. \u00a7 77a et seq. (Securities Act of 1933)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1030(a)(4)", "26 U.S.C. \u00a7 7201" ], "title": "Van Loon v. Department of Treasury (5th Cir. 2024)", "topics": [ "FinCEN MSB registration", "31 U.S.C. \u00a7 5330", "Bank Secrecy Act", "AML/KYC", "money transmitter", "FinCEN 2013 guidance", "FinCEN 2019 framework", "18 U.S.C. \u00a7 1960 unlicensed money transmitting", "OFAC sanctions", "SDN list", "Tornado Cash designation", "Van Loon v. Treasury 5th Circuit 2024", "immutable smart contracts", "Lazarus Group DPRK addresses", "OFAC strict liability", "blockchain analytics", "Chainalysis Reactor", "Howey test", "SEC v. Ripple programmatic sales", "SEC v. Coinbase", "SEC v. Binance", "staking as securities", "Liberty Reserve", "BTC-e Vinnik", "Tornado Cash founders prosecution", "Samourai Wallet CoinJoin", "crypto forfeiture", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "civil vs criminal forfeiture", "Silk Road Bitcoin seizure", "Bitfinex $3.6B seizure", "private key seizure", "ransomware payment OFAC liability", "Evil Corp alias evasion", "SAR filing", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Lloyd\u2019s Y5381 exclusion", "Gratkowski no 4th Amendment blockchain", "pseudonymity vs anonymity", "Daubert blockchain analytics", "Sterlingov Bitcoin Fog", "Monero regulatory pressure", "privacy coins", "CoinJoin", "Wasabi Wallet", "smart contract auditing liability", "white-hat returns Poly Network Euler Finance", "bug bounty crypto payment", "DOJ Kleptocracy rewards", "substitute asset forfeiture", "Colonial Pipeline BTC recovery" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [ "U.S. Federal; U.S. State (California); EU (GDPR)" ], "module_ids": [ "01f" ], "module_paths": [ "artifacts/modules/01f-victim-remedies.md" ], "module_titles": [ "Victim Remedies and Procedural Hurdles" ], "slug": "whatsapp-llc-v-nso-group-technologies-9th-cir-2021", "statutes": [ "18 U.S.C. \u00a7 1030(g) (CFAA civil action)", "18 U.S.C. \u00a7 3663A (Mandatory Victims Restitution Act)", "California Penal Code \u00a7 502", "California Civil Code \u00a7 1798.150 (CCPA)", "Foreign Sovereign Immunities Act (FSIA)", "GDPR Article 82" ], "title": "WhatsApp LLC v. NSO Group Technologies (9th Cir. 2021)", "topics": [ "restitution", "forfeiture", "injunctive relief", "TRO", "compensatory damages", "punitive damages", "CFAA civil action", "CCPA damages", "class action against breached organization", "standing", "Spokeo", "TransUnion", "Article III standing", "injury in fact", "attribution problem", "John Doe defendants", "personal jurisdiction", "venue", "forum non conveniens", "foreign sovereign immunity", "FSIA terrorism exception", "extradition", "dual criminality", "privilege over forensics reports", "attorney-client privilege", "work product doctrine", "circuit split on standing", "negligence", "breach of contract", "GDPR data subject compensation", "Mandatory Victims Restitution Act" ] }, { "difficulties": [ "intermediate" ], "jurisdictions": [ "U.S. Federal (3rd, 9th, and SCOTUS circuits); International (extradition cases)" ], "module_ids": [ "01d" ], "module_paths": [ "artifacts/modules/01d-landmark-cases.md" ], "module_titles": [ "Landmark Cases: Prosecutions and Civil Suits" ], "slug": "whatsapp-llc-v-nso-group-technologies-12-f-4th-1-9th-cir-2021", "statutes": [ "18 U.S.C. \u00a7 1030 (CFAA)", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 1028A", "18 U.S.C. \u00a7 1956", "Foreign Sovereign Immunities Act (FSIA)" ], "title": "WhatsApp LLC v. NSO Group Technologies, 12 F.4th 1 (9th Cir. 2021)", "topics": [ "venue", "jurisdiction", "standing", "Spokeo", "TransUnion", "CFAA criminal prosecution", "CFAA civil action", "extradition", "nation-state hacking", "Lazarus Group", "North Korea", "Yahoo hack", "Russian FSB", "LinkedIn breach", "REvil ransomware", "Kaseya supply chain attack", "Bitfinex laundering", "cryptocurrency seizure", "blockchain forensics", "FSIA", "foreign sovereign immunity", "NSO Group", "Pegasus spyware", "web scraping", "public data access", "cease and desist plus technical blocks", "unauthorized access revocation", "ransomware prosecution", "restitution", "forfeiture", "indictment without custody", "SolarWinds", "SUNBURST", "SEC cyber disclosure enforcement", "internal accounting controls", "disclosure controls" ] }, { "difficulties": [ "advanced" ], "jurisdictions": [], "module_ids": [ "02b" ], "module_paths": [ "artifacts/modules/02b-zero-day-market-commercial-spyware.md" ], "module_titles": [ "Zero-Day Market and Commercial Spyware Law" ], "slug": "whatsapp-v-nso-group", "statutes": [ "18 U.S.C. \u00a7 1030", "18 U.S.C. \u00a7 2511", "17 U.S.C. \u00a7 1201", "15 C.F.R. Parts 730-774", "EAR ECCN 4E001" ], "title": "WhatsApp v. NSO Group", "topics": [ "zero-day market", "export controls", "NSO Group", "Pegasus", "commercial spyware", "stalkerware", "VEP", "bug bounty vs broker", "government procurement", "DMCA Section 1201", "Wassenaar Arrangement", "UK CMA", "Germany StGB 202c" ] } ], "content_files_scanned": 29, "generated_at": "2026-04-17T18:47:53.878404+00:00", "launch_offline": false, "launch_status": "healthy", "learned_keyword_count": 50, "modules": [ { "audience": [ "criminal defense attorneys", "prosecutors", "compliance officers", "security researchers", "corporate counsel" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01a-cfaa-federal-statutes.md", "id": "01a", "jurisdiction": "U.S. Federal", "last_updated": "2026-04-12", "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01a.md", "status": "complete", "summary": "This post explains the main federal anti-hacking law in plain English. The key modern question is whether someone broke into a part of a computer system they were not allowed to enter, not just whether they misused information they could already see. It also shows why federal cyber cases usually include extra charges beyond the CFAA.", "title": "CFAA and the Federal Criminal Toolkit", "topics": [ "CFAA", "unauthorized access", "exceeds authorized access", "protected computer", "wire fraud", "aggravated identity theft", "RICO", "Van Buren", "FTC Act Section 5", "money laundering", "forfeiture", "federal cybercrime prosecutions", "CCIPS", "mandatory consecutive sentence", "criminal enterprise" ] }, { "audience": [ "corporate counsel", "compliance officers", "class action litigators", "privacy attorneys", "data breach response teams" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01b-state-breach-notification.md", "id": "01b", "jurisdiction": "U.S. State (California, New York, Texas); EU (comparative)", "last_updated": "2026-04-12", "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01b.md", "status": "complete", "summary": "This post explains what companies owe people after a data breach. If a business waits too long to notify customers or regulators, it can face lawsuits, fines, and higher damages even if the hacker is the one who carried out the attack. California and New York now make that timeline much tighter.", "title": "State Breach Notification and Private Damages", "topics": [ "breach notification", "discovery date", "30-day notification deadline", "reasonable security", "CCPA private right of action", "statutory damages", "class action", "California breach notification", "New York breach notification", "Texas breach notification", "DFS cybersecurity regulation", "72-hour notification", "law enforcement delay exception", "notice and cure", "civil penalties", "personal information definition", "AG notification" ] }, { "audience": [ "international counsel", "data protection officers", "compliance officers", "incident response counsel", "corporate counsel advising EU-touching organizations" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01c-eu-international-frameworks.md", "id": "01c", "jurisdiction": "European Union; International (Budapest Convention parties); U.S. Federal (CLOUD Act)", "last_updated": "2026-04-15", "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01c.md", "status": "complete", "summary": "EU cyber law is not one rule. GDPR is about personal data, NIS2 is about security duties and incident reporting, and the Budapest Convention helps countries cooperate on cybercrime investigations. One ransomware event can trigger all three at once.", "title": "EU Frameworks: GDPR, NIS2, and the Budapest Convention", "topics": [ "GDPR", "NIS2", "Budapest Convention", "essential entities", "important entities", "72-hour notification", "24-hour early warning", "personal data breach", "supervisory authority", "data protection authority", "CSIRT", "ENISA", "MLAT", "Second Additional Protocol", "CLOUD Act", "24/7 contact network", "Article 35", "Article 33", "Article 34", "Article 83", "double 72-hour clock", "cross-border evidence", "international cooperation", "NIS2 fines", "GDPR fines", "Data Protection Commission", "Meta", "TikTok", "WhatsApp", "supply chain security", "risk management measures" ] }, { "audience": [ "litigators", "criminal defense attorneys", "prosecutors", "corporate counsel", "privacy and cybersecurity attorneys" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01d-landmark-cases.md", "id": "01d", "jurisdiction": "U.S. Federal (3rd, 9th, and SCOTUS circuits); International (extradition cases)", "last_updated": "2026-04-15", "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01d.md", "status": "complete", "summary": "This post is the case-law map for cybersecurity. It explains the court decisions that define what counts as hacking, when data-breach victims can sue, how spyware cases fit in U.S. courts, and why extradition and procedure often matter as much as the underlying facts.", "title": "Landmark Cases: Prosecutions and Civil Suits", "topics": [ "venue", "jurisdiction", "standing", "Spokeo", "TransUnion", "CFAA criminal prosecution", "CFAA civil action", "extradition", "nation-state hacking", "Lazarus Group", "North Korea", "Yahoo hack", "Russian