British security researcher Marcus Hutchins, who was indicted and arrested last summer for allegedly creating and conspiring to sell the Kronos banking trojan, now faces four additional charges. Hutchins, also called MalwareTech and MalwareTechBlog, is well-known in the security community for slowing the spread of WannaCry ransomware[1] as it tore through the world's PCs in May 2017. And as the months have dragged on since his indictment—he has been living in Los Angeles on bail—the latest developments in the case have stoked further fears among white hat hackers that the Department of Justice wants to criminalize their public interest research.
Wednesday's superseding indictment[2], which ups the total number of charges Hutchins faces to 10, alleges that in addition to Kronos, Hutchins also created a hacking tool called UPAS Kit, and sold it in 2012 to a coconspirator known as "VinnyK" (also called "Aurora123" and other monikers). Prosecutors also assert that Hutchins lied to the FBI during questioning when he was apprehended in Las Vegas last year. The original Hutchins indictment listed a redacted defendant along with Hutchins; the superseding indictment only lists Hutchins, which indicates to some observers that a shift has occurred.
"Back when Hutchins was originally indicted I thought there was a possibility that he might be cooperating and that he might get favorable treatment because of WannaCry. Now that seems way more unlikely," says Marcus Christian, a cybersecurity-focused litigation partner at the firm Mayer Brown, who was previously a prosecutor in the Florida US Attorney’s Office. "It’s usually a bad sign when they’re charging additional crimes, particularly when one has to do with lack of honesty, so there could be someone else who's cooperating."
One of Hutchins' lawyers, Brian Klein, said in a tweet[3] on Wednesday that