by tptacek 3243 days ago
"White hats" do not in fact routinely sell software intended almost solely to harvest financial information from botnets.

People on this thread have a lot of strange ideas about what infosec people do in their jobs.


> "White hats" do not in fact routinely sell software intended almost solely to harvest financial information from botnets.

The indictment doesn't allege that the defendant sold it, only that he wrote it and someone else sold it.

And as you know, white hats create proof of concept code all the time. And give it to various people (including, in the end, anyone) for various meritorious reasons.

For the Nth time in this thread: watch the video of the software we're talking about. "White hats" do not build things like that all the time.

So, to make an analogy representing your position:

Watch the video of this horrendous deadly baseball bat attack. Baseball players do not bludgeon people to death with bats all the time. Therefore, baseball players should never worry that they might be falsely accused of an attack. Oh, and the crime was horrible, so that means the evidence must be pretty good. Q.E.D.

That's not analogous as the bat was not developed for bludgeoning. This was software designed to steal money / cause issues regardless of who sold it. I don't know anyone in infosec that regularly creates fully functional and marketable platforms. It's also different than exploit proof of concepts, as again, this is designed to steal.

We don't know that he created the malware. He is accused of creating it. How hard is it to understand the difference between being accused and being guilty? It's been explained to death here that they are not the same thing.

You are suggesting he spent time and energy to build a proof of concept whose explicit task was to demonstrate banking theft from browsers, and he chose to never release it but keep it secret, and a friend decided to sell it on the dark web?

And as a malware researcher when he became aware that his proof of concept was indeed being used to conduct fraud, he turned a blind eye?

None of that sounds particularly implausible, to be honest. People build proof-of-concepts for their own amusement. If there's no unique vulnerability to be patched, there's no value to releasing it. People share things with their friends, who are sometimes unscrupulous. And if I found out that software I wrote was being used maliciously, I'm not so sure that my first email would be to the FBI either - especially after this.

The least plausible part of this chain of events is that Kronos, from what I can see, is not a very interesting piece of software - more a tedious exercise in plumbing than an interesting proof-of-concept.