On Wednesday, a celebrated UK security researcher was stopped at the Las Vegas airport and taken into federal custody. According to law enforcement, Marcus Hutchins (better known as MalwareTech) was responsible for developing a major banking trojan — a serious allegation that could result in years of jail time. Hutchins most recently drew popular attention for his pivotal role in containing the WannaCry malware, a ransomware worm that locked up nearly 75,000 systems worldwide. Hutchins’ arrest came just days after he’d attended Defcon, the largest hacking conference in the world, where he had been riding high on his newfound reputation as a hero.
The allegations have stunned Hutchins’ friends and colleagues, but it’s still unclear how much evidence there is to support them. The indictment primarily focuses on a co-defendant whose name remains under seal, and the document throws very little light on Hutchins’ involvement. In the wake of the arrest, much of the security community has rallied to Hutchins’ defense, digging up circumstantial evidence surrounding the allegations. But the lack of information from the government combined with the unearthing of Hutchins’ less-than-savory activities as a teenager has thrown the community into a state of confusion.
White hat or black hat?
In the wake of the arrest, observers uncovered old IRC logs connected to Hutchins’ previous username. The logs paint the young Hutchins, who would have been about eighteen at the time, as a low-level black-hat hacker playing with bots and scripts. He boasts of being involved in the market for malicious code, but he never says explicitly that he sells any, and none of the logs link him to the banking trojan Kronos.
The story of a young, immature black hat who goes legitimate over the years is hardly a new one. Kevin Mitnick, one of the earliest and most prominent targets of the Computer Fraud and Abuse Act, currently works as a security consultant. The idea that white hats naturally start out as teenage black hats is widespread in the community. The vague indictment and the unearthing of Hutchins’ past create a kind of Rorschach blot for observers: in the absence of more facts, it is just as easy to see Hutchins as a martyr as it is to see him as a criminal.
“He wouldn't take any payment at the time.”
In the days since his arrest, the 23-year-old Hutchins has been shuttled between a series of federal facilities in Las Vegas. On Friday, Hutchins’ bail was set at $30,000, with the condition that he surrender his passports, remain on house arrest, and not use the internet. Hutchins remained in jail over the weekend, although his bond is expected to be paid on Monday. Friends have already launched a crowd-funding campaign to raise money for his legal defense. Hutchins’ public defender noted in an earlier hearing that he had “cooperated with the government prior to being charged,” although it’s unclear exactly what that cooperation entailed.
Among Hutchins’ friends, the primary reaction has been disbelief. While Hutchins first drew popular attention for his pivotal role in containing the WannaCry malware, he had been a beloved figure in the security community for years, known for his curiosity and talent. Rendition Security’s Jake Williams worked with Hutchins during the same period of time named in the indictment, and says he finds it difficult to believe the young researcher could have been coordinating a criminal enterprise during those months.
“We traded malware samples and research,” Williams told The Verge. “He helped out with an educational program I was working with by providing some code. He wouldn't take any payment at the time, which is incongruous with the charges levied now.”
“Nobody builds an entire malware suite from scratch.”
There’s little doubt that Kronos itself was malware. First spotted on Russian cybercrime forums in July 2014, the program was designed to harvest banking credentials: it waited until a target logged into a banking site and captured the username and password from inside the browser, before the data was encrypted and sent. Known as a banking trojan, that kind of malware has proven very popular among online criminals, and Kronos was far from the first or the largest. It emerged in the wake of the larger Zeus banking trojan, which authorities believe was responsible for as much as $70 million in losses.
Kronos was widely cracked and re-distributed, and like most coding projects it drew heavily on existing code, which makes it difficult to tell exactly which elements Hutchins is believed to have developed. While broadly similar to Zeus, Kronos also drew on the leaked source code of a lesser-known program called Carberp, according to early Kaspersky research. It also included desktop-sharing components that may originally have been developed for non-malicious use. If Hutchins was responsible for those components, he may have written code that ended up in the malware without knowing it.
“It's not clear which parts of Kronos he actually is accused of writing,” says Errata Security researcher Robert David Graham, who has worked on similar software components in the past. “Nobody builds an entire malware suite from scratch.”
The Indictment
Of course, this is all speculation, since the grand jury indictment is so thin on the details. The criminal complaint against Hutchins, which will present more detail on the charges, remains under seal. The only details the indictment provides are in Count 1, which alleges that Hutchins and his co-defendant engaged in a conspiracy to “knowingly cause the transmission” of code that would intentionally “cause damage without authorization” to over ten computers—a felony under the Computer Fraud and Abuse Act of 1986.
But that part of the indictment focuses mostly on overt acts by Hutchins’ co-defendant, whose name remains under seal. (An “overt act” is an action taken in furtherance of a conspiracy; at least one must be alleged to support a conspiracy charge, and the list is meant to show the defendants’ participation.) Little is known at this time, but the pattern may be an indication that the co-defendant is cooperating with the government and has offered evidence of Hutchins’ involvement in the creation and sale of the Kronos malware.
Some see Hutchins as collateral damage in a larger prosecution
The indictment alleges that in July 2014, the co-defendant used a video on a “publicly available website” to show how to use the “Kronos Banking trojan.” The following month, the co-defendant offered to sell the trojan on an internet forum for $3,000. In April 2015, the co-defendant advertised the malware on AlphaBay, the dark web marketplace that was recently seized by federal law enforcement. In June of that year, the co-defendant sold the Kronos malware for approximately $2,000 “in digital currency,” and in July also offered “crypting” services for Kronos, that is, obfuscating the trojan so that antivirus software would not detect it.
