WannaCry hero Marcus Hutchins faces four new charges

MalwareTech security blogger's lawyer calls the new accusations "meritless"

Marcus Hutchins has been charged with four more offences by the US government, including lying to the FBI as well as the creation and sale of malware designed to harvest personal and financial information.

The fresh accusations have been issued as part of a 'superseding indictment', which allows federal prosecutors to add new charges as more evidence becomes available. Hutchins is now charged with a total of 10 offences, including violation of the Computer Fraud and Abuse Act, wiretapping, conspiracy to commit wire fraud and giving false statements, all of which he denies.

Hutchins' lawyer called the new charges "meritless".

The security researcher, also known by his Twitter handle 'MalwareTech', was arrested last summer by US law enforcement while on a business trip to Las Vegas, and formally charged with creating and distributing the Kronos banking malware, shortly after shooting to fame for helping stop the WannaCry ransomware outbreak.

He denied the claims, saying that while elements of his code are present in the Kronos malware, he did not know what they were going to be used for when he wrote them.

The bulk of the new charges relate to the creation and sale of a piece of malware known as UPAS Kit, which was allegedly designed to intercept data that users type into online forms, such as login pages for banks. The new indictment comes just weeks after Hutchins' lawyers filed a motion to suppress a transcript of a phone call Hutchins made while under arrest in which he allegedly discussed the incident.

According to the indictment, Hutchins developed UPAS Kit at some point prior to July 2012, and provided it to an unnamed individual with the intention that this person would market, sell and distribute it. Prosecutors claim that this individual, who went by handles including 'VinnyK' and 'Aurora123', is the same person that Hutchins is accused of working with in the sale and promotion of Kronos in 2014.

The second component of the updated accusations is that Hutchins "knowingly and willfully made a materially false, fictitious, and fraudulent statement" to the FBI concerning his role in creating Kronos when he was brought in for interrogation last August.

According to the FBI, Hutchins claimed that the first time he was aware of his code being incorporated into Kronos was in 2016, but the agency said that its evidence shows that in November 2014, he was discussing his role in creating the malware with a cyber criminal that he knew to be involved in hacking ATMs and point-of-sale systems.

Hutchins' lawyer, Brian Klein, tweeted that he was "disappointed" that the government had filed the indictment, which he called "meritless" and said "only serves to highlight the prosecution's serious flaws". Hutchins' legal team has previously argued that he was coerced into making false confessions related to his alleged role in creating Kronos.

Klein is not the only legal mind who had taken issue with the indictment; civil rights expert Marcy Wheeler has pointed out that, given Hutchins' birth date of June 1994, if he did create UPAS Kit, he would have done so as a minor, and that the five-year statute of limitations on historic crimes would also have elapsed.

Hutchins has called the new charges f lying to the FBI "bullshit", and has asked fans and followers to donate to his crowdfunded legal defence, on which he says he has spent more than $100,000.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Your essential guide to internet security
Security

Your essential guide to internet security

23 Sep 2020
BEC scammers using Google Forms to identify easy victims
phishing

BEC scammers using Google Forms to identify easy victims

21 Jan 2021
Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021
Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021

Most Popular

SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

12 Jan 2021