FBI Arrests Marcus Hutchins, Who Stopped WannaCryHutchins, aka "MalwareTech," Accused of Creating Kronos Banking Malware
Many in the information security community have reacted with shock over the arrest of 23-year-old British citizen Marcus Hutchins, aka "MalwareTech."
See Also: Threat Briefing: Ransomware
Hutchins was arrested Wednesday at the airport in Las Vegas by the FBI, as he attempted to return to Britain. He had been attending the annual Black Hat and Def Con information security conferences, although not presenting research at either event.
On Friday, Hutchins' attorney indicated he planned to enter a not guilty plea.
The arrest of Hutchins was an unexpected turn after he singlehandedly defused the WannaCry malware outbreak in May, after accidentally registering a domain name referenced in the malicious code. The move earned him folk hero status, not least because he'd apparently helped avert a ransomware disaster for Britain's National Health Service. Hutchins, however, referred to himself as an "accidental hero" and said he'd preferred operating as an anonymous security researcher.
A six-count indictment, filed July 11, charged Hutchins and another, unnamed defendant - apparently based in Wisconsin - with various crimes associated with the Kronos banking Trojan.
The U.S. Department of Justice says in a statement: "Marcus Hutchins ... a citizen and resident of the United Kingdom, was arrested in the United States on 2 August, 2017, in Las Vegas, Nevada, after a grand jury in the Eastern District of Wisconsin returned a six-count indictment against Hutchins for his role in creating and distributing the Kronos banking Trojan."
The Justice Department says the case was investigated by the Milwaukee-based FBI cyber squad and that "the charges against Hutchins, and for which he was arrested, relate to alleged conduct that occurred between in or around July 2014 and July 2015." It adds that Kronos has been used to exfiltrate victims' online banking credentials not just in the United States but also such countries as Canada, France, Germany, Poland, and the United Kingdom. In addition, it says the malware has been distributed via phishing campaigns, for example via the Kelihos botnet in late 2016.
British authorities have confirmed Hutchins' arrest. "We are aware a U.K. national has been arrested but it's a matter for the authorities in the U.S.," a spokesman for Britain's National Crime Agency tells Information Security Media Group.
"We are in contact with the local authorities in Las Vegas following the arrest of a British man, and are providing support to his family," a spokeswoman for the British Foreign Office tells ISMG.
Hutchins appeared Thursday before U.S. Judge Nancy Koppe. A federal public defender, Dan Coe, told the court that Hutchins "had cooperated with the government prior to being charged," Reuters reports.
Koppe ordered Hutchins' hearing to reconvene Friday, to give the defendant time to retain defense counsel; he was detained overnight.
Non-profit digital rights group Electronic Frontier Foundation said it was attempting to make contact with the detained information security researcher. "This is the sort of thing that concerns us a lot," the organization said in a statement.
Hutchins is an employee of attacker intelligence and information sharing platform provider Kryptos Logic. Officials at the company, which has not made any public statements in relation to his arrest, could not be immediately reached for comment.
Some legal experts have expressed concern at Hutchins apparently having spoken to the FBI without a lawyer present.
His mother, Janet Hutchins, tells the BBC that it is "hugely unlikely" that the charges are valid, given that her son has spent "enormous amounts of time and even his free time" battling malware.
A regular on Twitter, Hutchins' tweets abruptly ceased on Wednesday.
News of Hutchins' arrest was first reported by the security site Motherboard.
Kronos Banking Trojan
The indictment accuses a co-defendant - who has not been named - of having advertised and sold the Kronos banking Trojan, at least once, for $2,000 via the AlphaBay darknet marketplace.
John Miller, senior manager of analysis at cybersecurity firm FirEye, says that his firm "observed Kronos being advertised on an established Russian cybercriminal forum by the actor 'VinnyK' in June 2014." But it's not clear if that actor might be the unnamed co-defendant.
Hutchins, meanwhile, has been accused of helping to create Kronos.
Numerous details relating to the case have yet to come to light. But many in the security community have reacted with surprise over the indictment of Hutchins on charges of creating malware, since his job is to track and investigate malware, and help others stop it. The indictment's linking of Hutchins to the Kronos malware - heavily researched by the security community - also remains an open question.
"Kronos is a Russian banking trojan, for info," says British security researcher Kevin Beaumont on Twitter. "It looks like the U.S. justice system has made a huge mistake."
Kronos is a banking BOTNET. MalwareTech's business is *tracking* botnets.— Kevin Beaumont (@GossiTheDog) August 3, 2017
Kronos was first spotted in 2014, when IBM found the attack toolkit for sale on Russian underground forums. The malware is designed to intercept and exfiltrate details relating to victims' online bank accounts. Such information would typically then be used by cybercriminals to drain bank accounts, and stolen data might also be resold on darknet marketplaces.
Shortly after the discovery of Kronos, Hutchins appears to have begun researching the malware, as on July 13, 2014, he requested a sample. Such requests are not uncommon for security researchers who study malware, to help them analyze how it works, as well as how it might be tracked and blocked.
Anyone got a kronos sample?— MalwareTech (@MalwareTechBlog) July 13, 2014
In his spare time, in fact, Hutchins built and maintained a site devoted to tracking botnets built from malware-infected PCs.
Indictment Cites AlphaBay
The indictment may be based in part on information obtained via the recent takedown of the darknet marketplace AlphaBay, which advertised everything from counterfeit items and stolen payment card data to drugs and malware.
The shuttering of AlphaBay occurred on July 5, the same day that suspected AlphaBay mastermind, Alexandre Cazes, 26, was arrested at his home in Thailand.
In a raid on Cazes' residence that also involved the FBI, law enforcement agents successfully seized Cazes' laptop in an open and unencrypted state, no doubt enabling them to amass evidence on AlphaBay's vendors and buyers. Cazes later died in a Thai jail cell, apparently after taking his own life (see One Simple Error Led to AlphaBay Admin's Downfall).
Security experts say Hutchins may very well have represented himself as a malware author to others, on underground forums. Many white hat - aka "good guy" - security researchers often do so, in part to trick the "bad guys" into sharing virus samples, says Martijn Grooten, a security researcher and the editor of Virus Bulletin, on Twitter.
He'll may have posed as a malware author on underground forums. Many white hat researchers do that. Not easy to prove innocence this way.— Martijn Grooten (@martijn_grooten) August 3, 2017
Attorneys Skeptical of Charges
Based on the indictment, some cybersecurity attorneys have questioned the prosecutorial logic behind the charges against Hutchins, and warned of the stifling effect that it could have on information security research.
"I can think of a number of examples of legitimate software that would potentially be a felony under this theory of prosecution," attorney Tor Ekeland told BBC Radio 4's Today show. Ekeland says the charges filed against Hutchins carry a statutory maximum sentence of 40 years in prison.
Attorney Orin Kerr, an expert on criminal procedure and computer crime law, says the case "raises an interesting legal question: Is it a crime to create and sell malware?"
In terms of Hutchins and his alleged actions, Kerr says it's not clear that the case would succeed, in part because the government would have to prove that Hutchins and his co-defendant created and sold malware with the intent to cause damage to a computer or compromise data. "Just based on a first look at the case, my sense is that the government's theory of the case is fairly aggressive," he writes in the Washington Post.
"The indictment is pretty bare bones, and we don't have all the facts or even what the government thinks are the facts," he writes. "So while we can't say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case."