Remember the reluctant WannaCry hero from just over a year ago?
A young man from the UK, known at the time to most people simply as @MalwareTechBlog, registered an internet domain name that was used by WannaCry as a signal to halt its attack.
If the ransomware was able to connect to a specific, weirdly named server, it would let you off and not scramble your files.
If the connection failed (which it inevitably did before the relevant domain name existed), then the ransomware attack went ahead
In short: registering and activating the domain programmed into the virus acted as a sort of kill-switch, turning @MalwareTechBlog into something of a crimefighting cyberhero.
At first, @MalwareTechBlog kept himself out of the limelight, but by the time he went to Las Vegas in August 2017 to attend the massive DEF CON hacker convention, his identity was out: Marcus Hutchins.
Worse still, Hutchins found rather abruptly that he was, as they say, “already known to the police” – indeed, he was arrested at Las Vegas airport shortly before his intended return to the UK, accused of the creation and distribution of banking malware known as Kronos.
Since then, Hutchins pleaded not guilty and was released on bail; he had to stay in the US, of course, but was apparently allowed to carry on working for his US employer while awaiting trial.
A turn for the worse
Sadly for our erstwhile cyberhero, things took a turn for the worse earlier this week when one MARCUS HUTCHINS, aka “Malwaretech”, aka “firstname.lastname@example.org” was hit with new accusations.
There are ten new charges in the latest indictment, many of them following a similar formula claiming that Hutchins:
intentionally disseminated and aided and abetted the dissemination by electronic means any advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foriegn commerce.
US investigators now allege that Hutchins is connected with another malware toolkit called UPAS Kit, allegedly advertised as a “modular HTTP bot” for stealing data.
According to law enforcement, UPAS went after personal information such as PINs, payment card numbers, social security numbers, and more.
“He fibbed,” says the FBI
Additionally, the FBI is now charging Hutchins with making a false statement when he was arrested last year.
Apparently, Hutchins admitted to writing the code that ended up inside the Kronos malware, but not to fashioning it into live malware himself.
He claims to have realised his code had been put to use by cybercrooks only after he analysed the Kronos malware himself in 2016.
The FBI says that’s a load of rot, insisting that:
in truth and fact, as HUTCHINS then knew, this statement was false because as early as November 2014, HUTCHINS made multiple statements […] in which [he] he acknowledged his role in developing Kronos.
As far as we can tell, some of these charges relate to activities that would have taken place before Hutchins was 18, and some after that, when he was legally an adult.
What happens next?
So far, these are all allegations that US law enforcement seems to think it can prove beyond reasonable doubt…
…but quite what happened, and whether Hutchins is a hero, a villain, or perhaps even a bit of both, may well take some time to emerge through the American courts.
What to do?
By the way – without being drawn on the likely outcome of this case – if you’re a technically inclined youngster who’s tempted to flirt with the Dark Side to see what cybercrime is like, we vigorously urge you not to!
You’ll find any number of open source and community programming projects where your help will be welcomed and where you can cut your teeth publicly – and any of these will leave you with experience you can proudly declare on your CV (resume) later in life.
At the very best, dabbling in cybercriminality will leave you wondering if and when a future employer might find out and be much less than impressed.