UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
UNITED STATES OF AMERICA
v. Criminal Action No. 18-359-4 (JDB)
THOMAS KENNEDY MCCORMICK,
Defendant.
MEMORANDUM OPINION
Thomas McCormick was indicted on December 4, 2018, on seven counts of Racketeer
Influenced Corrupt Organization conspiracy in violation of 18 U.S.C. § 1962(d), conspiracy to
commit bank and wire fraud in violation of 18 U.S.C. § 1349, and aggravated identity theft in
violation of 18 U.S.C. § 1028A. The government alleges that McCormick, under the alias “fubar,”
engaged in a variety of illegal activities on Darkode, an invitation-only online forum that facilitated
the sale of malware and other illicit goods and services. Before the Court is McCormick’s motion
to suppress evidence obtained pursuant to a December 2013 search warrant or, alternatively, to
hold a hearing pursuant to Franks v. Delaware, 438 U.S. 154 (1978), about information omitted
from the application for that warrant. Defs.’ Mot. to Suppress or, in the Alternative, Request for
a Franks Hr’g (“Def.’s Mot.”) [ECF No. 27] at 5–15. The government opposes the motion.
Gov’t’s Opp’n to Def.’s Mot. to Suppress (“Gov’t’s Opp’n”) [ECF No. 28]. For the reasons that
follow, the motion is denied.
I. FACTUAL BACKGROUND
An online user operating under the moniker “fubar” came to the FBI’s attention in 2009
for allegedly coding, advertising, and selling malware. Aff. of Special Agent David Hitchcock in
Supp. of an Appl. for a Search Warrant (“Hitchcock Aff.”), Ex. 2 to Gov’t’s Opp’n [ECF No. 28-
2] ¶¶ 6–17. In January 2010, fubar allegedly sold malware used to harvest banking credentials to
an undercover FBI agent. Id. ¶¶ 11–14. By August 2010, the FBI had traced online activity of
fubar to McCormick’s parents’ home address in Cambridge, Massachusetts, where the teenaged
McCormick then resided, but FBI agents did not immediately identify McCormick as residing at
that address. See Aug. 5, 2010, FBI communication, Ex. 3 to Def.’s Mot. [ECF No. 27-3] at 1–2.
At the time, FBI investigators explained that fubar might not appear in law enforcement databases
because he “may be in high school and not hav[e] a significant credit history.” Id. at 2–3. FBI
agents finally matched McCormick to his online moniker fubar in January 2011, shortly after
McCormick’s eighteenth birthday. See FBI email, Ex. 2 to Def.’s Mot. [ECF No. 27-2] at 1–2.
In the months that followed, McCormick finished high school and moved away to college.
In early December 2013—almost three years after first identifying McCormick as “fubar” and
about a month after McCormick turned twenty-one—the FBI sought a search warrant to search
McCormick’s college dorm room for evidence related to his online activities. Search Warrant, Ex.
1 to Gov’t’s Opp’n [ECF No. 28-1] at 1. FBI Special Agent David Hitchcock submitted an
affidavit in support of the warrant application. See Hitchcock Aff. In addition to outlining the
January 2010 controlled buy of malware from fubar, the affidavit explained that the FBI had
obtained records in 2012 and 2013 from Google, Microsoft (McCormick’s employer during a
summer internship), and other sources that corroborated the connection between McCormick and
fubar. Hitchcock Aff. ¶¶ 11–14, 17a–d. Information obtained from a confidential informant in
the Darkode community had also provided evidence that fubar continued to participate in Darkode
forums and had logged in as a Darkode administrator as recently as September 10, 2013. Id. ¶ 7–
9. Pen trap information obtained in early 2013 from McCormick’s university further showed that
he had continued to access his fubar Darkode account from the university. Id. ¶ 17c, 17e. The
2
affidavit does not mention that FBI agents made the connection between fubar and McCormick as
early as January 2011. See id.
A magistrate judge issued the search warrant on December 4, 2013. Search Warrant at 1.
The FBI executed the search warrant on December 5, 2013, recovering a laptop computer, tablet,
smartphone, several external storage devices, and some papers. Id. at 2.
McCormick alleges that “the only rational explanation” for the years-long delay between
identifying McCormick and seeking the search warrant “was to ‘run the clock’ until [he] turned
twenty-one years old and thus would no longer have the protections of juvenile status.” Def.’s
Mot. at 15. Accordingly, McCormick argues that probable cause was lacking for the warrant
because the information supporting the warrant was stale, and that, in the alternative, a Franks
hearing is necessary “to investigate why the agents failed to provide material information in the
search warrant application, namely the fact that they had identified Mr. McCormick as their suspect
nearly three years prior to the date of application.” Id. at 1–2.
