Marcus Hutchins Pleads Not Guilty to Charges Related to Kronos Malware
Cybersecurity researcher Marcus Hutchins pleaded not guilty in Las Vegas federal court to charges relating to creating and selling banking malware called Kronos (see FBI Arrests Marcus Hutchins, Who Stopped WannaCry).
See Also: How the New World of Digital Banking is Transforming Fraud Detection
“He’s refuting the allegations; he’s pleading not guilty,” Hutchins’ attorney, Adrian Lobo said on Friday outside the Lloyd D. George Federal Courthouse in Las Vegas.
A six-count indictment filed in Wisconsin federal court on July 11 charged Hutchins and an unnamed defendant with creating, distributing and profiting from the Kronos banking Trojan between July 2014 and July 2015.
Some in the security community think the FBI may have confused his legitimate research activities with criminal behavior.
Hutchins, who also uses the online handle MalwareTech, was already catapulted into the limelight in May, after he spent $10 to register a domain name he’d spotted in the code for the WannaCry malware. By doing so, he defused the global malware outbreak, and reluctantly accepted the moniker of “accidental hero.” But according to experts’ conservative estimates, Hutchins’ actions prevented tens of millions of PCs from being cryptolocked and averted a potential disaster for Britain’s National Health Service, amongst others.
In a surprise turn, however, he’s now been arrested by the FBI on malware-related charges.
“I can’t comment on the actual, substantive charges, because at this point, all I have is an indictment; I haven’t even been able to talk to my client about the substance of the case right now,” Lobo said. “All we’re concerned about is getting him out of custody so we can have a meaningful conversation.”
Hutchins was arrested by the FBI on Wednesday. He first appeared before U.S. Judge Nancy Koppe on Thursday, with his public defender telling the court that he’d cooperated with the FBI after being arrested. The judge ordered Hutchins’ hearing to reconvene the next day to give him time to retain private counsel.
Hutchins, who was visiting Las Vegas to attend the annual Black Hat and Def Con information security conferences, was arrested at the airport in Las Vegas as he attempted to fly back to the United Kingdom.
Lobo said Hutchins was surprised by the allegations against him.
Conditional Bail Set
The judge on Friday ordered Hutchins to be released on conditional bail with a $30,000 cash bond. Conditions include Hutchins remaining in Las Vegas or Wisconsin, wearing a GPS tracking device and not using the internet.
Lobo said the required funds were available, having been raised from “a variety of sources,” but said there had been insufficient time to pay the bail before offices closed Friday, leading to Hutchins having to spend the weekend in jail.
But she said her client would be released from custody on Monday. Lobo also said she had shared dozens of letters of support that Hutchins had received from friends and colleagues, many of which highlighted his role in helping to stop WannaCry.
Hutchins’ efforts earned him folk hero status, as well as a $10,000 reward from bug bounty program HackerOne, which rewards the efforts of “ethical hackers.” Hutchins, however, lamented losing his online anonymity. He also promised to donate the reward money to charity, including to support information security students who couldn’t afford textbooks.
For his WannaCry efforts, Hutchins – who on Twitter seemed to discuss pizza second only to cybersecurity concerns – also received a year’s free supply of pizza from Just Eat, a British food and delivery service. That reward he kept.
Federal Prosecutor Sought to Block Bail
In court, prosecutor Dan Cowhig said that Hutchins had been identified as part of an undercover law enforcement operation aimed at the darknet marketplace AlphaBay after officers purchased malware from him and an unnamed co-defendant, Sky News reports.
In court on Friday, Cowhig argued that Hutchins posed a danger to the public because he’d attended a gun range and fired a number of weapons while visiting Las Vegas. He said that it’s illegal for foreign nationals to use a firearm on U.S. soil.
Lobo, however, dismissed the prosecutor’s claims as “garbage,” telling reporters that the gun range had verified Hutchins’ age via his U.K. passport. She said that if anyone should be investigated for this alleged violation of federal law, it was the gun range, which markets itself heavily to tourists and allowed Hutchins to fire the weapons.
Hutchins Will Go to Wisconsin
On Tuesday, Hutchins is due to go to Wisconsin, where he’s been ordered to appear in federal court, and where it’s expected that he’ll enter formal pleas in the case. Lobo said her client will continue to deny all of the charges filed against him.
The Department of Justice has said that the FBI cyber squad in Milwaukee led the investigation that resulted in the indictment against Hutchins and his unnamed co-defendant.
Beyond that, however, Lobo said it’s not clear why the case is based out of Wisconsin. Aside from what’s in the indictment, “at this point, we don’t even know what the allegations are,” she said.
Hutchins is a remote employee of U.S.-based attacker intelligence and information sharing platform provider Kryptos Logic, which has not made any public statements in relation to his arrest. Officials at the company did not respond to a request for comment.
Information Security Community: Shock
Many members of the information security community remain shocked by Hutchins’ arrest.
Ryan Kalember, senior vice president at cybersecurity firm Proofpoint, which worked Hutchins in May to blunt the WannaCry attack, suspects that the FBI is incorrectly reading Hutchins’ alleged activities on AlphaBay.
Kalember tells the Wall Street Journal that he “thinks it’s just normal researcher activity, probably to gain cred on the forums, that the FBI is confusing with real cybercriminal activity.”
While that might seem unusual to observers outside of the cybersecurity field, information security experts say that law enforcement agencies rely heavily on private security researchers to help them identify internet-enabled criminal activities and amass related evidence (see Cybercrime Battle: Next Steps).
“MalwareTech’s business and job is around finding, reversing and analyzing malicious software (malware) and finding the techniques used,” writes British security researcher Kevin Beaumont, aka GossiTheDog n a blog post.
“This includes monitoring ‘dark web’ websites, where covert identifies are used to gain access – as is common across the security industry. His data around botnets is sold to organizations, including law enforcement, around the world,” Beaumont adds.
Two security researchers – Tarah Wheeler and Andrew Mabbitt, of Fidus Security – have set up a funding page, linked to an escrow account, that can be used to donate to Hutchins’ legal fees.
Mabbitt, who said he will be picking up Hutchins from court on Monday, also attempted to correct what he said was erroneous reporting relating to the luxury cars and pricey accommodation Hutchins enjoyed while he was in Las Vegas, saying that it had been provided by others, or for free.
An update on @MalwareTechBlog and some clarification on misreported facts. pic.twitter.com/6CHlexapoE
— Andrew Mabbitt (@MabbsSec) August 5, 2017
Non-profit digital rights group Electronic Frontier Foundation is also involved in Hutchins’ defense, his supporters say. A spokesman for EFF couldn’t be immediately reached for comment.