Following his March 2025 conviction for intentionally damaging protected computers, a Chinese national, Davis Lu, was sentenced to four years in federal prison and three years of supervised release. Lu wrote and deployed malicious code, including a "kill switch," on his Ohio-based employer's network. The code locked out thousands of users and caused hundreds of thousands of dollars in losses.
The "kill switch" was designed to automatically trigger if Lu's Active Directory account was disabled, and it activated when he was placed on leave and told to return his laptop on September 09, 2019. This immediately prevented access across the company's global systems.
According to related summaries and coverage of the U.S. Justice Department's press statements, Lu had worked as a software developer at the company since 2007 and began planting sabotage code after a 2018 corporate realignment reduced his role and access. He introduced scripts that created infinite loops to crash or hang servers, blocked legitimate logins, and deleted coworkers' profile files.
Lu named the kill switch "IsDLEnabledinAD," short for "Is Davis Lu enabled in Active Directory," conditioning its activation on his own status in the directory. This turned the mechanism into a retaliatory access lockout triggered by any personnel action that affected his account.
Investigators and prosecutors pointed to Lu's internet searches on his final day of access, showing research into escalating privileges, hiding processes, and rapidly deleting files, indicating his intent to obstruct remediation and complicate incident response by his coworkers and administrators.
Reporting tied the victim to Eaton Corporation, a power management company headquartered in Ohio, and emphasized the operational impact across thousands of users worldwide when the kill switch fired during his suspension in September 2019.
The case was framed by the Justice Department as a serious insider threat incident where trusted technical access was weaponized to sabotage company networks. Officials highlighted both the damage and the broader lesson for organizations to detect and mitigate insider risks proactively in collaboration with law enforcement.
Source: https://www.justice.gov/opa/pr/chinese-national-who-deployed-kill-switch-code-employers-network-sentenced-four-years-prison
Commentary
The criminal conduct described above is typically charged under the federal Computer Fraud and Abuse Act as intentional damage to a protected computer because the perpetrator used authorized access to plant destructive code that sabotaged an employer's systems affecting interstate commerce and caused significant loss.
DOJ characterizes these cases as malicious insider sabotage leveraging privileged access to disrupt networks and deny services. Courts have imposed prison terms and supervised release when evidence shows deliberate code-based lockouts, server crashes, and substantial financial impact.
In contemporary treatment, a "protected computer" includes private-sector systems used in, or affecting, interstate or foreign commerce, which brings retaliatory sabotage of this kind squarely within federal jurisdiction when the damage and operational reach meet the statutory thresholds.
Preventing this kind of loss requires managing both legal exposure and technical risk.
DOJ and federal guidance emphasize that organizations should detect anomalous human behavior early, integrate HR, legal, and security signals, and respond in a way that protects privacy while intervening before grievances escalate into sabotage.
Privileged access should be time-bound and continuously monitored, and most users should be held to least privilege by default.
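The kill switch in this case fired the moment an account was disabled and locked out thousands of users within minutes, so one concrete monitoring control is to correlate account-disable events with the lockouts that follow them. The script below is an added illustration written for this commentary, not code from the case or from any cited guidance; it uses the real Windows Security event IDs 4725 (account disabled) and 4740 (account locked out), but the event records, account names and timestamps are constructed samples.

```python
from datetime import datetime, timedelta

# Windows Security event IDs used below:
#   4725 = "A user account was disabled"
#   4740 = "A user account was locked out"
# The event records themselves are constructed samples, not real logs.
SAMPLE_EVENTS = [
    # Routine offboarding with nothing unusual afterwards.
    {"ts": "2019-09-09T08:00:00", "id": 4725, "target": "contractor7"},
    {"ts": "2019-09-09T08:05:00", "id": 4740, "target": "user042"},
    # A developer's account is disabled, then lockouts fan out across
    # many unrelated accounts within a few minutes.
    {"ts": "2019-09-09T10:00:00", "id": 4725, "target": "departing_dev"},
] + [
    {"ts": f"2019-09-09T10:{1 + n // 5:02d}:{(n % 5) * 10:02d}",
     "id": 4740, "target": f"user{n:03d}"}
    for n in range(25)
]


def correlate_disable_then_lockouts(events, window=timedelta(minutes=15),
                                    min_accounts=10):
    """For each account-disable event, count the distinct accounts locked
    out within `window` afterwards. A wide fan-out from a single disable is
    the signature of a lockout triggered by the disable itself rather than
    ordinary user error, so such cases are returned as alerts."""
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO strings sort safely
    alerts = []
    for i, e in enumerate(ordered):
        if e["id"] != 4725:
            continue
        t0 = datetime.fromisoformat(e["ts"])
        locked = set()
        for later in ordered[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > window:
                break
            if later["id"] == 4740:
                locked.add(later["target"])
        if len(locked) >= min_accounts:
            alerts.append({"disabled_account": e["target"],
                           "disabled_at": e["ts"],
                           "accounts_locked_out": len(locked)})
    return alerts


if __name__ == "__main__":
    for alert in correlate_disable_then_lockouts(SAMPLE_EVENTS):
        print("ALERT: lockout burst after account disable:", alert)
```

In a real deployment the same rule would run over the domain controllers' forwarded security logs, and the disable event for a departing privileged user is exactly the moment to watch most closely.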
Finally, governance and culture can reduce motive and opportunity. Regular insider-risk awareness training, confidential reporting channels, and supportive interventions for employees exhibiting stressors or anomalous behavior can help prevent insider attacks.
Additional Sources: https://www.odni.gov/files/NCSC/documents/nittf/20180209-CERT-Common-Sense-Guide-Fifth-Edition.pdf and https://www.dni.gov/files/NCSC/documents/nittf/20240926_Insider-Threat-Mitigation-for-US-Critical-Infrastructure.pdf