II. LEGAL STANDARD
The Fourth Amendment protects “[t]he right of the people to be secure in their persons,
houses, papers, and effects, against unreasonable searches and seizures.” U.S. Const. amend. IV.
Law enforcement actions taken under a warrant are preferred to searches and seizures without one,
and “in a doubtful or marginal case a search under a warrant may be sustainable where without
one it would fall.” United States v. Ventresca, 380 U.S. 102, 106–07 (1965).
For a valid warrant to issue, “[s]ufficient information must be presented to the magistrate
to allow that official to determine probable cause; his action cannot be a mere ratification of the
bare conclusions of others.” Illinois v. Gates, 462 U.S. 213, 239 (1983). However, the magistrate’s
task is not a technical one. “[T]he issuing magistrate is simply to make a practical, common-sense
3
decision whether, given all the circumstances set forth in the affidavit before him, . . . there is a
fair probability that contraband or evidence of a crime will be found in a particular place.” Id. at
238. The corresponding “duty of a reviewing court is simply to ensure that the magistrate had a
substantial basis for concluding that probable cause existed.” Id. at 238–39 (alterations and
citation omitted). Because “[r]easonable minds frequently may differ on the question whether a
particular affidavit establishes probable cause,” the Supreme Court has “accord[ed] ‘great
deference’ to a magistrate’s determination” even though that deference “is not boundless.” United
States v. Leon, 468 U.S. 897, 914 (1984) (quoting Spinelli v. United States, 393 U.S. 410, 419
(1969)).
III. MOTION TO SUPPRESS
The first issue raised by McCormick is whether the December 2013 search warrant relied
on stale information that could not support a finding of probable cause. Def.’s Mot. 7–12.
A warrant will lack adequate support—and hence be invalid—if the facts contained in its
supporting affidavit have “become stale by the passage of time.” Sgro v. United States, 287 U.S.
206, 215 (1932). For a valid search warrant to issue, law enforcement officers must offer “proof
. . . of facts so closely related to the time of the issue of the warrant as to justify a finding of
probable cause at that time.” Id. at 210. “Whether the proof meets this test must be determined
by the circumstances of each case,” id. at 210–11, and “different kinds of information go stale at
different rates,” United States v. Johnson, 437 F.3d 69, 72 (D.C. Cir. 2006). In determining the
“likelihood that the evidence sought is still in place,” courts consider
the character of the crime (chance encounter in the night or regenerating
conspiracy?), of the criminal (nomadic or entrenched?), of the thing to be seized
(perishable and easily transferable or of enduring utility to its holder?), of the place
to be searched (mere criminal forum of convenience or secure operational base?),
etc.
4
United States v. Matthews, 753 F.3d 1321, 1325 (D.C. Cir. 2014) (quoting United States v. Bruner,
657 F.2d 1278, 1298 (D.C. Cir. 1981)).
McCormick argues that the information in the affidavit was stale because it primarily
relates to offenses committed in 2010 when McCormick was in high school—approximately three
years before the search warrant issued. Def.’s Mot. at 9. During the interim, McCormick had
changed residences several times: from his family home, to college dorms, and to Seattle,
Washington, for a summer internship. Id. McCormick also notes that the transition between high
school and college is “a typical time to replace and update computer equipment,” which he in fact
did. Id. at 10. In failing to address these changes in his circumstances, McCormick asserts, “the
FBI assumed without any evidence that [he] was carrying years old computer equipment around
with him everywhere he went.” Id. at 11. In sum, McCormick argues that the long duration of
time that had passed between the alleged criminal conduct and the issuance of the search warrant,
combined with the well-understood obsolescence of computer equipment over time and several
changes in his residence, rendered it unreasonable for the magistrate to conclude that evidence of
the alleged conduct was likely to be found in McCormick’s dorm room.
The government responds that the information in the affidavit was not stale. As to the type
of offense, the government notes that courts considering staleness have distinguished “the currency
of information supporting probable cause in the context of extended conspiracies” from that of
“single-incident crimes.” Gov’t’s Opp’n at 15 (quoting United States v. Webb, 255 F.3d 890, 905
(D.C. Cir. 2001)). The government argues that this case presents “a continuing offense and not a
single incident crime”—namely a long-term racketeering conspiracy offense centered around the
Darkode site for which McCormick was allegedly an administrator—and that it was reasonable to
believe that a search of his computers would reveal evidence of his involvement with that ongoing,
5
long-term conspiracy. Gov’t’s Opp’n at 15. As opposed to circumstances in which the evidence
sought is consumable, like drugs, the government also argues that “[s]taleness is even less of a
concern when records or documents are digital, because digital files remain on computers for
extensive periods of time.” Id. at 17.
