UK Security Researcher Who Stopped WannaCry Outbreak Arrested in US

Zack Whittaker, reporting for ZDNet: A security researcher who in May stopped an outbreak of the WannaCry ransomware has been arrested and detained after attending the Def Con conference in Las Vegas. Marcus Hutchins, 23, a British national, was arrested at Las Vegas airport on Wednesday by US Marshals, several close friends confirmed to ZDNet. A friend told ZDNet that he was "was pulled by Marshals at the lounge" after clearing security. He was briefly detained in a federal facility in Nevada until he was moved. "We went to see him this morning and we had already been moved," said the friend. Hutchins is now understood to be in custody at an FBI field office in the state. Motherboard first broke the story on Thursday. Update: A Motherboard reporter tweets, "Here's the indictment accusing @MalwareTechBlog of running the Kronos banking malware."
Update 2: New DOJ statement: Gregory J. Haanstad, United States Attorney for the Eastern District of Wisconsin, announced that on July 11, 2017, following a two-year long investigation, a federal grand jury returned a six-count indictment against Marcus Hutchins, also known as "Malwaretech," for his role in creating and distributing the Kronos banking Trojan.

What's what!?

[Dutchmaan]

He may have helped to stop it, but it begs the question.. Did he have a hand in spreading it in the first place, or is this an unrelated charge?

Re:What's what!?

[Anonymous Coward]

He may have helped to stop it, but it begs the question.. Did he have a hand in spreading it in the first place, or is this an unrelated charge?

It doesn't beg that question any more than it begs the question of why anyone who is a high profile security researcher would be stupid enough to travel to the US.

Re:What's what!?

[TechyImmigrant]

He may have helped to stop it, but it begs the question.. Did he have a hand in spreading it in the first place, or is this an unrelated charge?

It doesn't beg that question any more than it begs the question of why anyone who is a high profile security researcher would be stupid enough to travel to the US.

No question was begged. It raises the question. Begging the question is something else entirely. https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:What's what!?

[I'm New Around Here]

Yes, but 'beg the question' is just a really bad translation of the original phrase. Let 'beg the question' have its new meaning, which makes linguistic sense, and come up with a new phrase for what is essentially circular logic.

Re:

[azcoyote]

Good point. (Where's my mod points when I need them?)

Re:

[TechyImmigrant]

Yes, but 'beg the question' is just a really bad translation of the original phrase. Let 'beg the question' have its new meaning, which makes linguistic sense, and come up with a new phrase for what is essentially circular logic.

However, it's not some obscure corner of the English language. It's taught in school, by English teachers, to children. They learn and remember these things that add the semantics to the words they hear and say. The various types of logical argument and logical fallacy are taught. These things were even taught in school in the crappy mining and steel-works shithole that I grew up in.

It's not hard. It's not inaccessible information. It's not like it doesn't get pointed out most times that people screw it up.

Re:

[gnick]

No question was begged.

When I see somebody use the phrase, "begs the question," I mentally substitute "begets the question." It settles my inner pedant.

Pedantry

[Tenebrousedge]

"Begging the question" is a bad translation of petitio principii, which is itself a bad translation from Greek sources. Linguistically there isn't really a right answer here. The exact meaning is almost always clear from context, and the usage is very much moving away from the "scholarly" definition. Given that there's not an absolutely correct position on this issue, I think that it's best to avoid using the phrase oneself, and tolerate its use or misuse with others. And if the argument you are responding to does not directly hinge on a point of meaning, it's probably just as well to avoid raising the subject. Life is too short for needless semantic arguments.

Language evolves

[Martin S.]

The modern usage has evolved and clearly understood by most. Those complaining on that basis are demonstrating an inability to adapt.

Re:

[Megol]

Yes it's understood by most. The problem is that begging the question really means another thing than most think it does - a thing that is hard to describe without using the phrase. So the problem isn't one of a language evolving rather than devolving, the common use of the phrase now hinders the proper* use meaning it's harder to express the original meaning. And there's no reason as the phrase people really want to express already exist, is just one extra letter and is more logical (the use of "begs" need

Re:

[thegarbz]

Based on your own citation he did beg the question. Scroll down to the section "Modern Usage".

