It has been like this for decades, and it’s a hell of a way to live. I’m guessing no one understands this more than a UK-based hacker named Marcus Hutchins, also known online and in the press as “MalwareTech.” Hutchins never wanted anyone to know his name; he was just the guy who noticed that the eejits behind WannaCry forgot to register a domain that acted as a “kill switch” on the nasty, fast-spreading ransomware. He then spent the next few days helping people get out from under a ransom scheme that had hospitals locked up (threatening lives).
Hutchins wanted to keep his identity secret, he told press, because he was fearful of the retaliations he might face for shutting down WannaCry. To his own outrage and dismay, his name and personal details were discovered and published by UK tabloids The Sun, The Daily Mail, and The Mirror. The man hailed as the “NHS hero” tweeted, “I always thought I’d be doxed by skids (people in hacking forums), but turns out Journalists are 100x better at doxing.”
If that was a rude awakening to Hutchins, then what came next was surely a shock to the system from which he may never recover. In July and early August, he was in the US to attend the Black Hat and DEF CON security conferences — a week-plus junket of hacking and security events, trainings, talks, and parties where it’s more or less a given that those working in the field are required to attend.
As Hutchins boarded the plane to fly home to the UK last Wednesday afternoon, he was arrested and detained in Las Vegas along with another researcher. He was taken to a detention center and then moved to an FBI field office. US prosecutors slapped Hutchins with a grand jury indictment, alleging that between July 2014 and July 2015 he helped make and distribute the Kronos banking trojan.
“Defendant MARCUS HUTCHINS created the Kronos malware,” the indictment states.
Hutchins was temporarily cut off from the outside world while he was held; there was a period of about a day in which he could not be reached. He didn’t have a lawyer for 48 hours. His friends and family panicked. Infosec Twitter lost its mind (and would continue to for quite some time, and for some very good reasons, which we’ll get to in a minute). Attorneys who represent hackers were on it like lightning finds the unlucky kid on a golf course during a storm. While Hutchins settled into a Las Vegas jail for the weekend, his friends rallied to pull together an online donation page for legal funds.
In a bizarre coincidence, the same day of Hutchins’ arrest, the Bitcoin wallet holding WannaCry’s ransomware funds was emptied.
As the federal indictment document hit the internet, the world learned that the 23-year-old researcher is facing six counts and up to 40 years for allegedly creating, spreading, and maintaining Kronos. The banking trojan is as nasty as it is clever.
According to ThreatPost, Kronos harvested banking credentials using “Web injects made for every major browser to modify legitimate banking websites.” Then when you log in to your bank, “the web injects look for additional information from the victim, details that are generally not required upon log-in such as ATM PINs or personal information to help with security questions.” Kronos came with a built-in security system that fights off other trojans, as well as updates for those who purchased and ran the trojan — it was a black market product with a price tag of $2K (during the time period the indictment covers).
To be clear: We have no idea if Hutchins actually has anything to do with Kronos or not. Hutchins denies wrongdoing and is pleading not guilty. Monday he was out on bail and scheduled for transfer to a Milwaukee, Wisconsin courtroom to face charges early Tuesday morning; that appearance has been postponed until August 14th (next Monday).
Hutchins is not allowed to use the internet, his passport has been confiscated, and his movements are tracked. According to researcher and friend of Hutchins, Kevin Beaumont, “He is not allowed to communicate with the co-defendant named in the case. That name is blacked out on the indictment. Neither Marcus’ lawyer nor Marcus know who the co-defendant is.”
When the public found out Hutchins had been nabbed by the FBI, saying that press and infosec had lost their collective mind in several directions would’ve been an understatement. Part of that had to do with the shock and implications of the case and its situation. Though part of the hysteria could’ve been attributed to the fact that very little actual news came out of this year’s two big domestic hacking conferences, which mainstream and corporate press had thrown more money and people at than ever before.
Quantity over quality in cybersecurity journalism coverage is the worst it’s been; DEF CON is a magnifier, and Hutchins once again just happened to be the ant under their looking glass. Every reporter in the world wrote a story on it. Some of them were baseless character attacks, because clickbait is as clickbait does, I guess.
None of which helped anything that was going on in the infosec world. Many rallied to support and defend Hutchins with legal fundraising and letters to the judge. Those letters countered impressions left by press of Hutchins’ guilt, while those close to the situation published information crucial to anyone following the case, showing a situation far less black and white. Even Orin Kerr explored the question in the Washington Post, asking, “The Kronos indictment: Is it a crime to create and sell malware?”
Unfortunately, online infosec and press chatter also erupted into ugly infighting, limelight-chasing, and posturing. Hutchins’ online life has been combed over and picked apart by people with good intentions, simple curiosity, as well as those seeking negative attention.
The case has shaken up security research communities — and for a lot of good reasons. People who write, reverse, and research malware are scared and angry. Some are proudly proclaiming they write code and are unafraid of sudden arrest; others comment, I do too, and I’m afraid. Again. Because it’s easy to say “my code can be used for anything outside my control, good and bad,” it’s just as easy for authorities to condemn you on the same principles.
What happens with Hutchins will be watched closely by everyone. It’s going to set serious precedents for vulnerability research and affect the lives of everyone who writes and reverses malware, in and out of the US.
US attorney Tor Ekeland told press that regardless, what has happened with Hutchins created shockwaves that destabilize relationship-building between the US government and hackers. “There are major implications for cyber security,” he said. “By doing this they’ve made the internet less safe because nobody in their right mind is likely to help the US Government stop attacks now.”
There is a chilling effect here that will leave its mark on every researcher. Commenter Doctor Syntax accurately summarized the vibe, saying, “The one bit of solid evidence that’s emerged seems to be that he wrote an explanatory post about some code which was then sent to a Github repository and subsequently incorporated in the trojan. If that’s what the FBI mean by writing malware then I’m sure a lot of people who’ve published code on Github … answered questions on Stackexchange, and the like should avoid visiting the US.”
Infosec is thinking about all of this right now. They’re thinking about how fragile their lives are, and just how much is out of their control, no matter how hard they fight for understanding and legitimacy. They’re also thinking that a trip to DEF CON can end with being abducted by the FBI, cut off from the world, and facing the end of their lives as free people — with no warning, and for crimes they may not have done.
It’s a shadow that can consume you if you’re not careful.