The Court concludes that the information contained in the supporting affidavit was not
impermissibly stale. First, the character of the alleged criminal conduct supports a finding of
probable cause. See Matthews, 753 F.3d at 1325. FBI agents investigated McCormick with the
belief that he was involved in an organized, long-term, international conspiracy, and hence it was
more likely that his computer would continue to contain evidence of this ongoing conduct in
December 2013. The recent login activity from the university campus, corroborated by the
confidential informant and pen trap information, supported a conclusion that McCormick
continued to be actively engaged with activities on the Darkode site and thus that evidence of
criminal conduct was still likely to be found in his dorm room. 1
In addition, “the thing to be seized”—namely, computer hardware and digital files—are
nonperishable and durable over time. Matthews, 753 F.3d at 1325. Notwithstanding the time that
had passed since some of the earliest alleged conduct, the affiant explained that computer files can
1
McCormick also argues that the information derived from the confidential informant in 2012 and 2013 fails
to support a finding of probable cause because there “are no allegations in the warrant application that during
[McCormick’s] intermittent log-ins [to Darkode in 2012 and 2013 he] was undertaking any unlawful activity.” Def.’s
Mot. at 11. To the contrary, he argues, some of the conduct alleged by the informant included McCormick writing in
a Darkode forum that he no longer “d[id] ransomware”—in other words, disclaiming ongoing criminal activity. Id.
He explains that he “did log in as an administrator [in 2013], [but] he did so because logging in was required to browse
the site and instant message with his friends.” Id. Because the more recent acts alleged in the affidavit did not amount
to allegations of new criminal conduct, McCormick argues that this information does not support probable cause for
the search warrant or otherwise revive older, stale information. Id. at 9–11.
This argument misses the point. A magistrate is not required to find that the target of a search warrant
recently committed a crime, but only that contraband or evidence of illegal conduct will be found in a particular place.
Thus, even if McCormick’s logins to Darkode in 2012 and 2013 ultimately have an innocent explanation, he still
demonstrated a long-term pattern of logging into a digital black marketplace in the role of an administrator, which
made it more likely that evidence of McCormick’s (or his co-conspirators’) illicit conduct on Darkode would be found
on McCormick’s computer in his dorm room. The magistrate could have reasonably considered this conduct—
alongside other facts alleged in Hitchcock’s affidavit—as supporting probable cause to issue the warrant.
6
be recovered years after being written, downloaded, or viewed because these files can be stored at
little or no cost, are often transferred to a new computer even if the old computer is replaced, and
can be recovered on a storage device even when they have been deleted unless overwritten with
new data. Hitchcock Aff. ¶¶ 26a–b. Further, it is reasonable to believe that a person who writes
valuable code—whether benevolent or malicious—would keep a copy of that code because of its
“enduring utility.” Matthews, 753 F.3d at 1325. The characteristics of the defendant and the place
to be searched also support a finding of probable cause. The alleged crimes were conducted
through McCormick’s computer, and McCormick was an “entrenched” college student operating
out of his “secure operational base,” see id.—that is, a dorm room where he lived, kept his
computer and other belongings, and accessed the Internet. This contrasts with a case in which the
locus of alleged criminal conduct was somewhere other than a defendant’s place of residence.
In sum, the characteristics of the crime, the defendant, the things to be seized, and the place
to be searched all support the conclusion that the information asserted in the affidavit supporting
the warrant application was not impermissibly stale, and the magistrate judge had sufficient
information to reasonably conclude that “the illegal activity, contraband, or evidence of the same
was ‘probably’ on the premises described in the warrant”—McCormick’s dorm room—at the time
the warrant issued. Id. at 1324. Because the search warrant issued on probable cause, it is valid,
and the fruits of the search will not be suppressed.
IV. REQUEST FOR A FRANKS HEARING
McCormick next raises the affidavit’s failure to note that the FBI had identified fubar as
McCormick no later than January 2011. McCormick argues that this omission was material to the
probable cause determination and amounted to “reckless disregard for the truth.” Def.’s Mot. at
7
12 (quoting Franks, 438 U.S. at 155). Accordingly, he requests a Franks hearing to investigate the
omission.
