Tarah
We have a trial date for @MalwareTechBlog. Marcus goes before a jury July 8th. Please support Marcus if you can by donating to his legal defense fund and spreading the word. https://www.crowdjustice.com/case/malwaretech/
https://twitter.com/tarah
Support MalwareTech!
by Tarah Wheeler
Legal campaign. Lawyers: Zeitgeist Law PC, Los Angeles, United States of America
Tarah Wheeler
Case Owner
We're friends of MalwareTech, and we want him to have the best legal defense available to him.
7 days to go. $29,147 pledged of $50,000 stretch target from 428 pledges.
Marcus Hutchins, also known as MalwareTech, is the hero security researcher from the United Kingdom who stopped the WannaCry ransomware that attacked computers around the world in May. In July, he was arrested at the airport by the United States FBI as he was leaving DEFCON, the annual gathering of information security researchers in Las Vegas, Nevada. Family and friends began frantically searching for him when he did not show up in the UK.
We've now found out that Marcus is being prosecuted under wiretap law and the Computer Fraud and Abuse Act (the CFAA). This United States law is notorious for its broad reach and vague language, which makes it vulnerable to creative interpretations and chills important security research. Fortunately, Marcus has an incredibly strong legal team in his corner. Marcia Hofmann is one of the most well known computer crime lawyers in the country, and is the first call of any security researcher faced with an overreaching CFAA charge. Brian Klein is a top federal criminal defense attorney who focuses on cutting-edge technology cases like Marcus's. Together they're the strongest indication that the security community believes Marcus should have the most vigorous and competent defense possible.
You can learn more about the case timeline here.
We, the information security community, and anyone who believes that Marcus Hutchins deserves the right to strong representation and a fair trial, are supporting Marcus's defense by raising funds to defray his legal expenses and fees (including experts), and doing whatever else is needed to help Marcus in his legal fight during these difficult times. This will be a long battle, but we're here all the way through. Marcus is aware of this campaign and appreciates everyone's help tremendously.
Janet Hutchins, Marcus's mom, says to you all: "'Thank you' doesn't seem enough. We have been overwhelmed by the support and generosity shown to Marcus and ourselves."
Thank you,
https://www.crowdjustice.com/case/malwaretech/
theguardian
Briton who stopped WannaCry attack arrested over separate malware claims
Marcus Hutchins arrested over his alleged role in creating Kronos malware targeting bank accounts
Sam Levin
First published on Thu 3 Aug 2017 13.57 EDT
Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden “kill switch” for the malware, has been arrested by the FBI over his alleged involvement in separate malicious software targeting bank accounts.
According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015.
The Kronos malware was spread through emails with malicious attachments such as compromised Microsoft Word documents, and hijacked credentials such as internet banking passwords to let its user steal money with ease.
Hutchins, who is indicted with another unnamed co-defendant, stands accused of six counts of hacking-related crimes as a result of his alleged involvement with Kronos. “Defendant Marcus Hutchins created the Kronos malware,” the indictment, filed on behalf of the eastern district court of Wisconsin, alleges.
He was arraigned in Las Vegas late Thursday afternoon and made no statement in court beyond mumbling one-word answers in response to a few basic questions from the judge.
A public defender noted that Hutchins had no criminal history and had cooperated with federal authorities in the past. The court-appointed attorney said Hutchins needed more time to hire a private attorney. Hutchins, who asserted his fifth amendment right to remain silent, was ordered to remain detained until another hearing on Friday.
His mother, Janet Hutchins, told the Press Association it was “hugely unlikely” that her son was involved because he has spent “enormous amounts of time” combating such attacks. She said she was “outraged” by the charges and had been “frantically calling America” trying to reach her son.
At the courthouse, a friend of Hutchins, who declined to give his name, said he was shocked to hear about the arrest.
“There’s probably a million different scenarios that could have played out to where he’s not guilty,” he said. “I’m definitely worried about him.”
The special agent in charge, Justin Tolomeo, said: “Cybercriminals cost our economy billions in losses each year. The FBI will continue to work with our partners, both domestic and international, to bring offenders to justice.”
