Buckeye Reporter

A Chinese national has been sentenced to four years in prison for intentionally damaging the computer systems of his former employer, a global corporation headquartered in Beachwood, Ohio. Davis Lu, 55, who lived in Houston and was legally authorized to work in the United States, was convicted by a federal jury in March for deploying destructive computer code on the company’s network. U.S. District Judge Pamela A. Barker issued the sentence on August 21. In addition to imprisonment, Lu will serve three years of supervised release. The amount of restitution will be determined later.

According to court records and trial evidence, Lu worked as a software developer for the company from November 2007 until October 2019. After his responsibilities and system access were reduced following a corporate realignment in 2018, he began sabotaging company systems. On August 4, 2019, Lu introduced malicious code that caused server crashes and blocked user logins by creating “infinite loops.” He also deleted coworker profiles and implemented a “kill switch” designed to lock out all users if his name was removed from the directory.

The kill switch was triggered on September 9, 2019—after Lu was terminated and his credentials disabled—impacting thousands of users worldwide. The program responsible for this disruption was named “IsDLEnabledinAD,” an abbreviation for “Is Davis Lu enabled in Active Directory.” Investigators found that he named other malware programs “Hakai” (Japanese for “destruction”) and “HunShui” (Chinese for “sleep” or “lethargy”). On his last day at work, Lu deleted encrypted data and executed commands making recovery impossible.

Evidence showed that Lu researched ways to escalate privileges, hide processes, and rapidly delete files before launching these attacks. The company reported losses totaling hundreds of thousands of dollars as a result.

“The defendant breached his employer’s trust by using his access and technical knowledge to sabotage company networks, wreaking havoc and causing hundreds of thousands of dollars in losses for a U.S. company,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division. “However, the defendant’s technical savvy and subterfuge did not save him from the consequences of his actions. The Criminal Division is committed to identifying and prosecuting those who attack U.S. companies, whether from within or without, to hold them responsible for their actions.”

“The extreme chaos caused by just one person who used his creative mind and technical talents to thwart his employer’s business operations was not only disruptive – it was criminal. Those who weaponize their knowledge to inflict damage will be held accountable,” said U.S. Attorney David M. Toepfer for the Northern District of Ohio. “We would like acknowledge and thank the FBI Cleveland Division for their incredible expertise in investigating computer crimes to bring criminals like Mr. Lu to justice.”

"The FBI works relentlessly every day to ensure that cyber actors who deploy malicious code and harm American businesses face the consequences of their actions,” said Assistant Director Brett Leatherman of the FBI’s Cyber Division. “I am proud of the FBI cyber team’s work which led to today’s sentencing and hope it sends a strong message to others who may consider engaging in similar unlawful activities. This case also underscores the importance of identifying insider threats early and highlights the need for proactive engagement with your local FBI field office to mitigate risks and prevent further harm.”

“Davis Lu was intent on inflicting widescale damage to his employer with reckless disregard,” said FBI Cleveland Special Agent in Charge Greg Nelsen. “The FBI is committed to protecting businesses from cyber intrusions and crippling threats to their companies, not only from unknown attackers, but also when the criminal is a once-trusted employee whose skill and intellect was used for malicious purposes. We will continue defend the homeland and its American businesses to identify and investigate cyber criminals who seek to harm companies, and we will bring them to justice.”

Senior Counsel Candina S. Heath from DOJ's Computer Crime & Intellectual Property Section (CCIPS), along with Assistant United States Attorneys Daniel J. Riedl and Brian S. Deckert from the Northern District of Ohio prosecuted this case.

The Department of Justice's CCIPS investigates cybercrime with both domestic law enforcement agencies as well as international partners; since 2020 it has obtained convictions against more than 180 cybercriminals while securing over $350 million returned through court orders.