Guy Who Accidentally Stopped WannaCry Ransomware Detained After Defcon

from the and-thank-you-for-your-service dept

Thu, Aug 3rd 2017 11:20am — Mike Masnick

Update: He's been indicted for his alleged role in creating a different malware, Kronos. More below.

As you may recall, earlier this year, when the WannaCry ransomware was spreading like wildfire, it was accidentally stopped by a security researcher in the UK who was (mostly) known only by the pseudonym MalwareTech. He wrote about the whole experience after having tweeted about it earlier. Basically he spotted the domain that WannaCry was pinging and saw that it wasn't registered -- so he registered it, if just to track the spread of the malware. But, that process actually stopped WannaCry from spreading due to the way the ransomware was designed. The story of someone accidentally stopping a massive malware breakout was a good one and it was widely covered by the press. MalwareTech got lots of good press out of it... and as a thank you, at least one UK publication doxxed him and revealed his name, his age, some of his social media photos and even what he liked to eat. That wasn't very nice. Still, now it's known that Marcus Hutchens is MalwareTech, and people should be thanking him.

Anyway, like many security folks and hackers, MalwareTech made his way to Defcon and Black Hat this year... and got his second big "thank you." According to Motherboard, US authorities have detained him in an undisclosed location.

~~At the time of writing it is not clear what charges, if any, Hutchins may face.~~ According to the now public indictment, Hutchins is accused of developing the Kronos malware that was a trojan that targeted banks. There's a second defendant, whose name and information is redacted (suggesting he hasn't been arrested just yet...) who then went out and appears to have promoted Kronos and tried to sell it.

So the specific charge includes:

MARCUS HUTCHINS, aka "Malwaretech" knowingly disseminated by electronic means an advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foreign commerce.

In violation of Title 18, United States Code, Sections 2512(1)(c)(i), and 2.

There's also a conspiracy charge tying all of this together. As always, an indictment is just one side of the story, and at least from what's in there, the evidence isn't that strong (there may be a lot more evidence to come). There appears to be a lot more evidence against the other, unnamed, defendant who tried to sell Kronos. The only thing they say about Hutchins, really, is that he wrote it, and then the indictment tries to make it a conspiracy, claiming he conspired with the other defendant who tried to sell Kronos.

Needless to say this will be an interesting case to pay attention to.

On a separate note, in what hopefully is just a coincidence, the Bitcoin addresses that were connected to WannaCry (where they asked victims to send Bitcoins to decrypt their computers) were drained of all their money this morning...

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: defcon, detained, fbi, malwaretech, marcus hutchens, wannacry

26 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Nate Hoffelder, 3 Aug 2017 @ 11:42am

Word on Twitter is that he is in the FBI field office in Las vegas.
[ link to this | view in chronology ]
Machin Shin, 3 Aug 2017 @ 11:47am

"Marcus has been arrested and now we have no idea where in the US he's been taken to and we're extremely concerned for his welfare."

Isn't it grand, the US has managed to slump all the way down into the same category as countries like North Korea. People vanishing into government black holes leaving their loved ones worried if they will ever see them again.
[ link to this | view in chronology ]
Anonymous Coward, 3 Aug 2017 @ 11:52am

According to CNN, he is accused of being the creator of the Kronos trojan.
[ link to this | view in chronology ]
- Anonymous Coward, 3 Aug 2017 @ 4:42pm
  
  Re:
  How convenient.
  [ link to this | view in chronology ]
Anonymous Coward, 3 Aug 2017 @ 11:53am

"According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015."

https://www.theguardian.com/technology/2017/aug/03/researcher-who-stopped-wannacry-ransomware- detained-in-us
[ link to this | view in chronology ]
Shawn (profile), 3 Aug 2017 @ 11:54am

Indictment https://www.documentcloud.org/documents/3912524-Kronos-Indictment-R.html
[ link to this | view in chronology ]
crashsuit, 3 Aug 2017 @ 11:55am

Not sure if this is legit but I found a CNN article claiming it's in relation to some other malware he allegedly helped develop a few years ago.

http://money.cnn.com/2017/08/03/technology/culture/malwaretech-arrested-las-vegas-trojan/index.h tml
[ link to this | view in chronology ]
Anonymous Coward, 3 Aug 2017 @ 12:17pm

I say good job of the FBI to track him down. If he really did do it, then he deserves the punishment... one accidental good thing (no matter how great it turned out) does not make him immune to previous crimes.
[ link to this | view in chronology ]
- Anonymous Coward, 3 Aug 2017 @ 12:26pm
  
  Re:
  The real question is, if they has evidence before, why did they not apply for an extradition warrant? Is this a case of they imaged his electronics as he entered the US, and think they have found evidence of prior bad behavior?
  [ link to this | view in chronology ]
  - Anonymous Coward, 3 Aug 2017 @ 12:54pm
    
    Re: Re:
    The indictment is dated July 12th, 2017.
    
    When was the AlphaBay takedown announced? July 20th? That could fit if the FBI got info from running AlphaBay for a while.
    [ link to this | view in chronology ]
    - Anonymous Coward, 3 Aug 2017 @ 1:09pm
      
      Re: Re: Re:
      Why the wait to arrest him, or were they hoping he would meet with the suspected co-conspirator?
      [ link to this | view in chronology ]
      - Anonymous Coward, 3 Aug 2017 @ 1:19pm
        
        Re: Re: Re: Re:
        Lots of possibilities. Co-conspirators; Defcon was crazily crowded; He wasn't staying under his own name; They wanted a controlled location for the arrest; They lost track of him in the crowds and decided to just pick him up where they knew they could find him.
        
