Marcus Hutchins, the British WannaCry Hero, Could Face 40 Years in a US Prison
Marcus Hutchins, the 23-year-old security expert, could face over four decades in a US prison after the FBI arrested him while he was on board a flight to his home in London. The US government has indicted him for creating and advertising Kronos, a banking trojan, between July 2014 and July 2015.
Anyone got a kronos sample?
— MalwareTech (@MalwareTechBlog) July 13, 2014
MalwareTech (Hutchins) faces six charges of helping to create, spread and maintain Kronos
Designed to steal financial details, Kronos was first spotted in 2014, when it was being advertised on Russian forums for as much as $7,000. The indictment claims that MalwareTech created the Kronos banking trojan and charges him with six counts of helping to create, spread and maintain the trojan:
- Conspiracy to violate the Computer Fraud and Abuse Act;
- Three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices;
- A count of wiretapping;
- And a count of violating the Computer Fraud and Abuse Act through accomplice liability – basically, aiding and abetting a hacking crime.
Better known as MalwareTech in the infosec community, the security researcher was in the country for the Black Hat and Defcon conferences in Las Vegas. According to his friends, he was arrested at Las Vegas’s McCarran International Airport on Wednesday afternoon after he had checked in for his flight.
Priority boarding so you can add to the time you’re sat on a plane that is nowhere near ready to fly
— MalwareTech (@MalwareTechBlog) August 2, 2017
The Feds have said that the arrest is not linked to the WannaCry ransomware case, in which MalwareTech played an almost heroic role, putting an abrupt stop to its growth. It is likely that the latest takedown of the AlphaBay dark net marketplace helped law enforcement connect Kronos to Hutchins. His indictment claims that he had advertised Kronos on AlphaBay.
Hutchins is now due to appear in court later today, where he could plead not guilty and get out on bail. However, legal experts believe he will probably be refused bail since he is a foreign national and could be considered a flight risk.
“The maximum statutory sentence he could face is decades, roughly 40 years,” Tor Ekeland, a US lawyer, said while talking to the Telegraph. “Would he get that? I doubt it, it would be a bizarre outcome. Is it possible? It sure is.”
If he pleads guilty, however, he could get a shorter sentence of five to ten years.
Criminals behind WannaCry just emptied their bitcoin wallets
Hutchins rose to fame in May this year when he inadvertently put a stop to the WannaCry ransomware that had crippled nearly 300,000 machines, including NHS systems. He was awarded $10,000 for his efforts, which he donated to charity.
Whether he is proven guilty or not, the move to arrest a security researcher who was in the country to attend a conference, and who has previously helped law enforcement at the risk of leaking his identity, is going to affect any future collaboration between the white hat community and the US government.
I hope whatever the Feds think @MalwareTechBlog did was worth burning their good-will in the white hat community.
— ra6bit (@ra6bit) August 3, 2017
Critics warn that the arrest will send a bad message to the cybersecurity community. “They’ve sent a really bad message that even if you help the US Government stop a worldwide major malware attack and save people millions of dollars and potentially saved lives, you could be arrested because someone you supposedly associated with supposedly sold malware for $2,000,” Ekeland added.
FBI needs to explain this asap! Allowing this to happen in secret causes major harm to US infosec circles. Unbelievable chilling effects.
— Chris Vickery (@VickerySec) August 3, 2017
However, the indictment doesn’t mean that the FBI has all the proof, as legal experts believe that the charges are very thin. The Department of Justice also reminded the public that the “indictment contains only charges and is not evidence of guilt.” “The defendant is presumed innocent and is entitled to a fair trial at which the government has the burden of proving guilt beyond a reasonable doubt.”
All of this is happening at a time when WannaCry culprits have been emptying their bitcoin wallets. Over $140,000 that was raised in ransom was withdrawn from the three associated bitcoin wallets this week. It is still unknown who withdrew the money.