Hacker who helped stop global cyberattack arrested in U.S.
LAS VEGAS >> Marcus Hutchins, a young British researcher credited with derailing a global cyberattack in May, was arrested for allegedly creating and distributing malicious software designed to collect bank-account passwords, U.S. authorities said today.
Hutchins was detained in Las Vegas on his way back to Britain from an annual gathering of hackers and information security gurus. A grand jury indictment charged Hutchins with creating and distributing malware known as the Kronos banking Trojan.
Such malware infects web browsers, then captures usernames and passwords when an unsuspecting user visits a bank or other trusted location.
News of Hutchins’ detention came as a shock to the cybersecurity community. Many had rallied behind the researcher whose quick thinking helped control the spread of the WannaCry attack that crippled thousands of computers last May.
The indictment, filed in a Wisconsin federal court last month, alleges that Hutchins and another defendant — whose name is redacted — conspired from July 2014 and July 2015 to advertise the availability of the Kronos malware on internet forums, sell the malware and make money off it. The indictment also accuses Hutchins of creating the malware.
Authorities said the malware was first made available in early 2014, and “marketed and distributed through AlphaBay, a hidden service on the Tor network.” The U.S. Department of Justice announced in July that the AlphaBay “darknet” marketplace was shut down after an international law enforcement effort.
Don't miss out on what's happening!
Stay in touch with top news, as it happens, conveniently in your email inbox. It's FREE!
A court hearing was scheduled for Hutchins on this afternoon in Las Vegas. It was not immediately clear if he has a lawyer.
The Electronic Frontier Foundation, a San Francisco-based digital rights group, said it was “deeply concerned” about Hutchins’ arrest and was attempting to reach him.
Hutchins recently attended Def Con, an annual cybersecurity conference in Las Vegas that ended Sunday. On Wednesday, Hutchins made some routine comments on Twitter that suggested he was at an airport getting ready to board a plane for a flight home. He never left Nevada.
A Justice Department spokesman confirmed the 22-year-old Hutchins was arrested Wednesday in Las Vegas. Officer Rodrigo Pena, a police spokesman in Henderson, near Las Vegas, said Hutchins spent the night in federal custody in the city lockup.
Andrew Mabbitt, a British digital security specialist who had been staying in Las Vegas with Hutchins, said he and his friends grew worried when they got “radio silence” from Hutchins for hours. The worries deepened when Hutchins’ mother called to tell him the young researcher hadn’t made his flight home.
Mabbitt said he eventually found Hutchins’ name on a detention center website.
One legal scholar who specializes in studying computer crime said it’s unusual, and problematic, for prosecutors to go after someone simply for writing or selling malware — as opposed to using it to further a crime.
“This is the first case I know of where the government is prosecuting someone for creating or selling malware but not actually using it,” said Orin Kerr, a law professor at George Washington University. Kerr said it will be difficult to prove criminal intent.
“It’s a constant issue in criminal law — the helping of people who are committing a crime,” Kerr said. “When is that itself a crime?”
Associated Press writer Raphael Satter in Paris contributed to this report.