A widely celebrated cybersecurity researcher was indicted on charges of developing software that has stolen banking credentials from an untold number of people, prosecutors said Thursday.
Marcus Hutchins, 22, who works for the Los Angeles security firm Kryptos Logic, was praised in May for his role in slowing the spread of ransomware called WannaCry that was locking files on computers around the world.
But federal prosecutors say that Hutchins, at least at one point in his career, had malicious intent. In a July 12 indictment unsealed this week, Hutchins is described as having created, maintained and marketed the Kronos banking Trojan from July 2014 to July 2015.
The program — often distributed through document attachments in phishing emails — monitors consumers’ online browsing and leads them to fraudulent websites designed to look like legitimate banking services. Kronos then harvests usernames, passwords and other information from unsuspecting consumers. Sellers described Kronos as capable of evading antivirus software and snooping on the latest versions of Chrome, Firefox and Internet Explorer.
The FBI quietly arrested him Wednesday as the British resident prepared to fly out of Las Vegas, the site of Defcon, one of the computer security industry’s biggest conferences. Hutchins’ initial appearance in U.S. District Court in Las Vegas was postponed to Friday afternoon, according to Trisha Young, a spokeswoman for the U.S Attorney’s office.
The allegations from a two-year FBI investigation point to one of the cybersecurity sector’s most distinctive traits: the revolving door between those trying to stop attacks and those launching them.
People often transition between hacking with malicious intent and working as well-meaning investigators. The mischievous work of the past can be an asset to companies and law enforcement agencies looking to get an edge on new waves of criminals. But it also can mar the reputation of the burgeoning industry.
The blurred roles of cybersecurity workers led to a fierce debate on social media Thursday among hackers and researchers. Hutchins’ defenders said law enforcement may have misinterpreted actions Hutchins took to find a way to protect against Kronos. Other industry insiders pointed to a trail of clues on Russian forums potentially implicating Hutchins.
Although in the real world, people and actions are not necessarily binary. The real world has a lot of grey.— Brian Greer (@Tekneek) August 3, 2017
In an interview with the Los Angeles Times in June, Kryptos Logic Chief Executive Salim Neino said he hired Hutchins in 2016 after discovering the surfer and computer hobbyist’s blog. Since 2013, Hutchins has written a couple of times almost every month about new viruses and attacks, though never about Kronos.
Neino called Hutchins’ skill and ethics impressive and put him in charge of a division at the small firm. Kryptos Logic acknowledged a request for comment Thursday but didn’t provide a statement.
Hutchins, who lives in England, was on vacation in May when WannaCry, a self-replicating worm, sped across the Internet, hijacking Windows machines. It locked files and demanded $300 to $600 for their release.
But Hutchins jumped online and by chance, he has said, found a way to effectively throw Kryptos Logic’s servers into the path of the oncoming attack. The tactic acted like a temporary kill switch, giving computer technicians enough time to inoculate their systems from becoming infected.
Hutchins’ effort led to collaboration with British authorities and others in the cybersecurity research community. Though a prominent blogger, his identity hadn’t been widely known until British tabloids revealed his name during the WannaCry incident.
Kryptos Logic’s Neino told Congress that Hutchins’ actions spared an estimated minimum of 10 million computers from infection. Hutchins drew an offer of year’s worth of free pizza from a British food-delivery service as well as praise and a bounty from the security industry. Hutchins said he would donate his financial reward to charities.
The indictment — handed down by a grand jury in the Eastern District of Wisconsin — redacts the name of a second defendant, who is accused of helping advertise, sell and update the Kronos malware. The undisclosed defendant posted a video explaining how hackers could infect computers with Kronos and also offered to sell the program for $3,000 on hacking forums, according to court documents.
Kronos was first made available online in early 2014, including on AlphaBay, a secret marketplace for buying drugs and other illicit items. Last month, the Justice Department seized AlphaBay, which could be accessed only through a special Internet browser that scrambles traffic.
Hutchins may have been unmasked during the AlphaBay investigation. When federal agents took down the service, they came into possession of its electronic records and may have been able to trace who was behind Kronos’ creation.
In a Twitter post last year, Hutchins pointed to AlphaBay as a place to buy cannabis. After the website’s shutdown, he wrote in a separate tweet, “They took a website offline, who cares?”
Hutchins also had posted on Twitter about Kronos, asking followers June 13, 2014, whether “anyone got” a sample of the program for research purposes.
Three days earlier, the undisclosed defendant conspiring with Hutchins had sold a copy of Kronos for $2,000 worth of digital currency, prosecutors say.
Kronos went on to affect consumers in Canada, Germany, Poland, France and the United Kingdom, among other countries, the Justice Department said.
Orin Kerr, a professor of criminal procedure and computer crime law at George Washington Law School, said prosecutors will be required to show for some of the charges “an intent to further the crime.” Prosecutors will have to show that Hutchins knew that the software would be used to aid in a crime. The act of selling malware alone in itself isn’t a crime, Kerr said.
5:10 p.m.: This article was updated to reflect that Hutchins scheduled court appearance was postponed.
3:30 p.m.: This article was updated with additional commentary from cybersecurity experts.
2 p.m.: This article was updated with additional details from the indictment and Hutchins’ past.
This article was originally published at 12:30 p.m.