On Wednesday, the FBI arrested Marcus Hutchins, a 23-year-old security researcher from the U.K. best known for helping to stop the WannaCry global outbreak, at DEF CON. Authorities have Hutchins under custody over allegedly creating and spreading Kronos, a malware targeting banking information.
U.S. law enforcement has declined to comment and U.K. agencies say they are aware of the situation and helping the family sort this through. The Department of Justice has released an indictment that says Hutchins, aka MalwareTech, is detained on six different counts related to hacking and illegal cyber activities.
The detention of the computer enthusiast coincided with the withdrawal of all the money in the Bitcoin wallets associated with the WannaCry scheme. Experts and the media are not sure the two events are related, and they don’t know either whether Hutchins is truly guilty or not.
— Joseph Cox (@josephfcox) August 3, 2017
What is Kronos and why is Hutchins being charged over it?
Kronos is a malware that rose to prominence between 2014 and 2015 as a hacking tool to get banking account information and credentials from unsuspecting users.
Hackers hid Kronos streams in common attachment files like Microsoft Word documents and such, making it particularly stealthy when compared to others of its kind. People interested in using the malware to obtain the info they wanted usually hired a hacker’s services through dark net markets.
It is inferred that the recent takedown of AlphaBay and Hansa by a global operation was the source of the arrest. When authorities captured AlphaBay’s administrator, they were also able to get direct access to the servers and planted backdoors to gather as much intelligence as they could.
Marcus Hutchins, who runs a cyber security blog called MalwareTech and is employed by the Los Angeles firm Kryptos Logic, managed to find a “kill switch” within WannaCry’s code that allowed him to disable instances of the malware single-handedly and provided the key to shutting down the entire operation.
Authorities may have confused MalwareTech’s activities
Hutchins actions did not go unnoticed, and he was hailed as a hero by the community for stopping a threat that could have potentially reached tens of millions of computers but affected roughly 1 million.
Upon learning about the indictment, Ryan Kalember of Proofpoint, a cyber security firm based in Sunnyvale, California, said the FBI might have followed false leads in the arrest of MalwareTech.
“Lots of researchers like to log in crimeware tools and interfaces and play around,” Kalamber said. He further alleged the Bureau could be mistaking research for control over Kronos infrastructure, and that he wasn’t sure agents could tell the difference between the two instances.
MalwareTech tweeted in mid-June a request for a Kronos sample, which many have pointed out as either illogical (based on the DOJ counts) or a cover supposing the charges are true.
An unnamed co-defendant has been charged along with Hutchins, and only he is known to be under the custody of the FBI at an unknown law enforcement facility in the U.S. His family has not been able to contact him and he was last known to be at the Henderson Detention Center in Nevada.