WannaCry 'hero' Marcus Hutchins 'was coerced' into Kronos confession


WannaCry 'hero' Marcus Hutchins was allegedly coerced into confessing that he authored the Kronos banking malware, according to his US lawyers.

The computer researcher, who found the 'kill switch' for the WannaCry ransomware that forced the NHS to cancel or postpone thousands of operations last May, has pleaded not guilty to US charges of creating and distributing a banking malware called Kronos.

Arrested at Las Vegas airport after attending an IT security convention in August 2017, Hutchins now faces six charges related to the bank detail-stealing malware between 2014 and 2015.

Prosecutors allege that Hutchins confessed to creating Kronos during interrogation, but his lawyers filed a document on Friday outlining their argument that Hutchins' confession was coerced, according to The Daily Mail.

"The defence intends to argue that the government coerced Mr Hutchins, who was sleep-deprived and intoxicated, to talk," the filing read.

"As such, his decision to speak with the agents was not knowing, intelligent, and made in full awareness of the nature of the right given up and the consequences of giving up that right, as the law requires."

They claimed Hutchins was probably under surveillance leading up to his arrest, meaning prosecutors knew that he was "exhausted and intoxicated".

UK spy agency GCHQ knew that Hutchins was going to be arrested in the US, but did not warn him in order to avoid a lengthy extradition process, according to the Sunday Times.

Hutchins is currently on bail in Los Angeles, and no date for his trial in Wisconsin has yet been set.

Picture: Bigstock

22/08/2017:GCHQ 'knew in advance' about US plan to arrest WannaCry hero

GCHQ was reportedlyaware in advance that WannaCry 'hero' and suspected malware author Marcus Hutchins would be arrested in the US, but chose not to warn him to avoid a lengthy extradition process, according to the Sunday Times.

Officials at the UK's spy agency knew that Hutchins, also known as MalwareTech, was under surveillance by the US and that the FBI would detain him once he left the Defcon security conference in Las Vegas, which he flew out to attend in late July, the publication reported.

GCHQ decided not to warn the 23-year-old before he left the UK to avoid the "headache of an extradition battle", according to anonymousSunday Timessources familiar with the case.

Hutchins was praised by the National Cyber Security Centre, a branch of GCHQ, when he helped stop the WannaCry ransomware outbreak in May, which affected over 200,000 computers in more than 150 countries, including NHS systems.

However, the US has accused Hutchins of creating and distributing the 'Kronos' banking malware, which scalps personal banking information from infected PCs. He has pleaded not guilty to six charges relating to computer misuse, and could spent up to 40 years in prison if found guilty.

Sources speaking to the Sunday Times said: "Our US partners aren't impressed that some people who they believe to have cases against [them] for computer-related offences have managed to avoid extradition. Hutchins' arrest free[s] the British government and intelligence agencies from yet another headache of an extradition battle."

The UK has previously fought with the US over the extradition of suspected computer hackers, including 51-year-old Gary McKinnon, who gained unauthorised access to US government systems in 2012. McKinnon, who suffers from Asperger's syndrome, avoided extradition after a 10-year battle after he was deemed too ill to travel.

Laurie Love, a 32-year-old activist who also suffers from Asperger's syndrome, won the right to appeal his US extradition in April this year. He is charged with hacking into US military systems and NASA.

Hutchins has been free on bail since 5 August, but he is unable to leave the US and has been placed under electronic surveillance.

IT Pro has approached the National Cyber Security Centre for comment. At the time of Hutchins' arrest, a spokesman for the organisation told theBBC that it was aware of the situation, adding:"This is a law enforcement matter and it would be inappropriate to comment further."

15/08/2017: Marcus Hutchins, the cyber security researcher who put a stop to the global WannaCry ransomware attack, has pleaded not guilty to involvement in the creation and distribution of another malware, Kronos.

Hutchins, a 23-year-old UK national, was arrested at Las Vegas McCarran Airport on 2 August as he attempted to leave the US after attending Def Con cyber security conferences. He was then charged approximately 48 hours later on six counts relating to the creation and distribution of a banking Trojan known as Kronos.

This is the second time Hutchins has pleaded not guilty to the charges against him. Yesterday, he appeared in a court in Milwaukee, where the charges were actually filed, but he initially appeared in court in Las Vegas on 6 August, before being flown to Wisconsin.

