For the last few weeks Marcus Hutchins has been in Las Vegas attending a security conference, and on holiday. On Wednesday he was arrested on the flight home due to an indictment made in the US state of Wisconsin back in early July. He has now been granted bail for Monday, assuming bond is posted.
The allegations are around him allegedly selling malicious software for $2,000 in digital currency in June 2015. The case seems to stem from the take down of a website called AlphaBay, where a large amount of new cases are now entering the US justice system.
Who Marcus is
Marcus is a leading voice in the UK cyber security scene, and indeed worked with the UK Government’s National Cyber Security Center on stopping WannaCry and analyzing other malicious software:
In London for NCSC Industry 100 meet. Until now I've been skeptical that govt / priv sector threat sharing would work, but it actually does.
— MalwareTech (@MalwareTechBlog) April 7, 2017
He is an incredibly valuable asset to the UK. He isn’t just a voice?—?his work has an been invaluable to the UK for some time. He lives and breathes cyber security, almost 24/7, protecting people.
For the past few years there has not been a day gone by where I haven’t used or heard his research in my day to day cyber security work. This is going to create a huge hole for everybody, in particular the UK.
On a personal level, Marcus is a good person who does not deserve how this has been handled by authorities.
What happened in last few days
- He was not arrested on the way into the US for whatever reason.
- The indictment was a complete surprise to everybody, not least Marcus.
- When he was arrested, he simply disappeared. He did not exit the plane at the other end in the UK to meet his mother. No information was provided as to what was happening. When his arrest had been established, he was moved location 10 minutes before visiting was allowed.
- He did not have a lawyer for the first 48 hours. During this time he was in the custody of the FBI.
- He has still not been allowed to talk to his parents.
- Members of the press have asked why they cannot reach him for comment. He has no internet access or outside communication.
- As part of his bail conditions next week, he cannot use the internet.
- He is not allowed to communicate with the co-defendant named in the case. That name is blacked out on the indictment. Neither Marcus’ lawyer nor Marcus know who the co-defendant is.
- To quote his lawyer: “He’s pled not guilty. He is standing by that and he fights the charges and we intend to fight the case in Wisconsin.” His lawyer?—?funded by somebody in the UK cyber security scene?—?addresses reporter questions here.
When the indictment was first released, I had to Google “Kronos” to establish what it even was?—?I haven’t seen it in my 17 years in cyber security.
The first public post I can see for it is on 10th June 2014 in Russian:
Per a Forbes reporter: “…it was largely a failure amongst serious cyber criminals“.
MalwareTech’s business and job is around finding, reversing and analyzing malicious software (malware) and finding the techniques used. This includes monitoring “dark web” websites, where covert identifies are used to gain access?—?as is common across the security industry.
His data around botnets is sold to organizations, including Law Enforcement, around the world.
Sometimes, his research is misused:
Just found the hooking engine I made for my blog in a malware sample. This is why we can't have nice things, fuckers.
— MalwareTech (@MalwareTechBlog) February 7, 2015
- To help get to the truth, I strongly encourage:
- His MP needs to (and is) support Marcus.
- The Foreign Office needs to provide excellent consular assistance.
- His parents both need support.
- The NCSC and UK Government need to take responsibility here, and ensure every possible means of making sure the case is responsibly handled within the US.
- A crowdfunding campaign will likely be launched soon as the fees defending this case will be astronomical.
We have been in a state of shock since we found out about the arrest. The allegations are essentially over $2,000 in digital currency, and could potentially incur up to 40 years in jail in the US. If MalwareTech is to be tried, he should be tried in his home, the UK. Every effort needs to be made to ensure this case is properly investigated.