British security researcher Marcus Hutchins, who was indicted and arrested last summer for allegedly creating and conspiring to sell the Kronos banking trojan, now faces four additional charges. Hutchins, also called MalwareTech and MalwareTechBlog, is well-known in the security community for slowing the spread of WannaCry ransomware as it tore through the world’s PCs in May 2017. And as the months have dragged on since his indictment—he has been living in Los Angeles on bail—the latest developments in the case have stoked further fears among white hat hackers that the Department of Justice wants to criminalize their public interest research.
Wednesday’s superseding indictment, which ups the total number of charges Hutchins faces to 10, alleges that in addition to Kronos, Hutchins also created a hacking tool called UPAS Kit, and sold it in 2012 to a coconspirator known as “VinnyK” (also called “Aurora123” and other monikers). Prosecutors also assert that Hutchins lied to the FBI during questioning when he was apprehended in Las Vegas last year. The original Hutchins indictment listed a redacted defendant along with Hutchins; the superseding indictment only lists Hutchins, which indicates to some observers that a shift has occurred.
“Back when Hutchins was originally indicted I thought there was a possibility that he might be cooperating and that he might get favorable treatment because of WannaCry. Now that seems way more unlikely,” says Marcus Christian, a cybersecurity-focused litigation partner at the firm Mayer Brown, who was previously a prosecutor in the Florida US Attorney’s Office. “It’s usually a bad sign when they’re charging additional crimes, particularly when one has to do with lack of honesty, so there could be someone else who’s cooperating.”
One of Hutchins’ lawyers, Brian Klein, said in a tweet on Wednesday that the new indictment is “meritless” and “only serves to highlight the prosecution’s serious flaws.” Klein added, “We expect @MalwareTechBlog to be vindicated and then he can return to keeping us all safe from malicious software.”
The superseding indictment in the Hutchins case raises further alarms for security researchers who already saw the case as problematic. The indictment expands the list of alleged “overt acts” that the prosecution claims fueled the conspiracy, which broadens the implications for white hat hackers as well.
‘It’s usually a bad sign when they’re charging additional crimes, particularly when one has to do with lack of honesty.’
Marcus Christian, Mayer Brown
The case has always charged Hutchins under the Computer Fraud and Abuse Act, which traditionally applies to illicit hacking cases. CFAA prosecutions, though, have generated tension between law enforcement and the security community for decades, with researchers and digital rights advocates arguing that the deeply flawed law is open to manipulation and overuse. But Hutchins’ case actually goes a step further. Both indictments have also included counts of wiretapping, in keeping with a broader trend toward classifying malware that can steal data as an “intercepting device.”
“The word ‘device’ is very fuzzy,” says Ahmed Ghappour, an associate law professor at Boston University who specializes in cybersecurity and criminal law. “If you were to stretch it to include development of malware, wiretapping provisions potentially have a broader scope than the Computer Fraud and Abuse Act and could really do an end-run on security research.”
In one episode noted by the superseding indictment, Hutchins evaluated the hacking tool Phase Bot in late 2014 and blogged about its shortcomings and weaknesses. Phase Bot is a type of “fileless malware” that is noteworthy as part of a larger trend in concealing hacking tools from detection. The indictment interprets Hutchins’ analysis of Phase Bot as an attempt to discredit a competitor of the Kronos banking trojan. But the two types of malware are very different, and Hutchins’ blog posts, if anything, would have helped Phase Bot’s developers improve their tool—a strange approach if Hutchins wanted to undermine the malware—at the same time that the research gave defenders a better understanding of how to defeat it.
Monkeying with malware platforms, reverse engineering samples, and analyzing how hacking tools work are routine activities for white hat hackers, and crucial components of the defense intelligence pipeline in private industry. By identifying these types of actions as criminal in Hutchins’ case, the superseding indictment could have a chilling effect on digital defense research.
The security community has rallied to Hutchins’ cause, which appears to have empowered and embolden him. “It’s been overwhelming the amount of people reaching out to show support lately,” he tweeted on Thursday. But in spite of his resources, which aren’t a given in these types of cases, Hutchins still faces the very real risk of a conviction and prison sentence.
“It’s an ongoing investigation and both sides can continue gathering evidence to present at trial,” BU’s Ghappour says. “But researchers have a legitimate cause for concern that they might be subject to a technicality in the law. Frankly, it’s something that we should all be concerned about, because we rely on these people for our security.”