It’s been a bizarre few months for Marcus Hutchins. In May, the 22-year-old single-handedly thwarted a global ransomware attack, stopping the spread of malware that had crippled large parts of the NHS. Today he finds himself in a Las Vegas court, charged with six counts of spreading malware himself. As Hutchins is probably asking himself right now: what the hell’s going on?
Hutchins was, until Wednesday at least, the very epitome of the reluctant hero. He was on holiday from his day job at security firm Kryptos Logic on Friday 12th May when he started seeing reports of a massive malware attack on the news. “I picked a hell of a f***ing week to take off work,” he tweeted from his MalwareTech account shortly afterwards.
He was soon back at his desk, rooting through a sample of the WannaCry ransomware code, when he spotted something interesting. The malware was querying an unregistered domain, or website address. Hutchins registered the address himself, inadvertently triggering the so-called ‘kill switch’ for the malware. Any computer infected with WannaCry would attempt to reach the website and, now that it existed, shut itself down rather than spreading further. Hutchins had saved companies worldwide from incalculable damage.
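The defender's side of that kill switch is worth seeing in code. Once the domain is live, every infected machine that runs the check will show up in DNS logs as a lookup of that name, which makes those logs a ready list of hosts that executed WannaCry and need cleaning. The following is an added example, not code from the article or from Hutchins; the log format and the kill-switch domain are placeholders I made up, since the article does not print the real domain.

```python
import re
from collections import defaultdict

# Placeholder: the article does not print the real kill-switch domain, so a
# fictional one stands in. Swap in the real domain (or your own sinkhole) in practice.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed DNS resolver log lines, not taken from the article or any real incident.
SAMPLE_DNS_LOG = """\
2017-05-12T14:02:11Z client=10.0.4.17 qtype=A name=www.example.org rcode=NOERROR
2017-05-12T14:02:13Z client=10.0.4.23 qtype=A name=killswitch-domain.example rcode=NOERROR
2017-05-12T14:02:14Z client=10.0.4.23 qtype=A name=killswitch-domain.example. rcode=NOERROR
2017-05-12T14:03:01Z client=10.0.7.9 qtype=A name=KILLSWITCH-DOMAIN.EXAMPLE rcode=NOERROR
2017-05-12T14:03:40Z client=10.0.4.17 qtype=AAAA name=mail.example.org rcode=NXDOMAIN
this line is malformed and must be skipped
"""

# One key=value record per line; the layout is an assumption for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) "
    r"name=(?P<name>\S+) rcode=(?P<rcode>\S+)$"
)


def normalize_name(name):
    """Lower-case and drop a trailing dot so 'Foo.Example.' and 'foo.example' compare equal."""
    return name.rstrip(".").lower()


def parse_dns_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["name"] = normalize_name(rec["name"])
            yield rec


def hosts_hitting_kill_switch(text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that looked up the kill-switch domain to the timestamps of its lookups.

    A host that queries this domain has executed the WannaCry check. With the
    domain registered the malware exits, but the host still ran the dropper
    and should be isolated and cleaned.
    """
    wanted = normalize_name(domain)
    hits = defaultdict(list)
    for rec in parse_dns_log(text):
        if rec["name"] == wanted:
            hits[rec["client"]].append(rec["ts"])
    return dict(hits)


if __name__ == "__main__":
    for client, times in sorted(hosts_hitting_kill_switch(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {len(times)} lookup(s), first at {times[0]}")
```

Name matching is case-insensitive and ignores a trailing dot because resolvers log fully qualified names both ways; without that normalisation the third sample host would be missed.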
Soon, however, Hutchins found himself the subject of unwanted attention. The press were camped on his doorstep at his home in Devon, and his face was on the front page of The Daily Mail, along with a picture of his house. This is a man who had just thwarted an international criminal gang. He’d prefer they didn’t know where he lived. “I knew 5 minutes of fame would be horrible but honestly I misjudge [sic] just how horrible,” he tweeted at the time. “British tabloids are super invasive.” He fled the country for a few days to let the fuss die down.
Not leaving Las Vegas
Hutchins soon returned to his day job, which is how he found himself in Las Vegas this week, attending the Black Hat and Def Con cyber-security conferences. His Twitter account reveals him going about his everyday life: moaning about the Las Vegas heat, showing off a new pair of shoes his boss had bought him, and whingeing about priority boarding at the airport. He issues his final tweet at around 7:30pm on Wednesday evening, just before he is due to board his flight. Except he doesn’t get on.
Friends first raise the alarm when he doesn’t start tweeting via the in-plane Wi-Fi, as he normally does. The concern is amplified when his mother calls a friend to report that her son hadn’t arrived in London on Thursday morning as expected. Friends begin checking with the authorities, and one discovers that he’s being held at the Henderson Detention Center in Nevada.
An eight-page indictment emerges. A grand jury has charged Hutchins with conspiring with an unnamed other to create, transmit, advertise and sell the Kronos malware – a piece of malware that was used to steal bank login details from people’s computers. There are a number of specific charges, including offering to sell the trojan for $3,000 on an internet forum in August 2014, and several subsequent attempts to do likewise. If found guilty, US legal experts say he potentially faces decades in jail.
Surely some mistake? That’s the theory of fellow British security researcher Kevin Beaumont, who’s been defending Hutchins on Twitter. He’s tweeted screenshots showing a text file hidden inside the Kronos malware, which actually credits someone called “cvorksxy” with writing the malware.
This is Kronos builder, it looks like the US justice system has made a huge mistake. pic.twitter.com/2WGQVjFgED
— Kevin Beaumont (@GossiTheDog) August 3, 2017
Sure, that proves nothing in itself. But if Hutchins was behind Kronos, he was certainly hiding in plain sight. On July 13 2014, Hutchins tweeted: “Anyone got a Kronos sample?”
Anyone got a kronos sample?
— MalwareTech (@MalwareTechBlog) July 13, 2014
The indictment states that, on that very same day, “a video showing the functionality of the Kronos Banking trojan was posted to a publically available website. Defendant [unnamed] used the video to demonstrate how Kronos worked”. Have the US authorities confused someone sending a demo of Kronos to Hutchins with a conspiracy to spread the malware itself?
Hutchins is due to appear in court in Las Vegas later today and the expectation is he won’t be bailed. It may be some time before we get answers.
In the meantime, more than $140,000 worth of the ransoms paid during the WannaCry attack have just been removed from their online wallets. Something very odd is going on.
To read more about how Hutchins thwarted the WannaCry attack, buy this month’s PC Pro magazine.