                            UNITED STATES DISTRICT COURT
                            FOR THE DISTRICT OF COLUMBIA


  UNITED STATES OF AMERICA

                  v.                                     Criminal Action No. 18-359-4 (JDB)
  THOMAS KENNEDY MCCORMICK,
            Defendant.



                                  MEMORANDUM OPINION

       Thomas McCormick was indicted on December 4, 2018, on seven counts of Racketeer

Influenced Corrupt Organization conspiracy in violation of 18 U.S.C. § 1962(d), conspiracy to

commit bank and wire fraud in violation of 18 U.S.C. § 1349, and aggravated identity theft in

violation of 18 U.S.C. § 1028A. The government alleges that McCormick, under the alias “fubar,”

engaged in a variety of illegal activities on Darkode, an invitation-only online forum that facilitated

the sale of malware and other illicit goods and services. Before the Court is McCormick’s motion

to suppress evidence obtained pursuant to a December 2013 search warrant or, alternatively, to

hold a hearing pursuant to Franks v. Delaware, 438 U.S. 154 (1978), about information omitted

from the application for that warrant. Defs.’ Mot. to Suppress or, in the Alternative, Request for

a Franks Hr’g (“Def.’s Mot.”) [ECF No. 27] at 5–15. The government opposes the motion.

Gov’t’s Opp’n to Def.’s Mot. to Suppress (“Gov’t’s Opp’n”) [ECF No. 28]. For the reasons that

follow, the motion is denied.

       I.       FACTUAL BACKGROUND

       An online user operating under the moniker “fubar” came to the FBI’s attention in 2009

for allegedly coding, advertising, and selling malware. Aff. of Special Agent David Hitchcock in

Supp. of an Appl. for a Search Warrant (“Hitchcock Aff.”), Ex. 2 to Gov’t’s Opp’n [ECF No. 28-
2] ¶¶ 6–17. In January 2010, fubar allegedly sold malware used to harvest banking credentials to

an undercover FBI agent. Id. ¶¶ 11–14. By August 2010, the FBI had traced online activity of

fubar to McCormick’s parents’ home address in Cambridge, Massachusetts, where the teenaged

McCormick then resided, but FBI agents did not immediately identify McCormick as residing at

that address. See Aug. 5, 2010, FBI communication, Ex. 3 to Def.’s Mot. [ECF No. 27-3] at 1–2.

At the time, FBI investigators explained that fubar might not appear in law enforcement databases

because he “may be in high school and not hav[e] a significant credit history.” Id. at 2–3. FBI

agents finally matched McCormick to his online moniker fubar in January 2011, shortly after

McCormick’s eighteenth birthday. See FBI email, Ex. 2 to Def.’s Mot. [ECF No. 27-2] at 1–2.

       In the months that followed, McCormick finished high school and moved away to college.

In early December 2013—almost three years after first identifying McCormick as “fubar” and

about a month after McCormick turned twenty-one—the FBI sought a search warrant to search

McCormick’s college dorm room for evidence related to his online activities. Search Warrant, Ex.

1 to Gov’t’s Opp’n [ECF No. 28-1] at 1. FBI Special Agent David Hitchcock submitted an

affidavit in support of the warrant application. See Hitchcock Aff. In addition to outlining the

January 2010 controlled buy of malware from fubar, the affidavit explained that the FBI had

obtained records in 2012 and 2013 from Google, Microsoft (McCormick’s employer during a

summer internship), and other sources that corroborated the connection between McCormick and

fubar. Hitchcock Aff. ¶¶ 11–14, 17a–d. Information obtained from a confidential informant in

the Darkode community had also provided evidence that fubar continued to participate in Darkode

forums and had logged in as a Darkode administrator as recently as September 10, 2013. Id. ¶ 7–

9. Pen trap information obtained in early 2013 from McCormick’s university further showed that

he had continued to access his fubar Darkode account from the university. Id. ¶ 17c, 17e. The

                                                   2
affidavit does not mention that FBI agents made the connection between fubar and McCormick as

early as January 2011. See id.

       A magistrate judge issued the search warrant on December 4, 2013. Search Warrant at 1.

The FBI executed the search warrant on December 5, 2013, recovering a laptop computer, tablet,

smartphone, several external storage devices, and some papers. Id. at 2.

       McCormick alleges that “the only rational explanation” for the years-long delay between

identifying McCormick and seeking the search warrant “was to ‘run the clock’ until [he] turned

twenty-one years old and thus would no longer have the protections of juvenile status.” Def.’s

Mot. at 15. Accordingly, McCormick argues that probable cause was lacking for the warrant

because the information supporting the warrant was stale, and that, in the alternative, a Franks

hearing is necessary “to investigate why the agents failed to provide material information in the

search warrant application, namely the fact that they had identified Mr. McCormick as their suspect

nearly three years prior to the date of application.” Id. at 1–2.

