Just three short months ago, security researcher Marcus Hutchins entered the pantheon of hacker heroes for stopping the WannaCry ransomware attack that ripped through the internet and paralyzed hundreds of thousands of computers. Now he’s been arrested and charged with involvement in another mass hacking scheme—this time on the wrong side.
Yesterday authorities detained 22-year-old Hutchins after the Defcon hacker conference in Las Vegas as he attempted to fly home to the UK, where he works as a researcher for the security firm Kryptos Logic. Upon his arrest, the Department of Justice unsealed an indictment against Hutchins, charging that he created the Kronos banking trojan, a widespread piece of malware used to steal banking credentials for fraud. He’s accused of intentionally creating that banking malware for criminal use, as well as being part of a conspiracy to sell it for $3,000 between 2014 and 2015 on cybercrime market sites such as the now-defunct AlphaBay dark web market.
But the short, eight-page indictment against Hutchins, a rising star in the hacker world, has already raised questions and skepticism in both legal and cybersecurity circles. Orin Kerr, a law professor at George Washington University who has written extensively about cybersecurity and hacking cases, says that based on the indictment alone, the charges look like “a stretch.” Although the indictment claims Hutchins wrote the Kronos malware, nothing in the document illustrates that Hutchins possessed actual intent for the malware he allegedly created to be used in the criminal “conspiracy” he’s accused of.
“It’s not a crime to create malware. It’s not a crime to sell malware. It’s a crime to sell malware with the intent to further someone else’s crime.” Kerr says. “This story alone doesn’t really fit. There’s got to be more to it, or it’s going to run into legal problems.”
The news of Hutchins’ arrest also shocked Defcon attendees and the wider cybersecurity community, in which Hutchins is a widely admired figure for his technical knowledge and his key actions to neuter the WannaCry epidemic in May. As Hutchins analyzed that catastrophic ransomware worm within its first hours of spreading, he noticed that it was connected to a nonexistent web domain, perhaps as a kind of test of whether it was running in a software simulation. Hutchins, who at the time was more widely known by his pseudonym MalwareTech or MalwareTechBlog, registered that domain and was surprised to find that it immediately caused WannaCry to stop spreading.