Non-Lawyers' Summary
This post is the case-law map for cybersecurity. It explains the court decisions that define what counts as hacking, when data-breach victims can sue, how spyware cases fit in U.S. courts, and why extradition and procedure often matter as much as the underlying facts.
The Cases That Built the Law
Every statute starts as words on paper. The cases are where those words collide with reality.
A hacker runs one unauthenticated HTTP request against an AT&T server and walks away with 114,000 email addresses. A Supreme Court justice writes a metaphor about gates. A ransomware crew that crippled 1,500 businesses in a single afternoon sees one of its members arrested at a Polish border crossing. An Israeli spyware company argues it cannot be sued because it only sells to governments. A Bitcoin launderer goes viral on Twitter while sitting on $4.5 billion in stolen cryptocurrency.
Cybersecurity law is built case by case. Statutes set the framework; litigation defines the edges. This module walks through the landmark decisions and prosecutions that have shaped the legal landscape — the cases that determined what CFAA actually reaches, whether you can sue a foreign spyware company in U.S. court, what it takes to have standing after your data is breached, and whether a hacker extradited from Eastern Europe will actually do time.
Understanding these cases is not optional background knowledge. They are the tools a practitioner reaches for when advising on CFAA charges, evaluating a breach class action, or arguing sovereign immunity.
What This Module Answers Fast
- Use this module when the real fight is venue, standing, access revocation, public scraping, sovereign immunity, extradition, or cyber-disclosure theory.
- Start here when someone cites a cyber case and you need to know what it actually moved before repeating the citation.
- This is the right module when the question is not "what happened," but which procedural or technical hinge changed the legal result.
- For litigators, this is the shortcut from a case name to the argument it supports and the limit on that argument.
- For in-house and compliance teams, this is the quickest way to distinguish live operational lessons from background doctrine.
The Quick Lookup — Find Your Case By Issue
| If your issue is... | Start with... | Why it matters | What it does not prove |
|---|---|---|---|
| Can the government or plaintiff even bring this in this forum? | United States v. Auernheimer | Venue can collapse an otherwise viable cyber prosecution. | It does not decide whether the underlying access was unauthorized. |
| Does an overseas indictment matter if the defendant is not in custody? | Park Jin Hyok DOJ complaint | Shows that attribution, sanctions, and travel risk can be the real point of the case. | It does not mean the defendant will ever face trial in the United States. |
| Can a private foreign hacker actually be captured and sentenced? | Nikulin DOJ sentencing and Vasinskyi DOJ sentencing | Extradition is realistic for private actors who travel through cooperating jurisdictions. | It does not say the same thing about protected state operators. |
| Did access become unauthorized after notice and blocks? | Facebook v. Power Ventures | This is the post-revocation, post-technical-block CFAA playbook. | It does not govern truly public-web access. |
| Do breach victims have enough injury to sue? | In re Zappos.com | Standing is often the first real battle in breach litigation. | It does not mean every exposure or statutory violation creates damages standing. |
| Does CFAA reach misuse of otherwise authorized access? | Van Buren v. United States | Narrows CFAA to crossing technical gates, not merely bad purpose. | It does not immunize every scraping, contract, or trade-secret dispute. |
| Can a private spyware vendor hide behind a foreign government client? | WhatsApp v. NSO | FSIA does not automatically shield private surveillance vendors. | It does not strip sovereign immunity from actual foreign states. |
| Is scraping public data likely outside CFAA after Van Buren? | hiQ v. LinkedIn | Publicly accessible data sits on the "gates up" side of the line. | It does not protect access after bypassing authentication or private gates. |
| How far can the SEC push cyber-disclosure theories? | SEC complaint against SolarWinds and Brown and SEC litigation release | Public cyber statements can become securities statements, but courts may narrow controls theories aggressively. | It does not establish a final merits win for the SEC. |
