I would draw the line at the malware author helping users of it use stolen data: https://github.com/Blank-c/Blank-Grabber/issues/359

That's how they nailed the nanocore author. He didn't just write a RAT, he supported it.

Lots of these issues don't mention hacking their own devices but rather someone else's (and some are from obvious script kiddies). I don't think the claim of being an educational purpose tool really holds merit in this case.

I would understand the first definition if not for the fact that these pieces of software under the topic really don't have any legitimate usage in my opinion. Unless you're explicitly making the argument that the code is the important part (& should be kept on GitHub for the purpose of disseminating the programming methods used to create it, despite their purpose), I just think that GH is being used as a 'download link' if not an aggregator for projects like these. And, they're used for the express purpose of infecting other machines, presumably of people who are none the wiser

I would argue that pretty much any type of malware can at the very least be used legitimately in penetration testing, and probably is.

Sure, but I would be willing to make the argument that the net benefit you'd get from the maybe one or two people willing to genuinely examine the project's internals is hugely outnumbered by the measurably thousands who want to ruin someone's life

I don't work in the sector, but my imagination always figured that those one-or-two people would not-infrequently happen to be those (possibly actual r7) devs that write metasploit modules to arm all-colored hats.

You don't need to steal crypto wallets and credit card info in a pentest because it's a crime. Unless you argue some companies store crypto wallets and credit card info that belong to the company on computers and that is why all these people are writing stealers? Lol

Is it a crime to steal a crypto wallet. Razzlekhan and hubby were convicted of money laundering with the latter also being charged with hacking BitFinex.

Crypto has financial value, taking something of value that belongs to others is theft.

I'm not sure the legal system is ready for charging for crypto "theft". What if the unimaginable happens and there's a private key collision that results in two owners ... If they both use the account without noticing the other but one eventually closes the account, is that still theft?

It's pretty clear when an account or computer is hacked and yet neither razz or hubby were charged with theft ... Hubby essentially got convicted of tax evasion like a '30s gangster.

You'd be surprised. The law isn't rigid like computer code . The intent and mindset of the defendant is all that gets prosecuted. If you can convince the jury the perp intended to gain money by accessing that information, it could be a spreadsheet for all they care. It is both theft and a violation of CFAA.

IANAL

But you can include such attacks, to see if it really works. But sure, that is more of a theoretical point.

But breaking the law can never be part of the rules of engagement when the company doesn't have authority to give you permission to do something (take an employees financial property).

Company laptops can also have discord or (more rarely) crypto accounts and a succesful(or unseccesful) pentesting would be taking them over.