It’s the fastest fall from grace in hacking history.
A 23-year-old U.K. man hailed as an Internet hero just two months ago for single-handedly halting the destructive WannaCry cyber attack is now behind bars, accused by the FBI of creating and selling a different piece of malware designed to let hackers loot consumers’ bank accounts.
Marcus Hutchins, known online as MalwareTech, was arrested at Las Vegas’ McCarran International Airport on Wednesday, on his way home from the DefCon computer-security conference. He had a preliminary court appearance Thursday, and is set for a bail hearing Friday afternoon before federal Magistrate Judge Nancy Koppe.
A professional computer-security researcher, Hutchins gained mainstream fame in May during the WannaCry outbreak. As the ransomware was ripping through computers in at least 74 countries, crippling some hospitals, utilities, businesses, and government agencies, Hutchins noticed a mysterious dot-com domain name—a web address—coded into the worm. He checked domain-name records and saw that this address had been left unregistered, making it available to anyone. He purchased the domain himself at NameCheap.com for $10.69, and pointed it at a “sinkhole” server he ran in Los Angeles, hoping to gather information on the malware.
It turned out that the domain name was a kind of kill switch, and once it was activated, WannaCry immediately stopped spreading. An attack that was expected to hit millions of machines and cause chaos around the world was nipped in the bud, “completely by accident,” he said at the time.
The WannaCry incident turned Hutchins into an international cybercelebrity overnight. Reporters showed up at his door and interviewed his neighbors, and he began grudgingly consenting to television interviews. Hutchins’ boss at the Los Angeles-based computer-security firm Kryptos Logic was invited to testify about WannaCry before a House subcommittee. When Hutchins flew into Las Vegas for the annual DefCon hackers convention last week, an endless number of friends and colleagues and fans had already offered to buy him a drink.
But when Hutchins returned to the Las Vegas airport Wednesday for his flight home, the FBI was waiting. After his arrest, federal prosecutors in Milwaukee unsealed a six-count indictment, dated July 12, charging Hutchins and an unnamed partner with conspiracy, wiretapping, distributing an illegal eavesdropping device, and violations of the Computer Fraud and Abuse Act. The indictment claims that for at least a year, beginning July 2014, Hutchins was leading a double life, fighting computer crime in public, while privately creating a notorious piece of malware called Kronos.
Kronos is one of a breed of malware called a “banking Trojan” designed to nestle in a victim’s machine and intercept their online banking sessions, so hackers can issue funds transfers and loot the account. More than just software, it’s part of a growing trend toward “crimeware-as-a-service”—a complete package for anyone who wants to start stealing money online. “It comes with dynamic command and control infrastructure, updates, all kinds of other things,” says Ryan Kalember, senior vice president at the security firm Proofpoint. “It appears to have first shown up in Russian-language forums.”
The indictment claims Hutchins was the author and maintainer of the code, while an unnamed co-conspirator marketed it in a YouTube video and in posts on darkweb crime forums, including the recently busted AlphaBay. The pair allegedly sold the malware for $2,000 or $3,000 a copy, though Kronos is known to have gone for as much as $7,000.
Hutchins couldn’t be reached for comment in custody, and the federal public defender representing him in Las Vegas wasn’t available after hours Thursday. But some who’ve worked with Hutchins are convinced the FBI made a mistake. “I know Marcus,” wrote Kevin Beaumont, a Liverpool security architect, on Twitter. “He has a business which fights against exactly this (bot malware), it’s all he does. He feeds that info to U.S. law enforcement… The DoJ has seriously fucked up.”
If the indictment is a result of a mix-up, it’s conceivable that Hutchins’ sinkhole server—the one he used to kill WannaCry—is what got him in trouble. For over a year, Hutchins has been re-registering expired domain names previously used by hackers. He directs them to his sinkhole, and monitors the incoming connections to track the malware in the wild. Hutchins told The Daily Beast last May that his domains number “in the thousands.”
If FBI agents saw Kronos connecting to Hutchkins’ sinkhole, they might conclude he was the mastermind behind the malware. The Daily Beast checked the registration records for 65 domain names previously used by Kronos, and found that about a dozen have been taken over for known or obvious research sinkholes, but none are clearly Hutchins’.
Another theory in the mistaken-identity column is that Hutchins was participating in criminal forums to gather intelligence on his adversaries. “A lot of what researchers do is very difficult to distinguish from criminal activity, because they’re trying to gain credibility with cybercriminals,” says Proofpoint’s Kalember, who’s reserving judgment on the charges. “And even organizations like the FBI can’t always tell the difference in a way that is reliable.”
Either scenario would be remarkable, and possibly unprecedented. Misidentification and false leads happen all the time in cybercrime investigations—undercover FBI and Secret Service agents have been known to open case files on one another—but the mix-ups tend to get ironed out well before an indictment.
The case was investigated by the Milwaukee FBI field office, which has handled other high-profile computer-crime cases, included the 2010 bust of a local man who was running a hacker marketplace called Darkode. The suspect, Daniel Placek, rolled over, and he worked with the Milwaukee agents for five years before he was sentenced to probation in 2015.
Now reformed and working as a network and security consultant, Placek told The Daily Beast he didn’t work on the Hutchins investigation. “I am as surprised as anyone,” he said. But even he doesn’t dismiss the possibility that his former FBI associates made a mistake with Hutchins.
“I don’t know if this is still true, but as of a few years ago the FBI seemed to have a policy of rotating their agents through the various divisions,” Placek said. “Many of the agents I encountered who were currently assigned to cybercrime were previously in other ‘specialties’ and did not have a computer-science background… The primary investigative avenue was almost always financial, not technical—‘follow the money.’”
For the moment, there’s nothing but a terse indictment to weigh against Hutchins’ public career as a malware investigator and The Man Who Saved the Internet. Aside from the charges, only one artifact has so far surfaced to link Hutchins to Kronos. It’s a July 2014 tweet, in which Hutchins asks his peers for a sample of the malware he’s accused of creating.