Issue Map
flowchart LR
A["Technical or procedural fact"] --> B["Case selection"]
B --> C["Legal hinge"]
C --> D["Usable consequence"]
A1["Access after notice + blocks"] --> B1["Power Ventures"]
B1 --> C1["Authorization revoked"]
C1 --> D1["CFAA civil leverage"]
A2["Public profiles, no login gate"] --> B2["hiQ v. LinkedIn"]
B2 --> C2["Gates up / public access"]
C2 --> D2["Public scraping argument"]
A3["Data exposed, harm still disputed"] --> B3["Zappos"]
B3 --> C3["Standing / concrete injury"]
C3 --> D3["Breach pleading survival"]
A4["Vendor acts for foreign state clients"] --> B4["WhatsApp v. NSO"]
B4 --> C4["FSIA limit for private actors"]
C4 --> D4["Civil suit can proceed"]
A5["Cyber statements to investors"] --> B5["SEC v. SolarWinds"]
B5 --> C5["Fraud and controls theory"]
C5 --> D5["Disclosure risk framing"]
Timeline Overview
timeline
title Cybersecurity law & hacker-litigation milestones (selected)
2014 : Auernheimer (3d Cir.) vacates conviction on venue
2016 : Power Ventures (9th Cir.) CFAA after access revocation/blocks
2018 : Zappos (9th Cir.) standing after data breach
2020 : Nikulin sentenced (extradition + corporate hacks)
2021 : Van Buren (SCOTUS) narrows "exceeds authorized access"
2021 : WhatsApp v NSO (9th Cir.) rejects foreign sovereign immunity claim
2022 : U.S. signs Second Additional Protocol (Budapest Convention)
2023 : SEC sues SolarWinds and its CISO over cyber-risk disclosures
2024 : Vasinskyi (REvil) sentenced
2024 : SEC v SolarWinds survives in part on motion to dismiss
2024 : Lichtenstein/Morgan sentenced (Bitfinex)
2025 : SEC and SolarWinds stipulate to dismissal with prejudice
Part I: Criminal Cases
Case 1 — United States v. Auernheimer
Citation: 748 F.3d 525 (3d Cir. 2014)
Type: Criminal — CFAA
Primary source: Third Circuit case page
The Worst Moment First
He was convicted. Sentenced. Already serving time in federal prison when his lawyers went back to the transcript and found it: the prosecution had filed the case in the wrong state.
Not wrong by a technicality. Wrong in the sense that neither defendant had any meaningful connection to New Jersey, no victim was located there, and none of the computers that were accessed — servers sitting in Texas and Georgia — had any relationship to the district in which the government chose to bring the case.
The Third Circuit vacated the conviction. Not on the merits. On venue.
What Happened
Andrew Auernheimer and a co-conspirator exploited a configuration error in AT&T's servers to extract over 100,000 iPad users' email addresses and ICC-IDs. The exploit was a simple, unauthenticated GET request — no password was bypassed. No authentication was defeated. They sent a standard HTTP request and the server answered. They published the data and notified journalists. The government charged CFAA violations and conspiracy.
The Legal Question
Was New Jersey the proper venue for the prosecution? The computers accessed were in Texas and Georgia. Auernheimer was in Arkansas. Neither defendant had any contact with New Jersey.
What the Court Said
The Third Circuit vacated the conviction on venue grounds. The court found the government had not established that the crime "began, continued, or was completed" in New Jersey. The court did not reach the merits of whether the conduct constituted unauthorized access. The case that should have been the definitive ruling on what an unauthenticated API request means under CFAA ended without an answer on that question.
What Happened Next Would Define the Law for Decades
The case became a foundational lesson in federal criminal procedure: venue is not a technicality. In distributed cyberattacks touching multiple districts, choosing the wrong venue can void the entire prosecution. The government must affirmatively establish that the offense occurred in the chosen district. No element, no venue. No venue, no conviction.
What This Case Proves and What It Does Not
- For defense counsel: Venue challenges in CFAA cases are a real tool. If the defendant has no contact with the forum and the accessed computers were elsewhere, venue may be attackable.
- For prosecutors: Map the "where" of each element carefully before filing. The computers accessed, the defendant's location, and the victims' locations may all be in different districts.
