Marcus Hutchins, the “accidental hero” who helped curb the spread of the WannaCry ransomware attack that struck the UK’s NHS hard in May, pleaded not guilty in a Milwaukee court yesterday to charges related to a separate piece of malware, named Kronos.
Hutchins, who goes by the moniker “MalwareTech” online, was arrested in Las Vegas earlier this month, as he attempted to return from the DEF CON hacking conference.
The 23-year-old’s arrest, and claims that he might have been involved with the creation of the Kronos banking malware, shocked the infosecurity community, many of whom have questioned whether the FBI has put a strong enough case together to pursue Hutchins, and why it does not appear to have found any US-based victims of the malware.
The part played by Hutchins’ unnamed co-defendant, from whom law enforcement allegedly purchased a copy of the Kronos banking trojan via the now-defunct dark web marketplace AlphaBay, and who appears to play a larger role in the indictment against Hutchins, also remains uncertain.
At the earlier court hearing in Las Vegas (transcript here), prosecutors said:
“In his interview following his arrest, Mr Hutchins admitted that he was the author of the code that became the Kronos malware and admitted that he had sold that code to another.”
That’s curious wording: “…admitted that he was the author of the code that became the Kronos malware”. That’s not the same as admitting being the author of the Kronos banking malware. Questions may inevitably be asked as to whether the writing of software code can be directly linked to crimes later allegedly committed with assistance from the code.
And although the authorities claim that they will present evidence of chat logs from 2014 in which Hutchins allegedly discusses with his unnamed co-defendant splitting the proceeds of the “sale of the Kronos banking trojan through his associate”, we will have to see whether a clear link can be made between the security researcher and any crime.
While he awaits trial, Hutchins is required to stay in the United States and wear a GPS tracker. He has been allowed back online, and is for now basing himself in Los Angeles, home of his employer Kryptos Logic, where he hopes to continue working as a security researcher.
i’m still on trial, still not allowed to go home, still on house arrest; but now i am allowed online. Will get my computers back soon.
— MalwareTech (@MalwareTechBlog) August 14, 2017
Get the popcorn, folks, this one is going to run for a while… Either the FBI have made an enormous screw-up of their investigation of the Kronos malware, or a young man - hailed as a hero by many - made some very dumb decisions a few years ago.
For further discussion on this story, make sure to listen to this episode of the “Smashing Security” podcast: