Security researcher who stopped WannaCry, arrested and charged with creating Kronos banking Trojan
Hutchins detained by FBI as he returned to the UK from Black Hat security conference
Marcus Hutchins, the security researcher who stopped the WannaCry ransomware outbreak in May, has been arrested by the FBI as he tried to return to the UK after the Black Hat and Def Con security conferences in the US - and indicted "for his role in creating and distributing the Kronos banking Trojan", according to a statement tonight from the US Department of Justice (DoJ).
Hutchins, who works for security research outfit Kryptos Logic but is better known by his Twitter moniker @MalwareTechBlog, was arrested at the airport in Las Vegas as he sought to board a plane home.
The DoJ statement continued: "The charges against Hutchins, and for which he was arrested, relate to alleged conduct that occurred between in or around July 2014 and July 2015."
The UK's National Cyber Security Centre is aware of the situation, according to the BBC, while a spokesman for the Foreign and Commonwealth Office told Computing: "We are in touch with local authorities in Las Vegas following reports of a British man being arrested."
The DoJ indictment is dated 12 July and claims that he created the Kronos banking Trojan and sold it via internet hacking forums, including the AlphaBay 'dark web' market, which was shut down this summer.
Hutchins, 23, is a self-taught 'white hat' hacker. Friends and acquaintances expressed surprise at the arrest and suggested that the FBI had made a colossal mistake.
Security architect Kevin Beaumont tweeted: "Kronos is a banking BOTNET. MalwareTech's business is *tracking* botnets," adding, "It looks like the US justice system has made a huge mistake."
Beaumont also pointed out that Kronos was a Russian banking botnet, and it's unlikely that Hutchins is as proficient in Russian as he is at computing. However, the indictment also includes a conspirator whose identity has been redacted.
Mabbitt, meanwhile, tweeted: "I refuse to believe the charges against @MalwareTechBlog, not the MT [MalwareTech] I know at all. He spent his career stopping malware, not writing it."
However, the indictment is quite clear in its accusations: "Defendant Marcus Hutchins created the Kronos malware… [and] in or around August 2014, on an internet forum, [the] defendant… offered to sell the 'Kronos Banking Trojan' for $3,000."
It adds that he also advertised the availability of the Kronos malware on the AlphaBay market forum in April 2015, and sold a version of the malware for $2,000 "in digital currency" in June 2015. It also accuses Hutchins of offering "cryptying [sic] services for Kronos".
The arrest was first reported by the tech news website Motherboard, which suggested that he was taken to the Henderson Detention Center for questioning, before being moved.
An acquaintance of Hutchins, Andrew Mabbitt, founder of Fidus Information Security, subsequently confirmed the arrest and added that he was trying to hire a lawyer on Hutchins' behalf, after locating him at the FBI's Las Vegas, Nevada field office. The CEO of Kryptos Logic, Hutchins' employer, he noted, had "been as useful as a chocolate teapot".
Security researcher Hutchins had brought the WannaCry ransomware to a halt after registering the domain of a URL that the malware was programmed to contact. The check was a rudimentary means for the malware to ascertain whether it was being examined in a 'sandbox'; the registration caused the ransomware to shut down.
Computing will update the story as new information comes in.