- Limit: Auernheimer does not decide whether the underlying access was unauthorized. The CFAA question was never answered.
Case 2 — United States v. Park Jin Hyok
Action: 2018 DOJ indictment
Type: Criminal — CFAA, wire fraud, conspiracy
Primary source: DOJ complaint announcement
The Shadow Army
In a nondescript office building in Pyongyang, a group of programmers went to work every morning with the full backing of the North Korean state. They were not improvising. They were not teenagers in basements. They were professionals, organized, operating under military discipline, assigned to a unit that the rest of the world would eventually call the Lazarus Group.
What they built in those offices reshaped how the world thought about cyberwarfare.
The Scale of What They Did
The DOJ unsealed an indictment against Park Jin Hyok, a North Korean government programmer alleged to be a member of the Lazarus Group, for a series of devastating attacks:
- The 2014 Sony Pictures hack — destroyed computer systems, leaked corporate data, cost hundreds of millions in damages
- The 2016 Bangladesh Bank SWIFT heist — $81 million stolen from a central bank's account at the Federal Reserve in a single night
- The 2017 WannaCry ransomware attack — 200,000+ computers in 150 countries, hospitals unable to treat patients, entire economies disrupted
The Legal Question
Can the U.S. prosecute a North Korean government operative who has never set foot in the United States and is unlikely to ever be extradited?
The Answer — And Why the Point Was Never Trial
Indictment filed; Park remains at large. No trial, no custody. In 2021, the DOJ also indicted three other North Korean hackers linked to the same group.
But that wasn't the real story. The indictment was never about bringing Park Jin Hyok to trial. Indictments without custody are not failures — they are policy instruments. The U.S. government uses criminal indictments against state-sponsored hackers to:
- Create official public attribution backed by criminal-court-quality evidence
- Make travel risky — any country with a U.S. extradition treaty becomes dangerous
- Impose reputational and diplomatic costs on the North Korean government
- Lay groundwork for OFAC sanctions designations against the Lazarus Group
No one knew it yet — but this pattern of charging state-sponsored hackers by name would become the template for every major nation-state attribution in the decade that followed.
Limit: The Park Jin Hyok indictment does not mean the defendant will ever face trial in the United States. The realistic enforcement mechanism is sanctions — not incarceration.
Case 3 — United States v. Karim Baratov (The Yahoo Hack)
Action: 2017 charges; 2019 sentencing
Type: Criminal — unauthorized access, computer hacking, aggravated identity theft
Primary source: DOJ Yahoo/FSB charges announcement
The Largest Known Breach in History
Approximately three billion accounts. That number — three billion — is not a typo. The Yahoo hack compromised more accounts than any breach before or since: names, email addresses, passwords, security questions, backup email addresses, phone numbers. The digital fingerprints of billions of people, assembled in one place, stolen by Russian intelligence.
At the center of the operation were two FSB intelligence officers: Dmitry Dokuchaev and Igor Sushchin. They would never see the inside of an American courtroom.
But Karim Baratov would.
The Supply Chain of Hacking
Baratov, a Canadian national operating out of Canada, was a "hacker-for-hire." His job was specific: take the credentials stolen from Yahoo and use them to break into the targets' other accounts — Gmail, Yandex, other email services — wherever their Yahoo password or security questions still worked. He cracked email accounts on behalf of Russian intelligence for $100 per account.
He was not the mastermind. He was a tool — a weapon acquired off-market by a nation-state intelligence operation that needed plausible deniability and specialized capability.
The Legal Question
Can a Canadian hacker, operating in Canada, be extradited to the U.S. for crimes targeting U.S. companies and their users?
What Happened
Baratov was extradited to the United States, pled guilty, and was sentenced to 5 years in federal prison plus $2.25 million in restitution. The FSB officers were charged by the same indictment. They were never extradited.
What This Established
The extradition and plea pathway works for private actors. Unlike state-sponsored hackers who may enjoy de facto protection, private hackers operating in countries with U.S. extradition treaties face real custody risk. Baratov discovered this when Canadian authorities arrested him at U.S. request. The fact that the masterminds were beyond reach did not protect the accessible node in the chain.