Re:

[EETech1]

Looking at the Care-O-Meter..

That means you do care...
At least a little...

Gotta love Weird Al:)
https://youtu.be/8Gv0H-vPoDc [youtu.be]

I know your joking, just plugging Weird Al.

Re:

[sexconker]

By whom? You and you alone?

Re:

[TechyImmigrant]

>Being pedantic does not change the facts or make you look intelligent.

Or even being pernickety.

Re:What's what!?

[iced_773]

Allegedly created Kronos. I'd like to see the actual indictment, so hopefully that will be up soon. http://money.cnn.com/2017/08/0... [cnn.com]

Re:

[the_skywise]

I wonder if he played the Kronos slot machine while he was in Vegas. :p

Re:What's what!?

[iced_773]

I'd like to see the actual indictment

Aaaaand here it is [documentcloud.org].

Re:What's what!?

[no-body]

I'd like to see the actual indictment

Aaaaand here it is [documentcloud.org].

OK - looks he has some past and that's catching up with him now - bummer or ??? at least, he seemed to do some good on this WannaCry remedy.
Who knows...

Re:

[dbIII]

It's kind of a bit odd though that the guy who stopped "Wannacry" is the only one involved in the entire thing from NSA to in the wild who has been arrested, especially given things like the situation where the "Stratfor" hack was carried out by one of the FBI's tame hackers/informants who is still wandering around free.
I think it's looking more likely that this guy got in the way of someone's agenda at the FBI by limiting the damage of "Wannacry" and thus ruining a chance for extra "cybersecurity" funding.

Re:

[Antique Geekmeister]

Who is the "blacked out" defendant in that indictment? Why is their name blacked out?

It makes me wonder if the other defendant is a juvenile. I'm afraid it's not uncommon for the FBI to arrest a "small fish", to try to get them to turn in a "big fish" for leniency in sentencing. It was very common in their work against, and far too often with and for, organized crime. It's led to them protecting and even supporting smaller criminals in the hope of prosecuting "kingpins", and led to their sheltering of Kevin

Re:

[parkinglot777]

Who is the "blacked out" defendant in that indictment? Why is their name blacked out?

It makes me wonder if the other defendant is a juvenile...

It is call "redact" version where certain information needs to remain secret until it is the right time to release to public (or when all actors are indict). Thus the person doesn't need to be a juvenile but rather be kept as secret for now for some reasons. You shouldn't be over thinking yet when you don't really have enough information.

Re:

[Antique Geekmeister]

Who redacted it? And why? Those are important questions..As an interested member of the public, I may disagree with the reason that it "needs to remain secret". From observation, courts operate best when they are completely public. I'm also concerned that "you shouldn't be over thinking" is often a very dangerous policy.

I'm also forced to see this case in terms of FBI history. The FBI has a long history of "turning" witnesses and granting clemency or even prosecutorial immunity for helping turn in the "big

Re:

[Anonymous Coward]

Here ya go:

https://www.documentcloud.org/documents/3912520-Marcus-Hutchinson-Indictment.html

Re:

[Anonymous Coward]

Allegedly created Kronos. I'd like to see the actual indictment, so hopefully that will be up soon. http://money.cnn.com/2017/08/0... [cnn.com]

Oh.. I thought you meant the other - like Kronos.com - that's even more wretched than PC malware.

Re:What's what!? A tinfoil hat conspiracy!

[amigabill]

Allegedly did X. But the tinfoil hatters will say that he foiled the NSA/CIA/FBI/HS plan to both infiltrate everyone's computers and to make a few bucks in the process.

Will be interesting reading either way...

Re:

[fibonacci8]

I doesn't beg the question. Post hoc ergo propter hoc. Suspicion alone falls under unreasonable search and seizure. I hope those detaining Hutchins have a proper warrant for their actions against him. If they do not, I sincerely desire to see them dragged through court causing inconvenience in proportion with what they've caused him.

Re:

[Anonymous Coward]

A two-year investigation culminating in a grand-jury handing down 6 counts for prosecution?

That is a lot more than suspicion. That is the US attorney convincing a grand-jury that there was enough evidence to warrant a full trial to evaluate the merits of six different charges.

