This one has me bothered, but I’m not sure how much I ought to be.
The guy who found the “kill switch” in the “Wannacry” malware and potentially saved the world $Billions has been arrested by the FBI for “selling malware”. Now what isn’t clear is “to whom” and “for what purpose”.
This could be the moral equivalent of a master locksmith selling a pick kit to another locksmith, or it could be he sold it to a burglar. Who knows.
Since that isn’t known, and he’s been arrested anyway, the presumption must be that the US Government doesn’t care if you are working in the field of computer security and are a “good guy”, if you use or sell hacking ‘kit’ it gets you busted.
As a guy who worked in computer security, I can assure you it is essential for the “good guys” to get the ‘kit’ to understand it and defend against it. Now it looks like exchanging it with others gets you arrested.
There’s not a whole lot of good that can come out of this. One recent hero with skilz taken out of the White Hat pool, perhaps for past indiscretions or perhaps for just doing his job. How is this a good thing?
It has me wondering if I post an article saying, for example, “Do this byte shift with this code and you can take over a Windows Intel box”, am I now a criminal too? All I’ve done is show a risk to be closed, but is that exchanging “malware” and building “hacker tools”?
So guess what my behaviour, faced with that risk, will be? Right: STFU. Go dark. Take care of me and mine and screw everybody else, let them figure out how to protect themselves and what the risks are. So how is that helpful to others?
Also: Note to self – do NOT attend any hacker conferences in the USA. The USA is security guy hostile. Kiss off Las Vegas as a destination. At most, use foreign VPNs to have a telepresence from an untraceable location. In short, treat US Law Enforcement as Black Hats. Now that one really sticks in the craw as I’ve been on teams working with law enforcement against the real Black Hats… but as of now, Law Enforcement must be treated as at least a Grey Hat, with suspicion, and only at a distance.
http://www.bankinfosecurity.com/fbi-arrests-marcus-hutchins-who-stopped-wannacry-a-10168
FBI Arrests Marcus Hutchins, Who Stopped WannaCry
Hutchins, aka “MalwareTech,” Accused of Creating Kronos Banking Malware
Mathew J. Schwartz (euroinfosec) • August 4, 2017
Many in the information security community have reacted with shock over the arrest of 23-year-old British citizen Marcus Hutchins, aka “MalwareTech.”
Hutchins was arrested Wednesday at the airport in Las Vegas by the FBI, as he attempted to return to Britain. He had been attending the annual Black Hat and Def Con information security conferences, although not presenting research at either event.
The arrest of Hutchins was an unexpected turn after he singlehandedly defused the WannaCry malware outbreak in May, after accidentally registering a domain name referenced in the malicious code. The move earned him folk hero status, not least because he’d apparently helped avert a ransomware disaster for Britain’s National Health Service. Hutchins, however, referred to himself as an “accidental hero” and said he’d preferred operating as an anonymous security researcher.
A six-count indictment, filed July 11, charged Hutchins and another, unnamed defendant – apparently based in Wisconsin – with various crimes associated with the Kronos banking Trojan.
The U.S. Department of Justice says in a statement: “Marcus Hutchins … a citizen and resident of the United Kingdom, was arrested in the United States on 2 August, 2017, in Las Vegas, Nevada, after a grand jury in the Eastern District of Wisconsin returned a six-count indictment against Hutchins for his role in creating and distributing the Kronos banking Trojan.”
Now it could be that Marcus was a Grey Hat who was working both sides of the fence. Creating malware and then profiting from defending against it. Or it could be that his “role” was that he sold copies to others for them to figure out how to defeat it, and the FBI just can’t make that fine a distinction. In my (limited) interactions with the FBI on cyber security, admittedly 30 years ago, I was not impressed. (Roughly: “We have a live attack in progress on a US Government Facility bouncing off our router. The attacker appears to be Russian.” met with “Oh, THE guy who handles that is on vacation, can he get back to you next week?” Really.) Hopefully they have improved a LOT since then.
he was arrested, relate to alleged conduct that occurred between in or around July 2014 and July 2015.” It adds that Kronos has been used to exfiltrate victims’ online banking credentials not just in the United States but also such countries as Canada, France, Germany, Poland, and the United Kingdom. In addition, it says the malware has been distributed via phishing campaigns, for example via the Kelihos botnet in late 2016.