The judge trying the case, which has been brought by the FBI, has set a trial date for October and permitted Hutchins to use the internet something he had been banned from doing until now although he's banned from accessing the server he used to kill off the WannaCry attack. He also has to remain in the US under house arrest until his trial and, according to BBC News, will have to surrender his passport to the authorities and be tracked by GPS until his trial.

Hutchins took to Twitter to thank his supporters.

He also stated that while he would like to talk openly about his experience, he can't as the case is ongoing, so cracked some jokes instead, including a list of "what to do during Def Con" (which refers back to some of the earlier charges he faced that have since been dropped, including visiting a firing range) and a short review of UberEATS.

His lawyer, Adrian Lobo, addressed reporters outside of court on Friday following a bail hearing, saying the judge set bail at $30,000, but that the clerk's office closed shortly after the hearing, meaning Hutchins was forced to spend the weekend in jail.

Lobo said the money is coming "from a variety of sources; he has tremendous community support, local and abroad, and in the computer world".

Mabbitt, along with fellow security researcher Tarah M Wheeler, are among the people attempting to raise money for his bail and other legal expenses via crowdfunding. It's unclear how much has been raised so far, although it's anticipated that Hutchins will be able to post bail today.

Other conditions of Hutchins' bail are that he must surrender his passport, remain in the US, be held under house arrest and not attempt to use the internet. He will reportedly appear in a Wisconsin court, where a grand jury indicted him, tomorrow, where he is expected to formally enter his pleas to the specific charges.

Hutchins was hailed a hero after stopping the spread of the WannaCry ransomware in May, after finding a kill-switch in its code.

04/08/2017: US charges WannaCry 'hero' with creating Kronos banking Trojan

A British security researcher who stopped the WannaCry ransomware attackin its tracks has been charged with creating and distributing the Kronos banking Trojan.

Marcus Hutchins, 23, also known as MalwareTech, was detained on Wednesday 2 August at Las Vegas McCarran airport as he tried to leave the country, having spent the first half of the week at the Black Hat and Defcon security conferences in the city. He was then charged either the same day or on Thursday 3 August the exact timing is not currently clear.

The US Department of Justice (DoJ) said in a statement: "Marcus Hutchins... a citizen and resident of the United Kingdom, was arrested in the United States on 2 August, 2017, in Las Vegas, Nevada, after a grand jury in the Eastern District of Wisconsin returned a six-count indictment against Hutchins for his role in creating and distributing the Kronos banking Trojan.

"The charges against Hutchins, and for which he was arrested, relate to alleged conduct that occurred between in or around July 2014 and July 2015."

Kronos, which steals banking logins from users, was largely marketed and distributed through a dark website hosted on Tor called AlphaBay, and the DoJ announced on 20 July that the US and other countries had successfully shut it down.

The DoJ said it's been used to steal banking logins from Canada, Poland, Germany, the UK and France.

Marcus Hutchins in Las Vegas last week

Hutchins was charged with one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavouring to intercept electronic communications, and one count of attempting to access a computer without authorisation.

Another person has also been arrested and faces the same charges, however no details have so far been released about them. They are both due to appear in court later today.

A spokesperson for the Foreign and Commonwealth Office toldIT Pro: "We are in contact with the local authorities in Las Vegas following the arrest of a British man, and are providing support to his family."

For more information about what Kronos is, head over to our sister title Alphr's explainer article.

It's not clear where Hutchins is being held, having apparently been moved on from the Henderson Detention Center in Nevada at some point on Thursday.

IT Pro also contacted the FBI in Las Vegas for clarification of what role that agency has had in the arrest, if any, and was awaiting a response at the time of publication.The Henderson Detention Center couldn't be contacted.

"Cybercrime remains a top priority for the FBI," said Justin Tolomeo, the FBI's special agent in charge. "Cybercriminals cost our economy billions in loses each year. The FBI will continue to work with our partners, both domestic and international, to bring offenders to justice."

Hutchins shot to famein May 2017 when he managed to put a stop to the WannaCry ransomware attack accidentally by registering a website found in the malware's code. It was claimed by The Telegraphthat Hutchins began working with the National Cyber Crime Unit of the National Crime Agency, but this hasn't been confirmed.

Main image credit: Bigstock