Re:

[russotto]

That is a lot more than suspicion. That is the US attorney convincing a grand-jury that there was enough evidence to warrant a full trial to evaluate the merits of six different charges.

That's pretty much nothing, given the maxim that a grand jury will indict a ham sandwich if the prosecution wants them to.

Re:What's what!?

[PPH]

WannaCry was built on top of an NSA exploit that had been leaked. A part of that NSA package was the kill switch that Hutchins discovered and published. He may have had nothing to do with WannaCry's development or propagation. But he caused a TLA to lose one of it's fun toys. And for that, he will be punished.

When agencies get this far out of control, it's time to shut them down.

Re:What's what!?

[Anonymous Coward]

This is dumb and wrong. The NSA didn't create the malware, nor the kill switch within it.

What the NSA did that is relevant to the issue being discussed is to know about the Windows SMBv1 vulnerability and not tell Microsoft, and created an exploit to use the vulnerability. The SMBv1 exploit is simply a tool used by the malware, and the malware itself was coded to have a kill switch, separate parts.

If the NSA had disclosed the vulnerability after finding it, we probably wouldn't have had the WCry malware outbreak, because patches would have been out a lot sooner to plug the hole.

Re:

[thygate]

mod parent up, GP is BS

Re:What's what!?

[PPH]

This is dumb and wrong. The NSA didn't create the malware,

https://en.wikipedia.org/wiki/EternalBlue [wikipedia.org]

There's a theory that the kill switch was built into WannaCry to prevent it from being run in a sandbox environment. It checks for a non-existent URL and refuses to run if it gets a reply, figuring that the sandbox will reply to anything. But that is pretty simple-minded. It is trivially easy to get a decent sandbox to reply (or not) correctly based on actual DNS data. What viruses do (even scrip kiddie stuff) is to look for a correct response from a command and control network. And refuse to run (and be inspected) if a server replies but incorrectly.

It's more likely that the dummy URL was created to keep EternalBlue payloads from propagating within 'friendly' environments like government and contractor intranets. Just load the URL into the DNS cache inside your firewall and your network is safe.

Re:

[PPH]

No one puts kill switches in exploits - that's stupid.

No, its not. You might not want the exploit to propagate the payload in certain environments. Like within your government or contractors' intranets. So you give them a domain name that they can resolve to something. That way, when an infected system (laptop, USB stick, etc.) is inadvertently brought to work, it won't spread.

Re:

[Antique Geekmeister]

> The kill switch is part of wannacry, thus the NSA had no part in it. No one puts kill switches in exploits - that's stupid.

From my personal security work, _of course_ one puts in a kill switch. The ability to disable malware to avoid detection, and re-activate it when the payload needs delivery, is fundamental to many DDOS attacks. Dormancy is a vital aspect of avoiding detection.

Re:What's what!?

[Baloroth]

A part of that NSA package was the kill switch that Hutchins discovered and published.

This is utterly, totally, and completely wrong. The kill-switch had nothing to do with the exploit or NSA at all. It was implemented separately by the malware developers, likely as a check if the system was a sandbox.

But he caused a TLA to lose one of it's fun toys. And for that, he will be punished.

No, he didn't. This is also totally and completely wrong. The EternalBlue exploit used by Wannacry was leaked a month before Wannacry came out by a group (presumably) entirely unrelated to Marcus, and even that didn't really effect the NSA, as MS had fixed the big a month before that.

There's plenty of bad things the NSA has done to criticize, you don't need to create outright lies about them.

Re:

[geekymachoman]

> When agencies get this far out of control, it's time to shut them down.

Right. They haven't even started yet.
What you going to do, write a letter ?

Re: What's what!?

[Anonymous Coward]

Reading about all of these horrible things Trump is doing just makes me want to die.

Snark is..

[s.petry]

Lost on you...

Re:

[desdinova 216]

I thought it was during the Bush Administration

Re:

[Anonymous Coward]

The people who spread it in the first place arrested him and now have physical access to his devices in order to do whatever the hell they want to logs and drive contents alike.

You do the math.

Re:

[Dread_ed]

More like the government that secretly created and distributed WannaCry is looking for retribution against the person who stopped its spread.

Vindictive bastards they are. Wouldn't put it past them.

