Rebecca C. Lutzko United States Attorney for the Northern District of Ohio | U.S. Attorney for the Northern District of Ohio
A Chinese national, Davis Lu, has been sentenced to four years in prison for deploying destructive computer code on the network of his former employer, a global company based in Beachwood, Ohio. The sentencing was handed down by U.S. District Judge Pamela A. Barker on August 21, following Lu’s conviction in March for intentionally damaging protected computers.
Lu, 55, had lived in Houston and was legally authorized to work in the United States. In addition to his prison term, he will serve three years of supervised release after imprisonment. The amount of restitution is yet to be determined.
“The defendant breached his employer’s trust by using his access and technical knowledge to sabotage company networks, wreaking havoc and causing hundreds of thousands of dollars in losses for a U.S. company,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division. “However, the defendant’s technical savvy and subterfuge did not save him from the consequences of his actions. The Criminal Division is committed to identifying and prosecuting those who attack U.S. companies, whether from within or without, to hold them responsible for their actions.”
According to court documents and evidence presented at trial, Lu worked as a software developer at the company from November 2007 until October 2019. After a corporate realignment reduced his responsibilities and system access in 2018, Lu began sabotaging systems. By August 4, 2019, he had introduced malicious code that caused system crashes and prevented user logins by creating “infinite loops.” He also developed code that deleted coworker profiles and implemented a “kill switch” designed to lock out all users if his name was removed from the directory.
The kill switch was triggered on September 9, 2019—after Lu’s termination—when his credentials were disabled. This action affected thousands of users globally. Investigators found that Lu named one malware program “Hakai,” meaning “destruction” in Japanese, and another “HunShui,” meaning “sleep” or “lethargy” in Chinese.
On the day he was instructed to return his company laptop, Lu deleted encrypted data and executed commands making it unrecoverable by forensic software. His internet search history indicated he researched ways to escalate privileges and delete files rapidly.
“The extreme chaos caused by just one person who used his creative mind and technical talents to thwart his employer’s business operations was not only disruptive – it was criminal. Those who weaponize their knowledge to inflict damage will be held accountable,” said U.S. Attorney David M. Toepfer for the Northern District of Ohio. “We would like to acknowledge and thank the FBI Cleveland Division for their incredible expertise in investigating computer crimes to bring criminals like Mr. Lu to justice.”
Assistant Director Brett Leatherman of the FBI’s Cyber Division stated: “The FBI works relentlessly every day to ensure that cyber actors who deploy malicious code and harm American businesses face the consequences of their actions... This case also underscores the importance of identifying insider threats early and highlights the need for proactive engagement with your local FBI field office to mitigate risks and prevent further harm.”
FBI Cleveland Special Agent in Charge Greg Nelsen added: “Davis Lu was intent on inflicting widescale damage to his employer with reckless disregard... We will continue to defend the homeland and its American businesses to identify and investigate cyber criminals who seek to harm companies, and we will bring them to justice.”
Senior Counsel Candina S. Heath of the Justice Department’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant United States Attorneys Daniel J. Riedl and Brian S. Deckert for the Northern District of Ohio prosecuted this case.
The Department of Justice’s CCIPS collaborates with domestic and international law enforcement agencies, as well as private sector partners, when investigating cybercrime cases. Since 2020, it has secured convictions against more than 180 cybercriminals while recovering over $350 million for victims.