FSB", "LinkedIn breach", "REvil ransomware", "Kaseya supply chain attack", "Bitfinex laundering", "cryptocurrency seizure", "blockchain forensics", "FSIA", "foreign sovereign immunity", "NSO Group", "Pegasus spyware", "web scraping", "public data access", "cease and desist plus technical blocks", "unauthorized access revocation", "ransomware prosecution", "restitution", "forfeiture", "indictment without custody", "SolarWinds", "SUNBURST", "SEC cyber disclosure enforcement", "internal accounting controls", "disclosure controls" ] }, { "audience": [ "corporate counsel", "criminal defense attorneys", "compliance officers", "incident response counsel", "government attorneys" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01e-enforcement-agencies.md", "id": "01e", "jurisdiction": "U.S. Federal; International (MLAT, Budapest Convention)", "last_updated": "2026-04-15", "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01e.md", "status": "complete", "summary": "After a cyber incident, different government bodies do different jobs. The FBI investigates crimes, CISA helps with defense and coordination, regulators like the FTC and SEC look at the company's conduct, and OFAC can turn ransomware into a sanctions problem. This post maps that enforcement lineup.", "title": "Enforcement Agencies and Mechanisms", "topics": [ "DOJ", "CCIPS", "National Security Division", "U.S. Attorneys Offices", "Office of International Affairs", "FBI", "Cyber Division", "IC3", "CISA", "CIRCIA", "Binding Operational Directives", "SEC", "FTC", "OFAC", "SDN list", "ransomware sanctions", "SolarWinds", "public-company cyber disclosure", "internal accounting controls", "disclosure controls", "FinCEN", "Bank Secrecy Act", "SAR filing", "NSA", "Vulnerabilities Equities Process", "MLAT", "infrastructure seizure", "domain seizure", "cryptocurrency seizure", "blockchain forensics", "criminal vs regulatory enforcement", "law enforcement cooperation", "parallel criminal and regulatory tracks", "forfeiture", "restitution", "Colonial Pipeline", "LockBit", "Hive ransomware" ] }, { "audience": [ "litigators", "corporate counsel", "class action attorneys", "criminal defense attorneys", "incident response counsel" ], "difficulty": "advanced", "file_path": "artifacts/modules/01f-victim-remedies.md", "id": "01f", "jurisdiction": "U.S. Federal; U.S. State (California); EU (GDPR)", "last_updated": "2026-04-12", "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01f.md", "status": "complete", "summary": "Winning a cyber case is not just about proving harm. Victims still have to identify the right defendant, show the court has power over that person, prove they suffered a concrete injury, and find a realistic way to collect money or get relief. This post explains those practical hurdles.", "title": "Victim Remedies and Procedural Hurdles", "topics": [ "restitution", "forfeiture", "injunctive relief", "TRO", "compensatory damages", "punitive damages", "CFAA civil action", "CCPA damages", "class action against breached organization", "standing", "Spokeo", "TransUnion", "Article III standing", "injury in fact", "attribution problem", "John Doe defendants", "personal jurisdiction", "venue", "forum non conveniens", "foreign sovereign immunity", "FSIA terrorism exception", "extradition", "dual criminality", "privilege over forensics reports", "attorney-client privilege", "work product doctrine", "circuit split on standing", "negligence", "breach of contract", "GDPR data subject compensation", "Mandatory Victims Restitution Act" ] }, { "audience": [ "policy counsel", "corporate counsel", "security researchers", "compliance officers", "incident response counsel", "government attorneys" ], "difficulty": "advanced", "file_path": "artifacts/modules/01g-emerging-issues.md", "id": "01g", "jurisdiction": "U.S. Federal; International (UK, Budapest Convention parties)", "last_updated": "2026-04-15", "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01g.md", "status": "complete", "summary": "This post covers the parts of cyber law that are changing fastest: zero-day markets, ransomware sanctions, bug bounty safe harbors, cross-border evidence, and encryption fights. The main takeaway is that organizations need policies that can adapt, because the legal rules are still moving.", "title": "Emerging Issues in Cybersecurity Law", "topics": [ "zero-day markets", "Vulnerabilities Equities Process", "VEP", "Zerodium", "EternalBlue", "WannaCry", "NotPetya", "ransomware payments", "OFAC sanctions", "SDN list", "FinCEN", "BSA", "SAR filing", "ransomware disruption operations", "LockBit takedown", "Hive takedown", "bug bounty", "VDP", "CISA BOD 20-01", "DOJ good-faith security research policy", "CFAA reform", "safe harbor for security research", "encryption", "lawful access", "going dark", "Apple UK TCN", "Investigatory Powers Act", "CLOUD Act", "Budapest Convention Second Additional Protocol", "MLAT latency", "CIRCIA rulemaking", "payment ban proposals", "cross-border e-evidence" ] }, { "audience": [ "corporate counsel", "compliance officers", "incident response counsel", "critical infrastructure operators", "government contractors" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01h-circia.md", "id": "01h", "jurisdiction": "U.S. Federal", "last_updated": "2026-04-15", "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01h.md", "status": "complete", "summary": "CIRCIA will require many critical infrastructure companies to report serious cyber incidents to CISA within 72 hours and ransomware payments within 24 hours once the final rule takes effect. It adds a new federal reporting clock, but it does not replace state, sector, or other breach-notice duties.", "title": "CIRCIA: Cyber Incident Reporting for Critical Infrastructure", "topics": [ "CIRCIA", "critical infrastructure", "covered entity", "covered cyber incident", "72-hour reporting", "24-hour ransomware payment reporting", "PPD-21", "16 critical infrastructure sectors", "CISA", "NPRM", "safe harbor", "FOIA protection", "no admission of liability", "subpoena authority", "civil penalties", "debarment", "substantially similar reports", "operational technology", "ransomware payment reporting", "sector risk management agencies", "CIRCIA versus state breach laws", "CIRCIA versus GDPR", "CIRCIA versus NIS2", "SEC 8-K cyber disclosure", "DFS 23 NYCRR 500" ] }, { "audience": [ "healthcare attorneys", "HIPAA compliance officers", "health system counsel", "business associate counsel", "privacy attorneys" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01i-hipaa-security-rule.md", "id": "01i", "jurisdiction": "U.S. Federal (HIPAA); U.S. State (enforcement by state AGs)", "last_updated": "2026-04-12", "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01i.md", "status": "complete", "summary": "This post explains the proposed HIPAA Security Rule overhaul in plain English. HHS is trying to make healthcare cybersecurity less flexible and more mandatory, especially around basics like MFA, encryption, and vendor reporting. It is an important proposal, but it is still not the final rule.", "title": "HIPAA Security Rule Update: The 2025 Overhaul", "topics": [ "HIPAA Security Rule", "ePHI", "covered entities", "business associates", "subcontractors", "required vs addressable distinction", "elimination of addressable standard", "MFA mandatory", "encryption mandatory", "technology asset inventory", "network map", "vulnerability scanning 6-month frequency", "penetration testing 12-month frequency", "72-hour system restoration", "BAA enhanced notification", "24-hour business associate notification", "annual compliance audit", "risk analysis", "HIPAA Breach Notification Rule", "HHS OCR enforcement", "Wall of Shame", "HITECH", "state AG HIPAA enforcement", "Change Healthcare breach", "45 CFR Part 164", "90 Fed. Reg. 898", "NPRM 2025", "civil penalties per violation", "willful neglect" ] }, { "audience": [ "security researchers", "corporate counsel", "compliance officers", "technology companies", "AI/ML security teams" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01j-bug-bounty-legal.md", "id": "01j", "jurisdiction": "U.S. Federal; U.S. State (California, New York); International (Budapest Convention)", "last_updated": "2026-04-12", "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01j.md", "status": "complete", "summary": "Bug bounty work is not automatically legal just because it improves security. The safest protection comes from written permission through a bug bounty or disclosure program, because DOJ policy alone does not stop civil suits, state-law claims, or arguments that a researcher went outside authorized scope.", "title": "Bug Bounty Legal Protections: What Security Researchers and Companies Actually Have", "topics": [ "bug bounty programs", "vulnerability disclosure policy", "VDP", "CFAA good faith research", "DOJ charging policy 2022", "Van Buren authorized access", "CISA BOD 20-01", "HackerOne", "Bugcrowd", "Intigriti", "HackerOne AI Research Safe Harbor", "coordinated vulnerability disclosure", "responsible disclosure", "90-day disclosure timeline", "ISO/IEC 29147", "ISO/IEC 30111", "Google Project Zero standard", "full disclosure", "scope discipline", "contractual authorization", "state computer crime statutes", "California PC 502", "New York Penal Law Article 156", "CFAA reform proposals", "Security Research Act", "Budapest Convention Article 6", "AI security research", "prompt injection", "model extraction", "federal VDP mandate", "terms of service violations post-Van Buren", "civil CFAA suits", "safe harbor proposals" ] }, { "audience": [ "AI/ML practitioners", "corporate counsel", "compliance officers", "policy counsel", "product teams" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01k-aiml-regulations.md", "id": "01k", "jurisdiction": "EU; U.S. Federal; International", "last_updated": "2026-04-15", "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01k.md", "status": "complete", "summary": "There