Is Malwaretech, aka Marcus Hutchins, innocent?
The FBI says Hutchins wrote the code for the Kronos banking Trojan, which harvests banking credentials by intercepting passwords in transit, and that's why they arrested him last week at Las Vegas airport. Without seeing all the evidence from both sides, it's impossible to know.
According to prosecutor Dan Cowhig. Hutchins admitted to creating the software in a police interview. As you would expect, Hutchins' lawyer Adrian Lobo said her client was innocent – and so does his mum, his friends and many in the industry who've set up a crowdfunding site for his defence. He is expected to deny all six charges against him. If convicted, he could face up to 40 years in a US jail.
The FBI clearly know more about the case than I do, but at the risk of being contradicted by future revelations, I'd suggest Hutchins could at least partly be a victim of the lack of clarity surrounding the legitimacy of the activities of security researchers, bug-bounty hunters and penetration testers, ie white hat hackers who do almost the same as the bad guys, but for good purposes. That and the fact that code we write can get used by others for different purposes. The law is still being worked out when it comes to prosecuting the creators of code that is subsequently used for crime.
It's true that Hutchins' teenage history as ‘TouchMe' does show some embarrassing Internet Relay Chat (IRC) logs suggesting a certain amount of low level hacking as a kid, but that's not uncommon among current white hat security researchers and it's easy enough to see the temptations at a young age.
In the Kronos case, Hutchins' supporters say he simply found an exploitable flaw, which he posted, and which was then taken and used by the bad guys. The FBI says that he and a co-conspirator knowingly caused the transmission of a program, information, code and command to result in intentionally causing damage without authorisation to 10 or more protected computers.
He and his co-accused are said to have created the Kronos malware, updating the malware, advertising the availability of Kronos on AlphaBay market forum and of selling Kronos malware for $US 2,000 in digital currency. FBI agents took AlphaBay offline on 4th July, seven days before the indictment against Hutchins and his co-defendant, so the move could well be fallout from that takedown.
Hutchins is also accused of posting a video showing the functionality of the Kronos banking Trojan to demonstrate how it works. That wouldn't be surprising.
Kronos itself comprises available code taken from various places including earlier programs and desk-sharing elements which others – potentially including Hutchins – could have coded without malicious intent.
Hutchins personally is specifically accused of creating the Kronos software in 2014, and updating the software later in 2015, after his unnamed co-defendant began to sell the malware. Much of the indictment refers to Hutchins' co-defendant, whose name remains under seal – and could now be working with the government and testifying against Hutchins.
In July 2014 a Twitter post by Hutchins asked if anyone had a sample of Kronos, presumably not something he'd say if he'd written it, unless checking to see if it included his code, or part of an elaborate ploy to distance himself from it.
The Verge reports Tor Ekeland, a defence attorney who frequently takes on Computer Fraud and Abuse Act cases, saying on Twitter, “[The Department of Justice] just arrested the guy who helped stop Wannacry because someone he allegedly worked with made $2,000 from the sale of malware.”
Four of the six counts against Hutchings are based on an anti-wiretapping statute, which might not apply, plus no one says he used the tools himself.
Kurt Opsahl, deputy executive director of digital civil liberties group the Electronic Frontier Foundation, was reported by The Independent as saying outside court: “Security researchers are vital to protecting the computers we rely upon every day. Mr Hutchins' arrest has unfortunately deepened the divide between the research community and the government.”
You could say SC has a vested interest in that earlier this year SC awarded Hutchins a Special Recognition award for registering what turned out to be a kill switch for the WannaCry ransomware worm that froze data on some 75,000 systems globally. I stand by that decision. Frankly, Hutchins could be convicted and I'd be inclined to say he deserved a pardon for that act, saving not just the NHS but halting a globally spreading contagion of locked computers.
However, SC does not and never would condone criminal activity, and it supports efforts to prevent it, which is why I for one, hope Marcus Hutchins is found ‘not guilty'.
Tony Morbin, Editor in Chief, SC Media UK
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.