Hacker who helped end global cyberattack arrested in US
Marcus Hutchins, a young British computer security researcher credited with derailing a global cyberattack
in May, was arrested for allegedly creating and distributing malicious
software designed to collect bank-account passwords, US authorities said
on Thursday.
Hutchins was detained in Las Vegas on his way back to the UK from an annual gathering of hackers
and information security gurus. A grand jury indictment charged
Hutchins with creating and distributing malware known as the Kronos
banking Trojan.
Such malware infects web browsers, then captures usernames and
passwords when an unsuspecting user visits a bank or other trusted
location.
News of Hutchins' detention came as a shock to the cybersecurity
community. Many had rallied behind the researcher whose quick thinking
helped control the spread of the WannaCry attack that crippled thousands of computers last May.
The indictment, filed in a Wisconsin federal court last month,
alleges that Hutchins and another defendant - whose name is redacted -
conspired between July 2014 and July 2015 to advertise the availability
of the Kronos malware on internet forums, sell the malware and profit
from it. The indictment also accuses Hutchins of creating the malware.
Authorities said the malware was first made available in early 2014,
and "marketed and distributed through AlphaBay, a hidden service on the
Tor network." The US Department of Justice announced in July that the
AlphaBay "darknet" marketplace was shut down after an international law
enforcement effort.
A court hearing was scheduled for Hutchins on Thursday afternoon in Las Vegas. It was not immediately clear if he has a lawyer.
'Deeply concerned'
The Electronic Frontier Foundation, a San Francisco-based digital
rights group, said it was "deeply concerned" about Hutchins' arrest and
was attempting to reach him.
Hutchins recently attended Def Con, an annual cybersecurity
conference in Las Vegas that ended on Sunday. On Wednesday, Hutchins
made some routine comments on Twitter that suggested he was at an
airport getting ready to board a plane for a flight home. He never left
Nevada.
A Justice Department spokesman confirmed the 22-year-old Hutchins was
arrested on Wednesday in Las Vegas. Officer Rodrigo Pena, a police
spokesman in Henderson, near Las Vegas, said Hutchins spent the night in
federal custody in the city lockup.
Andrew Mabbitt, a British digital security specialist who had been
staying in Las Vegas with Hutchins, said he and his friends grew worried
when they got "radio silence" from Hutchins for hours. The worries
deepened when Hutchins' mother called to tell him the young researcher
hadn't made his flight home.
Mabbitt said he eventually found Hutchins' name on a detention centre
website. News of his indictment on Wednesday left colleagues scrambling
to understand what happened.
"We don't know the evidence the FBI has against him, however we do
have some circumstantial evidence that he was involved in that community
at the time," said computer security expert Rob Graham.
Malware prosecutions
The co-defendant allegedly advertised the malware online. Hutchins is accused of creating and transmitting the programme.
The problem with software creation is that often a programme includes
code written by multiple programmers. Prosecutors might need to prove
that Hutchins wrote code with specific targets.
"I've written code that other people have injected malware into,"
said Graham. "We know that large parts of Kronos were written by other
people."
One legal scholar who specialises in studying computer crime told AP
it's unusual, and problematic, for prosecutors to go after someone
simply for writing or selling malware - as opposed to using it to
further a crime.
"This is the first case I know of where the government is prosecuting
someone for creating or selling malware but not actually using it,"
said Orin Kerr, a law professor at George Washington University. Kerr
said it will be difficult to prove criminal intent.
"It's a constant issue in criminal law - the helping of people who
are committing a crime," Kerr said. "When is that itself a crime?"
Hutchins was hailed as a hero in May for finding and triggering a
"kill switch" for a WannaCry ransomware attack that was spreading wildly
around the world, locking away data on computers and demanding money
for its release.
Andrew Mabbitt, another security researcher who was with Hutchins in Las Vegas, said he did not believe the allegations.
"He spent his career stopping malware, not writing it," Mabbitt said on Twitter.
Source: News agencies
No comments
Your comments and Encouragement are welcome