is no single AI law that covers everything everywhere. Companies have to map where they operate, what kind of AI they use, and whether that system triggers EU, state, sector, or consumer-protection rules. This post explains that patchwork with cybersecurity risk in mind.", "title": "AI/ML Regulations: Cross-Jurisdiction Map", "topics": [ "EU AI Act", "AI risk categories", "prohibited AI systems", "high-risk AI", "NIST AI RMF", "Executive Order 14110", "FTC AI enforcement", "algorithmic accountability", "AI bias", "AI transparency", "AI governance", "GDPR automated decision-making", "Article 22 GDPR", "right to explanation", "AI liability", "model cards", "AI audit requirements", "conformity assessment", "CE marking AI", "AI sandboxes" ] }, { "audience": [ "corporate counsel", "compliance officers", "CISOs", "incident response counsel", "critical infrastructure operators" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01l-incident-reporting.md", "id": "01l", "jurisdiction": "U.S. Federal; EU; U.S. State (New York)", "last_updated": "2026-04-15", "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01l.md", "status": "complete", "summary": "One cyberattack can start several different reporting clocks at the same time. This post explains who has to be told, how fast each notice is due, which reports stay private, and why companies need a single decision process instead of treating each law in isolation.", "title": "Cyber Incident Reporting: Multi-Framework Comparison", "topics": [ "incident reporting", "CIRCIA 72-hour", "SEC 8-K disclosure", "GDPR 72-hour notification", "NIS2 early warning 24-hour", "HIPAA 60-day breach notification", "FinCEN SAR", "multi-framework reporting", "reporting clock triggers", "materiality determination", "substantial business impact", "ransomware payment reporting", "CISA reporting portal", "DFS 72-hour notification", "notification fatigue", "reporting overlap" ] }, { "audience": [ "security researchers", "hackers", "bug bounty hunters", "corporate counsel", "criminal defense attorneys" ], "difficulty": "beginner", "file_path": "artifacts/modules/01m-hacker-lawsuits.md", "id": "01m", "jurisdiction": "U.S. Federal", "last_updated": "2026-04-17", "phase": 2, "quiz_path": "artifacts/quizzes/quiz-01m.md", "status": "complete", "summary": "This module is the technical translation of cybersecurity case law. It explains court decisions not through legal jargon, but through the lens of technical authorization, authentication bypass, and system boundaries. If you probe systems, scrape data, or conduct security research, these are the cases that determine where the \"Safe Harbor\" ends and the \"Felony\" begins.", "title": "Hacker Lawsuits: The Cases That Define Your Scope", "topics": [ "Van Buren authorized access", "hiQ LinkedIn scraping", "Power Ventures CFAA", "Auernheimer venue", "bug bounty authorization", "scope creep", "CFAA researcher exposure", "Sandvig v. Barr ToS research", "DOJ good-faith policy 2022", "safe harbor", "HackerOne platform safe harbor", "civil CFAA suits against researchers", "DMCA 1201 security research", "authorized security research exemption", "penetration testing contracts", "scope authorization", "SolarWinds CISO liability", "NSO Group spyware civil liability", "Mitnick supervised release", "researcher sentencing", "hacker-first legal doctrine" ] }, { "audience": [ "security researchers", "criminal defense attorneys", "hackers", "students", "compliance officers" ], "difficulty": "beginner", "file_path": "artifacts/modules/01n-criminal-prosecution-history.md", "id": "01n", "jurisdiction": "U.S. Federal (1st, 2nd, 7th circuits)", "last_updated": "2026-04-17", "phase": 2, "quiz_path": "artifacts/quizzes/quiz-01n.md", "status": "complete", "summary": "Six prosecutions shaped every legal rule that applies to hackers and security researchers today. They established what \"damage\" means under the CFAA, whether operators of illegal marketplaces go to prison even if they never touched the contraband, why Bitcoin is not anonymous, and what happens to researchers who wrote malware before they became heroes. Understanding these cases is not optional background \u2014 they are the foundation of every charging decision, every plea negotiation, and every supervised release condition that will touch you if something goes wrong.", "title": "Foundational Criminal Prosecutions: Morris Worm to Marcus Hutchins", "topics": [ "Morris Worm", "Robert T. Morris", "CFAA first conviction", "Kevin Mitnick", "social engineering", "supervised release internet ban", "Albert Gonzalez", "TJ Maxx breach", "Heartland Payment Systems", "SQL injection prosecution", "concurrent sentencing", "section 1029 access device fraud", "Ross Ulbricht", "Silk Road", "dark web marketplace", "operator liability", "RICO cybercrime", "life sentence hacking", "Bitcoin seizure", "Jeremy Hammond", "LulzSec", "Anonymous", "STRATFOR hack", "FBI informant entrapment", "AntiSec", "Marcus Hutchins", "WannaCry killswitch", "Kronos banking malware", "DEF CON arrest", "researcher sentencing mitigation", "time served cybercrime", "malware authorship liability" ] }, { "audience": [ "security researchers", "threat intelligence analysts", "corporate counsel", "government attorneys", "policy counsel" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01o-nation-state-indictments.md", "id": "01o", "jurisdiction": "U.S. Federal; International (extradition/diplomacy)", "last_updated": "2026-04-17", "phase": 2, "quiz_path": "artifacts/quizzes/quiz-01o.md", "status": "complete", "summary": "The U.S. government regularly charges Russian military intelligence officers, Chinese MSS operatives, Iranian IRGC-linked hackers, and North Korean state programmers with federal crimes \u2014 knowing full well that none of them will show up for arraignment. These indictments are not primarily criminal justice instruments. They are foreign policy tools: they create a public evidentiary record, enable sanctions, restrict travel, freeze assets, and signal to allied governments what attribution the U.S. is prepared to defend in court. In the rare case where a charged nation-state actor makes the mistake of traveling through a cooperating jurisdiction, extradition becomes real. This module explains what these indictments are, what they accomplish, and what defenders can learn from them about attacker tradecraft, attribution methodology, and statutory exposure.", "title": "Nation-State Indictments: Charging Foreign Hackers the U.S. Cannot Extradite", "topics": [ "GRU", "APT28", "Fancy Bear", "Viktor Netyksho", "DNC hack", "X-Agent malware", "Guccifer 2.0", "DCLeaks", "Mueller indictment", "unregistered foreign agent", "APT10", "Cloud Hopper", "MSP compromise", "supply chain espionage", "Xu Yanjun", "MSS", "Jiangsu State Security Department", "Economic Espionage Act", "turbofan blade theft", "extradition from Belgium", "first Chinese intel officer convicted", "Mabna Institute", "Iranian IRGC hacking", "university data theft", "OFAC SDN designation", "indictment plus sanctions combo", "Park Jin Hyok", "Lazarus Group", "North Korea", "Sony Pictures hack", "Bangladesh Bank SWIFT heist", "WannaCry attribution", "DPRK cryptocurrency revenue", "in absentia indictment", "attribution standard", "foreign policy instrument", "extradition gap", "nation-state prosecution doctrine" ] }, { "audience": [ "security researchers", "incident response professionals", "corporate counsel", "criminal defense attorneys", "IR teams" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01p-ransomware-prosecutions.md", "id": "01p", "jurisdiction": "U.S. Federal; International (NCA, Europol coordination)", "last_updated": "2026-04-17", "phase": 2, "quiz_path": "artifacts/quizzes/quiz-01p.md", "status": "complete", "summary": "The U.S. government no longer just charges ransomware actors \u2014 it runs multi-agency \"disruption operations\" combining indictments, server seizures, cryptocurrency recovery, and sanctions designations. Most ransomware operators live in Russia, Belarus, or North Korea where extradition is impossible. So DOJ has developed a toolkit that imposes costs short of a courtroom: freeze wallets, expose identities, publish stolen negotiation logs, and release decryption keys to victims. When someone does get extradited \u2014 typically a lower-level affiliate or money launderer \u2014 they face CFAA charges (unauthorized access) plus federal money laundering statutes that carry decades of exposure. If you work in incident response, threat intelligence, or security research, this module maps who got charged, on what theory, why some people walk free, and where ransomware victims themselves can become OFAC defendants.", "title": "Ransomware Group Prosecutions: DOJ Disruption Operations and Criminal Charges", "topics": [ "ransomware prosecution", "DOJ disruption operations", "REvil", "Sodinokibi", "Yaroslav Vasinskyi", "affiliate liability", "Kaseya attack", "JBS attack", "DarkSide", "Colonial Pipeline", "ransom recovery", "cryptocurrency seizure", "FBI private key access", "Conti group", "Mikhail Matveev", "Wazawaka", "Alla Witte", "Trickbot developer", "OFAC Conti designation", "ALPHV", "BlackCat", "FBI decryption keys", "Change Healthcare", "LockBit", "Operation Cronos", "Dmitry Khoroshev", "LockBitSupp unmasking", "NCA operation", "credential stuffing prosecution", "OFAC ransomware payment liability", "Evil Corp alias rotation", "ransom payment sanctions violation", "ransomware-as-a-service", "RaaS affiliate model", "money mule liability", "infrastructure seizure", "forfeiture cryptocurrency" ] }, { "audience": [ "security researchers", "criminal defense attorneys", "corporate counsel", "privacy attorneys", "hackers" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01q-missing-statutes.md", "id": "01q", "jurisdiction": "U.S. Federal; U.S. State (California, New York, Texas)", "last_updated": "2026-04-17", "phase": 