Re:

[dbIII]

It doesn't have to be that sinister to still have vindictive bastards.
No matter where "Wannacry" came from a massive spread of it would have resulted in lots of lovely "cybersecurity" money getting sent in the direction of the FBI and others. This guy got in the way of someone's empire building. Whether they acted and laid a false charge or took a close look and found something real is the question now IMHO.

Re:

[Kadin2048]

That doesn't make any sense and has no basis in fact.

There are enough legitimate issues with the FBI / CIA and their handling of cybersecurity issues that creating conspiracy-theory narratives is both unnecessary and counterproductive. Frankly it just muddies the waters on the real issues.

Re:

[I'm New Around Here]

As I replied above, and many times before,

Yes, but 'beg the question' is just a really bad translation of the original phrase. Let 'beg the question' have its new meaning, which makes linguistic sense, and come up with a new phrase for what is essentially circular logic.

Re:

[Anonymous Coward]

Interesting that shibboleth has managed to retain its meaning for over 3000 years.

Re:

[spun]

Hardly. I used to be like you, but then i learned about the difference between descriptivism and prescriptivism and decided it just wasn't worth it to keep harping on the "begging the question" thing.

Re:

[spun]

Oh gramps, you so silly. Descriptivism is dead, long live prescriptivism. Language is not, nor should it be, static. Stasis is for losers who are too old to live with the fact that everything changes. Get with the times, old man. Or don't, you'll be dead soon enough anyhow.

Re:

[aiht]

Descriptivism is dead... Language is not, nor should it be, static.

Call me a prescriptivist, but I think the way you redefined the two terms 'descriptivism' and 'prescriptivism' to mean each other is bound to cause confusion and should be proscribed.



In other news, I have now looked at words containing 'ivi' for long enough that all I can see is Roman numerals.

No good deed goes unpunished

[fiannaFailMan]

EOM

What happens in Vegas

[jfdavis668]

stays in Vegas

Re:

[hattable]

One night with Venus...

Loss of revenue

[lsllll]

Don't they understand? Doing shit like this means we won't have DefCon in the U.S. any longer. Think of the hotels and all the revenue we'll be missing!!! Does Trump know about this?

Re:Loss of revenue

[TechyImmigrant]

Don't they understand? Doing shit like this means we won't have DefCon in the U.S. any longer. Think of the hotels and all the revenue we'll be missing!!! Does Trump know about this?

This is becoming necessary. Similarly for more academic crypto conferences. They split their locations evenly between Europe, Asia and the US which in addition to sharing the travel pain, allows people to avoid countries that might try to prosecute them for being a security researcher. DefCon and BlackHat need to move about so they can be available to researcher that would otherwise be unable to travel there.

Re:

[volodymyrbiryuk]

I heard Switzerland is lovely this time of year.

Re:

[Kobun]

Switzerland is lovely throughout the year.

Re:

[aberglas]

They are no longer hacker conferences.

They are business conferences that compete with RSA security. The Hacker element is just a bit of tinsel.

And the corporate customers and IT companies are in the US.

Re:

[gatkinso]

So we are supposed to let wanted criminals walk to keep a shitty conference in Vegas?

Defcon really sucked this year - it seems to have jumped the shark awhile ago.

Re:

[John.Banister]

So, would Toronto work, or do all the Five Eyes [wikipedia.org] countries need to be avoided? The Adelaide Hotel in Toronto might enjoy hosting a conference like this one.

Re:

[Zemran]

Everything needs to get out of the US not just DefCon. Even the UN end up having important people refused entry and how about that robotics competition when the girls from Afghanistan who should have been encouraged where refused entry. The US is the worst country in the world for just about anything.

What was he arrested for?

[Anonymous Coward]

... no one seems to know.

So it's all very preliminary.

Soon enough he'll appear in front of a judge to be charged and/or a bail hearing.

Re:

[almitydave]

... no one seems to know.

So it's all very preliminary.

Soon enough he'll appear in front of a judge to be charged and/or a bail hearing.

Right, but that doesn't stop us from making wild assumptions and overreacting in the meantime.

Re:

[CanHasDIY]

Generally, in the US, when a person is arrested, they're charged with something.

