Marcus Hutchins, the British security researcher instrumental in neutralizing the virulent WCry ransomware worm that shut down computers worldwide in May, appeared in federal court Monday and pleaded not guilty to unrelated criminal charges that he created and distributed malware that steals banking credentials.
Hutchins, who is free on $30,000 bond, was arrested August 3 in Las Vegas following the Black Hat and Defcon security conferences. A six-count Wisconsin federal indictment (PDF) accuses him of developing the Kronos banking trojan. Along with an unnamed co-conspirator, Hutchins allegedly advertised the malware on the AlphaBay underground online market forum, according to the indictment. The document says the duo “sold a version of the Kronos malware in exchange for approximately $2,000 in digital currency” on June 11, 2015.
The indictment said the defendant, who goes by the online nickname of “MalwareTech,” knowingly “disseminated by electronic means an advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications…” Other charges include allegations that he sold an “electronic, mechanical, or other device, in interstate and foreign commerce, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications.”
Outside of a Milwaukee federal courtroom where Hutchins pleaded not guilty, his attorney, Marcia Hofmann, said the defendant “is going to vigorously defend himself against these charges and when the evidence comes to light we are confident he will be fully vindicated.”
IBM security researchers have reported that the malware was being advertised in Russian underground forums with a price of $7,000. It was billed as a method for criminals to extract passwords and other financial credentials transmitted in major browsers. The ads also claimed Kronos could evade antivirus detection and protection from browser security sandboxes.
In May, Ars published Hutchins’ account of how he stopped the WCry ransomware. You can read that here.
Hutchins, who works for Kryptos Logic of Los Angeles, is going to live in Los Angeles while awaiting an undetermined trial date. He will be tracked by a GPS monitoring device. He has been ordered not to touch the WCry sinkhole, presumably because if it’s shut off it could possibly make the ransomware start spreading again.
Powered by WPeMatico