FBI Arrests WannaCry Researcher for Kronos Banking Trojan Involvement | eWeek

WannaCry Researcher Arrested by the FBI for Kronos Malware Campaign

WannaCry Ransomware
Aug 3, 2017
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

On August 2, the FBI arrested well known security researcher Marcus Hutchins, who was involved in stopping the WannaCry ransomware outbreak, for allegedly being involved with the Kronos malware in 2014 and 2015. Hutchins age 22, is a U.K. national that is better known by his online alias MalwareTechBlog. He was headed home to the UK from Las Vegas, after attending the DefCon security conference. 

According to the indictment, the U.S. Department of Justice charged Hutchins and several co-conspirators with six counts of violating U.S. laws, between July 2014 and July 2015. The indictment as publicly posted has redacted the names of Hutchins’ co-conspirators. 

Among the charges, the indictment alleges that Hutchins created the Kronos malware. IBM’s Trusteer business unit first reported on the emergence of Kronos in July 2014. Kronos is a financial malware Trojan, designed to steal banking credentials from victims. In November 2015, security firm Proofpoint reported that the Kronos Trojan had evolved to take aim at Point-of-Sale (PoS) systems.

The Department of Justice also alleges in its indictment that Hutchins’ co-conspirators demonstrated how Kronos worked on a publicly available website in July 2014 and offered to sell Kronos for $3,000 in August 2014. In August 2015, the indictment alleges that Hutchins’ co-conspirators advertised the Kronos malware on the AlphaBay dark web forum.

After spending the week attending security conferences, Hutchins tweeted on August 1, the day before his arrest, that he was eager to get back to work, after spending the week in Las Vegas.

“I’m actually pretty excited to get back to work soon,” Hutchins wrote. “Haven’t touched a debugger in over a month now.”

Hutchins shot to international fame in mid-May for his efforts in helping to stop the WannaCry ransomware outbreak. The UK National Cyber Security Centre credited Hutchins with discovering the so-called “kill switch” that stopped the WannaCry ransomware from spreading. Hutchins discovered that WannaCry was reaching out to find a specific un-registered web domain to determine if it should continue spreading. Hutchins bought the kill switch domain, which resulted in slowing down the spread of the initial variants of the WannaCry malware.

Friends of Hutchins have defended him on Twitter as being on the right side of the security research world.

“I refuse to believe the charges against @MalwareTechBlog, not the MT I know at all,” Andrew Mabbitt, founder of Fidus Information security wrote. “He spent his career stopping malware, not writing it.”

eWEEK will continue to update this developing story.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.