Euro Security Watch with Mathew J. Schwartz


Case Against Marcus 'MalwareTech' Hutchins Gets 'Complex'

Judge Waives 'Speedy Trial' as Defense Seeks Time to Review Evidence

Status update for the case against Marcus Hutchins: "complex."


On Wednesday, Hutchins' attorneys - Brian Klein and Marcia Hoffman - agreed with Assistant U.S. Attorney Michael Chmelar, who's prosecuting the case of alleged banking malware development and sale, that it should be designated as complex.


As described in court minutes, Federal Magistrate Judge Nancy Joseph agreed as well. "Based on the information presented here, the nature of the charges, the nature and amount of the discovery, the fact that discovery is coming from multiple sources and the fact that some of the information may need independent testing/review, the court will designate this matter complex."

"United States v. Marcus Hutchins" court minutes, dated August 23.

That means that at least for this stage of the proceedings, the trial is exempt from the Speedy Trial Act, which requires that a defendant be brought to trial within 70 days of the date on which they were indicted or arraigned - whichever is later. Otherwise, the indictment must be dismissed.

Hutchins, 23, uses the handle MalwareTech online. He was arrested by the FBI last month in Las Vegas and charged with developing the Kronos banking Trojan. He faces up to 40 years in prison if convicted of all charges filed against him. Hutchins is the "accidental hero" who stopped WannaCry, after he registered a nonsensical domain that he found in the code (see WannaCry 'Accidental Hero' Denies FBI Charges).

Hutchins was arraigned August 14 at a federal court in Wisconsin, where he pleaded not guilty. Under speedy-trial guidelines, his trial would have had to begin by October 23.

The defense sought time to review evidence shared this week by prosecutors. "The parties agree that the case should be designated as complex," according to the court minutes. "Information is still being obtained from multiple sources. The issues are complex. The defendant requests 45-60 days in which to review the discovery."

The next date set by the court in relation to his case is October 13, when the defense and prosecution are due to submit a proposed schedule for the trial to the judge.

Evidence Includes Chats, Malware Samples

This week, prosecutors shared evidence with the defense, including statements made by Hutchins after he was arrested, as well as a CD containing two audio recordings from a county jail in Nevada where he was apparently detained by the FBI. "The government is awaiting a written transcript from the FBI," according to court minutes.

In addition, the government submitted to the court:

  • "150 pages of Jabber chats between the defendant and an individual (somewhat redacted);
  • Business records from Apple, Google and Yahoo;
  • Statements (350 pages) by the defendant from another internet forum, which were seized by the government in another district;
  • Three to four samples of malware;
  • A search warrant executed on a third party, which may contain some privileged information."

The indictment against Hutchins was filed in Wisconsin federal court, for as-yet-unknown reasons. The name of a co-defendant has been redacted from the indictment against him.

Hutchins' attorneys have objected to parts of the six-count indictment being redacted.

In a potential slipup, documents indexed online on PACER - short for Public Access to Court Online Records, which is a repository for documents related to U.S. federal court cases - this month referred to the case as "2:17-cr-00124-JPS-NJ All Defendants USA v. Tran et al."

In other words, the surname of Hutchins' co-defendant may be Tran.

Following his not-guilty plea, Hutchins was granted bail after posting a $30,000 bond and also allowed back online. He's allowed to travel between Milwaukee and Los Angeles, where his employer, Kryptos Logic, is based.

Prepare for Independent Testing

For a case involving a banking Trojan that's been tied to the Russian cybercrime underground and a seller nicknamed "VinnyK," and which will require extensive digital forensic analysis, "complex" may be an understatement.

"The most interesting detail here is that independent testing may be required," journalist Marcy Wheeler, who posts online as "emptywheel," says of the court minutes. "Probably - especially given researchers are already raising doubts - Hutchins' lawyers are going to get outside experts to check the government claims that the code sold in Kronos came from Hutchins," she adds (see Report: British Officials Knew of Marcus Hutchins Arrest).

It also remains to be seen how the government plans to prove that Hutchins wrote and sold the Kronos banking Trojan. And the government may need to submit more malware samples to bolster its claims. "At a minimum, the government needs three pieces of malware: Kronos before Hutchins allegedly updated it, Kronos after he did, and the version of Kronos that got sold," Wheeler says in her blog post.

"Apparently, the government hasn't decided how many versions they'll give the defense," she says. "And all that still leaves the question of victims; to prove that anything Hutchins did affected any Americans they might need more malware."

'Don't Talk About Your Case'

Hutchins, a British national, could not be reached for comment on the charges filed against him. Since being detained in the United States, he's continued to regularly document his life via Twitter. But he's also noted that his legal team vets all his tweets before they get posted, and that he's prohibited from discussing the case.

"Daily life of someone who's just unwillingly moved out of parents house and to another country with no id or house would make a great blog," Hutchins wrote in a Sunday tweet from Los Angeles. "Unfortunately it probably overlaps with the rule of 'don't talk about your case.'"



About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



