Ah the Irony: WannaCry Defender Arrested on Hacking Charges

Written by

Some hats are white, some are black and some are a mix of the two. The researcher that halted May’s crippling WannaCry ransomware campaign by uncovering a kill switch for the code could be of the grey persuasion: He has been picked up by the FBI in Las Vegas for financial cybercrime.

Marcus Hutchins, a 22-year-old British cyber-researcher that goes by “MalwareTech,” appeared to have saved the day back in May when he uncovered a way to implement a kill switch within the now-infamous WannaCry ransomware, which allowed for its immediate containment and earned him immediate kudos from the defense community.

It appears that his time amidst the laurels has come to an end, for now. According to an indictment filed in a US district court in Wisconsin, Hutchins has been arrested (just days after hacking conferences Black Hat and DEF CON wrapped up in Sin City) for allegedly authoring the Kronos banking trojan. The document says that he allegedly spent a year, between July 2014 and July 2015, stealing account credentials and credit-card details while also advertising and distributing the code on the Dark Web. At one point, he allegedly asked for $7,000 for the source code—an outsized sum given the market rate at the time.

There is a second, unnamed defendant in the indictment, but no further details are given.

Hutchins would have been 19 at the time, so, if true, perhaps the alleged Kronos outing was merely a youthful mistake before he came to the light. Nonetheless, MalwareTech will need to answer to US authorities for his actions if convicted.

By all accounts, he was completely blindsided by the detainment. A source close to Hutchins told Infosecurity that there had been “no indication at all from law enforcement” about his arrest, and it was “completely out of the blue”.

With Hutchins taken by surprise and caught in a foreign country's legal system, his close friend, Andrew Mabbit, has vowed to help him. The Fidus Information Security founder tweeted, “I'm working on getting a lawyer for @MalwareTechBlog as he has no legal representation and no visitors. I'll be crowdfunding legal fees soon.”

While the US has iron-clad law that provides for court-appointed legal representation in any criminal case where the defendant has none, or can’t afford it, some called for the UK embassy to get involved as well.

One supporter tweeted: “There has been no proof of legal assistance being given. The uk embassy's job is to ensure he gets it.”

Despite these concerns, it’s unlikely that the British government will intervene. "We are aware a UK national has been arrested but it's a matter for the authorities in the US," a spokesperson for the UK's National Crime Agency told Motherboard, which first reported the arrest.

What’s hot on Infosecurity Magazine?