Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden “kill switch” for the malware, has been arrested by the FBI over his alleged involvement in another piece of malicious software targeting bank accounts.
According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015.
The Kronos malware was spread through emails with malicious attachments such as compromised Microsoft Word documents, and hijacks credentials like internet banking passwords to let its user steal money with ease.
Hutchins, who is indicted with another unnamed co-defendant, stands accused of six counts of hacking-related crimes as a result of his alleged involvement with Kronos. “Defendant Marcus Hutchins created the Kronos malware,” the indictment, filed on behalf of the eastern district court of Wisconsin, alleges.
Hutchins, better known online by his handle MalwareTech, had been in Las Vegas for the annual Def Con hacking conference, the largest of its kind in the world. He was at the airport preparing to leave the country when he was arrested, after more than a week in the city without incident.
The security researcher became an accidental hero in May when he registered a website, which he had found deep in the code of the ransomware outbreak that was wreaking havoc around the world, including disrupting operations at more than a third of NHS trusts and bodies.
The site, it turned out, acted as a kill switch for the malware, which stopped infecting new computers if it saw that the URL had been registered.
When WannaCry first appeared, in early May, it spread rapidly, infecting hundreds of thousands of computers worldwide in less than a day, encrypting their hard drives and asking for a ransom of $300 in bitcoin to receive the decryption key. It moved particularly quickly through corporate networks thanks to its reuse of a security exploit called EternalBlue, first discovered by the NSA before being stolen and leaked by an allegedly Russian-linked hacking group called The Shadow Brokers.
Both US and UK intelligence agencies later linked the malware outbreak to North Korean state actors, who have become bolder in recent years at using cyberattacks to raise revenue for the sanction-laden state.
Hutchins was reportedly briefly held in the Henderson Detention Center in Nevada on Thursday, before being transferred to another facility.
A Henderson police spokesman confirmed that the local jail had detained Hutchins at the request of the FBI, but declined to comment further. According to Andrew Mabbitt, a British security researcher who travelled to Nevada with Hutchins, he is being held by the FBI in the agency’s Las Vegas field office.
Hutchins was recently given a special recognition award at cybersecurity celebration SC Awards Europe for halting the WannaCry malware. The malware ended up affecting more than 1m computers, but without Hutchins’ apparent intervention, experts estimate that it could have infected 10-15m.
Hutchins’ employer, cybersecurity firm Kryptos Logic, had been working closely with the US authorities to help them investigate the WannaCry malware. Hutchins handed over information on the kill switch to the FBI the day after he discovered it, and the chief executive of the firm, Salim Neino, testified in front of the US House of Representatives Committee on Science, Space and Technology the following month.
“The largest success, though incomplete, was the ability for the FBI and NCSC of the United Kingdom to aggregate and disseminate the information Kryptos Logic provided so that affected organizations could respond,” Neino told the committee.
Hours after Hutchins was arrested by the FBI, more than £100,000 ($130,000) of the bitcoin ransom taken by the creators of WannaCry was moved within the bitcoin network for the first time since the outbreak. There is nothing to suggest the withdrawal, which appears to have moved the coins into a “mixer”, a digital money-laundering system, is connected to the arrest of Hutchins.