GCHQ knew FBI was planning to arrest WannaCry’s ‘accidental hero’ before he travelled to the USA

Graham Cluley

Gchq thumb

GCHQ knew FBI was planning to arrest WannaCry's 'accidental hero' before he travelled to the USA

The Sunday Times reported this weekend:

GCHQ was aware that a British IT expert who stopped a cyber-attack against the NHS was under investigation by the FBI before he travelled to America and was arrested for alleged cyber-offences, The Sunday Times can reveal.

Officials at the intelligence agency knew that Marcus Hutchins, from Devon, who was hailed as a hero for helping the NHS, would be walking into a trap when he flew to the US in July for a cyber-conference.

Malware researcher Hutchins was arrested as he attempted to fly home to the UK, following the DEF CON conference in Las Vegas. He has pleaded not guilty to charges related to the Kronos banking malware, and is currently stuck in the United States awaiting trial.

It’s ironic that GCHQ knew about the US intelligence agency’s interest in Hutchins, as just a few months ago it was widely reported that he was actually helping GCHQ’s National Cyber Security Centre to combat further attacks.

Should we be stunned that GCHQ didn’t tip Hutchins (aka MalwareTech) off that the FBI considered a person of considerable interest? No, of course not. I wouldn’t expect them to act any differently.

Anyone familiar with the cases of Gary McKinnon and Lauri Love will know that the United States has had faced enormous difficulty extraditing suspected hackers from the UK in the past.

Recent history has proven that attempts to extradite suspected malicious hackers from the UK are not guaranteed to succeed, and can go on for years.

With that in mind, it may be no wonder that the FBI chose to wait until Hutchins was on American soil before arresting him.

All of which raises the question of – why did they allow him to spend a week attending security conferences in Las Vegas?

Was it because, out of the goodness of their heart, the FBI felt Marcus Hutchins deserved some party time?

Or was it because they thought it sensible to wait until most of the information security/hacking community had left Las Vegas before apprehending someone many consider a hero?

One thing is clear. The US authorities saved themselves an awful lot of paperwork and legal expense arresting their suspect on their own soil rather than trying to extradite him from the UK.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

4 Replies to “GCHQ knew FBI was planning to arrest WannaCry’s ‘accidental hero’ before he travelled to the USA”

  1. …and GCHQ's ideal is to be able to say "we complied fully with the law" while finding (indeed generating via complacent and malleable politicians) loopholes to enable them to do exactly what they want. Law is, for GCHQ, an irritating challenge to be circumvented. GCHQ have only done what their US masters require.

    1. @IanH
      It's not necessary that the US be GCHQ's "master" for these events to be accurate. Having been told that the FBI intended to nick him, they *obviously* couldn't tip him off, for reasons that a couple of seconds' thought will make obvious.

      1. That's true – you're right
        Then again, they would not have tipped off GCHQ unless they could trust GCHQ to do what was convenient for the US rather than what would have been just for an untried British citizen not afforded due UK-US extradition proceedings, farcically asymmetric as these are when it comes to protection of UK citizens.
        US masters.

  2. Or maybe the FBI thought Hutchins would be tempted to get into some cyber related mischieves or otherwise, to help their case.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.