2, "quiz_path": "artifacts/quizzes/quiz-01q.md", "status": "complete", "summary": "The CFAA is not the only law that can land a hacker, researcher, or employee in federal prison. Four other legal frameworks operate alongside \u2014 and sometimes independently of \u2014 the CFAA:", "title": "Beyond CFAA: Economic Espionage Act, Espionage Act, State Statutes, and Trespass to Chattels", "topics": [ "Economic Espionage Act", "18 U.S.C. \u00a7 1831", "18 U.S.C. \u00a7 1832", "trade secret theft via hacking", "foreign government nexus", "independent economic value", "reasonable measures to protect", "Xu Yanjun EEA conviction", "Zheng Xiaoqing steganography", "Apple AV engineer EEA", "Espionage Act", "18 U.S.C. \u00a7 793", "national defense information", "classified vs NDI distinction", "Chelsea Manning", "Edward Snowden", "Reality Winner", "Jack Teixeira Discord leaks", "printer steganography", "extraterritorial Espionage Act", "California Penal Code \u00a7 502", "CDAFA", "no damage floor California", "private right of action state", "New York Penal Law Article 156", "computer tampering", "Texas Penal Code \u00a7 33.02", "multi-state cybercrime exposure", "state AG enforcement", "trespass to chattels", "CompuServe v. Cyber Promotions", "Intel v. Hamidi", "eBay v. Bidder's Edge", "functional impairment requirement", "scraping civil liability", "pre-CFAA tort theory" ] }, { "audience": [ "criminal defense attorneys", "incident response counsel", "corporate counsel", "IR professionals", "compliance officers" ], "difficulty": "advanced", "file_path": "artifacts/modules/01r-doctrinal-sentencing.md", "id": "01r", "jurisdiction": "U.S. Federal", "last_updated": "2026-04-17", "phase": 2, "quiz_path": "artifacts/quizzes/quiz-01r.md", "status": "complete", "summary": "Five doctrinal areas that don't make headlines but determine what actually happens after a cybercrime prosecution or regulatory action:", "title": "Doctrinal Gaps: Restitution, Parallel Proceedings, Crypto Forfeiture, OFAC Liability, and Critical Infrastructure Sentencing", "topics": [ "restitution calculation CFAA", "MVRA", "CFAA loss definition", "reasonable cost to respond", "breach notification as restitution", "credit monitoring restitution", "loss inflation defense", "USSG \u00a7 2B1.1", "loss table sentencing", "parallel civil criminal proceedings", "Fifth Amendment adverse inference", "Landis stay doctrine", "SolarWinds multi-forum pattern", "IR report privilege", "Garner doctrine shareholder access", "cryptocurrency forfeiture", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "21 U.S.C. \u00a7 853", "Lichtenstein Bitfinex seizure", "Colonial Pipeline Bitcoin recovery", "Silk Road forfeiture", "Tornado Cash Roman Storm", "smart contract developer liability", "OFAC ransomware strict liability", "Evil Corp alias evasion", "CNA Financial OFAC", "OFAC safe harbor discretionary", "critical infrastructure enhanced sentencing", "18 U.S.C. \u00a7 1030(c)(4)(B)", "PPD-21 sectors", "hospital ransomware", "Change Healthcare", "UHS attack", "involuntary manslaughter ransomware theory", "USSG \u00a7 2B1.1(b)(18)" ] }, { "audience": [ "AI security researchers", "security researchers", "corporate counsel", "IR professionals", "insurance counsel" ], "difficulty": "advanced", "file_path": "artifacts/modules/01s-emerging-cyber-law.md", "id": "01s", "jurisdiction": "U.S. Federal; EU (Cyber Resilience Act); International (insurance)", "last_updated": "2026-04-17", "phase": 2, "quiz_path": "artifacts/quizzes/quiz-01s.md", "status": "complete", "summary": "Three legal fault lines are reshaping what AI security researchers, software vendors, and corporate IR teams can and cannot do without serious legal exposure:", "title": "Emerging Cyber Law: AI/LLM Security Research, Supply Chain Liability, and Cyber Insurance", "topics": [ "AI security research CFAA", "LLM probing authorized access", "Van Buren AI gate analysis", "prompt injection legal theory", "model extraction EEA", "training data extraction", "HackerOne AI safe harbor 2026", "ToS post-Van Buren AI", "adversarial ML liability", "jailbreaking legal risk", "AI legal risk matrix", "supply chain attack liability", "SolarWinds downstream liability", "3CX supply chain", "XZ Utils", "economic loss rule software", "software product liability gap", "EO 14028 SBOM", "CISA secure by design", "EU Cyber Resilience Act", "CRA extraterritorial", "SEC software disclosure", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Mondelez v. Zurich war exclusion", "Lloyd's Y5381 exclusion", "ransomware business interruption coverage", "OFAC ransom payment insurance", "double extortion dual coverage", "consent to pay requirement", "cyber insurance market hardening", "pre-incident policy review" ] }, { "audience": [ "security researchers", "hardware hackers", "red teamers", "penetration testers", "criminal defense attorneys", "RF/NFC/BadUSB practitioners" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01t-flipper-zero-legal-liability.md", "id": "01t", "jurisdiction": "U.S. Federal + State", "last_updated": null, "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01t.md", "status": "complete", "summary": "The Flipper Zero is a legitimate multi-protocol security research tool that can also be a federal crime instrument in under thirty seconds depending on the target. Sub-GHz replay against your own garage door is legal; the same replay against a neighbor's gate is CFAA unauthorized access plus potential FCC jamming liability with no \"authorized use\" carve-out. This module maps each hardware feature \u2014 Sub-GHz, NFC/RFID, BadUSB, IR, BLE \u2014 to the exact federal statutes and state codes that apply, the 2021 Van Buren authorization framework that changed how courts read \"exceeds authorized access,\" and the DOJ 2022 charging policy that nominally protects good-faith research but contains gaps that will swallow a Flipper user who cannot document authorization clearly.", "title": "Flipper Zero Legal Liability: Exact Statute + Case Analysis for Security Researchers", "topics": [ "Flipper Zero", "Sub-GHz replay attack", "KeeLoq rolling code", "RollJam attack", "CC1101 transceiver", "NFC cloning", "RFID skimming", "Mifare Classic attack", "ST25R3916", "EMV contactless skimming", "BadUSB", "HID injection", "Ducky Script", "USB HID keyboard emulation", "IR blaster", "TV-B-Gone", "ATM IR manipulation", "BLE spam", "BlueSnarfing", "BlueBorne", "GATT enumeration", "CFAA unauthorized access", "exceeds authorized access", "Van Buren analysis", "DOJ 2022 CFAA charging policy", "good-faith security research", "FCC jamming prohibition", "47 U.S.C. \u00a7 333", "strict liability jamming", "ISM band", "Part 15 intentional radiator", "authorized pen-test context", "access device fraud", "device-making equipment", "counterfeit access device", "hotel keycard cloning", "payment card skimming", "wire fraud data exfiltration", "aggravated identity theft mandatory consecutive", "critical infrastructure sentencing enhancement", "hospital equipment IR", "safe grey red matrix", "firmware selection legal implications", "Unleashed firmware", "RogueMaster firmware", "Faraday cage testing", "California Penal Code \u00a7 502", "Texas Penal Code \u00a7 33.02", "RF shielded bag rule", "scope letter HID injection", "get-out-of-jail letter" ] }, { "audience": [ "security researchers", "pen testers", "bug bounty hunters", "hackers", "corporate counsel", "CISO" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01u-safe-harbor-vdp-bug-bounty.md", "id": "01u", "jurisdiction": "U.S. Federal; U.S. State; EU (GDPR); International", "last_updated": null, "phase": 2, "quiz_path": "artifacts/quizzes/quiz-01u.md", "status": "complete", "summary": "Bug bounty programs and vulnerability disclosure policies tell you which systems to test, but they do not immunize you from criminal prosecution \u2014 that power belongs to prosecutors, not companies. The Supreme Court's 2021 Van Buren ruling narrowed what \"unauthorized access\" means under the CFAA, but left enormous grey zones that researchers routinely stumble into. This module maps exactly what creates legal exposure even when you think you have permission, why \"in scope\" is not the same as \"authorized,\" and what you need to document before, during, and after any research engagement to minimize your risk.", "title": "Safe Harbor, VDPs, and Bug Bounty Legal Limits", "topics": [ "authorized access", "Van Buren good faith", "DOJ 2022 CFAA charging policy", "bug bounty safe harbor", "vulnerability disclosure policy", "coordinated disclosure", "Auernheimer problem", "DMCA 1201 security research exemption", "HackerOne legal protection", "Bugcrowd scope", "CVD timeline", "90-day disclosure", "state computer fraud law", "California PC 502", "New York Penal Law 156", "Texas PC 33.02", "GDPR during testing", "international extradition", "pen test authorization", "scope letter legal effect", "good faith research defense" ] }, { "audience": [ "security researchers", "OSINT practitioners", "threat intelligence analysts", "criminal defense attorneys", "privacy attorneys", "corporate counsel" ], "difficulty": "intermediate", "file_path": "artifacts/modules/02a-osint-legal-limits-dark-web.md", "id": "02a", "jurisdiction": "U.S. Federal + State + International (GDPR, BIPA)", "last_updated": null, "phase": 2, "quiz_path": "artifacts/quizzes/quiz-02a.md", "status": "complete", "summary": "Open-source intelligence (OSINT) \u2014 gathering information from publicly visible sources \u2014 is broadly legal in the U.S., but a series of narrow statutes and court decisions create hard edges that practitioners can cross without realizing it. The main dividing lines are: whether a data source requires credentials to access, whether the collected data is used to surveil or harass an individual, and whether operations move from passively viewing dark web content to actively participating in illegal markets. Blockchain