The particulars of Marcus Hutchins’ indictment last week on charges the WannaCry hero three years ago wrote a banking Trojan have created another divisive information security storyline.
While experts in the community rallied over the weekend to raise funds for his bond and wrote letters of support to the judge on his behalf, others pumped the brakes and cautioned that MalwareTech may have indeed crossed an ethical and legal line.
The fact is that we just don’t know. The indictment barely scratched the surface of each of the six federal counts levied against Hutchins and an unidentified co-conspirator. Hutchins is alleged to have created the Kronos banking malware in July 2014 and the unidentified accomplice is alleged to have marketed it for distribution on a number of underground forums, including the recently dismantled AlphaBay, and sold it at least once for $2,000 USD.
The case has inspired new debate among white-hats as to whether writing malware is a crime, whether the prosecution is over-reaching especially with the inclusion of a wiretapping charge, and what the long-term effect on future information sharing with the U.S. government would be.
“This really waves a finger in the eye of the information security community doing this after DEF CON,” said defense attorney Tor Ekeland, who specializes in computer crimes. “This is going to generate way more ill will in the industry and it’s sending a message that if you help out the U.S. government, we may reward you by arresting you. You’d have to be an idiot now to help the government on anything.”
Hutchins, who pleaded not guilty to the charges, was arrested last week and pulled off an airplane in Las Vegas before his flight home to the United Kingdom could take off. The indictment was signed on July 11 yet Hutchins was allowed to enter the U.S. and move about Las Vegas during the Black Hat and DEF CON conferences, which he reportedly did not attend. He spent the weekend in jail but could be released today on $30,000 bond before he’s moved to Wisconsin to formally face charges.
Ekeland called the indictment “paper thin” and “problematic” and that a defendant should be presented with sufficient details in order to prepare a defense and to avoid double jeopardy down the line. Also, he said the public has a right to see how laws are being enforced by the executive branch in cases such as these.
The six counts do not list victims nor damages, and Ekeland said that the two counts under the Computer Fraud and Abuse Act were dubious in that it infers Hutchins’ alleged creation of the banking Trojan is an overt agreement to commit an illegal act and support a conspiracy.
“He is not accused of doing actual damage, nor is damage listed in the indictment,” Ekeland said. “I found it paper thin. It’s such a stretch; if that’s a CFAA felony with a maximum [40] years, I give up.”
Ekeland said the Department of Justice could be taking an overly expansive view of the statute in this case, one that could be extended into legitimate software used by researchers for pen-testing or malware testing in a lab setting.
“They’re implying that writing the malware is evidence of intent,” he said. “It’s really a poorly written, dangerous indictment. And it doesn’t support such a dramatic action on the part of the government. The warrant was written July [11] and they wait until he gets on a plane to grab him. There’s so much weird about it that it’s hard to tell if it’s deliberate or just sloppy.”
Former DoJ prosecutor Ed McAndrew of Ballard Spahr of Washington, D.C., said he agreed that writing malware in and of itself is not a crime but that the intent for which it’s created and what is done after it’s created—such as advertising it on criminal forums or distributing it to others who may use it for criminal gain—could make it a crime.
“When you create malware knowing and intending to use it to harvest credentials and commit acts of fraud, then you crossed a line,” McAndrew said.
McAndrew points out that the CFAA-related charges are only in connection with aiding and abetting the co-conspirator. Hutchins and his alleged co-conspirator are also facing charges in connection with the Wiretap Act (18 U.S. Code § 2511), which is an attempt to prosecute the advertisement and dissemination of computer code, not the creation of it., McAndrew said.
“The government could succeed here but it would be a fight as to whether code constitutes a device under these circumstances,” McAndrew said. “A device is not defined in the Wiretap Act. The focus there was on some tangible physical device or apparatus used to tap or intercept communications. Is software [that intercepts and forwards credentials] standing alone a device? That’s a critical question.”
McAndrew also cautions reading too much into the indictment’s calling out of one alleged sale of the malware for $2,000.
“I would not read into the allegation of making $2,000 as the sum total of the conduct and harm,” he said. “It could be that they’re meeting the statutory threshold of the CFAA. I would not read that as the ceiling of economic harm involved here.”
Another outstanding question is the identity of the co-conspirator and why the proceedings are moving to Wisconsin. It could be that the co-conspirator is in Wisconsin, or servers involved in illegal transactions are located in that state. This falls under federal venue law, McAndrew and Ekeland said, and McAndrew added that some overt act of conspiracy was engaged in there.
“I don’t know if Hutchins was ever in Wisconsin, but this suggests he was in contact with someone who was in Wisconsin, or money was transferred through there. There is some connection that provides venue there,” McAndrew said.
Hutchins’ best testimonial, however, may be his actions in blunting WannaCry. The global ransomware outbreak hit hardest in Europe where hospitals across the U.K. had patient services affected by the malware. Telecommunications giants in Spain and enterprises in Russia and the Ukraine were also impacted. Ironically, Hutchins’ actions may have spared the United States the brunt of the attack, which targeted Windows 7 and XP machines, both still prevalent in health care and other industries.
“If it’s true that Hutchins really did cut off WannaCry, if I’m his defense lawyer, that is going to be a critical mitigating factor in any prosecution of him,” McAndrew said.
Ekeland said: “He potentially saved lives.”
