UPDATED 8:15 a.m. Friday with press release from the Department of Justice.
Marcus Hutchins, the English security researcher who single-handedly stopped the WannaCry ransomware worm in May, was arrested last night (Aug. 2) by the FBI in Las Vegas as he was about to board a plane back to the U.K.
A grand-jury federal indictment released by the Department of Justice accuses Hutchins, 23, of developing the Kronos banking Trojan, which is unrelated to WannaCry. Hutchins and a co-defendant whose name was redacted in the indictment are accused of selling and distributing the banking Trojan in online criminal forums.
Hutchins, who as of May lived with his parents, works remotely for Kryptos Logic, a Los Angeles information-security firm. He had been in Las Vegas for the annual Black Hat and DEF CON security conferences, where he rented exotic sports cars, shot machine guns at a shooting range, met with journalists, lost his wallet and spent a night sleeping in a hotel lobby.
Accused of coding malware
The indictment, issued July 12 in U.S. District Court in the Eastern District of Wisconsin (which includes Milwaukee and Green Bay), lists six counts against Hutchins and the unnamed co-defendant, including "to knowingly cause the transmission of a program" that would "intentionally cause damage without authorization to 10 or more protected computers."
The indictment also alleges that Hutchins "created the Kronos malware," and that on July 13, 2014, "a video showing the functionality of the 'Kronos banking Trojan' was posted to a publicly available website." That video, which the indictment alleges was posted by Hutchins' unnamed co-defendant, was on YouTube until this afternoon (Aug. 3).
On that same date, Hutchins tweeted "Anyone got a kronos sample?"
Two days earlier, Trusteer, an Israeli security firm now owned by IBM, had announced the discovery of Kronos on a Russian cybercrime forum, and malware researchers were eager to get their hands on a copy.
The indictment goes on to allege that the unnamed co-defendant tried to sell the Kronos malware in August 2014; that Hutchins and the co-defendant updated the Kronos malware in January 2015; that the co-defendant advertised the Kronos malware on the dark-web AlphaBay Market in April 2015; that the co-defendant sold a version of Kronos in June 2015 "for approximately $2,000 in digital currency"; and that the co-defendant in July 2015 offered "crypting" services that would encrypt some of the malware's activities to evade detection by security software.
Last month, AlphaBay Market was suddenly shut down after its alleged creator and operator, a 26-year-old Canadian, was arrested in Thailand and died in a Bangkok jail cell. The indictment of Hutchins and his co-defendant was issued on July 11, two days before the announcement that AlphaBay had been shuttered.
Most of the activities related to the Kronos malware appear to be solely attributed to Hutchins' co-defendant; Hutchins himself is accused only of developing and updating the malware.
On his blog, Hutchins said that he did indeed create simple malware for research purposes, and released some of the code. Such activity is not unusual for legitimate malware researchers.
On his YouTube page, Hutchins demonstrated how several kinds of malware operated; again, that is not unusual.
It is possible that something that Hutchins coded made its way into legitimate malware, without his participation or knowledge. It could also be that an online criminal with a grudge may be falsely accusing Hutchins of similar activities.
"My reading of the indictment is that @MalwareTechBlog wrote some code, but everything else was done by the other guy," tweeted Rob Graham, co-founder of Errata Security in Atlanta, today (Aug. 3).
"It's not a crime to create malware. It's not a crime to sell malware," law professor Orin Kerr told Wired today. "It's a crime to sell malware with the intent to further someone else's crime. This story alone doesn't really fit."
Possible past misdeeds
Until Hutchins was unmasked by London tabloids following the WannaCry outbreak, he had enjoyed a prolific but pseudonymous life under the name MalwareTech, which he still uses today.
However, an online discussion at the developer forum YCombinator tied Hutchins to an older online handle, TouchMe, that had apparently offered to code malware in 2013, when Hutchins would have been 18 or 19.
TouchMe was the username of the author of a blog called TouchMyMalware, which, like MalwareTechBlog, researched malware from a white-hat perspective. There was also an associated Twitter account, which was later cleaned out and now directs readers to MalwareTechBlog.
All the public postings made by TouchMe and TouchMyMalware concern malware research, and the author doesn't appear to be doing anything illegal. Even the alleged offer to code malware may have been part of research.
"He may have posed as a malware author on underground forums," tweeted malware researcher Martijn Grooten, a frequent correspondent of Hutchins on Twitter, today. "Many white hat researchers do that. Not easy to prove innocence this way."
Hutchins accidentally stopped the WannaCry outbreak on May 12 when he tried to "sinkhole" one of the ransomware worm's command-and-control servers.
The ransomware was hardcoded to receive instructions from a specific web domain, which Hutchins found was unregistered. After he registered the domain and began operating a server on it to capture traffic from WannaCry, the ransomware suddenly stopped infecting Hutchins' test machines.
It turned out that WannaCry had a built-in "kill switch," possibly to prevent its discovery by malware researchers, who often perform research on isolated virtual machines that mimic the entire internet without actually being connected to it.
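The sinkhole described above, as an added example that is not Hutchins' code: a minimal HTTP server on the registered domain answers every request (which is what trips the kill switch) and records each source address, and a summary groups the check-ins per infected host. The domain name is a placeholder, since the article does not give the real one.

```python
"""Minimal sinkhole for a hardcoded malware check-in domain (added example)."""
from collections import defaultdict
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder: the article does not name the real WannaCry kill-switch domain.
SINKHOLE_DOMAIN = "killswitch-domain.example"

# In-memory log of observed check-ins: (iso_timestamp, peer_ip, host_header, path)
HITS = []

def record_hit(peer_ip, host, path, when=None):
    """Append one check-in to HITS and return the stored tuple (ISO timestamps sort as text)."""
    when = when or datetime.now(timezone.utc).isoformat()
    entry = (when, peer_ip, host, path)
    HITS.append(entry)
    return entry

def summarize(hits):
    """Group check-ins per source IP with a count and first-seen time.
    Each distinct source is a machine on which the worm ran its domain check."""
    seen = defaultdict(lambda: {"count": 0, "first_seen": None})
    for when, ip, _host, _path in sorted(hits):
        s = seen[ip]
        s["count"] += 1
        if s["first_seen"] is None:
            s["first_seen"] = when
    return dict(seen)

class SinkholeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The worm only tests whether the domain answers, so any successful
        # response stops it; logging the source is the telemetry a sinkhole exists for.
        record_hit(self.client_address[0], self.headers.get("Host", ""), self.path)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep stderr quiet; HITS is the record

if __name__ == "__main__":
    # Port 8080 for the demo; a real sinkhole listens on 80 behind the registered domain.
    HTTPServer(("0.0.0.0", 8080), SinkholeHandler).serve_forever()
```

Run it, point a test client at the host (constructed traffic, not real worm traffic) and call summarize(HITS) to see one entry per source address.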
UPDATE: The U.S. Attorney for the Eastern District of Wisconsin issued a press release concerning the case, but it doesn't say much that's new, other than that the investigation was led by an FBI cybercrime task force in Milwaukee.
Also, we forgot to credit Joseph Cox of VICE Motherboard for breaking this story. Apologies and kudos.
"It turned out that WannaCry had a built-in "kill switch," possibly to prevent its discovery by malware researchers, who often perform research on isolated virtual machines that mimic the entire internet without actually being connected to it."
So the hardcoded domain was a decoy that serves as the kill-switch if someone attempts to register and receive traffic from it?
Has anyone heard of TALPIOT?