Guy Who Accidentally Stopped WannaCry Ransomware Detained After Defcon
from the and-thank-you-for-your-service dept
Update: He's been indicted for his alleged role in creating a different malware, Kronos. More below.
As you may recall, earlier this year, when the WannaCry ransomware was spreading like wildfire, it was accidentally stopped by a security researcher in the UK who was (mostly) known only by the pseudonym MalwareTech. He wrote about the whole experience after having tweeted about it earlier. Basically, he spotted the domain that WannaCry was pinging, saw that it wasn't registered, and registered it, if only to track the spread of the malware. But because of the way the ransomware was designed, that step actually stopped WannaCry from spreading. The story of someone accidentally stopping a massive malware outbreak was a good one and was widely covered by the press. MalwareTech got lots of good press out of it... and as a thank you, at least one UK publication doxxed him and revealed his name, his age, some of his social media photos and even what he liked to eat. That wasn't very nice. Still, now it's known that Marcus Hutchins is MalwareTech, and people should be thanking him.
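Once the beacon domain is registered and pointed at a sinkhole, tracking the spread comes down to watching who asks for that name. The following is an added example, not code from the Techdirt post or from MalwareTech: it scans DNS query logs for lookups of a sinkholed domain and reports each querying host with its first and last sighting. The log line format and the placeholder domain `SINKHOLE_DOMAIN` are constructed for this example and are not the real WannaCry indicator.

```python
"""
Added example (not from the Techdirt post): after a malware beacon domain
has been registered and sinkholed, DNS resolver logs become a cheap way to
"track the spread" -- every client that queries the name is a candidate
infection worth triaging.

Assumptions (constructed for this example, not taken from the page):
  - log format:  "<ISO timestamp> <client ip> query <qname> <qtype>"
  - SINKHOLE_DOMAIN is a placeholder, not the real indicator.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Placeholder name; substitute the actual sinkholed domain in real use.
SINKHOLE_DOMAIN = "example-killswitch.invalid"

# One resolver log record per line (constructed format, see module docstring).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) "
    r"query (?P<qname>\S+) (?P<qtype>[A-Z]+)$"
)


@dataclass
class Sighting:
    """Per-client summary of queries for the sinkholed name."""
    first_seen: datetime
    last_seen: datetime
    queries: int


def parse_line(line: str):
    """Return (timestamp, client, normalized qname) or None for junk lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Normalize: strip trailing dot of an FQDN and ignore case.
    qname = m["qname"].rstrip(".").lower()
    return datetime.fromisoformat(m["ts"]), m["client"], qname


def track_sinkhole_queries(lines, domain: str = SINKHOLE_DOMAIN) -> dict:
    """Collect every client that looked up `domain`, keyed by client IP."""
    domain = domain.lower()
    seen: dict[str, Sighting] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or non-query line: skip, do not crash
        ts, client, qname = parsed
        if qname != domain:
            continue
        s = seen.get(client)
        if s is None:
            seen[client] = Sighting(ts, ts, 1)
        else:
            # Logs may arrive out of order, so keep true min/max.
            s.first_seen = min(s.first_seen, ts)
            s.last_seen = max(s.last_seen, ts)
            s.queries += 1
    return seen


def summarize(seen: dict) -> list:
    """Sorted (client, first_seen ISO, query count) tuples, earliest first."""
    return sorted(
        ((c, s.first_seen.isoformat(), s.queries) for c, s in seen.items()),
        key=lambda row: row[1],
    )


# Constructed sample log: two hosts hit the sinkhole, one line is junk,
# one lookup uses a trailing-dot FQDN and one is upper-cased.
SAMPLE_LOG = """\
2017-05-12T07:44:01 10.1.2.3 query example-killswitch.invalid. A
2017-05-12T07:44:02 10.1.2.3 query www.example.com A
2017-05-12T07:45:10 10.1.7.9 query EXAMPLE-KILLSWITCH.INVALID A
this line is not a dns record
2017-05-12T07:46:30 10.1.2.3 query example-killswitch.invalid A
2017-05-12T07:47:00 10.1.5.5 query mail.example.org MX
""".splitlines()


if __name__ == "__main__":
    for client, first, count in summarize(track_sinkhole_queries(SAMPLE_LOG)):
        print(f"{client}\tfirst seen {first}\tqueries={count}")
```

Feed it a real resolver log and the list it returns is the set of internal hosts to isolate and image; the first-seen timestamps give a rough timeline of how the infection moved through the network.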
Anyway, like many security folks and hackers, MalwareTech made his way to Defcon and Black Hat this year... and got his second big "thank you." According to Motherboard, US authorities have detained him in an undisclosed location.
At the time of writing it is not clear what charges, if any, Hutchins may face. According to the now-public indictment, Hutchins is accused of developing Kronos, a trojan that targeted banks. There's a second defendant, whose name and information are redacted (suggesting he hasn't been arrested just yet...), who then appears to have promoted Kronos and tried to sell it.
So the specific charge includes:
MARCUS HUTCHINS, aka "Malwaretech" knowingly disseminated by electronic means an advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foreign commerce.
In violation of Title 18, United States Code, Sections 2512(1)(c)(i), and 2.
There's also a conspiracy charge tying all of this together. As always, an indictment is just one side of the story, and at least from what's in there, the evidence isn't that strong (there may be a lot more evidence to come). There appears to be a lot more evidence against the other, unnamed, defendant who tried to sell Kronos. The only thing they say about Hutchins, really, is that he wrote it, and then the indictment tries to make it a conspiracy, claiming he conspired with the other defendant who tried to sell Kronos.
Needless to say this will be an interesting case to pay attention to.
On a separate note, in what hopefully is just a coincidence, the Bitcoin addresses that were connected to WannaCry (where they asked victims to send Bitcoins to decrypt their computers) were drained of all their money this morning...
Filed Under: defcon, detained, fbi, malwaretech, marcus hutchens, wannacry
Reader Comments
Isn't it grand, the US has managed to slump all the way down into the same category as countries like North Korea. People vanishing into government black holes leaving their loved ones worried if they will ever see them again.
According to CNN, he is accused of being the creator of the Kronos trojan.
https://www.theguardian.com/technology/2017/aug/03/researcher-who-stopped-wannacry-ransomware-detained-in-us
http://money.cnn.com/2017/08/03/technology/culture/malwaretech-arrested-las-vegas-trojan/index.html
Re: Re:
When was the AlphaBay takedown announced? July 20th? That could fit if the FBI got info from running AlphaBay for a while.
Re: Re: Re: Re:
Take your pick from those options and others.
Re: Re: Re: Re: Re:
The indictment was issued before he arrived in the US, so they skipped an opportunity to arrest him at customs. Further, according to the BBC, he asked for a sample of Kronos after it was reported in the press.
https://en.wikipedia.org/wiki/Janet_(airline)
Updated
Wait.... didn't the FBI buy things from companies that do just that? Like, say, that exploit they bought to open the iPhone? Do they arrest everyone related to these companies any time they set foot in the US?
Welcome to Galorndon Core
The headline there says "hackers withdraw £108,000 of bitcoin ransom". Ars has a story "WannaCry operator empties Bitcoin wallets". But where's the evidence for either claim? We saw money move, but it could have been the FBI that moved it; or someone who's not a hacker and not the operator but managed to get the private key (maybe they purchased some malware or hired a hacker, or just broke into a house and found it?).
It's also possible that it really was the operator who withdrew the money, and that's how they got caught. Mike, why do you hope it's a coincidence?
Thank the FSM he didn't create a NIT, hoard vulnerabilities in popular operating systems, develop new hacks & things.
I guess it's only bad if you're not a shadowy acronym who can't be bothered keeping your toys secure.
"Machin Shin" and the AC mentioning "Area 51" couldn't wait a couple of hours for routine info to get out, yet I bet they label others "conspiracy kooks" for putting factual 2 and 2 together to get 4.
My reading of the first version found The Masnick simply stating facts with only a hint of alarm. Yet at present it's firmed up on the "anti-conspiracy" schtick: "Conspiracy? Just because he wrote and sold malware? How could they possibly have a common purpose?"
Professor Orin Kerr's "Tentative Thoughts"
“The Kronos indictment: Is it a crime to create and sell malware?”, by Orin Kerr, Volokh Conspiracy (Washington Post), Aug 3, 2017
Via Twitter.
(I expect that most Techdirt readers are familiar with Professor Kerr.)
Alphabay
As for the legality, I am pressed to find a solid legal use for malware that involved selling it on for profit. Like many criminal conspiracy cases, this one will get down to intent. If the "other guy" wasn't capable of writing the trojan himself, then the conspiracy is clear. Even a "writing for hire" situation is unlikely to excuse actively writing malware.
It's not a pretty case, no matter how you look at it!
FTFY