A legal defense fund established to ease Marcus Hutchins’ attorney costs has been disbanded after a sizable number of fraudulent donations were discovered.
Hutchins, known as Malware Tech, is facing six counts for his alleged involvement in creating and distributing the Kronos banking malware. The researcher is best known for finding the so-called killswitch domain in the WannaCry malware, stopping the May global ransomware outbreak cold.
The fund contained upwards of $150,000 in donations, but most of that money came from stolen credit cards and other fraudulent sources, said attorney Tor Ekeland whose New York firm managed the fund.
Ekeland told Threatpost he has refunded almost all of the money save for three or four donors. He urges anyone who has donated and yet to receive a refund to email email@example.com.
“I’m 99 percent sure it was someone being an ass,” Ekeland said of the source of the fraud. “When I went back and went through everything, I saw that one person had their card run five times in different amounts. There’s no way those were legitimate transactions.
“It’s really obnoxious that someone did that,” Ekeland said. “I think it was a script; someone ran a script on it.”
Ekeland said the fund’s payment processor flagged the suspicious transactions last week and shut them down, adding that it was simpler to refund all of the money rather than sort through the legitimate versus fraudulent donations. Ekeland said the refunds have to be done through a manual process.
“You’ve got some jerk running a script and it becomes a massive headache and it’s just not worth it,” Ekeland said. “We tried to help out.”
A Buzzfeed report last week said Ekeland was able to confirm only $4,900 in legitimate donations, but those were refunded as well. A Bitcoin wallet was also set up to accept donations, and that has received 96 totaling $3,400.
Hutchins was arrested in Las Vegas shortly after Black Hat and DEF CON and charged along with an unnamed co-conspirator with writing and distributing Kronos. Hutchins, represented by attorneys Marcia Hofmann and Brian Klein, pleaded not guilty on Aug. 14; he is free on $30,000 bond. The proceedings have been moved to Wisconsin where Hutchins awaits trial.
Last week, government prosecutors complained after a judge lifted some restrictions on Hutchins’ movements, Bloomberg reported. Prosecutors feared Hutchins might try to return to his home in the United Kingdom, while his attorneys maintain he is no such risk.
Also last week, the courts gave Hutchins’ case a designation of “complex” based on the intricacies of the evidence, which includes 150 pages of Jabber chats between Hutchins and an individual whose identity has been redacted, along with user data provided by Apple, Google and Yahoo, along with 350 pages of statements made in an online forum seized by the government. There are also malware samples and a search warrant executed against a third party to be considered.
“The parties agree that the case should be designated as complex,” court records said. “Information is still being obtained from multiple sources. The issues are complex. The defendant requests 45-60 days in which to review the discovery. The government notes that it is in agreement with the request.”
A conference call is scheduled for Oct. 13 between the two parties and the court.
In the indictment against Hutchins, he and another individual whose identity has been redacted, are facing charges that they violated the Computer Fraud and Abuse Act. The two are charged with six counts associated with the distribution of the Kronos malware.
The indictment alleges Hutchins created the Trojan in July 2014, and the second individual demonstrated it in a video posted to YouTube.
The two are also alleged to have advertised the malware for sale on a number of internet forums, including the recently dismantled AlphaBay market. The Department of Justice alleges the second defendant offered to sell the malware for $3,000 in August 2014. The indictment goes on to allege that the pair updated the malware in February 2015, and in April of that year, the second defendant posted it to AlphaBay. The unnamed defendant allegedly sold the malware in June 2015 for $2,000 in cryptocurrency. In July 2015, the second defendant began offering encryption services that would conceal the malware, the indictment said.