Marcus Hutchins, the 23-year-old UK researcher who found the kill-switch domain in the WannaCry ransomware code and registered it, preventing the malware to wreak even more chaos than it did, has been arrested in Las Vegas on Wednesday.
Hutchins, who’s more known by his MalwareTechBlog handle on Twitter, was apprehended by the FBI as he was preparing to board the plane to return home. Before that, he spent more than a week in Vegas with friends and socialising with other security researchers who were in town for the DEF CON hacking conference.
The arrest came as shock to the wider infosec community, and was initially confirmed by Andrew Mabbitt, Hutchins’ friend and the founder of Fidus Information Security, who traveled with him to Vegas.
Another confirmation came when an indictment filed with the US District Court, Eastern District of Wisconsin, was made public. According to it, Hutchins was arrested “for his role in creating and distributing the Kronos banking Trojan.”
“In the indictment, Hutchins was charged with one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavoring to intercept electronic communications, and one count of attempting to access a computer without authorization. The alleged conduct for which Hutchins was arrested occurred between in or around July 2014 and July 2015,” the US Attorney for the Eastern District of Wisconsin stated in a press release.
“Publically available information for the Kronos banking Trojan indicates that it was first made available through certain internet forums in early 2014, and marketed and distributed through AlphaBay, a hidden service on the Tor network. On July 20, 2017, the Department of Justice announced that the Alphabay marketplace was shuttered through an international law enforcement effort led by the United States.”
The indictment names one other defendant, who allegedly helped sell the Kronos malware, but that person’s name has been redacted. This might mean that the person has yet to be arrested, or that they’ve already been arrested and will possibly be set loose as an informant.
Mabbitt has been working with Electronic Frontier Foundation staff lawyers on finding legal representation for Hutchins.
In the meantime, many in the infosec community have expressed their doubts about Hutchins ever having been a “black hat,” and noted that many things mentioned in the indictment can be a result of active security research.
As an interesting sidenote, the entirety of the money extorted through the use of the WannaCry ransomware was moved to several other bitcoin addresses on the exact day Hutchins was arrested. It is currently unknown whether the two events are connected.