WannaCry-slayer Marcus Hutchins 'built Kronos banking trojan' – FBI

Shock as Brit cuffed in Vegas – now he's accused of developing account-draining nasty

Marcus Hutchins
Free and loading in Las Vegas ... Hutchins in happier times – last week, in fact (Source: NorthSec)

Marcus Hutchins, the British malware researcher who killed off the WannaCry ransomware outbreak, was arrested in Las Vegas on Wednesday on suspicion of being a malware writer himself.

Hutchins, aka MalwareTechBlog on Twitter, was collared after attending the DEF CON hacking conference in Nevada, US, last week. FBI agents nabbed the 23-year-old at Sin City's airport yesterday as he was preparing to fly back home to Blighty after a summer break of fast cars, gun ranges, and hacker parties.

According to a grand jury indictment distributed today by US prosecutors, Hutchins is accused of crafting, sharing, and masterminding the Kronos bank-account-raiding Trojan between July 2014 and July 2015.

The heavily redacted court document alleges Hutchins is the creator of Kronos, and updated the code in February 2015 with a co-conspirator, who made a helpful video on how to use the malware. Soon after this article was published, the original YouTube vid was removed. A copy is embedded below.

Youtube Video

The partner is also accused of advertising the Kronos nasty on hacker forums, selling at least one copy for around $2,000, and offering to sell another to a third party for $3,000. The US government also claims that on June 11, 2015, Hutchins himself intentionally sold attack code in America.

The six-count indictment was filed in the Eastern District of Wisconsin on July 12 of this year. Hutchins' accused conspirator has had his or her name and details redacted. This will either be because the Feds have yet to collar the suspect, or that the person has turned informer and the agents are looking to protect their sources.

Kronos was an evolution of the infamous Zeus malware, which silently infected PCs and pillaged victims' online bank accounts around the world. Crooks would buy copies of Kronos, spread it across the internet via spam or booby-trapped downloads, and then pocket the cash siphoned from infected victims. It was reportedly selling for $7,000 apiece and advertised itself as being able to:

  • Rip people's online banking credentials from Internet Explorer, Firefox and Chrome on Windows machines.
  • Fend off rival Trojans and avoid detection using a 32- or 64-bit rootkit.
  • Bypass antivirus and unspecified sandboxing.
  • Establish encrypted command and control communications.

The way the malware was packaged was also quite advanced. For a $1,000 deposit, criminals could try a version of it out before buying, and its operators offered a host of add-on modules and support services.

Strangely, Hutchins tweeted the following on July 13, 2014 – the same day the above video was posted, adding a further twist to the plot. Why would he ask for samples of Kronos, malware he is accused of developing?

The long arm of the law

Hutchins is – of course – presumed innocent until proven guilty. And don't forget that grand juries are indictment-issuing machines, so the fact that one has been produced isn't proof of any wrongdoing. His friends have been quick to defend him, saying he is a virus researcher, not a virus developer. There appears to be nothing concrete, as yet, that links Hutchins to the Russian-language forum posts that advertised Kronos back in 2014.

However, if these allegations are true then it's a stunning fall from grace. Mere months ago, he was hailed as a hero for discovering and activating what was effectively a kill switch in ransomware that crippled the UK's NHS and numerous companies around the world.

The manner of his arrest is also interesting. While Britain has an extremely favorable extradition treaty with the US – thanks to Tony Blair bending over backwards to accommodate his buddy George Bush – it appears the Feds decided not to go that route.

Instead they let him come to them, and chose to arrest him at the end of his stay, when his electronic equipment would have been packed full of information he had gleaned during his visit. An airport is also a controlled environment in which to collar a suspect.

It's speculated Hutchins, a reverse engineer who worked remotely for California-based Kryptos Logic, was nabbed in conjunction with the Feds shutting down the dark-web souk Alphabay, where Kronos was once sold, in early July. That operation may have helped investigators unmask the Trojan's masters, alleged to be the Brit resident and citizen.

Hutchins now faces an extended stay in the US, and he is right now being held at the FBI field office in Las Vegas. He is due to be arraigned in the next couple of hours. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017