In my opinion, Marcus Hutchins will spend the next 10 years of his life working for the NSA and reverse engineering malware built by the Chinese. Unless MI5 has other plans.
On Wednesday, 22-year-old Marcus Hutchins -- also known as MalwareTech -- was arrested in Las Vegas for "his role in creating and distributing the Kronos banking Trojan," according to a spokesperson from the U.S. Department of Justice.
The charges relate to alleged conduct occurring between July 2014 and July 2015.
According to an indictment provided to CNN Tech, Hutchins created the malware and shared it online.
What the hell? How does something like this even happen? Surely they can't just take somebody away and keep it a secret?
"Hutchins, who is indicted with another un-named co-defendant, stands accused of six counts of hacking-related crimes as a result of his alleged involvement with Kronos. “Defendant Marcus Hutchins created the Kronos malware.”"
Anyone got a kronos sample?
10:26 AM - 13 Jul 2014
Weird, read the Indictment. This day is specifically called out (although not this post).
The video mentioned in the indictment:
He was supposedly selling the malware on Alphabay, of all places.
1: My brother's arrest
There's this little thing called the Patriot Act that Bush brought into law after 9/11 that allows the feds to do exactly this.
It sounds like he was arrested in Henderson (a suburb of Vegas), kept overnight in that city's detention facility, then brought to the Las Vegas FBI field office today. He will probably see a judge for a detention hearing today or tomorrow, and if he is not granted bail will then be put in jail at the Clark County Detention Center in downtown Las Vegas, at which time he will be in the custody of US Marshals.
a) by "such routine events" I don't constrain it to "hacker arrested at borders/Def Con" -- but to the general pattern of abuse
b) whether it is "covered" by news outlets or not I don't consider relevant
First, being in the news does not necessitate something actually being newsworthy. Between celebrity gossip, the latest fads, and shallow exchanges between career politicians that impact no one and everybody will forget a couple of days later, a very small part of the news is actually newsworthy.
Second, something happening routinely does not mean it's necessarily not worth reporting. Especially for things that happen routinely but shouldn't -- and whose routine re-emergence invokes outrage. The shooting of a black person walking/driving around by cops is very much a routine affair (as there have been hundreds of incidents), but it continues to get media coverage and rightly so.
Not unless you make up some meaning of 'routine' that nobody else uses. Police shootings are not routine.
You absolutely can. 
The FBI waits for these kinds of conferences to do exactly what they did here. Another Las Vegas DEF CON victim was Dmitry Sklyarov . They won't bother with all of the problems associated with international arrest warrants and extradition if they know you're coming to them.
Relevant information begins on the bottom of page 126/213 or 120 using the numbers printed on the pdf.
Half the people have some day done something which in a generic way is "against US interests" (from a false name on Facebook to competing against a US corp to starting a petition or a secure app). I personally don't go to US conferences or visit US customers, simply because of TSA (same for Japan and China; Europe has a better track record). If you have a choice, it's not really giving the world a service to choose the USA land to organize a conf, as it will exclude many, many people.
According to the US definition of cybercrime. So you could be totally innocent in your country, and have done nothing directly in the US.
Deplaning is a real possibility.
Most of the attendees are US citizens. They will lose a lot if they move it. It's better to just host another one outside of the country (and I think there are already a bunch) for people that don't want to visit the US.
He may have a shady past:
"According to an indictment released by the US Department of Justice, Hutchins is accused of having helped to spread and maintain the banking trojan Kronos between 2014 and 2015."
Since CNN has the indictment, we'll all have it soon enough, and we'll get a look at the basis for the DOJ's claims.
> Motherboard verified that a detainee called Marcus Hutchins, 23, was being held at the Henderson Detention Center in Nevada early on Thursday.
So at least we know he was detained.
This one relies on a friend, so presumably it's "less verified" as far as these things go:
> A few hours after, Hutchins was moved to another facility, according to a close personal friend.
I don't know if Motherboard has tried to contact Hutchins, though.
I mean, I agree, detainment isn't usually the way to make friends, but those are not specific details of the incident.
That's rather my concern.
If he's who I think he is, I doubt his early background is that clean, despite him being a whitehat now. It is very much possible he is being held because of something related to that and not because of anything related to WannaCry. This was all before he even started running the MalwareTech blog, it's very much possible the FBI decided to look into his background or were already familiar with it prior to him arriving in or leaving the US.
That being said, it's possible that I'm mistaking him for someone else in which case I do apologize. I edited the post a bit, to clarify, the first paragraph to the best of my knowledge is certainly true, second one is based on my own speculation so take it with a grain of salt.
Yeah, like the rest of the people commenting here, right? They have all the facts.
Virustotal passive DNS shows that it was hosted for a time on the same server as his old irc, irc.voidptr.cz
EDIT: Ah, found some old logs on google: http://www.exposedbotnets.com/2013/05/hf-elite-coding-team.h...
[08:08] <TouchMe> if i still owned this irc
[08:09] <TouchMe> i would shut it down and start over
I know TouchMe is malwaretech but would be inclined to assume that BetaMonkey isn't.
TouchMe was still a malware developer though, and apparently used to run voidptr before handing it over to BetaMonkey.
If BetaMonkey==TouchMe then they were trying really hard to conceal that.
Here's a hackforums thread mentioning some other malware TouchMe was distributing though https://hackforums.net/showthread.php?tid=3786935
If I was a bad man in the security profession who was certain he was anonymous, I'd point to someone else who was a security professional on twitter when I vanished too.
It just y'know, wouldn't have been me.
I used to talk to this guy on a malware dev IRC on a daily basis, he started a blog "TouchMyMalware" which eventually evolved into Malwaretech.
This is all easily verifiable with google and archive.org.
And lol, apparently some twitter user dug up logs of him offering to sell me a rootkit for $20k https://twitter.com/jeremiahg/status/893207272154734592
Yes. And I've had a hostile fellow once upon a time put my RL info in the whois and post a bunch of shit on it. I generally give people the benefit of the doubt when it's random online public stuff until they are convicted.
The internet "evidence" is way too flimsy to be considered reasonable standards of proof imho.
Navigate to: https://web.archive.org/web/20131031200609/https://twitter.c...
Pick any of the tweets, copy the direct link to that tweet.
You'll end up with something like this: https://web.archive.org/web/20131031200609/https://twitter.c...
Now remove the archive.org part from the beginning: https://twitter.com/TouchMyMalware/status/395862786602827776
Click on the link and boom you're suddenly redirected to https://twitter.com/MalwareTechBlog/status/39586278660282777...
Here's also an archive.org link showing the account with the "TouchMe" name on it: https://web.archive.org/web/20130710045915/https://twitter.c...
> Click on the link and boom you're suddenly redirected to https://twitter.com/MalwareTechBlog/status/39586278660282777....
> Okay, never fear! In that case I will provide you with irrefutable proof.
You proved he is Donald Trump?
I'm not trying to pick a fight here so just chill and move on. We aren't going to agree.
Yes, I'm sorry I didn't immediately realize that you were just trolling. If not, you might want to look at the parts of my post you decided not to quote.
"he's a fucking genius because he got us all" https://twitter.com/x0rz/status/893203106338680832
Touchme/Marcus was a close friend of his though, one of his first articles on the site that eventually became malwaretech.com was an attempt to disprove the claim that betamonkey's malware was banking malware. This had gotten him banned from selling on hackforums, his main source of customers at the time. You have to read the article on the way back machine, for some reason he deleted it from his site later on.
If I were betamonkey I would be sweating pretty hard right now, his malware is also still being used and Marcus will be looking hard for someone else to drag under the bus.
 https://web-beta.archive.org/web/20130625172146/http://touch... (halfway down the page)
> For anyone still into IRC, MalwareTech has partnered with sigterm.no to launch a new IRC network. It’s still fairly new so don’t expect an instant response, but everyone is welcome (socializing or just asking for help).
No, everyone has already determined 'wow he did a good deed' and 'us law enforcement bad'.
The fact is he is linked to this event and a person of interest who they want to get more info from. As such it makes total sense they would detain him for some questioning, searches, and so on.
If you are someone who stops a crime you will also get questioned by the police. For all they know you are covering your own tracks and had a role in the crime. This is almost a cliche in movies and tv.
Yup. Law enforcement is not obliged to assume his innocence.
I wonder if his partner/friend got caught, and plea bargained to turn state's evidence against Marcus.
I always wonder a bit about how often these things end up like Rubin Carter, with the guilty party turning state's evidence against someone less guilty or entirely innocent. I mean... one presumes there's more evidence generated by being more involved with the crime, as in this case. If you catch whoever is most identifiable and turn them, there ought to be a lot of cases where you're starting with the worst player and cutting them a deal.
In other words, AlphaBay goes down, FBI analyses information and determines Mr. Redacted was responsible for Kronos. They arrest him, and in interrogation, he decides to blame someone else for anything they can't actually prove is him directly.
Do we need to create some "Free Marcus" bumper stickers?
His business cards are amazing.
I got stopped by security once because it was in my wallet.
In case anyone else was wondering
And how he used those identities and stole credit cards to survive being chased by the FBI.
Why travel to the US if just three years ago, he broke multiple US cyber laws?
Answer: because he's not as smart as he thought.
> It's now been reported that Hutchins, after attending the DEF CON hacker event in Las Vegas, has been arrested.
I was at DEF CON too, for what it's worth.
Indeed, and given that he's only 23 years old, there's a good chance the statute of limitations has not been reached for those activities.
Then again, any deal probably means informing on friends and acquaintances of that period and scene. You could try to contact some of them and see if you could go forward together, but then you're setting yourself up for a prisoner's dilemma situation.
No, we are not. He was here for Black Hat and DEFCON.
> Shortly before his arrest, Hutchins was in Las Vegas during Black Hat and Def Con, two annual hacking conferences.
> for "his role in creating and distributing the Kronos banking Trojan," according to a spokesperson from the U.S. Department of Justice.
> The charges relate to alleged conduct occurring between July 2014 and July 2015.
They are awfully quiet about the charges.
> It is not clear why Hutchins has been arrested or if he will face charges in the US. The US Marshals office confirmed it was the FBI who arrested Hutchins.
and on motherboard.vice.com
> The friend told Motherboard they "tried to visit him as soon as the detention centre opened but he had already been transferred out." Motherboard granted the source anonymity due to privacy concerns.
> "I've spoken to the US Marshals again and they say they have no record of Marcus being in the system. At this point we've been trying to get in contact with Marcus for 18 hours and nobody knows where he's been taken," the person added. "We still don't know why Marcus has been arrested and now we have no idea where in the US he's been taken to and we're extremely concerned for his welfare."
Just because someone else could have stopped it, doesn't mean he didn't stop it. That's... just a fact...
This was inevitable because of how WannaCry was designed.
In this case WannaCry creators built a system that would inevitably be triggered within a few hours from the malware going live.
I think it is meaningless to attribute the WannaCry killswitch to him instead of the authors. If he hadn't registered the domain some other threat intelligence firm would've done it moments later.
Registering unregistered domains the malware connects to is a very obvious thing to do, in this case he got "lucky".
As per him being untraceable, if he was not read his rights then the FBI just jeopardized their own case. If no one knows where he is, it's more likely that it's what Marcus wants at the moment rather than what the FBI wants.
Oh come on...
How many people traveling to the US from the UK, just to attend a conference, have an attorney they can call in the US?
Moreover, most public defenders are overworked. They will do their job (hopefully), but they are not your secretary. (I'm sure most will make those phone calls, out of being a decent human being, not because it's their job)
> Khalid El-Masri (born June 29, 1963) is a German and Lebanese citizen who was mistakenly abducted by the Macedonian police in 2003, and handed over to the U.S. Central Intelligence Agency (CIA). While in CIA custody, he was flown to Afghanistan, where he was held at a black site and routinely interrogated, beaten, strip-searched, sodomized, and subjected to other cruel forms of inhumane and degrading treatment and torture. After El-Masri held hunger strikes, and was detained for four months in the "Salt Pit," the CIA finally admitted his arrest and torture were a mistake and released him.
Because they've seen the same movie time and again...
Because US law enforcement have consciously chosen, over the past couple of decades, to engage in activities that make them "the bad guy". It's just abductive inference and a simple Bayesian prior at this point. Nobody is reaching any absolute conclusions yet, but a highly plausible explanation, until such time as other facts become available, is over-reach / malicious behavior by the FBI and their cronies.
"US law enforcement is the bad guy, therefore any given choice they make is probably evil" is fiction-logic. It works in movies, not in real life.
Sure, but we're not talking about a randomly selected item here. Looking at US arrests w/r/t "cybercrime" and given the history of overly broad interpretations of the CFAA and what-not, I think it's a lot less clear than you are suggesting.
We're not talking about "logic" (as in "deductive logic") here... we're talking about the kind of fuzzy reasoning, based on abduction and Bayesian inference, that human beings use in the face of limited information... and with an understanding that you revise your position as new information is acquired.
Rights? Which rights?
Insightful thread also delving into WannaCry: https://twitter.com/3L3V3NTH/status/893181445824446464
edit: there is a nice HN discussion already about the bitcoin: https://news.ycombinator.com/item?id=14918545
No, a "crime" is not good justification of a different crime.
I wish I was making this stuff up, but thank overly-broad '80s laws regarding "access", "permission", and that sort of language which weaponizes EULAs.
That thing is 27 years old.
Massively over broad.
> Section 37 (Making, supplying or obtaining articles for use in computer misuse offences) inserts a new section 3A into the 1990 Act and has drawn considerable criticism from IT professionals, as many of their tools can be used by criminals in addition to their legitimate purposes, and thus fall under section 3A.
Basically supplying a disassembler to someone who then uses it for a crime is itself possibly covered for example.
It's the possibly that's the problem, when you can't tell if an offence has actually been committed you leave it open for abuse.
The indictment shows he broke six US cyber laws in 2014 in connection to the Kronos malware, which he created.
Whenever someone has to be the butt of some global joke .....somehow the US has to be the one to step up. Taking someone into custody for 18 hours without giving the family or press any information. How different is this from Iran or North Korea?
Two things could've happened here IMO. They asked for the domain to be turned over to them and were politely refused, or they're about to punish an accidental hero for white hat work/previous black hat work not related to WannaCry.
Most countries don't give the press information. Why do you believe his family or a lawyer hasn't been contacted?
> Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
As an American this sounds very much like something many, many, many countries around the world would do.
I couldn't imagine this story coming from, say, Germany or Sweden.
> Among the issues discussed during the session:
> [...] excessive length of pre-trial detention [...] wide use of solitary confinement
"Buy guns, lock your doors." - Bill Hicks
Not sure why everyone says he isn't the malware writer. What proof do you have that he didn't write it? Maybe he left a trail that you missed.
Not to say that he isn't the malware writer, but your use of quote marks makes me think you have no idea about what happened and haven't looked into it, just made some "wild assumptions".
$ strings Downloads/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.bin | grep '\.com'
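The `strings | grep` one-liner above is the usual first pass an analyst makes to spot hard-coded domains in a sample. As an added example that is not part of any commenter's post, here is the same idea in Python: a `strings`-style scan for printable ASCII runs, a `grep`-style filter, and a stricter domain extractor that drops DLL names and other dotted tokens that a bare `grep .com` would happily match. The binary blob and every domain, mutex and API name in it are constructed placeholders, not bytes or indicators from the WannaCry sample.

```python
import re

# Constructed sample blob standing in for a Windows executable. The domains,
# mutex name and import names are placeholders made up for this example.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 8
    + b"http://example-killswitch-placeholder.com\x00"   # domain hidden in a URL
    + b"kernel32.dll\x00InternetOpenA\x00InternetOpenUrlA\x00"
    + b"\x01\x02\x03" + b"xcom\x00"                     # junk that 'grep .com' also hits
    + b"Global\\PlaceholderMutex\x00"
    + b"update.placeholder-cdn.net\x00"
)

MIN_LEN = 4  # GNU strings' default minimum run length

# Looks like a hostname: one or more dotted labels followed by a 2+ letter TLD.
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

# Dotted tokens that are file names, not hosts; extend as needed.
FILE_EXTS = {"dll", "exe", "sys", "ocx", "drv"}


def printable_strings(blob, min_len=MIN_LEN):
    """What `strings` prints: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def strings_grep(blob, pattern, min_len=MIN_LEN):
    """Equivalent of `strings file | grep PATTERN` (pattern is a regex)."""
    rx = re.compile(pattern)
    return [s for s in printable_strings(blob, min_len) if rx.search(s)]


def candidate_domains(blob, min_len=MIN_LEN):
    """Domain-looking tokens from the binary's strings, in first-seen order,
    lower-cased and de-duplicated, with obvious file names filtered out."""
    found = []
    for s in printable_strings(blob, min_len):
        for m in DOMAIN_RE.finditer(s):
            token = m.group().lower()
            if token.rsplit(".", 1)[-1] in FILE_EXTS:
                continue  # kernel32.dll and friends are not hosts
            if token not in found:
                found.append(token)
    return found


if __name__ == "__main__":
    print("strings | grep .com   ->", strings_grep(SAMPLE_BLOB, ".com"))
    print("strings | grep '\\.com' ->", strings_grep(SAMPLE_BLOB, r"\.com"))
    print("candidate domains      ->", candidate_domains(SAMPLE_BLOB))
```

The unescaped `grep .com` matches the four-byte junk string `xcom`, while `grep '\.com'` does not; `candidate_domains` goes a step further and returns only the two placeholder hostnames, which is the list a responder would then check against passive DNS or registrar data before deciding whether a domain is unregistered.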
He did what he would have done to any malware once he found an unregistered domain: he registered it. He didn't realise the malware was using that domain as a killswitch.