WannaCry ‘hero’ to pay $30,000 for bail, plead not guilty to Kronos trojan charges

Be a “hero” to the internet; come to the U.S. and get arrested. That is the situation that shook the security community when the FBI arrested British security researcher Marcus Hutchins after he left Def Con.

Hutchins, aka MalwareTech, was arrested Aug. 2 for allegedly creating the banking trojan Kronos. Earlier this year, Hutchins was dubbed a hero for finding the WannaCry ransomware kill switch and was then doxed by reporters as a show of gratitude. His bail was set at $30,000, yet he spent the weekend in jail because there wasn’t enough time to pay the bail before the clerk’s office closed on Friday.

After he is released on Monday, Hutchins will remain in the U.S. with GPS monitoring and go to Wisconsin where he will face a six-count federal indictment; it alleges he created and sold Kronos. He will not be allowed to use a computer or access the internet.

The U.S. government claims that between July 2014 and 2015, Hutchins created, advertised, distributed and profited from the Kronos malware. Another defendant is also named in the indictment, but that name was redacted and the person is still at large.

The redacted co-defendant allegedly advertised Kronos for sale on the darknet marketplace AlphaBay. A video showing off Kronos, the government said, was posted on a publicly available website by the co-defendant before that person tried to sell the trojan for $3,000. Prosecutors told a Las Vegas court that undercover officers bought the code from Hutchins and his co-defendant for $2,000 during a sting operation.

The BBC added that prosecutor Dan Cowhig told the court Hutchins confessed during a police interview. Cowhig said, “He admitted he was the author of the code of Kronos malware and indicated he sold it.”

The government allegedly has chat log evidence of Hutchins complaining about not receiving a fair share from that sale.

The government also claimed Hutchins poses a risk to the public and should not be released on bail because he visited a touristy gun range and went shooting. Judge Nancy Kobbe didn’t buy into that.

Hutchins’ attorney, Adrian Lobo, said Hutchins pled not guilty.

Regarding the six counts in the indictments, which range from conspiracy to violate CFAA and wiretapping, attorney and professor Orin Kerr said the “government’s theory of the case is fairly aggressive” and “will lead to some significant legal challenges.”

People who believe he is innocent, as well as those who don’t, are digging into the case; that includes finding old IRC chat logs, an old tweet and blog post, and interviewing a Kronos banking malware dealer.

Hutchins is being painted as a white hat and a black hat, depending on who is talking. Some media outlets, such as the Daily Mail, claimed Hutchins was really living it up while visiting Las Vegas, such as by renting a Lamborghini and a mansion. Those misreported facts were later swatted down.

Security researchers have long been wary that their research will land them in hot legal water; the case against Hutchins has only intensified that fear. As the BBC reported, Hutchins had previously tweeted that someone stole his code and used it in Kronos. That’s a far cry from what the government claims. If indicted, Hutchins could face decades in prison.

If interested, there is the crowdfunding campaign for Hutchins; there’s a page for U.S. users and one for users overseas.