So first off, this is from 2014 / 2015. Was he a Black Hat then, and reformed? If so, does that buy him nothing? Can no Black Hat EVER consider moving to the White Hat side?
Or was it already in existence and “circulating”, and he just set up a side business selling copies of it of known quality to others “in the business” of defending? IF that is the case, does this mean EVER using a dark net site brands you a criminal? What “get out of jail free card” do I need when doing such explorations for my employers (or LEOs or other agencies…), hmmm? I’ve run a phone number scanning operation looking for modems at a block of phone numbers including Federal Offices. That’s technically a crime. I was doing it under the direction of law enforcement officers and after filing my security clearance papers with The Fed. But what proof do I need now to show I’m not a Black Hat? If I publish the (trivial) script to do that scan, am I going to be arrested?
There’s just way more questions here than answers.
Hutchins appeared Thursday before U.S. Judge Nancy Koppe. A federal public defender, Dan Coe, told the court that Hutchins “had cooperated with the government prior to being charged,” Reuters reports.
Koppe ordered Hutchins’ hearing to reconvene Friday, to give the defendant time to retain defense counsel; he was detained overnight.
So they bust the guy, he’s cooperative and answering their questions, THEN they charge him? Note To Self: NEVER EVER COOPERATE. Say only: “Lawyer please”….
Non-profit digital rights group Electronic Frontier Foundation said it was attempting to make contact with the detained information security researcher. “This is the sort of thing that concerns us a lot,” the organization said in a statement.
Hutchins is an employee of attacker intelligence and information sharing platform provider Kryptos Logic. Officials at the company, which has not made any public statements in relation to his arrest, could not be immediately reached for comment.
Some legal experts have expressed concern at Hutchins apparently having spoken to the FBI without a lawyer present.
Concern? Concern doesn’t even come close. The FBI has now raised a giant “DANGER DO NOT ENGAGE” sign over their entire organization.
Now the details on Kronos make it unlikely, IMHO, that this is the guy who created it. It is of Russian origin and the “seller” was going by another handle. To me, it is more likely the FBI offered a ‘deal’ to the wrong guy and he’s pinning the gig on Marcus.
Kronos Banking Trojan
The indictment accuses a co-defendant – who has not been named – of having advertised and sold the Kronos banking Trojan, at least once, for $2,000 via the AlphaBay darknet marketplace.
John Miller, senior manager of analysis at cybersecurity firm FireEye, says that his firm “observed Kronos being advertised on an established Russian cybercriminal forum by the actor ‘VinnyK’ in June 2014.” But it’s not clear if that actor might be the unnamed co-defendant.
Hutchins, meanwhile, has been accused of helping to create Kronos.
Numerous details relating to the case have yet to come to light. But many in the security community have reacted with surprise over the indictment of Hutchins on charges of creating malware, since his job is to track and investigate malware, and help others stop it. The indictment’s linking of Hutchins to the Kronos malware – heavily researched by the security community – also remains an open question.
“Kronos is a Russian banking trojan, for info,” says British security researcher Kevin Beaumont on Twitter. “It looks like the U.S. justice system has made a huge mistake.”
So did “VinnyK” sell this kit in 2014, a White Hat Marcus buys it, and now is getting burned? Or did Marcus just resell something already in circulation to other White Hats?
So Russian kit, sold on a Russian forum, by a guy with a different name, now a potential ‘co-defendant’ or maybe the Black Hat tossing Marcus under the bus; this makes Marcus a bad guy how?