activity is public by design, but privacy coins and mixer services carry money-laundering risk even for researchers.", "title": "OSINT Legal Limits, Dark Web Operations, and Blockchain Intelligence", "topics": [ "OSINT", "Stored Communications Act", "SCA 18 U.S.C. \u00a7 2701", "scraping public data", "hiQ v. LinkedIn", "Facebook v. Power Ventures", "Van Buren scraping", "CFAA \u00a7 1030(a)(2)", "GDPR Article 5 scraping", "CCPA scraping", "cyberstalking 18 U.S.C. \u00a7 2261A", "state stalking statutes", "aggregation problem", "doxxing", "no federal doxxing statute", "California AB 1732", "New York Exec. Law \u00a7 79-n", "intentional infliction of emotional distress", "Tor legal status", "Tor exit node liability", "dark web marketplace", "Silk Road", "Ulbricht", "buying on dark web", "access device fraud \u00a7 1029", "drug trafficking conspiracy", "continuing criminal enterprise", "Bitcoin evidence", "Gratkowski no 4th Amendment blockchain", "blockchain analytics admissibility", "Chainalysis", "Elliptic", "privacy coins", "Monero legal risk", "Tornado Cash OFAC sanctions", "cryptocurrency mixing", "Clearview AI", "BIPA 740 ILCS 14", "biometric data", "GDPR Article 9 special category", "facial recognition scraping", "threat intelligence forums", "criminal forum access", "ISAC antitrust", "AIS CISA", "safe grey red OSINT matrix", "Google dorking", "LinkedIn scraping", "Shodan", "HaveIBeenPwned", "Maltego", "reverse image search", "public records FOIA", "paste sites" ] }, { "audience": [ "physical penetration testers", "red team operators", "security researchers", "criminal defense attorneys", "corporate counsel", "CISOs" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01w-physical-pentest-red-team-law.md", "id": "01w", "jurisdiction": "U.S. Federal + State", "last_updated": null, "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01w.md", "status": "complete", "summary": "Physical penetration testing and red team operations are the most legally dangerous work in the security industry because the gap between \"authorized\" and \"arrested\" is a single ambiguous contract clause. Every physical attack vector \u2014 tailgating, lock picking, badge cloning, device implants, dumpster diving, drone recon \u2014 maps to at least one criminal statute at the federal or state level, and courts have ruled that a client's verbal authorization is legally worthless. The 2019 Coalfire/Iowa courthouse arrests proved that even a written letter signed by the contracting organization is not enough when the letter fails to specify the exact physical locations in scope and the police cannot reach a 24/7 verification contact.", "title": "Physical Penetration Testing and Red Team Operations: Exact Statute + Case Analysis for Security Researchers", "topics": [ "physical penetration test", "red team operation", "rules of engagement", "scope of work", "verbal authorization", "get-out-of-jail letter", "authorization letter", "18 U.S.C. \u00a7 1030(a)(3)", "18 U.S.C. \u00a7 1036", "18 U.S.C. \u00a7 2701", "Stored Communications Act", "California Penal Code \u00a7 602", "Texas Penal Code \u00a7 30.05", "New York Penal Law \u00a7 140.05", "criminal trespass", "burglary trespass escalation", "lockpick legal status", "criminal instrument Texas", "burglar's tools New York", "lock pick possession Florida", "tailgating", "impersonation wire fraud", "18 U.S.C. \u00a7 1343", "18 U.S.C. \u00a7 912", "false personation federal officer", "hardware implants", "LAN tap", "Raspberry Pi red team", "keystroke logger", "CFAA \u00a7 1030(a)(5) damage", "Wiretap Act", "18 U.S.C. \u00a7 2511", "wiretapping network tap", "drone recon", "FAA Part 107", "state anti-drone laws", "Texas drone surveillance", "Florida drone law", "RFID cloning", "badge clone", "dumpster diving", "Coalfire Iowa courthouse 2019", "United States v. Rendelman", "safe grey red matrix physical", "pre-engagement checklist", "police did not honor authorization", "24/7 emergency contact" ] }, { "audience": [ "security researchers", "hackers", "criminal defense attorneys", "compliance officers", "CISO" ], "difficulty": "beginner", "file_path": "artifacts/modules/01v-hackers-hall-of-fame.md", "id": "01v", "jurisdiction": "U.S. Federal; UK; International", "last_updated": null, "phase": 2, "quiz_path": "artifacts/quizzes/quiz-01v.md", "status": "complete", "summary": "This module catalogs the most significant cybercriminal prosecutions from 1988 to 2025, with emphasis on the last decade. Each entry extracts the controlling legal doctrine, the technical conduct alleged, and the actual sentence \u2014 giving security researchers a map of exactly where the law has drawn lines and what it looks like when it draws them wrong.", "title": "Hackers Who Got Caught: 50 Years of Prosecutions, Verdicts, and Doctrine", "topics": [ "Kevin Mitnick", "Albert Gonzalez", "Gary McKinnon", "Lauri Love", "Marcus Hutchins", "Hector Monsegur Sabu", "Jeremy Hammond", "Andrew Auernheimer weev", "Jonathan James c0mrade", "Adrian Lamo", "Paige Thompson Capital One", "Joseph James O'Connor PlugwalkJoe", "Graham Clark Twitter hack", "Lapsus$ Arion Kurtaj", "LockBit Dmitry Khoroshev", "REvil Yaroslav Vasinskyi", "Evgeniy Bogachev GameOver Zeus", "Vladislav Klyushin", "Joseph Sullivan Uber CISO", "Ardit Ferizi ISIS hacker", "Aleksei Burkov", "Mikhail Matveev Wazawaka", "Conti Trickbot", "Andrei Tyurin JPMorgan", "cooperation sentencing", "extradition fight mental health", "Russia no extradition", "infrastructure seizure without arrest", "juvenile hacking prosecution", "ransomware sentencing", "CISO liability", "hacker hall of fame" ] }, { "audience": [ "penetration testers", "security researchers", "bug bounty hunters", "security consultants", "criminal defense attorneys", "compliance officers", "CISO" ], "difficulty": "advanced", "file_path": "artifacts/modules/01y-international-pentest-uk-cma-sim-swap.md", "id": "01y", "jurisdiction": "International (UK, EU, Germany, Canada, Australia) + U.S.", "last_updated": null, "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01y.md", "status": "complete", "summary": "Security professionals who test computer systems face not just U.S. law but the criminal codes of every country whose systems, data, or infrastructure they touch \u2014 and sometimes just the country they travel to with a Kali Linux laptop. This module maps the specific statutes, penalties, and legal gaps in six major jurisdictions, explains why SIM swapping is federally prosecutable under three separate U.S. statutes, and gives you a multi-jurisdiction engagement checklist so you know what legal review to demand before your first packet hits a target with offices in the UK or Germany.", "title": "International Penetration Testing Law: UK CMA, Germany \u00a7 202c, EU NIS2, Canada, Australia, SIM Swap, and Extradition Exposure", "topics": [ "UK Computer Misuse Act 1990", "CMA section 1 unauthorized access", "CMA section 2 intent further offence", "CMA section 3 impairing operation", "CMA section 3A hacking tools", "R v Gold Schifreen 1988", "Metasploit UK law", "Kali Linux UK law", "Flipper Zero UK law", "Germany 202a unauthorized data access", "Germany 202b phishing", "Germany 202c preparation hacking tools", "StGB dual-use tools", "BSI Act Germany", "EU NIS2 Directive 2022", "GDPR Article 5 data minimization", "GDPR Article 3 extraterritorial", "GDPR penetration testing", "Canada Criminal Code 342.1", "Canada 430(1.1) mischief computer data", "colour of right Canada", "Australia Criminal Code 477", "Australia 477.1 unauthorized access", "Australian Signals Directorate ASD", "SIM swap CFAA", "SIM swap wire fraud 1343", "SIM swap access device fraud 1029", "FCC SIM swap order 2023", "carrier employee bribery", "extradition cybercrime", "double criminality", "US-UK extradition treaty", "Gary McKinnon extradition", "multi-jurisdiction pen test checklist", "international engagement contract", "GDPR data processing agreement", "international security testing risk matrix" ] }, { "audience": [ "penetration testers", "red teamers", "social engineers", "security researchers", "corporate counsel", "criminal defense attorneys", "compliance officers" ], "difficulty": "intermediate", "file_path": "artifacts/modules/01x-social-engineering-legal-limits.md", "id": "01x", "jurisdiction": "U.S. Federal + State", "last_updated": null, "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01x.md", "status": "complete", "summary": "Social engineering \u2014 phishing, vishing, pretexting, impersonation \u2014 sits in a legal no-man's-land where a signed pen test scope letter often provides less protection than operators assume. Federal wire fraud (18 U.S.C. \u00a7 1343), impersonation statutes (18 U.S.C. \u00a7 912), ECPA wiretapping (18 U.S.C. \u00a7 2511), and state all-party-consent recording laws can all reach conduct that a client explicitly authorized, because a company cannot legally authorize a tester to commit fraud against its own employees or record calls without those employees' consent. This module maps every major social engineering technique to the exact statutes that govern it, the case law that defines liability limits, and a clear safe/grey/red matrix for practitioners.", "title": "Social Engineering Legal Limits: Wire Fraud, Impersonation, ECPA, and the Authorization Gap", "topics": [ "social engineering", "wire fraud", "scheme to defraud", "18 U.S.C. \u00a7 1343", "United States v. Czubinski", "scheme to defraud element", "phishing authorization gap", "federal impersonation", "18 U.S.C. \u00a7 912", "false personation federal officer", "identity document fraud", "18 U.S.C. \u00a7 1028", "ECPA", "wiretapping", "18 U.S.C. \u00a7 2511", "one-party consent", "all-party consent", "California Penal Code \u00a7 632", "vishing recording", "GLBA pretexting", "15 U.S.C. \u00a7 6821", "FTC pretexting enforcement", "financial institution social engineering", "CAN-SPAM Act", "CFAA phishing malware", "phishing damage", "TCPA bulk SMS", "SMiShing", "Truth in Caller ID Act", "47 U.S.C. \u00a7 227(e)", "caller ID spoofing", "caller ID spoofing legal vs illegal", "California Business and Professions Code \u00a7 17200", "UCL unfair business practices", "state deceptive practices", "human element authorization gap", "employee consent third party", "Van Buren authorization principle", "pen test scope letter limits", "company authorization employee rights", "safe grey red matrix social engineering", "AT&T insider bribery Fahd", "SIM swap prosecution", "Joseph O Connor PlugwalkJoe", "Graham Clark Twitter SIM swap", "BEC wire fraud", "business email compromise", "FDIC impersonation", "pretexting pre-engagement notice", "GLBA customer financial records", "TCPA ATDS Facebook v. Duguid", "red team impersonation IT helpdesk", "LinkedIn OSINT legal limits", "dumpster diving legal", "shoulder surfing" ] }, { "audience": [ "ICS/OT security researchers", "penetration testers", "security researchers", "criminal defense attorneys", "corporate counsel", "CISO", "critical infrastructure operators", "drone security researchers", "automotive security researchers" ], "difficulty": "advanced", "file_path": "artifacts/modules/01z-scada-iot-automotive-hacking-law.md", "id": "01z", "jurisdiction": "U.S. Federal + State + International", "last_updated": null, "phase": 1, "quiz_path": "artifacts/quizzes/quiz-01z.md", "status": "complete", "summary": "Hacking a power grid controller or hospital infusion pump is a different legal universe than hacking a web application. The CFAA sentencing ceiling doubles \u2014 from 10 years to 20 \u2014 when the target qualifies as critical infrastructure, and prosecutors have used that enhancement against ransomware operators who hit hospitals and pipeline operators. This module maps every major physical-world computing target (SCADA, IoT botnets, vehicle ECUs, drones, smart meters, medical devices) to the exact statutes, cases, and sentencing ranges that apply, then gives researchers a clear safe/grey/red matrix for each activity class.", "title": "SCADA, IoT, Automotive, and Drone Hacking: Critical Infrastructure Law for Security Researchers", "topics": [ "SCADA hacking law", "ICS security law", "OT cybersecurity legal framework", "PPD-21 critical infrastructure", "CFAA \u00a7 1030(c)(4)(B) enhancement", "critical infrastructure sentencing 20 years", "substantial disruption standard", "Colonial Pipeline legal aftermath", "DarkSide ransomware OFAC", "Oldsmar water treatment plant 2021", "ICS-CERT coordinated disclosure", "CISA vulnerability disclosure ICS", "hospital ransomware Change Healthcare", "UHS ransomware", "involuntary manslaughter ransomware theory", "IoT hacking CFAA", "Mirai botnet Jha 2018", "botnet recruitment \u00a7 1030(a)(5)", "FTC Act \u00a7 5 insecure IoT", "NISTIR 8259 IoT security", "California IoT security law \u00a7 1798.91.04", "Oregon SB 90 IoT", "vehicle ECU CFAA", "automotive hacking law", "Miller Valasek Jeep hack 2015", "Tesla bug bounty scope", "49 U.S.C. \u00a7 30170 vehicle safety", "SPY Car Act", "OBD-II port testing legal", "EPA emissions ECU modification", "drone hacking law", "FAA Part 107", "counter-UAS authority", "FAA Reauthorization Act 2018", "18 U.S.C. \u00a7 32 aircraft sabotage", "GPS spoofing legal risk", "RF jamming 47 U.S.C. \u00a7 333", "drone jamming federal crime", "NERC CIP mandatory standards", "FERC enforcement authority", "critical electric infrastructure information CEII", "smart grid security law", "FDA cybersecurity final rule 2023", "medical device hacking CFAA", "HIPAA medical device PHI", "\u00a7 524B FD&C Act SBOM", "Vitek Boden Maroochy Water 2001", "Stuxnet legal implications", "Ukraine power grid GRU indictment Sandworm", "TRITON TRISIS SIS attack", "Evgeny Gladkikh indictment", "lab vs production ICS testing", "Shodan ICS reconnaissance legal", "safe grey red ICS matrix", "NERC CIP CEII data handling" ] }, { "audience": [ "security researchers", "penetration testers", "network engineers", "hackers", "corporate counsel", "criminal defense attorneys", "red teamers" ], "difficulty": "intermediate", "file_path": "artifacts/modules/02c-ecpa-wiretapping-stored-comms.md", "id": "02c", "jurisdiction": "U.S. Federal; U.S. State (California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, Washington)", "last_updated": "2026-04-17", "phase": 2, "quiz_path": "artifacts/quizzes/quiz-02c.md", "status": "complete", "summary": "If you run Wireshark on a corporate network, spin up a honeypot, or capture Wi-Fi packets for research, you are operating inside the territory of the Electronic Communications Privacy Act. ECPA is a 1986 statute that predates the modern internet but still controls who can intercept a communication while it is moving (Title I \u2014 the Wiretap Act), who can access a communication sitting on a server (Title II \u2014 the Stored Communications Act), and who can collect metadata about communications without reading their content (Title III \u2014 the Pen Register Act). The law was written for telephone networks, has been stretched awkwardly over TCP/IP, and has produced circuit splits that create genuine legal risk even for good-faith security research.", "title": "ECPA: Wiretap Act, Stored Communications, and Pen Registers", "topics": [ "ECPA", "Wiretap Act", "18 U.S.C. \u00a7 2511", "Stored Communications Act", "18 U.S.C. \u00a7 2701", "Pen Register Act", "18 U.S.C. \u00a7 3121", "ECS vs RCS", "electronic communication service", "remote computing service", "one-party consent", "all-party consent", "California \u00a7 632", "Florida \u00a7 934.03", "provider exception", "\u00a7 2511(2)(a)(i)", "subscriber records vs content", "compelled disclosure \u00a7 2703", "voluntary disclosure \u00a7 2702", "war-driving", "packet sniffing", "network tap", "honeypot legal design", "SSL MITM ECPA", "VoIP intercept", "BLE sniffing", "TOR exit node monitoring", "Wi-Fi payload capture", "Joffe v. Google Street View", "Councilman email interception", "Konop v. Hawaiian Airlines", "United States v. Ropp keylogger", "Warshak email warrant", "Carpenter cell-site location", "inadvertently obtained doctrine", "pen register metadata", "dialing routing addressing signaling", "electronic storage", "temporary intermediate storage", "ECPA civil damages", "\u00a7 2520 civil recovery", "suppression remedy \u00a7 2515", "dual ECPA CFAA exposure", "ECPA pre-engagement checklist" ] }, { "audience": [ "hackers", "pen testers", "security researchers", "bug bounty hunters" ], "difficulty": "advanced", "file_path": "artifacts/modules/02b-zero-day-market-commercial-spyware.md", "id": "02b", "jurisdiction": null, "last_updated": null, "phase": 2, "quiz_path": "artifacts/quizzes/quiz-02b.md", "status": "unknown", "summary": "Selling a software vulnerability to a broker is not explicitly illegal under U.S. law \u2014 there is no statute that says \"you may not sell zero-days\" \u2014 but the surrounding ecosystem is governed by a dense web of export control regulations, wiretapping statutes, CFAA provisions, and international arms-control agreements that create serious criminal exposure depending on who buys the vulnerability, what country they are in, and what the tool does. Commercial spyware vendors face a separate and harsher legal environment: manufacturing and deploying tools that intercept communications without consent violates the federal Wiretap Act, FTC enforcement authority has now been invoked against stalkerware companies, and the NSO Group litigation has tested whether sovereign immunity shields a foreign company that deployed malware at foreign government direction against U.S. persons.", "title": "Zero-Day Market and Commercial Spyware Law", "topics": [ "zero-day market", "export controls", "NSO Group", "Pegasus", "commercial spyware", "stalkerware", "VEP", "bug bounty vs broker", "government procurement", "DMCA Section 1201", "Wassenaar Arrangement", "UK CMA", "Germany StGB 202c" ] }, { "audience": [ "security researchers", "hackers", "bug bounty hunters", "penetration testers", "corporate counsel", "compliance officers", "CISOs", "privacy attorneys" ], "difficulty": "intermediate", "file_path": "artifacts/modules/02d-ftc-section5-cybersecurity-enforcement.md", "id": "02d", "jurisdiction": null, "last_updated": "2026-04-17", "phase": 2, "quiz_path": "artifacts/quizzes/quiz-02d.md", "status": "complete", "summary": "The Federal Trade Commission is the main federal cop for corporate cybersecurity failures in the United States. It does not prosecute hackers \u2014 it sues the companies that got hacked when those companies had terrible security and made promises to customers they could not keep. If a company tells you \"we take your privacy seriously\" and then stores passwords in plaintext and gets breached, the FTC calls that a deceptive practice and can drag that company into a decade-long consent decree. The Wyndham hotel case established that the FTC can do this under a broad statutory hook \u2014 \"unfair or deceptive acts or practices\" \u2014 without Congress passing a specific cybersecurity law.", "title": "FTC Act Section 5 Cybersecurity Enforcement", "topics": [ "FTC Act Section 5", "15 U.S.C. \u00a7 45", "unfair or deceptive acts", "unfairness standard", "deception theory", "consent decree mechanics", "civil penalties FTC", "no private right of action", "Wyndham standard", "foreseeability", "counterfactual prevention", "LabMD unfairness boundary", "Drizly CEO personal liability", "Twitter 2FA advertising deception", "Meta Cambridge Analytica $5B", "FTC Safeguards Rule", "16 C.F.R. Part 314", "GLBA financial institutions", "written information security program", "risk assessment", "encryption at rest", "MFA mandatory", "penetration testing mandate", "30-day FTC breach notification", "Health Breach Notification Rule", "16 C.F.R. Part 318", "PHR vendors", "HIPAA FTC overlap", "Premom enforcement 2023", "COPPA", "15 U.S.C. \u00a7 