LONDON – A computer law expert describes the evidence behind the U.S. arrest of a notorious British cyber security researcher as being problematic — an indictment so flimsy that it would create a climate of distrust between the U.S. government and the community of software experts.
News of Marcus Hutchins’ arrest in the United States for allegedly creating and selling malicious software able to collect bank account passwords has shocked the cyber security community. Many had rallied behind the British hacker whose quick thinking helped control the spread of the WannaCry ransomware attack that crippled thousands of computers in May.
Attorney Tor Ekeland told press that the facts in the indictment fail to show intent.
“This is a very, very problematic prosecution to my mind, and I think it’s bizarre that the United States government has chosen to prosecute somebody who’s arguably their hero in the WannaCry malware attack and potentially saved lives and thousands, hundreds of thousands, if not millions, of dollars over the sale of alleged malware for two thousand dollars,” Ekeland said. “This is just bizarre, it creates a disincentive for anybody in the information security industry to cooperate with the government.”
Hutchins was detained in Las Vegas as he was returning to his home in southwest Britain from an annual gathering of hackers and information security gurus. A grand jury indictment charged Hutchins with creating and distributing malware known as the Kronos banking Trojan.
Such malware infects web browsers, then captures usernames and passwords when an unsuspecting user visits a bank or other trusted location, enabling cyber theft.
The indictment, filed in a Wisconsin federal court last month, alleges that Hutchins and another defendant — whose name was redacted — conspired between July 2014 and July 2015 to advertise the availability of the Kronos malware on internet forums, sell the malware and profit from it. The indictment also accuses Hutchins of creating the malware.
The problem with software creation, however, is that often a program can include code written by multiple programmers. Prosecutors might need to prove that Hutchins wrote code with specific targets.
Another big question is the identity of the co-defendant in the case, whose name is redacted in the indictment. The co-defendant allegedly advertised the malware online. Hutchins is accused of creating and transmitting the program.
Ekeland said that what is notable to him from the indictment is that it doesn’t allege any financial loss to any victims — or in any way identify them.
“The only money mentioned in this indictment is $2,000 for the sale of the software,” he said. “Which again is problematic because in my opinion of this, if the legal theory behind this indictment is correct, well then half of the United States software industry is potentially a bunch of felons.”
Authorities said the malware was first made available in early 2014, and “marketed and distributed through AlphaBay, a hidden service on the Tor network.” The U.S. Department of Justice announced in July that the AlphaBay “darknet” marketplace was shut down after an international law enforcement effort.
Hutchins, who lives with his family in the town of Ilfracombe, England, and worked out of his bedroom, has until Friday afternoon to determine if he wants to hire his own lawyer.
The British hacker was in Las Vegas for Def Con, an annual cyber security conference that ended Sunday. On Wednesday, Hutchins made comments on Twitter that suggested he was at an airport getting ready to board a plane for a flight home. He never left Nevada.
Another expert in computer crime, Orin Kerr from George Washington University law school, also took aim at the charges. Kerr said it’s unusual, and problematic, for prosecutors to go after someone simply for writing or selling malware — as opposed to using it to further a crime.
“The indictment is pretty bare bones, and we don’t have all the facts or even what the government thinks are the facts,” Kerr wrote in an opinion piece in the Washington Post. “So while we can’t say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case.”
Jake Williams, a respected cyber security researcher, said he found it difficult to believe Hutchins is guilty. The two men have worked on various projects, including training material for higher education for which the Briton declined payment.
“He’s a stand-up guy,” Williams said in a text chat. “I can’t reconcile the charges with what I know about him.”
The curly-haired computer whiz and surfing enthusiast discovered a so-called “kill switch” that slowed the unprecedented WannaCry outbreak. He then spent the next three days fighting the worm that crippled Britain’s hospital network as well as factories, government agencies, banks and other businesses around the world.
Though he had always worked under the moniker of MalwareTech, cracking WannaCry led to the loss of his anonymity and propelled him to cyber stardom. There were appearances and a $10,000 prize for cracking WannaCry. He planned to donate the money to charity.
“I don’t think I’m ever going back to the MalwareTech that everyone knew,” he told press agencies at the time.
DANICA KIRKA
KEN RITTER
