Fraud Management & Cybercrime , Governance & Risk Management , Next-Generation Technologies & Secure Development

WannaCry 'Accidental Hero' Denies FBI Charges

Marcus Hutchins to Plead Not Guilty to Charges Related to Kronos Malware
WannaCry 'Accidental Hero' Denies FBI Charges
Lloyd D. George Federal Courthouse in Las Vegas. (Photo: Time Anchor via Flickr/CC)

Cybersecurity researcher Marcus Hutchins willl plead not guilty in federal court to charges relating to creating and selling banking malware called Kronos (see FBI Arrests Marcus Hutchins, Who Stopped WannaCry).

See Also: Close the Gapz in Your Security Strategy

"He's refuting the allegations; he's pleading not guilty," Hutchins' attorney, Adrian Lobo said on Friday outside the Lloyd D. George Federal Courthouse in Las Vegas.

A six-count indictment filed in Wisconsin federal court on July 11 charged Hutchins and an unnamed defendant with creating, distributing and profiting from the Kronos banking Trojan between July 2014 and July 2015.

Some in the security community think the FBI may have confused his legitimate research activities with criminal behavior.

Hutchins, who also uses the online handle MalwareTech, was already catapulted into the limelight in May, after he spent $10 to register a domain name he'd spotted in the code for the WannaCry malware. By doing so, he defused the global malware outbreak, and reluctantly accepted the moniker of "accidental hero." But according to experts' conservative estimates, Hutchins' actions prevented tens of millions of PCs from being cryptolocked and averted a potential disaster for Britain's National Health Service, amongst others.

In a surprise turn, however, he's now been arrested by the FBI on malware-related charges.

"I can't comment on the actual, substantive charges, because at this point, all I have is an indictment; I haven't even been able to talk to my client about the substance of the case right now," Lobo said. "All we're concerned about is getting him out of custody so we can have a meaningful conversation."

Adrian Lobo, an attorney for Marcus Hutchins, speaking August 4 outside Las Vegas federal court. (Source: Christy Wilcox)

Hutchins was arrested by the FBI on Wednesday. He first appeared before U.S. Judge Nancy Koppe on Thursday, with his public defender telling the court that he'd cooperated with the FBI after being arrested. The judge ordered Hutchins' hearing to reconvene the next day to give him time to retain private counsel.

Hutchins, who was visiting Las Vegas to attend the annual Black Hat and Def Con information security conferences, was arrested at the airport in Las Vegas as he attempted to fly back to the United Kingdom.

Lobo said Hutchins was surprised by the allegations against him.

Conditional Bail Set

The judge on Friday ordered Hutchins to be released on conditional bail with a $30,000 cash bond. Conditions include Hutchins remaining in Las Vegas or Wisconsin, wearing a GPS tracking device and not using the internet.

Lobo said the required funds were available, having been raised from "a variety of sources," but said there had been insufficient time to pay the bail before offices closed Friday, leading to Hutchins having to spend the weekend in jail.

But she said her client would be released from custody on Monday. Lobo also said she had shared dozens of letters of support that Hutchins had received from friends and colleagues, many of which highlighted his role in helping to stop WannaCry.

Hutchins' efforts earned him folk hero status, as well as a $10,000 reward from bug bounty program HackerOne, which rewards the efforts of "ethical hackers." Hutchins, however, lamented losing his online anonymity. He also promised to donate the reward money to charity, including to support information security students who couldn't afford textbooks.

For his WannaCry efforts, Hutchins - who on Twitter seemed to discuss pizza second only to cybersecurity concerns - also received a year's free supply of pizza from Just Eat, a British food and delivery service. That reward he kept.

Federal Prosecutor Sought to Block Bail

In court, prosecutor Dan Cowhig said that Hutchins had been identified as part of an undercover law enforcement operation aimed at the darknet marketplace AlphaBay after officers purchased malware from him and an unnamed co-defendant, Sky News reports.

In court on Friday, Cowhig argued that Hutchins posed a danger to the public because he'd attended a gun range and fired a number of weapons while visiting Las Vegas. He said that it's illegal for foreign nationals to use a firearm on U.S. soil.

Lobo, however, dismissed the prosecutor's claims as "garbage," telling reporters that the gun range had verified Hutchins' age via his U.K. passport. She said that if anyone should be investigated for this alleged violation of federal law, it was the gun range, which markets itself heavily to tourists and allowed Hutchins to fire the weapons.

Hutchins Will Go to Wisconsin

On Tuesday, Hutchins is due to go to Wisconsin, where he's been ordered to appear in federal court, and where it's expected that he'll enter formal pleas in the case. Lobo said her client will continue to deny all of the charges filed against him.

The Department of Justice has said that the FBI cyber squad in Milwaukee led the investigation that resulted in the indictment against Hutchins and his unnamed co-defendant.

Beyond that, however, Lobo said it's not clear why the case is based out of Wisconsin. Aside from what's in the indictment, "at this point, we don't even know what the allegations are," she said.

Hutchins is a remote employee of U.S.-based attacker intelligence and information sharing platform provider Kryptos Logic, which has not made any public statements in relation to his arrest. Officials at the company did not respond to a request for comment.

Information Security Community: Shock

Based on the charges, some security researchers have questioned whether Hutchins may have been tempted to try and design and sell his own banking malware, as the indictment suggests.

But many members of the information security community who know him remain shocked by Hutchins' arrest.

This latter camp thinks Hutchins' actions were "just normal researcher activity, probably to gain cred on the forums, that the FBI is confusing with real cybercriminal activity," Ryan Kalember, senior vice president at cybersecurity firm Proofpoint, which worked Hutchins in May to blunt the WannaCry attack, tells the Wall Street Journal.

While that might seem unusual to observers outside of the cybersecurity field, information security experts say that law enforcement agencies rely heavily on private security researchers to help them identify internet-enabled criminal activities and amass related evidence (see Cybercrime Battle: Next Steps).

"MalwareTech's business and job is around finding, reversing and analyzing malicious software (malware) and finding the techniques used," writes British security researcher Kevin Beaumont, aka GossiTheDog, said in a blog post.

"This includes monitoring 'dark web' websites, where covert identifies are used to gain access - as is common across the security industry. His data around botnets is sold to organizations, including law enforcement, around the world," Beaumont adds.

MalwareTech - before he was unmasked as being Marcus Hutchins - told the BBC in May how he accidentally disabled WannaCrypt infections seen to date.

Two security researchers - Tarah Wheeler and Andrew Mabbitt, of Fidus Security - have set up a funding page, linked to an escrow account, that can be used to donate to Hutchins' legal fees.

Mabbitt, who said he will be picking up Hutchins from court on Monday, also attempted to correct what he said was erroneous reporting relating to the luxury cars and pricey accommodation Hutchins enjoyed while he was in Las Vegas, saying that it had been provided by others, or for free.

Non-profit digital rights group Electronic Frontier Foundation is also involved in Hutchins' defense, his supporters say. A spokesman for EFF couldn't be immediately reached for comment.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.