6501", "verifiable parental consent", "age gate requirements", "data minimization children", "YouTube COPPA settlement", "Epic Games COPPA", "VDP adoption FTC pressure", "FTC complaint escalation tool", "California UCL \u00a7 17200", "New York GBL \u00a7 349", "Texas DTPA", "state FTC analogs", "Tiversa LabMD controversy", "privacy policy deception", "cookie disclosure", "reasonable security representation", "20-year monitoring period", "Civil Investigative Demand", "biennial third-party audit" ] }, { "audience": [ "security researchers", "privacy attorneys", "compliance officers", "corporate counsel", "class action litigators", "data breach response teams", "threat intelligence analysts" ], "difficulty": "intermediate", "file_path": "artifacts/modules/02f-state-privacy-laws-ccpa-cpra.md", "id": "02f", "jurisdiction": "U.S. State (California, Illinois, Virginia, Colorado, Texas, Connecticut, Nevada, Utah, Montana, Oregon, Iowa, Washington)", "last_updated": "2026-04-17", "phase": 2, "quiz_path": "artifacts/quizzes/quiz-02f.md", "status": "complete", "summary": "The U.S. has no single federal privacy law. Instead, roughly 20 states have enacted their own comprehensive privacy statutes, each with different thresholds, consumer rights, enforcement models, and breach notification clocks. California leads with the most aggressive regime \u2014 a standalone enforcement agency (the CPPA), a private right of action for breach victims worth $100\u2013$750 per consumer, and some of the broadest definitions of \"sensitive data\" in the country. Illinois has a biometric-specific law (BIPA) that generates more class action litigation per capita than any other privacy statute in the U.S., with per-scan damages reaching $5,000. For security researchers, this patchwork matters in three specific ways: (1) if you hold breach data during responsible disclosure, deletion demands from individuals are legally enforceable in California, (2) if your research scrapes or aggregates personal information, you may be holding data subject to multiple state laws simultaneously, and (3) every state has its own definition of what personal information triggers breach notification, meaning one incident may generate 12 different notification clocks running at different speeds.", "title": "U.S. State Privacy Law: CCPA/CPRA and the State Patchwork", "topics": [ "CCPA", "CPRA", "California Consumer Privacy Act", "California Privacy Rights Act", "Cal. Civ. Code 1798.100", "Cal. Civ. Code 1798.150", "right to know", "right to delete", "right to correct", "right to opt-out", "sensitive personal information", "CPPA enforcement agency", "CPPA rulemaking", "Virginia CDPA", "Colorado Privacy Act", "Global Privacy Control GPC", "Texas TDPSA", "Connecticut CTDPA", "Nevada SB 220 SB 370", "Utah UCPA", "Montana MTCDPA", "Oregon OCPA", "Iowa ICDPA", "breach notification California 30 day", "breach notification Texas 60 day", "breach notification New York 30 day", "SHIELD Act", "Illinois BIPA", "740 ILCS 14", "biometric privacy", "per-scan vs per-person damages", "Cothron v White Castle", "Washington My Health MY Data Act", "WMHDA", "cure period sunset", "private right of action", "AG only enforcement", "data protection assessment", "data broker registration", "Delete Act SB 362", "scraping aggregation CCPA", "CCPA deletion demand during research", "PII minimization responsible disclosure", "breach data retention researcher", "safe grey red matrix privacy", "$100 $750 statutory damages", "$1000 $5000 BIPA damages", "class action data breach", "reasonable security", "business threshold CCPA" ] }, { "audience": [ "security researchers", "ed-tech security teams", "corporate counsel", "privacy attorneys", "compliance officers", "pen testers", "bug bounty hunters" ], "difficulty": "intermediate", "file_path": "artifacts/modules/02g-coppa-ferpa-student-data-privacy.md", "id": "02g", "jurisdiction": "U.S. Federal; U.S. State (California, New York, Colorado)", "last_updated": "2026-04-17", "phase": 2, "quiz_path": "artifacts/quizzes/quiz-02g.md", "status": "complete", "summary": "Two federal statutes govern the data of children and students: COPPA locks down personal information collected from kids under 13 online, and FERPA controls who can access education records. Neither statute was written with security researchers in mind, but both create landmines for anyone who finds vulnerabilities in apps, platforms, or school systems. If you pop a children's app and the data you're looking at includes birthdates, device IDs, or photos of kids under 13, COPPA is in the room. If you're inside a student information system or an ed-tech platform used by a school, FERPA is in the room. This module maps both statutes, their enforcement mechanisms, the worst breach disasters in the K-12 space, and exactly how to disclose responsibly when the victims are minors.", "title": "COPPA, FERPA, and Student Data Privacy Law for Security Researchers", "topics": [ "COPPA", "FERPA", "children's online privacy", "child under 13", "operator definition", "verifiable parental consent", "VPC methods", "actual knowledge standard", "mixed-audience sites", "school official exception", "data minimization", "retention limits", "FTC COPPA enforcement", "COPPA 2.0", "age-16 expansion", "design prohibition", "KOSA Kids Online Safety Act", "education records", "directory information", "legitimate educational interest", "FERPA enforcement", "no private right of action FERPA", "Gonzaga v. Doe", "funding withdrawal never used", "PowerSchool 2025 breach", "Los Angeles USD ransomware", "Illuminate Education breach", "K-12 ed-tech security", "student information system", "SIS vendor authorization", "SOPIPA California", "New York Ed Law 2-d", "Colorado SB 21-231", "CARU safe harbor", "kidSAFE seal", "persistent identifier COPPA", "behavioral advertising prohibition", "student PII during pentest", "responsible disclosure school districts", "FERPA redisclosure restrictions", "safe grey red matrix education" ] }, { "audience": [ "security researchers", "healthcare pen testers", "red teamers", "healthcare attorneys", "HIPAA compliance officers", "CISOs", "business associate counsel", "incident response professionals" ], "difficulty": "advanced", "file_path": "artifacts/modules/02e-hipaa-security-rule-full.md", "id": "02e", "jurisdiction": null, "last_updated": "2026-04-17", "phase": 2, "quiz_path": "artifacts/quizzes/quiz-02e.md", "status": "complete", "summary": "HIPAA is not just a compliance checkbox \u2014 it is a federal regulatory regime with civil fines up to $1.9 million per violation category per year, criminal penalties up to 10 years, and an HHS public \"Wall of Shame\" that names every organization that breaches 500 or more patient records. For security researchers, healthcare pen testers, and red teamers, HIPAA creates obligations and risks that do not exist in ordinary commercial engagements. The data you touch during a test \u2014 even temporarily, even accidentally \u2014 is likely protected health information (PHI) subject to federal law. Your client's authorization letter does not automatically make you compliant. You need a Business Associate Agreement (BAA), a defined scope that avoids unnecessary PHI access, and a data destruction protocol for anything you do encounter. This module maps the full statute, enforcement history, and practical do/don't matrix so you can work in healthcare environments without becoming a defendant.", "title": "HIPAA Security Rule: A Complete Operational Guide for Security Researchers and Healthcare Pen Testers", "topics": [ "HIPAA Security Rule", "ePHI", "PHI", "covered entities", "business associates", "BAA", "Business Associate Agreement", "subcontractor chain", "Privacy Rule", "Breach Notification Rule", "administrative safeguards", "physical safeguards", "technical safeguards", "required vs addressable controls", "addressable implementation specification", "risk analysis", "unique user identification", "audit controls", "transmission security", "encryption safe harbor", "60-day breach notification clock", "Wall of Shame", "500-person threshold", "media notice", "surrogate notice", "OCR civil monetary penalties", "4-tier CMP framework", "willful neglect", "42 U.S.C. \u00a7 1320d-6 criminal penalties", "false pretenses 5 years", "personal gain 10 years", "HITECH Act", "Change Healthcare breach 2024", "ALPHV BlackCat", "UnitedHealth Group", "Advocate Aurora pixel tracking", "Meta Pixel HIPAA", "HCA Healthcare breach 2023", "FDA 2023 Cybersecurity Guidance", "Section 524B FD&C Act", "cyber device", "SBOM medical device", "postmarket cybersecurity obligations", "healthcare pen test scope letter", "PHI handling during testing", "minimum necessary standard", "data destruction NIST SP 800-88", "California CMIA", "Cal. Civ. Code \u00a7 56", "CMIA private right of action", "Texas Health & Safety Code \u00a7 181", "TMRPA", "New York SHIELD Act", "state health privacy law overlay", "45 C.F.R. Part 164", "safe grey red healthcare matrix", "BOLA EHR vulnerability", "packet capture ePHI destruction", "medical device pen testing", "infusion pump security", "state AG HIPAA enforcement" ] }, { "audience": [ "hackers", "security researchers", "bug bounty hunters", "OSINT analysts" ], "difficulty": "advanced", "file_path": "artifacts/modules/02h-cryptocurrency-blockchain-legal-framework.md", "id": "02h", "jurisdiction": "U.S. Federal; International (OFAC, FATF)", "last_updated": "2026-04-17", "phase": 2, "quiz_path": "artifacts/quizzes/quiz-02h.md", "status": "complete", "summary": "Crypto is not a legal gray zone \u2014 it is a legal minefield with live tripwires. The U.S. government has spent a decade building enforcement infrastructure around blockchain: FinCEN runs the money transmission layer, OFAC has sanctioned specific wallet addresses and smart contracts, the SEC is fighting in court over which tokens are securities, and DOJ has seized billions in BTC