Briton Marcus Hutchins is due in court on 8 August 2017 to face charges of helping to develop and maintain the password-stealing malware Kronos between July 2014 and July 2015.
The six-count indictment against Hutchins was filed on 12 July 2017, but made public only after his arrest, which comes after a two-year FBI investigation.
The 23-year-old from Ilfracombe in Devon, who is also known by his online handle of “MalwareTech”, was arrested on 4 August 2017 as he prepared to return to the UK from a security conference in Las Vegas.
The arrest came just weeks after Hutchins was hailed as a hero for discovering that WannaCry was connecting to an unregistered domain, which he then registered and took control of to stop the ransomware worm from spreading.
Although granted bail of $30,000, the security researcher, who works for cyber security supplier Kryptos Logic, was forced to spend the weekend in jail because bail could not be paid before the court closed.
He was released on 7 August under strict bail conditions, including that he have no access to the internet, surrender his passport, and be placed under 24-hour GPS monitoring.
At the weekend, Hutchins’s lawyer Adrian Lobo said her client would plead not guilty to all charges, although prosecutors reportedly claimed he had admitted to writing the Kronos code.
Hutchins and his unnamed co-defendant were caught in a sting operation by undercover officers, prosecutor Dan Cowhig said, according to the Telegraph.
Cowhig said other evidence includes chat logs between Hutchins and his co-defendant, who is reportedly still at large.
After his arrest, the cyber security research community rallied in support of Hutchins. His mother said his guilt was “highly unlikely” considering the “enormous amounts of time” he spent stopping cyber attacks.
Draining victims’ bank accounts
Kronos was designed to steal online banking credentials to enable those behind the malware to drain victims’ bank accounts.
Since its creation, Kronos is thought to have stolen user credentials associated with banking systems in several countries, including the UK, Canada, Germany, Poland, France and India.
Analysis of the malware revealed that significant effort was put into equipping the malware to evade security tools used by enterprises and security researchers.
US authorities believe Kronos was first made available through certain internet forums in early 2014, and marketed and distributed through AlphaBay, a hidden service on the Tor network.
Although the AlphaBay marketplace was shut down on 20 July 2017 in an international law enforcement effort led by the US, the indictment said Kronos presents an ongoing threat to privacy and security because the Kelihos botnet was observed loading Kronos on computers through an email phishing campaign in late 2016.