Hutchins’ co-defendant advertised the malware for sale on AlphaBay, a darknet marketplace, the indictment alleges, and sold it two months later. The encrypted website operated like an extralegal eBay for drugs and malware, with independent sellers offering their products in exchange for payment in a number of cryptocurrencies such as bitcoin. It was not clear from the indictment if the malware was actually sold through AlphaBay.
The marketplace was shut down on 20 July, following a seizure of its servers by US and European police including the FBI and the Dutch national police. The FBI’s acting director, Andrew McCabe, said AlphaBay was 10 times as large as the notorious Silk Road marketplace at its peak.
When the site was taken down, its servers were seized, giving authorities a window into activity on the site. The operation included the arrest on 5 July of the suspected AlphaBay founder, Alexandre Cazes, a Canadian citizen detained on behalf of the US in Thailand. Cazes, 25, died a week later while in Thai custody.
The security researcher Ryan Kalember, from Proofpoint, says that the Kronos malware was notable for being a particularly slick, and expensive, offering. “It had nice remote administration, with a dashboard panel, and it was quite good at evading attention by antivirus products,” he said. It was sold on malware forums for prices of up to $7,000 (£5,330), according to Kalember; the indictment against Hutchins lists prices of $2,000 (£1,523) and $3,000 (£2,284).
New Kronos infections continued as late as 2016, when the malware was repurposed into a form used to attack small retailers, infecting point-of-sale systems and harvesting customers’ credit card information.
“A lot of us thought of Kronos as crimeware-as-a-service,” Kalember said, since a Kronos buyer would also be getting “free updates and support” and that “implied there’s a large group behind it”.
He also warned that the actions of a researcher examining the malware can look very similar to those of a criminal in charge of it. “This could very easily be the FBI mistaking legitimate research activity with being in control of Kronos infrastructure. Lots of researchers like to log in to crimeware tools and interfaces and play around.”
On top of that, for a researcher looking into the world of banking hacks, “sometimes you have to at least pretend to be selling something interesting to get people to trust you”, he said. “It’s not an uncommon thing for researchers to do and I don’t know if the FBI could tell the difference.”
On 13 July 2014, a video demonstrating the Kronos malware was posted to YouTube, allegedly by Hutchins’ co-defendant (the video was taken down shortly after Hutchins’ arrest). That same day, Hutchins tweeted asking for a sample of the malware to analyse.
Hutchins, better known online by his handle MalwareTech, had been in Las Vegas for the annual Def Con hacking conference, the largest of its kind in the world. He was at the airport preparing to leave the country when he was arrested, after more than a week in the city without incident.
The security researcher became an accidental hero in May when he registered a website he had found deep in the code of the ransomware outbreak that was wreaking havoc around the world, including disrupting operations at more than a third of NHS trusts and bodies.
The site, it turned out, acted as a kill switch for the malware, which stopped infecting new computers if it saw that the URL had been registered.
Attendees at the Def Con 2017 hacker convention in Las Vegas in July. Photograph: Steve Marcus/Reuters
When WannaCry first appeared, in early May, it spread rapidly, infecting hundreds of thousands of computers worldwide in less than a day, encrypting their hard drives and asking for a ransom of $300 in bitcoin to receive the decryption key. It moved particularly quickly through corporate networks thanks to its reuse of a security exploit, called EternalBlue, first discovered by the NSA before being stolen and leaked by an allegedly Russian-linked hacking group called the Shadow Brokers.
Both US and UK intelligence agencies later linked the malware outbreak to North Korean state actors, who have become bolder in recent years in using cyber-attacks to raise revenue for the sanction-laden state.
Hutchins was recently given a special recognition award at the cybersecurity celebration SC Awards Europe for halting the WannaCry malware. The malware ended up affecting more than 1m computers, but without Hutchins’ apparent intervention, experts estimate that it could have infected 10-15m.
Hutchins’ employer, the cybersecurity firm Kryptos Logic, had been working closely with US authorities to help them investigate the WannaCry malware. Hutchins handed over information on the kill switch to the FBI the day after he discovered it, and the chief executive of the firm, Salim Neino, testified in front of the US House of Representatives committee on science, space and technology the following month.
