A federal jury in Cleveland, US has convicted a former software developer from Houston for deliberately disrupting the computer systems of his former employer. The 55-year-old developer, named Davis Lu, was charged with embedding malicious software into the network of an Ohio-based company, where he had been employed for nearly 12 years until October 2019.
According to court documents and trial evidence, Lu’s actions were a response to a corporate restructuring in 2018 that reduced his job responsibilities and system access. In a retaliatory move, Lu introduced harmful code designed to destabilise the company’s computer systems. By August 2019, he had executed malicious scripts that created “infinite loops,” overwhelming server resources by continuously generating new threads that lacked proper termination protocols. These actions led to severe system outages and prevented employees from accessing their accounts.
Retaliatory acts following corporate restructuring
In addition to causing system crashes, Lu deleted colleagues’ profile data and implemented a sophisticated “kill switch” mechanism. This digital trap was set to lock out all users if their own account credentials were disabled within the company’s active directory. Named “IsDLEnabledinAD,” this kill switch automatically triggered upon Lu’s termination on 9 September 2019, affecting thousands of users worldwide.
Further examination revealed that on his final day of employment, the developer deleted encrypted data from his company-issued laptop. An investigation into his internet activity showed that he had researched advanced techniques for escalating system privileges, hiding processes, and deleting files quickly. These searches suggested an intention to hinder recovery efforts by his colleagues and maintenance teams.
The targeted company was identified as Eaton Corporation, a global entity specialising in providing power management solutions across various industries, including electrical, hydraulic, and mechanical sectors. The US Department of Justice (DOJ) reported that Lu’s sabotage resulted in financial damages totalling hundreds of thousands of dollars.
Lu has been found guilty of intentionally causing damage to protected computer systems and faces a maximum sentence of 10 years in prison. His sentencing date remains undecided as it awaits determination by a federal district court judge who will consider US Sentencing Guidelines along with other statutory factors.
The announcement of Lu’s conviction was made by officials from the DOJ’s criminal division and the FBI Cleveland Field Office. The FBI’s Cleveland office led the investigation into the case. The prosecution is being managed by Senior Counsel Candina S. Heath from the criminal division’s computer crime and intellectual property section, along with Assistant US Attorneys Daniel J. Riedl and Brian S. Deckert from the Northern District of Ohio.
“Sadly, Davis Lu used his education, experience, and skill to purposely harm and hinder not only his employer and their ability to safely conduct business but also stifle thousands of users worldwide,” said FBI Special Agent in Charge Greg Nelsen. “The FBI and its cadre of exceptionally qualified agents and analysts will continue to identify, find, and investigate individuals who seek to carry out deliberate and destructive actions against businesses or organisations for retaliatory or malicious purposes.”
Read more: FBI takes down ‘Radar/Dispossessor’ ransomware group, 43 companies targeted worldwide
