Marcus Hutchins -- The Guy Who Stopped Wannacry -- Pleads Guilty To Conspiracy Charges

from the enjoy-your-hollow-victory,-DOJ dept

Almost two years after Marcus Hutchins, a.k.a. MalwareTech, was detained by the FBI at the airport as he left a security conference in Las Vegas, the government finally has finally gotten its man.

Charges were stacked and restacked over the past couple of years, as the government brought pressure to bear on Hutchins, who maintained his innocence right up to the point he signed the plea agreement [PDF]. Faced with possibility of spending several years in jail -- and evidence of his past, somewhat shadier exploits continuing to surface -- the man who saved the world from the Wannacry ransomware has pleaded guilty to two conspiracy charges. This means the government will be dropping the other eight charges against Hutchins, which will hopefully keep the researcher from spending several years in jail.

The defendant voluntarily agrees to plead guilty to Counts One and Two of the superseding indictment.

The defendant acknowledges, understands, and agrees that he is, in fact, guilty of the offenses described in paragraph 4. The parties acknowledge and understand that if this case were to proceed to trial, the government would be able to prove the facts in Attachment A, as well as the facts set forth in Counts One and Two of the superseding indictment, beyond a reasonable doubt. The defendant admits that these facts are true and correct and establish his guilt beyond a reasonable doubt. The information in Attachment A is provided for the purpose of setting forth a factual basis for the plea of guilty. It is not a full recitation of the defendant's knowledge of, or participation in, the offenses.

The agreement says both counts carry a possible five-year sentence each, but it seems unlikely it will ask the judge to depart upward from the guidelines. Marcy Wheeler's back-of-the-envelope math puts this at about six months per charge, given Hutchins' lack of criminal history. It may end up being more than that if the DOJ pitches something longer as some twisted form of payback for Hutchins exercising his right to defend himself against criminal charges. That's not exactly unheard of.

Hutchins has also posted a short message at his personal website, admitting guilt and apologizing for the damage he may have caused.

As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.

Hutchins' plea brings an end to a dubious DOJ prosecution -- one that makes the unproven assertion that creating and selling malware is a criminal act, whether or not Hutchins himself engaged in illegal acts using this malware. And it only further blurs the lines security researchers operate in, increasing the chance that research -- which often includes the creation and deployment of malware -- will be treated as criminal activity.

Filed Under: conspiracy, doj, fbi, guilty plea, malware, malwaretech, marcu hutchins, wannacry

MalwareTech Prosecution Appears To Be Falling Apart As Gov't Plays Keep Away With Documents Requested By Defense

from the piling-up-fatal-errors? dept

Marcus Hutchins, a.k.a. MalwareTech, went from internet hero (following his inadvertent shutdown of the WannaCry ransomware) to federal government detainee in a surprisingly short amount of time. Three months after saving the world from rampaging malware built on NSA exploits, Hutchins was arrested at the Las Vegas airport as he waited for his flight home to the UK.

When the indictment was published, many people noted the charges didn't seem to be backed by much evidence. The government accused Hutchins of creating and selling the Kronos malware, but the offered very little to support this claim. While it's true much of the evidence against Hutchins will be produced in court, the indictment appeared to be stretching legal definitions of certain computer crimes to their limits.

The government's case appears to be weak and reliant on dubious legal theories. It's not even 100% clear that creating and selling malware is an illegal act in and of itself. The charges the government brought rely heavily on proving Hutchins constructed malware with the intent to cause damage to computers. This isn't so easily proven, especially when the government itself is buying malware to deploy for its own purposes and has yet to bring charges against any of the vendors it buys from. Anyone selling exploits to governments could be said to be creating malware with intent to cause harm. That it's a government, rather than an individual, causing the harm shouldn't make any difference -- at least not if the government wants to claim selling of malware alone is a federal offense.

The case appears to be even weaker now that more paperwork has been filed by both parties. If the government has a lot of evidence to use against Hutchins, it has yet to present it to Hutchins' lawyers. What's detailed in the motion to compel recently filed by Hutchins' defense team shows the government is either playing keep-away with crucial information or simply does not have much evidence on hand.

Marcy Wheeler digs into the motion to compel [PDF] and notes it appears to show the government's case is incredibly weak. And if sketchy, minimal evidence doesn't undo the government's case, the actions of the FBI agents involved might.

