WannaCry 'kill switch hero' arrested by FBI; bitcoin wallets emptied

News by Bradley Barth

On Wednesday the US FBI arrested UK researcher Marcus Hutchins, aka Malwaretech, who was internationally celebrated after disabling WannaCry ransomware with a kill switch he reported discovering.

The US indictment alleges that Hutchins created the Kronos banking trojan and conspired with others to advertise, sell and profit from the malware between July 2014 and July 2015, in the process causing damage to at least 10 protected computers within a one-year period.

Citing a spokeswoman from the US Marshals Service, a report from Motherboard states that Hutchins was picked up by authorities in Las Vegas, where he had been attending the Black Hat and DEF CON conventions. Motherboard later published the federal indictment formally charging Hutchins with computer fraud.

Filed on July 11, 2017 in the Eastern District of Wisconsin, the indictment states that the Kronos malware records and exfiltrates users' banking credentials. It also references a July 2014 video that was published on a publicly accessible website in order to demonstrate Kronos' capabilities to potential buyers. SC Media has contacted the FBI for additional details.

Hutchins is reported to have been indicted alongside an unnamed co-defendant and, according to the Guardian, is accused of six counts of hacking-related crimes arising from his alleged involvement with Kronos. Radio 4 reports questioned whether making and updating the software, if this were proven to be the case, would in itself be a crime, or whether it would also need to be proven that the defendant deployed it.

Separately, on the same Wednesday, 2nd August, the wallets linked to the May 2017 WannaCry ransomware campaign were apparently emptied after lying dormant for roughly 12 weeks: someone withdrew roughly £110,000 from three bitcoin addresses associated with the attack and transferred the funds into several further accounts.

It was Keith Collins, a tech reporter at Quartz, who disclosed the WannaCry cryptocurrency transactions, after a Twitter bot he had set up to watch the three wallets detected the withdrawals, which were made in multiple instalments of roughly £15,000 to £20,000.

"The money was likely sent through a bitcoin mixer, a process that obscures its trail from bitcoin to hard currency. The process is a sort of laundering operation for digital currency," explained Collins in a blog post detailing his observations.

"It was thought that there was so much attention to those particular accounts by law enforcement and by other agencies as well that the [bitcoin] stored in those wallets wouldn't have been able to be released. There was just too much heat, as it were," said Carl Leonard, principal security analyst at Forcepoint, in an interview with SC Media. "But... what we're seeing is large chunks of that money are being taken bit by bit through the bitcoin exchange system. The malware authors are now trying to spread those funds around in order to get them outside of the bitcoin platform." Leonard said that monitoring this activity could help investigators in identifying additional abused cryptocurrency accounts and wallets, if not necessarily the perpetrator.

The prevailing theory among experts is that the WannaCry attack was launched by North Korea-sponsored hackers.

However, Orla Cox, director of security response at Symantec, said that it is not entirely certain who emptied the wallets. "There is no way of knowing whether it was the WannaCry attackers, or even law enforcement, that accessed the three bitcoin addresses," she told SC Media, passing along a quote she had previously provided to Bloomberg Technology. Additionally, "These addresses may not represent all of the attackers' earnings as WannaCry can generate unique bitcoin addresses per infection."

The WannaCry attacks shut down endpoints and organisations in more than 150 countries, spreading from machine to machine across networks using a wormable exploit. Its propagation was halted, however, after Hutchins triggered a kill switch: the ransomware attempted to resolve a particular domain before running, and because that domain was unregistered the lookup failed and the malware carried on. Hutchins registered the domain, so the lookup began to succeed and newly infected hosts stopped spreading it.
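To make the kill-switch mechanism concrete, the following is an added example written for this page, not code from the article or from the malware: it simulates a worm that resolves a domain before running its payload and spreading, and a stand-in DNS registry that can be updated mid-outbreak. The domain name, the sinkhole address and the host counts are placeholders; the real WannaCry domain is deliberately not reproduced.

```python
"""Simulation of a DNS-based malware kill switch (added example, not from the article)."""
import socket
from typing import Callable, Iterable, Optional

KILL_SWITCH_DOMAIN = "example-killswitch.invalid"  # hypothetical placeholder, not the real domain
SINKHOLE_IP = "192.0.2.10"                         # RFC 5737 documentation address (placeholder)

Resolver = Callable[[str], str]


class FakeRegistry:
    """Stand-in for public DNS so the example runs offline.

    Names in `registered` resolve to SINKHOLE_IP; any other name raises
    socket.gaierror, which is what socket.gethostbyname raises for NXDOMAIN.
    `auto_register_after` models a researcher registering the domain while an
    outbreak is already under way: after that many failed lookups the name
    starts to resolve.
    """

    def __init__(self, registered: Iterable[str] = (),
                 auto_register_after: Optional[int] = None) -> None:
        self.registered = set(registered)
        self.auto_register_after = auto_register_after
        self.lookups = 0

    def register(self, name: str) -> None:
        self.registered.add(name)

    def __call__(self, name: str) -> str:
        self.lookups += 1
        became_registered = (self.auto_register_after is not None
                             and self.lookups > self.auto_register_after)
        if name in self.registered or became_registered:
            return SINKHOLE_IP
        raise socket.gaierror(-2, "Name or service not known")


def kill_switch_fires(domain: str, resolve: Resolver = socket.gethostbyname) -> bool:
    """True when the kill-switch domain resolves, i.e. the malware should exit.

    Only the presence of an answer matters: a sinkhole IP and a genuine
    registration look identical to this check. Conversely every lookup
    failure (NXDOMAIN, no outbound DNS, timeout) reads as "not registered"
    and lets the malware continue, which is the failure mode a defender
    relying on a registered domain has to keep in mind.
    """
    try:
        resolve(domain)
    except OSError:  # socket.gaierror and socket.timeout are OSError subclasses
        return False
    return True


def simulate_outbreak(hosts: int, resolve: Resolver,
                      domain: str = KILL_SWITCH_DOMAIN) -> int:
    """Worm loop over a flat network of `hosts` machines (constructed model).

    Host 0 receives the initial infection. On every host the malware first
    performs the kill-switch lookup; if it resolves, the malware exits without
    running its payload or spreading. Returns the number of hosts on which the
    payload actually ran.
    """
    compromised = set()
    visited = set()
    pending = [0]
    while pending:
        host = pending.pop()
        if host in visited:
            continue
        visited.add(host)
        if kill_switch_fires(domain, resolve):
            continue  # kill switch fired on this victim: no payload, no spreading
        compromised.add(host)
        pending.extend(h for h in range(hosts) if h not in visited)
    return len(compromised)


if __name__ == "__main__":
    print("unregistered domain:", simulate_outbreak(10, FakeRegistry()))
    print("registered from the start:", simulate_outbreak(10, FakeRegistry([KILL_SWITCH_DOMAIN])))
    print("registered after 3 lookups:", simulate_outbreak(10, FakeRegistry(auto_register_after=3)))
```

With the placeholder registry, the whole ten-host network is compromised while the domain is unregistered, no host runs the payload once the domain resolves from the start, and registering it after three lookups leaves exactly three compromised hosts: the same check that lets the worm spread while the name is unclaimed is what stops it the moment anyone registers the name, which is why a single registration could halt the propagation described above.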

In a tweet, the Electronic Frontier Foundation digital rights group commented that it is "deeply concerned about security researcher Marcus Hutchins' arrest. We are looking into the matter, and reaching out to Hutchins." Hutchins was given a US $10,000 (£7,600) reward and an SC Special Recognition Award, and was reported to have been helping GCHQ in the wake of his actions, which he described as "accidentally stopping an international cyber-attack".
