In my opinion, Marcus Hutchins will spend the next 10 years of his life working for the NSA and reverse engineering malware built by the Chinese. Unless MI5 has other plans.
On Wednesday, 22-year-old Marcus Hutchins -- also known as MalwareTech -- was arrested in Las Vegas for "his role in creating and distributing the Kronos banking Trojan," according to a spokesperson from the U.S. Department of Justice.
The charges relate to alleged conduct occurring between July 2014 and July 2015.
According to an indictment provided to CNN Tech, Hutchins created the malware and shared it online.
> "I've spoken to the US Marshals again and they say they have no record of Marcus being in the system. At this point we've been trying to get in contact with Marcus for 18 hours and nobody knows where he's been taken," the person added. "We still don't know why Marcus has been arrested and now we have no idea where in the US he's been taken to and we're extremely concerned for his welfare."
What the hell? How does something like this even happen? Surely they can't just take somebody away and keep it a secret?
"Hutchins, who is indicted with another un-named co-defendant, stands accused of six counts of hacking-related crimes as a result of his alleged involvement with Kronos. “Defendant Marcus Hutchins created the Kronos malware.”"
This is common even in routine police arrests. People can disappear for hours or even days[0][1]. It's hard to believe but well documented. Ask any criminal attorney.
Actually, once he is booked into jail, he will be the responsibility of the US Marshals. It's very odd that if he were arrested yesterday, that he would still be in custody at the FBI office. The FBI itself does not have detention facilities...they have holding cells that are supposed to be used for a few hours during processing and interrogation.
It sounds like he was arrested in Henderson (a suburb of Vegas), kept overnight in that city's detention facility, then brought to the Las Vegas FBI field office today. He will probably see a judge for a detention hearing today or tomorrow, and if he is not granted bail will then be put in jail at the Clark County Detention Center in downtown Las Vegas, at which time he will be in the custody of US Marshals.
First, being in the news does not necessitate something actually being newsworthy. Between celebrity gossip, the latest fads, and shallow exchanges between career politicians that impact no one and everybody will forget a couple of days later, a very small part of the news is actually newsworthy.
Second, something happening routinely does not mean it's necessarily not worth reporting. Especially for things that happen routinely but shouldn't -- and whose routine re-emergence invokes outrage. The shooting of a black person walking/driving around by cops is very much a routine affair (as there have been 100s of incidents), but it continues to get media coverage and rightly so.
FYI, if you've committed any form of cybercrime in the previous 3 years (edit: the statute of limitations is 5 years for most federal computer crimes, as pointed out below), you should avoid such conferences in the US for exactly this reason. You probably aren't as smart as you think, and there may be a sealed arrest warrant for you.
The FBI waits for these kinds of conferences to do exactly what they did here. Another Las Vegas DEF CON victim was Dmitry Sklyarov [1]. They won't bother with all of the problems associated with international arrest warrants and extradition if they know you're coming to them.
I stand corrected. It is three years for many federal crimes, but since the CFAA has no specific statute of limitations, you are correct that crimes prosecuted under it use the default number, which is 5 years. On a side note, if you are an international person visiting the US, you do not want to be arrested for a federal crime in Las Vegas...if you think you may be arrested, visit somewhere else. There is no automatic right to bail in the federal system, and the District Court in Las Vegas is notorious for ruling that most non-US defendants are flight risks. That means, at a minimum, you will go through a month-long transfer process (that goes through Oklahoma, regardless of your destination) to get to wherever your federal warrant was actually issued before you are likely to be granted bail.
Or maybe DEFCON should stop hosting their conference in the US. It used to be a game, “Spot the Fed”; now the joke's on them: “Spot the hacker”. Because DEFCON is a fishing ground for Feds.
Half the people have some day done something which in a generic way is "against US interests" (from a false name on Facebook to competing against a US corp to starting a petition or a secure app). I personally don't go to US conferences or visit US customers, simply because of TSA (same for Japan and China; Europe has a better track record). If you have a choice, it's not really giving the world a service to choose the USA land to organize a conf, as it will exclude many, many people.
Using a false name on facebook is against their ToS, is it not? There was a story within the last week about how violating ToS is arguably a felony in the US.
The story was actually from 2013, but yeah, the DOJ tries to pass that theory. Fortunately the Ninth and Fourth Circuits have already shown they won't play ball, but there are other courts.
...do they care? Is there a correlation between committing crimes and, for example, being on the no-fly-list? The TSA doesn't wait for a crime to interrogate you, send you back, download or bug your phone, and I'll eat my hat if they never planted child pornography on someone's phone to accuse them of a crime. If a CIA/NSA clerk once flagged you as a "person of interest" (and 3rd degree phone relationship with a criminal is enough), they'll find a good reason to accuse you.
No good deed goes unpunished. But why is DefCon still in the US? I think the creators of the conference might want to seriously think about holding it somewhere that isn't so hostile to pretty much everyone who attends.
Having just attended DEF CON, I can say that I didn't get that vibe at all. The people who were there were very serious about the whole point of it all. I got a lot of value out of it as well.
The Chaos Communication Congress is already held annually in Germany, and is well-attended. There is absolutely an appetite for annual hacker/security conferences in the United States (and indeed we already have dozens that are held annually, of all sizes: DEF CON, BlackHat, B-Sides, ShmooCon, etc).
The sessions were all pretty much full. There were many, many people who were taking it seriously. I can't speak to how many people just goofed around the whole trip, as I wouldn't've seen them, but it seemed to be a minority.
Most of the attendees are US citizens. They will lose a lot if they move it. It's better to just host another one outside of the country (and I think there are already a bunch) for people that don't want to visit the US.
"According to an indictment released by the US Department of Justice, Hutchins is accused of having helped to spread and maintain the banking trojan Kronos between 2014 and 2015"
Since he's only been in custody for less than 24 hours, and CNN already has the indictment, presumably the DOJ had his case before a grand jury awhile ago. Which implies that they did not do this on a whim.
Since CNN has the indictment, we'll all have it soon enough, and we'll get a look at the basis for the DOJ's claims.
Or, maybe, there's a legit good or bad reason that he is unreachable? But let's just jump to the conclusion that he was blackbagged and in a CIA black site.
How many security researchers have squeaky-clean records, though? In hindsight, gathering all of the hackers under one of the most sophisticated, militant, intelligence systems in the world, might not be a great idea.
We should have overwhelming confidence that people are detained for good reasons. Given US's track record, it is entirely reasonable to think that it's not the case, until demonstrated otherwise by proof brought forward by the aggressor.
I may be totally off base here but IIRC, before he ran MalwareTech and was a whitehat, he participated (and was an op) in fairly "shady" IRC channels, with his oldest nick I can recall being `Ntoskrnl`, dedicated to malware and malware development which even had a person (Edit3: As pointed out in this thread, that person was `BetaMonkey/TouchMe`) who was selling a variant of a botnet drone client builder. Edit2: From one of the comments below in this thread, the network on which he was present (and was an IRC operator of) was `irc.voidptr.cz` or a variation of that, I could not recall the name of the network at first but when someone mentioned it, I instantly recognized it.
If he's who I think he is, I doubt his early background is that clean, despite him being a whitehat now. It is very much possible he is being held because of something related to that and not because of anything related to WannaCry. This was all before he even started running the MalwareTech blog, it's very much possible the FBI decided to look into his background or were already familiar with it prior to him arriving in or leaving the US.
That being said, it's possible that I'm mistaking him for someone else in which case I do apologize. I edited the post a bit, to clarify, the first paragraph to the best of my knowledge is certainly true, second one is based on my own speculation so take it with a grain of salt.
The grandparent is making a good point. It is entirely possible that the researcher is being prosecuted for something related to his past. It's not likely that he's being prosecuted for smuggling a small amount of drugs (for example), the FBI wouldn't be the one making the arrest.
Even if all the activities he has done in the past are completely legal the FBI could still try to wring him for them.
BetaMonkey/TouchMe was in fact the person I was referring to who was providing support for his botnet drone builder until he disappeared with no trace at a later date. Just could not recall the nick at the time of making my original post.
I always assumed the two to be different people. The log shows the two of them talking at the same time, and I remember the two of them having very different attitudes in general.
I know TouchMe is malwaretech but would be inclined to assume that BetaMonkey isn't.
TouchMe was still a malware developer though, and apparently used to run voidptr before handing it over to BetaMonkey.
I was pretty sure TouchMe was BetaMonkey's new nick, I don't think it was Ntoskrnl (MalwareTech). From what I've heard TouchMe continued support of his drone's users until he disappeared without a trace. This was so long ago and my memory isn't amazing.
If I was a bad man in the security profession who was certain he was anonymous, I'd point to someone else who was a security professional on twitter when I vanished too.
> This is all easily verifiable with google and archive.org.
Yes. And I've had a hostile fellow once upon a time put my RL info in the whois and post a bunch of shit on it. I generally give people the benefit of the doubt when it's random online public stuff until they are convicted.
The internet "evidence" is way too flimsy to be considered reasonable standards of proof imho.
> I'm not trying to pick a fight here so just chill and move on. We aren't going to agree.
Yes, I'm sorry I didn't immediately realize that you were just trolling. If not, you might want to look at the parts of my post you decided not to quote.
Even better -- Here's someone @'ing TouchMyMalware and then MalwareTechBlog replying "Thanks for the tweet, also my new twitter handle is @MalwareTechBlog"
That just looks like standard IRC bantz though. Do you know if he was actually trying to sell/weaponize the malware he was developing? (I assume he was, given the indictment, but can't hurt to ask.)
Betamonkey was someone different. The reason he disappeared without a trace was that he was so bad at PHP that people got sent to prison (his support site was owned by a whitehat and all the customer information was harvested and distributed to law enforcement)[0].
Touchme/Marcus was a close friend of his though, one of his first articles on the site that eventually became malwaretech.com was an attempt to disprove the claim that betamonkey's malware was banking malware. This had gotten him banned from selling on hackforums, his main source of customers at the time. You have to read the article on the Wayback Machine, for some reason he deleted it from his site later on [1].
If I were betamonkey I would be sweating pretty hard right now, his malware is also still being used and Marcus will be looking hard for someone else to drag under the bus.
> For anyone still into IRC, MalwareTech has partnered with sigterm.no to launch a new IRC network. It’s still fairly new so don’t expect an instant response, but everyone is welcome (socializing or just asking for help).
> For all we know, this detention is completely unrelated to WannaCry.
No, everyone has already determined 'wow he did a good deed' and 'us law enforcement bad'.
The fact is he is linked to this event and a person of interest who they want to get more info from. As such it makes total sense they would detain him for some questioning, searches and so on.
If you are someone who stops a crime you will also get questioned by the police. For all they know you are covering your own tracks and had a role in the crime. This is almost a cliche in movies and tv.
> If you are someone who stops a crime you will also get questioned by the police. For all they know you are covering your own tracks and had a role in the crime. This is almost a cliche in movies and tv.
Yup. Law enforcement is not obliged to assume his innocence.
I understand your point of view, but I don't share it.
First, asking questions doesn't require detaining people.
Second, that person is not an American citizen. Unless he committed crimes on the American soil, which might be the case, handling foreign visitors like that is puzzling to say the least.
Everyone's determined 'us law enforcement bad' because it doesn't matter what crime he may or may not have committed. He was arrested in the US, which means he may be tortured or murdered, and if he's sentenced he almost certainly will be tortured through means such as prisoner assaults, permanent solitary confinement or abuse, or god knows what else. And heaven forbid he's sent to a military prison. He will never come out again.
If you believe the USA is so terrible then push for sanctions against them. It's better than wringing your hands anytime one of our longtime allies decides to arrest an alleged criminal.
UK's National Cyber Security Centre on MalwareTech's arrest:
"We are aware of the situation. This is a law enforcement matter and it would be inappropriate to comment further."
Reading the indictment, it seems like his partner ratted him out. Curious though, the indictment seems to list the redacted partner as doing most of the incriminating things (posting a video demonstration, advertising the sale on AlphaBay, etc), it merely accused Marcus as being the author and co-conspirator.
I wonder if his partner/friend got caught, and plea bargained to turn state's evidence against Marcus.
> I wonder if his partner/friend got caught, and plea bargained to turn state's evidence against Marcus.
I always wonder a bit about how often these things end up like Rubin Carter, with the guilty party turning state's evidence against someone less guilty or entirely innocent. I mean... one presumes there's more evidence generated by being more involved with the crime, as in this case. If you catch whoever is most identifiable and turn them, there ought to be a lot of cases where you're starting with the worst player and cutting them a deal.
Makes me wonder if he was involved with criminal intentions - maybe they produced it together as a research project, then the partner decided to sell it? It would explain why he wanted a sample of his own software, if it wasn't just a cover.
Based on the number of people who are absolutely certain he wouldn't be involved, the circumstantial evidence suggesting he wasn't, and the lack of any solid evidence that he is, I think the smart bet to place is on this being Swatting.
In other words, AlphaBay goes down, FBI analyses information and determines Mr. Redacted was responsible for Kronos. They arrest him, and in interrogation, he decides to blame someone else for anything they can't actually prove is him directly.
Maybe this is the reason he did not appreciate people revealing his identity online (basically DOXing him for fun, some journalist did it if I recall correctly). It really sucks when somebody that is trying to do well (stopping the WannaCry Ransomware as he did) is detained, even though we don't know more details at this points, this hits him rather personally and probably not for the good, I am very sorry for him and I hope he gets out soon and that all is well.
They're surprisingly clever, to arrest after DefCon. Typical stupid USA LEOs would arrest ASAP, so the unjust detention could be a cause célèbre hyped up by half the talks.
Obviously I won't condone everything they do, and internal corruption remains an issue (as we've seen with Bitcoin..), but US LE - at least at the federal level - is certainly not stupid. They have a level of strategic, tactical and technical intelligence that is objectively pretty impressive especially compared to where they were at, say, 20 years ago WRT computer security. That said, it certainly doesn't hurt that some of the highest-profile criminal "masterminds" of the past 3-5 years have had fairly sloppy opsec.
I completely agree with you. I'm pretty sure Marcus isn't either from the sound of it. Just a bit freaked out by our government's tactics and sharing a memory.
I mean, he wrote a book about it. About how he used the identities of children who died while living across state lines because no record of death goes back to the originating state.
And how he used those identities and stole credit cards to survive being chased by the FBI.
There is an annual security focused convention going on this week called "Defcon" that many security focused engineers typically attend. Since wannacry was a big thing that happened between this year's con and last year's con, and because Hutchins is a security researcher, I'm sure he was invited to attend if not give a talk.
I know that he was going to a conference, but I wonder why anyone bothers to travel here for simple tourism anymore. It seems awfully unnecessarily risky.
It's not clear to me why he should've expected arrest. He didn't write the virus, he shut it down. The arrest makes no sense. It's not a reasonable thing to have expected.
There's almost zero chance that he was arrested for stopping Wannacry. I'd guess a 23-year old in that business has a history of "less-than-white-hat" activities...
That's an interesting position to be in. If you're legit now but you have some past event which might be uncovered, do you approach the DOJ (through a lawyer, of course) to turn yourself in and try to cut a deal, maybe probation and free consulting services for TLAs for a few years, or do you just hope it never comes to light?
Then again, any deal probably means informing on friends and acquaintances of that period and scene. You could try to contact some of them and see if you could go forward together, but then you're setting yourself up for a prisoner's dilemma situation.
The bitcoin ransom wallets for WannaCry were just emptied today as well. What was the time difference between these two events? It seems possible that Hutchins could have had control of the wallets and fed seized the coins.
> for "his role in creating and distributing the Kronos banking Trojan," according to a spokesperson from the U.S. Department of Justice.
> The charges relate to alleged conduct occurring between July 2014 and July 2015.
======
They are awfully quiet about the charges.
> It is not clear why Hutchins has been arrested or if he will face charges in the US. The US Marshals office confirmed it was the FBI who arrested Hutchins.
Source: OP
and on motherboard.vice.com
> The friend told Motherboard they "tried to visit him as soon as the detention centre opened but he had already been transferred out." Motherboard granted the source anonymity due to privacy concerns.
> "I've spoken to the US Marshals again and they say they have no record of Marcus being in the system. At this point we've been trying to get in contact with Marcus for 18 hours and nobody knows where he's been taken," the person added. "We still don't know why Marcus has been arrested and now we have no idea where in the US he's been taken to and we're extremely concerned for his welfare."
This is utter nonsense. He didn't stop Wannacry. The Wannacry devs stopped Wannacry, if he didn't grab the domain it'd have been picked up by some other TI firm within minutes or hours.
If Newton had not discovered and articulated his 3 laws of motion when he did someone else WOULD have in the decades that followed. Is it an error to say Newton was the first to discover his laws of motion? By this definition how can anything be attributed to anyone?
Do you attribute a car bombing to the person that set up the bomb or the guy that inevitably turned on the car and set off the bomb?
In this case WannaCry creators built a system that would inevitably be triggered within a few hours from the malware going live.
I think it is meaningless to attribute the WannaCry killswitch to him instead of the authors. If he hadn't registered the domain some other threat intelligence firm would've done it moments later.
Why are people in this thread so outraged without knowing any of the facts? For all we know there might be a legitimate charge on which he was arrested.
As per him being untraceable, if he was not read his rights then the FBI just jeopardized their own case. If no one knows where he is, it's more likely that it's what Marcus wants at the moment rather than what the FBI wants.
He could call his attorney and have him release a statement, right? Are you saying he is being denied access to a lawyer? Because that's a very serious charge and it would be very silly of the FBI. IDK, if I were arrested I would pray that the police abuse their power and deny me access to an attorney.
You have to be assigned a free public defender by court, requiring a hearing, before you have one to call. That makes it impractical to use one when you are detained without being brought before a magistrate, even if you have the opportunity to make a phone call.
They don't just give them out when you get arrested. Often you have to file paperwork, prove you're indigent, and prove you made an effort to hire an attorney.
Moreover, most public defenders are overworked. They will do their job (hopefully), but they are not your secretary. (I'm sure most will make those phone calls, out of being a decent human being, not because it's their job)
Would you? Would you like them to detain you unjustly for your entire life for example?
Personally, I'd prefer the state to act within the bounds of Justice.
When the US government kidnaps non US-citizens they don't give you the chance to call your lawyer. You get stripped, beaten, sodomised and sedated. If you're lucky you get released after a few months of torture.
> Khalid El-Masri (born June 29, 1963) is a German and Lebanese citizen who was mistakenly abducted by the Macedonian police in 2003, and handed over to the U.S. Central Intelligence Agency (CIA). While in CIA custody, he was flown to Afghanistan, where he was held at a black site and routinely interrogated, beaten, strip-searched, sodomized, and subjected to other cruel forms of inhumane and degrading treatment and torture. After El-Masri held hunger strikes, and was detained for four months in the "Salt Pit," the CIA finally admitted his arrest and torture were a mistake and released him.
"interrogated, beaten, strip-searched, sodomized, and subjected to other cruel forms of inhumane and degrading treatment and torture"... so exactly like hanging out with my ex.
Is it fraud if you declare a wrong birthday on your bank account? Don't they get that information from your documents, instead of relying on you to answer it?
> Why are people in this thread so outraged without knowing any of the facts? For all we know there might be a legitimate charge on which he was arrested.
Because US law enforcement have consciously chosen, over the past couple of decades, to engage in activities that make them "the bad guy". It's just abductive inference and a simple bayesian prior at this point. Nobody is reaching any absolute conclusions yet, but a highly plausible explanation, until such time as other facts become available, is over-reach / malicious behavior by the FBI and their cronies.
US law enforcement would be horrifically, jaw-droppingly corrupt if 20% of arrests were "malicious." But even then, 80% of arrests would be non-malicious, so a very strong prior that a given arrest is malicious would be completely unreasonable.
"US law enforcement is the bad guy, therefore any given choice they make is probably evil" is fiction-logic. It works in movies, not in real life.
> 80% of arrests would be non-malicious, so a very strong prior that a given arrest is malicious would be completely unreasonable.
Sure, but we're not talking about a randomly selected item here. Looking at US arrests w/r/t "cybercrime" and given the history of overly broad interpretations of the CFAA and what-not, I think it's a lot less clear than you are suggesting.
> "US law enforcement is the bad guy, therefore any given choice they make is probably evil" is fiction-logic. It works in movies, not in real life.
We're not talking about "logic" (as in "deductive logic") here... we're talking about the kind of fuzzy reasoning, based on abduction and bayesian inference, that human beings use in the face of limited information... and with an understanding that you revise your position as new information is acquired.
Indeed. If he didn't get permission to stop WannaCry, then he violated the CFAA.
No, a "crime" is not good justification of a different crime.
I wish I was making this stuff up, but thank overly-broad '80s laws regarding "access", "permission", and that sort of language which weaponizes EULAs.
> Section 37 (Making, supplying or obtaining articles for use in computer misuse offences) inserts a new section 3A into the 1990 Act and has drawn considerable criticism from IT professionals, as many of their tools can be used by criminals in addition to their legitimate purposes, and thus fall under section 3A.
Basically supplying a disassembler to someone who then uses it for a crime is itself possibly covered for example.
It's the possibly that's the problem, when you can't tell if an offence has actually been committed you leave it open for abuse.
As much as this article contains very little information, this sounds very much like something the US will do.
Whenever someone has to be the butt of some global joke... somehow the US has to be the one to step up. Taking someone into custody for 18 hours without giving the family or press any information. How different is this from Iran or North Korea?
Two things could've happened here IMO. They asked for the domain to be turned over to them and were politely refused, or they're about to punish an accidental hero for white hat work/previous black hat work not related to WannaCry.
Who’s to say he didn’t call his family? The linked article cites a “close personal friend” who has been in contact. The fact they didn’t give a heads up to random reporters and Twitter users after arresting someone isn’t scandalous.
In Iran and NK detention without rights is an institutionalized practice. In the US, if you deny them a phone call immediately, you just threw away your own case.
The first article is about Peter Sunde. Another TPB founder, Gottfrid Svartholm Warg was treated even worse, being held in solitary confinement for months before his trial. Which sadly happens way too often.
He found the address in the source code of the ransomware, any researcher could have found it. He even said himself that when he found it in the source code and saw it was unregistered he registered it to see what would happen. As it turned out it stopped infections from occurring.
Not to say that he isn't the malware writer but your use of quote marks makes me think you have no idea about what happened and haven't looked into it, just made some "wild assumptions".
The firm he works for literally pays him to track size and scale of malware outbreaks. What's the best way to do that? Look for domains the malware attempts to communicate with and register them, pointing them at the firm's sinkhole server. From there the server can generate reports on how many connections it gets and from where.
He did what he would have done to any malware once he found an unregistered domain, he registered it. He didn't realise the malware was using that domain as a killswitch.
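The sinkhole-based measurement described in the comment above, as an added example that is not part of the thread: a small Python report over constructed sinkhole access-log lines (the domain and addresses are documentation placeholders, not real infrastructure), counting each infected host once even when it beacons repeatedly and ignoring non-routable sources that would indicate misrouted internal traffic.

```python
"""Turn a sinkhole's access log into an outbreak report.

Once a domain the malware contacts is registered and pointed at a sinkhole,
the sinkhole's own access log is the measurement: every request is a host
that ran the malware far enough to phone home. This is an added example,
not code from the thread or from any firm mentioned in it.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed sample (RFC 5737 documentation addresses, .invalid domain).
# Combined-log style with the requested Host header as the last field.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2017:13:01:04 +0000] "GET / HTTP/1.1" 200 0 "example-sinkhole.invalid"
198.51.100.7 - - [12/May/2017:13:05:30 +0000] "GET / HTTP/1.1" 200 0 "example-sinkhole.invalid"
203.0.113.10 - - [12/May/2017:13:06:11 +0000] "GET / HTTP/1.1" 200 0 "example-sinkhole.invalid"
192.0.2.44 - - [12/May/2017:14:02:59 +0000] "GET / HTTP/1.1" 200 0 "example-sinkhole.invalid"
10.0.0.5 - - [12/May/2017:14:10:00 +0000] "GET / HTTP/1.1" 200 0 "example-sinkhole.invalid"
198.51.100.7 - - [12/May/2017:14:12:00 +0000] "GET / HTTP/1.1" 200 0 "www.unrelated.invalid"
this line is deliberately malformed
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)

# Sources that cannot be infected Internet hosts. Checked explicitly rather
# than via ip.is_global, because Python also treats the RFC 5737 documentation
# ranges used in the sample as non-global and would drop every line.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_line(line):
    """Return {'ip', 'ts', 'host'} for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "ts": ts, "host": m["host"].lower()}


def build_report(lines, sinkhole_domains):
    """Count infected hosts per hour of first contact and hits per domain."""
    first_seen = {}                       # ip -> earliest beacon timestamp
    hits_per_domain = defaultdict(int)
    skipped = other_host = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or any(rec["ip"] in net for net in NON_ROUTABLE):
            skipped += 1
            continue
        if rec["host"] not in sinkhole_domains:
            other_host += 1               # scanners, typos, other sinkholes
            continue
        hits_per_domain[rec["host"]] += 1
        # A host that beacons every few minutes is still one infection.
        if rec["ip"] not in first_seen or rec["ts"] < first_seen[rec["ip"]]:
            first_seen[rec["ip"]] = rec["ts"]
    new_per_hour = defaultdict(int)
    for ts in first_seen.values():
        new_per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
    return {
        "unique_hosts": len(first_seen),
        "new_hosts_per_hour": dict(sorted(new_per_hour.items())),
        "hits_per_domain": dict(hits_per_domain),
        "skipped": skipped,
        "other_host": other_host,
    }


def demo():
    return build_report(SAMPLE_LOG.splitlines(), {"example-sinkhole.invalid"})


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```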