
Researcher Who Stopped WannaCry Ransomware Detained in US After Def Con - Shinkirou
https://motherboard.vice.com/en_us/article/ywp8k5/researcher-who-stopped-wannacry-ransomware-detained-in-us-after-def-con
======
dang
Since
[https://news.ycombinator.com/item?id=14922563](https://news.ycombinator.com/item?id=14922563)
adds significant new information (or at least I assume it does), the
discussion can shift there now.

~~~
pyman
I'm more than happy to discuss this issue here.

In my opinion, Marcus Hutchins will spend the next 10 years of his life
working for the NSA and reverse engineering malware built by the Chinese.
Unless MI5 has other plans.

------
maxerickson
CNN got the indictment:

_On Wednesday, 22-year-old Marcus Hutchins -- also known as MalwareTech --
was arrested in Las Vegas for "his role in creating and distributing the
Kronos banking Trojan," according to a spokesperson from the U.S. Department
of Justice._

_The charges relate to alleged conduct occurring between July 2014 and July
2015._

_According to an indictment provided to CNN Tech, Hutchins created the malware
and shared it online._

[http://money.cnn.com/2017/08/03/technology/culture/malwarete...](http://money.cnn.com/2017/08/03/technology/culture/malwaretech-arrested-las-vegas-trojan/index.html)

------
jstanley
> "I've spoken to the US Marshals again and they say they have no record of
> Marcus being in the system. At this point we've been trying to get in
> contact with Marcus for 18 hours and nobody knows where he's been taken,"
> the person added. "We still don't know why Marcus has been arrested and now
> we have no idea where in the US he's been taken to and we're extremely
> concerned for his welfare."

What the hell? How does something like this even happen? Surely they can't
just take somebody away and keep it a secret?

~~~
strictnein
He's at the FBI field office in Las Vegas:

[https://twitter.com/MabbsSec/status/893166585736724481](https://twitter.com/MabbsSec/status/893166585736724481)

~~~
strictnein
Indicted:

"Hutchins, who is indicted with another un-named co-defendant, stands accused
of six counts of hacking-related crimes as a result of his alleged involvement
with Kronos. “Defendent Marcus Hutchins created the Kronos malware,”"

[https://www.theguardian.com/technology/2017/aug/03/researche...](https://www.theguardian.com/technology/2017/aug/03/researcher-who-stopped-wannacry-ransomware-detained-in-us)

~~~
strictnein
Just to make this all stranger:

> @MalwareTechBlog
> Anyone got a kronos sample?
> 10:26 AM - 13 Jul 2014

[https://twitter.com/MalwareTechBlog/status/48837379416825446...](https://twitter.com/MalwareTechBlog/status/488373794168254464)

edit:

Weird, read the Indictment. This day is specifically called out (although not
this post).

edit #2:

The video mentioned in the indictment:
[https://www.youtube.com/watch?v=IZPzMzK78tc&feature=youtu.be](https://www.youtube.com/watch?v=IZPzMzK78tc&feature=youtu.be)

~~~
sp332
The video has been removed, here's one that seems to be the same though.
[https://www.youtube.com/watch?v=lgjklWxiCzY](https://www.youtube.com/watch?v=lgjklWxiCzY)

------
downandout
FYI, if you've committed any form of cybercrime in the previous 3 years (edit:
the statute of limitations is 5 years for most federal computer crimes, as
pointed out below), you should avoid such conferences in the US for exactly
this reason. You probably aren't as smart as you think, and there may be a
sealed arrest warrant for you.

The FBI waits for these kinds of conferences to do exactly what they did here.
Another Las Vegas DEF CON victim was Dmitry Sklyarov [1]. They won't bother
with all of the problems associated with international arrest warrants and
extradition if they know you're coming to them.

[1]
[https://en.wikipedia.org/wiki/United_States_v._Elcom_Ltd](https://en.wikipedia.org/wiki/United_States_v._Elcom_Ltd).

~~~
switch007
This is really flippant, but you could just generalise to "avoid the US."

~~~
tannhauser23
Or you could not make and sell malware, no matter where you are in the world.

~~~
switch007
Has he been convicted?

~~~
willstrafach
Not at all. These are allegations. The indictment itself states this clearly.

------
mnm1
No good deed goes unpunished. But why is DefCon still in the US? I think the
creators of the conference might want to seriously think about holding it
somewhere that isn't so hostile to pretty much everyone who attends.

~~~
893helios
You mean like Defcon Beijing?

~~~
mankash666
No. Defcon Toronto

~~~
rapind
At least then we don't have to worry about the FBI... just Bell and Rogers.

[https://news.ycombinator.com/item?id=14911330](https://news.ycombinator.com/item?id=14911330)

~~~
jdright
This is surreal, no other words. Like NK.

------
samwillis
The Guardian has more:

[https://www.theguardian.com/technology/2017/aug/03/researche...](https://www.theguardian.com/technology/2017/aug/03/researcher-who-stopped-wannacry-ransomware-detained-in-us)

He may have a shady past:

> According to an indictment released by the US Department of Justice, Hutchins
> is accused of having helped to spread and maintain the banking trojan Kronos
> between 2014 and 2015

~~~
tptacek
Since he's only been in custody for less than 24 hours, and CNN already has
the indictment, presumably the DOJ had his case before a grand jury awhile
ago. Which implies that they did not do this on a whim.

Since CNN has the indictment, we'll all have it soon enough, and we'll get a
look at the basis for the DOJ's claims.

~~~
duskwuff
Date on the indictment says July 12th. So this has been cooking for a while.

------
QUFB
This sends a clear message to the global whitehat security community: travel
to the US at your own peril.

~~~
strictnein
Or, maybe, there's a legit good or bad reason that he is unreachable? But
let's just jump to the conclusion that he was blackbagged and in a CIA black
site.

~~~
abiox
what is a "legit bad reason"

~~~
strictnein
He broke a law?

~~~
rovr138
Arrest warrant?

~~~
strictnein
Yeah, sure, I've got it right here... oh wait, I'm just a random commenter on
a forum.

------
mholt
Bitcoin wallets associated with WannaCry have been emptied:
[https://arstechnica.com/gadgets/2017/08/wannacry-operator-em...](https://arstechnica.com/gadgets/2017/08/wannacry-operator-empties-bitcoin-wallets-connected-to-ransomware/)

~~~
adad95
Strange coincidence

------
holtalanm
I'm curious what charges are being brought against him. For all we know, this
detention is completely unrelated to WannaCry. We shall see.

~~~
gist
> For all we know, this detention is completely unrelated to WannaCry.

No, everyone has already determined 'wow he did a good deed' and 'US law
enforcement bad'.

The fact is he is linked to this event and a person of interest who they want
to get more info from. As such it makes total sense they would detain him for
some questioning, searches and so on.

If you are someone who stops a crime you will also get questioned by the
police. For all they know you are covering your own tracks and had a role in
the crime. This is almost a cliche in movies and tv.

~~~
bitJericho
Everyone's determined 'us law enforcement bad' because it doesn't matter what
crime he may or may not have committed. He was arrested in the US, which means
he may be tortured or murdered, and if he's sentenced he almost certainly will
be tortured through means such as prisoner assaults, permanent solitary
confinement or abuse, or god knows what else. And heaven forbid he's sent to a
military prison. He will never come out again.

~~~
true_religion
If you believe the USA is so terrible then push for sanctions against them.
It's better than wringing your hands any time one of our longtime allies decides
to arrest an alleged criminal.

------
sajal83
UK's National Cyber Security Centre on MalwareTech's arrest: "We are aware of
the situation. This is a law enforcement matter and it would be inappropriate
to comment further."

[https://twitter.com/josephfcox/status/893160214664445952](https://twitter.com/josephfcox/status/893160214664445952)

~~~
QUFB
Would the UK National Cyber Security Center respond differently if he were
detained by law enforcement in Iran?

~~~
tankenmate
They'd probably refer you to the Foreign Office in that case.

------
cromwellian
Reading the indictment, it seems like his partner ratted him out. Curious
though, the indictment seems to list the redacted partner as doing most of the
incriminating things (posting a video demonstration, advertising the sale on
AlphaBay, etc), it merely accused Marcus as being the author and co-
conspirator.

I wonder if his partner/friend got caught, and plea bargained to turn state's
evidence against Marcus.

~~~
Bartweiss
> I wonder if his partner/friend got caught, and plea bargained to turn
> state's evidence against Marcus.

I always wonder a bit about how often these things end up like Rubin Carter,
with the guilty party turning state's evidence against someone less guilty or
entirely innocent. I mean... one presumes there's more evidence generated by
being more involved with the crime, as in this case. If you catch whoever is
most identifiable and turn them, there ought to be a lot of cases where you're
starting with the worst player and cutting them a deal.

~~~
ktta
I would love to have a game theorist break this down in an understandable way.

------
openmosix
Indictment: [https://www.documentcloud.org/documents/3912524-Kronos-Indic...](https://www.documentcloud.org/documents/3912524-Kronos-Indictment-R.html)

~~~
c-slice
So there's another individual who was involved as well. I wonder if they've
been detained as well.

------
djvdorp
Maybe this is the reason he did not appreciate people revealing his identity
online (basically doxing him for fun; some journalist did it if I recall
correctly). It really sucks when somebody who is trying to do well (stopping
the WannaCry ransomware as he did) is detained. Even though we don't know more
details at this point, this hits him rather personally and probably not for
the good. I am very sorry for him and I hope he gets out soon and that all is
well.

------
jessaustin
They're surprisingly clever, to arrest after DefCon. Typical stupid USA LEOs
would arrest ASAP, so the unjust detention could be a cause célèbre hyped up
by half the talks.

~~~
21
Or maybe they wanted to see what he presents, who he meets there. Could be
useful for prosecution.

------
danesparza
This reminds me of Kevin Mitnick:
[https://en.wikipedia.org/wiki/Kevin_Mitnick#Arrest.2C_convic...](https://en.wikipedia.org/wiki/Kevin_Mitnick#Arrest.2C_conviction.2C_and_incarceration)

Do we need to create some "Free Marcus" bumper stickers?

~~~
dsl
Mitnick was actually a criminal. He was living off stolen credit cards.

~~~
BenjiWiebe
Do you have a reference?

~~~
dijit
I mean, he wrote a book about it. About how he used the identities of
children who died while living across state lines because no record of death
goes back to the originating state.

And how he used those identities and stole credit cards to survive being
chased by the FBI.

------
rocky1138
Why in heaven's name did he travel to the US?

~~~
sovietmudkipz
There is an annual security focused convention going on this week called
"Defcon" that many security focused engineers typically attend. Since wannacry
was a big thing that happened between this year's con and last year's con, and
because Hutchins is a security researcher, I'm sure he was invited to attend
if not give a talk.

~~~
hota_mazi
That doesn't answer OP's question.

Why travel to the US if just three years ago, he broke multiple US cyber laws?

Answer: because he's not as smart as he thought.

------
c-slice
The bitcoin ransom wallets for WannaCry were just emptied today as well. What
was the time difference between these two events? It seems possible that
Hutchins could have had control of the wallets and fed seized the coins.

------
cjsuk
I'd like to know on what grounds?

~~~
LyndsySimon
Same here. I reserve judgement until there's more information on the reason
for his arrest.

~~~
cjsuk
Exactly. This may be entirely unrelated to wannacry.

------
abhi3
Why are people in this thread so outraged without knowing any of the facts?
For all we know there might be a legitimate charge on which he was arrested.

As per him being untraceable, if he was not read his rights then the FBI just
jeopardized their own case. If no one knows where he is, it's more likely that
it's what Marcus wants at the moment rather than what the FBI wants.

~~~
awesomepantsm
> If no one knows where he is, it's more likely that it's what Marcus wants at
> the moment rather than what the FBI wants.

Oh come on...

~~~
abhi3
He could call his attorney and have him release a statement, right? Are you saying
he is being denied access to a lawyer? Because that's a very serious charge
and it would be very silly of the FBI. IDK, if I were arrested I would pray that
the police abuse their power and deny me access to an attorney.

~~~
QUFB
> He could call his attorney have him release a statement right?

How many people traveling to the US from the UK, just to attend a conference,
have an attorney they can call in the US?

~~~
21
What about your free public defender? Can't you tell him to make a statement
or to contact someone?

~~~
dragonwriter
You have to be assigned a free public defender by court, requiring a hearing,
before you have one to call. That makes it impractical to use one when you are
detained without being brought before a magistrate, even if you have the
opportunity to make a phone call.

------
mzs
better summary: [http://www.reuters.com/article/us-usa-cyber-arrest-idUSKBN1A...](http://www.reuters.com/article/us-usa-cyber-arrest-idUSKBN1AJ2IC)

insightful thread also delving into wannacry:
[https://twitter.com/3L3V3NTH/status/893181445824446464](https://twitter.com/3L3V3NTH/status/893181445824446464)

edit: there is a nice HN discussion already about the bitcoin:
[https://news.ycombinator.com/item?id=14918545](https://news.ycombinator.com/item?id=14918545)

------
moomin
Maybe he violated WannaCry's terms of service. The DoJ are pretty down on that
kind of thing.

~~~
occultist_throw
Indeed. If he didn't get permission to stop WannaCry, then he violated the CFAA.

No, a "crime" is not good justification of a different crime.

I wish I was making this stuff up, but thank overly-broad '80s laws regarding
"access", "permission", and that sort of language which weaponizes EULAs.

~~~
noir_lord
UK is no better.

[http://www.legislation.gov.uk/ukpga/1990/18](http://www.legislation.gov.uk/ukpga/1990/18)

That thing is 27 years old.

Massively overbroad.

> Section 37 (Making, supplying or obtaining articles for use in computer
> misuse offences) inserts a new section 3A into the 1990 Act and has drawn
> considerable criticism from IT professionals, as many of their tools can be
> used by criminals in addition to their legitimate purposes, and thus fall
> under section 3A.

Basically supplying a disassembler to someone who then uses it for a crime is
itself possibly covered for example.

It's the possibly that's the problem, when you can't tell if an offence has
actually been committed you leave it open for abuse.

------
cnkk
yeaaah let us arrest the good guys...

~~~
suyash
In the eyes of the court, there is no good or bad, only law if followed based
on evidence.

~~~
tanderson92
In fact the court is concerned with justice, which absolutely depends on good
and bad as opposed to the strictures of the law.

------
elorm
As much as this article contains very little information, this sounds very much
like something the US will do.

Whenever someone has to be the butt of some global joke... somehow the US
has to be the one to step up. Taking someone into custody for 18 hours without
giving the family or press any information. How different is this from Iran or
North Korea?

Two things could've happened here IMO. They asked for the domain to be turned
over to them and were politely refused, or they're about to punish an
accidental hero for white hat work/previous black hat work not related to
WannaCry.

~~~
abhi3
In Iran and NK detention without rights is an institutionalized practice. In
US if you deny them a phone call immediately, you just threw away your own
case.

~~~
astronautjones
... unless "national security" is cited

------
featherverse
This is some seriously shady shit. The smart bet is we're not getting the
whole story.

"Buy guns, lock your doors." - Bill Hicks

------
BigChiefSmokem
Trump's Dept of Justice is out of control.

------
AndrewKemendo
--

~~~
awesomepantsm
You watch too many movies. FBI doesn't recruit people by kidnapping them.

------
Traytorz
I like how this malware writer/researcher claims he "found" the address and
"miraculously saved" everyone by grabbing the domain.

Not sure why everyone says he isn't the malware writer. What proof do you have
that he didn't write it? Maybe he left a trail that you missed.

~~~
celticninja
He found the address in the source code of the ransomware, any researcher
could have found it. He even said himself that when he found it in the source
code and saw it was unregistered he registered it to see what would happen. As
it turned out it stopped infections from occurring.

Not to say that he isn't the malware writer, but your use of quote marks makes
me think you have no idea about what happened and haven't looked into it, just
made some "wild assumptions".

~~~
Avery3R
Pretty sure it was in disassembled machine code, not source code.

~~~
jtl999
I have taken the liberty to download a sample of WannaCry and I can see the
"killswitch" domain just by running strings on the binary.

    $ strings Downloads/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.bin |grep .com
    __p__commode
    http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
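The post above pulls the killswitch domain out of the WannaCry binary with `strings | grep .com`. As an added example that is not part of the thread or of any poster's code, the Python below reimplements that triage step offline: a minimal `strings` (runs of printable ASCII of a minimum length) followed by a domain-pattern filter. The sample byte blob is constructed here to stand in for a real sample; it embeds the domain quoted in the post and the `__p__commode` CRT symbol, which the post's `grep .com` matched only because `.` is a regex wildcard. The domain regex avoids that false positive. Names (`SAMPLE_BINARY`, `extract_strings`, `find_domains`) are this example's own.

```python
import re

# Constructed stand-in for a malware sample: a few printable runs
# separated by non-printable bytes. Not a real PE; only the embedded
# strings matter for this demonstration.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"            # "MZ" + junk (too short to report)
    b"__p__commode\x00"                             # CRT symbol that 'grep .com' also hits
    b"\x00\x01\x02"
    b"http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\x00"  # domain from the post
    b"\xff\xfe"
    b"short\x00"
    b"GetProcAddress\x00"                           # ordinary import name, no domain
)

# Matches what 'strings' looks for: printable ASCII (0x20-0x7e) runs of min_len or more.
def extract_strings(data, min_len=4):
    """Return every run of at least min_len printable ASCII bytes, decoded."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

# A hostname: one or more labels, a dot, and an alphabetic TLD. An optional
# scheme prefix is consumed but not returned, so URLs and bare hostnames
# are normalised to the same form.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)

def find_domains(strings):
    """Return the sorted, de-duplicated, lower-cased hostnames found in the strings."""
    found = set()
    for s in strings:
        for match in DOMAIN_RE.finditer(s):
            found.add(match.group(1).lower())
    return sorted(found)

if __name__ == "__main__":
    strs = extract_strings(SAMPLE_BINARY)
    print("printable strings:", strs)
    print("candidate domains:", find_domains(strs))
```

On a real sample the same two functions run over `open(path, "rb").read()`; the domain list is what an analyst would then sinkhole or add to DNS monitoring, which is exactly the registration step the thread describes.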

