Although the three men believed to be behind the Mariposa botnet were recently identified and arrested by Spanish authorities, it looks like they may avoid serving any jail time for their online trespasses. Spain's cybercrime laws are quite weak at the moment.

According to Brian Krebs, Captain Cesar Lorenzana, who works for the Spanish Civil Guard, explained that prison sentences typically aren't associated with deeds committed from behind a keyboard. Plus, some things simply aren't against the law.

"In Spain, it is not a crime to own and operate a botnet or distribute malware," he said. "So even if we manage to prove they are using a botnet, we will need to prove they also were stealing identities and other things, and that is where our lines of investigation are focusing right now."

Furthermore, Krebs wrote, "[T]he men are all free on their own recognizance. . . . [T]hey are free to hoover up as much stolen data as they please, as the Mariposa working group has not yet been able to shutter the Web sites that served as the repository for personal and financial data stolen from people whose systems were ensnared by the bot."

The good news is that Spain is trying to modernize its laws, so even if the Mariposa's authors get off this time, they (and/or other cybercriminals) shouldn't be in the clear forever.