Marcus Hutchins, a British cybersecurity researcher awaiting trial in the U.S. for felony hacking charges, was named in a superseding indictment Tuesday with new counts including lying to investigators.
The four new criminal counts filed by prosecutors in the U.S. Attorney’s Office for the Eastern District of Wisconsin add to the six unsealed last summer against Mr. Hutchins, 23, weeks after he was praised for activating a “kill switch” that disabled WannaCry, a debilitating computer virus U.S. and its allies have linked to North Korea.
A native of Devon, U.K. also known as “Malwaretech,” Mr. Hutchins was arrested at Las Vegas International Airport last August and accused of creating and distributing Kronos, a computer virus unrelated to WannaCry designed to steal banking credentials. He pleaded not guilty and was freed on bail, albeit relegated to the U.S. for the last 10 months awaiting trial and a potential prison sentence.
Prosecutors this week brought three new hacking charges against Mr. Hutchins as well as one count of lying to investigators in violation of federal law.
Separate from Kronos, prosecutors now allege Mr. Hutchins also sold and developed “UPAS KIT,” another type of malware marketed to “install silently and not alert antivirus engines,” according to the updated indictment. Mr. Hutchins allegedly created UPAS Kit and gave it to someone identified in the indictment as “Individual A” who in turn sold it in July 2012 to a person located in the Eastern District of Wisconsin, prosectors said Tuesday.
Prosecutors also alleged in the new indictment that Mr. Hutchins and Individual A later worked together on Kronos and conspired to monetize the malware by promoting it with a YouTube video. The two maintained Kronos through at least February 2015, according to the indictment, when Mr. Hutchins allegedly discussed updating it during an internet chat with a third person identified in the indictment as “Individual B.”
Mr. Hutchins was asked about Kronos when he was interrogated after his arrest, and he told investigators at the time that he only knew his computer code was being used for the banking Trojan when he dissected the malware in 2016 – “a materially false, fictitious and fraudulent statement” since he had boasted about it online, prosecutors alleged in the new indictment.
“We are disappointed the government has filed this superseding indictment, which is meritless. It only serves to highlight the serious flaws in this prosecution,” defense attorneys told The Washington Times in a statement Wednesday. “We expect Marcus to be vindicated and then he can return to doing what he loves: keeping us all safe from malicious software.”
“Spend months and $100k+ fighting this case, then they go and reset the clock by adding even more [expletive] charges like ’lying to the FBI’,” Mr. Hutchins said Wednesday through his Twitter account. “Legal and emotional pressure doesn’t really work on me, why not save a couple of years and try waterboarding instead?”
The latest development in the case came a week after attorneys for Mr. Hutchins filed a motion asking the court to suppress the statements he made about Kronos immediately after his arrest to investigators and in a jail house phone call afterwards. Defense attorneys previously argued that the interrogation should be suppressed since Mr. Hutchins was drunk and tired at the time, and “did not sufficiently understand any warnings he may have been given or rights being waived.”
WannaCry infected computers in over 150 countries before Mr. Hutchins stopped it by activating a “kill switch” of sorts. The U.S., U.K. and Australia have subsequently blamed the outbreak on the North Korean government.
• Andrew Blake can be reached at ablake@washingtontimes.com.
Please read our comment policy before commenting.