Famed white hat hacker Marcus Hutchins — better known as "MalwareTech" — was arrested by the FBI yesterday while trying to fly home to the United Kingdom from Las Vegas. The 22-year-old security researcher gained mainstream fame earlier this year as the guy who stopped the destructive WannaCry ransomware from spreading, and had been partying with friends near the Black Hat and Defcon hacker conferences before his arrest. Now, he faces serious federal charges for allegedly creating the Kronos banking trojan. But he's supposed to be the good guy!
Here's the thing: Good people do bad things sometimes. It's possible that good hackers, the ones we celebrate for stopping malware, also create malware, perhaps for profit or perhaps because they're bored. It's possible, but some people just can't believe that Hutchins would ever do something like this:
I refuse to believe the charges against @MalwareTechBlog, not the MT I know at all. He spent his career stopping malware, not writing it.
— Andrew Mabbitt (@MabbsSec) August 3, 2017
We don't know if Hutchins is guilty. That's up to the courts to determine. However, what we know so far about the young man's precarious situation is intriguing to say the least. In the days leading up to his arrest, Hutchins was going big. He was throwing parties at a $US1,900 ($2,390)-per-night Airbnb which, incidentally, is home to the largest private pool in Las Vegas, Gizmodo alum William Turton reports at the Outline. Hutchins also rented a Lamborghini and asked his Twitter followers where he could find a race track. He contemplated renting a helicopter for a tour of the Grand Canyon. He shot a very scary machine gun at a shooting range.
Spending lots of money and having fun isn't against the law, but it is curious in retrospect. The recently unsealed federal indictment claims that Hutchins not only built the Kronos malware, which enables a hacker to steal bank credentials, but also advertised it on AlphaBay, the dark web marketplace that US and European authorities seized a couple weeks ago. It's unclear if Hutchins' arrest is connected to that seizure. The indictment claims that Hutchins sold Kronos, at least once, for $US2,000 ($2,516). The indictment also claims that Hutchins uploaded a video to YouTube about how Kronos works, a detail that the Department of Justice thinks is incriminating evidence.
Did federal authorities let Hutchins party his face off during Defcon and Black Hat, so that they could collect more incriminating evidence against the young security researcher? Did Hutchins' money come from the sale of malware that makes it easy for evil hackers to rob unsuspecting computer users? Did Hutchins lie when he said he was donating the $US10,000 ($12,581) reward from stopping WannaCry to charity, instead choosing to spend the money on exotic car rentals and a lavish party house?
We don't know the answer to any of these questions, and we probably won't for quite some time. But it certainly is possible that a white hat like Hutchins possibly, maybe did some bad things a few years ago. In the hacker world, it's not uncommon for hackers to start off wearing black hats and end up changing their ways. Usually they get caught doing the bad stuff and then spend some time in prison.
Here are some examples. Kevin Poulsen is the legendary hacker who became famous for taking over all of the phone lines that led to Los Angeles-area radio stations so that he could be the 102nd caller and win a Porsche back in 1990. He was arrested in 1991, after an 18-month-long manhunt, and served over five years in prison. Now, he's a senior editor at Wired.
Then, you've got Kevin Mitnick, another famous hacker. Mitnick was charged with over two dozen cyber crimes in 1995, evaded the feds for two weeks before being caught with 100 cloned cell phones, and then served nearly four years in prison. Now, he runs his own security company, consulting large companies and even the FBI on how to keep their data safe.
And who could forget Samy Kamkar? When he was just 19 years old, Kamkar created a worm that he unleashed on MySpace, where it soon became the fastest spreading computer virus in history. He pleaded guilty to a felony, avoided jail time, and was on probation for three years, during which he was not allowed to touch a computer. Now, he's one of the most famous white hat hackers in the world, spotting vulnerabilities in everyday devices and advocating for better privacy. He's even testified before Congress.
One thing deserves repeating, though: We don't know if Hutchins is guilty. It's entirely possible that the feds got the wrong guy, and we can all go back to remembering MalwareTech for being the nice person who saved a lot of people from getting hacked and held hostage by the WannaCry ransomware. If he did do it, however, he wouldn't be the first white hat hacker with a black hat past. In fact, he'd be in good company.