The original article has several links in it to more info. BTW, Wannacry was asking $300 to recover your data. It would take at least $100 of time to restore a system instead of paying the ransom. Figure 10 Million computers would likely be hit (or way more…) at $100 each and you’ve got a $Billion of costs avoided. Just for that alone the guy ought to be given a Lifetime Free Pass.
http://www.dw.com/en/arrest-of-wannacry-buster-marcus-hutchins-raises-concern/a-39962702#nomobile
The German news has a bit different take on things, as they usually seem to do.
Arrest of ‘WannaCry’ buster Marcus Hutchins raises concern
Marcus Hutchins is credited for single-handedly stopping the WannaCry cyber attack in May, which affected computers in over 150 countries. He was detained by law enforcers before returning to London.
The 23-year-old security researcher Marcus Hutchins, who uses the online handle “MalwareTech”, was detained Thursday as he boarded a flight from Los Angeles back to the United Kingdom.
An indictment was issued against Hutchins and an unnamed co-defendant on July 12 in US District Court in the Eastern District of Wisconsin. Hutchins is accused of creating the Kronos malware, then advertising, distributing and profiting from it in activities between July 2014 and July 2015, according to the court.
So which is it: Did he write it, or was it a Russian kit?
Hutchins, who works for LA-based firm Kryptos Logic, was in Las Vegas around the time of the DEF CON and Black Hat hacking conferences, but didn’t plan to attend, according to The Outline. Hutchins and several acquaintances rented first-rate sports cars, held parties at their lavish apartment and went to a shooting range.
Hey, sounds like a typical conference in Vegas ;-)
What, you thought everyone stayed in their rooms all day?
The case against Hutchins:
Orin Kerr, a professor of law at George Washington University, told the Associated Press news agency that it remains a consistent problem in legal circles when malware is only created and sold – and not for greater crimes. “This is the first case I know of where the government is prosecuting someone for creating or selling malware but not actually using it,” he noted.
Kerr also wrote a lengthy explanation in a Washington Post op-ed about the challenges for the Justice Department in presenting a robust legal case for creating and selling malware. “My sense is that the government’s theory of the case is fairly aggressive. It will lead to some significant legal challenges,” he wrote.
There are a whole bunch of Professors who ought to be crapping their pants about now if making ‘malware’ becomes a crime in its own right. The common pattern is someone finds a bug, builds an exploit, then tells all the White Hats and provides sample code. That is, by definition, “building and distributing malware”. BUT, if that is forbidden, it doesn’t stop malware from happening, it stops the FIX and PATCH from happening. It leaves the door wide open for the Black Hats to exploit with no ability for the White Hats to know, or fix it.
KRONOS MALWARE
Kronos malware downloaded from email attachments left victims’ systems vulnerable to theft of banking and credit card credentials, which could have been used to siphon money from bank accounts.
The indictment alleges that the unidentified co-defendant advertised the Kronos malware on AlphaBay, a dark web marketplace that international authorities took offline last month. Investigators said the site allowed anonymous users to facilitate global trade in drugs, firearms, hacking tools and other illicit goods. The Justice Department said Kronos was used to steal banking systems credentials in Canada, Germany, Poland, France, the United Kingdom and other countries.
Within the cyber security community, Hutchins was heralded as a folk hero for his apparent role in stopping the WannaCry attack, which infected hundreds of thousands of computers and caused disruptions at car factories, hospitals, shops and schools in more than 150 countries.
So someone else sold it… yet Marcus is getting the ‘take down’? Sure smells to me like a ‘deal’ cut by someone in the nutcracker to get the screws backed off. What better than to get reduced heat AND toss a White Hat under the bus too…
One would need to know the actual relationship between Marcus and “the co-defendant” to know if criminal intent existed for Marcus, or was he just sharing some ‘kit’ with a fellow White Hat who turned out to be more Grey Hat?