       II.     LEGAL STANDARD

       The Fourth Amendment protects “[t]he right of the people to be secure in their persons,

houses, papers, and effects, against unreasonable searches and seizures.” U.S. Const. amend. IV.

Law enforcement actions taken under a warrant are preferred to searches and seizures without one,

and “in a doubtful or marginal case a search under a warrant may be sustainable where without

one it would fall.” United States v. Ventresca, 380 U.S. 102, 106–07 (1965).

       For a valid warrant to issue, “[s]ufficient information must be presented to the magistrate

to allow that official to determine probable cause; his action cannot be a mere ratification of the

bare conclusions of others.” Illinois v. Gates, 462 U.S. 213, 239 (1983). However, the magistrate’s

task is not a technical one. “[T]he issuing magistrate is simply to make a practical, common-sense


                                                      3
decision whether, given all the circumstances set forth in the affidavit before him, . . . there is a

fair probability that contraband or evidence of a crime will be found in a particular place.” Id. at

238. The corresponding “duty of a reviewing court is simply to ensure that the magistrate had a

substantial basis for concluding that probable cause existed.” Id. at 238–39 (alterations and

citation omitted). Because “[r]easonable minds frequently may differ on the question whether a

particular affidavit establishes probable cause,” the Supreme Court has “accord[ed] ‘great

deference’ to a magistrate’s determination” even though that deference “is not boundless.” United

States v. Leon, 468 U.S. 897, 914 (1984) (quoting Spinelli v. United States, 393 U.S. 410, 419

(1969)).

       III.    MOTION TO SUPPRESS

       The first issue raised by McCormick is whether the December 2013 search warrant relied

on stale information that could not support a finding of probable cause. Def.’s Mot. 7–12.

       A warrant will lack adequate support—and hence be invalid—if the facts contained in its

supporting affidavit have “become stale by the passage of time.” Sgro v. United States, 287 U.S.

206, 215 (1932). For a valid search warrant to issue, law enforcement officers must offer “proof

. . . of facts so closely related to the time of the issue of the warrant as to justify a finding of

probable cause at that time.” Id. at 210. “Whether the proof meets this test must be determined

by the circumstances of each case,” id. at 210–11, and “different kinds of information go stale at

different rates,” United States v. Johnson, 437 F.3d 69, 72 (D.C. Cir. 2006). In determining the

“likelihood that the evidence sought is still in place,” courts consider

       the character of the crime (chance encounter in the night or regenerating
       conspiracy?), of the criminal (nomadic or entrenched?), of the thing to be seized
       (perishable and easily transferable or of enduring utility to its holder?), of the place
       to be searched (mere criminal forum of convenience or secure operational base?),
       etc.


                                                      4
United States v. Matthews, 753 F.3d 1321, 1325 (D.C. Cir. 2014) (quoting United States v. Bruner,

657 F.2d 1278, 1298 (D.C. Cir. 1981)).

        McCormick argues that the information in the affidavit was stale because it primarily

relates to offenses committed in 2010 when McCormick was in high school—approximately three

years before the search warrant issued. Def.’s Mot. at 9. During the interim, McCormick had

changed residences several times: from his family home, to college dorms, and to Seattle,

Washington, for a summer internship. Id. McCormick also notes that the transition between high

school and college is “a typical time to replace and update computer equipment,” which he in fact

did. Id. at 10. In failing to address these changes in his circumstances, McCormick asserts, “the

FBI assumed without any evidence that [he] was carrying years old computer equipment around

with him everywhere he went.” Id. at 11. In sum, McCormick argues that the long duration of

time that had passed between the alleged criminal conduct and the issuance of the search warrant,

combined with the well-understood obsolescence of computer equipment over time and several

changes in his residence, rendered it unreasonable for the magistrate to conclude that evidence of

the alleged conduct was likely to be found in McCormick’s dorm room.

       The government responds that the information in the affidavit was not stale. As to the type

of offense, the government notes that courts considering staleness have distinguished “the currency

of information supporting probable cause in the context of extended conspiracies” from that of

“single-incident crimes.” Gov’t’s Opp’n at 15 (quoting United States v. Webb, 255 F.3d 890, 905

(D.C. Cir. 2001)). The government argues that this case presents “a continuing offense and not a

single incident crime”—namely a long-term racketeering conspiracy offense centered around the

Darkode site for which McCormick was allegedly an administrator—and that it was reasonable to

believe that a search of his computers would reveal evidence of his involvement with that ongoing,

                                                    5
long-term conspiracy. Gov’t’s Opp’n at 15. As opposed to circumstances in which the evidence

sought is consumable, like drugs, the government also argues that “[s]taleness is even less of a

concern when records or documents are digital, because digital files remain on computers for

extensive periods of time.” Id. at 17.