The Shock Moment: $2.25 million in restitution — for a breach affecting three billion accounts. Individual criminal liability is almost never proportional to the actual scale of the harm.
Case 4 — United States v. Yevgeniy Nikulin
Action: 2016 indictment; 2020 sentencing
Type: Criminal — computer intrusion, aggravated identity theft, trafficking in unauthorized access devices
Primary source: DOJ sentencing announcement
The Diplomatic Battle Over a Hacker
In 2016, Czech authorities arrested Yevgeniy Nikulin at U.S. request. The charges: hacking LinkedIn, stealing 117 million credentials. Hacking Dropbox. Hacking Formspring. The stolen data had appeared for sale on dark web markets, traceable through infrastructure linked to Nikulin.
What came next was unexpected. Russia filed competing extradition requests. A diplomatic contest broke out — Moscow wanted Nikulin before Washington could get him. The Czech Republic took two years to decide.
It decided to send him to the United States.
The Legal Question
Would stolen credentials, dark web evidence, and infrastructure tracing be enough to convict a Russian national who chose to go to trial?
The Verdict
Convicted. Sentenced to approximately 88 months — more than 7 years — in federal prison plus restitution.
What the Case Established
Cross-border custody is possible but contested. When Russia files a competing extradition request for the same defendant, the political dimensions of a cybercrime case become visible. Nikulin's case shows that extradition is not only a legal decision — it is a geopolitical one.
It also shows that complex technical evidence holds up at trial. The government's case included purchased copies of the stolen databases from dark web markets, infrastructure tracing, and undercover investigation. The jury convicted.
The Long Tail: The LinkedIn breach, now known to have been used for years of follow-on social engineering attacks targeting executives, illustrates how corporate data becomes a weapon long after the initial intrusion. The criminal prosecution was a conclusion. The harm was ongoing.
Case 5 — United States v. Yaroslav Vasinskyi (REvil Ransomware)
Action: 2021 indictment; 2024 sentencing
Type: Criminal — conspiracy to commit fraud, substantive CFAA, money laundering, extortion
Primary source: DOJ sentencing announcement
The Weekend That Broke 1,500 Businesses
Over the July 4th weekend in 2021, a single software update from a company called Kaseya — deployed to managed service providers across the world — became a weapon. REvil, the ransomware group, had found a vulnerability in Kaseya's VSA software. When managed service providers deployed the update, their clients' systems were encrypted simultaneously. Fifteen hundred businesses. In one afternoon. Via a legitimate software update channel.
The ransom demand: $70 million in Bitcoin. For a universal decryptor.
At a Polish border crossing in October 2021, Ukrainian national Yaroslav Vasinskyi made the mistake of traveling through a jurisdiction that had an extradition relationship with the United States.
The Outcome
Extradited. Convicted. Sentenced to 13 years and 7 months in federal prison plus approximately $16 million in restitution.
What This Case Shows About the Modern Prosecution Model
The ransomware prosecution lifecycle is now mature: detection; attribution (by private sector and government intelligence working together); international arrest (when the suspect makes a travel error); conviction; significant sentencing. The model works when the suspect crosses into a cooperating jurisdiction.
The supply chain attack multiplier is now a recognized legal and legislative factor. The damage scope from a single supply chain compromise vastly exceeds direct attacks — Kaseya's customers became victims not because of anything they did wrong, but because their software vendor was targeted. Courts and legislators are incorporating this multiplier into harm assessments and sentencing calculations.
No one knew it yet, but the Vasinskyi prosecution would become the template for how governments around the world approach ransomware enforcement: follow the affiliates, extradite when travel allows, use the sentence as a deterrence signal to the crews still operating.
