He's selling the domain through an auction/resale service [1], so any question of "aiding and abetting" goes to them, not him. At the high end, these services have extensive anti-fraud and anti-money-laundering checks (speaking from personal experience working for a small registrar), so the question of direct liability is pretty well covered.
Otherwise, you end up with a world where anyone who comes into possession of a dangerous item is obligated to potentially keep it forever and force all of their descendants to keep it forever.
The keyword is "knowingly". He's clearly well aware of the security risks and is doing his best to keep it safe (including asking Microsoft to acquire it for 10% of the revenue they make in an hour).
Yes, you're right, that is the keyword. This article, and statements like the following, make it perfectly clear that if he follows through on his threat he will be knowingly aiding criminals.
> O’Connor said he hopes Microsoft Corp. will buy it, but fears they won’t and instead it will get snatched up by someone working with organized cybercriminals or state-funded hacking groups bent on undermining the interests of Western corporations.
A person can be reasonably confident that their immediate sale of an item is going to go to someone who will use it responsibly... while still worrying about its disposition five or ten years down the line. (Microsoft has already let this problem sit for 26 years, after all.) That still doesn't mean the person has any particular legal or moral responsibility to monitor their original customer indefinitely just because there's a future risk.
That neither is a threat nor proves that he knows anything about the buyer being a criminal. He's only worried about that possibility, which is a good thing considering he has been a good steward of the domain this whole time.