“The largest success, though incomplete, was the ability for the FBI and NCSC of the United Kingdom to aggregate and disseminate the information Kryptos Logic provided so that affected organizations could respond,” Neino told the committee.
Hours after Hutchins was arrested by the FBI, more than $130,000 (£100,000) of the bitcoin ransom taken by the creators of WannaCry was moved within the bitcoin network for the first time since the outbreak. There is nothing to suggest the withdrawal, which appears to have moved the coins into a “mixer”, a digital money-laundering system, is connected to the arrest of Hutchins.
Dan Hernandez contributed reporting
• This article was amended on 9 August 2017. An earlier version said a video demonstrating the Kronos malware was posted on 13 June. This has been corrected to 13 July 2014.
https://www.theguardian.com/technology/ ... ined-in-us
arstechnica
MalwareTech loses bid to suppress damning statements made after days of partying
Researcher said statements he made after taking intoxicating substances should be thrown out.
Dan Goodin - 2/13/2019, 6:19 PM
Then-23-year-old security researcher Marcus Hutchins in his bedroom in Ilfracombe, UK, in July 2017, just weeks before his arrest on malware charges.
Chris Ratcliffe/Bloomberg via Getty Images
Marcus Hutchins, the widely acclaimed security researcher charged with creating malware that sold for thousands of dollars on the Internet, has lost his bid to suppress self-incriminating statements he made following days of heavy partying at the 2017 Defcon hacker convention in Las Vegas.
Hutchins—who, under the moniker MalwareTech, unwittingly helped neutralize the virulent WannaCry ransomware worm—was charged with developing the Kronos banking trojan and an advanced spyware program known as the UPAS Kit. The then-23-year-old UK citizen was arrested in August 2017 at McCarran International Airport as he was about to fly home. He had spent the previous week attending the Black Hat and Defcon conferences. Hutchins has pleaded not guilty to the charges.
According to court documents, federal agents questioned Hutchins in an airport interview room shortly after he was arrested. When asked about his involvement in developing malware, the court records show, Hutchins grew visibly confused about the purpose of the interrogation. Eventually, prosecutors said, Hutchins acknowledged that, when he was younger, he wrote code that ended up in malware, but he denied that he had developed the malware itself. After reviewing some source code produced by the agents, Hutchins asked if the investigators were looking for the developer of Kronos. Hutchins then told the interrogators he didn't develop Kronos and had "gotten out" of writing code for malware before he turned 18.
Allegedly, Hutchins then said he had feared law enforcement authorities would pursue him instead of the actual developer, because pieces of his code appeared in Kronos and that implicated him in the investigation into its creation. Still, he continued to voice confusion about why he was being detained. Almost 80 minutes into the interrogation, agents finally provided Hutchins with his arrest warrant and told him it had nothing to do with WannaCry. During the remainder of the interview, which lasted for another 20 minutes, Hutchins continued trying to be helpful but again noted he had been "out" of "blackhat" hacking for so long that he didn't have any useful information.
Jailed
Hutchins was then taken to jail, where he made two phone calls. Despite being informed the calls were subject to monitoring and recording, Hutchins allegedly "made incriminating statements," court records showed, without elaborating.
In a motion filed in US District Court for the Eastern District of Wisconsin, attorneys for Hutchins moved to suppress the statements and any evidence that may have been obtained as a result of them. Hutchins' grounds are that he didn't waive his Miranda rights against self-incrimination and that his intoxication and limited understanding of the US criminal procedural system made it impossible for him to voluntarily waive those rights.
In a ruling issued Monday, US District Judge J.P. Stadtmueller of the Eastern District of Wisconsin denied the motion. The 32-page decision cited Hutchins' own acknowledgment that he was read his Miranda rights, although the ruling noted there was insufficient evidence to establish if Hutchins received his rights at the beginning of the interrogation. The judge also noted that FBI agents testified under oath that the rights were issued at the beginning of the interrogation.