Case 6 — United States v. Ilya Lichtenstein + Heather Morgan (Bitfinex Hack Laundering)
Action: 2022 arrests; 2024 sentencing
Type: Criminal — money laundering conspiracy (not the underlying hack)
Primary source: DOJ sentencing announcement
$4.5 Billion, Hidden in Plain Sight
In 2016, approximately 120,000 Bitcoin were stolen from the Bitfinex cryptocurrency exchange — worth roughly $71 million at the time. The attacker was never identified. But the Bitcoin stayed on the blockchain, immovable and visible, waiting.
Six years later, the Bitcoin was worth $4.5 billion. And the people holding it were about to discover that blockchain forensics had been watching every move they made.
Ilya Lichtenstein and Heather Morgan — he was a tech entrepreneur; she was an eccentric rapper who wrote Forbes columns under the pseudonym "Razzlekhan" — had spent six years building an elaborate laundering architecture: chain hopping, mixing services, fictitious identities, darknet markets, and U.S. financial accounts. They did not conduct the hack. They laundered the proceeds.
The FBI traced every hop.
The Outcome
Both pled guilty to money laundering conspiracy. Lichtenstein: 5 years. Morgan: 18 months. The government seized approximately 94,000 Bitcoin — one of the largest cryptocurrency seizures in history — before and during the prosecution.
What This Changes
Modern cybercrime prosecution focuses on the monetization layer. When the actual hackers are unknown, unidentified, or beyond reach, prosecutors follow the money. Every Bitcoin transaction is recorded on a public ledger. Blockchain forensics has made cryptocurrency laundering progressively harder to conceal — even across years, even across chains, even across fictitious identities.
The "criminal mastermind" trap is real: Morgan's public persona as a Forbes contributor and rapper made her highly visible, highly traceable, and ultimately impossible to hide. Operational security failures by sophisticated criminals are not the exception — they are routine.
The Shock Moment: The biggest individual cryptocurrency seizure in history came not from catching the hacker, but from watching the launderer's moves — for six years — on a public blockchain.
Part II: Civil Cases
Case 7 — Facebook, Inc. v. Power Ventures, Inc.
Citation: 844 F.3d 1058 (9th Cir. 2016)
Type: Civil — CFAA
Primary source: Ninth Circuit opinion
The Day Authorization Died
Power Ventures built a platform that let users aggregate their social media data. Users consented. Power Ventures accessed Facebook on their behalf. For a while, Facebook tolerated it.
Then Facebook sent a cease-and-desist letter and implemented IP blocking.
Power Ventures routed around the blocks through proxy addresses and kept going.
Then the Ninth Circuit issued the ruling that changed everything for CFAA civil litigation:
Access after receipt of a cease-and-desist letter combined with the implementation of technical barriers constitutes "without authorization" under CFAA. Prior user consent did not permanently authorize access — when Facebook revoked it and implemented technical measures, further access became unauthorized. The user's permission was irrelevant. The platform owner's revocation was what counted.
The CFAA Civil Playbook That Emerged
For any company seeking to use CFAA to stop unwanted access, Power Ventures establishes a two-step formula: (1) send a cease-and-desist letter; (2) implement technical access blocks. If access continues after both, you have a CFAA civil claim. This combination turned a statute designed for criminal prosecutions into a competitive tool for platform operators.
The Limit: The C&D-plus-technical-block formula applies when data is gated by user accounts. It does not govern truly public-web access where no authentication exists. That distinction would matter enormously in the case that came six years later.
Case 8 — In re Zappos.com, Inc.
Citation: 888 F.3d 1020 (9th Cir. 2018)
Type: Civil — data breach class action; standing
Primary source: Ninth Circuit opinion
The First Battle in Every Breach Case
Twenty-four million customers. Names, emails, phone numbers, partial credit card data, encrypted passwords — all exposed. Zappos had been hacked, and the breach was public.
The class action was filed. Then the district court dismissed it — not because the company hadn't been negligent, not because the breach hadn't happened, but because the plaintiffs couldn't prove they had been harmed. Not yet. Maybe not ever. Potential harm from a breach that hadn't yet been exploited was, the district court decided, too speculative to support standing.
The Ninth Circuit reversed.
