The court saga of Marcus Hutchins, a security researcher from England also known as MalwareTech, will continue after a superseding indictment filed by the U.S. government added new charges to his case.
Hutchins was originally arrested in August 2017 on charges of creating and distributing the Kronos banking Trojan. The superseding MalwareTech indictment, filed on Wednesday, adds four new charges to the original six, including the creation of the UPAS kit malware, conspiracy to commit wire fraud, and lying to the FBI.
Hutchins first gained prominence in May 2017 for being one of the researchers who helped slow the spread of the WannaCry ransomware, and he recently mused on Twitter at the connection between that act and the new MalwareTech indictment.
While this all sucks a lot, I can’t stop laughing at the irony of the superseding indictment coming exactly on the 1 year anniversary of me receiving an award for stopping WannaCry.
— MalwareTech (@MalwareTechBlog)
June 7, 2018
Hutchins also had strong language to describe the supplemental indictment, but one of his lawyers, Brian Klein was more measured.
@marciahofmann and I are disappointed the govt has filed this superseding indictment, which is meritless. It only serves to highlight the prosecution’s serious flaws. We expect @MalwareTechBlog to be vindicated and then he can return to keeping us all safe from malicious software https://t.co/E1M0qod3CN
— Brian Klein (@brianeklein)
June 6, 2018
A question about the new MalwareTech indictment
The UPAS Kit described in the new filing was a form grabber that Hutchins admitted to creating, but he asserted it was not connected to Kronos. Marcy Wheeler, national security and civil liberties expert, questioned how this was included in the new MalwareTech indictment because of the time frames related to those charges.
The indictment noted that the UPAS Kit was originally sold and distributed in July 2012 and it alleged Hutchins developed Kronos “prior to 2014” and supplied it to the individual who sold the UPAS Kit. However, Wheeler pointed out in a blog post that there should be a five year statute of limitations related to such charges and even if the government could avoid that, Hutchins would have been a minor in 2012 when these actions allegedly took place.
Additionally, Wheeler noted that Hutchins admitted to creating the UPAS form grabber — although he denied it was part of Kronos — when he was first arrested by the FBI. The new MalwareTech indictment claims Hutchins lied to the FBI about creating Kronos which would put into question the new charge that Hutchins lied to the FBI.