The Arrest of MalwareTech (Marcus Hutchins)

[EDIT] Donations For MalwareTech's Legal Fees Can Be Made HERE.

I've been putting off this post for a while, for various reasons. Immediately after I saw MalwareTech had been arrested and held without contact with the outside world, even an attorney, I was immediately infuriated. As I read the small bits and pieces that were coming out soon after news of his arrest broke, that anger grew. I couldn't believe that the Federal Government was alienating the White Hat security community this way: arresting someone who gave so much of his time fighting malware and protecting the rest of us, and doing so in the sketchiest way possible.

Since then, I've had my ups and downs. A lot of my feelings have been disbelief, confusion, and still a lot of anger. I've calmed down enough to pen a more well-written article, and enough information has come out to at least offer platforms for speculation (and indignation).

All I will say further on the personal vein is that the way this was handled by the US Federal Government is immediately suspect. Marcus has devoted the better half of his life to researching and stopping malware, helping worldwide governments and corporations secure their networks, and helping the community learn more about current threats. The idea he would give up those morals, along with his seemingly significant salary, to build a banking trojan to steal and ruin lives... there's not much logic there.

MalwareTech: A Brief, Outsider's History

Piecing together the answers from MalwareTech's Ask Me Anything (AMA) post on Reddit, Marcus lived a pretty normal life. Before his takedown of the WannaCry ransomware, he was an anonymous researcher posting on pseudonymous blogs and his Twitter page. Even after UK tabloids ousted his identity, MalwareTech stayed relatively private. He rarely posted selfies on his personal Twitter page and didn't give up much about his personal life.

Regarding his education, Marcus explains he never got a college degree. He didn't hold any professional certificates, and explains that most of his education was self-taught. He began teaching himself computers and security around age 11, and became intensely interested in the inner workings of malware after reading analysis blog posts much like the ones he would one day post.

Yes, the guy who stopped the (thus far) largest ransomware outbreak in history was a man in his early twenties, who, while he's not studying the latest and greatest malware, spends his time eating pizza, surfing, and shitposting on Twitter. 

MalwareTech the Professional

Marcus admits that in the beginning, it was difficult to find a job that would employ an anonymous internet guy. I would assume that he landed his position with his current company largely out of merit: his blog is extremely popular in the InfoSec space, he boasts over a hundred thousand Twitter followers. At that point, you look past the lack of certs, college degrees, or legal identities. Now, he works for Kryptos Logic, an LA-based cyber security firm that seemingly has him on a pretty comfortable salary for someone who is rumored to have written a banking malware.

His blog is very popular, and he has worked with several well-known information security professionals, including Jake Williams, Malware Unicorn (Amanda Rousseau), and SwiftOnSecurity. His work has covered all of the big names and most of the small ones, including the infamous WannaCry takedown, NotPetya, Petya, Kelihos, and Mirai, just to name a few. These posts are generally technical but short, and offer a valuable look into the processes that go into reverse engineering malware.

MalwareTech the Hero

WannaCry infected an estimated 300,000 devices worldwide, with some saying that is a conservative estimate. It was a not-so-advanced ransomware that used an exploit supposedly stolen from the National Security Agency by @theshadowbrokers . This exploit lead the ransomware to infect systems all over the world, crippling hospitals and big businesses alike. 

MalwareTech, the eventual hero of the story, was on vacation at the time of the outbreak. On Reddit he says he was three days into a week of vacationing, likely eating pizza and surfing, when news hit about the outbreak. He quickly got back to work in his bedroom office and found a killswitch that was left in the code in the form of an unregistered domain. When he registered the domain, he admitted he had no idea it would halt the spreading of the virus indefinitely, effectively killing the virus, but said that registering domains was common practice in his investigations.

The ransomware stopped spreading, and the fame brought to MalwareTech's pseudonym lead the tabloids straight to his door only three days after flipping the killswitch. He hated the fame, constant press attention, and his sudden lack of anonymous identity online, but eventually life got back to normal. He continued studying malware, researching the NotPetya outbreak.

MalwareTech the Controversy

Shortly after the end of Defcon, an annual information security conference in Las Vegas, Nevada, rumors began to spread that MalwareTech had been arrested. He only shortly before had been tweeting pictures of drinks, going shooting at a tourist gun range, and fancy rental cars, but Jake Williams noticed he had gone silent on social media for a while. 

Eventually, MalwareTech was found. He had been denied a lawyer for 48 hours, and nobody had been told that he was arrested. Evidently, the arrest occurred in the airport on his way back to the UK, making the whole ordeal seem more like a kidnapping then an arrest.

Furthering the oddities in the case, it was revealed the indictment cited transgressions from 2014 and 2015, indicating that the indictment had been sealed until this month, two years after the alleged transgressions occurred. The indictment alleges that Marcus was the creator and codistributor, along with a redacted second person who likely sold out Hutchins, of the Kronos banking malware. Multiple questions arise with these facts, such as why weren't UK intelligence authorities given charge of this case? Why was Hutchins not arrested in his home town for the past two years? 

Hutchins is now being held on a $30,000 dollar bail. His attorney says the bail will be paid on Monday the 7th. When he makes bail, he is to have no contact with the mystery defendant that 'ratted him out', and he is to have no internet access at all. With all of the charges against him, Marcus faces a maximum sentence of 40 years in federal prison.

MalwareTech the Legal Discussion

I'm going to keep this portion short, as I believe the Washington Post article posted a few days ago explained the legal intricacies behind the case far better than I could. Essentially, there are several semantic issues with the prosecutions allegations. The issue of creation and distribution of malware is an extremely gray area in the legal realm. The core of the argument seems to be intent, in that the prosecution will have to show that Marcus did in fact write the Kronos banking trojan, and he did so with clear intent to cause damage to computer systems. Even then, semantic issues in the current legal code in question are still a huge blockade to the prosecution. While the heavy handed prosecutors of the US Government usually have the advantage, with the currently supplied evidence, it seems like their case is shakey at best.

I wish only the best for Marcus. I could write an entire post about how damaging this arrest and case is to the relationship between White Hat security researchers and the government. I will be following the case closely, and will update my blog with any news regarding the case.

----------------------

Like the post? I run this threat intelligence blog on   Steemit     and offer the content free of charge. If you're a Steemit  user,  you     know that upvoting, which you do for free, magically puts  a couple cents in my pocket. Maybe I'll buy a pack of gum with  last week's      earnings, but it all depends on your help. Not a  Steemit user? My biggest metric of success is my viewership. If I  don't make a cent   but    my content reaches a wide audience, that  means my product is   valuable    and my efforts are worthwhile.  Therefore, give me a share on your social media of choice, follow me on Steemit for more threat intel posts, and follow me on Twitter to see stupid memes and get updates when I post.