Just three short months ago, security researcher Marcus Hutchins entered the pantheon of hacker heroes for stopping the WannaCry ransomware attack that ripped through the internet and paralyzed hundreds of thousands of computers. Now he's been arrested and charged with involvement in another mass hacking scheme—this time on the wrong side.
Yesterday authorities detained 22-year-old Hutchins after the Defcon hacker conference in Las Vegas as he attempted to fly home to the UK, where he works as a researcher for the security firm Kryptos Logic. Upon his arrest, the Department of Justice unsealed an indictment against Hutchins, charging that he created the Kronos banking trojan, a widespread piece of malware used to steal banking credentials for fraud. He's accused of intentionally creating that banking malware for criminal use, as well as being part of a conspiracy to sell it for $3,000 between 2014 and 2015 on cybercrime market sites such as the now-defunct AlphaBay dark web market.
But the short, eight-page indictment against Hutchins, a rising star in the hacker world, has already raised questions and skepticism in both legal and cybersecurity circles. Orin Kerr, a law professor at George Washington University who has written extensively about cybersecurity and hacking cases, says that based on the indictment alone, the charges look like "a stretch." Although the indictment claims Hutchins wrote the Kronos malware, nothing in the document illustrates that Hutchins possessed actual intent for the malware he allegedly created to be used in the criminal "conspiracy" he's accused of.
"It’s not a crime to create malware. It’s not a crime to sell malware. It’s a crime to sell malware with the intent to further someone else’s crime." Kerr says. "This story alone doesn’t really fit. There's got to be more to it, or it’s going to run into legal problems."
The news of Hutchins' arrest also shocked Defcon attendees and the wider cybersecurity community, in which Hutchins is a widely admired figure for his technical knowledge and his key actions to neuter the WannaCry epidemic in May. As Hutchins analyzed that catastrophic ransomware worm within its first hours of spreading, he noticed that it was connected to a nonexistent web domain, perhaps as a kind of test of whether it was running in a software simulation. Hutchins, who at the time was more widely known by his pseudonym MalwareTech or MalwareTechBlog, registered that domain and was surprised to find that it immediately caused WannaCry to stop spreading.
That quick work earned him immediate celebrity but also led some members of the media to track down his real name, though it's unclear whether that exposure helped law enforcement connect him to Kronos. Indications of his Kronos involvement could also have come in last month's FBI and Europol seizure of AlphaBay servers.
Hutchins isn't the only member of the malware "conspiracy" named in the indictment against him. It accuses another person, whose name is redacted from the document, of doing what seems to be the majority of the legwork to distribute Kronos, including listing the malware for sale on criminal forums, creating a video advertisement that showed how it worked, and offering so-called "crypting" services meant to hide the malware from detection. The indictment also accuses Hutchins of helping update the malware in February 2015, at least six months after it first went on sale—the only hint that he may have worked on it after it was being actively used for criminal actions.
Kronos gained attention in the security community in the summer of 2014, in part for its moderately hefty price tag: One Russian forum set the price tag at $7,000. IBM's security researchers at the time posted a translation of the Russian-language advertisement for the malware on a cybercriminal market, which promised that the code was "equipped with the tools to give you successful banking actions." Kronos was designed to not only function as a keylogger, collecting users' credentials from web banking interfaces, but also to alter banks' web pages in any major browser to add fields for additional information, like PIN codes, it would then transmit to a remote server. And it promised it would bypass any of the "sandbox" protections designed to isolate apps from interference and even protect the data it collected from being hijacked by other trojans on the same machine.
In a statement on Thursday, the Department of Justice noted that Kronos malware "presents an ongoing threat to privacy and security" and had been loaded onto victims' machines by the Kelihos botnet, a massive collection of hijacked machines whose Russian owner the FBI arrested in April.
Some associates of Hutchins also defended him Thursday on Twitter, even arguing that he has worked directly with US law enforcement. "I know Marcus. He has a business which fights against exactly this (bot malware), it's all he does. He feeds that info to US law enforcement," wrote Kevin Beaumont, a UK-based security architect. "The DoJ has seriously fucked up."
Another well-known researcher for security firm Rendition Infosec, Jake Williams, said he'd worked with Hutchins multiple times since 2013, met him in person at last year's Defcon, and shared malware samples. At one point in 2014, Williams says Hutchins refused his offer of payment for help on an educational project. Even when Hutchins was awarded a $10,000 "bug bounty" from security firm HackerOne for his work on stopping WannaCry, he gave it away to charity. "I have pretty good black hat radar," Williams wrote to WIRED, using the term "black hat" to mean a criminal hacker. "It NEVER went off when talking to him or exchanging stuff with him."
For the moment, neither the FBI nor the Department of Justice is commenting further on Hutchins' case beyond the DOJ's statement and the facts of the indictment. A spokesperson for the Electronic Frontier Foundation, which often offers legal representation to embattled hackers, wrote in a statement to WIRED that it's "deeply concerned" about Hutchins' arrest and are reaching out to him.
WIRED will continue to update this developing story. In the meantime, here's the full indictment against Hutchins.
