Marcus Hutchins, aka MalwareTech, the British security researcher who was credited with stopping the hard-hitting WannaCry ransomware worm that hit the UK’s NHS hard earlier this year, has been arrested in Las Vegas.
News that the 23-year-old, who found WannaCry’s hidden “kill switch”, had been detained by the US authorities as he attempted to return from the DEF CON hacking conference in Las Vegas came as a complete shock to the computer security industry.
In May, MalwareTech was portrayed as an “accidental hero” who determined that the WannaCry malware was connecting to an unregistered domain. He chose to register the domain, and WannaCry - fortuitously - stopped spreading.
MalwareTech received the praise of the National Cyber Security Centre (NCSC), part of the UK’s GCHQ intelligence agency, for his part in tackling WannaCry’s spread around the world.
The media went crazy, wanting to identify the young man who had saved the NHS, and it didn’t take long for them to name him as Marcus Hutchins, a young researcher based in South West England, working for a Los Angeles-based threat intelligence firm.
Hutchins made clear on social media that he was unhappy to be identified, seeming to prefer to work anonymously and arguing that his identity being made public could put him and loved ones in danger from the online criminals he worked against.
However, over time, Hutchins seems to have accepted that his fate - making multiple media appearances and seemingly growing to enjoy the spotlight and his new-found fame.
Now, Hutchins finds himself in the unwanted glare of the world again.
The Department of Justice has announced that it has charged Hutchins “for his role in creating and distributing the Kronos banking Trojan” - malware designed to drain online bank accounts.
In the indictment, Hutchins is charged with one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavouring to intercept electronic communications, and one count of attempting to access a computer without authorisation.
The six-count indictment against Hutchins was filed on July 12, 2017, but only made public upon his arrest as he was preparing to leave Las Vegas to return to the UK.
The charges relate to alleged conduct occurring between July 2014 and July 2015, and further charges appear to involve the activities of another (as yet unnamed) individual.
The FBI says that it has been investigating the Kronos malware case for the last two years, but things appear to have sped up recently with the shutdown of the dark web marketplace AlphaBay in early July, where Kronos was allegedly listed and sold.
Of course, it’s right to presume that Hutchins is innocent unless later proven guilty. There is lots of speculation taking place online, and some amateur sleuths are hunting for “evidence” to support their suspicions one way or another.
Regardless of whether you are guilty or innocent, being held by law enforcement in a foreign country must be a chilling experience for any young man and his family.
What I can say is that if Hutchins is innocent, there will undoubtedly be many questions asked as to how the FBI could have got things so wrong, and the risk that damage will be done to the relationship between the computer security community and law enforcement.
If, on the other hand, Hutchins is found to be guilty…
Well… it’ll be one of the largest falls from hero to zero that the cybersecurity industry has ever seen. And we’ll all question what on earth he was thinking when he got on that plane to the United States.