The FBI arrested Marcus Hutchins in Las Vegas as he prepared to return to the UK after attending the Black Hat and Defcon security conferences.
The 23-year-old security researcher, also known as MalwareTech, was hailed as a hero for discovering that WannaCry was connecting to an unregistered domain, which he then registered and took control of to stop the ransomware worm from spreading.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
But Hutchins, from Ilfracombe in Devon, has now been accused of helping to create and distribute the Kronos banking Trojan that was designed to steal funds from online bank accounts between July 2014 and July 2015.
The six-count indictment against Hutchins was filed on 12 July 2017, but made public only after his arrest, which comes after a two-year investigation by the FBI cyber crime unit in Milwaukee, Wisconsin.
In the indictment, Hutchins – alongside another, as yet unnamed individual – is charged with one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavouring to intercept electronic communications, and one count of attempting to access a computer without authorisation.
According to the indictment, Kronos was designed to harvest and transfer the username and password associated with banking websites as they are entered on an infected computer to a control panel hosted on another computer inaccessible to the victim.
Since its creation, Kronos is thought to have stolen user credentials associated with banking systems in several countries, including the UK, Canada, Germany, Poland, France and India.
Analysis of the malware revealed that significant effort was put into equipping the malware to evade security tools used by enterprises and security researchers.
US authorities believe Kronos was first made available through certain internet forums in early 2014, and marketed and distributed through AlphaBay, a hidden service on the Tor network.
On 20 July 2017, the Alphabay marketplace was shut down through an international law enforcement effort led by the US.
The indictment said Kronos presents an ongoing threat to privacy and security, as the Kelihos botnet was observed loading Kronos on computers through email phishing campaign in late 2016.
“Cyber crime remains a top priority for the FBI,” said special agent in charge Justin Tolomeo. “Cyber criminals cost our economy billions in loses each year. The FBI will continue to work with our partners, both domestic and international, to bring offenders to justice,” he said.
Hutchins’s mother, Janet, said it was “hugely unlikely” that her son was responsible for Kronos. She told the BBC that her son had spent “enormous amounts of time stopping attacks like these”.
Shortly after Kronos was reported publicly in July 2014, Hutchins – whose job involves investigating malware – asked on Twitter if anyone could provide him with a sample of Kronos.
As news of the arrest broke, supporters took to Twitter to express their disbelief and offer legal and other assistance.
Digital rights group, the Electronic Frontier Foundation (EFF), said it was “deeply concerned” about the arrest. “We are looking into the matter, and reaching out to Hutchins,” the EFF said in a tweet.
Hutchins’s arrest took place just hours before the bitcoin wallets associated with the WannaCry attacks were drained of funds, but no evidence of a link between these two events has been reported.
While some security commentators believe that professional cyber criminal groups have the means to protect their identity, others say that the money trail will ultimately lead to those behind the attacks.