From Hero to Potential Zero

Marcus Hutchins, a security researcher who also goes by the name MalwareTech, made headlines in May as the person who discovered, almost accidentally, the inbuilt killswitch in the WannaCry ransomware which caught the world unawares. Fast forward to August and the same person hailed as a hero who prevented a further 10 million systems been infected by WannaCry was arrested in Las Vegas during the DefCon one of the largest hacking conferences in the world. At his bail hearing on Friday, he initially pleaded not guilty and was granted bail of 30,000 USD. Hutchins still had to spend the weekend in Jail as his lawyers could not pay the bail in time. Hutchins has to wear a GPS locating tag and is not to communicate his co-accused who is as of yet unnamed. Hutchins has been accused of creating and maintaining the Kronos banking Trojan and can face up to 20 years in jail if convicted.

The arrival of Kronos

Kronos was first detected in July 2014 and was last active in 2016. Initially, Kronos was offered on the Russian underground with a 7000 USD price tag. Kronos is commonly referred to as banking Trojan which steals credentials and identifying information from protected computers. This practically means that Kronos would steal banking details in order to commit fraudulent transactions. Later versions of Kronos could add extra forms to online banking websites which would prompt victims to enter in PIN codes related to the victims banking accounts.

malwaretech Marcus Hutchins photo

Photograph: Chris Ratcliffe

Kronos interested researchers not only because of its code but also on the business side of the offering. Malware as a Service (MaaS) is not new but Kronos differed in a key respect. Where most malware advertised for sale normally totals at a few hundred dollars, initial offerings of Kronos asked for 7000 dollars with later sales asking over 3000 dollars. In the sales pitch Kronos was available in 32 bit and 64 bit; could successfully by-pass anti-virus software and could by-pass sandboxes; and worked on Chrome, Fire Fox, and Internet Explorer. Added to this the customer would enjoy a lifetime license and access to later versions and bug corrections. To sweeten the deal customers would have full access to the command and control server and customers could pay in a variety of cryptocurrencies to suit their pocket.

The Indictment

The Indictment primarily focusses on Hutchins’s co-accused, who is as of yet unnamed. Details are few and far between and no discernible evidence has been made available to the public as the charges are still under seal. The State Prosecutors have gone on record to state that Hutchins admitted to them that he created and maintained the banking Trojan in question. In court, the prosecution stated, “He admitted he was the author of the code of Kronos malware and indicated he sold it.” and that he should be denied bail as he is a “danger to the public”. Not much can be read into the prosecution’s case at the moment as they argued against bail as a matter of course.

Hutchins’s defence attorney, Adrian Lobo, intends to fight the case and is convinced of Hutchins’s innocence, listing his work in combatting cyber-attacks in support of her claim.

The Prosecutions uphill legal battle

Orin Kerr, a former state prosecutor and a professor at the George Washington School of Law, believes that the prosecution has it all to do. This is due in part to there been no evidence of Hutchins using the advertised malware himself and trying to convict Hutchins of conspiracy is a long shot. Another factor to consider is that most cases involving hackers are pled out with prosecutors providing a plea bargain to the accused with the accused pleading guilty. Very rarely are these cases concluded in court. If Hutchins maintains his innocence the case will go the full distance with prosecutors facing a robust defence, something rarely encountered in situations similar to this. Whatever the outcome of the criminal case, this case has the potential to set out the legal framework for trying cyber criminals in the future and given the long reach of the US Department of Justice, this case will be closely followed not only by Hutchins’ supporters and contractors but other law enforcement bodies around the globe.

malwaretech twitter account

White Hat or Black Hat

According to the Department of Justice, old IRC logs surfaced which indicate that Hutchins in his youth was responsible for more malicious activity than defending networks against hackers. This, however, is no new phenomena, many researchers started out exploring malicious bots and doing what many teenagers do best, misbehaving that is. Hutchins past as amateur black hat in his youth is neither here nor there. Depending on one’s prejudices would determine Hutchins’s innocence or guilt. As the Department of Justice still has large portions of the evidence under lock and key so only assumptions can be made as to his guilt, and it is now largely in the court's hands.

In July 2014, Hutchins went to Twitter to ask if anyone had a sample of Kronos. This request can be seen by some as an admission of guilt while other interpret it as him wanting a sample for research purposes as researchers do. Those more inclined to conspiracy theories might see the Twitter admission as a way to cover up his tracks by giving himself plausible deniability.

The war on cyber crime

With the recent closure and seizure of servers owned by AlphaBay and the arrest of one of the minds behind BTCe on fraud and money laundering charges can be seen as a definite scaling up on the war against cyber criminals. As researchers often tread a very fine line between right and wrong. In order to gain intelligence on malware, this line needs to be tread. Prosecutors across the globe need to be sure that they are targeting the criminals and not those looking to be the first line of defence when an attack occurs. Whether Hutchins is guilty or not is for the courts to decide. While many have come to his support, if the case and accusations are seen as spurious far more will come to his support resulting in a rather embarrassing time for the prosecution.