First, there are some questions about the circumstances surrounding Hutchins' detainment at the Las Vegas airport. As the motion points out, there's a good chance Hutchins was in no condition to consent to an interrogation, having been up late the night before drinking and celebrating the wrap-up of the conferences he had attended.

The defense needs all communications and materials related to the surveillance and arrest of Mr. Hutchins to help establish that his post-arrest statements were involuntary and in violation of Miranda. The defense intends to argue that the government coerced Mr. Hutchins, who was sleep-deprived and intoxicated, to talk. As such, his decision to speak with the agents was not knowing, intelligent, and made in full awareness of the nature of the right given up and the consequences of giving up that right, as the law requires. Coleman v. Hardy, 690 F.3d 811, 815 (7th Cir. 2012).

The Seventh Circuit recognizes that intoxication is relevant to the voluntariness—legally, in terms of a statement’s admissibility, and factually, in terms of the weight to be given to an admissible statement—of post-arrest statements. See, e.g., United States v. Carson, 582 F.3d 827, 833 (7th Cir. 2009). The defense believes the requested discovery will show the government was aware of Mr. Hutchins’ activities while he was in Las Vegas, including the fact that he had been up very late the night before his arrest, and the high likelihood that the government knew he was exhausted and intoxicated at the time of his arrest.

Note the mention of the Miranda warning. This poses its own problems for a couple of reasons. As the motion points out, it's unclear how (or when) [or if] Hutchins was Mirandized. The FBI could have given Hutchins the actual Miranda warning, which makes it clear arrestees have both the right to remain silent and the right to an attorney. Or the agents could have decided the UK version was more applicable for the British citizen. This version does not guarantee the right to an attorney and notes remaining silent can be used against you in court.

Given the fact Hutchins is being prosecuted in the US, it's likely agents would have given him the American version. But there's no way to tell which version Hutchins received because the FBI's recording of the interrogation doesn't contain any recording of a Miranda warning being delivered.

After Mr. Hutchins was taken into custody, two law enforcement agents interviewed him at the airport. The memorandum of that interview generically states: “After being advised of the identity of the interviewing Agents, the nature of the interview and being advised of his rights, HUTCHINS provided the following information . . .” A lengthy portion of Mr. Hutchins’ interview with the agents was audio recorded. Importantly, however, the agents did not record the part of the interview in which they purportedly advised of him of his Miranda rights, answered any questions he might have had, and had him sign a Miranda waiver form.

If the government plans to introduce the interrogation recording as evidence, the lack of a recorded Miranda warning or signed Miranda waiver should weigh against the admissibility of any incriminating statements Hutchins might have made. Combine that with Hutchins' alleged mental state (exhausted, intoxicated) at the time of the questioning and the FBI may have proactively destroyed a substantial amount of first-hand testimony.

The motion to compel goes on to point out there's plenty of information the government has yet to turn over to the defense. Hutchins' defense still hasn't seen anything related to his alleged co-conspirator (who still remains at large) -- not even the information the government apparently received as the result of an MLAT (Mutual Legal Assistance Treaty) request sent to the co-conspirator's home country.

The defense also wants more info on the FBI's witness known only as "Randy." The government is trying to have it both ways here. "Randy" appears to be a witness, but the government has downgraded "Randy" to a mere "tipster" to avoid turning any info over on "Randy" to the defense. Informant confidentiality can be maintained under some circumstances, but not if the government is hoping to use this informant as a witness.

Here, the government’s refusal to disclose even the identity of “Randy’s” attorney is apparently the result of miscategorizing an important witness as a mere tipster. “Randy” is a cooperating witness, one whose provision of information to law enforcement was facilitated by consideration—proffer immunity, at the least—from the government. This circumstance alone weighs against continuing confidentiality because “Randy” surely knows his cooperation will be revealed…

The defense expects “Randy” to testify at trial because he is alleged to have had extensive online chats with Mr. Hutchins around the time of the purported crimes in which Mr. Hutchins discussed his purported criminal activity. Any communications and materials relating to “Randy” are therefore material to defense preparations.

Wheeler speculates the hide-and-seek nature of the government's handling of "Randy"-related material has something to do with "Randy's" possible lack of usefulness. Hence the last-minute downgrade of "Randy's" stature and the ongoing refusal to produce documents.

