Guy Who Accidentally Stopped WannaCry Ransomware Detained After Defcon

from the and-thank-you-for-your-service dept

Update: He's been indicted for his alleged role in creating a different malware, Kronos. More below.

As you may recall, earlier this year, when the WannaCry ransomware was spreading like wildfire, it was accidentally stopped by a security researcher in the UK who was (mostly) known only by the pseudonym MalwareTech. He wrote about the whole experience after having tweeted about it earlier. Basically he spotted the domain that WannaCry was pinging and saw that it wasn't registered -- so he registered it, if just to track the spread of the malware. But, that process actually stopped WannaCry from spreading due to the way the ransomware was designed. The story of someone accidentally stopping a massive malware breakout was a good one and it was widely covered by the press. MalwareTech got lots of good press out of it... and as a thank you, at least one UK publication doxxed him and revealed his name, his age, some of his social media photos and even what he liked to eat. That wasn't very nice. Still, now it's known that Marcus Hutchens is MalwareTech, and people should be thanking him.

Anyway, like many security folks and hackers, MalwareTech made his way to Defcon and Black Hat this year... and got his second big "thank you." According to Motherboard, US authorities have detained him in an undisclosed location.

At the time of writing it is not clear what charges, if any, Hutchins may face. According to the now public indictment, Hutchins is accused of developing the Kronos malware that was a trojan that targeted banks. There's a second defendant, whose name and information is redacted (suggesting he hasn't been arrested just yet...) who then went out and appears to have promoted Kronos and tried to sell it.

So the specific charge includes:

MARCUS HUTCHINS, aka "Malwaretech" knowingly disseminated by electronic means an advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foreign commerce.

In violation of Title 18, United States Code, Sections 2512(1)(c)(i), and 2.

There's also a conspiracy charge tying all of this together. As always, an indictment is just one side of the story, and at least from what's in there, the evidence isn't that strong (there may be a lot more evidence to come). There appears to be a lot more evidence against the other, unnamed, defendant who tried to sell Kronos. The only thing they say about Hutchins, really, is that he wrote it, and then the indictment tries to make it a conspiracy, claiming he conspired with the other defendant who tried to sell Kronos.

Needless to say this will be an interesting case to pay attention to.

On a separate note, in what hopefully is just a coincidence, the Bitcoin addresses that were connected to WannaCry (where they asked victims to send Bitcoins to decrypt their computers) were drained of all their money this morning...


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Nate Hoffelder, 3 Aug 2017 @ 11:42am

    Word on Twitter is that he is in the FBI field office in Las vegas.

    reply to this | link to this | view in chronology ]

  • identicon
    Machin Shin, 3 Aug 2017 @ 11:47am

    "Marcus has been arrested and now we have no idea where in the US he's been taken to and we're extremely concerned for his welfare."

    Isn't it grand, the US has managed to slump all the way down into the same category as countries like North Korea. People vanishing into government black holes leaving their loved ones worried if they will ever see them again.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Aug 2017 @ 11:52am

    According to CNN, he is accused of being the creator of the Kronos trojan.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Aug 2017 @ 11:53am

    "According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015."

    https://www.theguardian.com/technology/2017/aug/03/researcher-who-stopped-wannacry-ransomware- detained-in-us

    reply to this | link to this | view in chronology ]

  • identicon
    crashsuit, 3 Aug 2017 @ 11:55am

    Not sure if this is legit but I found a CNN article claiming it's in relation to some other malware he allegedly helped develop a few years ago.

    http://money.cnn.com/2017/08/03/technology/culture/malwaretech-arrested-las-vegas-trojan/index.h tml

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Aug 2017 @ 12:17pm

    I say good job of the FBI to track him down. If he really did do it, then he deserves the punishment... one accidental good thing (no matter how great it turned out) does not make him immune to previous crimes.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Aug 2017 @ 12:26pm

      Re:

      The real question is, if they has evidence before, why did they not apply for an extradition warrant? Is this a case of they imaged his electronics as he entered the US, and think they have found evidence of prior bad behavior?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 3 Aug 2017 @ 12:54pm

        Re: Re:

        The indictment is dated July 12th, 2017.

        When was the AlphaBay takedown announced? July 20th? That could fit if the FBI got info from running AlphaBay for a while.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 3 Aug 2017 @ 1:09pm

          Re: Re: Re:

          Why the wait to arrest him, or were they hoping he would meet with the suspected co-conspirator?

