In an astonishing turn of events, the man who stopped the spread of the WannaCry ransomware earlier this year has been arrested and charged with creating a banking malware known as Kronos.
Marcus Hutchins, also known as MalwareTech, was held in Nevada, just as he was getting ready to head home from the Las Vegas-based hacker conferences Black Hat and Def Con. News of his apprehension came first via Motherboard.
The 23-year-old was hailed as a hero for registering a web domain the ransomware creators planned to use, which turned out to be a killswitch, preventing the NSA cyberweapon-powered malware from spreading further. His most recent tweets, from 24 hours ago, indicated he was getting ready to board a flight.
But now his reputation is under threat as he was charged as one of two people responsible for running the Kronos malware. The software first emerged in 2014, attempting to pilfer individuals’ banking logins, and sold on Russian criminal markets for as much as $7,000, according to IBM research. It was later altered to infect point-of-sale systems too.
According to the short indictment released today, Hutchins was responsible for updating and spreading the malware alongside an unnamed co-conspirator. Intriguingly, prosecutors alleged the unnamed party sold the tool on AlphaBay, a dark market that law enforcement recently took over and shut down.
Hutchins, whose day job is researching malware, tweeted in July 2014 asking for a sample of Kronos.
He is, as the Department of Justice noted in its press release, innocent until proven guilty.
According to that release, the government saw the Kelihos botnet spread Kronos. Kelihos is another piece of malware that Hutchins has previously researched and published on, as recently as April this year.