Selling malware is not legal in the US, but they're not selling The Malware. The laptop was sold as an artwork project with the 6 most iconic malware, all in a live environment. The device was sold Air-gapped.
Airgapped Samsung NC10-14GB 10.2-Inch Blue Netbook (2008), Windows XP SP3, 6 pieces of malware, power cord, restart script, malware
Terms of sale:
The sale of malware for operational purposes is illegal in the United States. As a buyer you recognize that this work represents a potential security hazard. By submitting a bid you agree and acknowledge that you’re purchasing this work as a piece of art or for academic reasons, and have no intention of disseminating any malware. Upon the conclusion of this auction and before the artwork is shipped, the computer’s internet capabilities and available ports will be functionally disabled.
ILOVEYOU
The ILOVEYOU virus, distributed via email and file sharing, affected 500,000+ systems and caused $15B in damages total, with $5.5B in damages being caused in the first week.
MyDoom
MyDoom, potentially commissioned by Russian e-mail spammers, was one of the fastest spreading worms. It's projected that this virus caused $38B in damages.
SoBig
SoBig was a worm and trojan that circulated through emails as viral spam. This piece of malware could copy files, email itself to others, and could damage computer software/hardware. This piece of malware caused $37B in damages and affected hundreds of thousands of PCs.
WannaCry
WannaCry was an extremely virulent ransomware cryptoworm that also set up backdoors on systems. The attack affected 200,000+ computers across 150 countries, and caused the NHS $100M in damages with further totals accumulating close to $4B.
DarkTequila
A sophisticated and evasive piece of malware that targeted users mainly in Latin America, DarkTequila stole bank credentials and corporate data even while offline. DarkTequila costed millions in damages across many users.
BlackEnergy
BlackEnergy 2 uses sophisticated rootkit/process-injection techniques, robust encryption, and a modular architecture known as a "dropper". BlackEnergy was used in a cyberattack that prompted a large-scale blackout in Ukraine in December 2015.
According to ArtNet, the project cost around $10,000 to bring to fruition with the bulk of the expenses chalked up to taking measures to ensure the computer was completely air-gapped. While making sure that a computer is never connected online should be a relatively cheap procedure, if not free, we’ll take their word for it. [..]
[..] Jonathan Kaftzan, a Deep Instinct spokesperson told Gizmodo the company does not know the identity of the winner, but the company is amazed at the price. He clarified that since all the malware in the computer is old, there is “no chance that it would cause any harm” as available virus protection safeguard against these threats.