Probably depends on criminal code a country. Mine does (EU country):
> Section 231 Obtaining and Possession of Access Device and Computer System Passwords and other such Data
> (1) Whoever with the intent to commit a criminal offence of Breach of secrecy of correspondence [...] or a criminal offence of Unauthorised access to computer systems and information media [...] produces, puts into circulation, imports, exports, transits, offers, provides, sells, or otherwise makes available, obtains for him/herself or for another, or handles
> a) a device or its component, process, instrument or any other means, including a computer programme designed or adapted for unauthorised access to electronic
communications networks, computer system or a part thereof, or
> b) a computer password, access code, data, process or any other similar means by which it is possible to gain access to a computer system or a part thereof,
shall be sentenced .. (1 year as an individual, 3 years as a member of a organized group)
> Section 231 Obtaining and Possession of Access Device and Computer System Passwords and other such Data
> (1) Whoever with the intent to commit a criminal offence of Breach of secrecy of correspondence [...] or a criminal offence of Unauthorised access to computer systems and information media [...] produces, puts into circulation, imports, exports, transits, offers, provides, sells, or otherwise makes available, obtains for him/herself or for another, or handles
> a) a device or its component, process, instrument or any other means, including a computer programme designed or adapted for unauthorised access to electronic communications networks, computer system or a part thereof, or
> b) a computer password, access code, data, process or any other similar means by which it is possible to gain access to a computer system or a part thereof,
shall be sentenced .. (1 year as an individual, 3 years as a member of a organized group)