Marcus Hutchins free for now as infosec world rallies around suspected banking malware dev
WannaCry ransomware killer due in court August 14
British security researcher Marcus Hutchins was released on Monday from a Nevada jail after posting bail. He is now on his way to Milwaukee to face charges of selling malware online.
Hutchins, 23, who shot to fame after finding a way to kill off the WannaCry ransomware outbreak that crippled parts of Britain's National Health Service, was arrested last week just before he boarded a plane home to the UK from the US. He had been visiting Las Vegas for the BSides, Black Hat and DEF CON hacking conference season.
A Sin City court granted Hutchins bail of $30,000 on Friday. However, the decision came at 3.30pm local time, and his attorney wasn't able to make it to the bail office to pay the money before it closed at 4pm. As a result, Hutchins spent the weekend in jail – but has now posted bail.
The FBI has accused Hutchins of writing, updating and selling the Kronos banking trojan between 2014 and 2015. He and an unnamed associate alleged made a few thousand bucks selling the malware-as-a-service on dark web markets.
Hutchins was nabbed by the Feds on Wednesday, and was held for more than 24 hours at an FBI field office without access to a lawyer or any contact with his family before the Department of Justice announced he'd been arrested. In court, the FBI claimed that, during interrogation without an attorney present, Hutchins confessed to writing some malware code. Indeed, as a computer security expert, Hutchins, aka MalwareTechBlog on Twitter, has published harmless proof-of-concept malware source code on his website for research purposes.
The Brit is now making his way to Milwaukee, where the indictment that led to his arrest was filed on July 12. He is scheduled for his next court appearance on Monday, August 14, and is under onerous bail conditions – no internet access and being forced to wear a GPS tag and surrender his passport.
Hutchins denies any wrongdoing. He faces a possible 40 years in prison if found guilty.
"Cybercrime remains a top priority for the FBI," said special agent in charge Justin Tolomeo. "Cybercriminals cost our economy billions in losses each year. The FBI will continue to work with our partners, both domestic and international, to bring offenders to justice."
Cops have screwed the infosec pooch
The technology community has rallied around Hutchins – a fundraising webpage has already gathered more than $12,000 in contributions to help foot his legal fees. Hutchins is a widely respected member of the UK security community and his arrest has sparked shock and a lot of anger.
"I am withdrawing from dealing with the NCSC [UK National Cyber Security Centre] and sharing all threat intelligence data and new techniques until this situation is resolved," said fellow UK researcher Kevin Beaumont.
"This includes through Cyber Security Information Sharing Partnership. Many of us in the cybersecurity community openly and privately share information about new methods of attacks to ensure the security for all, and I do not wish to place myself in danger."
Beaumont is not alone in this. Several researchers The Register has spoken to are also putting a hold on cooperating with law enforcement for the time being, while they see how this case develops.
The FBI's heavy-handed approach, and the continuing impasse over the Wassenaar Arrangement, have made researchers extremely leery about having anything to do with law enforcement, wrecking a concerted campaign by the authorities to woo more hackers into helping them keep the internet safer for all. ®