I’m guessing if the government were required to put “Randy” on the stand they’d contemplate dismissing the charges against Hutchins immediately. I’m guessing the government now realizes “Randy” took them for a ride — perhaps an enormous one. And given how easy it is to reconstitute chat logs — but here, it’s not even clear “Randy” has the chat logs, but just claimed to have been a part of them, in an effort to incriminate him — I’m guessing this part of the case against Hutchins won’t hold up.

The defense is also seeking discovery of the grand jury instructions. As noted earlier in this post, the government set a high bar for itself, offering up charges that require it to prove intent to harm, rather than simply the creation and distribution of malware. As the government appears to have only limited evidence related to proof of intent, it may have secured the indictment by glossing over the "intent" part of the charges. If the instructions were insufficiently clear, the indictment itself might be in trouble.

Wheeler suggests now might be the time for government to cut its losses and give Hutchins back his freedom. But, as she notes, the government prefers to double-down when on hole-digging in these situations. If the government is realizing its case against Hutchins is bullshit, it may dig in and impede discovery efforts just to make the accused pay for daring to fight back.

Filed Under: doj, evidence, fbi, kronos, malware, malwaretech, marcus hutchins

GCHQ Knew FBI Wanted To Arrest MalwareTech, Let Him Fly To The US To Be Arrested There

from the so-much-for-those-'flight-risk'-fears dept

It looks like the UK found an easy way to avoid another lengthy extradition battle. Its intelligence agency, GCHQ, knew something security research Marcus Hutchins didn't -- and certainly didn't feel obliged to tell him. Not only that, but it let a criminal suspect fly out of the country with zero pre-flight vetting. (Caution: registration wall ahead.)

Officials at the intelligence agency knew that Marcus Hutchins, from Devon, who was hailed as a hero for helping the NHS, would be walking into a trap when he flew to the US in July for a cyber-conference.

Hutchins’s arrest by the FBI on August 2 while he was returning from Las Vegas freed the British government from the “headache of an extradition battle” with their closest ally, say sources familiar with the case.

Certainly no one expected GCHQ to give Hutchins a heads-up on the legal troubles awaiting him on the other side of the pond, but there's something a bit mean-spirited about allowing a UK citizen to walk into custody in another country. And as for the "headache," too bad. That's just part of the deal when you make promises to other countries you'll ship them your citizens to face an uphill battle in an unfamiliar judicial system while facing charges for laws that may not apply the same way -- or as harshly -- at home.

This is even more disconcerting when it was Hutchins who was instrumental in killing off the WannaCry ransomware that wreaked havoc pretty much everywhere earlier this year. In gratitude for his efforts, a few publications outed the person behind the "MalwareTech" pseudonym, which probably made it a bit easier to tie Hutchins to various online personas.

As Marcy Wheeler pointed out on Twitter, it works out pretty well for the UK. It gets to outsource its prosecutions to a nation where punishments for malicious hacking are much, much higher. It also gets to dodge the publicity black eye of handing over its (inadvertent) WannaCry hero to the feds and their threat of a few decades in jail. It also suggests the Five Eyes partnership is paying off in questionable ways and, sooner or later, it's going to be an American citizen walking into the same sort of trap overseas.

Filed Under: doj, extradition, fbi, gchq, malwaretech, marcus hutchins, uk

The Indictment Against Malware Researcher Marcus Hutchines Is Really Weird

from the why-is-that-illegal? dept

So, yesterday, we wrote a quick post about recently-famous malware research Marcus Hutchins (famous for accidentally stopping the WannaCry attack) being detained by the FBI as he left Defcon. An hour or so later, we updated it with the details of the indictment which had been released. That had my quick response, which noted that the "evidence" didn't seem very strong. It just claims (without anything else) that Hutchins wrote the Kronos malware, and most of the indictment and most of the activity focuses on a second defendant (whose name is redacted) who apparently was out selling the malware. I was planning to write up a more thorough look at the indictment and its problems today, but last night, Orin Kerr beat me to it, and he (famed lawyer, law professor and former assistant US attorney) has a bit more expertise in the subject, so let's work off of his analysis.

The crux of the indictment is that Hutchins and the unnamed "co-conspirator" worked together to create and sell malware, leading Kerr to ask the fairly obvious question:

This raises an interesting legal question: Is it a crime to create and sell malware?