using private key recovery techniques. For security researchers, this matters because: your bug bounty might be paid in crypto, your OSINT tools analyze blockchain, you might discover an exploit in a DeFi protocol, or you might be asked to do a smart contract audit. Every one of those scenarios has specific legal exposure that has nothing to do with the CFAA. This module maps the real law to the real scenarios you will encounter.", "title": "Cryptocurrency and Blockchain Legal Frameworks for Security Researchers", "topics": [ "FinCEN MSB registration", "31 U.S.C. \u00a7 5330", "Bank Secrecy Act", "AML/KYC", "money transmitter", "FinCEN 2013 guidance", "FinCEN 2019 framework", "18 U.S.C. \u00a7 1960 unlicensed money transmitting", "OFAC sanctions", "SDN list", "Tornado Cash designation", "Van Loon v. Treasury 5th Circuit 2024", "immutable smart contracts", "Lazarus Group DPRK addresses", "OFAC strict liability", "blockchain analytics", "Chainalysis Reactor", "Howey test", "SEC v. Ripple programmatic sales", "SEC v. Coinbase", "SEC v. Binance", "staking as securities", "Liberty Reserve", "BTC-e Vinnik", "Tornado Cash founders prosecution", "Samourai Wallet CoinJoin", "crypto forfeiture", "21 U.S.C. \u00a7 881", "18 U.S.C. \u00a7 981", "18 U.S.C. \u00a7 982", "civil vs criminal forfeiture", "Silk Road Bitcoin seizure", "Bitfinex $3.6B seizure", "private key seizure", "ransomware payment OFAC liability", "Evil Corp alias evasion", "SAR filing", "cyber insurance war exclusion", "Merck v. ACE NotPetya", "Lloyd\u2019s Y5381 exclusion", "Gratkowski no 4th Amendment blockchain", "pseudonymity vs anonymity", "Daubert blockchain analytics", "Sterlingov Bitcoin Fog", "Monero regulatory pressure", "privacy coins", "CoinJoin", "Wasabi Wallet", "smart contract auditing liability", "white-hat returns Poly Network Euler Finance", "bug bounty crypto payment", "DOJ Kleptocracy rewards", "substitute asset forfeiture", "Colonial Pipeline BTC recovery" ] } ], "quick_links": [ { "label": "Launch Report", "path": "data/processed/launch/latest.json" }, { "label": "Launch Report (Markdown)", "path": "data/processed/launch/latest.md" }, { "label": "Current Handoff", "path": "state/handoffs/latest.md" }, { "label": "Hacker News", "url": "https://news.ycombinator.com/news" }, { "label": "README", "path": "README.md" }, { "label": "Architecture", "path": "docs/ARCHITECTURE.md" }, { "label": "Blog Standard", "path": "docs/BLOG-POST-STANDARD.md" }, { "label": "Blog Template", "path": "research/cybersecurity/blog-drafts/LAWZEEE-POST-TEMPLATE.md" } ], "research_files": [], "session": { "completed_tasks": [ { "completed_at": "2026-04-17T15:10:00Z", "cost_usd": 0.0, "model_used": "gemini-pro-1.5", "task": "Added Hacker News legal news aggregator (scripts/hn_lawsuits.py) with general and hacker-specific filters" }, { "completed_at": "2026-04-17T15:15:00Z", "cost_usd": 0.0, "model_used": "gemini-pro-1.5", "task": "Created Module 1M (01m-hacker-lawsuits.md) translating landmark cyber cases into technical hacker-centric concepts" }, { "completed_at": "2026-04-17T15:25:00Z", "cost_usd": 0.0, "model_used": "gemini-pro-1.5", "task": "Updated workspace governance (COUNCIL.md, WORKSPACE.json) and documentation (README.md, PROJECT.md) to formalize the 'Hacker-First' pivot" } ], "confidence_on_open_items": 0.98, "current_task": "Refocused LawZeee as a Hacker-First legal education platform and news aggregator. Added landmark case translation for hackers, integrated a filtered Hacker News lawsuit feed, and updated governance documents (COUNCIL.md, WORKSPACE.json, README.md, PROJECT.md) to reflect the new mandate.", "last_updated": "2026-04-17T15:30:00Z", "model_usage_today": { "invocations": 12, "models_used": [ "gemini-pro-1.5" ], "total_cost_usd": 0.0 }, "next_actions": [ "Run 'make news-hacker' to verify the latest high-signal legal updates", "Integrate news aggregation into local_ui.py to allow browser-based viewing of the filtered feed", "Add more 'Hacker-First' case studies to Module 1M (e.g., Sony v. George Hotz, Google v. Oracle API ruling)", "Run 'make qa' to ensure new content meets workspace standards" ], "open_loops": [ { "created_at": "2026-04-17T15:25:00Z", "description": "Integrate the 'make news-hacker' feed into the local_ui.py dashboard", "due_date": "2026-04-18", "id": "lawzeee-ui-news-integration", "owner": "operator" }, { "created_at": "2026-04-17T15:25:00Z", "description": "Expand Module 1M with deeper analysis of DMCA \u00a7 1201 and reverse engineering precedents", "due_date": "2026-04-19", "id": "lawzeee-dmca-research", "owner": "operator" } ], "session_id": "lawzeee-hacker-pivot-2026-04-17T15:00:00Z", "workspace_id": "lawzeee" }, "source_watch": [ { "changed": false, "checked_at": "2026-04-17T18:47:36.221652+00:00", "content_hash": "ee1751fb5aa35eda7a412d25c81e25f6ab1b17331d79427e546576c2d7e01280", "content_title": "CIRCIA FAQs | CISA", "etag": null, "id": "circia", "label": "CIRCIA reporting status", "last_modified": null, "offline": false, "status_code": 200, "url": "https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/circia/faqs", "version": 2 }, { "changed": true, "checked_at": "2026-04-17T18:47:36.837337+00:00", "content_hash": "0fe5e49195d83a657c9a354541a847b2d6cba5eda9e473a989495efc5e463a2b", "content_title": "SEC.gov | SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies", "etag": "\"1776451657\"", "id": "sec-cyber-disclosure", "label": "SEC cyber disclosure rule", "last_modified": "Fri, 17 Apr 2026 18:47:37 GMT", "offline": false, "status_code": 200, "url": "https://www.sec.gov/newsroom/press-releases/2023-139", "version": 2 }, { "changed": false, "checked_at": "2026-04-17T18:47:38.339502+00:00", "content_hash": "fc128f65ca713c60b0362b2c1b2deb9e6e84343ad4b67088eb779e92b53381fc", "content_title": "Federal Register :: Request Access", "etag": null, "id": "hipaa-security-rule", "label": "HIPAA Security Rule update", "last_modified": null, "offline": false, "status_code": 200, "url": "https://www.federalregister.gov/documents/2025/01/06/2024-30983/security-standards-for-the-protection-of-electronic-protected-health-information", "version": 2 }, { "changed": false, "checked_at": "2026-04-17T18:47:38.997838+00:00", "content_hash": "e96476a23f5bcfe1ebef3e6b768182f26211f9e89b4e625b20706328ac0554fc", "content_title": "NIS2 Directive: securing network and information systems | Shaping Europe\u2019s digital future", "etag": "W/\"1776448915-gzip\"", "id": "nis2-dora", "label": "NIS2 and DORA implementation", "last_modified": "Fri, 17 Apr 2026 18:01:55 GMT", "offline": false, "status_code": 200, "url": "https://digital-strategy.ec.europa.eu/en/policies/nis2-directive", "version": 2 }, { "changed": true, "checked_at": "2026-04-17T18:47:39.957378+00:00", "content_hash": "7f9c6a1a9fcd1102f5dddbbdb784e16189c2d5d034672385d7ea81f13fe72bf8", "content_title": "High-level summary of the AI Act | EU Artificial Intelligence Act", "etag": null, "id": "eu-ai-act", "label": "EU AI Act cyber-adjacent obligations", "last_modified": null, "offline": false, "status_code": 200, "url": "https://artificialintelligenceact.eu/high-level-summary/", "version": 2 }, { "changed": false, "checked_at": "2026-04-17T18:47:40.623448+00:00", "content_hash": "3c849cc1e7e8a2cc6571e7b2262e0bef6e9dcbdb7533f49991fef3bc31ae149e", "content_title": "Cyber-Related Sanctions | Office of Foreign Assets Control", "error": "The read operation timed out", "etag": null, "id": "ofac-ransomware", "label": "OFAC ransomware sanctions guidance", "last_modified": null, "offline": false, "status_code": 200, "url": "https://ofac.treasury.gov/sanctions-programs-and-country-information/sanctions-related-to-significant-malicious-cyber-enabled-activities", "version": 2 }, { "changed": true, "checked_at": "2026-04-17T18:47:50.312223+00:00", "content_hash": "22cb06a7d8b313d409f84aa8c36bdd1c0d25decc188e3033a4ec854d9d824187", "content_title": "Protecting Consumer Privacy and Security | Federal Trade Commission", "etag": "\"1776451613\"", "id": "ftc-privacy-security", "label": "FTC privacy and security enforcement", "last_modified": "Fri, 17 Apr 2026 18:46:53 GMT", "offline": false, "status_code": 200, "url": "https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security", "version": 2 }, { "changed": true, "checked_at": "2026-04-17T18:47:51.116018+00:00", "content_hash": "71aa66c34db6ab3fccaea431cb2d89ff2ec80fea029175975e1c47eb37b4e73d", "content_title": "Fines | Data Protection Commission", "etag": null, "id": "dpc-fines", "label": "Irish DPC fines and appeal status", "last_modified": null, "offline": false, "status_code": 200, "url": "https://dataprotection.ie/en/dpc-guidance/decisions/fines", "version": 2 }, { "changed": true, "checked_at": "2026-04-17T18:47:52.467039+00:00", "content_hash": "26e8ea33fca72a63dddf4b7743c21a3e9d908c5f9fa5af0d3ac835b73e76d6fd", "content_title": "FTC v Kochava, Inc. | Federal Trade Commission", "etag": "\"1776451443\"", "id": "kochava", "label": "FTC v. Kochava", "last_modified": "Fri, 17 Apr 2026 18:44:03 GMT", "offline": false, "status_code": 200, "url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/ftc-v-kochava-inc", "version": 2 }, { "changed": true, "checked_at": "2026-04-17T18:47:53.155960+00:00", "content_hash": "a2835dd2650bf9c98923096e79096af513b1b2e7f8f358df4ee52262e7e20ee7", "content_title": "FTC Investigation Leads to Lawsuit Against TikTok and ByteDance for Flagrantly Violating Children\u2019s Privacy Law | Federal Trade Commission", "etag": "\"1776451373\"", "id": "tiktok-bytedance-coppa", "label": "FTC/DOJ v. TikTok and ByteDance", "last_modified": "Fri, 17 Apr 2026 18:42:53 GMT", "offline": false, "status_code": 200, "url": "https://www.ftc.gov/news-events/news/press-releases/2024/08/ftc-investigation-leads-lawsuit-against-tiktok-bytedance-flagrantly-violating-childrens-privacy-law", "version": 2 } ], "source_watch_changed": 6, "source_watch_count": 10, "source_watch_errors": 1, "workspace_name": "LawZeee" }