Guy Who Accidentally Stopped WannaCry Ransomware Detained After Defcon
from the and-thank-you-for-your-service dept
Update: He’s been indicted for his alleged role in creating a different malware, Kronos. More below.
As you may recall, earlier this year, when the WannaCry ransomware was spreading like wildfire, it was accidentally stopped by a security researcher in the UK who was (mostly) known only by the pseudonym MalwareTech. He wrote about the whole experience after having tweeted about it earlier. Basically he spotted the domain that WannaCry was pinging and saw that it wasn’t registered — so he registered it, if just to track the spread of the malware. But, that process actually stopped WannaCry from spreading due to the way the ransomware was designed. The story of someone accidentally stopping a massive malware breakout was a good one and it was widely covered by the press. MalwareTech got lots of good press out of it… and as a thank you, at least one UK publication doxxed him and revealed his name, his age, some of his social media photos and even what he liked to eat. That wasn’t very nice. Still, now it’s known that Marcus Hutchens is MalwareTech, and people should be thanking him.
Anyway, like many security folks and hackers, MalwareTech made his way to Defcon and Black Hat this year… and got his second big “thank you.” According to Motherboard, US authorities have detained him in an undisclosed location.
At the time of writing it is not clear what charges, if any, Hutchins may face. According to the now public indictment, Hutchins is accused of developing the Kronos malware that was a trojan that targeted banks. There’s a second defendant, whose name and information is redacted (suggesting he hasn’t been arrested just yet…) who then went out and appears to have promoted Kronos and tried to sell it.
So the specific charge includes:
MARCUS HUTCHINS, aka “Malwaretech” knowingly disseminated by electronic means an advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foreign commerce.
In violation of Title 18, United States Code, Sections 2512(1)(c)(i), and 2.
There’s also a conspiracy charge tying all of this together. As always, an indictment is just one side of the story, and at least from what’s in there, the evidence isn’t that strong (there may be a lot more evidence to come). There appears to be a lot more evidence against the other, unnamed, defendant who tried to sell Kronos. The only thing they say about Hutchins, really, is that he wrote it, and then the indictment tries to make it a conspiracy, claiming he conspired with the other defendant who tried to sell Kronos.
Needless to say this will be an interesting case to pay attention to.
On a separate note, in what hopefully is just a coincidence, the Bitcoin addresses that were connected to WannaCry (where they asked victims to send Bitcoins to decrypt their computers) were drained of all their money this morning…