WannaCry cyber attack hero Marcus Hutchins charged with creating banking malware

According to federal investigators, in 2014 and 2015, Marcus Hutchins wrote the Kronos malware, advertised it for sale in online hacker forums and split thousands of dollars in profits with at least one other defendant. BLOOMBERG

SAN FRANCISCO (Bloomberg) - A self-taught computer-security researcher, credited with stopping a devastating cyber attack that crippled British hospitals in May, was arrested on charges that he created malware used to hack banking systems in Canada and Europe, the United States said.

Marcus Hutchins, who started blogging under the pseudonym MalwareTech when he was a teenager, was arrested on Wednesday in Las Vegas, the Justice Department said in a statement.

Court documents unsealed on Thursday showed he was indicted in July on several charges of computer misconduct relating to the creation and distribution of the Kronos banking Trojan, a type of malicious programme that steals usernames and passwords for banking websites from infected machines.

"We are aware of the situation. This is a law enforcement matter and it would be inappropriate to comment further," the UK National Cyber Security Centre said in a statement.

Hutchins' arrest came as a shock to the cyber security industry, which was just coming off its biggest week of the year, the Black Hat and Def Con conferences in Las Vegas. Hutchins had attended both.

Among white-hat security researchers, who hack technologies to find ways to fix them, Hutchins was a hero. They hailed his quick thinking in neutralising the WannaCry ransomware just hours into a fast-spreading attack in May that threatened not just computer systems but also potentially lives.

WannaCry infected about 300,000 computers in 150 countries, locking users out unless they paid a ransom in bitcoin. Victims included the UK's National Health Service, whose hospitals were disrupted, as well as FedEx Corp, Nissan Motor and Renault.

Hutchins found a clever way to stop the attack: he registered an Internet domain that was hard-coded in the malware. Before spreading, each infected machine checked whether it could reach that domain and halted if it could, so registering the unclaimed domain turned it into a "kill switch" for the malware.
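The following is an added example, written for this page and not code from the article or from the malware itself, that models the kill-switch logic described above and shows how a defender would use DNS logs to find hosts that tripped it. The domain name, the resolver callables and the log lines are all constructed placeholders, not the real kill-switch domain or real traffic. It also shows the caveat a practitioner cares about: the gate is fail-open, so a host that cannot reach the domain for any reason (it is unregistered, blocked, or the check is made from behind a proxy that the malware does not use) still runs the payload.

```python
"""Model of a WannaCry-style kill-switch gate plus a DNS-log check for hosts hitting it.

Added example for this page; not the malware's code.  KILL_SWITCH_DOMAIN is a
hypothetical placeholder, and the log lines below are constructed sample data.
"""
import re
from typing import Callable, Iterable, List

KILL_SWITCH_DOMAIN = "example-killswitch.invalid"  # hypothetical placeholder domain


def should_proceed(reachable: Callable[[str], bool], domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Return True if the malware would continue, False if the kill switch stops it.

    `reachable` stands in for the malware's connection attempt.  The gate is
    fail-open: an unreachable domain, or any error while checking, lets it run.
    """
    try:
        return not reachable(domain)
    except Exception:  # network error, no route through a proxy, etc.
        return True


def no_proxy_route(_domain: str) -> bool:
    """Simulates a host whose only egress is a proxy the check does not use."""
    raise ConnectionError("direct connection blocked; proxy not consulted")


def scenarios() -> dict:
    """Outcome of the gate before and after the domain is registered."""
    return {
        "before_registration": should_proceed(lambda d: False),      # unregistered: runs
        "after_registration": should_proceed(lambda d: True),        # registered: halts
        "after_registration_behind_proxy": should_proceed(no_proxy_route),  # still runs
    }


# Constructed DNS query log: timestamp, source IP, query type, name, response code.
SAMPLE_DNS_LOG = [
    "2017-05-12T10:31:02Z 10.0.0.17 A example-killswitch.invalid NXDOMAIN",
    "2017-05-12T10:31:05Z 10.0.0.23 A updates.example.com NOERROR",
    "2017-05-12T10:31:09Z 10.0.0.42 A example-killswitch.invalid NXDOMAIN",
    "2017-05-12T10:31:11Z 10.0.0.17 A example-killswitch.invalid. NXDOMAIN",
    "2017-05-12T10:31:15Z 10.0.0.58 A example-killswitch.invalid.example.com NOERROR",
    "malformed line that the parser must skip",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def hosts_querying(lines: Iterable[str], domain: str = KILL_SWITCH_DOMAIN) -> List[str]:
    """Source IPs that looked up the kill-switch domain exactly (not a superstring of it).

    An NXDOMAIN answer means the query was made before the domain was registered;
    either way the host executed the malware's check and should be triaged.
    """
    hits = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, src, _qtype, qname, _rcode = m.groups()
        if qname.rstrip(".").lower() == domain.lower():
            hits.add(src)
    return sorted(hits)


if __name__ == "__main__":
    print(scenarios())
    print(hosts_querying(SAMPLE_DNS_LOG))
```

The exact-match comparison in `hosts_querying` matters: a lookalike name that merely contains the kill-switch domain is not a hit, while a trailing dot from a fully qualified name is. Run against real resolver logs, the same function gives the list of internal hosts that executed the malware, which is how sinkhole data is turned into an incident host list.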

Eva Galperin, director of cyber security for the Electronic Frontier Foundation (EFF), said the San Francisco-based legal advocacy group is trying to reach out to Hutchins.

The Kronos link

"The EFF is deeply concerned about the arrest of Marcus Hutchins," said Jeanne Carstensen, a spokesman for the group. "We are looking into the matter, and are reaching out to Hutchins."

According to federal investigators, in 2014 and 2015, more than a year before the WannaCry outbreak, Hutchins wrote the Kronos malware, advertised it for sale in online hacker forums and split thousands of dollars in profits with at least one other defendant, whose name was redacted in the indictment.

Kronos is one of many widely used banking Trojans. Hutchins is accused of supplying the malware, not of breaking into people's computers to install it himself.

Tor Ekeland, a US attorney who specialises in cyber crime, told the BBC on Friday that Hutchins faces six felony charges, with up to 40 years in jail.

"It seems to be suggesting that writing software of this type is a felony, which is highly problematic for the information software industry as a whole," he said.

The arrest appears linked to the FBI's shutdown of a notorious online criminal marketplace called AlphaBay, where Hutchins is accused of selling the Kronos malware. The Justice Department announced late last month that it had dismantled the site, which it said had 200,000 users and 40,000 sellers.

The site had hundreds of thousands of listings for drugs, guns, fake IDs and hacker tools. The alleged founder, a 26-year-old Canadian living in Thailand named Alexandre Cazes, was found dead in his jail cell shortly after his arrest, in an apparent suicide.

The language in the indictment and timing of the allegations suggest that federal investigators used information they learnt in the probe of AlphaBay to build the case against Hutchins, who became a reluctant celebrity after news outlets published his real name - "doxing" in hacker parlance - following his WannaCry intervention.

His arrest coincides with a conclusion of sorts for the WannaCry attacks. On Thursday, three bitcoin wallets linked to the malware were emptied, with the coins split into smaller amounts and sent to other bitcoin addresses. The wallets held a combined 52 BTC, or about US$140,000 (S$190,600).
