A Kentucky man has pleaded guilty to federal charges he developed, marketed, and provided technical support for a "remote access trojan," or RAT—that is, software he knew customers used illegally to take control of other people’s computers.

Colton Grubbs used the handle "KFC Watermelon" to advertise the LuminosityLink administrative tool on Hackforums[dot]net, federal prosecutors alleged in an indictment filed last month. The indictment said the tool provided a variety of malicious capabilities including the ability for purchasers to control others’ computers, surreptitiously record users’ activities, and to view their files, login credentials, and personal information. Prosecutors said the defendant also used the hacker forum and a website located at luminosity[dot]link to teach users how to conceal their identities and prevent antivirus programs from detecting the tool.

On Monday, Grubbs signed a plea agreement admitting that from 2015 to 2017 he designed LuminosityLink and sold it for $40 apiece to more than 6,000 individuals, knowing that some of them were using it maliciously. Grubbs previously claimed the software was a legitimate tool for system administrators, but in Monday’s plea agreement he admitted he knew some customers were using it to control computers without owners’ knowledge or permission. The document, signed by Grubbs, stated:

Defendant's marketing emphasized these malicious features of LuminosityLink, including that it could be remotely installed without notification, record the keys that a victim pressed on their keyboard, surveil victims using their computer cameras and microphones, view and download the computer's files, steal names and passwords used to access websites, mine and earn virtual currency using victim computers and electricity, use victim computers to launch DDoS attacks against other computers, and prevent anti-malware software from detecting and removing LuminosityLink.

Grubbs also admitted he sent customers private messages that answered their questions about accessing and controlling victim computers without authorization. He also admitted to using Hackforums[dot]net to assemble a team of at least 19 people to support the remote access trojan and recruit affiliates to sell it. He said he collected payments through the PayPal and Stripe services and through Bitcoin.

Clean your room

The defendant admitted that during an FBI raid on his apartment last week, he called an associate and told him, “Clean your room.” Grubbs also said he took a variety of other steps to conceal his illegal activities. According to the document:

Defendant gave his laptop to his roommate and asked that it be concealed in the roommate's car. Defendant concealed a debit card associated with his bitcoin account in his kitchen cabinet. Defendant concealed a phone storing his bitcoin information in his roommate's closet. Defendant removed the hard drives from his desktop computer and removed them from his apartment before the authorized search so that they would not be seized by the government. Three days later, Defendant transferred over 114 bitcoin from his LuminosityLink bitcoin address into six new bitcoin addresses.

In all, Grubbs pleaded guilty to three of the 10 counts in last month’s indictment, including invasion of privacy, causing loss of at least $5,000 to protected computers, and conspiracy. Federal sentencing guidelines call for a maximum of 25 years and fines of $750,000.

The case is reminiscent of one brought against Taylor Huddleston, the maker of the NanoCore remote access trojan. After initially claiming it was a legitimate tool, Huddleston last year admitted he knew customers were using it to steal passwords, surreptitiously turn on webcams, and conduct other unlawful actions on infected computers. In February, Huddleston was sentenced to three years.