Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden "kill switch" for the malware, has been arrested by the FBI over his alleged involvement in another malicious software targeting bank accounts.
According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015.
The Kronos malware was spread through emails with malicious attachments such as compromised Microsoft word documents, and hijacks credentials like internet banking passwords to let its user steal money with ease.
[...] Hutchins, better known online by his handle MalwareTech, had been in Las Vegas for the annual Def Con hacking conference, the largest of its kind in the world. He was at the airport preparing to leave the country when he was arrested, after more than a week in the the city without incident.
Grauniad source: Briton who stopped WannaCry attack arrested over separate malware claims
Also covered by the BBC: NHS cyber-defender Marcus Hutchins charged in US.
Update: Detention quickly turned to arrest and indictment. Also at NPR, Motherboard, and the L.A. Times.
Previously: "Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS
WannaCrypt Ransomware Variant -- Lacking Kill Switch -- Seen in Wild [Updated]
(Score: 0) by Anonymous Coward on Friday August 04 2017, @06:11PM (8 children)
The claim that Hutchins spotted a hidden kill switch in WannaCry always sounded fishy. Perhaps he had some other familiarity with that code.
(Score: 4, Insightful) by Anonymous Coward on Friday August 04 2017, @06:31PM (5 children)
AFAIK, the claim wasn't that he spotted it, but that he accidentally activated it. Apparently, he registered the domain that WannaCry was pinging which somehow stopped it from working. You don't need any familiarity with the code to run Wireshark and register a domain.
(Score: 2, Interesting) by Anonymous Coward on Friday August 04 2017, @07:05PM (4 children)
You don't need familiarity. But knowing more about the code than you let on would certainly help you be first to register the domain, emerge as a internet security hero, and rake in some business.
(Score: 0) by Anonymous Coward on Friday August 04 2017, @07:34PM (3 children)
If you wanted to make money out of the security gig, why would you say, you oopsed into it?
Seems counter productive.
Doesn't really sell your skills to say "I was messing about with it and it fell apart, lol”
(Score: 0) by Anonymous Coward on Friday August 04 2017, @07:56PM (1 child)
Because you had to act fast to get the domain, which didn't leave time to plausibly deconstruct the code. The main goal is to get your name in the news.
(Score: 2) by frojack on Friday August 04 2017, @10:22PM
You don't have to deconstruct the code, you just have to know wireshark.
I imagine he might have an extensive tool set since this is what he did for a living.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Friday August 04 2017, @08:17PM
If this was "legitimate" malware, why did the authors include such a dumb kill switch? You would use public-key cryptography and keep the private key secret.
(Score: 3, Insightful) by FakeBeldin on Friday August 04 2017, @09:12PM (1 child)
Perhaps </wild speculation>, but that has nothing to do with why he was detained.
He was detained in suspicion of connection to a banking trojan (Kronos).
Just to be clear: WannaCry was ransomware. Ransomware is not a banking trojan.
I also saw (can't find link now) a comment by a security chap stating that some of the things a security guy fighting malware would do in the normal course of events could look a lot like being a bad guy to someone not seeing the whole picture. For example, asking for a sample of a piece of malware -- kind of essential if you want to analyse it for weaknesses,... or if you want to buy it.
(Score: 1, Interesting) by Anonymous Coward on Friday August 04 2017, @09:49PM
Sure, it's all speculation. But it's also strange that so many WannaCry bitcoins moved [cointelegraph.com] right after Hutchins' arrest. If you read the grand jury indictment [npr.org], it seems like the feds nailed someone else for Kronos, and he/she is pointing the finger at Hutchins as the author. Hero syndrome [wikipedia.org] is a thing.