Inside the ‘Dead‑Man Switch’: How a 55‑Year‑Old Engineer Sabotaged Eaton’s Servers

A 55‑year‑old programmer at Eaton embedded a malicious Java loop that monitored his Azure AD account and, once the account was disabled after his layoff, triggered endless thread creation that crashed servers and blocked thousands of employees from logging in, leading to a costly legal case.

Java Tech Enthusiast

David Lu, a 55‑year‑old programmer from Houston, worked at Eaton Power Management from November 2007 until October 2019. During a 2019 corporate restructuring he was demoted and his server access rights were reduced.

Anticipating possible termination, on August 9, 2019 he wrote malicious Java code that, when executed, creates an infinite loop of non‑terminating threads that exhaust hardware resources, causing the target server to crash and preventing employee logins.

55‑year‑old programmer left a dead‑man switch in the project before being laid off; the malicious code activates when his account is disabled

The code monitors Lu’s Microsoft Azure Active Directory (AAD) account. When the AAD account is disabled—effectively after his layoff on September 9, 2019—the code automatically activates, launching a destructive attack on Eaton’s employee systems.

The payload was named IsDLEnabledinAD, indicating whether Lu’s AAD account is enabled. He called the malicious program Hakai (Japanese for “destruction”) and another component Hunshui (Chinese for “sleep”).
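An offboarding review can look for this kind of account-keyed trigger before the account is disabled. The following is an added example, not code from the case or from Eaton: a Python scan that flags source lines naming a departing user's account near a directory account-status lookup. The account names, file paths, Java fragments and hint lists are constructed assumptions.

```python
import re

# Tokens that suggest a directory account-status lookup. userAccountControl (AD LDAP),
# accountEnabled (Azure AD) and sAMAccountName are real attribute names; the rest of
# both hint lists are heuristic assumptions made for this example.
DIRECTORY_HINTS = re.compile(
    r"userAccountControl|accountEnabled|sAMAccountName|DirContext|ldap|EnabledinAD", re.I)
# Java constructs that start threads or processes (the impact described in the article).
IMPACT_HINTS = re.compile(r"new\s+Thread|ExecutorService|Runtime\.getRuntime")

def find_identity_triggers(sources, identifiers, window=3):
    """Flag lines naming a departing user's account near a directory lookup.

    sources maps path -> source text; identifiers are that user's account names.
    Returns (path, line_no, identifier, severity); severity is "high" when a
    thread/process-spawning token sits within `window` lines, else "review".
    """
    names = "|".join(re.escape(i) for i in identifiers)
    id_re = re.compile(r"(?<!\w)(" + names + r")(?!\w)", re.I)
    findings = []
    for path, text in sorted(sources.items()):
        lines = text.splitlines()
        for i, line in enumerate(lines):
            match = id_re.search(line)
            if not match:
                continue
            context = "\n".join(lines[max(0, i - window): i + window + 1])
            if DIRECTORY_HINTS.search(context):
                severity = "high" if IMPACT_HINTS.search(context) else "review"
                findings.append((path, i + 1, match.group(1).lower(), severity))
    return findings

# Constructed sample input: hypothetical paths, account names and Java fragments.
SAMPLE_SOURCES = {
    "auth/Lookup.java": 'ctx.search(base, "(sAMAccountName=svc-build)", controls);\n',
    "build/Deploy.java": "// author: dlu\nint retries = 3;\n",
    "ops/Report.java": 'String owner = "david.lu"; // shows accountEnabled in report\n',
    "sync/AccountCheck.java": (
        "// constructed fragment, not code from the case\n"
        'boolean enabled = IsDLEnabledinAD("dlu");\n'
        "if (!enabled) {\n"
        "    new Thread(worker).start();\n"
        "}\n"),
}

if __name__ == "__main__":
    for finding in find_identity_triggers(SAMPLE_SOURCES, ["dlu", "david.lu"]):
        print(finding)
```

A bare author comment and a lookup for an unrelated service account are not flagged; only a named account that sits next to a directory-status check is reported.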

Once triggered, thousands of Eaton employees were blocked from logging into the internal network, resulting in tens of thousands of dollars in losses. Eaton’s security team quickly traced the source code to an internal development server that only Lu could access.

Further investigation revealed that on the day he returned his company laptop, Lu deleted a large amount of encrypted data, attempted to remove Linux OS directories and two project codebases, and searched for methods to elevate privileges, delete files, and hide processes. He admitted responsibility on October 7, 2019 but denied intentional sabotage; he now faces up to ten years in prison.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.