The FBI on Thursday, August 3, 2017 arrested Marcus Hutchins, a U.K. national, on charges that he helped create and sell a banking trojan called Kronos.
Hutchins is known for halting the spread of the WannaCry ransomware in May by registering its kill-switch domain; the outbreak took down part of the U.K. National Health Service and infected hundreds of thousands of other computers worldwide.
He was arrested at the Las Vegas airport as he was about to fly home from the DEF CON hacker conference and is being held by the FBI.
A spokesperson for the U.K. Foreign Office told Grasswire: “We are in contact with the local authorities in Las Vegas following the arrest of a British man, and are providing support to his family.” The spokesperson referred further questions to U.S. law enforcement.
According to an indictment returned on July 11 and unsealed on Thursday, a federal grand jury charged Hutchins on six counts, including one alleging that he wrote the Kronos banking trojan.
Indictment (PDF): https://assets.documentcloud.org/documents/3912524/Kronos-Indictment-R.pdf
Kronos was first advertised on a Russian-language underground forum in 2014 with a price tag of $7,000. Hutchins and a second accused co-conspirator, whose name is redacted in the indictment, allegedly developed the malware and advertised and sold it on the darknet marketplace AlphaBay. Capabilities attributed to Kronos include the following:
- Designed to steal login credentials for banking websites
- Operates as a man-in-the-browser (MITB) injector
- Targets the Google Chrome, Mozilla Firefox and Internet Explorer web browsers
- Uses form-grabbing and HTML content injection to capture and manipulate what the victim submits and sees
- Creates a registry autostart entry so that it runs each time Windows starts
- Logs keystrokes on infected machines to a file that the operator can later retrieve remotely over FTP, SMTP or HTTP
- Injects HTML that mimics legitimate websites (Amazon, for example) to trick users into entering their credentials
- Reports details of the infected machine, including processor type, local drives, operating system, IP address, mail accounts and documents
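The registry autostart entry above is the piece of this toolkit a responder can check for quickly. The following is an added example, not code from the article, the indictment or any Kronos sample: it triages `Run`-key entries in the text layout printed by `reg query`, scoring each one on signals that banking trojans of this kind tend to share (an executable under a user-writable directory, a system-binary name such as `svchost.exe` outside the Windows directory, or a proxy host such as `rundll32.exe` loading a payload from a temp folder). The sample output and the environment-variable table are constructed for this example; real triage would read the live registry and environment.

```python
"""Triage Windows Run-key autostart entries for banking-trojan-style persistence.

Added example for this article; not from the article, the indictment or Kronos.
Input is constructed text in the layout that `reg query HKCU\\...\\Run` prints.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, not real forensic output.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %ProgramFiles%\Windows Defender\MSASCuiL.exe
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\svchost.exe
    ctfmon    REG_SZ    rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,Start
"""

# Stand-in expansion table for the constructed host (assumption for this example).
ENV = {
    "%ProgramFiles%": r"C:\Program Files",
    "%SystemRoot%": r"C:\Windows",
    "%APPDATA%": r"C:\Users\alice\AppData\Roaming",
    "%LOCALAPPDATA%": r"C:\Users\alice\AppData\Local",
    "%TEMP%": r"C:\Users\alice\AppData\Local\Temp",
}

# Path fragments an unprivileged user can write to; a legitimate app (OneDrive) lives
# there too, so this signal alone is worth one point and never a verdict on its own.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\public\\")
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe", "services.exe"}
PROXY_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

# "<name>  <type>  <data>" lines; the key header and blank lines are not indented.
ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.+?)\s*$")


@dataclass
class Finding:
    name: str
    command: str
    score: int = 0
    reasons: list = field(default_factory=list)


def expand(data):
    """Expand %VAR% references the way REG_EXPAND_SZ values are expanded at logon."""
    for var, val in ENV.items():
        data = re.sub(re.escape(var), lambda m: val, data, flags=re.IGNORECASE)
    return data


def split_command(command):
    """Return (executable, arguments), resolving an unquoted path with spaces the way
    CreateProcess does: try ever-longer prefixes until one names an .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    parts = command.split(" ")
    for i in range(1, len(parts) + 1):
        head = " ".join(parts[:i])
        if head.lower().endswith(".exe"):
            return head, " ".join(parts[i:]).strip()
    return parts[0], " ".join(parts[1:]).strip()


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def assess(name, command):
    """Score one autostart entry; reasons explain every point so an analyst can review."""
    f = Finding(name, command)
    exe, args = split_command(command)
    base = basename(exe)
    if in_user_writable(exe):
        f.score += 1
        f.reasons.append("executable under a user-writable directory")
    if base in SYSTEM_NAMES and "\\windows\\" not in exe.lower():
        f.score += 2
        f.reasons.append(f"{base} outside the Windows directory (name impersonation)")
    if base in PROXY_HOSTS and in_user_writable(args):
        f.score += 2
        f.reasons.append(f"{base} loading a payload from a user-writable path")
    return f


def triage(reg_query_output, threshold=2):
    """Parse `reg query` text and return the entries scoring at or above the threshold."""
    findings = []
    for line in reg_query_output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, kind, data = m.groups()
        if kind == "REG_EXPAND_SZ":
            data = expand(data)
        findings.append(assess(name, data))
    return [f for f in findings if f.score >= threshold]


if __name__ == "__main__":
    for f in triage(SAMPLE_REG_QUERY):
        print(f"{f.name}: score {f.score} -> {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the constructed sample the `Updater` and `ctfmon` entries are reported while the real OneDrive entry, which also lives under `AppData`, stays below the threshold: the user-writable path is only a supporting signal, which is why the score is built from several independent reasons rather than any single one.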
(Embedded video, not reproduced here: an apparent demonstration of the Kronos graphical user interface.)
AlphaBay was an online “darknet” market that operated as a Tor hidden service. Officially launched in 2014, it was shut down in July 2017 as part of Operation Bayonet, a law-enforcement action announced the month before Hutchins' arrest.
- Had 14,000 users in the first 90 days it was open
- Was in the top tier of markets on the darknet
- Described in October 2015 as the largest darknet market by Dan Palumbo, research director at the Digital Citizens Alliance
- Had over 400,000 users when it was shuttered in July 2017
- Accepted payment in both Bitcoin and Monero
In July 2014, Hutchins posted a tweet asking for a sample of Kronos.
Anyone got a kronos sample?
— MalwareTech (@MalwareTechBlog) July 13, 2014
Hutchins was employed by Kryptos Logic, a U.S.-based threat intelligence company, in 2015, but after a U.K. tabloid identified him as the researcher who stopped WannaCry, his parents said they had not known he had a job.
Hutchins may have been asking for a sample in order to study how the malware worked, Grasswire's in-house experts said. “You can’t defend if you don’t know how the malware works,” systems engineer Stephen Repetski said.
Systems administrator Justin Gann added:
“That lets them dissect methods of transfer, what it’s doing, how it’s mutating, what code it is injecting … I think sometimes people ask for bits of code to look at specific pieces, rather than dumping out the proverbial puzzle pieces on the digital table, as it were.”
The U.S. Department of Justice, however, alleges criminal intent: