Researcher Who Stopped WannaCry Ransomware Detained in US After Def Con (vice.com)
567 points by Shinkirou on Aug 3, 2017 | 254 comments



Since https://news.ycombinator.com/item?id=14922563 adds significant new information (or at least I assume it does), the discussion can shift there now.


I'm more than happy to discuss this issue here.

In my opinion, Marcus Hutchins will spend the next 10 years of his life working for the NSA and reverse engineering malware built by the Chinese. Unless MI5 has other plans.


CNN got the indictment:

On Wednesday, 22-year-old Marcus Hutchins -- also known as MalwareTech -- was arrested in Las Vegas for "his role in creating and distributing the Kronos banking Trojan," according to a spokesperson from the U.S. Department of Justice.

The charges relate to alleged conduct occurring between July 2014 and July 2015.

According to an indictment provided to CNN Tech, Hutchins created the malware and shared it online.

http://money.cnn.com/2017/08/03/technology/culture/malwarete...


> "I've spoken to the US Marshals again and they say they have no record of Marcus being in the system. At this point we've been trying to get in contact with Marcus for 18 hours and nobody knows where he's been taken," the person added. "We still don't know why Marcus has been arrested and now we have no idea where in the US he's been taken to and we're extremely concerned for his welfare."

What the hell? How does something like this even happen? Surely they can't just take somebody away and keep it a secret?


He's at the FBI field office in Las Vegas:

https://twitter.com/MabbsSec/status/893166585736724481


Indicted:

"Hutchins, who is indicted with another un-named co-defendant, stands accused of six counts of hacking-related crimes as a result of his alleged involvement with Kronos. “Defendant Marcus Hutchins created the Kronos malware,”"

https://www.theguardian.com/technology/2017/aug/03/researche...


Just to make this all stranger:

   @MalwareTechBlog
   Anyone got a kronos sample?
   10:26 AM - 13 Jul 2014

https://twitter.com/MalwareTechBlog/status/48837379416825446...

edit:

Weird, read the Indictment. This day is specifically called out (although not this post).

edit #2:

The video mentioned in the indictment: https://www.youtube.com/watch?v=IZPzMzK78tc&feature=youtu.be


The video has been removed, here's one that seems to be the same though. https://www.youtube.com/watch?v=lgjklWxiCzY



Given that the name is censored, I think that's probably referring to his supposed co-conspirator whose name is censored throughout the document.


According to people on Twitter, the EFF is getting involved.


Excellent. Glad to hear he hasn't been disappeared.


This is common even in routine police arrests. People can disappear for hours or even days[0][1]. It's hard to believe but well documented. Ask any criminal attorney.

0: https://www.theguardian.com/us-news/2015/feb/24/chicago-poli...

1: My brother's arrest


>What the hell? How does something like this even happen? Surely they can't just take somebody away and keep it a secret?

There's this little thing called the Patriot Act that Bush brought into law after 9/11 that allows the feds to do exactly this.


This. Welcome to the new America.


The next paragraph says it was an FBI arrest.


So where is he? It surely can't be secret, regardless of who arrested him?


He's in the FBI Field Office in Las Vegas. EFF is working to arrange legal representation for him.


They would need to ask the FBI, not the Marshals.


Actually, once he is booked into jail, he will be the responsibility of the US Marshals. It's very odd that if he were arrested yesterday, that he would still be in custody at the FBI office. The FBI itself does not have detention facilities...they have holding cells that are supposed to be used for a few hours during processing and interrogation.

It sounds like he was arrested in Henderson (a suburb of Vegas), kept overnight in that city's detention facility, then brought to the Las Vegas FBI field office today. He will probably see a judge for a detention hearing today or tomorrow, and if he is not granted bail will then be put in jail at the Clark County Detention Center in downtown Las Vegas, at which time he will be in the custody of US Marshals.



There is no law or procedure that would compel the FBI to report on whom they have in custody to journalists, friends or random bloggers.


I consider that a huge issue. No justifiable reason for that.


The license for such illegal actions became legal after 9/11. This is nothing new. Police abductions happen in the pretty USA too.


Not sure why this is being downvoted, it's accurate.


Probably because it lacks references.


Well, there was the Chicago story a few years back... https://www.theguardian.com/us-news/2015/feb/24/chicago-poli...


Where have you been? In the US, they can do whatever they want to you.


This is by all appearances a lawful and routine arrest.


That's what's even more worrying. People getting accustomed to such "routine" arrests.


By "routine" you mean "happens approximately once every other year and is covered in essentially every news outlet in the western world", right?


No, because:

a) by "such routine events" I don't constrain it to "hacker arrested at borders/Def Con" -- but to the general pattern of abuse

b) whether it is "covered" by news outlets or not I don't consider relevant


"Routine" and "newsworthy" are practically antonyms.


That's not relevant in at least two ways:

First, being in the news does not necessitate something actually being newsworthy. Between celebrity gossip, the latest fads, and shallow exchanges between career politicians that impact no one and everybody will forget a couple of days later, a very small part of the news is actually newsworthy.

Second, something happening routinely does not mean it's necessarily not worth reporting. Especially for things that happen routinely but shouldn't -- and whose routine re-emergence invokes outrage. The shooting of a black person walking/driving around by cops is very much a routine affair (as there have been 100s of incidents), but it continues to get media coverage and rightly so.


The shooting of a black person walking/driving around by cops is very much a routine affair

Not unless you make up some meaning of 'routine' that nobody else uses. Police shootings are not routine.


That's beside the point. In the US the police can do anything they like to you.


Then your comment is off-topic.


Maybe you should learn how threads work. Read the original parent thread.


That's the problem.


> What the hell? How does something like this even happen? Surely they can't just take somebody away and keep it a secret?

You absolutely can. [1]

[1] https://www.theguardian.com/us-news/2015/feb/24/chicago-poli...


"can" probably meant "can lawfully".


FYI, if you've committed any form of cybercrime in the previous 3 years (edit: the statute of limitations is 5 years for most federal computer crimes, as pointed out below), you should avoid such conferences in the US for exactly this reason. You probably aren't as smart as you think, and there may be a sealed arrest warrant for you.

The FBI waits for these kinds of conferences to do exactly what they did here. Another Las Vegas DEF CON victim was Dmitry Sklyarov [1]. They won't bother with all of the problems associated with international arrest warrants and extradition if they know you're coming to them.

[1] https://en.wikipedia.org/wiki/United_States_v._Elcom_Ltd.


It's actually 5 years and potentially more depending on the specifics.

Relevant information begins on the bottom of page 126/213 or 120 using the numbers printed on the pdf.

https://www.justice.gov/sites/default/files/criminal-ccips/l...


I stand corrected. It is three years for many federal crimes, but since the CFAA has no specific statute of limitations, you are correct that crimes prosecuted under it use the default number, which is 5 years. On a side note, if you are an international person visiting the US, you do not want to be arrested for a federal crime in Las Vegas...if you think you may be arrested, visit somewhere else. There is no automatic right to bail in the federal system, and the District Court in Las Vegas is notorious for ruling that most non-US defendants are flight risks. That means, at a minimum, you will go through a month-long transfer process (that goes through Oklahoma, regardless of your destination) to get to wherever your federal warrant was actually issued before you are likely to be granted bail.


This is good advice, but if you think you may be arrested, you should not visit at all.


Probably even better advice :) .


Or maybe DEFCON should stop hosting their conference in the US. It used to be a game, “Spot the Fed”; now the joke's on them: “Spot the hacker”. Because DEFCON is a fishing ground for Feds.


Shouldn't we all avoid US conferences?

Half the people have some day done something which in a generic way is "against US interests" (from a false name on Facebook to competing against a US corp to starting a petition or a secure app). I personally don't go to US conferences or visit US customers, simply because of TSA (same for Japan and China; Europe has a better track record). If you have a choice, it's not really giving the world a service to choose the USA land to organize a conf, as it will exclude many, many people.


Competing against a US corporation is not a crime and neither is a false name on Facebook.


Using a false name on Facebook is against their ToS, is it not? There was a story within the last week about how violating ToS is arguably a felony in the US.


The story was actually from 2013, but yeah, the DOJ tries to pass that theory. Fortunately the Ninth and Fourth Circuits have already shown they won't play ball, but there are other courts.


...do they care? Is there a correlation between committing crimes and, for example, being on the no-fly-list? The TSA doesn't wait for a crime to interrogate you, send you back, download or bug your phone, and I'll eat my hat if they never planted child pornography on someone's phone to accuse them of a crime. If a CIA/NSA clerk once flagged you as a "person of interest" (and 3rd degree phone relationship with a criminal is enough), they'll find a good reason to accuse you.


This is really flippant, but you could just generalise to "avoid the US."


Not flippant at all. The US is becoming a dangerous place to visit.


Or you could not make and sell malware, no matter where you are in the world.


Has he been convicted?


Not at all. These are allegations. The indictment itself states this clearly.


Wouldn't it be better for everyone if US infosec conferences were hosted in Canada ?


Why do you believe that Canada offers better legal protections? I'm Canadian, but I have no idea what the situation is here.


> FYI, if you've committed any form of cybercrime

According to the US definition of cybercrime. So you could be totally innocent in your country, and have done nothing directly in the US.


And according to the US definition of cybercrime, we are probably all guilty of something.


No good deed goes unpunished. But why is DefCon still in the US? I think the creators of the conference might want to seriously think about holding it somewhere that isn't so hostile to pretty much everyone who attends.


Because Las Vegas is in the US. DC/BH are just an excuse for security people to get a company paid trip.


Having just attended DEF CON, I can say that I didn't get that vibe at all. The people who were there were very serious about the whole point of it all. I got a lot of value out of it as well.


It looks like Berlin could be a better place for such type of event.


The Chaos Communication Congress is already held annually in Germany, and is well-attended. There is absolutely an appetite for annual hacker/security conferences in the United States (and indeed we already have dozens that are held annually, of all sizes: DEF CON, BlackHat, B-Sides, ShmooCon, etc).


Haha, the ones that actually attended sessions are serious. The other guys just visit casinos and the pool and their boss pays for the trip.


The sessions were all pretty much full. There were many, many people who were taking it seriously. I can't speak to how many people just goofed around the whole trip, as I wouldn't've seen them, but it seemed to be a minority.


Probably true for Blackhat, but I think you're way off the mark on Defcon. It's the highest quality conference I've ever attended, bar none.


You mean like Defcon Beijing?


FYI for those reading this, that's not a joke. Defcon actually seems to be hosting a con in Beijing in the near future.


No. Defcon Toronto


Defcon Reykjavik? Bunch of hackers in hotsprings sounds like a party


At least then we don't have to worry about the FBI... just Bell and Rogers.

https://news.ycombinator.com/item?id=14911330


This is surreal, no other words. Like NK.


Moving Defcon to Canada doesn't solve the issue if attendees have to get there via US airspace.

Deplaning [0] is a real possibility.

[0] https://news.vice.com/story/somali-canadian-forced-off-fligh...


No thanks, don't want Canada turning into the next US.


Defcon Prague?


>But why is DefCon still in the US?

Most of the attendees are US citizens. They will lose a lot if they move it. It's better to just host another one outside of the country (and I think there are already a bunch) for people that don't want to visit the US.


It's not about his good deed, it's about the fact that he may have been involved with a bank scam Trojan in 2015


The Guardian has more:

https://www.theguardian.com/technology/2017/aug/03/researche...

He may have a shady past:

  According to an indictment released by the US Department of Justice, Hutchins is accused of having helped to spread and maintain the banking trojan Kronos between 2014 and 2015


Since he's only been in custody for less than 24 hours, and CNN already has the indictment, presumably the DOJ had his case before a grand jury awhile ago. Which implies that they did not do this on a whim.

Since CNN has the indictment, we'll all have it soon enough, and we'll get a look at the basis for the DOJ's claims.


Date on the indictment says July 12th. So this has been cooking for a while.



This sends a clear message to the global whitehat security community: travel to the US at your own peril.


Or, maybe, there's a legit good or bad reason that he is unreachable? But let's just jump to the conclusion that he was blackbagged and in a CIA black site.


How many security researchers have squeaky-clean records, though? In hindsight, gathering all of the hackers under one of the most sophisticated, militant, intelligence systems in the world, might not be a great idea.



what is a "legit bad reason"


He broke a law?


Why would that prevent him from securing legal representation?


It hasn’t even been a day and you have no idea if he has legal representation or not. Give it a couple days before starting up the outrage machine.


Arrest warrant?


Yeah, sure, I've got it right here... oh wait, I'm just a random commenter on a forum.



There are zero details on this story...calm down..


There are absolutely details:

> Motherboard verified that a detainee called Marcus Hutchins, 23, was being held at the Henderson Detention Center in Nevada early on Thursday.

So at least we know he was detained.

This one relies on a friend, so presumably it's "less verified" as far as these things go:

> A few hours after, Hutchins was moved to another facility, according to a close personal friend.

I don't know if Motherboard has tried to contact Hutchins, though.


Detained for what? You don't know.

I mean, I agree, detainment isn't usually the way to make friends, but those are not specific details of the incident.


We should have overwhelming confidence that people are detained for good reasons. Given US's track record, it is entirely reasonable to think that it's not the case, until demonstrated otherwise by proof brought forward by the aggressor.


> Detained for what? You don't know.

That's rather my concern.


it's a clear message to the global community.


Bitcoin wallets associated with WannaCry have been emptied: https://arstechnica.com/gadgets/2017/08/wannacry-operator-em...


Strange coincidence


I'm curious what charges are being brought against him. For all we know, this detention is completely unrelated to WannaCry. We shall see.


I may be totally off base here but IIRC, before he ran MalwareTech and was a whitehat, he participated (and was an op) in fairly "shady" IRC channels, with his oldest nick I can recall being `Ntoskrnl`, dedicated to malware and malware development which even had a person (Edit3: As pointed out in this thread, that person was `BetaMonkey/TouchMe`) who was selling a variant of a botnet drone client builder. Edit2: From one of the comments below in this thread, the network on which he was present (and was an IRC operator of) was `irc.voidptr.cz` or a variation of that, I could not recall the name of the network at first but when someone mentioned it, I instantly recognized it.

If he's who I think he is, I doubt his early background is that clean, despite him being a whitehat now. It is very much possible he is being held because of something related to that and not because of anything related to WannaCry. This was all before he even started running the MalwareTech blog, it's very much possible the FBI decided to look into his background or were already familiar with it prior to him arriving in or leaving the US.

That being said, it's possible that I'm mistaking him for someone else in which case I do apologize. I edited the post a bit, to clarify, the first paragraph to the best of my knowledge is certainly true, second one is based on my own speculation so take it with a grain of salt.


Instead of apologizing for potentially spreading FUD and falsehoods, maybe you should refrain from posting until you have actual facts in hand?


The grandparent is making a good point. It is entirely possible that the researcher is being prosecuted for something related to his past. It's not likely that he's being prosecuted for smuggling a small amount of drugs (for example); the FBI wouldn't be the one making the arrest. Even if all the activities he has done in the past are completely legal the FBI could still try to wring him for them.


> maybe you should refrain from posting until you have actual facts in hand?

Yeah, like the rest of the people commenting here, right? They have all the facts.


There's an equal number of FUD and speculation going the other way, e.g. that he was arrested for no reason or that he was "disappeared".


Kind of like the assumptions as to why he was arrested?


Like the article itself?


I can confirm that christina_b is correct and sbarre can rest easy knowing that nobody is being defamed.


He ran a carding forum in the past, malkit.ws and then malkit.su.

Virustotal passive DNS shows that it was hosted for a time on the same server as his old irc, irc.voidptr.cz

https://www.virustotal.com/en/ip-address/188.190.99.148/info...


Was it him or BetaMonkey running this? If I recall correctly BM owned voidptr but both had admin access there?

EDIT: Ah, found some old logs on google: http://www.exposedbotnets.com/2013/05/hf-elite-coding-team.h...

  [08:08] <TouchMe> if i still owned this irc
  [08:09] <TouchMe> i would shut it down and start over


BetaMonkey/TouchMe was in fact the person I was referring to who was providing support for his botnet drone builder until he disappeared with no trace at a later date. Just could not recall the nick at the time of making my original post.


I always assumed the two to be different people. The log shows the two of them talking at the same time, and I remember the two of them having very different attitudes in general.

I know TouchMe is malwaretech but would be inclined to assume that BetaMonkey isn't.

TouchMe was still a malware developer though, and apparently used to run voidptr before handing it over to BetaMonkey.


I was pretty sure TouchMe was BetaMonkey's new nick, I don't think it was Ntoskrnl (MalwareTech). From what I've heard TouchMe continued support of his drone's users until he disappeared without a trace. This was so long ago and my memory isn't amazing.


TouchMe is MalwareTech, 0 doubt https://twitter.com/touchmymalware

If BetaMonkey==TouchMe then they were trying really hard to conceal that.

Here's a hackforums thread mentioning some other malware TouchMe was distributing though https://hackforums.net/showthread.php?tid=3786935


> TouchMe is MalwareTech, 0 doubt https://twitter.com/touchmymalware

If I was a bad man in the security profession who was certain he was anonymous, I'd point to someone else who was a security professional on twitter when I vanished too.

It just y'know, wouldn't have been me.


That tweet was in 2013 however.


If you tweet and stop using an account that is what happens and that was a shady group of people in 2013.


pfft.

I used to talk to this guy on a malware dev IRC on a daily basis, he started a blog "TouchMyMalware" which eventually evolved into Malwaretech.

This is all easily verifiable with google and archive.org.

And lol, apparently some twitter user dug up logs of him offering to sell me a rootkit for $20k https://twitter.com/jeremiahg/status/893207272154734592


> This is all easily verifiable with google and archive.org.

Yes. And I've had a hostile fellow once upon a time put my RL info in the whois and post a bunch of shit on it. I generally give people the benefit of the doubt when it's random online public stuff until they are convicted.

The internet "evidence" is way too flimsy to be considered reasonable standards of proof imho.


Okay, never fear! In that case I will provide you with irrefutable proof.

Navigate to: https://web.archive.org/web/20131031200609/https://twitter.c...

Pick any of the tweets, copy the direct link to that tweet.

You'll end up with something like this: https://web.archive.org/web/20131031200609/https://twitter.c...

Now remove the archive.org part from the beginning: https://twitter.com/TouchMyMalware/status/395862786602827776

Click on the link and boom you're suddenly redirected to https://twitter.com/MalwareTechBlog/status/39586278660282777...

Here's also an archive.org link showing the account with the "TouchMe" name on it: https://web.archive.org/web/20130710045915/https://twitter.c...

Happy?


> Now remove the archive.org part from the beginning: https://twitter.com/TouchMyMalware/status/395862786602827776

> Click on the link and boom you're suddenly redirected to https://twitter.com/MalwareTechBlog/status/39586278660282777....

> Okay, never fear! In that case I will provide you with irrefutable proof.

> Happy?

https://twitter.com/TouchMyMalware/status/893243147580473344

You proved he is Donald Trump?

I'm not trying to pick a fight here so just chill and move on. We aren't going to agree.


>I'm not trying to pick a fight here so just chill and move on. We aren't going to agree.

Yes, I'm sorry I didn't immediately realize that you were just trolling. If not, you might want to look at the parts of my post you decided not to quote.


Even better -- Here's someone @'ing TouchMyMalware and then MalwareTechBlog replying "Thanks for the tweet, also my new twitter handle is @MalwareTechBlog"

https://twitter.com/MalwareTechBlog/status/40533646447018393...


That just looks like standard IRC bantz though. Do you know if he was actually trying to sell/weaponize the malware he was developing? (I assume he was, given the indictment, but can't hurt to ask.)


I'd go with "no doubt" for both. Although I'd assume he'd have loved the $20k if it was actually on the table.


Sup ryan, remember me? i used to chill on voidptr sometimes too. I don't know why everyone is so surprised by this

"he's a fucking genius because he got us all" https://twitter.com/x0rz/status/893203106338680832


Betamonkey was someone different. The reason he disappeared without a trace was that he was so bad at PHP that people got sent to prison (his support site was owned by a whitehat and all the customer information was harvested and distributed to law enforcement)[0].

Touchme/Marcus was a close friend of his though, one of his first articles on the site that eventually became malwaretech.com was an attempt to disprove the claim that betamonkey's malware was banking malware. This had gotten him banned from selling on hackforums, his main source of customers at the time. You have to read the article on the way back machine, for some reason he deleted it from his site later on [1].

If I were betamonkey I would be sweating pretty hard right now, his malware is also still being used and Marcus will be looking hard for someone else to drag under the bus.

[0] http://www.xylibox.com/2015/04/betabot-retrospective.html [1] https://web-beta.archive.org/web/20130625172146/http://touch... (halfway down the page)


I don't think he directly ran his own IRC, it was a "in partnership with another organization" sort of thing.


Here it is

> For anyone still into IRC, MalwareTech has partnered with sigterm.no to launch a new IRC network. It’s still fairly new so don’t expect an instant response, but everyone is welcome (socializing or just asking for help).

https://www.malwaretech.com/2014/10/new-irc-launc.html


Different irc, different time. Look at the timestamps on VT, we're talking about 2013 stuff :)


> For all we know, this detention is completely unrelated to WannaCry.

No, everyone has already determined 'wow he did a good deed' and 'us law enforcement bad'.

The fact is he is linked to this event and a person of interest who they want to get more info from. As such it makes total sense they would detain him for some questioning, searches and so on.

If you are someone who stops a crime you will also get questioned by the police. For all they know you are covering your own tracks and had a role in the crime. This is almost a cliche in movies and tv.


> If you are someone who stops a crime you will also get questioned by the police. For all they know you are covering your own tracks and had a role in the crime. This is almost a cliche in movies and tv.

Yup. Law enforcement is not obliged to assume his innocence.


I understand your point of view, but I don't share it. First, asking questions doesn't require detaining people. Second, that person is not an American citizen. Unless he committed crimes on American soil, which might be the case, handling foreign visitors like that is puzzling to say the least.


Everyone's determined 'us law enforcement bad' because it doesn't matter what crime he may or may not have committed. He was arrested in the US, which means he may be tortured or murdered, and if he's sentenced he almost certainly will be tortured through means such as prisoner assaults, permanent solitary confinement or abuse, or god knows what else. And heaven forbid he's sent to a military prison. He will never come out again.


If you believe the USA is so terrible then push for sanctions against them. It's better than wringing your hands anytime one of our longtime allies decides to arrest an alleged criminal.


UK's National Cyber Security Centre on MalwareTech's arrest: "We are aware of the situation. This is a law enforcement matter and it would be inappropriate to comment further."

https://twitter.com/josephfcox/status/893160214664445952


Would the UK National Cyber Security Center respond differently if he were detained by law enforcement in Iran?


They'd probably refer you to the Foreign Office in that case.


that'll be the 'rapid response' unit leaping into action right there


Reading the indictment, it seems like his partner ratted him out. Curious though, the indictment seems to list the redacted partner as doing most of the incriminating things (posting a video demonstration, advertising the sale on AlphaBay, etc); it merely accuses Marcus of being the author and co-conspirator.

I wonder if his partner/friend got caught, and plea bargained to turn state's evidence against Marcus.


> I wonder if his partner/friend got caught, and plea bargained to turn state's evidence against Marcus.

I always wonder a bit about how often these things end up like Rubin Carter, with the guilty party turning state's evidence against someone less guilty or entirely innocent. I mean... one presumes there's more evidence generated by being more involved with the crime, as in this case. If you catch whoever is most identifiable and turn them, there ought to be a lot of cases where you're starting with the worst player and cutting them a deal.


I would love to have a game theorist break this down in an understandable way.


Makes me wonder if he was involved with criminal intentions - maybe they produced it together as a research project, then the partner decided to sell it? It would explain why he wanted a sample of his own software, if it wasn't just a cover.


Based on the number of people who are absolutely certain he wouldn't be involved, the circumstantial evidence suggesting he wasn't, and the lack of any solid evidence that he is, I think the smart bet to place is on this being Swatting.

In other words, AlphaBay goes down, FBI analyses information and determines Mr. Redacted was responsible for Kronos. They arrest him, and in interrogation, he decides to blame someone else for anything they can't actually prove is him directly.



So there's another individual who was involved as well. I wonder if they've been detained as well.


Maybe this is the reason he did not appreciate people revealing his identity online (basically DOXing him for fun, some journalist did it if I recall correctly). It really sucks when somebody that is trying to do well (stopping the WannaCry Ransomware as he did) is detained. Even though we don't know more details at this point, this hits him rather personally and probably not for the good. I am very sorry for him and I hope he gets out soon and that all is well.


They're surprisingly clever, to arrest after DefCon. Typical stupid USA LEOs would arrest ASAP, so the unjust detention could be a cause célèbre hyped up by half the talks.


Or maybe they wanted to see what he presents, who he meets there. Could be useful for prosecution.


Obviously I won't condone everything they do, and internal corruption remains an issue (as we've seen with Bitcoin..), but US LE - at least at the federal level - is certainly not stupid. They have a level of strategic, tactical and technical intelligence that is objectively pretty impressive especially compared to where they were at, say, 20 years ago WRT computer security. That said, it certainly doesn't hurt that some of the highest-profile criminal "masterminds" of the past 3-5 years have had fairly sloppy opsec.


They may be trying to identify the real identity of the redacted co-conspirator and were cross checking suspects against who he met at DefCon.


This reminds me of Kevin Mitnick: https://en.wikipedia.org/wiki/Kevin_Mitnick#Arrest.2C_convic...

Do we need to create some "Free Marcus" bumper stickers?


Met Mitnick in Chicago last year at a bank that was paying him to demonstrate hacks for the audience.

His business cards are amazing.

I got stopped by security once because it was in my wallet.



Mitnick was actually a criminal. He was living off stolen credit cards.


I completely agree with you. I'm pretty sure Marcus isn't either from the sound of it. Just a bit freaked out by our government's tactics and sharing a memory.


Do you have a reference?


I mean, he wrote a book about it. About how he used the identities of children who died while living across state lines because no record of death goes back to the originating state.

And how he used those identities and stole credit cards to survive being chased by the FBI.


..do you not know who Mitnick is or something?


Why in heaven's name did he travel to the US?


There is an annual security focused convention going on this week called "Defcon" that many security focused engineers typically attend. Since wannacry was a big thing that happened between this year's con and last year's con, and because Hutchins is a security researcher, I'm sure he was invited to attend if not give a talk.


That doesn't answer OP's question.

Why travel to the US if just three years ago, he broke multiple US cyber laws?

Answer: because he's not as smart as he thought.


DEFCON. I'm sure a lot of people wanted to see him there. What crime did he commit anyway? There was no reason for him to worry at all...


He was here for DEFCON

> It's now been reported that Hutchins, after attending the DEF CON hacker event in Las Vegas, has been arrested.

Source: https://motherboard.vice.com/en_us/article/ywp8k5/researcher...


I know that he was going to a conference, but I wonder why anyone bothers to travel here for simple tourism anymore. It seems awfully unnecessarily risky.


It's not clear to me why he should've expected arrest. He didn't write the virus, he shut it down. The arrest makes no sense. It's not a reasonable thing to have expected.

I was at DEF CON too, for what it's worth.


There's almost zero chance that he was arrested for stopping Wannacry. I'd guess a 23-year old in that business has a history of "less-than-white-hat" activities...


> I'd guess a 23-year old in that business has a history of "less-than-white-hat" activities...

Indeed, and given that he's only 23 years old, there's a good chance the statute of limitations has not been reached for those activities.


There's several other comments in this thread now saying things to that effect. I suppose that's not too surprising.


Wouldn't be surprised if this gets a lot of other people in the field thinking.


That's an interesting position to be in. If you're legit now but you have some past event which might be uncovered, do you approach the DOJ (through a lawyer, of course) to turn yourself in and try to cut a deal, maybe probation and free consulting services for TLAs for a few years, or do you just hope it never comes to light?

Then again, any deal probably means informing on friends and acquaintances of that period and scene. You could try to contact some of them and see if you could go forward together, but then you're setting yourself up for a prisoner's dilemma situation.


I'm sure he was thinking, "hey, what's the harm? It's a first world country!". Classic mistake.


removed, misunderstood parent.


> Since we're all speculating,

No we are not. He was here for Black Hat and DEFCON

> Shortly before his arrest, Hutchins was in Las Vegas during Black Hat and Def Con, two annual hacking conferences.

Source: https://motherboard.vice.com/en_us/article/ywp8k5/researcher...


The bitcoin ransom wallets for WannaCry were just emptied today as well. What was the time difference between these two events? It seems possible that Hutchins could have had control of the wallets and the feds seized the coins.


I'd like to know on what grounds?


EDIT: Here's the indictment: https://www.scribd.com/document/355466286/Kronos-Indictment-...

> for "his role in creating and distributing the Kronos banking Trojan," according to a spokesperson from the U.S. Department of Justice.

> The charges relate to alleged conduct occurring between July 2014 and July 2015.

======

They are awfully quiet about the charges.

> It is not clear why Hutchins has been arrested or if he will face charges in the US. The US Marshals office confirmed it was the FBI who arrested Hutchins.

Source: OP

and on motherboard.vice.com

> The friend told Motherboard they "tried to visit him as soon as the detention centre opened but he had already been transferred out." Motherboard granted the source anonymity due to privacy concerns.

> "I've spoken to the US Marshals again and they say they have no record of Marcus being in the system. At this point we've been trying to get in contact with Marcus for 18 hours and nobody knows where he's been taken," the person added. "We still don't know why Marcus has been arrested and now we have no idea where in the US he's been taken to and we're extremely concerned for his welfare."

Source: https://motherboard.vice.com/en_us/article/ywp8k5/researcher...


Same here. I reserve judgement until there's more information on the reason for his arrest.


Exactly. This may be entirely unrelated to wannacry.


I guess not everyone was happy that he stopped Wannacry. US agencies in particular.


This is utter nonsense. He didn't stop Wannacry. The Wannacry devs stopped Wannacry, if he didn't grab the domain it'd have been picked up by some other TI firm within minutes or hours.


I mean, he literally stopped WannaCry.

Just because someone else could have stopped it, doesn't mean he didn't stop it. That's... just a fact...


You're mixing up could and would here.

This was inevitable because of how WannaCry was designed.


If Newton had not discovered and articulated his 3 laws of motion when he did someone else WOULD have in the decades that followed. Is it an error to say Newton was the first to discover his laws of motion? By this definition how can anything be attributed to anyone?


Do you attribute a car bombing to the person that set up the bomb or the guy that inevitably turned on the car and set off the bomb?

In this case WannaCry creators built a system that would inevitably be triggered within a few hours from the malware going live.

I think it is meaningless to attribute the WannaCry killswitch to him instead of the authors. If he hadn't registered the domain some other threat intelligence firm would've done it moments later.


I mean he had to notice that it was contacting that website, might not have been an obvious thing to look for.


Nah, this was one of the first things you'd notice. No need to reverse the binary, you see the domain in pcaps when you run it.

Registering unregistered domains the malware connects to is a very obvious thing to do, in this case he got "lucky".


Why are people in this thread so outraged without knowing any of the facts? For all we know there might be a legitimate charge on which he was arrested.

As per him being untraceable, if he was not read his rights then the FBI just jeopardized their own case. If no one knows where he is, it's more likely that it's what Marcus wants at the moment rather than what the FBI wants.


>If no one knows where he is, it's more likely that it's what Marcus wants at the moment rather than what the FBI wants.

Oh come on...


He could call his attorney and have him release a statement, right? Are you saying he is being denied access to a lawyer? Because that's a very serious charge and it would be very silly of the FBI. IDK, if I were arrested I would pray that the police abuse their power and deny me access to an attorney.


> He could call his attorney and have him release a statement, right?

How many people traveling to the US from the UK, just to attend a conference, have an attorney they can call in the US?


What about your free public defender? Can't you tell him to make a statement or to contact someone?


You have to be assigned a free public defender by court, requiring a hearing, before you have one to call. That makes it impractical to use one when you are detained without being brought before a magistrate, even if you have the opportunity to make a phone call.


They don't just give them out when you get arrested. Often you have to file paperwork, prove you're indigent, and prove you made an effort to hire an attorney.

Moreover, most public defenders are overworked. They will do their job (hopefully), but they are not your secretary. (I'm sure most will make those phone calls, out of being a decent human being, not because it's their job)


Would you? Would you like them to detain you unjustly for your entire life for example? Personally, I'd prefer the state to act within the bounds of Justice.


He is not a US citizen -- do those rights extend to him? (no snark, I don't know)


When the US government kidnaps non US-citizens they don't give you the chance to call your lawyer. You get stripped, beaten, sodomised and sedated. If you're lucky you get released after a few months of torture.

https://en.wikipedia.org/wiki/Khalid_El-Masri

>Khalid El-Masri (born June 29, 1963) is a German and Lebanese citizen who was mistakenly abducted by the Macedonian police in 2003, and handed over to the U.S. Central Intelligence Agency (CIA). While in CIA custody, he was flown to Afghanistan, where he was held at a black site and routinely interrogated, beaten, strip-searched, sodomized, and subjected to other cruel forms of inhumane and degrading treatment and torture. After El-Masri held hunger strikes, and was detained for four months in the "Salt Pit," the CIA finally admitted his arrest and torture were a mistake and released him.


"interrogated, beaten, strip-searched, sodomized, and subjected to other cruel forms of inhumane and degrading treatment and torture"... so exactly like hanging out with my ex.


>Why are people in this thread so outraged without knowing any of the facts

Because they've seen the same movie time and again...


There's also the possibility that he was the target of some blackhat shenanigans:

https://twitter.com/hostshell/status/893155033084252161


Is it fraud if you declare a wrong birthday on your bank account? Don't they get that information from your documents, instead of relying on you to answer it?


Why are people in this thread so outraged without knowing any of the facts? For all we know there might be a legitimate charge on which he was arrested.

Because US law enforcement have consciously chosen, over the past couple of decades, to engage in activities that make them "the bad guy". It's just abductive inference and a simple bayesian prior at this point. Nobody is reaching any absolute conclusions yet, but a highly plausible explanation, until such time as other facts become available, is over-reach / malicious behavior by the FBI and their cronies.


US law enforcement would be horrifically, jaw-droppingly corrupt if 20% of arrests were "malicious." But even then, 80% of arrests would be non-malicious, so a very strong prior that a given arrest is malicious would be completely unreasonable.

"US law enforcement is the bad guy, therefore any given choice they make is probably evil" is fiction-logic. It works in movies, not in real life.


80% of arrests would be non-malicious, so a very strong prior that a given arrest is malicious would be completely unreasonable.

Sure, but we're not talking about a randomly selected item here. Looking at US arrests w/r/t "cybercrime" and given the history of overly broad interpretations of the CFAA and what-not, I think it's a lot less clear than you are suggesting.

"US law enforcement is the bad guy, therefore any given choice they make is probably evil" is fiction-logic. It works in movies, not in real life.

We're not talking about "logic" (as in "deductive logic") here... we're talking about the kind of fuzzy reasoning, based on abduction and Bayesian inference, that human beings use in the face of limited information... and with an understanding that you revise your position as new information is acquired.


> As per him being untraceable, if he was not read his rights

Rights? Which rights?


better summary: http://www.reuters.com/article/us-usa-cyber-arrest-idUSKBN1A...

insightful thread also delving into wannacry: https://twitter.com/3L3V3NTH/status/893181445824446464

edit: there is a nice HN discussion already about the bitcoin: https://news.ycombinator.com/item?id=14918545


Maybe he violated WannaCry's terms of service. The DoJ are pretty down on that kind of thing.


Indeed. If he didn't get permission to stop WannaCry, then he violated the CFAA.

No, a "crime" is not good justification of a different crime.

I wish I was making this stuff up, but thank overly-broad '80s laws regarding "access", "permission", and that sort of language which weaponizes EULAs.


UK is no better.

http://www.legislation.gov.uk/ukpga/1990/18

That thing is 27 years old.

Massively over broad.

> Section 37 (Making, supplying or obtaining articles for use in computer misuse offences) inserts a new section 3A into the 1990 Act and has drawn considerable criticism from IT professionals, as many of their tools can be used by criminals in addition to their legitimate purposes, and thus fall under section 3A.

Basically supplying a disassembler to someone who then uses it for a crime is itself possibly covered for example.

It's the possibly that's the problem, when you can't tell if an offence has actually been committed you leave it open for abuse.


yeaaah let us arrest the good guys...


Just because you did one good thing doesn't make you a good guy if you've done bad things too.

The indictment shows he broke six US cyber laws in 2014 in connection to the Kronos malware, which he created.


In the eyes of the court, there is no good or bad, only law if followed based on evidence.


In fact the court is concerned with justice, which absolutely depends on good and bad as opposed to the strictures of the law.


In the magical fairyland, yes.


As much as this article contains very little information, this sounds very much like something the US will do.

Whenever someone has to be the butt of some global joke... somehow the US has to be the one to step up. Taking someone into custody for 18 hours without giving the family or press any information. How different is this from Iran or North Korea?

Two things could've happened here IMO. They asked for the domain to be turned over to them and were politely refused, or they're about to punish an accidental hero for white hat work/previous black hat work not related to WannaCry.


Who’s to say he didn’t call his family? The linked article cites a “close personal friend” who has been in contact. The fact they didn’t give a heads up to random reporters and Twitter users after arresting someone isn’t scandalous.


>Taking someone into custody for 18 hours without giving the family or press any information. How different is this from Iran or North Korea?

Most countries don't give the press information. Why do you believe his family or a lawyer hasn't been contacted?


You called it


In Iran and NK detention without rights is an institutionalized practice. In the US, if you deny them a phone call immediately, you just threw away your own case.


... unless "national security" is cited


The patriot act (amazing name) invalidated that statement. Not sure if it applies in this specific case.


The full name of the "USA PATRIOT" act:

> Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism


just say "national security" and all things are permitted.


You watch too much tv


>> this sounds very much like something the US will do.

As an American this sounds very much like something many, many, many countries around the world would do.


Many, many countries are brutal, totalitarian dictatorships. Doesn't mean we have an excuse to sink to their level.

I couldn't imagine this story coming from, say, Germany or Sweden.



The first article is about Peter Sunde. Another TPB founder, Gottfrid Svartholm Warg was treated even worse, being held in solitary confinement for months before his trial. Which sadly happens way too often.

http://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?Ne...

> Among the issues discussed during the session:

> [...] excessive length of pre-trial detention [...] wide use of solitary confinement


Pretty sure Sweden has a certain Australian that, according to many on this site, they've been very unfair to.


That has been because of US pressure too...


He isn't even in Sweden.


Yes, well aware of that.


Omitting the really bad ones, can you give a few examples so I know where I definitely don't want to live?


There are websites that track these things. Here's one: http://www.vexen.co.uk/countries/best.html


I'm thinking some people are misunderstanding the point of my statement and assuming things.


"We're as good as Burma!" isn't saying much.


This is some seriously shady shit. The smart bet is we're not getting the whole story.

"Buy guns, lock your doors." - Bill Hicks


Trump's Dept of Justice is out of control.


--


You watch too many movies. FBI doesn't recruit people by kidnapping them.


At this point we can certainly hope he hasn't just been disappeared forever.


Only if recruited is a euphemism for the LEO version of "given an offer he can't refuse".


Seems like a bad way to go about it.


I like how this malware writer/researcher claims he "found" the address and "miraculously saved" everyone by grabbing the domain.

Not sure why everyone says he isn't the malware writer. What proof do you have that he didn't write it? Maybe he left a trail that you missed.


He found the address in the source code of the ransomware, any researcher could have found it. He even said himself that when he found it in the source code and saw it was unregistered he registered it to see what would happen. As it turned out it stopped infections from occurring.

Not to say that he isn't the malware writer, but your use of quote marks makes me think you have no idea about what happened and haven't looked into it, just made some "wild assumptions".


Pretty sure it was in disassembled machine code, not source code.


I have taken the liberty of downloading a sample of WannaCry, and I can see the "killswitch" domain just by running strings on the binary.

    $ strings Downloads/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.bin |grep .com
    __p__commode
    http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
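As an added example (not code from the thread), here is a Python version of the strings-and-grep check above. It also shows why `grep .com` returns `__p__commode` (the unescaped dot is a wildcard) and flags long, high-entropy labels of the kind a sinkhole analyst would want to look at first. The sample bytes are constructed, not the real binary.

```python
import math
import re

# Constructed stand-in for a malware sample: a few fake PE-ish bytes around
# the strings a real binary would carry. Not the WannaCry binary itself.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    b"__p__commode\x00\x7f\x00"
    b"http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\x00"
    b"InternetOpenUrlA\x00kernel32.dll\x00\xff\xfe"
    b"notes.txt\x00"
)

def extract_strings(data: bytes, min_len: int = 4):
    """Mimic `strings`: runs of at least min_len printable ASCII bytes."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out

# What `grep .com` actually matches: the dot is a wildcard, so any "com"
# preceded by one character hits, including the CRT symbol __p__commode.
NAIVE = re.compile(r".com")
# A hostname pattern: dotted labels ending in a known TLD, optional scheme.
HOST = re.compile(r"(?i)(?:https?://)?((?:[a-z0-9-]+\.)+(?:com|net|org|info|biz))\b")

def candidate_domains(data: bytes):
    """Return (naive grep hits, real hostnames) from the printable strings."""
    strs = extract_strings(data)
    naive = [s for s in strs if NAIVE.search(s)]
    hosts = sorted({m.group(1).lower() for s in strs for m in HOST.finditer(s)})
    return naive, hosts

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of a single DNS label."""
    n = len(label)
    counts = {c: label.count(c) for c in set(label)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def looks_generated(host: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """Heuristic (assumed thresholds): a long, high-entropy label is typical
    of a machine-made C2 or kill-switch name and worth a registration check."""
    label = max(host.split("."), key=len)
    return len(label) >= min_len and label_entropy(label) >= min_entropy

if __name__ == "__main__":
    naive, hosts = candidate_domains(SAMPLE)
    print("grep .com would show:", naive)
    for h in hosts:
        print(h, "generated-looking" if looks_generated(h) else "ordinary")
```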


An extraordinary claim requires extraordinary proof.


You don't need to prove anything to raise questions. The comment didn't claim anything; it was just a sceptical one. We should cheer those.


The firm he works for literally pays him to track the size and scale of malware outbreaks. What's the best way to do that? Look for domains the malware attempts to communicate with and register them, pointing them at the firm's sinkhole server. From there the server can generate reports on how many connections it gets and from where.

He did what he would have done to any malware once he found an unregistered domain: he registered it. He didn't realise the malware was using that domain as a killswitch.

