The arrest of Marcus Hutchins, better known as Malware Tech, has left the tech community feeling bruised and confused.
Hutchins, the 23-year-old Brit hailed as a cyber-hero by the UK press for stopping the WannaCry ransomware attack that scythed through the National Health Service’s IT infrastructure, is in trouble with law enforcement in the US.
A grand jury in Wisconsin indicted Hutchins for his alleged involvement in the creation and spread of a banking trojan known as Kronos. As a result, he was arrested by the FBI in Las Vegas while attending DefCon, one of the largest and oldest conferences for hackers and IT security professionals. He is accused of six offences related to being part of a conspiracy that resulted in the Kronos malware being used to steal banking login information between 2014 and 2015. He has pleaded not guilty to all the charges.
Personal friends are very concerned for MalwareTech's safety; have very little info on what is happening. FBI investigation; yet to comment
— Joseph Cox (@josephfcox) August 3, 2017
Hutchins, a malware researcher, describes himself as an “Accidental Hero”. As a malware researcher, his business is all about finding, analysing and mitigating malicious software. Researchers obviously have a valid need to monitor the illicit sites, often on the dark web, where malicious code and techniques are shared and discussed.
Kronos first popped up for sale online on one such dubious site, a Russian forum, in 2014. It offered multiple methods for evading detection and was written to be hard to analyse. It even came with a trial period for potential buyers before they committed to spending the roughly £5,000 being asked for a purchase.
Kronos is clearly a threat, and one that remains active. It has been implicated in the loss of thousands of dollars, pounds and euros from the accounts of unsuspecting victims who have unwittingly allowed the trojan to infect their computers, often via innocuous-looking email attachments.
But the indictment of a white hat hacker, one involved in challenging and mitigating threats like the one posed by Kronos, is raising questions among security researchers about the basis for the indictment and arrest.
Comment from the UK's National Cyber Security Centre on MalwareTech's arrest, for what it's worth pic.twitter.com/8xeGKW6Amr
— Joseph Cox (@josephfcox) August 3, 2017
The most pressing question so far has been around the timeline of events, not least because Hutchins himself requested a sample of Kronos to analyse, two weeks after its initial release. But it isn’t the only one.
Security professionals who know Hutchins well have leapt to his defence. Fidus Information Security co-founder Andrew Mabbitt refused to believe that the charges were true, saying that they didn’t fit with the Marcus Hutchins he knew “at all”. He said: “He spent his career stopping malware, not writing it.” He wasn’t alone. In court, where Hutchins was granted conditional bail with a £23,000 bond, he was supported by 12 letters of recommendation.
The reaction from the security and technology community has, however, been one of concern, both for Hutchins and for the chilling effect that the arrest of researchers has on work around malicious software.
Tor Ekeland, a New York-based lawyer with deep experience in technology, computer security and hacking issues, told The Associated Press that the facts in the indictment fail to show intent.
“This is a very, very problematic prosecution to my mind, and I think it’s bizarre that the United States government has chosen to prosecute somebody who’s arguably their hero in the WannaCry malware attack and potentially saved lives and thousands, hundreds of thousands, if not millions, of dollars over the sale of alleged malware for two thousand dollars,”
He also highlighted the issues that this case could raise for researchers and the security community, “This is just bizarre, it creates a disincentive for anybody in the information security industry to cooperate with the government.”