
FBI arrest of Marcus Hutchins (@MalwareTechBlog) has chilling effect

The curious case of Marcus Hutchins—the British malware researcher arrested in Las Vegas last week—has gotten information security practitioners up in arms (or seriously worried). The 23-year-old is accused of writing a banking Trojan three years ago and conspiring to profit from it.

Hutchins, a.k.a. MalwareTech, was that guy outed by the press for finding the WannaCry kill switch. He has a solid white-hat reputation in infosec circles, so there’s widespread disbelief of the allegations. And also some concern over lack of process: Officers waited until he was on his way home before arresting him, then held him secretly for 48 hours with no access to a lawyer.

After all this, who would ever travel internationally to Black Hat, DEF CON, BSides, or other US infosec meetings? In this week’s Security Blogwatch, we feel the cold from the chilling effect, and uncover clues to the identity of Hutchins' alleged co-conspirator.


Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: ElectroBOOM go boom

What’s the story so far? Ken Ritter and Ivan Moreno report the arraignment [is] postponed:

Attorneys and advocates for Marcus Hutchins, 23, of Ilfracombe, England [was bailed] Monday from a jail in … rural Pahrump … southern Nevada. … The judge who on Friday set Hutchins' bail at $30,000 … said Hutchins would have to stay at a federal halfway house or under house arrest in Las Vegas with an ankle monitor. [She] ordered him to surrender his passport … and not use any device that has access to the internet.

He was arrested Aug. 2 in Las Vegas … at McCarran International Airport on his way home from … Def Con. … He did not enter a plea at Friday's hearing to six federal charges.

He is accused of creating and distributing malicious software called Kronos designed to steal banking passwords … distributing and advertising an electronic communication interception device, attempting to intercept electronic communications, and trying to access a computer without authorization. He could face decades in federal prison.

Hutchins has support in the information-security community, where some call him a principled, ethical hacker. … Hutchins was credited with helping in May to curb the spread of WannaCry.

Anything else we should know? That AP story could be twinned with Iain Thomson, who says Hutchins [is] free for now:

He is now on his way to Milwaukee to face charges. … He and an unnamed associate allegedly made a few thousand bucks selling the malware-as-a-service on dark web markets.

[He] was held for more than 24 hours at an FBI field office without access to a lawyer or any contact with his family. … The FBI claimed that, during interrogation without an attorney present, Hutchins confessed to writing some malware code.

Hutchins denies any wrongdoing. … Hutchins is a widely respected member of the UK security community and his arrest has sparked shock and … anger.

O RLY? Kevin “@gossithedog” Beaumont fills in the blanks regarding Marcus Hutchins aka MalwareTech:

Marcus is a leading voice in the UK cybersecurity scene, and indeed worked with the UK Government … on stopping WannaCry. … He is an incredibly valuable asset to the UK. … I have been in a state of shock since I found out about the arrest.

He did not have a lawyer for the first 48 hours. During this time he was in the custody of the FBI. … When his arrest had been established, he was moved location 10 minutes before visiting was allowed.

Neither Marcus’ lawyer nor Marcus know who the co-defendant is. … A crowdfunding campaign for legal fees is now live.

Day-um. Daniel “@danielroydalton” Dalton doubles down: [You’re fired —Ed.]

This unwarranted and sudden arrest is causing an uproar in the community—and prompts questions of people’s security on US soil. … A bold and coordinated move from the FBI shows the ever-growing reach of the US administration, especially when considering Marcus is a British national.

The sealed indictment calling for Hutchins’ arrest was issued on July 11th. [But he] had been in the US for over 12 days … by the time of his arrest. … It’s clear there are some underhanded elements of cunning in the nature and timing of the arrest.

The unqualified detaining of a non-dangerous and non-US national who has not been proven guilty … and a complete restriction from the outside world … all reeks of foul play. [The] message that comes in loud-and-clear [is] you’re not on an even playing field while on US soil.

As far as we can make out, the FBI case centers on an allegation that Hutchins wrote and sold some of Kronos’s source code. Here’s @doctorshekel:

How delicious that the FBI sees no problem buying illegal malware from Hacking Team in Italy, but we are supposed to cheer for them now

The code may have been in the form of Hutchins’ proof-of-concept exploit. Or so says Doctor Syntax:

The one bit of solid evidence that's emerged seems to be that he wrote an explanatory post about some code which was then sent to a Github repository and subsequently incorporated in the trojan. If that's what the FBI mean by writing malware then I'm sure a lot of people who've published code on Github … answered questions on Stackexchange, and the like should avoid visiting the US.

If this ever gets to court it'll be interesting to hear a comparison between his contribution to Kronos and the NSA's contribution to Wannacry. I'm sure the defence would want to raise it.

[“Interesting,” in this context, being a British word meaning “intensely, hilariously fascinating.”]

Similarly, @Max_Hallam smiles a simile: [Facepalm—Ed.]

It's like trying to prosecute a knife-maker for a stabbing committed by one of their customers.

Anyway, who made the FBI the world police? Sionyn Foulkes “@Un1v3rs4L” Jones wants to know:

If it's true, his crimes were committed in Britain not America. They should have made a complaint to British authorities.

And what about that unnamed co-conspirator? Thomas Fox-Brewster adds 2+2:

Searching across the web for the dealer's activity, it was apparent he'd tried to sell Kronos [and] set up a YouTube guide on how to run Kronos, not dissimilar to one described in the U.S. indictment.

The name VinnyK is of interest. … The earliest known post on [Exploit.in] relating to Kronos is from VinnyK and is in Russian, dating back to June 10 2014. … VinnyK was selling the malware for $3,000 back then. A month later, he was showing off how well Kronos fared against anti-virus systems.

But somewhere along the line, certain deals went sour. [A] customer claimed to have been ripped off. [VinnyK] was eventually banned from the space.

[I] was also able to obtain a copy of an advertisement for Kronos placed by VinnyK on AlphaBay. … The indictment claimed an unnamed party tried to sell Kronos on AlphaBay on or around April 29 2015, matching the date on the ad. … VinnyK was the dealer, making it highly likely he's the censored individual in the government charges.

But wait. What’s all this about guns? Here’s Pierre Mathjes:

The only thing that’s certain [for the moment] is that there are tremendously weak allegations held against him for writing and selling malware. The fact that law enforcement tries to keep him locked up [because] of shooting guns at a tourist-attraction-advertised shooting range makes this case even more stupid.

There’s a reason why it’s currently considered unsafe to travel to the U.S. as a malware researcher/cyber crime tech.

What else is there to say? Simple: Simon “@e_forensic” Smith says he’s just speechless:

I'm just speechless. I'm more driven to the cybercrime intent and [the] link between the attention and conversion from hero to criminal.

There [are] perfectly good ethical hackers out there, but there are … criminals hidden amongst [them]. It's easy to spot if you know the signs. Not many do and this poses a major threat.

Crime is crime. Simple.

Jealousy causes people to make mistakes. Big mistakes.


The moral of the story? Assuming Hutchins is innocent, what next for other legitimate security researchers? If the FBI and DoJ are now criminalizing every white hat who creates a PoC, they risk marginalizing the US’s role in infosec.

And finally …

Don’t try this at home, kids

(nor any of these)

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.


Image source: Joao Carlos Medau (cc:by)