         The Court concludes that the information contained in the supporting affidavit was not

impermissibly stale. First, the character of the alleged criminal conduct supports a finding of

probable cause. See Matthews, 753 F.3d at 1325. FBI agents investigated McCormick with the

belief that he was involved in an organized, long-term, international conspiracy, and hence it was

more likely that his computer would continue to contain evidence of this ongoing conduct in

December 2013. The recent login activity from the university campus, corroborated by the

confidential informant and pen trap information, supported a conclusion that McCormick

continued to be actively engaged with activities on the Darkode site and thus that evidence of

criminal conduct was still likely to be found in his dorm room. 1

         In addition, “the thing to be seized”—namely, computer hardware and digital files—are

nonperishable and durable over time. Matthews, 753 F.3d at 1325. Notwithstanding the time that

had passed since some of the earliest alleged conduct, the affiant explained that computer files can


          1
            McCormick also argues that the information derived from the confidential informant in 2012 and 2013 fails
to support a finding of probable cause because there “are no allegations in the warrant application that during
[McCormick’s] intermittent log-ins [to Darkode in 2012 and 2013 he] was undertaking any unlawful activity.” Def.’s
Mot. at 11. To the contrary, he argues, some of the conduct alleged by the informant included McCormick writing in
a Darkode forum that he no longer “d[id] ransomware”—in other words, disclaiming ongoing criminal activity. Id.
He explains that he “did log in as an administrator [in 2013], [but] he did so because logging in was required to browse
the site and instant message with his friends.” Id. Because the more recent acts alleged in the affidavit did not amount
to allegations of new criminal conduct, McCormick argues that this information does not support probable cause for
the search warrant or otherwise revive older, stale information. Id. at 9–11.
          This argument misses the point. A magistrate is not required to find that the target of a search warrant
recently committed a crime, but only that contraband or evidence of illegal conduct will be found in a particular place.
Thus, even if McCormick’s logins to Darkode in 2012 and 2013 ultimately have an innocent explanation, he still
demonstrated a long-term pattern of logging into a digital black marketplace in the role of an administrator, which
made it more likely that evidence of McCormick’s (or his co-conspirators’) illicit conduct on Darkode would be found
on McCormick’s computer in his dorm room. The magistrate could have reasonably considered this conduct—
alongside other facts alleged in Hitchcock’s affidavit—as supporting probable cause to issue the warrant.
                                                               6
be recovered years after being written, downloaded, or viewed because these files can be stored at

little or no cost, are often transferred to a new computer even if the old computer is replaced, and

can be recovered on a storage device even when they have been deleted unless overwritten with

new data. Hitchcock Aff. ¶¶ 26a–b. Further, it is reasonable to believe that a person who writes

valuable code—whether benevolent or malicious—would keep a copy of that code because of its

“enduring utility.” Matthews, 753 F.3d at 1325. The characteristics of the defendant and the place

to be searched also support a finding of probable cause. The alleged crimes were conducted

through McCormick’s computer, and McCormick was an “entrenched” college student operating

out of his “secure operational base,” see id.—that is, a dorm room where he lived, kept his

computer and other belongings, and accessed the Internet. This contrasts with a case in which the

locus of alleged criminal conduct was somewhere other than a defendant’s place of residence.

       In sum, the characteristics of the crime, the defendant, the things to be seized, and the place

to be searched all support the conclusion that the information asserted in the affidavit supporting

the warrant application was not impermissibly stale, and the magistrate judge had sufficient

information to reasonably conclude that “the illegal activity, contraband, or evidence of the same

was ‘probably’ on the premises described in the warrant”—McCormick’s dorm room—at the time

the warrant issued. Id. at 1324. Because the search warrant issued on probable cause, it is valid,

and the fruits of the search will not be suppressed.

       IV.     REQUEST FOR A FRANKS HEARING

       McCormick next raises the affidavit’s failure to note that the FBI had identified fubar as

McCormick no later than January 2011. McCormick argues that this omission was material to the

probable cause determination and amounted to “reckless disregard for the truth.” Def.’s Mot. at




                                                       7
12 (quoting Franks, 438 U.S. at 155). Accordingly, he requests a Franks hearing to investigate the

omission.