So much more information needed than is available. I’m reserving judgment until more is known, but my preliminary leaning is that this is a case of Legal Overreach (not quite on a par with Waco, but getting there…) with FBI Hot Dogs trying to make a name for themselves and impress the boss, while not “getting it” about how computer security culture and methods work and are distributed. We MUST engage with The Dark Side to find out what they are doing and what kit is about to hit us. We MUST share known hacks, cracks and ‘kit’ to propagate “sources and methods” faster than the Bad Guys. Hell, I’ve got a program for the Pi that is specifically designed to crack into WiFi Hot Spots. Disney had a team dispatched to roam the entire park and property looking for clandestine Hot Spots just to assure their own gear was secure against known attacks. Was the whole Disney Computer Security Team made criminals by getting and deploying that “Tiger Team” gear? If defending your own gear becomes a criminal act, the result is not going to be pretty.
Yes, I’ll be watching this one closely.
The FBI was _looking for_ Imran Awan but got this guy, too, by mistake.
Doesn’t sound like the FBI has come very far from “The Cuckoo’s Egg”
A review of Kronos from the original 2014 date
http://securityaffairs.co/wordpress/26649/cyber-crime/kronos-trojan-underground.html
Not seeing how to tell it’s Russian vs UK or USA origin hosted via Russian server. At this point, could still go either way.
Despite the accusatory title, this article claims to show a tweet in which Hutchins asks if anyone has a sample of Kronos.
http://www.dailymail.co.uk/news/article-4762608/Marcus-Hutchins-admits-malware-code-Las-Vegas.html
Looks legit, but who knows.
I can see a scenario where some folks are looking at Zeus, Hutchins writes some example better exploit code, someone ELSE incorporates that into Kronos and sells it… then he gets a sample and sees his code. Now, years later, the FBI asks if he wrote any of the Kronos code and he says yes, seeing as it is the truth and he was exploited. Clink! Go the FBI cuffs… not caring about details…
Who watches the Watcher ?
The Closed State… The Deep State …The Expanding State?
Creepy…
A serf.
I note this from Hackernews (From: http://thehackernews.com/2017/08/malwaretech-marcus-hutchins.html) —
“Hutchins was also charged with five other counts, including wiretapping and violating Computer Fraud and Abuse Act.
If convicted, Hutchins faces a maximum of 40 years in jail.
Hutchins’ supporters believe that he is innocent and claim a tweet from July 2014 proves he could not have written the malware. In the tweet, Hutchins was himself asking for a Kronos sample.”
Five other counts?
Not much else in this thin piece but then again there appears to be very little happening till Monday…
… and from his lawyer there’s
The FBI doesn’t want its back doors fixed.
@M. Simon – or the NSA, and since they cannot arrest, they worked through the FBI.
@E.M. – On your experience with the FBI – similar to mine with any federal agency. The Employees are place holders. The work is done by the beltway bandits.
From https://www.cyberscoop.com/marcus-hutchins-threat-intelligence-wannacry-fbi-doj/
Shaun Waterman at Cyberscoop…
The arrest of security researcher Marcus Hutchins is troubling members of multiple threat information sharing groups who once counted Hutchins as an ally, but now worry that he could have recorded and shared their sensitive work.
CyberScoop viewed several conversations among threat intel groups that played out in closed chatrooms and email threads. The concern voiced by members of several groups is that Hutchins — who was arrested by the FBI last week and charged with allegedly creating a banking trojan that was sold on dark web marketplace AlphaBay — could have sent sensitive information from the groups to people associated with the cybercrime underground.
….
While also working with GCHQ’s National Cyber Security Centre (NCSC), Hutchins was a member of at least three cyberthreat information sharing groups, …One such group that Hutchins was involved with focused on the WannaCry ransomware variant; another was interested in tracking popular variants of crimeware. …
The NCSC did not respond to a request for comment.
…
Experts believe the current legal proceeding against Hutchins could open the door for a bevy of new prosecutions against other information security professionals that reverse engineer malware.
….
The charges against Hutchins date back to between 2014 and 2015.
So it’s all put off until August 14, but the cyber community is rattled about this.
@tom0mason:
Until his status is resolved AND it is made clear that White Hats can test vulnerabilities, share exploits, and demonstrate methods, I’ll be highly reluctant to do any security work requiring those things (which is pretty much most of it other than installing a commercial package, where their staff did those things… likely now in a non-US jurisdiction)…