When Marcus Hutchins appears in court in Milwaukee on Monday, it will be almost three months to the day since the young British cybersecurity researcher halted the spread of a malicious software that crippled the UK’s National Health Service as well as companies such as FedEx and Telefonica.
In the days that followed, Hutchins was heralded as an “accidental hero” over his discovery of the “kill switch” that stopped the WannaCry ransomware and worked with GCHQ’s National Cyber Security Centre (NCSC) to mitigate the threat.
It has been a precipitous fall from grace for the 23-year-old, who now finds himself battling allegations of involvement in a separate piece of malware called Kronos, which targeted bank accounts, charges which could result in a 40-year prison sentence.
The cybersecurity community, however, has rallied behind Hutchins, with many experts expressing disbelief that he would have knowingly been involved in a criminal conspiracy. The case is also driving a wedge between governments and the independent cybersecurity experts they often rely on, with one pledging that he will no longer collaborate with law enforcement.
Jake Williams, a malware researcher who had worked on a project with Hutchins in 2015, at around the time he’s accused of creating and selling Kronos, says the case “doesn’t add up”. Williams said Hutchins helped him put together a higher education program focused on malware, but refused to accept payment for the hours he worked on it.
“I have a hard time picturing him refusing money for work from me but at the same time taking money for illegal activities.” He added: “He’s a good guy. I met him face-to-face for the first time in Vegas last year and he struck me as genuine.”
Hutchins was arrested and detained in Las Vegas last week during the annual Def Con hacking conference. He was released on bail earlier this week, facing six counts of hacking-related charges for activity that allegedly took place between 2014 and 2015. US prosecutors say Hutchins admitted to police that he wrote malware code, but his attorney said he planned to plead not guilty.
Hutchins, who lives with his family in a seaside town in Devon, England, is a popular member of the security community and known as a skilled and curious researcher who spent his teenage years writing software as a hobby and running a tech blog.
His current employer, LA-based Kryptos Logic, hired him a year ago after being impressed by his approach to finding, reverse-engineering and analysing malicious software to understand the techniques used.
When he was given a $10,000 reward by HackerOne for his role in stopping WannaCry, he donated it to charity. Friends have set up a crowdfunding campaign to raise money for legal fees.
So far the US Department of Justice hasn’t provided much evidence against Hutchins as the indictment is vague and the full complaint remains sealed. What is known is that it relates to the Kronos banking trojan, a type of malware disguised as legitimate software, which was designed to harvest banking credentials to let its user steal money with ease.
The indictment also describes an unnamed co-defendant (indicating he or she may still be at large) who allegedly advertised the malware for sale on an online marketplace, AlphaBay, and sold it two months later. US and European police eventually seized servers for the marketplace, which was shut down on 20 July. The case against Hutchins stems from that seizure.
Williams questions why, if Hutchins were the mastermind behind Kronos, he would have traveled to the United States, known for its harsh sentencing regime, after AlphaBay was seized. “I know criminals do dumb stuff but that just bothers me,” he said. “The whole thing stinks.”
As with most software, Kronos incorporated portions of code from other available tools, including the banking trojan Zeus, a malware package that attempts to steal confidential information such as bank details from the compromised computer, and the botnet creation kit Carberp. Some of the components of Kronos may have been originally developed for non-malicious purposes. This makes it hard to determine which parts of the malware, if any, Hutchins could be responsible for, despite the government’s allegations that he was its sole creator.
Even if Hutchins did create or adapt the Kronos malware, prosecutors have to show he sold malware with the intent to further someone else’s crime. Otherwise they run the risk of criminalizing the act of writing some kinds of software.
“If that’s the case half the industry is screwed,” said Tor Ekeland, a computer crime and technology lawyer who has extensive experience with the Computer Fraud and Abuse Act, the law under which Hutchins was detained. “Gun manufacturers are not usually criminally prosecuted by the DoJ for manufacturing and selling a gun that was then used in a murder,” he added.
Other researchers have pored over five-year-old chat logs connected to Hutchins’ previous username, and painted a picture of a teenage Hutchins presenting himself as a malicious “black hat” hacker.
However, many malware researchers create accounts under pseudonyms on darknet hacking forums to gain the trust of criminals so they can gather intelligence about threats. This means that the actions of a researcher studying malware can look very similar to those of a criminal in charge of it.
“This could very easily be the FBI mistaking legitimate research activity with being in control of Kronos infrastructure. Lots of researchers like to log in to crimeware tools and interfaces and play around,” said Ryan Kalember, a researcher from security firm Proofpoint.
Ekeland and Williams are among the security experts who believe Hutchins’ arrest will discourage other researchers from collaborating with governments. “It’s created a sense of mistrust,” Williams said.
British cybersecurity researcher Kevin Beaumont announced in a blog post that he would no longer share cyberthreat intelligence data with the UK government until Hutchins’ situation is resolved.
“Many of us in the cyber security community openly and privately share information about new methods of attacks to ensure the security for all, and I do not wish to place myself in danger,” Beaumont wrote.
“Whatever else he may have done, this guy saved hundreds of thousands if not millions of dollars of loss in the US – and over the world by stopping WannaCry,” Ekeland added. “The indictment sends a message: if you help the government shut down malware, the reward is you will be arrested.”