Information security experts are expressing surprise and dismay at yesterday's FBI arrest of Marcus Hutchins, aka "MalwareTech," the young U.K. researcher whose actions in May found the kill switch to the WannaCry ransomware attack that crippled tens of thousands of computer systems across the U.K., Russia, Ukraine, and many other countries.
Hutchins and an unnamed co-defendant were charged in connection with the creation and distribution of Kronos, malware that first appeared in 2014 and targets banking Web sites. Hutchins was arrested yesterday in Las Vegas as he was preparing to return home after attending the Defcon and Black Hat security conferences.
The U.S. Department of Justice filed its indictment against Hutchins and the other defendant on July 12. A week later, the agency shut down and seized AlphaBay, a dark Web marketplace on which Kronos had been offered for sale.
On the same day Hutchins was arrested, the hacker or hackers responsible for the WannaCry attack also apparently moved their Bitcoin ransom payments to other accounts, records show. According to the latest information posted by sources on Twitter, Hutchins is currently being held in custody at the FBI field office in Las Vegas.
'Pushing the Envelope'
The grand jury indictment against Hutchins and the other defendant charges the two with conspiracy to commit computer fraud and abuse, endeavoring to intercept electronic communications, attempting to access a computer without authorization, and three counts of distributing and advertising an electronic communication interception device.
According to the indictment, between July 2014 and July 2015, Hutchins and the other defendant "knowingly conspired and agreed with each other to commit an offense against the United States, namely, to knowingly cause the transmission of a program, information, code, and command and as a result of such conduct, intentionally cause damage without authorization, to 10 or more protected computers during a 1-year period in violation of Title 18, United States Code, Sections 1030(a)(5)(A), (c)(4)(B)(i) and (c)(4)(A)(i)(VI)."
Those charges are "fairly aggressive" and raise "significant legal challenges," according to Orin Kerr, a George Washington University Law School professor whose op-ed analysis of the Justice Department charges was published yesterday in The Washington Post. For example, he said the charges appear to treat the selling of malware as equivalent to the use of malware, and also treat software, in this case the Kronos trojan, as a "device."
"[W]hile we can't say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case," Kerr said. He also noted that the three counts of distributing and advertising an "interception device" fall under a rarely used wiretapping law.
"Notably, the crime here isn't making, selling or advertising malware generally," Kerr said. "Rather, it's making, selling or advertising 'any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications.' In other words, the problem is that the malware was designed so that its primary use was to engage in surreptitious wiretapping."
'A Very Delicate Situation'
Since word first came out about Hutchins' arrest, information security experts have been discussing the possible implications on Twitter. A number of them have expressed concern about the possible impact the Justice Department's actions could have on future cooperation between cybersecurity researchers and law enforcement authorities.
"To any federal contacts I have that follow me, understand that the arrest of @MalwareTechBlog could severely impact trust in sharing intel," malware researcher Daniel Gallagher tweeted yesterday. "Now I know there could be unknown circumstances, but this is a very delicate situation. This could change the entire research community."
In a tweet yesterday, Eva Galperin, director of cybersecurity for the Electronic Frontier Foundation, a digital civil rights organization, said that the EFF was trying to contact Hutchins following his arrest. "This is the sort of thing that concerns us a lot," she said.
Another security researcher, Jake Williams, said on Twitter that he had worked with Hutchins "on a project in 2014 he refused payment for. This is incongruous with a blackhat writing code for money at the same time."
On his blog today, U.K.-based security researcher Graham Cluley noted there will be significant fallout whatever the outcome of the Justice Department's case.
"What I can say is that if Hutchins is innocent, there will undoubtedly be many questions asked as to how the FBI could have got things so wrong, and the risk that damage will be done to the relationship between the computer security community and law enforcement," Cluley said. "If, on the other hand, Hutchins is found to be guilty... Well... it'll be one of the largest falls from hero to zero that the cybersecurity industry has ever seen. And we'll all question what on earth he was thinking when he got on that plane to the United States."