WannaCry researcher arrested for allegedly developing Kronos malware

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

A noted security researcher has been arrested by the FBI, as first reported by Motherboard. Marcus Hutchins (better known as MalwareTech) appears to have been stopped by the FBI yesterday afternoon as he prepared to board a flight from Las Vegas back to his home in London. Hutchins was in the US for the Black Hat and Defcon security conferences, although he did not present any research.

Hutchins was arrested for his role in “creating and distributing the Kronos banking trojan,” according to a federal indictment against him and an unnamed co-defendant. Kronos was a malware program that harvested online banking credentials and credit card data, first discovered in July 2014.

According to friends, the first clues came when Hutchins failed to text from the airport. “He was radio-silent before his flight which is very unusual,” one friend told The Verge, “and he wasn’t on the Wi-Fi on the plane.”

Hutchins’ most recent tweet was posted just after 4PM, shortly before he was due to board his flight home. He was expected to contact his mother when he arrived in London, but as of this afternoon, she still does not know his whereabouts. Hutchins’ friends have reported he is currently located in the FBI’s Las Vegas field office, although The Verge was unable to confirm his location.

Hutchins is best known for his role in combatting the WannaCry ransomware, which caused significant damage to the UK’s National Health Service and shut down nearly 75,000 computers worldwide. Examining the malware’s code, Hutchins discovered a domain that, when occupied, would prevent the program from infecting new machines. That so-called “Kill Switch” allowed Hutchins to effectively disable the malware just a day after it made headlines. Notably, the Bitcoin wallets associated with WannaCry were cashed out earlier today, although the movement does not appear related to the arrest.

The bulk of the evidence in the indictment concerns Hutchins’ unnamed co-defendant, who is believed to have provided instructions for using the malware on YouTube and listed it on various underground marketplace. Hutchins is charged only with creating the malware, and there is little indication of why agents believe he is responsible. Twitter activity indicates Hutchins may have been researching the Kronos malware during that period.

The timing of the arrest may have been related to the recent AlphaBay takedown. The indictment alleges that Kronos was listed and sold on AlphaBay, with the unnamed co-defendant advertising and maintaining the malware. The takedown left federal agents in possession of significant transaction records from the previously anonymous marketplace, which may have provided a new way to trace back Kronos’s creators.

Update 3:14PM: Updated with further detail from the indictment.


Hutchins is charged only with creating the malware, and there is little indication of why agents believe he is responsible.

So when a ‘traditional’ arms manufacturer has something of theirs misused that causes harm, they cannot be arrested or charged over it. Why is it now okay for the FBI to do it in the case of a ‘cyber’ weapon?

They argue that traditional arms can also be used to defend lives. Malware can only harm computer networks and not help them, hence the ‘mal’ part.

Well said.

But don’t security researchers develop and test things all the time that would be considered "Mal"ware if someone else were to get ahold of it? Isn’t that part of the point of security research?

Every researcher out there knows there’s a line you don’t cross when it come to research unless they want the FBI to come after them.

Interesting. A big part of software development is creating test that break your system or application. This helps you detect bugs, performance issues, and security loopholes. This is definitely a "grey" area, but how is malware any different from a legit test so long as you don’t exploit the security holes it finds?

If he was hired by a bank to test a system, then your argument make sense but he wasn’t.

What if he was hired by renowned security firms to test networks, but not specifically for any given financial institution as client?

Then he has the paperwork to prove it and wouldn’t be convicted.

At the very least, it’s enough to warrant more attention and suspicion, which may very well be what’s happening here. Not everyone the FBI arrests is charged, let alone, convicted of and punished for a crime. And, of course, just because we have no indication of wrongdoing from our end, doesn’t mean it hasn’t happened. I’m sure more details will develop

Because it’s illegal. Google Computer Fraud and Abuse Act.


Isn’t it possible that the creators of WannaCry would want to frame him for raining on their parade?

View All Comments
Back to top ↑