        Take your pick from those options and others.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 3 Aug 2017 @ 3:40pm
        
        Re: Re: Re: Re: Re:
        The indictment was issued before he arrived in the US, so they skipped an opportunity to arrest him at customs. Further according to the BBC he asked for a sample of Kronos after it was reported in the press.
        [ link to this | view in chronology ]
        
        JoeCool (profile), 3 Aug 2017 @ 5:21pm
        
        Re: Re: Re: Re: Re: Re:
        Why would he ask for a sample of a trojan if he helped develop it? Sounds fishy to me...
        [ link to this | view in chronology ]
        
        Wendy Cockcroft, 4 Aug 2017 @ 6:00am
        
        Re: Re: Re: Re: Re: Re: Re:
        Indeed. Is this YET ANOTHER attempt to shoot the messenger — or are they trying to turn him into a snitch?
        [ link to this | view in chronology ]
Anonymous Coward, 3 Aug 2017 @ 12:24pm

Our keystone cops need a scapegoat.
[ link to this | view in chronology ]
Anonymous Coward, 3 Aug 2017 @ 12:51pm

There is ever popular "black site" Area 51 in the Las Vegas neighborhood... Maybe he took one of the Janet Air flights from from the airport over to there to take a "tour" at the facility.

https://en.wikipedia.org/wiki/Janet_(airline)
[ link to this | view in chronology ]
Mike Masnick (profile), 3 Aug 2017 @ 1:09pm

Updated
We've added the indictment and made some revisions to the story to discuss the indictment.
[ link to this | view in chronology ]
Anonymous Coward, 3 Aug 2017 @ 1:26pm

"knowingly disseminated by electronic means an advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foreign commerce."

Wait.... didn't they FBI buy things from companies that do just that? Like say that exploit they bought to open the iPhone? Do they arrest everyone related to these companies any time they set foot in the US?
[ link to this | view in chronology ]
Unanimous Cow Herd (profile), 3 Aug 2017 @ 1:48pm

Welcome to Galorndon Core
erm... Fabulous Las Vegas
[ link to this | view in chronology ]
Anonymous Coward, 3 Aug 2017 @ 2:25pm

On a separate note, in what hopefully is just a coincidence, the Bitcoin addresses that were connected to WannaCry (where they asked victims to send Bitcoins to decrypt their computers) were drained of all their money this morning...

The headline there says "hackers withdraw £108,000 of bitcoin ransom". Ars has a story "WannaCry operator empties Bitcoin wallets". But where's the evidence for either claim? We saw money move, but it could have been the FBI that moved it; or someone who's not a hacker and not the operator but managed to get the private key (maybe they purchased some malware or hired a hacker, or just broke into a house and found it?).

It's also possible that it really was the operator who withdrew the money, and that's how they got caught. Mike, why do you hope it's a coincidence?
[ link to this | view in chronology ]
That Anonymous Coward (profile), 3 Aug 2017 @ 2:34pm

"accused of developing the Kronos malware that was a trojan"

Thank the FSM he didn't create a NIT, hoard vulnerabilities in popular operating systems, develop new hacks & things.

I guess its only bad if your not a shadowy acronym who can't be bothered keeping your toys secure.
[ link to this | view in chronology ]
Anonymous Coward, 3 Aug 2017 @ 5:05pm

"Machin Shin" and the AC mentioning "Area 51" couldn't wait a couple hours for routine info to get out,
simply jumped to conclusions that this person had been officially disappeared.

Yet I bet they label others "conspiracy kooks" for putting factual 2 and 2 together to get 4.

My reading of first version found The Masnick simply stating facts with only a hint of alarm. Yet at present it's firmed up on "anti-conspiracy" schtick: "Conspiracy? Just because wrote and sold malware? How could they possibly have common purpose?"
[ link to this | view in chronology ]
Anonymous Coward, 3 Aug 2017 @ 9:36pm

Professor Orin Kerr's "Tentative Thoughts"
“The Kronos indictment: Is it a crime to create and sell malware?”, by Orin Kerr, Volokh Conspiracy (Washington Post), Aug 3, 2017

… an interesting legal question: Is it a crime to create and sell malware?

Via Twitter.

(I expect that most Techdirt readers are familiar with Professor Kerr.)
[ link to this | view in chronology ]
MyNameHere (profile), 4 Aug 2017 @ 6:17am

Alphabay
I think the under story on this one is that Alphabay was recently busted. The timing of this indictment seems to be pretty much in line with information that may have been gleaned from that site's transactions and postings.

As for the legality, I am pressed to find a solid legal use for malware that involved selling it on for profit. Like many criminal conspiracy cases, this one will get down to intent. If the "other guy" wasn't capable of writing the trojan himself, then the conspiracy is clear. Even a "writing for hire" situation is unlikely to excuse actively writing malware.

It's not a pretty case, no matter how you look at it!
[ link to this | view in chronology ]
Rekrul, 4 Aug 2017 @ 4:00pm

There's also a conspiracy charge tying all of this together, as always.

FTFY
[ link to this | view in chronology ]