The Holding
The complaint adequately alleged a risk of real harm — not merely speculative — from exposure of credential data. The court allowed standing based on allegations of credible risk of future misuse. The plaintiffs didn't need to have already suffered identity theft. They needed to allege a credible, non-speculative risk that the exposed data would be used against them.
The Standing Battlefield
Standing is the gatekeeper in breach class actions — the threshold question before any merits are reached. The Supreme Court's decisions in Spokeo v. Robins (2016) and TransUnion LLC v. Ramirez (2021) have made standing the primary battleground. Different circuits apply these decisions differently. The Ninth Circuit, as Zappos shows, has been more permissive than others. In circuits that require actual misuse rather than credible risk, many breach class actions never get past the standing stage.
Pleading choices decide cases: Plaintiffs who allege only statutory violation without concrete harm allegations may be dismissed before merits. Plaintiffs who allege specific credible risks — actual receipt of phishing emails after the breach, fraudulent account openings linked to the exposed data — have better standing chances.
Case 9 — Van Buren v. United States
Citation: 141 S. Ct. 1648 (2021)
Type: Criminal — CFAA "exceeds authorized access"
Primary source: Supreme Court opinion
(Full analysis in Module 1A. Here we focus on its civil litigation significance.)
Civil Significance — The Aftershocks
The Supreme Court's Van Buren ruling narrowed "exceeds authorized access" to crossing technical gates — not merely misusing data from an area one was authorized to access. The civil implications rippled out immediately:
- Post-Van Buren, CFAA civil claims based on "misuse of authorized access" are weaker. Companies cannot use CFAA to punish employees who access authorized systems and misuse the data — other theories (trade secret misappropriation, breach of fiduciary duty, breach of contract) must carry that water.
- Scraping litigation shifted: hiQ v. LinkedIn (below) interprets Van Buren in the public-web scraping context, finding that publicly available data is on the "gates up" side of the line.
- The ruling created the legal architecture in which the following case — and every scraping dispute since — is analyzed.
Case 10 — WhatsApp LLC v. NSO Group Technologies
Citation: 12 F.4th 1 (9th Cir. 2021)
Type: Civil — immunity defenses; hacking/surveillance allegations
Primary source: Ninth Circuit opinion
The Spyware Company That Argued It Was a Government
NSO Group's product, Pegasus, is one of the most sophisticated surveillance tools ever built. It can remotely access a target's smartphone — reading messages, activating the camera, recording calls — without the target knowing anything is happening. Governments around the world have purchased it. Journalists, dissidents, human rights lawyers, heads of state — all have been targeted by it.
In 2019, WhatsApp alleged that NSO Group had used WhatsApp's own infrastructure — its servers, its protocol — to silently deliver Pegasus to approximately 1,400 mobile devices. NSO's response was extraordinary: it argued it couldn't be sued in U.S. courts because it was effectively acting on behalf of foreign governments. Under the Foreign Sovereign Immunities Act, it claimed, the lawsuit had to be dismissed.
The Shock Moment: The very tools built for surveillance became the claimed justification for immunity from the consequences of that surveillance. A private company, selling spyware to foreign states, argued it was entitled to the legal protections of those states.
The Ninth Circuit's Answer
Foreign sovereign immunity does not extend to private actors — even government contractors — under the FSIA. NSO Group is a private company. The fact that it sells to governments does not make it a government. The lawsuit could proceed.
What This Means for the Commercial Spyware Industry
Civil suits against foreign spyware vendors are possible in U.S. courts. NSO sits in a complex space — it sells to governments but is incorporated and operated as a private company. The Ninth Circuit's ruling creates civil exposure for the entire commercial spyware industry when their tools are used to attack U.S. platforms or U.S. persons.
The Limit: FSIA does not strip sovereign immunity from actual foreign states. The Pegasus operators who are employees of foreign intelligence services retain sovereign immunity. The case reaches NSO. It does not reach the states that deployed NSO's tools against their own populations.
Case 11 — hiQ Labs, Inc. v. LinkedIn Corp.
