As It Happens

WannaCry 'hero' indicted by FBI could actually be 'like Donnie Brasco,' says colleague

A colleague of IT researcher Marcus Hutchins says his arrest may be a misunderstanding and it's sending chills through the cybersecurity world.
British IT expert Marcus Hutchins has been indicted by the FBI for his alleged role in spreading a banking malware called Kronos. (Frank Augstein/Associated Press)

Story transcript

Marcus Hutchins' indictment may be a misunderstanding, and it's sending a chill through the cybersecurity world, says a colleague who helped him stop the infamous WannaCry virus.

Hutchins, a 23-year-old cybersecurity researcher known online as Malware Tech, was hailed as a "hero" earlier this year after he helped stop the spread of the WannaCry malware that shut down computer systems worldwide and brought the U.K.'s health-care system to a grinding halt.

Now he's been indicted by the FBI for his alleged role in creating and spreading an unrelated piece of malicious banking software called Kronos between 2014 and 2015.

He was arrested at the Las Vegas airport on Wednesday on his way home from the Def Con hacking conference, Motherboard reports, and could face up to 40 years in prison if convicted. 

Ryan Kalember, the senior vice-president at the security firm Proofpoint, who worked with Hutchins to bring down WannaCry, said he's not convinced his colleague is guilty. 

He spoke with As It Happens guest host Piya Chattopadhyay about the indictment and its ramifications for cybersecurity. Here is part of their conversation.

I thought he was supposed to be the good guy? That he had fought the WannaCry ransomware attack? Why would be be trying to create and sell this malware called Kronos?

He certainly was the good guy in the WannaCry attack. He worked with our researchers as well as lots of other like-minded individuals to stop that particular worm, as we call it, from spreading. 

But that said, this indictment refers to events that happened a few years ago, in 2014 when Kronos was released, as well as in 2015, so this is a little while back.

So he could have been a bad guy-turned-good guy?

Well, the line is an interesting one in cybersecurity. There are sort of these underground groups where malicious software is sold, and in order to gain credibility there, you have to frankly know what you're talking about. 

Marcus Hutchins was branded a hero for slowing down the WannaCry global cyberattack. (Frank Augustein/Associated Press)

Are you saying it's a little bit like going undercover as a cop?

It is a lot like that. Malware researchers, in a lot of respects, are sort of like Donnie Brasco, except they don't work for the FBI.

Being on the forums is something that is a particularly normal thing for researchers to do. There's nothing extraordinary about it and it does require blending in with cybercriminals in order to learn about their tools.

So is there a possibility that there's been a misunderstanding here?

I would say there's certainly a possibility. Obviously, we don't have a lot of evidence to look at at this point in time.

But a lot of what a researcher does, especially on underground forums, for a law-enforcement agency would be really difficult to tell apart from legitimate criminal activity. You think of Donnie Brasco committing crimes in order to be trusted by the Mafia.

Hutchins and Calember worked together to stop the WannaCry ransomware attack that affected computers worldwide. (Ritchie B. Tongo/EPA)

Don't you think the FBI can tell the difference between that and actual criminal activity? 

Any type of investigation like this, even including the things that involve the intelligence community who are some of the world's foremost experts at this, always involves a degree of uncertainty.  And we haven't seen the sort of evidence that would allow us to make a strong conclusion one way or another.

So even the best in the world, whether they work for law enforcement or on the hacking side, it's hard to discern where the line is on this?

It is. And in this case, we also have an unnamed second sort of partner to him that is referred to throughout the indictment, who apparently tried to sell this on what we call a dark web marketplace, so something you'd need a special browser to connect to, called AlphaBay.

And that markeplace had actually been taken down by an international law enforcement effort just a couple of weeks ago. So there's likely more to this story that's going to come out sooner rather than later. 

Do you think that this indictment could be connected to the arrest of the Canadian founder of the dark website AlphaBay and its subsequent shutdown?

I think there's a strong possibility that events are connected, especially as that unnamed partner is actually mentioned as selling this Kronos banking trojan on AlphaBay as recently as a few months ago. So it's likely that the takedown of AlphaBay led to some new evidence in this case.

Hutchins is accused of being behind the Kronos malware code, which was advertised on the illegal Alpha Bay online marketplace that was shut down last month. (Screengrab/CBC News)

You saw Marcus Hutchins recently at the Def Con conference. How did he seem to you?

He's an infosec celebrity, so he seemed to be smiling and laughing and, of course, sort of revered by all who encountered him. 

If this is a misunderstanding, how might this affect the relationship between governments and hackers, cybersecurity types?

Those two groups have been working on trying to get better at collaborating for years and years, and there will occasionally be something that involves a very human, very real story, that sends a chill through those relations.

And what is the significance of that? 

As more and more crime, as well as more and more things of national interest, move to being on the internet, it's absolutely critical for all levels of government to be able to not only have their own robust cybercapabilities, but be connected to those of us who spend our days fighting cybercrime.

If those groups are not collaborating well, that's an advantage for the bad guy.