Hutchins, aka “MalwareTech,” Accused of Creating Kronos Banking Malware
Many in the information security community have reacted with shock over the arrest of 23-year-old British citizen Marcus Hutchins, aka “MalwareTech.”
Hutchins was arrested Wednesday at the airport in Las Vegas by the FBI, as he attempted to return to Britain. He had been attending the annual Black Hat and Def Con information security conferences, although not presenting research at either event.
The arrest of Hutchins was an unexpected turn after he singlehandedly defused the WannaCry malware outbreak in May by registering, without realizing its effect, a domain name referenced in the malicious code. The move earned him folk hero status, not least because he’d apparently helped avert a ransomware disaster for Britain’s National Health Service. Hutchins, however, referred to himself as an “accidental hero” and said he’d have preferred to keep operating as an anonymous security researcher.
A six-count indictment, filed July 11, charged Hutchins and another, unnamed defendant – apparently based in Wisconsin – with various crimes associated with advertising and selling the Kronos banking Trojan.
The U.S. Department of Justice says in a statement: “Marcus Hutchins … a citizen and resident of the United Kingdom, was arrested in the United States on 2 August, 2017, in Las Vegas, Nevada, after a grand jury in the Eastern District of Wisconsin returned a six-count indictment against Hutchins for his role in creating and distributing the Kronos banking Trojan.”
The Justice Department says the case was investigated by the Milwaukee-based FBI cyber squad. “The charges against Hutchins, and for which he was arrested, relate to alleged conduct that occurred between in or around July 2014 and July 2015,” it adds.
British authorities say they’re aware of his arrest. “We are aware a U.K. national has been arrested but it’s a matter for the authorities in the U.S.,” a spokesman for Britain’s National Crime Agency says in a statement.
“We are in contact with the local authorities in Las Vegas following the arrest of a British man, and are providing support to his family,” a spokesman for the British Foreign Office tells Information Security Media Group.
Hutchins appeared Thursday before U.S. Judge Nancy Koppe. A federal public defender, Dan Coe, told the court that Hutchins “had cooperated with the government prior to being charged,” Reuters reports.
Koppe ordered Hutchins’ hearing to reconvene Friday, to give the defendant time to retain defense counsel; he was detained overnight.
Non-profit digital rights group Electronic Frontier Foundation said it was attempting to make contact with the detained information security researcher. “This is the sort of thing that concerns us a lot,” the organization said in a statement.
Hutchins is an employee of attacker intelligence and information sharing platform provider Kryptos Logic. Officials at the company, which has not made any public statements in relation to the arrest, could not be immediately reached for comment.
Some legal experts have expressed concern at Hutchins apparently having spoken to the FBI without a lawyer present.
His mother, Janet Hutchins, tells the BBC that it is “hugely unlikely” that the charges are valid, given that her son has spent “enormous amounts of time and even his free time” battling malware.
Hutchins, a regular on Twitter, abruptly stopped tweeting on Wednesday.
News of Hutchins’ arrest was first reported by the security site Motherboard.
Kronos Banking Trojan
The indictment accuses a co-defendant – who has not been named – of having advertised and sold the Kronos banking Trojan, at least once, for $2,000 via the AlphaBay darknet marketplace.
Hutchins, meanwhile, has been accused of helping to create Kronos.
Numerous details relating to the case have yet to come to light. But many in the security community have reacted with surprise over the indictment of Hutchins on charges of creating malware, since his job is to track and investigate malware, and help others stop it. The indictment’s linking of Hutchins to the Kronos malware – heavily researched by the security community – also remains an open question.
That’s because Kronos was first spotted in 2014, when IBM found the attack toolkit for sale on Russian underground forums. The malware is designed to intercept and exfiltrate details relating to victims’ online bank accounts. Such information would typically then be used by the cybercrime gang to drain bank accounts, or the data might be resold on darknet marketplaces.
“Kronos is a Russian banking trojan, for info,” British security researcher Kevin Beaumont said on Twitter. “It looks like the U.S. justice system has made a huge mistake.”
Kronos is a banking BOTNET. MalwareTech’s business is *tracking* botnets.
— Kevin Beaumont (@GossiTheDog) August 3, 2017
Shortly after security firms announced the discovery of Kronos, Hutchins on July 13, 2014, requested a sample of the malware. Such requests are not uncommon for security researchers who study malware, to help them analyze how it works, as well as how it might be tracked and blocked.
Anyone got a kronos sample?
— MalwareTech (@MalwareTechBlog) July 13, 2014
In his spare time, in fact, Hutchins built and maintained a site devoted to tracking malware infections.
Indictment Cites AlphaBay
The indictment may be based in part on information obtained via the recent takedown of the darknet marketplace AlphaBay, which advertised everything from counterfeit items and stolen payment card data to drugs and malware.
The shuttering of AlphaBay occurred on July 5, the same day that suspected AlphaBay mastermind, Alexandre Cazes, 26, was arrested at his home in Thailand.
In a raid on Cazes’ residence that also involved the FBI, law enforcement agents successfully seized Cazes’ laptop in an open and unencrypted state, no doubt enabling them to amass evidence. Cazes later died in a Thai jail cell, apparently after taking his own life (see One Simple Error Led to AlphaBay Admin’s Downfall).
Hutchins may very well have represented himself as a malware author to others via underground forums, as many white hat – aka “good guy” – security researchers do, in part to obtain malware samples, says Martijn Grooten, a security researcher and the editor of Virus Bulletin, on Twitter.
He may have posed as a malware author on underground forums. Many white hat researchers do that. Not easy to prove innocence this way.
— Martijn Grooten (@martijn_grooten) August 3, 2017
Attorneys Skeptical of Charges
Cybersecurity attorneys have questioned the prosecutorial logic behind the charges against Hutchins, however, and warned of the stifling effect that it could have on information security research.
“I can think of a number of examples of legitimate software that would potentially be a felony under this theory of prosecution,” attorney Tor Ekeland told BBC Radio 4’s Today show on Friday. Ekeland says the charges filed against Hutchins carry a statutory maximum sentence of 40 years in prison.
In terms of Hutchins and his potential role, Kerr also says it’s not clear that the case would succeed, in part because the government would have to prove that Hutchins and his co-defendant created and sold malware with the intent to cause damage to a computer or compromise data. “Just based on a first look at the case, my sense is that the government’s theory of the case is fairly aggressive,” he writes in the Washington Post.
“The indictment is pretty bare bones, and we don’t have all the facts or even what the government thinks are the facts,” he writes. “So while we can’t say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case.”