Guy Who Accidentally Stopped WannaCry Ransomware Detained After Defcon
from the and-thank-you-for-your-service dept
Update: He’s been indicted for his alleged role in creating a different malware, Kronos. More below.
As you may recall, earlier this year, when the WannaCry ransomware was spreading like wildfire, it was accidentally stopped by a security researcher in the UK who was (mostly) known only by the pseudonym MalwareTech. He wrote about the whole experience after having tweeted about it earlier. Basically he spotted the domain that WannaCry was pinging and saw that it wasn’t registered — so he registered it, if just to track the spread of the malware. But, that process actually stopped WannaCry from spreading due to the way the ransomware was designed. The story of someone accidentally stopping a massive malware breakout was a good one and it was widely covered by the press. MalwareTech got lots of good press out of it… and as a thank you, at least one UK publication doxxed him and revealed his name, his age, some of his social media photos and even what he liked to eat. That wasn’t very nice. Still, now it’s known that Marcus Hutchens is MalwareTech, and people should be thanking him.
Anyway, like many security folks and hackers, MalwareTech made his way to Defcon and Black Hat this year… and got his second big “thank you.” According to Motherboard, US authorities have detained him in an undisclosed location.
At the time of writing it is not clear what charges, if any, Hutchins may face. According to the now public indictment, Hutchins is accused of developing the Kronos malware that was a trojan that targeted banks. There’s a second defendant, whose name and information is redacted (suggesting he hasn’t been arrested just yet…) who then went out and appears to have promoted Kronos and tried to sell it.
So the specific charge includes:
MARCUS HUTCHINS, aka “Malwaretech” knowingly disseminated by electronic means an advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foreign commerce.
In violation of Title 18, United States Code, Sections 2512(1)(c)(i), and 2.
There’s also a conspiracy charge tying all of this together. As always, an indictment is just one side of the story, and at least from what’s in there, the evidence isn’t that strong (there may be a lot more evidence to come). There appears to be a lot more evidence against the other, unnamed, defendant who tried to sell Kronos. The only thing they say about Hutchins, really, is that he wrote it, and then the indictment tries to make it a conspiracy, claiming he conspired with the other defendant who tried to sell Kronos.
Needless to say this will be an interesting case to pay attention to.
On a separate note, in what hopefully is just a coincidence, the Bitcoin addresses that were connected to WannaCry (where they asked victims to send Bitcoins to decrypt their computers) were drained of all their money this morning…
Filed Under: defcon, detained, fbi, malwaretech, marcus hutchens, wannacry
Comments on “Guy Who Accidentally Stopped WannaCry Ransomware Detained After Defcon”
Word on Twitter is that he is in the FBI field office in Las vegas.
“Marcus has been arrested and now we have no idea where in the US he’s been taken to and we’re extremely concerned for his welfare.”
Isn’t it grand, the US has managed to slump all the way down into the same category as countries like North Korea. People vanishing into government black holes leaving their loved ones worried if they will ever see them again.
According to CNN, he is accused of being the creator of the Kronos trojan.
Re: Re:
How convenient.
“According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015.”
https://www.theguardian.com/technology/2017/aug/03/researcher-who-stopped-wannacry-ransomware-detained-in-us
Indictment https://www.documentcloud.org/documents/3912524-Kronos-Indictment-R.html
Not sure if this is legit but I found a CNN article claiming it’s in relation to some other malware he allegedly helped develop a few years ago.
http://money.cnn.com/2017/08/03/technology/culture/malwaretech-arrested-las-vegas-trojan/index.html
I say good job of the FBI to track him down. If he really did do it, then he deserves the punishment… one accidental good thing (no matter how great it turned out) does not make him immune to previous crimes.
Re: Re:
The real question is, if they has evidence before, why did they not apply for an extradition warrant? Is this a case of they imaged his electronics as he entered the US, and think they have found evidence of prior bad behavior?
Re: Re: Re:
The indictment is dated July 12th, 2017.
When was the AlphaBay takedown announced? July 20th? That could fit if the FBI got info from running AlphaBay for a while.
Re: Re: Re: Re:
Why the wait to arrest him, or were they hoping he would meet with the suspected co-conspirator?
Re: Re: Re:2 Re:
Lots of possibilities. Co-conspirators; Defcon was crazily crowded; He wasn’t staying under his own name; They wanted a controlled location for the arrest; They lost track of him in the crowds and decided to just pick him up where they knew they could find him.
Take your pick from those options and others.
Re: Re: Re:3 Re:
The indictment was issued before he arrived in the US, so they skipped an opportunity to arrest him at customs. Further according to the BBC he asked for a sample of Kronos after it was reported in the press.
Re: Re: Re:4 Re:
Why would he ask for a sample of a trojan if he helped develop it? Sounds fishy to me…
Re: Re: Re:5 Re:
Indeed. Is this YET ANOTHER attempt to shoot the messenger — or are they trying to turn him into a snitch?
Our keystone cops need a scapegoat.
There is ever popular “black site” Area 51 in the Las Vegas neighborhood… Maybe he took one of the Janet Air flights from from the airport over to there to take a “tour” at the facility.
https://en.wikipedia.org/wiki/Janet_(airline)
Updated
We’ve added the indictment and made some revisions to the story to discuss the indictment.
“knowingly disseminated by electronic means an advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foreign commerce.”
Wait…. didn’t they FBI buy things from companies that do just that? Like say that exploit they bought to open the iPhone? Do they arrest everyone related to these companies any time they set foot in the US?
Welcome to Galorndon Core
erm… Fabulous Las Vegas
The headline there says "hackers withdraw £108,000 of bitcoin ransom". Ars has a story "WannaCry operator empties Bitcoin wallets". But where’s the evidence for either claim? We saw money move, but it could have been the FBI that moved it; or someone who’s not a hacker and not the operator but managed to get the private key (maybe they purchased some malware or hired a hacker, or just broke into a house and found it?).
It’s also possible that it really was the operator who withdrew the money, and that’s how they got caught. Mike, why do you hope it’s a coincidence?
“accused of developing the Kronos malware that was a trojan”
Thank the FSM he didn’t create a NIT, hoard vulnerabilities in popular operating systems, develop new hacks & things.
I guess its only bad if your not a shadowy acronym who can’t be bothered keeping your toys secure.
"Machin Shin" and the AC mentioning "Area 51" couldn't wait a couple hours for routine info to get out,
simply jumped to conclusions that this person had been officially disappeared.
Yet I bet they label others “conspiracy kooks” for putting factual 2 and 2 together to get 4.
My reading of first version found The Masnick simply stating facts with only a hint of alarm. Yet at present it’s firmed up on “anti-conspiracy” schtick: “Conspiracy? Just because wrote and sold malware? How could they possibly have common purpose?”
Professor Orin Kerr's "Tentative Thoughts"
“The Kronos indictment: Is it a crime to create and sell malware?”, by Orin Kerr, Volokh Conspiracy (Washington Post), Aug 3, 2017
Via Twitter.
(I expect that most Techdirt readers are familiar with Professor Kerr.)
Alphabay
I think the under story on this one is that Alphabay was recently busted. The timing of this indictment seems to be pretty much in line with information that may have been gleaned from that site’s transactions and postings.
As for the legality, I am pressed to find a solid legal use for malware that involved selling it on for profit. Like many criminal conspiracy cases, this one will get down to intent. If the “other guy” wasn’t capable of writing the trojan himself, then the conspiracy is clear. Even a “writing for hire” situation is unlikely to excuse actively writing malware.
It’s not a pretty case, no matter how you look at it!
FTFY