Federal prosecutors filed four new charges against security researcher Marcus Hutchins—better known by his online handle MalwareTech—accusing him of creating and promoting malware used to steal financial information. Hutchins, recognized as the person responsible for stopping the spread of the WannaCry ransomware attack, called the charges “bullshit.”
The new charges, introduced in a superseding indictment, were added on top of six prior counts filed against Hutchins by the federal government last year. The British-born security researcher now faces charges of conspiracy to defraud the US, computer fraud, lying to the FBI, and distribution, possession, and advertisement of an intercept device.
The latest batch of charges put forth by government prosecutors alleges that Hutchins was responsible for creating and selling a piece of malware called UPAS Kit. According to the indictment, UPAS Kit “used a form grabber and web injects to intercept and collect personal information from a protected computer,” and “allowed for the unauthorized exfiltration of information from protected computers.”
By the government’s account, Hutchins created the malware in 2012, when he was 18 years old. He supposedly began selling the malware online with another person identified as “VinnyK.” The tool was supposedly marketed for its capability to “install silently and not alert antivirus engines.” The government claims he eventually sold UPAS Kit to a person going by the username of Aurora123, who used it to infect people in the US.
As independent journalist Marcy Wheeler pointed out, one of the stranger pieces of evidence the government presents in the indictment claiming Hutchins created UPAS Kit is a chat with an unidentified person in which Hutchins states he found an exploit and “posted it on my blog.” The chat seems to reference a blog post in which Hutchins explains how to stop a malware attack by exploiting a vulnerability in the command and control module—essentially laying out how to stop the spread of malware. The government presents it as an attempt to attack another strain of malware “perceived to be competing” with his own, which seems kind of bizarre.
In addition to accusing Hutchins of creating malware, the government also claimed in its latest indictment that the security researcher lied to the FBI when he was detained last August. After being pulled from a planned flight from Las Vegas to the United Kingdom, Hutchins was confronted with accusations that he created a piece of malware called Kronos that was used to steal financial information. Prosecutors claim he later admitted to creating Kronos, therefore admitting he initially lied when questioned by the FBI.
The legal team representing Hutchins has attempted to get his initial statements dismissed, claiming he didn’t fully understand his rights and that he was “sleep-deprived and intoxicated” at the time of his questioning.
As for the rest of the charges, Hutchins’ defense believes those to be pretty baseless as well. Brian Klein, who is representing Hutchins, tweeted he is “disappointed the [government] has filed this superseding indictment, which is meritless. It only serves to highlight the prosecution’s serious flaws.”
“We expect @MalwareTechBlog to be vindicated and then he can return to keeping us all safe from malicious software,” he wrote.
Hutchins pleaded not guilty to the initial charges filed against him last year. In a tweet, he said the case has cost him more than $100,000 to fight and solicited donations to his legal defense fund.