WannaCry-slayer Marcus Hutchins 'built Kronos banking trojan' – FBI

Marcus Hutchins, the British malware researcher who killed off the WannaCry ransomware outbreak, was arrested in Las Vegas on Wednesday on suspicion of being a malware writer himself. Hutchins, aka MalwareTechBlog on Twitter, was collared after attending the DEF CON hacking conference in Nevada, US, last week. FBI agents …

  1. Rafael Moslin

    Guess he upset a lot of bad guys stopping that attack...

    1. danR2

      bad guys...

      I haven't heard that many banksters were unduly inconvenienced.

    2. Anonymous Coward

      Or he is responsible for wannacry and panicked, and cooked up a story about finding the kill switch - that he coded...

      Sounds credible. He also posted diversionary post to Twitter about Kronos.....

      I wonder how many other "security researchers" aren't what they appear; pretty much every other day we have a story from another unknown "expert".

      1. Graham Dawson Silver badge

        Or - and I hate that the world has made me this cynical - wannacry was cooked up by the NSA or some other US TLA and now they're getting a bit of payback for it being shut down so quickly.

        The incompetence, malice and pettiness of US spy orgs all have precedent.

      2. streaky

        Sounds credible.

        It sounds fucking absurd honestly. Not to say it couldn't be true but it sounds absurd.

        1. Anonymous Coward

          Never underestimate the absurdity of the Universe.

          1. FromTheRoot

            An interesting twist on what you said would be if the Earth turned out to be flat, hence no "Universe"

        2. FlamingDeath Silver badge

          Absurdity is not a measure of truth, as has been shown with the 9/11 commission, the Warren Commission, and many many other whitewashes in history.

          What AC is suggesting makes a lot of sense to me. If I were an arsonist, surely the best cover I could have is that of a firefighter?

          I'm not saying he is correct, just saying it sounds credible

          1. Anonymous Coward

            You haven't seen Backdraft?

            1. MyffyW Silver badge

              It's a measure of our paranoid times that one's instincts are to simultaneously doubt the integrity of the suspect, the law enforcement authorities and the medium through which news is communicated.

      3. Mark 85

        Sounds credible. He also posted diversionary post to Twitter about Kronos.....

        Might or might not be right. I remember the controversy when Kaspersky first popped up and the rumors because his AV was detecting new viruses that no one had ever seen before. Time will tell....

      4. roytrubshaw

        "Sounds credible."

        Sounds more like F.B.I. S.O.P. I.e. when investigating a highly technical crime, find the nearest foreign expert and arrest them.

      5. Anonymous Coward

        Seems more than just credible to me.

        He got the kicks from creating it.

        He got the publicity and hailed as an international hero from stopping it

        AND he got the ransom cash as well.

        What more could a cyber criminal want?

        1. Anonymous Coward

          AND he got the ransom cash as well.?

          he was soliciting ideas on twitter for giving the cash away to deserving causes...may even have done so in a less cynical world....

    3. Anonymous Coward

      After reading the indictment, I kind of wonder if he's in touch with Snowden, and they are trying to get at Snowden through him. Or someone similar to Snowden.

      Seems awfully easy to allege that people left digital footprints around the scene of a digital crime - especially a threat researcher whose JOB is to snoop around digital crimes. Of course his digital footprints are going to be all over digital crime scenes.

      Either that or they've got him dead to rights. One or the other. But even if he did the crime, I wouldn't be shocked to find that this is an attempt to get him to roll over on someone like Snowden who is a bigger fish for them.

      1. streaky

        Yeah, it's nothing to do with Snowden.

        1. Anonymous Coward

          re: Sounds credible.

          Thank fuck it takes more than that to convict.

        2. Anonymous Coward

          @streaky - "Yeah, it's nothing to do with Snowden."

          Yeah, you're right - they don't need more evidence or a new witness against Snowden. They just need Snowden himself.

      2. Anonymous Coward

        I wouldn't be shocked to find that this is an attempt to get him to roll over on someone like Snowden who is a bigger fish for them.

        Pardon my ignorance, but what is there to be had on Snowden? The world pretty much knows what he had, and where he lives is also not so terribly protected that there would not be a way to get to him without too many problems.

        By the way, the way the Russian relationships are deteriorating I would pardon Snowden right now before the Russians decide to consider him a sufficiently useful source of information to "invite" his cooperation.

  2. bombastic bob Silver badge

    no good deed goes unpunished

    and the corollary: it only takes one "AW, SHIT" to un-do a zillion "Atta Boy"s (that's how I remember the phrase from when I was in the Navy)

    1. PJF

      Re: no good deed goes unpunished

      Is the world going to heck?!

      That's twice in less than 12 hours that I've given B.Bob an up!

      1. John Brown (no body) Silver badge

        Re: no good deed goes unpunished

        "Is the world going to heck?!"

        No idea. Is that somewhere near hell?

    2. Prst. V.Jeltz Silver badge

      Re: no good deed goes unpunished

      one "AW, SHIT" to un-do a zillion "Atta Boy"s

      sounds like my career

      1. Florida1920

        Re: no good deed goes unpunished

        sounds like my career

        Join the club. I took over ownership of a popular site on Sunday. Atta-boy. Tonight I blew it up. Ooops. Fortunately, it's back up. Fortunately, it's doubtful the g-men noticed, and I'm far from home anyway. To really foul up in this business all you need is a laptop and wi-fi.

  3. danR2

    Also Wannacry?

    I've read the indictment, and it looks solid. It would be odd for a dedicated hacker-for-money to stumble over just the solution to another criminal exploit, let alone play 'save-the-day' hero. At least I can't recollect the like.

    1. MattPi

      Re: Also Wannacry?

      "I've read the indictment, and it looks solid. It would be odd for a dedicated hacker-for-money to stumble over just the solution to another criminal exploit, let alone play 'save-the-day' hero. At least I can't recollect the like."

      If I remember one of the interviews, he was investigating it and noticed it tried to contact a domain that didn't exist (as a measure for the malware to detect if there was a transparent proxy on the network watching it). He registered the domain to see what would happen and somewhat accidentally killed off the spread because all the new copies now thought they were being watched and shut down.

      That seems like a pretty normal thing to do for someone who enjoys reverse-engineering code, or a way for a dedicated black hat to learn new tricks and keep up with the technology.

      1. danR2

        Re: Also Wannacry?

        '...he was investigating it' reminds me of the time I stole a pocketknife from the store, buried it in the public right-of-way beside the road, and then went and told my mother about the knife I 'found'. She gave me an instantaneous, level-gazed, 'cool story' "Where did you get that knife, Danny?" reply and I was quickly sent off to return it to the store. With an apology.

        1. Graham Dawson Silver badge

          Re: Also Wannacry?

          He's a security consultant. It's quite literally his job to "investigate" malware. Unless you were a retail theft prevention consultant, your childhood escapade isn't remotely comparable.

          1. Ian Johnston Silver badge

            Re: Also Wannacry?

            "He's a security consultant"

            With qualifications and clients and professional indemnity insurance? Or is he a "consultant" like every dopey sloane with a camera is a "photographer"?

        2. I3N

          Re: Also Wannacry?

          Timmy Turner: Uhh ... Internet

      2. Blotto Silver badge

        Re: Also Wannacry?

        If he's a security guy and noticed it trying to get to a non-existent domain he must have seen it do a DNS lookup. The easiest and quickest way to determine what it would do would be to add an entry in his hosts file and point the domain to a webserver in his own LAN, not go to the lengths of paying for and registering a domain with an odd name then create an internet facing webserver and point the domain at it. Turns a 5 min job into a few hours at minimum and at some cost. If after testing in the home lab he discovered it rendered the attack null then great, buy the domain, put your server on it and tell the world.

        There is something a little off with this.

        1. Anonymous Coward

          Re: Also Wannacry?

          Or ...

          You see it is trying to contact this oddly-named domain, so you check to see who that belongs to and discover it is unregistered.

          Do you a) snap it up yourself because that might be fun / useful / lucrative or b) just leave it for someone else to find ?

          And if you pick a) why not then use the real-world domain and capture all the traffic to it and not just whatever you have locally active (if you have anything locally active) is sending?

          It doesn't seem all that off to me.

        2. Midnight

          Re: Also Wannacry?

          "There is something a little off with this."

          There sure is. I think you should look at changing the vendor you purchase domain names from, as it really shouldn't take "a few hours minimum" to sign in to a control panel, type or paste in a domain name, check the box that says "Yes please put this domain on the same domain name servers I always use" and then push a button to buy it. It's a five minute job at most, and that includes typing your password wrong four times and swearing a bit before you turn Caps Lock back off. And if you're concerned about the cost, which is less than the price of buying warm drinks for the entire team one time, you can typically 'return' the domain a few days later and end up paying nothing.

          What you may be missing is that checking in with a mysteriously named domain is a fairly common technique for malware to use, and that it is not unusual to take control of expired, unregistered or cancelled domains to 'sinkhole' them, effectively shutting down an entire botnet by not only removing its central command and control facility but also redirecting the C&C traffic to a friendly site where you can keep tabs on botnet infections and activity. The value isn't just in stopping a single infection on your local network, but also in seeing what every other infected host in the world is doing, so taking a few minutes to register a domain and point it to your existing sinkhole server is a reasonable thing to do.

          This is exactly what MalwareTech described in his original write-up of WannaCrypt ( https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html ), and he includes some data he was able to collect on global and regional infection rates through the sinkholed domain.

          It may seem odd if you're not familiar with modern botnet hunting, but what MalwareTech did wasn't that unusual.
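The sinkhole workflow Midnight describes (register the domain, point it at a sinkhole web server, then read the log to see which hosts worldwide are checking in) as an added example; this is not code from the thread or from MalwareTech's write-up. It assumes the sinkholed domain is served by a web server writing Apache "combined" access logs; every address, user agent and log line below is constructed, and the prefix-to-region table is a stand-in for a real GeoIP lookup.

```python
"""Summarise the access log of a sinkholed malware domain.

Added example, not code from the comment thread or from MalwareTech's
write-up. Assumes Apache "combined" access logs; all addresses, user
agents and log lines are constructed, and REGION_PREFIXES stands in for
a GeoIP database.
"""
import re
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# One Apache "combined" log line: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed: scanners and crawlers hit any public host and must not be
# counted as infections.
NOISE_UA = re.compile(r"scanner|crawler|bot", re.IGNORECASE)

# Constructed stand-in for a GeoIP database (documentation prefixes only).
REGION_PREFIXES = {
    ip_network("203.0.113.0/24"): "region-A",
    ip_network("198.51.100.0/24"): "region-B",
}

# Constructed sample log lines for the sinkholed domain.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2017:15:08:01 +0000] "GET / HTTP/1.1" 200 12 "-" "Example-Beacon/1.0"
198.51.100.7 - - [12/May/2017:15:08:03 +0000] "GET / HTTP/1.1" 200 12 "-" "Example-Beacon/1.0"
203.0.113.10 - - [12/May/2017:15:09:15 +0000] "GET / HTTP/1.1" 200 12 "-" "Example-Beacon/1.0"
192.0.2.44 - - [12/May/2017:16:01:40 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; SomeScanner/2.1)"
198.51.100.9 - - [12/May/2017:16:02:05 +0000] "GET / HTTP/1.1" 200 12 "-" "Example-Beacon/1.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(
        fields["ts"], "%d/%b/%Y:%H:%M:%S %z"
    ).astimezone(timezone.utc)
    return fields


def region_of(ip_text):
    """Map a source address to a region via the constructed prefix table."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return "invalid"
    for net, region in REGION_PREFIXES.items():
        if ip in net:
            return region
    return "unknown"


def summarise(log_text):
    """Count distinct beaconing hosts, when each was first seen, and hourly/regional totals."""
    first_seen = {}
    hits_per_host = Counter()
    noise = malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        if NOISE_UA.search(rec["ua"]):
            noise += 1
            continue
        ip = rec["ip"]
        hits_per_host[ip] += 1
        # Keep the earliest timestamp even if the log is not sorted.
        if ip not in first_seen or rec["ts"] < first_seen[ip]:
            first_seen[ip] = rec["ts"]
    hourly_new = Counter(ts.strftime("%Y-%m-%dT%H:00Z") for ts in first_seen.values())
    by_region = Counter(region_of(ip) for ip in first_seen)
    return {
        "unique_hosts": len(first_seen),
        "first_seen": {ip: ts.isoformat() for ip, ts in first_seen.items()},
        "hits_per_host": dict(hits_per_host),
        "hourly_new_hosts": dict(sorted(hourly_new.items())),
        "by_region": dict(by_region),
        "noise_lines": noise,
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE_LOG), indent=2))
```

Counting distinct source addresses rather than raw hits is what makes the "infection rate" figures meaningful: a single infected host may beacon repeatedly, and NAT means one address can hide several machines, so the numbers are a lower bound on hosts and an upper bound on nothing.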

          1. Blotto Silver badge

            Re: Also Wannacry?

            All that vs editing a host file entry and spinning up a vm in a sand boxed environment?

            Ok

    2. Anonymous Coward

      Re: Also Wannacry?

      Hacking Munchausen By Proxy

    3. streaky

      Re: Also Wannacry?

      I've read the indictment, and it looks solid

      Me too, it looks like a list of claims and zero evidence. Given how clueless US agencies are I'm more prepared to believe his friends who say it's mistaken identity - plus how stupid would you have to be..

      1. GrapeBunch

        Re: Also Wannacry?

        I upvoted you, but I'm not sure. "clueless" ... "stupid" ... it could just be a nefarious way to get something they really want. And if the dates are right, they knew they wanted it before the Las Vegas convention, but after Marcus became an accidental hero. They'll certainly be looking for other things in any electronic equipment he might have been carrying (didn't we all agree last month not to carry equipment to USA?), or if there's no data, they could add it. His safest option was to have not been carrying any equipment.

        So, are there any safe countries in which to reside--and be a hacker not employed by a government? Perhaps Russia, but maybe not, if you are the wrong flavour.

        1. streaky

          Re: Also Wannacry?

          didn't we all agree last month not to carry equipment to USA?

          We did indeed.

          Re: stupid. I meant him - if you'd pulled that then decided to pootle about in the US at a hacker con you're just asking for threats of 10 lifetimes unless you confess.

          It sounds unlikely. If you do this sort of thing you wouldn't be stupid enough to draw attention to yourself with either the malware cited or with wannacry. You just wouldn't. Unless you're a world class moron.

      2. waldo kitty

        Re: Also Wannacry?

        "Given how clueless US agencies are [...]"

        ummm... remember, all this so-called evidence is given to a/the Grand Jury... they are the ones that say "yay or nay" on these things... these folks are common every day john and jane does who likely don't have the first clue about these things to start with... just talk with some random on the street and see what kind of answers you get for the most common computer, internet and security related topics... clueless? yeah, to say the least... the GJ is definitely not a jury of peers... if this case goes to trial, it is highly doubtful that the court will even be able to find any true peers, peers that fully know and understand the aspects of so-called hacking and computer/internet security...

      3. mrobaer

        Re: Also Wannacry?

        The indictment is just the final result, you know, what happened *after* the jurors heard testimony and were presented with (apparently) sufficient evidence to indict on those charges.

      4. Aodhhan

        Re: Also Wannacry?

        Grand juries aren't a bunch of idiots. These are professionals with doctorate degrees who look at what evidence has been gathered so far to make a decision on prosecution.

        The fact he's being held without bond is quite telling in itself... with monitoring technology today, this is rarely done even if there is a slight flight risk. Likely there is information and damages from this along with other items which have yet to be released and will likely have a closely monitored and quiet discovery process.

        While he is innocent until proven guilty, it doesn't look good for him. What floors me, is the amount of people who come out defending him with very little knowledge of it. I wonder how liberal they'd be if he was responsible in any way of draining their bank account.

        There are plenty of sick self-absorbed individuals who will write or in this case modify malware, let it run its course, then come in and play hero of the day.

    4. Anonymous Coward

      I've read the indictment, and it looks solid.

      And if so, why not arrest him on entry, instead of waiting for him to leave? To access any data it may have collected, or people met at DefCon?

      1. Prst. V.Jeltz Silver badge

        Re: I've read the indictment, and it looks solid.

        "And if so, why don't arrest him on entry, "

        I think you answered your own question , as did the article

      2. Anonymous Coward

        Re: I've read the indictment, and it looks solid.

        well reading his tweets for the last few days he had his wallet stolen including credit card in Las Vegas and commented that he wasn't sure why they only took a wallet with little cash and left the phones. Perhaps they needed access to his credit card data before arresting him? Just a thought.

    5. Dan 55 Silver badge

      Re: Also Wannacry?

      The indictment has no evidence whatsoever, which is what's important. At the moment it reads like the Brexit white paper before starting negotiations.

      There is a real chance that years of this guy's life could be wasted in the US.

      1. This post has been deleted by its author

        1. GovAge

          Re: Also Wannacry?

          Well Googled :). The 323 million that is.

      2. JohnG

        Re: Also Wannacry?

        "There is a real chance that years of this guy's life could be wasted in the US."

        I predict he will be offered a plea bargain and threatened with years on remand, away from his homeland, his home and his family, if he doesn't comply. (As I understand it, he has not yet had access to a lawyer or contact with his family, so I guess the bullying is in progress). If they win, the FBI can then claim to have solved a major international crime by pinning it on johnny foreigner.

    6. Anonymous Coward

      Re: Also Wannacry?

      I've read the indictment, and it looks solid. It would be odd for a dedicated hacker-for-money to stumble over just the solution to another criminal exploit, let alone play 'save-the-day' hero. At least I can't recollect the like.

      Err, no. Those are statements, assertions. Until there is evidence to prove such assertions they are but noise, and the guy remains innocent until formally convicted by a judge.

      Or, in other words, you can't judge this from the accusations. You need the facts and their context. It could be that the FBI simply found his IP address when he was researching malware and is trying to make this into all the evidence they need for a conviction, it could be that someone is seeking to deflect a crime onto him to get a reduced sentence themselves (which again requires solid evidence).

      Until we see the actual facts that underpin this case, there should be no other assumption than innocence. That's how it works.

      1. Bluto Nash

        Re: Also Wannacry?

        Until we see the actual facts that underpin this case, there should be no other assumption than innocence. That's how it works.

        That's how it's supposed to work. YMMV

    7. Anonymous Coward

      Re: Also Wannacry?

      Why would it be odd? Security hackers find stuff that shouldn't be there all the time, that's their job. Mark Russinovich found the Sony rootkit way back when. That came about from him purchasing a Sony music CD with it on.

      1. Anonymous Coward

        Re: Also Wannacry?

        That's what the outward story looked like at the time. Scratch below the surface, and it's far more deliberate. Russinovich worked for Microsoft, who were battling with Sony and needed the internet to start hating them. Cue a shill who "bought a CD", a blog post, and an army of Microsoft viral marketing hate..

        If you believe this was an accidental discovery, then I have some magic beans to sell you....

  4. ashley.harrison

    He was probably asking for a sample because he was trying to figure it out and reverse engineer it so it could be stopped. He does that shit for a living!

    1. danR2

      Apparently he does other thing for a living as well.

      Yes. It just happened to be him. What I'm insinuating is a development from my presumption of the solidity of the indictment, which I've read at length.

      1. Graham Dawson Silver badge

        Re: Apparently he does other thing for a living as well.

        The indictment is a statement of charges. It doesn't contain evidence - indictments don't deal with evidence, but merely claims of unlawful activity. As such it's about as solid as a politician's promise.

        1. CrazyOldCatMan Silver badge

          Re: Apparently he does other thing for a living as well.

          solid as a politician's promise

          And we know where politician promises come from. Especially the ones generated after eating a Phal curry from "Honest Abduls Curry House" where only mystery meat is used..

      2. Doctor Syntax Silver badge

        Re: Apparently he does other thing for a living as well.

        "What I'm insinuating is a development from my presumption of the solidity of the indictment, which I've read at length."

        Did your reading include any evidence? I didn't see any. We don't know why he's been fingered as the author of Kronos and until we do we can't work out whether it's a sensible chain of reasoning or has any supporting evidence. Until we get those details I'll carry on wondering why someone with that high a profile would go anywhere near the US if he actually the author of a banking trojan.

        1. Anonymous Coward

          Re: Apparently he does other thing for a living as well.

          Until we get those details I'll carry on wondering why someone with that high a profile would go anywhere near the US if he actually the author of a banking trojan.

          Yes, until any actual facts arrive it looks more like attempted forced enlisting - maybe his normal consultancy fees were a tad too high for the FBI? This way they don't need to apply for an H1B either..

        2. Gordon Pryra

          Re: Apparently he does other thing for a living as well.

          " I'll carry on wondering why someone with that high a profile would go anywhere near the US if he actually the author of a banking trojan."

          He's only 20 odd, still immortal...

      3. Anonymous Coward

        Re: Apparently he does other thing for a living as well.

        What I'm insinuating is a development from my presumption of the solidity of the indictment, which I've read at length.

        Yes, lovely long words. That still doesn't mean you have a clue - there isn't a single FACT in there. Until such time as there is evidence supplied that stands up to close scrutiny, the chap is to be deemed innocent.

      4. Doctor Syntax Silver badge

        Re: Apparently he does other thing for a living as well.

        "the indictment, which I've read at length."

        If you think that the few pages of the indictment constitute "at length" you should avoid going near bookshops. The shock might be too much.

        1. Fred Flintstone Gold badge

          Re: Apparently he does other thing for a living as well.

          If you think that the few pages of the indictment constitute "at length" you should avoid going near bookshops. The shock might be too much.

          It's for this sort of sarcasm I come here. Wonderful.

          :)

    2. From the States

      Or else he was trying to throw the dogs off the track.

      He could have done that to make it look like it wasn't him or to see if others had figured it out.

      Whatever the case, one hopes if he is truly innocent, he is found not guilty and vice-versa.

      1. JLV

        Re: Or else he was trying to throw the dogs off the track.

        >vice-versa

        Agree. I'd also add that, if he is innocent, I hope he gets cleared relatively quickly and doesn't suffer huge financial losses and stress defending his innocence. That's probably an unrealistic hope, but still.

        On the positive side, he has enough profile and goodwill that his trial will receive a lot of attention. If the G-men have a case they'll have to make it in full and won't be able to cut corners.

        Remember though that Kronos itself is not a prank hack, like defacing whitehouse.gov or whatever. Whoever built it, whether Marcus or not, should burn. And that's another reason the FBI needs to make an airtight case: if an innocent man gets jailed, the real criminal gets away.

      2. This post has been deleted by its author

  5. Anonymous Coward

    At some point we'll find out that Wannacry was written by a covert NSA group that was using it to fund other illegal ops and this is just their form of payback.

    1. tom dial Silver badge

      I expect better quality than WannaCry from my NSA.

      1. streaky

        I expect better quality than WannaCry from my NSA.

        The NSA hires people who don't know that printers watermark documents, I think you expect too much..

        1. tom dial Silver badge

          Incorrect in part. NSA hires contractors whose employees sometimes are untrustworthy, careless, and possibly clueless. In addition to Reality Leigh Winner, there also is the example of Harold Martin III, who is charged with taking home a half terabyte or so of classified program code. Neither provides a basis to disparage the code of what Martin took or that released through Shadow Brokers.

          The WannaCry code, by various reports, was not well thought out including, but not limited to, the "kill switch."

    2. phuzz Silver badge

      Well, Wannacry was written using some of the NSA exploits that had leaked earlier, so you're at least half right.

  6. Anonymous Coward

    "I've read the indictment"

    I have too, and it seems they may have thought that the accounts malwarertech (probably the bad guy) and malwarertechblog (the good guy) were the same, somehow.

    1. waldo kitty

      Re: "I've read the indictment"

      "it seems they may have thought that the accounts malwarertech (probably the bad guy) and malwarertechblog (the good guy) were the same, somehow."

      ummm... they are... MalwareTech is a GoodGuy<tm> and MalwareTechBlog is his twitter account for his blog... same guy, two different twitter accounts... depending on what you want in your feed, you follow one or the other or both...

  7. Anonymous Coward

    Tin foil hat time.

    He stopped a virus from decimating the nhs which all along was the plan so it could be run by corporations.

  8. Anonymous Coward

    This is how US justice works; they collar someone for a crime and then offer a deal on sentencing if they agree to plead guilty & testify against one or more "bigger" fish - irrespective of the guilt of said pescatorial victims. Benefits to everyone involved, other than any collateral damagees, but hey, eggs & omelettes..

    1. Anonymous Coward

      >This is how US justice works

      And the US military. "Oops, we managed to kill 60 people at a wedding. But one of them might have been a terrerrist, honest!".

      Or, as someone somewhat earlier said "Caedite eos. Novit enim Dominus qui sunt eius."

  9. OliP

    Innocent or guilty, he's pretty fucked being on that side of the pond.

    I wish him fair representation

    1. Anonymous Coward

      I'm sure Bubba will help him adapt to prison life.

      1. Amorous Cowherder

        "I'm sure Bubba will help him adapt to prison life."

        Ha ha, yeah 'cos prison rape is just so damn funny!

        1. Anonymous Coward

          Ha ha, yeah 'cos prison rape is just so damn funny!

          It is to Bubba..

          You really need your humour settings tuned to this forum.

          1. Rich 11

            I think you're the one in dire need of recalibration.

            1. Prst. V.Jeltz Silver badge

              da ja vu!

              Haven't we had this exact discussion before?

              <clickety>

              Yup

              1. Sir Runcible Spoon

                Re: da ja vu!

                Apart from the sheer crudity of the attempted humour (plus its age) I think you'll find most people here won't find this amusing since many of us work in the field and the thought "but for the grace of God, there go I" springs to mind.

                Even with all my security clearances I'm going nowhere near the US - who knows what they might conjure up just for shits and giggles. If there were any way to object and get legal representation etc. then it might be worth a risk - but this is the country where the Police are routinely stealing from tourists to fund their military hardware purchases and training.

                Fuck No, thank you very much.

                1. Anonymous Coward

                  Re: da ja vu!

                  Even with all my security clearances I'm going nowhere near the US - who knows what they might conjure up just for shits and giggles.

                  It is exactly BECAUSE of my security clearances, rights of access and other fun things I've been up to that I will no longer consider any visit to the US. I take my duty of confidentiality very seriously, and because I know way too much about direct and indirect intercept there is no way I will place myself in a position where a border guard with a Hitler complex would steal data off me or try to plant anything subversive.

                  On the plus side, I must give them full marks for innovation. Surrounding the country with a ring of idiots as a barrier is not a bad idea, it keeps them both employed and out of the way.

                  It's just a shame they put one in the White House too :(.

              2. Anonymous Coward

                Re: da ja vu!

                Haven't we had this exact discussion before?

                Yes, I had to look it up as well. I like to change sides every so often, just to keep things interesting.

                Although I don't think rape is funny in any context (not just in prison), I think that no executive would worry about jail time if it was the sort of locked-down executive suite it is in some countries - they're used to being in an office anyway. However, the potential of being placed with an intimidating inmate who prefers a bit more direct physical benefits package is more likely to worry them.

                So, do I like prison rape? No. Do I like suggesting it may happen to keep the fear potential of incarceration at a useful level? Oh yes. I want people who are thinking about inflicting misery on millions for personal gain from their high rise office to fear getting shipped to a place where dropping their soap in the shower is really not a good idea, so they don't. There are still too many getting away with that as it stands.

  10. cysec

    Framed

    I think he's been framed by the authors of wannacry...... wait I forgot it was the feds own 'stolen' software that led to wannacry..maybe that's what pissed them off....the feds better have their facts right...

    1. Anonymous Coward

      Re: Framed

      Yes, I was wondering too if he was framed. On the other hand, there were a number of reports that he wasn't exactly happy with the attention that accompanied his accidental killing off of Wannacry.

      I personally thought it stupid to broadcast the "mistake" made with the code because that made it certain that "feature" would be removed in the next iteration, but it could be his personal aversion to publicity that tipped off the Feds to take a look at him.

      In that case I'm in trouble too - I don't like being in the news either, that's what got me into privacy in the first place. I work with a number of people who know the price of fame and you can keep it as far as I'm concerned.

  11. Scoured Frisbee

    Serious question - is it illegal to sell exploit software? I mean, I wouldn't want to be the buyer, but for some reason I thought the sale of such stuff was actually legal.

    1. patrickstar

      The problem in this case (and the other similar cases that have been prosecuted) is that it was sold specifically for looting bank accounts. You could presumably build software with most if not all functionality identical without any crime being committed if done differently.

    2. monty75

      No idea about US law but here in the UK you could be prosecuted under section 3A of the Computer Misuse Act 1990 if you know or suspect that the exploit is to be used in the commission of an offence http://www.legislation.gov.uk/ukpga/1990/18/section/3A

    3. Doctor Syntax Silver badge

      "is it illegal to sell exploit software?"

      Conspiracy charges would cover it if all else failed.

      1. CrazyOldCatMan Silver badge

        Conspiracy charges would cover it if all else failed.

        Or tax fraud. If it's good enough for Al Capone..

        1. Sir Runcible Spoon

          In America you apparently only have to glance at the person committing a crime to be generously provided with the same kind of jail sentence.

          I don't recall what the fucked up legislation is called, but it's apparently there to fill all the privately owned bank accounts prisons.

          1. waldo kitty
            Holmes

            In America you apparently only have to glance at the person committing a crime to be generously provided with the same kind of jail sentence.

            if you know what they are doing and you don't report it, you can be considered an accessory...

            I don't recall what the fucked up legislation is called, but it's apparently there to fill all the privately owned bank accounts prisons.

            the term you are looking for is "accessory after the fact" and it requires that you know that "the act" was illegal and you didn't report it...

            there is also "accessory before the fact" which means that you knew about the act to be committed and you didn't report it... this one may also carry additional conspiracy charges if you participated...

            1. Anonymous Coward
              Anonymous Coward

              Hang on - you didn't mention "accessory to the actual act in progress". So the bit in between is OK?

              :)

    4. cyclical

      There is an in-depth analysis by the Washington Post here - https://www.washingtonpost.com/news/volokh-conspiracy/wp/2017/08/03/the-kronos-indictment-it-a-crime-to-create-and-sell-malware/?utm_term=.9b4ed7645cea

      tl;dr version: possible, but they have to prove a lot of things that are hard to prove, i.e. was Kronos a 'device' capable of 'wiretapping', and a bunch of 'intent' type things.

    5. Anonymous Coward
      Anonymous Coward

      In the UK you could fall foul of the Computer Misuse Act Section 3A 'Making, supplying or obtaining articles' with prison sentences of up to 2 years or a fine.

  12. a_yank_lurker

    What's that aroma?

    Something does not pass the smell test. But I cannot quite get the feel for what it is. Given the feral's propensity for hunting scalps and other slimy antics, I would not be surprised they are not after a pound of flesh from the first convenient target they can find.

    1. Vladimir Plouzhnikov

      Re: What's that aroma?

      Oh, you have a serious problem with ferals down there? Awww...

      1. a_yank_lurker

        Re: What's that aroma?

        yes

    2. Anonymous Coward
      Anonymous Coward

      Re: What's that aroma?

      I don't know. Despite all the noise I'm still inclined to believe that the FBI does at least its homework. Local cops, yes, I can see them playing stupid games but the FBI is supposed to be a better class of law enforcement.

      They have an indictment which suggests there is data somewhere, but the whole purpose of taking him in is to see if their data indeed matches the facts. I just hope they're still man enough to admit they got it wrong if they find the guy was framed, because that's quite viable in the security world.

  13. Anonymous Coward
    Anonymous Coward

    Porn in the woods

    Did he find it or did he place it?

    We'll probably never really know.

  14. Amorous Cowherder

    Hmmm....

    I think it's a natural human instinct to want to see the downfall of a hero; a sad but true facet of human nature is jealousy. We can speculate all we wish but in the end it's up to a court of law to decide, hopefully in a fair and just way, although this will be held in the US and the only way to secure a fair trial is to have very deep pockets.

    I suspect, as another poster has said, this guy probably isn't guilty of much but has grubby fingers from poking in too many pies and the US gov wants to use him to nail some bigger fish; the only way to do that is to hold him long enough to pin something minor on him and get him to squeal a little. He'll probably end up with the equivalent of some 18 month suspended sentence and sent on his way in a year or two with a proviso to never enter the US again.

  15. Winkypop Silver badge
    Coat

    Possibility of US prison?

    That'd make anyone WannaCry!

    I'll get my prison-issue coat.

    1. TRT Silver badge

      Re: Possibility of US prison?

      Putting the penitentiary into pen test.

      1. Anonymous Coward
        Anonymous Coward

        Re: Possibility of US prison?

        Ask Bubba.

  16. Steve Davies 3 Silver badge

    This will end in one of two ways

    1) He spends the next 300+ years locked up in some fed rathole

    2) He spends the rest of his life helping the Feds write super unbreakable Wannacry/Kronos stuff.

    The Feds will throw the book at him at the start and then his legal team (more likely a wet behind the ears public defender) will do a deal to get to 2).

    There is a moral to this but it contains so many sweary words that I'd get banned for posting it.

    Quite why he went to the USA in the first place is beyond me.

  17. John Smith 19 Gold badge
    Coat

    Clearly guilty as charged under the "All-furriners-are-up-to-something-cause-there-furrin" Act

    Which is surely going through Con-gress as we speak. *

    As others have pointed out, where is the evidence?

    *As soon as its sponsors run it through the clever backronym generator package they've just bought.

  18. Arachnoid
    Thumb Up

    Sounds like an FBI Honey trap to me........

    Invite them to DEF CON, collect evidence from other attendees, then arrest the perp on the way out.......

  19. Anonymous Coward
    Anonymous Coward

    Let's say for a minute he did write the kronos banking trojan.

    Would he really go to America?

    Would he really make himself known with regards to wannacry?

    Would he work in the industry he does?

    Also, as he is a foreigner why did they file in court to arrest him? I thought we had zero rights in America.

    1. DasWezel
      Facepalm

      "Would he really make himself known with regards to wannacry?"

      Let's be honest, he didn't. He got doxed by the Daily Torygraph. (https://esist.tech/2017/05/15/doxing-the-hero-who-stopped-wannacry-was-irresponsible-and-dumb/)

      Who incidentally released this gem today with no sense of irony whatsoever (http://www.telegraph.co.uk/news/2017/05/14/revealed-22-year-old-expert-saved-world-ransomware-virus-lives/)

      Bastards.

  20. nuked
    Trollface

    FTFY

    thanks to Tony Blair bending over backwards forwards

  21. Anonymous Coward
    Anonymous Coward

    What's the delay?

    The guy's been in custody for over twenty four hours - why hasn't Simon Baron-Cohen "diagnosed" Asperger's yet?

    1. Anonymous Coward
      Anonymous Coward

      Re: What's the delay?

      He's too busy looking at your fuckwit syndrome.

      1. Anonymous Coward
        Anonymous Coward

        Re: What's the delay?

        Bless. Have you seen that he now "diagnoses" murderers and not just hackers?

        http://www.southwalesargus.co.uk/news/14950783.USK_MURDER_TRIAL__Accused__has_Asperger___s_syndrome_/

        Because, not content with giving the impression that everybody with Asperger's is a paranoid hacker, he's now apparently happy to give the impression that they are all potential murderers as well.

      2. Anonymous Coward
        Anonymous Coward

        Re: What's the delay?

        If "fuckwit syndrome" existed, you can bet that there would be a psychologist somewhere ready to diagnose it in return for a defence lawyer's cheque.

  22. Anonymous Coward
    Anonymous Coward

    I think it's def mistaken identity. But it's also possible they want to try and force him to work for them (I've probably been watching too many Hollywood movies). Leaving it till the end of Black Hat in the hope they can get info from the conference from him.

    1. phuzz Silver badge

      If they wanted him to work for them, they could have just waited until he got home to the UK and had GCHQ go round and have a quiet word (maybe commenting on how nice his mum's house is, and what a shame it would be if it was repossessed).

      Or maybe that's the second part of the plan. The FBI scares him, and then when he eventually does get home, our security services have a quiet word, deploring the heavy-handedness of the cousins, and coincidentally offering him a job...

      1. Anonymous Coward
        Anonymous Coward

        @phuzz

        phuzz wrote: "If they wanted him to work for them, they could have just waited until he got home to the UK and had GCHQ go round and have a quiet word (maybe commenting on how nice his mum's house is, and what a shame it would be if it was repossessed)."

        But according to the Bloody Stupid Telegraph, (who doxxed him in the first place), under headline "IT expert who saved the world from ransomware virus is working with GCHQ to prevent repeat" claims he was already working with GCHQ ...

        FWIW - I wonder if he would have quietly & safely returned to England had it not been for the Bloody Stupid Telegraph's Bloody Stupidity ... thanks to 'DasWezel' above for the excellent link, worth repeating https://esist.tech/2017/05/15/doxing-the-hero-who-stopped-wannacry-was-irresponsible-and-dumb/

        I have not read the indictment, as this article also has excellent analysis, IMHO

        https://www.washingtonpost.com/news/volokh-conspiracy/wp/2017/08/03/the-kronos-indictment-it-a-crime-to-create-and-sell-malware/?utm_term=.30c89d671f12

        1. Doctor Syntax Silver badge

          Re: @phuzz

          "I have not read the indictment, as this article also has excellent analysis, IMHO"

          That analysis seems to be written on the lines of "assuming he can't prove he didn't do it this is the best line of defence". If he didn't do it I'm sure he wouldn't want to be forced to rely on that as it would pretty well end his career.

  23. Slx

    Proportionality ...

    It’s a very strange case and the allegations do not seem to fit, when you consider his public-spirit-motivated shutdown of WannaCry. I suppose we will start to hear the detail of the allegations in the coming days.

    My major concern is that if someone is convicted of something like this in the USA, the sentences are usually absolutely disproportionate and you can expect something that carries insane amounts of prison time, in what is one of the harshest regimes in the developed world.

    It’s a very strange world at times!

    Whatever happens, I hope he’s getting good legal support and backup from the UK Foreign Office and that they have not just capitulated to whatever it is the US asked for, based on the UK government’s desperation for a trade deal after shooting themselves in both feet with Brexit.

    1. RealBigAl

      Re: Proportionality ...

      "I hope he’s getting good legal support and backup from the UK Foreign Office and that they have not just capitulated to whatever it is the US asked for, based on the UK government’s desperation for a trade deal after shooting themselves in both feet with Brexit."

      This'll be the best joke of the day, and it's early in the day.

    2. Boris the Cockroach Silver badge
      Big Brother

      Re: Proportionality ...

      The reason for the huge sentences in the US is twofold:

      1. Is to get the perp to squeal in return for a reduced sentence

      2. because the US still relies on the for profit prison industry to supply it with cheap labour... why else would over 2 million people be locked up in the 'free' USA

      1. Doctor Syntax Silver badge

        Re: Proportionality ...

        "1. Is to get the perp to squeal in return for a reduced sentence"

        s/perp/accused/

  24. werdsmith Silver badge

    I would fear that people are discouraged from actually working actively against malware, as it becomes too hot to touch lest you get the finger pointed at you.

  25. Mark M.

    Arrested on way home?

    I'm willing to bet here that he upset someone with senior fed connections at some point during the DEFCON and they told a pile of wild porkies to the FBI in order to ruin Hutchins' day and reputation. Why else would he be charged before he left the USA and not when he set foot on US soil.

    1. BrianW

      Re: Arrested on way home?

      "Why else would he be charged before he left the USA and not when he set foot on US soil."

      So they could surveil him and get to know all of his contacts in the USA that were at Defcon.

  26. NWOSecurity

    Marcus Hutchinson indictment

    Hi Guys,

    The actual indictment is here guys for those that are interested.

    https://www.documentcloud.org/documents/3912520-Marcus-Hutchinson-Indictment.html

    1. John G Imrie

      Re: Marcus Hutchinson indictment

      Interesting. Is it usual to redact the name of the foreperson of the grand jury who has drawn up the charges?

      1. Anonymous Coward
        Anonymous Coward

        Re: Marcus Hutchinson indictment

        Jury members' identities might be kept secret for the duration of the case to avoid influences on the jury.

        I suspect in the case of high profile IT related cases, there might be a concern about doxing or general harassment - as opposed to bribery or threats - among other things.

  27. RealBigAl

    What it's most likely to do is discourage non-U.S. domiciles from attending security conferences in the U.S.

    Maybe that's the plan.

  28. Citizen99

    UK-US extradition

    " The manner of his arrest is also interesting. While Britain has an extremely favorable extradition treaty with the US – thanks to Tony Blair bending over backwards to accommodate his buddy George Bush – it appears the Feds decided not to go that route. "

    Perhaps because Theresa May (Home Secretary at the time) grew some balls and refused to extradite McKinnon (I think it was) (?)

  29. Tom Paine
    Unhappy

    Hutchins is – of course – presumed innocent until proven guilty.

    As @GrahamCluley pointed out -- it's "innocent UNLESS proved guilty".

    The only other thing I'll say is that this news makes me sad, and that I wouldn't wish the US legal system on anyone. Well, apart from the Trump regime.

  30. Anonymous Coward
    Anonymous Coward

    Really ?

    If he did write the code then he's clearly not very good at it.

    AC because there's too many hackers out there to get you.

  31. ukgnome

    I guess this is what happens when you interrupt a CIA operation

  32. Anonymous Coward
    Anonymous Coward

    Could be a new hiring technique

    Get jailed or join our team. I remember from tech news just a few years ago that powerful 3-letter-agencies are scouting talented malware writers and debuggers at black hat conferences. Maybe filing a case first against their prospective new hire would force the geek to join their secretive org without any package and benefits negotiations.

    1. Anonymous Coward
      Anonymous Coward

      The spy who got wet?

      Could this be a twist on "The spy who came in from the cold"?

  33. Anonymous Coward
    Anonymous Coward

    dont employ lionel hutz

    He needs to watch out for the old ruse of signing something that says he is innocent of being not guilty.

  34. Seven_Spades

    What are his chances of getting bail?

  35. This post has been deleted by its author

  36. JJKing
    Black Helicopters

    US law enforcement would never wrongly go after someone.

    @ac Thank fuck it takes more than that to convict.

    Maybe you should ask Aaron Swartz about that.....

    RIP Aaron.

  37. OliP

    its incredible you still call it a justice system over there

    we treat animals better....

    1. Jamie Jones Silver badge

      careful....

      Don't get complacent. Our governments in the UK would do most of this given half a chance.

      Don't forget all our internet comms are now logged without warrant, and we have more cctv per person than the usa...

  38. CaitlinBestler

    Why not wait and extradite?

    What was so urgent that they had to arrest him at the airport?

    Did they have any reason to doubt that Britain would extradite him after they issued a thoroughly vetted indictment?

    This at the minimum suggests to me that the prosecutors are not confident in their case.

  39. Claptrap314 Silver badge

    Would it make sense to arrest him right before BlackHat or after? If you do it before, the arrest becomes a major topic of conversation at the conference. And there's already a serious long spoon relationship there.

    Do you try him in the US or Britain? I seriously doubt that the FBI would proceed without a significant back-channel discussion with their equivalents. That depends on several things. Where are the witnesses? Which legal environment is better (for the prosecution)? Which team has evidence that they can disclose without compromising important secrets? Of course, if the real goal is simply to roll the guy, then certainly he can expect a warm reception when he returns home.

    You only receive a public defender if you convince a judge that you lack the means to hire your own attorney. (Source: I've seen judges make that determination.) Unless they froze his bank accounts, that won't be an issue. And if they DID, there will be a gofundme that will do just fine.

    I certainly agree that it is entirely possible that this is some sort of petulant behavior on behalf of one of our TLAs, or someone well-connected to them. OTOH, this case is going to have the attention of the entire security research industry. Thirty years ago, the five eyes probably could have blown this off. Not any more.

    My wild speculation? If he strongly protests his innocence, then there will be a very large group of highly experienced and talented people looking to demonstrate that innocence by figuring out who the actual author is. And whoever succeeds gets a significant career boost. And makes the FBI look like chumps. The FBI knows this.

    I expect that the FBI really believes that they have him. It's one thing to have a technically adversarial relationship with the security community. It's another to go to war.

  40. Anonymous Coward
    Anonymous Coward

    What a laugh...

    I like the line in this story that alleges that Blighty willingly extradites crims to the U.S. Nothing could be further from the truth. In fact the real truth is that the UK is a sanctuary for digital crimes and Blighty is unwilling to extradite these digital crims to the U.S. as history has demonstrated.

    It has been known for years that some so called "white hats" who fight digital crime during their day job may be found wearing a "black hat" when not at work to create malware. IMNHO this is akin to a "bad cop" who violates the law. Any rogue "white hat" that violates law should receive double the normal punishment for tarnishing their trade/industry rep while committing a crime or multiple crimes. If Hutchins is guilty of the alleged crimes, he'd get a slap on the wrist at the most in Blighty instead of 20+ years in prison and massive fines and mandated repayment to those whose funds were stolen.
