After Six Years, Two Pentesters Arrested in Iowa Receive $600,000 Settlement (desmoinesregister.com)
(Sunday February 08, 2026 @05:06PM (EditorDavid)
from the who-watches-the-watchmen dept.)
- Reference: 0180757864
- News link: https://it.slashdot.org/story/26/02/08/1933223/after-six-years-two-pentesters-arrested-in-iowa-receive-600000-settlement
- Source link: https://www.desmoinesregister.com/story/news/local/dallas-county/2026/01/28/dallas-county-security-testers-settlement/88365019007/
"They were crouched down like turkeys peeking over the balcony," the county sheriff [1]told Ars Technica. A half hour past midnight, they were skulking through a courthouse in Iowa's Dallas County on September 11 "carrying backpacks that remind me and several other deputies of maybe the pressure cooker bombs." More deputies arrived...
> Justin Wynn, 29 of Naples, Florida, and Gary De Mercurio, 43 of Seattle, slowly proceeded down the stairs with hands raised. They then presented the deputies with a letter that explained the intruders weren't criminals but rather penetration testers who had been hired by Iowa's State Court Administration to test the security of its court information system. After calling one or more of the state court officials listed in the letter, the deputies were satisfied the men were authorized to be in the building.
But Sheriff Chad Leonard had the men arrested on felony third-degree burglary charges (later reduced to misdemeanor trespassing charges). He told them that while the state government may have wanted to test security, "The State of Iowa has no authority to allow you to break into a county building. You're going to jail."
More than six years later, [2]the Des Moines Register reports:
> Dallas County is paying $600,000 to two men who sued after they were arrested in 2019 while testing courthouse security for Iowa's Judicial Branch, their lawyer says.
>
> Gary DeMercurio and Justin Wynn were arrested Sept. 11, 2019, after breaking into the Dallas County Courthouse. They spent about 20 hours in jail and were charged with burglary and possession of burglary tools, though the charges were later dropped. The men were employees of Colorado-based cybersecurity firm Coalfire Labs, with whom state judicial officials had contracted to perform an analysis of the state court system's security. Judicial officials [3]apologized and faced legislative scrutiny for how they had conducted the security test.
>
> But even though the burglary charges against DeMercurio and Wynn were dropped, their attorney previously said having a felony arrest on their records made seeking employment difficult. Now the two men are to receive a total of $600,000 as a settlement for their lawsuit, which has been [4]transferred between state and federal courts since they first [5]filed it in July 2021 in Dallas County. The case had been scheduled to go to trial Monday, Jan. 26 until the parties notified the court Jan. 23 of the impending deal...
>
> "The settlement confirms what we have said from the beginning: our work was authorized, professional, and done in the public interest," DeMercurio said in a statement. "What happened to us never should have happened. Being arrested for doing the job we were hired to do turned our lives upside down and damaged reputations we spent years building...."
>
> "This incident didn't make anyone safer," Wynn said. "It sent a chilling message to security professionals nationwide that helping government identify real vulnerabilities can lead to arrest, prosecution, and public disgrace. That undermines public safety, not enhances it."
County Attorney Matt Schultz said dismissing the charges was the decision of his predecessor, according to the newspaper, and that he believed the sheriff did nothing wrong.
"I am putting the public on notice that if this situation arises again in the future, I will prosecute to the fullest extent of the law."
[1] https://arstechnica.com/information-technology/2019/11/how-a-turf-war-and-a-botched-contract-landed-2-pentesters-in-iowa-jail/
[2] https://www.desmoinesregister.com/story/news/local/dallas-county/2026/01/28/dallas-county-security-testers-settlement/88365019007/
[3] https://www.desmoinesregister.com/story/news/crime-and-courts/2019/10/04/iowa-supreme-court-justice-cady-apologizes-courthouse-break-ins-senate-polk-dallas-burglary-ia-cyber/3864938002/
[4] https://www.desmoinesregister.com/story/news/crime-and-courts/2023/09/29/iowa-sheriff-qualified-immunity-arresting-courthouse-security-testers/70991439007/
[5] https://www.desmoinesregister.com/story/news/crime-and-courts/2021/08/01/arrested-coalfire-security-testers-2019-file-dallas-county-iowa-courthouse-lawsuit/5431611001/
Dupe (sorta). Listen to their own words (Score:4, Informative)
by gardyloo ( 512791 )
[1]https://darknetdiaries.com/epi... [darknetdiaries.com]
[1] https://darknetdiaries.com/episode/59/
This story again? But sheriff is still a moron (Score:2)
by haruchai ( 17472 )
original /. post - [1]https://it.slashdot.org/story/... [slashdot.org]
[1] https://it.slashdot.org/story/26/01/29/2147207/county-pays-600000-to-pentesters-it-arrested-for-assessing-courthouse-security
Re: (Score:2)
by GooberPyle ( 9014301 )
Nothing happens to Sheriff Chad Leonard and the taxpayers pay.
jobs should not be allowed to look at arrest on th (Score:2)
by Joe_Dragon ( 2206452 )
jobs should not be allowed to look at arrest on their records even more so when cases dropped / not guilty
Prosecute what? (Score:3)
He will "prosecute to the fullest extent of the law" legal, authorized pentesting?? How's that going to work?
