Daily Bulletin

The dangers of leaving home: UK WannaCry ransomware hero arrested in the US

  • Written by: David Glance, Director of UWA Centre for Software Practice, University of Western Australia

The 23-year-old UK cybersecurity expert Marcus Hutchins, who was involved in stopping the spread of the WannaCry ransomware attack, has been arrested by the FBI in the US. Hutchins – also known as “MalwareTech” – had been attending the Defcon hacking conference in Las Vegas, and was about to board a plane back to the UK when he was taken away by law enforcement officials.

The indictment filed against Hutchins and another accomplice claims that he had been involved with the creation of a banking trojan malware called “Kronos”, and that both he and the other defendant were involved in the promotion and selling of the trojan through darknet markets and Russian hacking forums.

A friend of Hutchins, Andrew Mabbit, who had travelled to Defcon with him, has been trying to coordinate legal aid and find out more details of where Hutchins is being held.

One of the claims of the indictment is that Hutchins’ co-defendant had created a YouTube video demonstrating how Kronos works. A video posted on the same date as that claimed in the indictment is still available on YouTube, as are other videos showing how to set up Kronos.

Interestingly, the darknet market that was allegedly used to sell Kronos was AlphaBay, which was taken down recently through a global law enforcement operation. Methods of payment for the Kronos malware also included payments through the BTC-e.com cryptocurrency exchange, which has also been shut down after being implicated in money laundering.

What is Kronos?

Kronos is a type of malware that, once installed on a victim’s computer, is able to alter forms from financial institutions and online sites to capture a user’s credit card or bank login details.

The malware came to researchers’ attention because of the relatively high price being asked for it: US$7,000.

In addition to being able to capture user details, Kronos comes with user interfaces and administration capabilities to manage the infected machines through its “command and control centre” software.

On an infected machine, Kronos tries to disable other malware that may be present, and hides itself from antivirus software and examination by cybersecurity investigators.

What will happen to Hutchins now?

Hutchins appeared before a US judge in Las Vegas on Thursday, with the trial set to continue on Friday. Although the lawyer defending Hutchins claimed that he “had cooperated with the government prior to being charged”, it is unclear whether his other work helping the FBI and other countries to deal with WannaCry will be taken into consideration in sentencing him.

The dangers of travelling to the US

Arresting people when they are travelling outside of the protection of their home country is a popular tactic of the US authorities. So much so, that Russia issued a warning in 2013 that anyone who risked the attentions of the US authorities should not leave Russia. This followed the arrest in 2013 of Russian hacker Aleksander Panin, wanted for an online banking theft, when he was in the Dominican Republic. More recently, Russian Alexander Vinnik was arrested in Athens on behalf of US authorities for his part in laundering money through the BTC-e.com exchange.

Companies have even tried to lure hackers to the US with offers of an interview for a fake job. Games company Valve worked with the FBI in 2003 to lure Axel “Ago” Gembe from Germany to the US for his involvement in stealing and releasing the source code for the game Half Life 2.

It may have been simply serendipity that Hutchins was coming to the US a month after the indictment for his arrest had been filed and he would have faced arrest in the UK and then extradition. The FBI would certainly have wanted to avoid the complications of extradition, but it’s unclear whether there was cooperation with the UK’s National Crime Agency in this arrest.

The distinction between White and Black Hat Hackers is often Grey

Many cybersecurity researchers and investigators often find themselves in a difficult position when it comes to dealing with cybersecurity. Pointing out vulnerabilities in a system can result in the person doing the reporting being charged themselves.

In 2011, an Australian pensions company, First State Superannuation, reported security investigator Patrick Webster to police, and threatened to levy charges on him when he reported that he was able to access the accounts of other customers by modifying the web address details.

Investigating cybercriminals can sometimes require gaining their confidence by pretending to be a criminal. Whether something like this motivated Hutchins’ involvement in Kronos, or indeed whether the allegations are actually true, is yet to be determined.

Authors: David Glance, Director of UWA Centre for Software Practice, University of Western Australia

Read more http://theconversation.com/the-dangers-of-leaving-home-uk-wannacry-ransomware-hero-arrested-in-the-us-82084
