Marcus Hutchins faces new charges over malware creation and lying to the FBI

Marcus Hutchins, the security researcher who stopped the WannaCry outbreak last year and was later arrested in the US following his attendance at a security conference, is to face new charges alleging that he was behind a second malware tool and that he lied to the FBI.

The latest charges claim that Hutchins was responsible for coding the UPAS Kit malware, adding that he sold the code to an associate with the alias VinnyK who, the prosecutors claim, was located in Wisconsin. It was subsequently advertised on Russian cyber crime forums as "an advanced rootkit" similar to SpyEye and Zeus, written in C++.

Among the ten counts, it is also claimed that Hutchins lied to the FBI under questioning following his arrest in August. Hutchins has already suggested that he was not in a fit state to be questioned when he was arrested.

Hutchins, also known as MalwareTech, has described the charges as "bullshit". He tweeted: "Spend months and $100k+ fighting this case, then they go and reset the clock by adding even more bullshit charges like ‘lying to the FBI'."

However, the new charges are not only outside the usual five-year statute of limitations, Hutchins would have been a minor - under 18 - at the time.

In a blog post, civil liberties journalist Marcy Wheeler, who tweets under the moniker @emptywheel, described the new charges as an attempt by the FBI to rescue a flailing case.

"When last we checked in on the MalwareTech (Marcus Hutchins) case, both FBI agents involved in his arrest had shown different kinds of unreliability on the stand and in their written assertions…

"Hutchins' defence had raised a slew of legal challenges that, together, showed the government stretching to use wiretapping and CFAA [Computer Fraud and Abuse Act] statutes to encompass writing code so as to include Hutchins in the charges.

"It looked like the magistrate in the case, Nancy Joseph, might start throwing out some of the government's more expansive legal theories."

Wheeler adds that VinnyK, who is the source of the FBI's claims, is nevertheless not facing charges of any kind. He was intercepted by the organisation when he unknowingly sold copies of Kronos to an FBI agent.

The charges of lying to the FBI, meanwhile, relate to his denials about knowing that code that he had written had been incorporated into the Kronos malware, over which he was arrested in August.

Hutchins, meanwhile, has renewed his request for contributions to his legal defence fund, with the new charges effectively enabling the FBI to prosecute him a second time round.

His lawyer, meanwhile, described the new charges as "meritless", adding: "It only serves to highlight the prosecution's serious flaws. We expect [Hutchins] to be vindicated and then he can return to keeping us all safe from malicious software."