The Sunday Times reported this weekend:
GCHQ was aware that a British IT expert who stopped a cyber-attack against the NHS was under investigation by the FBI before he travelled to America and was arrested for alleged cyber-offences, The Sunday Times can reveal.
Officials at the intelligence agency knew that Marcus Hutchins, from Devon, who was hailed as a hero for helping the NHS, would be walking into a trap when he flew to the US in July for a cyber-conference.
Malware researcher Hutchins was arrested as he attempted to fly home to the UK, following the DEF CON conference in Las Vegas. He has pleaded not guilty to charges related to the Kronos banking malware, and is currently stuck in the United States awaiting trial.
It’s ironic that GCHQ knew about the US intelligence agency’s interest in Hutchins, as just a few months ago it was widely reported that he was actually helping GCHQ’s National Cyber Security Centre to combat further attacks.
Should we be stunned that GCHQ didn’t tip Hutchins (aka MalwareTech) off that the FBI considered a person of considerable interest? No, of course not. I wouldn’t expect them to act any differently.
Recent history has proven that attempts to extradite suspected malicious hackers from the UK are not guaranteed to succeed, and can go on for years.
With that in mind, it may be no wonder that the FBI chose to wait until Hutchins was on American soil before arresting him.
All of which raises the question of - why did they allow him to spend a week attending security conferences in Las Vegas?
Was it because, out of the goodness of their heart, the FBI felt Marcus Hutchins deserved some party time?
Or was it because they thought it sensible to wait until most of the information security/hacking community had left Las Vegas before apprehending someone many consider a hero?
One thing is clear. The US authorities saved themselves an awful lot of paperwork and legal expense arresting their suspect on their own soil rather than trying to extradite him from the UK.