After all, as many others pointed out, there are lots of folks out there who build and sell malware of one kind or another -- and, indeed, the US government is often a large purchaser of malware sold by others. Kerr's initial gut reaction was more or less the same as mine: that the actual amount of evidence in the indictment is pretty minimal, though obviously they may have a lot more that just hasn't been shared yet (or they may turn up more).

Do the charges hold up? Just based on a first look at the case, my sense is that the government’s theory of the case is fairly aggressive. It will lead to some significant legal challenges. It’s hard to say, at this point, how those challenges will play out. The indictment is pretty bare bones, and we don’t have all the facts or even what the government thinks are the facts. So while we can’t say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case. As always, we’ll have to stay tuned.

From there, Kerr digs into each of the charges. The first is "conspiracy." This one struck my layman's mind as somewhat odd. Two people working together does not a conspiracy make. Kerr similarly calls it "odd" and notes that for this charge to work, the government has to argue that selling malware is the same as using malware to damage a computer. And that seems... difficult. Kerr points out that there are two conditions that must be met for this to work:

First, the government must prove that Hutchins and X had an intent to damage a computer. That is, the goal of their conspiracy must have been to impair the availability or integrity of a program or data. Maybe there are facts that support that, but at the very least they don’t appear in the indictment. The indictment makes it seem that the purpose of selling the malware was to, well, sell malware. It’s not obvious that Hutchins and X cared what the buyer did with the malware after so long as they paid. If Hutchins and X didn’t care what the buyer did with the malware, it’s hard to see how they could have a purpose to impair the availability or integrity of a computer.

Second, the government must prove that the agreement was to cause the result of damaging a computer. In an ordinary 1030(a)(5)(A) case, causation is easy. The person sends the malware and the malware damages the machine. Here, though, the government’s theory adds an intermediary: The theory seems to be that Hutchins and X conspired, and the goal of their collective activity was to cause damage, even though the actual act of damaging a computer (if it happened) was to be caused directly by the buyer using the malware rather than by Hutchins and X.

That second point is especially interesting to me. We've seen more and more attempts to charge "intermediaries" with crimes based on actions of third party users of their tools (the Megaupload case being one big example). And that seems like a very dangerous path to go down. One of the reasons why we talk about "intermediary liability protections" on Techdirt so much is that they're so important on a basic "blame the person who actually did the wrong" spectrum. It's not the intermediary, it's the user. Go after the user, even if that's more difficult. Here, the DOJ seems to be going after the intermediary. Because.

The next three charges are all similar, and I didn't quite get them at first, but Kerr explains. They're making use of 18 U.S.C 2512 which Kerr describes as, "a rarely-used law that criminalizes making, selling, or advertising for sale illegal wiretapping devices." Yes, wiretapping devices. Here, Kerr focuses on the question of whether or not a piece of malware software is a "device" under the law, and argues that may be difficult as well.

In Potter v. Havlice, 2008 WL 2556723 (S.D. Ohio 2008), the plaintiff sued the defendant under Section 2512 for making and selling “Activity Monitor,” which was billed as “an ideal spy software package to ensure you have the control you need over your child or spouse activity when they are online.” After rejecting Section 2512 liability because there is no civil cause of action under the statute, the court added an alternative holding that “Activity Monitor is not a device as contemplated by Section 2512.”

Section 2512 makes the manufacture and/or trafficking of “any electronic, mechanical, or other device” illegal. The phrase “electronic, mechanical, or other device” is defined in 18 U.S.C. § 2510(5) to generally mean “any device or apparatus which can be used to intercept a wire, oral, or electronic communication….” Clearly, Activity Monitor alone cannot be used to intercept communications. It must be installed in a device, such as a computer, to be able to do so.

Also, the definition of the word “device” does not encompass software such as Activity Monitor. Merriam Webster Dictionary defines “device” as “a piece of equipment or a mechanism designed to serve a special purpose or perform a special function.” Activity Monitor alone is not a piece of equipmentor a mechanism.