"In light of Hutchins's admission that he received his Miranda rights, and in light of the agents' corroborating testimony that this occurred before the interrogation, as well as the lack of any indication of when else he may have received them, the court finds that Hutchins was sufficiently apprised of his rights before the interrogation," Judge Stadtmueller wrote.
Hungover? Maybe. Drunk? No.
The judge went on to rule that there were sufficient grounds to find Hutchins's waiver of rights was voluntary. While intoxication, exhaustion, or physical discomfort can all be reasons a waiver might not be considered voluntary, Stadtmueller said it was unlikely Hutchins' alleged impairment significantly factored into his ability to give a voluntary waiver or to make him more susceptible to coercive interrogation practices.
The FBI agents, the judge said, monitored Hutchins continually since the beginning of the day of his arrest to ensure he was sober when he was detained. They then walked him to two separate locations inside the airport and engaged him in conversations to assess whether he was intoxicated.
"Hutchins appeared to be alert, engaged, coordinated, and coherent," Stadtmueller wrote. "There is no evidence in the record to the contrary. There is also no evidence, nor does Hutchins claim, that he was under the influence of drugs that day—only that he was exhausted. But a terrible hangover alone does not, as a matter of law, render someone unable to exercise or waive their Miranda rights. This factor does not weigh in Hutchins's favor."
Judge Stadtmueller went on to rule against Hutchins' claim that he was unable to make a voluntary waiver because of his unfamiliarity with suspect rights in US criminal proceedings. The judge also said Hutchins had failed to meet his burden of presenting "clear and convincing evidence" that FBI agents misled him about the true intentions of the interrogation. Hutchins, the judge said, received his Miranda rights and understood he was under arrest for alleged criminal activity that somehow related to Kronos.
What's more, Stadtmueller said, even though the FBI agents didn't present the warrant at the outset, the interrogation lasted another 20 minutes. During that time, Hutchins continued to consent to searches and answer questions.
The judge went on to acknowledge that it wasn't always clear whether Hutchins understood or remembered the criminal charges against him. "At one point in the interrogation, he made a comment that showed that he did not realize he had even been indicted." But ultimately, Stadtmueller said the scope of the questions should have put Hutchins on notice about the true purpose of the interview.
FBI agents rebuked but ultimately excused
The judge did go on to rebuke the agents for failing to meet their obligation under the Federal Rules of Criminal Procedure to tell Hutchins precisely why he was arrested.
"There is certainly an element of deception to this set of events that the court does not endorse," Stadtmueller wrote. The judge continued later:
The court is concerned by the abject failure of the agents to abide by the Federal Rules of Criminal Procedure 4(c), but their obvious interest in Kronos—including providing Hutchins with a string of code related to kronos—leads the court to conclude that there is not clear and convincing evidence that they acted with intent to deceive.
...
Under the totality of the circumstances—considering Hutchins's exhausted state, his unfamiliarity with the American criminal procedure system, his high level of intelligence, and the lack of material deception, there is an insufficient basis for the Court to find that Hutchins's statements were involuntary. It is wholly improper that he was not provided with a warrant immediately upon arrest. But in light of the record of the post-arrest interrogation, the government has met its burden in proving that the waiver was voluntary.
In the same decision, Stadtmueller denied motions by Hutchins that various counts in a superseding indictment be dismissed for a variety of different reasons.
Monday's decision is the second time Hutchins' motions to suppress and dismiss counts have been denied. Magistrate Judge Nancy Joseph, also of the US District Court for the Eastern District of Wisconsin, issued a report earlier that recommended denying all motions on largely the same grounds.
Based on the court ruling, it appears likely the statements and any evidence they produced will now remain in force while the case proceeds through the lower court. The denial of the motion to suppress the statements is likely to come as a blow to Hutchins' supporters. During the days before his arrest, Hutchins' Twitter account chronicled a life of partying and night clubs that isn't uncommon for people attending Black Hat and Defcon.
If the Twitter account accurately portrays how Hutchins spent his time in the days leading up to his arrest, it's not hard to see how the combination of extreme fatigue, unfamiliar surroundings, and youth might have contributed to a costly lapse in judgement that could follow him for years to come.
https://arstechnica.com/tech-policy/201 ... -partying/