So yesterday afternoon, Twitter exploded as word spread that Marcus Hutchins, aka @MalwareTechBlog, had been arrested as he attempted to board a flight back to the U.K. Hutchins, who became an “accidental hero” in stopping the spread of WannaCry, was accused of creating and conspiring with another unnamed defendant in the matter of the Kronos banking trojan.
Later yesterday, the DOJ released this press release:
Gregory J. Haanstad, United States Attorney for the Eastern District of Wisconsin, announced that on July 11, 2017, following a two-year long investigation, a federal grand jury returned a six-count indictment against Marcus Hutchins, also known as “Malwaretech,” for his role in creating and distributing the Kronos banking Trojan. Hutchins, a citizen and resident of the United Kingdom, was arrested in the United States on August 2, 2017, in Las Vegas, Nevada.
In the indictment, Hutchins was charged with one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavoring to intercept electronic communications, and one count of attempting to access a computer without authorization. The alleged conduct for which Hutchins was arrested occurred between in or around July 2014 and July 2015.
Publically available information for the Kronos banking Trojan indicates that it was first made available through certain internet forums in early 2014, and marketed and distributed through AlphaBay, a hidden service on the Tor network. On July 20, 2017, the Department of Justice announced that the Alphabay marketplace was shuttered through an international law enforcement effort led by the United States. See www.justice.gov/opa/pr/alphabay-largest-online-dark-market-shut-down
According to the indictment, the Kronos banking Trojan was designed to harvest and transfer the username and password associated with banking websites as they are entered on an infected computer to a control panel hosted on another computer inaccessible to the victim. According to publically available information, since it was created, Kronos has been configured to exfiltrate user credentials associated with banking systems located in Canada, Germany, Poland, France, and the United Kingdom, among others countries.
Kronos presents an ongoing threat to privacy and security, as the Kelihos botnet was observed loading Kronos on computers through email phishing campaign in late 2016. On April 10, 2017, the Department of Justice announced its efforts to dismantle the Kelihos botnet.
See www.justice.gov/opa/pr/russian-national-indicted-multiple-offenses-connection-kelihos-botnet and www.justice.gov/opa/press-release/file/956506/download
“Cybercrime remains a top priority for the FBI,” said Special Agent in Charge (SAC) Justin Tolomeo. “Cybercriminals cost our economy billions in loses each year. The FBI will continue to work with our partners, both domestic and international, to bring offenders to justice.”
This case was investigated by the Federal Bureau of Investigation Cyber Crime Task in Milwaukee. The case is being prosecuted by Assistant United States Attorneys Michael J. Chmelar and Benjamin W. Proctor.
The public is reminded that an indictment contains only charges and is not evidence of guilt. The defendant is presumed innocent and is entitled to a fair trial at which the government has the burden of proving guilt beyond a reasonable doubt.
Law professor Orin Kerr took a closer look at the charges in the indictment and offered some preliminary thoughts on the government’s case.