WannaCry researcher arrested for allegedly developing Kronos malware

A noted security researcher has been arrested by the FBI, as first reported by Motherboard. Marcus Hutchins (better known as MalwareTech) appears to have been stopped by the FBI yesterday afternoon as he prepared to board a flight from Las Vegas back to his home in London. Hutchins was in the US for the Black Hat and Defcon security conferences, although he did not present any research.

Hutchins was arrested for his role in “creating and distributing the Kronos banking trojan,” according to a federal indictment against him and an unnamed co-defendant. Kronos was a malware program that harvested online banking credentials and credit card data, first discovered in July 2014.

According to friends, the first clues came when Hutchins failed to text from the airport. “He was radio-silent before his flight which is very unusual,” one friend told The Verge, “and he wasn’t on the Wi-Fi on the plane.”

Hutchins’ most recent tweet was posted just after 4PM, shortly before he was due to board his flight home. He was expected to contact his mother when he arrived in London, but as of this afternoon, she still does not know his whereabouts. Hutchins’ friends have reported he is currently located in the FBI’s Las Vegas field office, although The Verge was unable to confirm his location.

Hutchins is best known for his role in combatting the WannaCry ransomware, which caused significant damage to the UK’s National Health Service and shut down nearly 75,000 computers worldwide. Examining the malware’s code, Hutchins discovered a domain that, when occupied, would prevent the program from infecting new machines. That so-called “Kill Switch” allowed Hutchins to effectively disable the malware just a day after it made headlines. Notably, the Bitcoin wallets associated with WannaCry were cashed out earlier today, although the movement does not appear related to the arrest.

The bulk of the evidence in the indictment concerns Hutchins’ unnamed co-defendant, who is believed to have provided instructions for using the malware on YouTube and listed it on various underground marketplaces. Hutchins is charged only with creating the malware, and there is little indication of why agents believe he is responsible. Twitter activity indicates Hutchins may have been researching the Kronos malware during that period.

The timing of the arrest may have been related to the recent AlphaBay takedown. The indictment alleges that Kronos was listed and sold on AlphaBay, with the unnamed co-defendant advertising and maintaining the malware. The takedown left federal agents in possession of significant transaction records from the previously anonymous marketplace, which may have provided a new way to trace back Kronos’s creators.

Update 3:14PM: Updated with further detail from the indictment.