Re: (Score:2)
Poorly, presumably.
Re: Prosecute what? (Score:5, Informative)
Not to mention, the Sheriff (and, for that matter, the new prosecutor) doesn't seem to realize that counties are subagencies of the state they are in, and the state government absolutely does have the power to authorize access to the county's buildings.
It doesn't work the way the federal/state distinction does, where each level of government derives its power from a different source. Counties have -only- the authority explicitly delegated to them by the states they are part of.
Of course, State and Local Government is mystifyingly one of the least popular elective courses taught at most law schools, let alone criminal justice programs, so no big surprise there.
Re: (Score:2)
> I am putting the public on notice that if this situation arises again in the future, I will prosecute to the fullest extent of the law.
And it will, but next time it will be real hackers, since you are clueless about security.
Re: Prosecute what? (Score:2)
Seems pretty stupid to double down on pissing off people who are effectively godlike wizards who can eat your entire life's data with ketchup before breakfast
but you may need to talk in the way that a jury c (Score:2)
but you may need to talk in the way that a jury can understand
Re: Prosecute what? (Score:4, Interesting)
And it's actually more straightforward with courts. The systems for courts are regulated at the state level, even for county and municipal courts, at least in my state. That means pretty strict compliance with state-level rules and regulations and authorization by state-level officials for things like auditing and inspection. If a lower court fails to comply, that state entity can compel that lower level jurisdiction to install an entirely segregated computer network entirely air-gapped to the local entity's LAN, meaning that court employees would have to shuttle data between their local org's PC and the court PC, with the court PC connected to a court access switch and court firewalling router with a court private network link back to state resources. And historically they've been very behind the times, still using friggin' T1 lines in the 2020s, where 1.544Mb will cost as much as a 10Gb metro ethernet circuit.
State courts allow local entities to have court PCs that can be on the local org's network with connectivity back to court resources without that special air-gapped network only if the local org accepts auditing and building that connection out to specifications. Pen testing is not an unreasonable thing to do, and if it's too easy to break into the building to gain access to PCs or network equipment and too easy to get onto the court's network then there's going to be a problem.
Re: Prosecute what? (Score:1)
I can imagine Dallas County's IT staff will be reading these comments. They should all find employment elsewhere and leave on the same day. Why would you work for a government who prosecutes you for doing your job as instructed? That's insane
Re: (Score:2)
Current administration policy seems to be shoot first ... I was going to say ask questions later, but not really. More along the lines of postmortem character assassination to justify excessive force.
Re:Prosecute what? (Score:5, Informative)
Worth noting that Sheriff is an elected position and has no obligation to even know the law, as Republican Chad Leonard definitely proved he didn't.
Re: (Score:2)
Why in the holy fuck is a judicial position at all an elected one?
These officials should be following the law, not following the whimsical needs of an electorate. There is no way anyone from the lowest police officer to the highest judge should be held to an electorate's position on anything.
The electorate should be able to vote the people in to change the laws, they shouldn't be able to vote people in who enforce the laws. Enforcement of the law should be entirely blind - if the electorate want a law to no
Re: (Score:2, Insightful)
MAGA is gonna MAGA and they'll be wrong every single time.
ding someone for going out/over/off scope but the (Score:2)
ding someone for going out/over/off scope but the scope is changed / written by non tech staff so it's not that clear on all part.
Re: (Score:2)
"If you continue to behave lawfully, we will continue to arrest you!"
alrightie then.
Re: (Score:3)
From what I've read, it may not have been properly authorized, and that's the problem. Someone in government did authorize it, just the dispute was it the right government agency that authorized it. As an analogy, if the owner of an office building authorizes an intrusion attempt, that doesn't give you the authority automatically to intrude on particular businesses in that building, and obviously vice versa. Now, I can speak to the actual circumstance, mostly because it never went to court to actually de
Re: (Score:2)
> From what I've read, it may not have been properly authorized, and that's the problem. Someone in government did authorize it, just the dispute was it the right government agency that authorized it. As an analogy, if the owner of an office building authorizes an intrusion attempt, that doesn't give you the authority automatically to intrude on particular businesses in that building, and obviously vice versa. Now, I can speak to the actual circumstance, mostly because it never went to court to actually determine that, but that's the issue at hand.
That's a weak analogy. County governments are delegated responsibility by the state. So in the corporate world, this is the criminal equivalent of Alphabet CEO Sundar Pichai authorizing a pentest and YouTube's lawyers suing the pentesters even after being shown the paperwork, solely because their CEO didn't sign the paperwork.
Re: (Score:2)
The way it worked here. The fullest extent of the law is that charges get dropped and people get a settlement payment.