In that long list of overt acts, Hutchins is only accused of creating the Kronos software in 2014, and then updating the software later in 2015, after his unnamed co-defendant began to sell the malware.
As a result, some see Hutchins as collateral damage in a larger prosecution against a still-anonymous malware vendor. As Tor Ekeland, a defense attorney who frequently takes on Computer Fraud and Abuse Act cases, put it on Twitter, “[The Department of Justice] just arrested the guy who helped stop Wannacry because someone he allegedly worked with made $2,000 from the sale of malware.”
FBI agents took AlphaBay offline seven days before the indictment against Hutchins
The prosecution is being brought in the Eastern District of Wisconsin, a jurisdiction that is not particularly well-known for policing high-profile hacking cases, which may indicate that the mysterious co-defendant resides in Wisconsin. The mention of AlphaBay in the indictment also suggests that the co-defendant was swept up during the investigation into the marketplace that was made public last month. FBI agents took AlphaBay offline on July 4th, just seven days before the indictment against Hutchins and his co-defendant was filed under seal.
The co-defendant could also have been caught up in an investigation into the Zeus malware, the earlier banking trojan that Kronos resembles. In 2010, the FBI arrested 10 people in connection with Zeus, with dozens of other figures suspected of involvement. Posts on Hutchins’ blog show he was researching Zeus variants in late 2013, including variants compiled from the Carberp source code. The research was public, and there seems to have been no effort to delete the posts after the fact.
Oddly, the list of overt acts in count 1 doesn’t specifically allege that Hutchins took a cut of the profits or sold the software directly, even though counts 2 and 4 in the indictment charge both Hutchins and his co-defendant with having advertised and sold a wiretapping device. (Although the Kronos software does log credentials, it’s not clear that, from a legal standpoint, it counts as a “device.”)
In short, the indictment throws very little light on Hutchins’ involvement. Even if all of the specific allegations are taken as true, Hutchins could plausibly be a hapless creator whose code was sold with very little input from him, maybe even without any financial compensation. He could also, just as plausibly, be a sophisticated cybercriminal who profited from malware.
The Young Marcus Hutchins
In July 2014, around the time the indictment says his co-defendant began to sell the malware, Hutchins posted to Twitter asking if anyone had a sample of Kronos. Some argue that since Hutchins was asking for a sample of Kronos, he is unlikely to have written it. But it’s just as possible that Hutchins read IBM’s initial report on the malware, wondered whether Kronos was the software he himself had written, and sought out a sample to test that hypothesis. Less likely, but still possible, is that he tweeted the request to cover his tracks and give himself plausible deniability at the time.
Various people have also dug up old IRC logs, still available via the Internet Archive, connected to his previous username, TouchMe. The logs depict Hutchins, who would have been about eighteen years old, as a low-level black hat playing around with pieces of malicious code. But although he makes boastful references to the malware market, he never says in so many words that he actually sells bots.
[16:14] <TouchMe> if your bot is good
[16:14] <TouchMe> people will buy it
[16:14] <TouchMe> you don't need a 20mb image with stupid fucking colors
Some in the security community have sought to minimize Hutchins’ early activities as mere youthful indiscretions. “MalwareTech had some fun when he was younger, we all did,” one security researcher wrote on Twitter. “Doesn't mean he actually wrote the Kronos bot.”
Some have pointed to a tweet from 2013 to cast doubt on the reliability of the IRC logs and on the identification of Hutchins as TouchMe. But a person using the pseudonym IPostYourInfo has claimed that they knew Hutchins through IRC, and on Friday published a blog post containing fairly detailed and dense circumstantial evidence linking the TouchMe from those logs to Marcus Hutchins himself. Although IPostYourInfo links Hutchins to some unsavory behavior, they don’t allege that Hutchins wrote Kronos. And although they suspect that Hutchins peddled malware, they didn’t think at the time that he actually wrote it himself.
“I would have expected him to be involved in selling betabot [a different piece of malware], not having the initiative and drive to code his own malware,” wrote IPostYourInfo.
A New Challenge to the CFAA
Even if Hutchins were directly involved in developing the code for Kronos, the legal case against him is far from airtight. Orin Kerr, a former federal prosecutor and a professor at George Washington University School of Law, thinks that prosecutors will face an uphill battle. Four of the six counts stem from an anti-wiretapping statute, the applicability of which, Kerr says, is questionable. And since Hutchins isn’t accused of using the tools himself, the conspiracy charge under the Computer Fraud and Abuse Act is also shaky.
Despite those issues, prosecutors haven’t had trouble pinning similar charges on defendants facing similar facts in the past. One recent example was the 2015 Blackshades case, which targeted a spyware-for-hire program. It’s common for malware developers to outsource the actual hacking to smaller players, with new malware being marketed, analyzed and eventually pirated and reverse-engineered by the competition. As law enforcement takes on more cybercrime cases, the focus has shifted from botnets and distributors to the developers themselves, who often command a larger share of the profits. If these laws are, as Kerr theorizes, not suited to malware-developer prosecutions, it raises the question of how exactly prosecutors are expected to stem the tide of hacking at a time when the world has never been more dependent on interconnected, vulnerable computer systems.
Since most of these malware-developer cases have pled out instead of going to trial, the legal objections that Kerr has raised are untested. Few of those prosecutions have had to face a robust legal defense. Even with the security community in a confused uproar, Hutchins continues to be a very popular figure, and a legal fundraising effort is said to be under way. If Hutchins fights the charges, this could very well be the case that changes how malware development is prosecuted in the United States.