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 3 Aug 2017 @ 1:19pm

            Re: Re: Re: Re:

            Lots of possibilities. Co-conspirators; Defcon was crazily crowded; He wasn't staying under his own name; They wanted a controlled location for the arrest; They lost track of him in the crowds and decided to just pick him up where they knew they could find him.

            Take your pick from those options and others.

            reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Aug 2017 @ 12:24pm

    Our keystone cops need a scapegoat.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Aug 2017 @ 12:51pm

    There is ever popular "black site" Area 51 in the Las Vegas neighborhood... Maybe he took one of the Janet Air flights from from the airport over to there to take a "tour" at the facility.

    https://en.wikipedia.org/wiki/Janet_(airline)

    reply to this | link to this | view in chronology ]

  • icon
    Mike Masnick (profile), 3 Aug 2017 @ 1:09pm

    Updated

    We've added the indictment and made some revisions to the story to discuss the indictment.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Aug 2017 @ 1:26pm

    "knowingly disseminated by electronic means an advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foreign commerce."


    Wait.... didn't they FBI buy things from companies that do just that? Like say that exploit they bought to open the iPhone? Do they arrest everyone related to these companies any time they set foot in the US?

    reply to this | link to this | view in chronology ]

  • icon
    Unanimous Cow Herd (profile), 3 Aug 2017 @ 1:48pm

    Welcome to Galorndon Core

    erm... Fabulous Las Vegas

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Aug 2017 @ 2:25pm

    On a separate note, in what hopefully is just a coincidence, the Bitcoin addresses that were connected to WannaCry (where they asked victims to send Bitcoins to decrypt their computers) were drained of all their money this morning...

    The headline there says "hackers withdraw £108,000 of bitcoin ransom". Ars has a story "WannaCry operator empties Bitcoin wallets". But where's the evidence for either claim? We saw money move, but it could have been the FBI that moved it; or someone who's not a hacker and not the operator but managed to get the private key (maybe they purchased some malware or hired a hacker, or just broke into a house and found it?).

    It's also possible that it really was the operator who withdrew the money, and that's how they got caught. Mike, why do you hope it's a coincidence?

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 3 Aug 2017 @ 2:34pm

    "accused of developing the Kronos malware that was a trojan"

    Thank the FSM he didn't create a NIT, hoard vulnerabilities in popular operating systems, develop new hacks & things.

    I guess its only bad if your not a shadowy acronym who can't be bothered keeping your toys secure.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Aug 2017 @ 5:05pm

    "Machin Shin" and the AC mentioning "Area 51" couldn't wait a couple hours for routine info to get out,

    simply jumped to conclusions that this person had been officially disappeared.

    Yet I bet they label others "conspiracy kooks" for putting factual 2 and 2 together to get 4.

    My reading of first version found The Masnick simply stating facts with only a hint of alarm. Yet at present it's firmed up on "anti-conspiracy" schtick: "Conspiracy? Just because wrote and sold malware? How could they possibly have common purpose?"

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Aug 2017 @ 9:36pm

    Professor Orin Kerr's "Tentative Thoughts"

    The Kronos indictment: Is it a crime to create and sell malware?”, by Orin Kerr, Volokh Conspiracy (Washington Post), Aug 3, 2017

    … an interesting legal question: Is it a crime to create and sell malware?

    Via Twitter.

    (I expect that most Techdirt readers are familiar with Professor Kerr.)

    reply to this | link to this | view in chronology ]

  • icon
    MyNameHere (profile), 4 Aug 2017 @ 6:17am

    Alphabay

    I think the under story on this one is that Alphabay was recently busted. The timing of this indictment seems to be pretty much in line with information that may have been gleaned from that site's transactions and postings.

    As for the legality, I am pressed to find a solid legal use for malware that involved selling it on for profit. Like many criminal conspiracy cases, this one will get down to intent. If the "other guy" wasn't capable of writing the trojan himself, then the conspiracy is clear. Even a "writing for hire" situation is unlikely to excuse actively writing malware.

    It's not a pretty case, no matter how you look at it!

    reply to this | link to this | view in chronology ]

  • identicon
    Rekrul, 4 Aug 2017 @ 4:00pm

    There's also a conspiracy charge tying all of this together, as always.

    FTFY

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.