UK researcher who stopped WannaCry outbreak indicted over Kronos malware

Marcus Hutchins, a British national, is in FBI custody for alleged involvement with the Kronos malware.
Written by Zack Whittaker, Contributor
(Image: Frank Augstein, AP)

A security researcher who in May stopped an outbreak of the WannaCry ransomware has been arrested and detained after attending the Def Con conference in Las Vegas.

Marcus Hutchins, 22, a British national, was arrested at Las Vegas airport on Wednesday by US Marshals, several close friends have confirmed.

A Justice Department spokesperson confirmed by phone that his arrest relates to his alleged role "in creating and distributing the Kronos banking Trojan."

"The charges against Hutchins, and for which he was arrested, relate to alleged conduct that occurred between in or around July 2014 and July 2015," said the spokesperson.

The indictment was dated July 11, about two weeks before he flew to the US to attend the annual security conference.

A friend told ZDNet that he was "pulled by Marshals at the lounge" after clearing security.

He was briefly detained in a federal facility in Nevada until he was moved. "We went to see him this morning and he had already been moved," said the friend.

Hutchins is now understood to be in custody at an FBI field office in the state.

Hutchins, also known as @MalwareTechBlog, shot to fame in the middle of the global WannaCry outbreak when he found a kill switch in the malware: before doing anything else, the code checked whether a hard-coded, unregistered domain was reachable and exited if it was. Hutchins registered that domain, which stopped the ransomware from spreading further.
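To make the kill-switch mechanism concrete, here is a small added simulation (not code from the article or from the malware itself). The domain name is a stand-in for the real hard-coded one, the "internet" is an in-memory object so the script runs offline, and the DNS log lines are constructed; it shows the gate the sample applied, why registering the domain halted new infections, and how a defender uses the resulting lookups.

```python
"""Kill-switch gate of the kind WannaCry used, and why registering the domain
stopped the outbreak. Added illustration, not the malware's or the article's
code: KILL_SWITCH_DOMAIN is a stand-in and FakeInternet replaces DNS/HTTP."""
from dataclasses import dataclass, field

KILL_SWITCH_DOMAIN = "killswitch.example"  # stand-in; the real one was a long random-looking name


@dataclass
class FakeInternet:
    """Constructed stand-in for DNS/HTTP: a domain is reachable once registered."""
    registered: set = field(default_factory=set)

    def reachable(self, domain: str) -> bool:
        return domain in self.registered


def malware_proceeds(net: FakeInternet, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """The gate: the sample tried to reach its hard-coded domain and exited if
    the request succeeded. Only an unreachable domain let it go on to encrypt
    files and spread."""
    return not net.reachable(domain)


def simulate_outbreak(attempts: int, register_at: int) -> list[bool]:
    """One attempted infection per step; the domain is registered (sinkholed)
    at step `register_at`. Returns, per step, whether the payload ran."""
    net = FakeInternet()
    outcomes = []
    for step in range(attempts):
        if step == register_at:
            net.registered.add(KILL_SWITCH_DOMAIN)  # the sinkhole goes live
        outcomes.append(malware_proceeds(net))
    return outcomes


# Constructed resolver log lines: "<timestamp> <client> query <type> <name>"
DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.1.15 query A killswitch.example
2017-05-12T10:01:04Z 10.0.1.15 query A update.example.net
2017-05-12T10:02:17Z 10.0.3.8 query A killswitch.example.
2017-05-12T10:05:40Z 10.0.1.15 query A killswitch.example
"""


def hosts_hitting_kill_switch(log_text: str, domain: str = KILL_SWITCH_DOMAIN) -> dict[str, list[str]]:
    """Defender view: every lookup of the kill-switch domain comes from a host on
    which the sample has already run its check, so each client is an infection
    attempt to triage. The sinkhole stops the payload; it does not clean the host."""
    hits: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "query":
            continue  # skip malformed lines rather than guess
        ts, client, _, _, qname = parts
        if qname.rstrip(".").lower() == domain:  # tolerate a trailing dot
            hits.setdefault(client, []).append(ts)
    return hits


if __name__ == "__main__":
    print(simulate_outbreak(6, 3))  # [True, True, True, False, False, False]
    print(hosts_hitting_kill_switch(DNS_LOG))
```

Two caveats a responder should keep in mind: the gate only prevents the payload from running, so machines already encrypted stay encrypted and hosts that query the sinkholed domain still need cleanup; and the sample's reachability check did not honour proxy settings, so on proxy-only networks the domain stayed unreachable and the payload still ran after the registration.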

He was hailed as a hero for stopping the attack, which gripped UK hospitals and other major industries around the world.

The charges are not related to WannaCry, said the Justice Department spokesperson.

The Justice Department has been after those involved with the notorious Kronos malware for more than two years. The indictment accuses another unnamed defendant in the case of advertising and selling the malware on the now-defunct dark web marketplace AlphaBay. Its founder and operator, Alexandre Cazes, was found dead last month.

The Kronos malware can steal credentials and uses web injections for every major browser to modify legitimate banking pages as they are displayed in the victim's browser, so the user sees content the bank never served. Kronos is able to evade some antivirus detection and sandbox environments.
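As an added illustration of what "web injection" means (not code from the article, from Kronos, or from any banking Trojan), the following Python applies a webinject configuration to a constructed bank login page. It assumes the Zeus-compatible set_url/data_before/data_inject/data_after config format that many banking Trojans of the period accepted; the article does not show Kronos' own format, and the URL, HTML and config below are constructed. It also includes the check a defender would run: which input fields exist in the rendered page but not in the server's response.

```python
"""Zeus-style webinject config applied to a constructed bank login page.
Added illustration of man-in-the-browser web injection; the config format is
an assumption (Zeus-compatible) and all inputs are constructed."""
import re
from dataclasses import dataclass


@dataclass
class WebInject:
    url_mask: str  # '*' wildcard mask of the URLs this inject targets
    before: str    # markup that must precede the injection point
    inject: str    # markup dropped into the page
    after: str     # markup that must follow the injection point (may be empty)


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """'*' matches any run of characters; everything else is literal."""
    return re.compile(".*?".join(re.escape(part) for part in mask.split("*")), re.S)


def parse_webinjects(config: str) -> list[WebInject]:
    """Parse set_url blocks with data_before/data_inject/data_after sections."""
    injects, current, section, buf = [], None, None, []
    for line in config.splitlines():
        if line.startswith("set_url "):
            if current is not None:
                injects.append(WebInject(**current))
            current = {"url_mask": line.split()[1], "before": "", "inject": "", "after": ""}
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end" and current is not None and section is not None:
            current[section] = "\n".join(buf).strip()
            section = None
        elif section is not None:
            buf.append(line)
    if current is not None:
        injects.append(WebInject(**current))
    return injects


def apply_webinjects(url: str, html: str, injects: list[WebInject]) -> tuple[str, int]:
    """Return the page as the victim's browser would render it, and how many
    injects fired. Content between the before and after markers is replaced
    by the inject; with an empty after marker the inject is simply inserted."""
    applied = 0
    for wi in injects:
        if not mask_to_regex(wi.url_mask).fullmatch(url):
            continue
        m_before = mask_to_regex(wi.before).search(html)
        if not m_before:
            continue
        start = end = m_before.end()
        if wi.after:
            m_after = mask_to_regex(wi.after).search(html, start)
            if not m_after:
                continue
            end = m_after.start()
        html = html[:start] + "\n" + wi.inject + "\n" + html[end:]
        applied += 1
    return html, applied


def injected_field_names(served_html: str, rendered_html: str) -> set[str]:
    """Defender-side check: input names present in the rendered page but absent
    from what the server actually sent."""
    def names(h: str) -> set[str]:
        return set(re.findall(r'<input[^>]*\bname="([^"]+)"', h))
    return names(rendered_html) - names(served_html)


# Constructed login form as the bank would serve it.
BANK_LOGIN_HTML = """<form action="/login" method="post">
  <label>User ID <input type="text" name="userid"></label>
  <label>Password <input type="password" name="password"></label>
  <button type="submit">Sign in</button>
</form>"""

# Constructed config: add a PIN prompt right after the password field.
WEBINJECT_CONFIG = """set_url https://bank.example/login* GP
data_before
name="password"*</label>
data_end
data_inject
  <label>ATM PIN <input type="password" name="atm_pin"></label>
data_end
data_after
data_end
"""

if __name__ == "__main__":
    rendered, n = apply_webinjects("https://bank.example/login?lang=en",
                                   BANK_LOGIN_HTML, parse_webinjects(WEBINJECT_CONFIG))
    print(n, injected_field_names(BANK_LOGIN_HTML, rendered))  # 1 {'atm_pin'}
```

The served HTML is never altered on the wire, which is why TLS does not help: the modification happens inside the browser process after decryption. A bank-side comparison of the form it served against the form the client submits (unexpected field names, or a client-side integrity beacon) is the usual detection signal, with the caveat that any check running in the same compromised browser can itself be tampered with.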

A message to the UK Consulate in Los Angeles -- which is reportedly assisting Hutchins, according to a friend -- had not been returned at the time of writing. The UK Consulate in New York is "in touch with local authorities in Las Vegas" following Hutchins' arrest.

The UK's National Cyber Security Centre said it was "aware" of the situation but would not comment on a matter of law enforcement.