       When a defendant “makes a substantial preliminary showing that a false statement

knowingly and intentionally, or with reckless disregard for the truth, was included by the affiant

in the warrant affidavit, and if the allegedly false statement is necessary to the finding of probable

cause, the Fourth Amendment requires that a hearing be held at the defendant’s request.” Franks,

438 U.S. at 155–56. The Franks standard also applies to material omissions. See United States v.

Spencer, 530 F.3d 1003, 1008 (D.C. Cir. 2008). “[A] defendant seeking to obtain a Franks hearing

must show that (1) the affidavit contained false statements or omitted certain facts; (2) the false

statements or omitted facts were material to the finding of probable cause; and (3) the false

statements or omissions were made knowingly and intentionally, or with reckless disregard for the

truth.” United States v. Ali, 870 F. Supp. 2d 10, 27 (D.D.C. 2012) (citing United States v.

Becton, 601 F.3d 588, 594 (D.C. Cir. 2010); Spencer, 530 F.3d at 1007).

       McCormick argues that the affiant’s failure “to disclose that [fubar’s] identity was

uncovered years prior to the application for the search warrant,” along with selective inclusion of

other information that made it seem like the FBI had only recently identified McCormick,

constituted a material omission that likely misled the magistrate issuing the warrant. Def.’s Mot.

at 12–14. McCormick states that “[a] reviewing magistrate would presumably want to know when

the subject of a search warrant was first identified and the reasons for the subsequent delay in

requesting such a warrant.” Id. at 14. McCormick also alleges that the government officers

omitted this information with at least reckless disregard for the truth in order to “run the clock”

until McCormick “turned twenty-one years old and thus would no longer have the protections of

juvenile status.” Id. at 12, 15. Further, McCormick alleges that the affiant “focus[ed] on subpoena

                                                      8
returns in 2013 . . . [to] create[] the illusion of ‘fresh’ evidence to support the probable cause

[inquiry] and to suggest that the investigation was proceeding with an appropriate sense of

urgency” when it was not. Def.’s Reply to Gov’t’s Opp’n [ECF No. 31] at 10.

       The government claims that the omission was not material to the allegations in the

application for the search warrant and had no effect on the magistrate’s probable cause

determination. Gov’t’s Opp’n at 9. Even if FBI investigators made the connection in January

2011 between fubar, McCormick’s parents’ address, and McCormick, the government contends

that more investigative work remained to be done, as it was the government’s burden not just to

show that McCormick used the alias fubar or that McCormick had logged in as fubar from his

parents’ home address in 2010, but also that “McCormick was in possession of incriminating

digital evidence” in December 2013 and that such evidence would be found in his university dorm

room. Id. at 12. “The affiant selected specific information relevant to establish probable cause to

seize particular items of digital and computer evidence,” and the government contends that the

January 2011 identification was omitted because it was not required for this purpose. Id. at 13.

The government also argues that a request for a Franks hearing should be denied where, as here,

there has been no “substantial preliminary showing that the challenged statement or omission was

essential to the magistrate’s finding of probable cause.” Id.

       The Court concludes that the omitted facts were not material to the finding of probable

cause. “[O]mitted facts are only material if their inclusion in the affidavit would defeat probable

cause,” or, put differently, if “their recitation would have tipped the balance against a finding of

probable cause.” Ali, 870 F. Supp. 2d at 27 (internal quotation marks omitted) (quoting Spencer,

530 F.3d at 1007; United States v. Davis, 617 F.2d 677, 694 (D.C. Cir. 1976)). Here, the timing

of the government’s identification of McCormick as fubar, in itself, would not have weighed in

                                                     9
the magistrate’s determination of whether, given all the circumstances, there was “a fair probability

that contraband or evidence of a crime [would] be found” in McCormick’s dorm room in

December 2013. Gates, 462 U.S. at 238. When the FBI knew McCormick was fubar is not

pertinent to whether he might have evidence in his dorm room. The omitted information—that

FBI officers identified fubar as likely being McCormick in 2011, when he lived at home with his

parents, as opposed to in 2013 or at any other time—is simply irrelevant to the question whether

evidence of a crime or other contraband would be located in McCormick’s dorm room in

December 2013. 2 With or without this information, “the magistrate had a substantial basis for

concluding that probable cause existed.” Gates, 462 U.S. at 238–39 (internal quotations marks

omitted). The inclusion of information about the FBI’s identification of McCormick in January

2011, then, would not have tipped the balance against finding probable cause, so the omission of

the information was not material and a Franks hearing is not required.

                                                  *        *        *

         McCormick’s motion to suppress evidence recovered from the December 2013 search

warrant and, in the alternative, for a Franks hearing is denied. A separate order will issue on this

date.

                                                                                        /s/
                                                                             JOHN D. BATES
                                                                        United States District Judge
Dated: August 6, 2019




         2
          McCormick has raised discrete legal challenges related to the government’s delay in this case through
separate motions. This opinion considers the delay only as it applies to the motion to suppress or for a Franks hearing.
                                                               10
