Fired Developer Sentenced to Four Years for Using Kill-Switch Malware as Revenge

A Chinese software developer has been jailed in the United States after planting malicious code in the employer’s computer systems, causing a complete shutdown.

Revenge turns into prison time

A Chinese software developer has been sentenced to four years in federal prison after he installed a “kill-switch” in the corporate network of his former employer. The attack crippled company systems worldwide in 2019.

According to the US Department of Justice, Davis (David) Lu, 55, from Houston, Texas, planted malicious code inside Eaton Corporation’s systems after he was demoted and eventually suspended from his job.

From demotion to sabotage

Court documents showed that Lu’s issues with the company began in 2018, when Eaton changed his responsibilities. In retaliation, Lu used his developer access to insert malicious Java code into the production environment.

His methods included:

• Infinite loops that caused servers to crash by exhausting resources.
• Profile deletions on Active Directory accounts belonging to colleagues.
• A “kill switch” logic bomb coded under the name “IsDLEnabledinAD” — shorthand for “Is Davis Lu enabled in Active Directory?”.

The kill switch was built in such a way that it would automatically activate if Lu’s access was revoked. When Eaton fired him on Sept. 9, 2019, and disabled his corporate account, the malware detonated.

The result was immediate: thousands of employees worldwide were locked out of systems, critical servers crashed, and operations suffered hundreds of thousands of dollars in damages.

Caught by hubris

“On the day he was directed to turn in his company laptop, Lu deleted encrypted data,” said the Department of Justice in a press release. “His internet search history revealed he had researched methods to escalate privileges, hide processes, and rapidly delete files, indicating an intent to obstruct the efforts of his co-workers to resolve the system disruptions. Lu’s employer suffered hundreds of thousands of dollars in losses as a result of his actions.”

The conspicuous name of his malware, directly referencing his own Active Directory account, provided prosecutors with what one cybersecurity analyst called “a digital smoking gun.” Lu was arrested in October 2019.

In March 2025, a federal jury convicted him of intentionally damaging protected computers. He was sentenced to four years in prison followed by three years of supervised release.