If Marcus Hutchins is found guilty in the United States of creating and selling malware, other cyber security warriors would not dare infiltrate hacker forums or investigate malware for ethical reasons, experts believe.
Marcus Hutchins has been described by his friends as an ethical cyber security warrior who would never sell malware for financial gain.
Marcus Hutchins will be produced in a court in Milwaukee later today on charges of creating and spreading malware for financial gain. He was arrested in Las Vegas earlier this month by the FBI while on his way back to London after attending a cyber security conference in the city.
Hutchins is accused of actively creating and selling Kronos, a banking malware that was used between July 2014 and July 2015 by hackers to steal banking passwords and financial data. The malware can be injected into devices since it can disguise itself as legitimate software, thereby avoiding malware detection mechanisms in various operating systems.
It has been alleged that Hutchins and his accomplice, who has also been arrested, charged between $2,000 (£1,523) and $3,000 (£2,284) for each Kronos malware sample. By doing so, he violated the Computer Fraud and Abuse Act, aided and abetted a hacking attempt and advertised wiretapping devices.
However, the cyber security community is not amused. Those who have worked with Hutchins in the past describe him as an ethical cyber security warrior for whom financial gain was never a major priority. Jake Williams, a malware researcher who worked with Hutchins in 2015, told the Guardian that Hutchins refused to take any money from him after helping him create an education programme focussed on malware.
Following his arrest, Hutchins’ mother also expressed ‘outrage’ over his indictment and said that he was a dedicated malware researcher who spent enormous amounts of time researching and combating malware attacks. A number of his friends have said that his passion was always to find malware and not to create it.
According to several news reports, Hutchins also donated the $10,000 that he received as a gift from HackerOne to charity after he found the kill switch for the WannaCry ransomware that severely impaired operations at the NHS and other institutions.
A number of cyber security experts are implying that Hutchins’ arrest could be a result of mistaken identity. According to Ryan Kalember, a security researcher at Proofpoint, malware researchers have to dig deep and interact in malware-selling forums to find out what they need to know. As such, they end up leaving as much of a footprint as any other malware developer or seller.
“This could very easily be the FBI mistaking legitimate research activity with being in control of Kronos infrastructure. Lots of researchers like to log in to crimeware tools and interfaces and play around. It’s not an uncommon thing for researchers to do and I don’t know if the FBI could tell the difference,” he said.
Considering that Hutchins is now a prime suspect thanks to his longstanding research on malware and other forms of trojans, his indictment will come as a rude shock to the ethical hacking community. Almost all ethical hackers who have discovered malware in the past had to infiltrate the Dark Net to find the sources and language of such malware and what it could do. Just because an ethical hacker has evaluated a piece of malware, it doesn’t necessarily mean that he created it or abetted its distribution.
“MalwareTech’s (Hutchins’) business and job is around finding, reversing and analysing malicious software (malware) and finding the techniques used. This includes monitoring “dark web” websites, where covert identities are used to gain access — as is common across the security industry,” wrote Kevin Beaumont, a cyber security researcher in the UK, in a blog post.
“On a personal note, I am withdrawing from dealing with the NCSC and sharing all threat intelligence data and new techniques until this situation is resolved. This includes through Cyber Security Information Sharing Partnership.
“Many of us in the cyber security community openly and privately share information about new methods of attacks to ensure the security for all, and I do not wish to place myself in danger,” he added.