Citation: 31 F.4th 1180 (9th Cir. 2022)
Type: Civil — CFAA + public-web scraping
Primary source: Ninth Circuit opinion
The Paradox That Broke the Old CFAA Theory
LinkedIn sent a cease-and-desist letter. LinkedIn implemented technical blocking measures. LinkedIn was doing everything Power Ventures said a company needed to do to establish that access was "without authorization."
But then the Ninth Circuit asked the question that collapsed the argument: what was hiQ accessing?
Public profiles. Information that LinkedIn itself had made available to anyone with a browser — no account, no login, no authentication of any kind. The gate wasn't just "up." There was no gate.
The Holding (Post-Van Buren Analysis)
Scraping publicly accessible data likely does not violate CFAA. Because LinkedIn's public profiles are available without any authentication, accessing them is not "without authorization" under CFAA. You cannot be unauthorized to access information the platform made available to everyone.
The C&D + Technical Block Formula Has Limits
Power Ventures gave platform operators a powerful tool. hiQ clarified the boundary: that tool only works when data is actually gated. A cease-and-desist letter cannot create CFAA exposure where the underlying access was to publicly available information. The gate metaphor from Van Buren does the work — if the gate is up for everyone, you can't make someone a trespasser for walking through it.
What This Means Now
Security researchers and data companies that collect publicly available data have stronger footing post-hiQ. The protection is specifically limited to genuinely publicly accessible information. The moment authentication is required — the moment a gate exists — the analysis shifts entirely.
Case 12 — SEC v. SolarWinds Corp. and Timothy G. Brown
Action: 2023 SEC enforcement action; 2024 partial dismissal ruling; 2025 stipulated dismissal
Type: Civil / regulatory — securities fraud, false filings, cybersecurity controls, disclosure controls
Primary source: SEC complaint | SEC litigation release
The Security Statement That Became Evidence
SUNBURST is one of the most sophisticated supply chain attacks ever documented. Nation-state attackers embedded malicious code into SolarWinds' Orion software updates — deployed to 18,000 customers, including nine federal agencies and dozens of Fortune 500 companies. For months, the backdoor moved invisibly through networks at the highest levels of the U.S. government.
When the attack finally became public in December 2020, a different question emerged — not just about the attack itself, but about what SolarWinds had said about its cybersecurity practices while the attackers were already inside.
The Twist No One Saw Coming
The SEC sued SolarWinds and its Chief Information Security Officer, Timothy G. Brown, not for being hacked, but for what the company had said about its security before and after the hack. The agency alleged that from the October 2018 IPO through the December 2020 disclosures, SolarWinds overstated its cybersecurity controls and understated known cyber risk in public materials — including on the company's website.
A Security Statement on a company's public website. The SEC argued that statement was a material representation to investors.
The Legal Questions
How far can ordinary securities-fraud, false-filing, internal accounting controls, and disclosure controls theories reach when a public company allegedly misdescribes its cybersecurity maturity?
Current Posture — The Complicated Truth
On July 18, 2024, the Southern District of New York granted the motion to dismiss in part and denied it in part. The court allowed the SEC's securities-fraud theories tied to SolarWinds' public-facing Security Statement to proceed, but dismissed the fraud and false-filing claims based on other statements and filings, dismissed all post-SUNBURST disclosure claims, and dismissed the internal accounting controls and disclosure controls claims. In November 2025, the SEC and defendants filed a joint stipulation dismissing the action with prejudice as to the conduct alleged in the amended complaint.
The Lesson Hidden in the Outcome
SEC cyber enforcement did not begin with the 2023 incident-disclosure rules — the SolarWinds case was brought under older antifraud and reporting theories. Public website statements can become securities statements when they paint a picture of cybersecurity maturity that investors rely on. But courts may resist extending controls theories too far — the dismissal of the internal accounting controls and disclosure controls counts is a warning that not every cybersecurity weakness can be repackaged as a standalone securities violation.
Teach This Correctly: SolarWinds is not "the SEC sued a company for getting hacked." It is a mixed-result case that narrowed sharply on motion to dismiss and ended in stipulated dismissal rather than a merits judgment. Cite the posture, not just the filing.
