MalwareTech arrested for Kronos banking Trojan connection

The FBI detained and arrested a security researcher who allegedly created the Kronos banking Trojan.

Marcus Hutchins, also known as MalwareTech, was arrested in Las Vegas following the DefCon 2017 conference after what the FBI said was a two-year investigation. Hutchins, a U.K. citizen, gained notoriety during the WannaCry ransomware outbreak when he and fellow security researcher Matt Suiche found hardcoded command-and-control servers in the WannaCry code. The two researchers registered the C&C domains and effectively broke the ransomware.

However, the U.S. Department of Justice alleges that Hutchins, who also works for cybersecurity vendor Kryptos Logic, was one of two people behind the Kronos banking Trojan.

"Hutchins was charged with one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavoring to intercept electronic communications, and one count of attempting to access a computer without authorization," Gregory Haanstad, U.S. attorney for the eastern district of Wisconsin, wrote in a statement. "The alleged conduct for which Hutchins was arrested occurred between in or around July 2014 and July 2015."

According to the indictment obtained by CNN Tech, the FBI claims Hutchins created the Kronos banking Trojan, a co-defendant (name redacted) released a video demonstration of the malware on July 13, 2014, Hutchins and the co-defendant updated the Kronos banking Trojan in February 2015, and then the co-defendant posted and sold the Trojan on the AlphaBay darknet marketplace in mid-2015.

AlphaBay was seized and shut down by the FBI and DEA in early July and European law enforcement used that closure to lure users to the Hansa darknet market, which was also shut down last month.

However, because Hutchins tweeted on July 13, 2014, asking for a malware sample of the banking Trojan, Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said on Twitter that "it doesn't add up that he wrote it in 2014 and asked for a sample of it in the same time frame."

In this tweet, the man who is accused of writing Kronos publicly asked for a Kronos sample. He sure knows how to play the alibi long game... https://t.co/IiTeO5Imdb

— Jake Williams (@MalwareJake) August 3, 2017

The news of Hutchins' arrest was first reported by Motherboard, which wrote that Hutchins was first detained at the Henderson Detention Center in Nevada.

Andrew Mabbitt, a friend of Hutchins and founder of Fidus Information Security, said on Twitter that he initially didn't know where Hutchins had been taken, but ultimately found him at the FBI's field office in Las Vegas. Mabbitt also said the Electronic Frontier Foundation has arranged legal representation for Hutchins.