So what has he been charged with? Anything? Or is this yet another 'parallel construction' situation?

Re:

[jfdavis668]

In the US, the person arrested is told of the charges. The charges will also be told to his legal representation. It is not broadcasted to the news.

Re:

[Megol]

Scarily no, that's not the case anymore. Guantanamo, secret courts and a lot of other crap new and old (like holding a person as suspect of something obviously false until a case can be built up) means the US legal system can't be trusted.

Re:

[CanHasDIY]

As stated by an AC, criminal charges in the US are public information, unless the person charged is under the age of 18.

So if he was charged with a crime, that information should be accessible by anyone.

Re:

[Megol]

Take that parallel construction and shove it! Do you know what it describes? Do you understand that using it without a proper context and without any reason you sound like a conspiracy nut without a clue?

Waited a while before posting the above. I'll not change anything as I stand by it but you shouldn't necessarily take it 100% seriously...

Re:

[CanHasDIY]

Take that parallel construction and shove it! Do you know what it describes? Do you understand that using it without a proper context and without any reason you sound like a conspiracy nut without a clue?

Waited a while before posting the above. I'll not change anything as I stand by it but you shouldn't necessarily take it 100% seriously...

Meth is a hell of a drug.

Re:

[b0bby]

... no one seems to know.

Well, TFA gives a likely reason:

A Justice Department spokesperson has confirmed on the phone that his arrest is in relation to his alleged role "in creating and distributing the Kronos banking Trojan."

Re:

[JoelKatz]

I don't think it's illegal to create malware though. That seems to be the only overt act they accuse him of in the indictment. So, assuming he did in fact write it, it will come down to whether the government can prove that he conspired to sell and distribute it based on more than just accusations from his alleged co-conspirator.

Imagine you wrote some malware and I took it from you and sold it. If I was arrested, I would offer to give up the person who created it in exchange for something. Then I'd point to

Re:

[Dread_ed]

None of those books are censored in the US now. Silly git.

Recruiting

[budsetr]

They probably just recruited him to help thwart a Decepticon attack. Where did this boom-box come from?

WannaCry was an Spook Sponsored Virus

[DatbeDank]

The real reason he was arrested was because the security agencies were using the malware to actively try and discredit Bitcoin by dropping a massive software leak on the entire world. Had more people opted to "pay" the ransom, it would have offered proof to the powers that be that cryptocurrencies are dangerous and convertibility into real fiat should be banned.

Will such proof stop bitcoin? No, but making it more difficult to convert from BTC to fiat will drive the price way down south.

He was arrested becau

Re:

[omnichad]

That sounds so credible.

Re:

[dbIII]

Something slightly more credible is that because there are so many fucking spooks on the payroll there's at least one vindictive bastard who saw the chaos of "Wannacry" as a way to get a bigger budget, and when the expected crisis didn't happen they decided to take it out on the guy who turned "Wannacry" into a non-event.
You don't have to engineer a crisis to profit from it (as the cynical and expensive security theatre after 9/11 shows).

Re:

[Anonymous Coward]

You might want to adjust your hat, the tinfoil is showing.

Re:

[Megol]

It's not tinfoil - it's his overconsumption of colloidal silver showing.

Re:

[Megol]

I think I spot a logical hole there with a larger diameter than that of Mr. Goatse.cx, how about you run away and play with the other nuts at abovetopsecret?

Re:

[Zemran]

The exchange he was using had already closed his account so that ransom payments could not be made.

Job offer.

[WolfgangVL]

He probably refused a job while in Vegas, and now they need to make good on the "or else" clause that came with it. I wonder what they are offering him now instead of what they offered before.

Indicted for involvement with Kronos trojan

[Anonymous Coward]

https://www.documentcloud.org/documents/3912520-Marcus-Hutchinson-Indictment.html

Swordfish is a ridiculous movie

[Anonymous Coward]

But there was an insightful bit: The German/Finnish hacker who is initially hired to do the job is caught at the airport, and during the interrogation he is asked: Why would the number one hacker in the world risk life imprisonment by coming into the continental US?
So that's the question I have. Why would a "security researcher" enter the United States of America? What is the expectation there?