Part III: Cross-Cutting Patterns
Pattern 1: Venue and Jurisdiction as Case-Killers
Auernheimer is the proof that a technically sound prosecution can fail on venue. Zappos illustrates how standing doctrine — itself a quasi-jurisdictional concept — filters civil cases before the merits. For every cyber case, practitioners must map: where did each element of the offense occur? Where was each defendant? Where were the victims? Where were the computers? The answers may point to multiple valid venues — or to a venue problem that defeats the entire case before any evidence is heard.
Pattern 2: Indictments Without Custody Are Not Failures
Park Jin Hyok, and the broader pattern of charging Chinese, Russian, Iranian, and North Korean hackers by name, shows that criminal indictments serve strategic purposes beyond prosecution. They create official U.S. government attribution backed by evidence standards, impose reputational costs, make travel dangerous for defendants, and lay groundwork for sanctions designations. For practitioners advising victims on whether to support or cooperate with government prosecution of overseas attackers, understand that the "case" may never go to trial — and that may not be the point.
Pattern 3: Standing Doctrine Is the Filter in Civil Breach Cases
The Supreme Court's decisions in Spokeo v. Robins (2016) and TransUnion LLC v. Ramirez (2021) have made standing the primary battleground in breach class actions. The merits — whether the company's security was "reasonable" — often never come into play because plaintiffs cannot establish concrete harm from the breach. In circuits that require actual misuse rather than risk of misuse, many breach class actions fail at the standing stage. Practitioners must build standing allegations carefully, documenting actual harm rather than relying on statutory violation alone.
Pattern 4: The Prosecution Is Increasingly About the Money Layer
Lichtenstein/Morgan (Bitfinex) shows the modern enforcement emphasis: follow the crypto. When attackers are unidentifiable or unreachable, law enforcement targets the laundering infrastructure. Blockchain forensics has matured to the point where even sophisticated multi-hop laundering can be traced. Companies that pay ransomware should understand they may receive calls from DOJ/FBI years later when the laundering chain is finally unraveled.
Pattern 5: The Sovereign Immunity Gap Is Narrowing for Private Actors
WhatsApp v. NSO establishes that private companies cannot shelter behind their government clients to claim FSIA immunity. This is significant for the growing commercial spyware and surveillance vendor market. But it does not reach the actual state actors who deploy these tools — Pegasus operators who are employees of foreign intelligence services retain sovereign immunity. The gap is narrowing. It has not closed.
Practical Use by Audience
Plaintiff-side / regulator use
- Use Zappos to frame why a breach plaintiff or regulator can treat credible future misuse as more than abstract risk.
- Use WhatsApp v. NSO to resist immunity arguments from private spyware vendors or other commercial cyber intermediaries.
- Use SolarWinds to show how cyber statements, security representations, and disclosure posture can become fraud or regulatory risk even before a final merits ruling.
Defense-side use
- Use Auernheimer to test whether venue is doing more work than the merits.
- Use Van Buren and hiQ to narrow CFAA theories that rely on misuse, terms-of-service breaches, or public-data access rather than true gate crossing.
- Use the narrowed controls theories in SolarWinds to argue that not every cyber weakness can be repackaged as a standalone securities-controls violation.
In-house / incident-response use
- Use Power Ventures to understand how authorization gets revoked in practice: notice plus technical blocks change the CFAA posture.
- Use Nikulin and Vasinskyi to explain that extradition risk is real for private actors who travel, even when immediate arrest feels remote.
- Use Lichtenstein/Morgan to explain to leadership why the money layer, not just the intrusion layer, becomes a long-tail enforcement risk.
Training / teaching use
- Start associates with the lookup table above, then make them explain why each case is about a hinge rather than a headline.
- Test whether they can distinguish cases that answer access, standing, venue, immunity, extradition, and disclosure without collapsing them into "cyber case law."
- Make them state both what each case helps prove and what it does not prove. That is where judgment starts.
Test Yourself Next
Use the quiz when you want to check whether you can map a real dispute to the right case before you cite it.