So... that's going to make this interesting. Of course, then there's the further question of whether or not the malware itself is really intercepting communications. Either way, this feels like a way to try to twist a law targeting older technology to pretend that it applies to a very different kind of technology. I know this happens semi-frequently, but it always troubles me. You get bad results this way, because the technology that was originally being regulated, and what it's now being used against, are very different, and should be treated differently. But when you try to shove something like malware into laws created to stop wiretapping devices... you end up with bad results, where rulings can be made about something being "bad" without realizing the wider reverberations it may have.

And, finally, there's a CFAA claim, because if there's a criminal case that could be summarized as "behaving badly on a computer" you have to expect an eventual CFAA claim.

This count raises the same challenges as count one. The theory seems to be that that selling a copy of malware is akin to using the malware to damage a computer. But to get there, they need to show that Hutchins and X had the intent to impair the availability or integrity of information on a computer and not just intent to distribute the malware to a paying customer. The government also needs to prove that their act of distributing the malware was the proximate cause of the resulting damage even though a third party’s intentional act of sending the malware was required for that to happen.

Again... this seems quite difficult to actually show, though perhaps there's more evidence that the DOJ hasn't yet revealed.

In the meantime, others are insisting that the DOJ has the wrong guy. A friend and colleague of Hutchins, Kevin Beaumont, insisted that the DOJ is simply wrong, and that Marcus has more or less dedicated his life to fighting malware, not creating it:

On top of that, the BBC spotted the fact that Marcus asked on Twitter if anyone had a sample of Kronos after it first was discovered:

Now, of course, that alone is not evidence of much. After all, if he really had created it, why not tweet something like that to make sure people think he hadn't? But, still, it is worth pointing out, along with multiple other folks saying that they simply don't believe Hutchins would have been behind the malware, let alone the broader legal question of whether or not making and selling malware is even illegal in the first place.

Filed Under: cfaa, conspiracy, doj, indictment, kronos, malware, malwaretech, marcus hutchins, orin kerr, selling malware

Guy Who Accidentally Stopped WannaCry Ransomware Detained After Defcon

from the and-thank-you-for-your-service dept

Update: He's been indicted for his alleged role in creating a different malware, Kronos. More below.

As you may recall, earlier this year, when the WannaCry ransomware was spreading like wildfire, it was accidentally stopped by a security researcher in the UK who was (mostly) known only by the pseudonym MalwareTech. He wrote about the whole experience after having tweeted about it earlier. Basically he spotted the domain that WannaCry was pinging and saw that it wasn't registered -- so he registered it, if just to track the spread of the malware. But, that process actually stopped WannaCry from spreading due to the way the ransomware was designed. The story of someone accidentally stopping a massive malware breakout was a good one and it was widely covered by the press. MalwareTech got lots of good press out of it... and as a thank you, at least one UK publication doxxed him and revealed his name, his age, some of his social media photos and even what he liked to eat. That wasn't very nice. Still, now it's known that Marcus Hutchens is MalwareTech, and people should be thanking him.

Anyway, like many security folks and hackers, MalwareTech made his way to Defcon and Black Hat this year... and got his second big "thank you." According to Motherboard, US authorities have detained him in an undisclosed location.

At the time of writing it is not clear what charges, if any, Hutchins may face. According to the now public indictment, Hutchins is accused of developing the Kronos malware that was a trojan that targeted banks. There's a second defendant, whose name and information is redacted (suggesting he hasn't been arrested just yet...) who then went out and appears to have promoted Kronos and tried to sell it.

So the specific charge includes:

MARCUS HUTCHINS, aka "Malwaretech" knowingly disseminated by electronic means an advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foreign commerce.

In violation of Title 18, United States Code, Sections 2512(1)(c)(i), and 2.

There's also a conspiracy charge tying all of this together. As always, an indictment is just one side of the story, and at least from what's in there, the evidence isn't that strong (there may be a lot more evidence to come). There appears to be a lot more evidence against the other, unnamed, defendant who tried to sell Kronos. The only thing they say about Hutchins, really, is that he wrote it, and then the indictment tries to make it a conspiracy, claiming he conspired with the other defendant who tried to sell Kronos.

Needless to say this will be an interesting case to pay attention to.

On a separate note, in what hopefully is just a coincidence, the Bitcoin addresses that were connected to WannaCry (where they asked victims to send Bitcoins to decrypt their computers) were drained of all their money this morning...

Filed Under: defcon, detained, fbi, malwaretech, marcus hutchens, wannacry