Regarding Marcus Hutchins aka MalwareTech

Brief background

For the last few weeks Marcus Hutchins has been in Las Vegas attending a security conference, and on holiday. On Wednesday he was arrested on the flight home due to an indictment made in the US state of Wisconsin back in early July. He has now been granted bail for Monday, assuming bond is posted.

The allegations are around him allegedly selling malicious software for $2,000 in digital currency in June 2015. The case seems to stem from the takedown of a website called AlphaBay, where a large number of new cases are now entering the US justice system.

Who Marcus is

Marcus is a leading voice in the UK cybersecurity scene, and indeed worked with the UK Government’s National Cyber Security Centre on stopping WannaCry and analysing other malicious software:

The NCSC website includes Marcus’ work

He is an incredibly valuable asset to the UK. He isn’t just a voice — his work has been invaluable to the UK for some time. He lives and breathes cyber security, almost 24/7, protecting people.

For the past few years there has not been a day gone by where I haven’t used or heard his research in my day to day cybersecurity work. This is going to create a huge hole for everybody, in particular the UK.

On a personal level, Marcus is a good person who does not deserve how this has been handled by authorities.

What happened in the last few days

He was not arrested on the way into the US for whatever reason.

The indictment was a complete surprise to everybody, not least Marcus.

When he was arrested, he simply disappeared. He did not exit the plane at the other end in the UK to meet his mother. No information was provided as to what was happening. When his arrest had been established, he was moved location 10 minutes before visiting was allowed.

He did not have a lawyer for the first 48 hours. During this time he was in the custody of the FBI.

He has still not been allowed to talk to his parents.

Members of the press have asked why they cannot reach him for comment. He has no internet access or outside communication.

As part of his bail conditions next week, he cannot use the internet.

He is not allowed to communicate with the co-defendant named in the case. That name is blacked out on the indictment. Neither Marcus’ lawyer nor Marcus knows who the co-defendant is.

To quote his lawyer: “He’s pled not guilty. He is standing by that and he fights the charges and we intend to fight the case in Wisconsin.” His lawyer — funded by somebody in the UK cybersecurity scene — addresses reporter questions here.

Kronos

When the indictment was first released, I had to Google “Kronos” to establish what it even was — I haven’t seen it in my 17 years in cyber security.

The first public post I can see for it is on 10th June 2014 in Russian:

Per a Forbes reporter: “…it was largely a failure amongst serious cybercriminals”.

MalwareTech’s business and job is around finding, reversing and analysing malicious software (malware) and finding the techniques used. This includes monitoring “dark web” websites, where covert identities are used to gain access — as is common across the security industry.

His data around botnets is sold to organisations, including Law Enforcement, around the world.

Sometimes, his research is misused:

Help Marcus

To help get to the truth, I strongly encourage:

His MP needs to support Marcus (and is doing so).

The Foreign Office needs to provide excellent consular assistance.

His parents both need support.

The NCSC and UK Government need to take responsibility here, and use every possible means of making sure the case is responsibly handled within the US.

A crowdfunding campaign for legal fees is now live, with funds handled by a trusted party. The US donation address is: https://secure.lawpay.com/pages/torekeland/hutchinsldf — the website outside the US is https://secure.lawpay.com/pages/torekeland/hutchins-internationalldf — the Bitcoin address is 1AoiAwTQbUvHNQQ55gCXAw3SLqRVs6ZtW1

In summary

I have been in a state of shock since I found out about the arrest. The allegations are essentially over $2,000 in digital currency, and could potentially incur up to 40 years in jail in the US. If MalwareTech is to be tried, he should be tried in his home, the UK. Every effort needs to be made to ensure this case is properly investigated.

On a personal note, I am withdrawing from dealing with the NCSC and sharing all threat intelligence data and new techniques until this situation is resolved. This includes through the Cyber Security Information Sharing Partnership. Many of us in the cyber security community openly and privately share information about new methods of attack to ensure security for all, and I do not wish to place myself in danger.

Edit: Corrected the date of exploit.in forum post on Kronos to be June 10th.

Edit 06/08/2017: Corrected exploit.in link.