LAS VEGAS — The U.S. arrest of a young British cybersecurity researcher is raising major concerns among information-security specialists, leading some to warn it could limit co-operation between the U.S. government and computer experts needed to help fight off future cyberattacks.
Marcus Hutchins was arrested in Las Vegas Wednesday for allegedly creating and selling malicious software able to collect bank account passwords. Many in the security community rallied behind the 22-year-old British hacker, whose quick thinking helped control the spread of the WannaCry ransomware attack that crippled thousands of computers around the world in May. Others reserved judgment as they waited for more evidence that might justify his prosecution.
Computer law expert Tor Ekeland described the evidence so far as flimsy.
“This is a very, very problematic prosecution to my mind, and I think it’s bizarre that the United States government has chosen to prosecute somebody who’s arguably their hero in the WannaCry malware attack and potentially saved lives and thousands, hundreds of thousands, if not millions, of dollars over the sale of alleged malware,” Ekeland said. “This is just bizarre; it creates a disincentive for anybody in the information security industry to co-operate with the government.”
Hutchins, who worked for Los Angeles security firm Kryptos Logic, was detained in Las Vegas as he was returning to his home in southwest Britain from Def Con, an annual gathering of hackers and information security gurus. A grand jury indictment charged Hutchins with creating and distributing malware known as the Kronos banking Trojan.
He was scheduled to appear at a Friday afternoon court hearing after two nights spent at a local lockup.
Such malware infects web browsers, then captures usernames and passwords when an unsuspecting user visits a bank or other trusted location, enabling cybertheft.
The indictment, filed in a Wisconsin federal court last month, alleges that Hutchins and another defendant — whose name was redacted — conspired between July 2014 and July 2015 to advertise the availability of the Kronos malware on internet forums, sell the malware and profit from it. The indictment also accuses Hutchins of creating the malware.
The problem with software creation, however, is that often a program can include code written by multiple programmers. Prosecutors might need to prove that Hutchins wrote code with specific targets.
U.S. Justice Department officials on Friday declined to answers questions about the case. The FBI’s Milwaukee field office, which led the 2-year investigation, didn’t return requests for comment.
Ekeland said that what is notable to him from the indictment is that it doesn’t allege any financial loss to any victims — or in any way identify them. Besides that, laws covering aspects of computer crime are unclear, often giving prosecutors broad discretion.
“The only money mentioned in this indictment is … for the sale of the software,” he said. “Which again is problematic because in my opinion of this, if the legal theory behind this indictment is correct, well then half of the United States software industry is potentially a bunch of felons.”
Jake Williams, a respected cybersecurity researcher, said he found it difficult to believe Hutchins is guilty. The two men have worked together on various projects, including training material for higher education for which the Briton declined payment.
“He’s a stand-up guy,” Williams said in a text chat. “I can’t reconcile the charges with what I know about him.”
Hutchins, who lives with his family in the town of Ilfracombe, England, and worked out of his bedroom, had until Friday afternoon to determine if he wants to hire his own lawyer. The Electronic Frontier Foundation, a San Francisco-based digital rights group, said Friday it was “deeply concerned” about Hutchins’ arrest and was attempting to help him “obtain good legal counsel.”
Hutchins’ mother, Janet, who has been frantically trying to reach her son, said she was “outraged” by the arrest and that it was “hugely unlikely” her son was involved because he spends much of his time combatting such attacks.
The curly-haired computer whiz and surfing enthusiast discovered a so-called “kill switch” that slowed the unprecedented WannaCry outbreak. He then spent the next three days fighting the worm that crippled Britain’s hospital network as well as factories, government agencies, banks and other businesses around the world.
Though he had always worked under the moniker of MalwareTech, cracking WannaCry led to the loss of his anonymity and propelled him to cyber stardom. There were appearances and a $10,000 prize for cracking WannaCry. He planned to donate the money to charity.
“I don’t think I’m ever going back to the MalwareTech that everyone knew,” he told The Associated Press at the time.