On August 2, the FBI arrested well known security researcher Marcus Hutchins, who was involved in stopping the WannaCry ransomware outbreak, for allegedly being involved with the Kronos malware in 2014 and 2015. Hutchins age 22, is a U.K. national that is better known by his online alias MalwareTechBlog. He was headed home to the UK from Las Vegas, after attending the DefCon security conference.
According to the indictment, the U.S. Department of Justice charged Hutchins and several co-conspirators with six counts of violating U.S. laws, between July 2014 and July 2015. The indictment as publicly posted has redacted the names of Hutchins’ co-conspirators.
Among the charges, the indictment alleges that Hutchins created the Kronos malware. IBM’s Trusteer business unit first reported on the emergence of Kronos in July 2014. Kronos is a financial malware Trojan, designed to steal banking credentials from victims. In November 2015, security firm Proofpoint reported that the Kronos Trojan had evolved to take aim at Point-of-Sale (PoS) systems.
The Department of Justice also alleges in its indictment that Hutchins’ co-conspirators demonstrated how Kronos worked on a publicly available website in July 2014 and offered to sell Kronos for $3,000 in August 2014. In August 2015, the indictment alleges that Hutchins’ co-conspirators advertised the Kronos malware on the AlphaBay dark web forum.
After spending the week attending security conferences, Hutchins tweeted on August 1, the day before his arrest, that he was eager to get back to work, after spending the week in Las Vegas.
“I’m actually pretty excited to get back to work soon,” Hutchins wrote. “Haven’t touched a debugger in over a month now.”
Hutchins shot to international fame in mid-May for his efforts in helping to stop the WannaCry ransomware outbreak. The UK National Cyber Security Centre credited Hutchins with discovering the so-called “kill switch” that stopped the WannaCry ransomware from spreading. Hutchins discovered that WannaCry was reaching out to find a specific un-registered web domain to determine if it should continue spreading. Hutchins bought the kill switch domain, which resulted in slowing down the spread of the initial variants of the WannaCry malware.
Friends of Hutchins have defended him on Twitter as being on the right side of the security research world.
“I refuse to believe the charges against @MalwareTechBlog, not the MT I know at all,” Andrew Mabbitt, founder of Fidus Information security wrote. “He spent his career stopping malware, not writing it.”
eWEEK will continue to update this developing story.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.