WannaCry hero arrested

Marcus Hutchins, British cyber-security researcher, who was credited for derailing the WannaCry attack that took place in May, has been arrested.

According to US authorities, he allegedly created and distributed malicious software designed to collect bank-account passwords. He was arrested while attending a conference in Las Vegas.

Background

One of the most potent cyberattacks took place in May 2017 that paralyzed hundreds of thousands of systems across the world. The WannaCry ransomware cryptoworm, targeted computers that were running on Microsoft Windows operating system. It encrypted data in the systems and demanded ransom payments in Bitcoins.

In one day, it infected over 230,000 computers and the attack spread over 150 countries. Many institutions across the world like UK’s National Health Service (NHS), FedEx, Deutsche Bahn and Spain’s Telefonica were hit. Hutchins, a 23-year-old researcher, accidentally found and activated the “kill switch” that helped end the attack. At the time, Hutchins wanted to be anonymous and called himself MalwareTech. However, his identity was revealed by the media and he was subsequently lauded for his actions.

Hutchins got his first job straight out of school largely because of his skill at writing software and his tech blog. A company in the US called Krptos Logic, got in touch with him and offered him a job impressed with his work about a year ago. He worked for the company remotely from Britain.

Analysis

Hutchins was reportedly stopped by the FBI and arrested as he was about to board a flight from Las Vegas back to Britain. He had been in the country to attend Black Hat and Defcon security conferences. According to the Department of Justice (DoJ), he stands accused of having created the Kronos banking trojan. This was a widespread piece of malware used to steal banking credentials from victim’s computer systems. He has been charged with conspiracy to sell this malware for $3,000 in a dark web market place called AlphaBay. AlphaBay was recently shut down by the US authorities.

His arrest has created a lot of ripples within the cyber-community where he was a respected member. Orin Kerr, a law professor at George Washington University said, “It’s not a crime to create malware. It’s not a crime to sell malware. It’s a crime to sell malware with the intent to further someone else’s crime. This story alone doesn’t really fit. There's got to be more to it, or it’s going to run into legal problems."

The UK's National Crime Agency said: "We are aware a UK national has been arrested but it's a matter for the authorities in the US."

Assessment

Our assessment is that it is too early to say if the charges against Hutchins will lead to an indictment or if they will be dropped.