Just three short months ago, security researcher Marcus Hutchins entered the pantheon of hacker heroes for stopping the WannaCry ransomware attack that ripped through the internet and paralyzed hundreds of thousands of computers. Now he's been arrested and charged with involvement in another mass hacking scheme—this time on the wrong side.

Yesterday authorities detained 22-year-old Hutchins after the Defcon hacker conference in Las Vegas as he attempted to fly home to the UK, where he works as a researcher for the security firm Kryptos Logic. Upon his arrest, the Department of Justice unsealed an indictment against Hutchins, charging that he created the Kronos banking trojan, a widespread piece of malware used to steal banking credentials for fraud. He's accused of intentionally creating that banking malware for criminal use, as well as being part of a conspiracy to sell it for $3,000 between 2014 and 2015 on cybercrime market sites such as the now-defunct AlphaBay dark web market.

But the short, eight-page indictment against Hutchins, a rising star in the hacker world, has already raised questions and skepticism in both legal and cybersecurity circles. Orin Kerr, a law professor at George Washington University who has written extensively about cybersecurity and hacking cases, says that based on the indictment alone, the charges look like "a stretch." Although the indictment claims Hutchins wrote the Kronos malware, nothing in the document illustrates that Hutchins possessed actual intent for the malware he allegedly created to be used in the criminal "conspiracy" he's accused of.

"It’s not a crime to create malware. It’s not a crime to sell malware. It’s a crime to sell malware with the intent to further someone else’s crime." Kerr says. "This story alone doesn’t really fit. There's got to be more to it, or it’s going to run into legal problems."

The news of Hutchins' arrest also shocked Defcon attendees and the wider cybersecurity community, in which Hutchins is a widely admired figure for his technical knowledge and his key actions to neuter the WannaCry epidemic in May. As Hutchins analyzed that catastrophic ransomware worm within its first hours of spreading, he noticed that it was connected to a nonexistent web domain, perhaps as a kind of test of whether it was running in a software simulation. Hutchins, who at the time was more widely known by his pseudonym MalwareTech or MalwareTechBlog, registered that domain and was surprised to find that it immediately caused WannaCry to stop spreading.

That quick work earned him immediate celebrity but also led some members of the media to track down his real name, though it's unclear whether that exposure helped law enforcement connect him to Kronos. Indications of his Kronos involvement could also have come in last month's FBI and Europol seizure of AlphaBay servers.

Hutchins isn't the only member of the malware "conspiracy" named in the indictment against him. It accuses another person, whose name is redacted from the document, of doing what seems to be the majority of the legwork to distribute Kronos, including listing the malware for sale on criminal forums, creating a video advertisement that showed how it worked, and offering so-called "crypting" services meant to hide the malware from detection. The indictment also accuses Hutchins of helping update the malware in February 2015, at least six months after it first went on sale—the only hint that he may have worked on it after it was being actively used for criminal actions.

Kronos gained attention in the security community in the summer of 2014, in part for its moderately hefty price tag: One Russian forum set the price tag at $7,000. IBM's security researchers at the time posted a translation of the Russian-language advertisement for the malware on a cybercriminal market, which promised that the code was "equipped with the tools to give you successful banking actions." Kronos was designed to not only function as a keylogger, collecting users' credentials from web banking interfaces, but also to alter banks' web pages in any major browser to add fields for additional information, like PIN codes, it would then transmit to a remote server. And it promised it would bypass any of the "sandbox" protections designed to isolate apps from interference and even protect the data it collected from being hijacked by other trojans on the same machine.