When a defendant “makes a substantial preliminary showing that a false statement
knowingly and intentionally, or with reckless disregard for the truth, was included by the affiant
in the warrant affidavit, and if the allegedly false statement is necessary to the finding of probable
cause, the Fourth Amendment requires that a hearing be held at the defendant’s request.” Franks,
438 U.S. at 155–56. The Franks standard also applies to material omissions. See United States v.
Spencer, 530 F.3d 1003, 1008 (D.C. Cir. 2008). “[A] defendant seeking to obtain a Franks hearing
must show that (1) the affidavit contained false statements or omitted certain facts; (2) the false
statements or omitted facts were material to the finding of probable cause; and (3) the false
statements or omissions were made knowingly and intentionally, or with reckless disregard for the
truth.” United States v. Ali, 870 F. Supp. 2d 10, 27 (D.D.C. 2012) (citing United States v.
Becton, 601 F.3d 588, 594 (D.C. Cir. 2010); Spencer, 530 F.3d at 1007).
McCormick argues that the affiant’s failure “to disclose that [fubar’s] identity was
uncovered years prior to the application for the search warrant,” along with selective inclusion of
other information that made it seem like the FBI had only recently identified McCormick,
constituted a material omission that likely misled the magistrate issuing the warrant. Def.’s Mot.
at 12–14. McCormick states that “[a] reviewing magistrate would presumably want to know when
the subject of a search warrant was first identified and the reasons for the subsequent delay in
requesting such a warrant.” Id. at 14. McCormick also alleges that the government officers
omitted this information with at least reckless disregard for the truth in order to “run the clock”
until McCormick “turned twenty-one years old and thus would no longer have the protections of
juvenile status.” Id. at 12, 15. Further, McCormick alleges that the affiant “focus[ed] on subpoena
8
returns in 2013 . . . [to] create[] the illusion of ‘fresh’ evidence to support the probable cause
[inquiry] and to suggest that the investigation was proceeding with an appropriate sense of
urgency” when it was not. Def.’s Reply to Gov’t’s Opp’n [ECF No. 31] at 10.
The government claims that the omission was not material to the allegations in the
application for the search warrant and had no effect on the magistrate’s probable cause
determination. Gov’t’s Opp’n at 9. Even if FBI investigators made the connection in January
2011 between fubar, McCormick’s parents’ address, and McCormick, the government contends
that more investigative work remained to be done, as it was the government’s burden not just to
show that McCormick used the alias fubar or that McCormick had logged in as fubar from his
parents’ home address in 2010, but also that “McCormick was in possession of incriminating
digital evidence” in December 2013 and that such evidence would be found in his university dorm
room. Id. at 12. “The affiant selected specific information relevant to establish probable cause to
seize particular items of digital and computer evidence,” and the government contends that the
January 2011 identification was omitted because it was not required for this purpose. Id. at 13.
The government also argues that a request for a Franks hearing should be denied where, as here,
there has been no “substantial preliminary showing that the challenged statement or omission was
essential to the magistrate’s finding of probable cause.” Id.
The Court concludes that the omitted facts were not material to the finding of probable
cause. “[O]mitted facts are only material if their inclusion in the affidavit would defeat probable
cause,” or, put differently, if “their recitation would have tipped the balance against a finding of
probable cause.” Ali, 870 F. Supp. 2d at 27 (internal quotation marks omitted) (quoting Spencer,
530 F.3d at 1007; United States v. Davis, 617 F.2d 677, 694 (D.C. Cir. 1976)). Here, the timing
of the government’s identification of McCormick as fubar, in itself, would not have weighed in
9
the magistrate’s determination of whether, given all the circumstances, there was “a fair probability
that contraband or evidence of a crime [would] be found” in McCormick’s dorm room in
December 2013. Gates, 462 U.S. at 238. When the FBI knew McCormick was fubar is not
pertinent to whether he might have evidence in his dorm room. The omitted information—that
FBI officers identified fubar as likely being McCormick in 2011, when he lived at home with his
parents, as opposed to in 2013 or at any other time—is simply irrelevant to the question whether
evidence of a crime or other contraband would be located in McCormick’s dorm room in
December 2013. 2 With or without this information, “the magistrate had a substantial basis for
concluding that probable cause existed.” Gates, 462 U.S. at 238–39 (internal quotations marks
omitted). The inclusion of information about the FBI’s identification of McCormick in January
2011, then, would not have tipped the balance against finding probable cause, so the omission of
the information was not material and a Franks hearing is not required.
* * *
McCormick’s motion to suppress evidence recovered from the December 2013 search
warrant and, in the alternative, for a Franks hearing is denied. A separate order will issue on this
date.
/s/
JOHN D. BATES
United States District Judge
Dated: August 6, 2019
2
McCormick has raised discrete legal challenges related to the government’s delay in this case through
separate motions. This opinion considers the delay only as it applies to the motion to suppress or for a Franks hearing.
10