Guy Who Accidentally Stopped WannaCry Ransomware Detained After Defcon

from the and-thank-you-for-your-service dept

Update: He’s been indicted for his alleged role in creating a different malware, Kronos. More below.

As you may recall, earlier this year, when the WannaCry ransomware was spreading like wildfire, it was accidentally stopped by a security researcher in the UK who was (mostly) known only by the pseudonym MalwareTech. He wrote about the whole experience after having tweeted about it earlier. Basically, he spotted the domain that WannaCry was pinging, saw that it wasn’t registered, and registered it himself, if only to track the spread of the malware. But, because of the way the ransomware was designed, that registration actually stopped WannaCry from spreading. The story of someone accidentally stopping a massive malware outbreak was a good one, and it was widely covered by the press. MalwareTech got lots of good press out of it… and as a thank you, at least one UK publication doxxed him and revealed his name, his age, some of his social media photos and even what he liked to eat. That wasn’t very nice. Still, now it’s known that Marcus Hutchins is MalwareTech, and people should be thanking him.

Anyway, like many security folks and hackers, MalwareTech made his way to Defcon and Black Hat this year… and got his second big “thank you.” According to Motherboard, US authorities have detained him in an undisclosed location.

At the time of writing it is not clear what charges, if any, Hutchins may face. According to the now public indictment, Hutchins is accused of developing the Kronos malware, a banking trojan. There’s a second defendant, whose name and information are redacted (suggesting he hasn’t been arrested just yet…), who then appears to have promoted Kronos and tried to sell it.

So the specific charge includes:

MARCUS HUTCHINS, aka “Malwaretech” knowingly disseminated by electronic means an advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foreign commerce.

In violation of Title 18, United States Code, Sections 2512(1)(c)(i), and 2.

There’s also a conspiracy charge tying all of this together. As always, an indictment is just one side of the story, and at least from what’s in there, the evidence isn’t that strong (there may be a lot more evidence to come). There appears to be a lot more evidence against the other, unnamed, defendant who tried to sell Kronos. The only thing the indictment really says about Hutchins is that he wrote it; it then tries to make that a conspiracy by claiming he conspired with the other defendant who tried to sell Kronos.

Needless to say this will be an interesting case to pay attention to.

On a separate note, in what hopefully is just a coincidence, the Bitcoin addresses that were connected to WannaCry (where they asked victims to send Bitcoins to decrypt their computers) were drained of all their money this morning…


Comments on “Guy Who Accidentally Stopped WannaCry Ransomware Detained After Defcon”

26 Comments
Machin Shin says:

“Marcus has been arrested and now we have no idea where in the US he’s been taken to and we’re extremely concerned for his welfare.”

Isn’t it grand, the US has managed to slump all the way down into the same category as countries like North Korea. People vanishing into government black holes leaving their loved ones worried if they will ever see them again.

Anonymous Coward says:

Re: Re: Re:2 Re:

Lots of possibilities. Co-conspirators; Defcon was crazily crowded; He wasn’t staying under his own name; They wanted a controlled location for the arrest; They lost track of him in the crowds and decided to just pick him up where they knew they could find him.

Take your pick from those options and others.

Anonymous Coward says:

“knowingly disseminated by electronic means an advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foreign commerce.”

Wait…. didn’t the FBI buy things from companies that do just that? Like, say, that exploit they bought to open the iPhone? Do they arrest everyone related to these companies any time they set foot in the US?

Anonymous Coward says:

On a separate note, in what hopefully is just a coincidence, the Bitcoin addresses that were connected to WannaCry (where they asked victims to send Bitcoins to decrypt their computers) were drained of all their money this morning…

The headline there says "hackers withdraw £108,000 of bitcoin ransom". Ars has a story "WannaCry operator empties Bitcoin wallets". But where’s the evidence for either claim? We saw money move, but it could have been the FBI that moved it; or someone who’s not a hacker and not the operator but managed to get the private key (maybe they purchased some malware or hired a hacker, or just broke into a house and found it?).

It’s also possible that it really was the operator who withdrew the money, and that’s how they got caught. Mike, why do you hope it’s a coincidence?

Anonymous Coward says:

"Machin Shin" and the AC mentioning "Area 51" couldn't wait a couple hours for routine info to get out, simply jumped to conclusions that this person had been officially disappeared.

Yet I bet they label others “conspiracy kooks” for putting factual 2 and 2 together to get 4.

My reading of the first version found The Masnick simply stating facts with only a hint of alarm. Yet at present it’s firmed up on “anti-conspiracy” schtick: “Conspiracy? Just because he wrote and sold malware? How could they possibly have common purpose?”

MyNameHere (profile) says:

Alphabay

I think the under story on this one is that Alphabay was recently busted. The timing of this indictment seems to be pretty much in line with information that may have been gleaned from that site’s transactions and postings.

As for the legality, I am pressed to find a solid legal use for malware that involved selling it on for profit. Like many criminal conspiracy cases, this one will get down to intent. If the “other guy” wasn’t capable of writing the trojan himself, then the conspiracy is clear. Even a “writing for hire” situation is unlikely to excuse actively writing malware.

It’s not a pretty case, no matter how you look at it!