No Extradition

[simpz]

Surely if the US authorities had enough evidence they would have requested (and got) his extradition from the UK ages ago. Why wait until he is in the US?

Re:

[LostOne]

Because it is significantly cheaper and easier to wait for someone to be on your own territory where your laws are sovereign than to try to get foreign state which has different laws to cooperate. Even a friendly foreign state. Extradition is often a complex mess and often requires, among other things, the party requesting extradition to demonstrate that the alleged crime actually is illegal in the juridiction being asked to extradite.

Re:

[simpz]

I know extradition is hard but doing this doesn't say we are *that* bothered by his crime.

He committed a crime so heinous that we aren't even going to try to extradite we are just going to brood over it on the off chance he enters the country.

Re:

[Martin S.]

He can only be extradited from the UK to US if he has been charged.

He cannot be extradited from the UK as a material witness or just a suspect just to face a grand jury. That would be considered an abuse of process.

Re:

[coofercat]

Aside from the legal hoops you'd have to jump through, it would alert him to their intent and allow him to build a case against them. Just because the US requests extradition doesn't mean it happens every single time (although I'll grant you, it's closer to a formality between the UK and US than it probably should be). This way, he didn't know a thing about it, and they've arrested him and have 100% control over him - the UK can piss right off.

Right now, UK diplomats are talking to US diplomats about this.

Something fishy...

[MotoRyan]

This is crazy. Wonder if it is retaliation or if he was really involved? If he was involved, why did he go through all of the trouble to put himself in the public view? The guy did an AMA just 2 months ago: https://www.reddit.com/r/IAmA/... [reddit.com] AND he attends Defcon? Something is fishy...

More from the Register

[Martin S.]

The Register reporting that asking for a sample of Kronos on twitter is the smoking gun for this grand jury indictment.

https://www.theregister.co.uk/... [theregister.co.uk]

Re:

[Martin S.]

The original offer for sale of Kronos was in Russian natural language so not machine translated. There is no evidence that Marcus speaks or writes Russian. Miss-direction is possible, but that doesn't fit with the relative lack of sophistication of Kronos.

Def Con Toronto

[uvajed_ekil]

No problem, we'll just hold Def Con in Toronto form now on if Vegas doesn't want us. Not the same casino scene, but literally everything else is better there.

Grey hat?

[LordWabbit2]

So he's a grey hat, not surprised, what's that saying again??? [Googles..]

"He who fights with monsters should be careful lest he thereby become a monster. And if thou gaze long into an abyss, the abyss will also gaze into thee." - Nietzsche

Maybe I should make that my sig?

Re:

[queazocotal]

total sum?

Re:

[TechyImmigrant]

The 3 WannaCry addresses used that held the Bitcoin from this exploit have been drained

They have remained built up on these addresses until today.

So which is it? They've been drained or they remain built up?

Re:

[Kaenneth]

"Until Today"

Re:

[TechyImmigrant]

>Do you not know how to read?

I do, The ambiguity in the second sentence was clear to me.

The built-up-ness did not remain at all, yet you said it did, You said it remained built up and left it to the reader to discern whether 'until today' means "It's still remaining built up today" or "the built-up-ness ceased today".

Disambiguation for the Nation! Now!

Re:

[Cederic]

While the second sentence allows a level of ambiguity that many readers may not even spot, when taken in context of the first sentence it becomes very clear and any ambiguity can only result from deliberate misinterpretation.

Re:

[Obfuscant]

While the second sentence allows a level of ambiguity that many readers may not even spot,

I don't spot it. "Remained ... until today ...". "Remained is past tense. "Doesn't remain anymore." Had the sentence been "remains ... until today", then there is still no ambiguity. Current tense means it still remains.

Re:

[Cederic]

Well, I was being generous about it.

Re:

[Anonymous Coward]

mind blown, what is going on!?

Sara said she wants to talk to me tomorrow night. Said she wants to get dinner, so I think she wants to be somewhere public when she leaves me. I hope she doesn't try to keep Schmitty. I'm sure the kids will go with her since courts never side with the dad.

Aside from all that everything else is OK. I mean I'm healthy and my job is going OK.

What is going on with you?

Re:

[kwbauer]

Nice one. Well done.