Image: Lorenzo Franceschi-Bicchierai

Why Is the FBI Really Going After the Researcher Who Stopped WannaCry?

An attempt to connect the dots between the FBI's surveillance tools, WannaCry, Marcus Hutchins, and Kronos.

|
Sep 7 2017, 1:30pm

Image: Lorenzo Franceschi-Bicchierai

The first thing the FBI would have likely done when it received a lead about a security researcher named "MalwareTech" saving the world from the global WannaCry worm would be to search its federated databases for any information it already held on him. According to public reports, such a "back door search" is standard operating procedure—and it might explain a lot that doesn't seem to make sense about the prosecution of Marcus Hutchins.

"When an FBI agent or analyst initiates a criminal assessment ... it is routine practice," according to a 2014 oversight report on FISA Section 702, "to conduct a query of FBI databases in order to determine whether they contain information on the subject of the assessment." This passage revealed, for the first time, how common back door searches are.

The transcript of a 2015 FISA court hearing released earlier this year went further, likening FBI's searches to Google searches. "[T]hese systems are queried on such a routine basis, these federated systems in some ways are FBI's Google of its lawfully acquired information," described a DOJ official whose identity was redacted. The DOJ official explained that such queries are "the way that the FBI, looking at its lawfully acquired information, makes its initial determinations about whether further investigation, which often involves further more privacy invasive steps, is warranted or not."

Among the reasons FBI does assessments are to find out what role someone might have played in a particular crime, to collect foreign intelligence, or to find out if a person would be a useful informant.

The reminder that FBI routinely searches databases full of electronic surveillance when it gets new leads may provide an explanation for many of the questions surrounding the prosecution of Marcus Hutchins, better known as MalwareTech. Hutchins is the researcher who dramatically minimized the impact of the global WannaCry worm by finding what some called a killswitch and creating a sinkhole that neutralized most WannaCry attacks, only to get busted by the FBI a few months later. At the time, Hutchins wrote that the effectiveness of this strategy was unexpected—the blog post he wrote to explain it was called "how to accidentally stop a global cyber attack."

Hutchins was arrested in Las Vegas on August 3 as he was leaving after the Black Hat and Def Con hacking conferences on six charges in an July 11 indictment. The charges include one count of conspiracy to violate the Computer Fraud and Abuse Act (CFAA), four counts of electronic surveillance, and one count of CFAA, which prohibits unauthorized access to a computer. Hutchins pleaded not guilty to all of these charges.

Image: Privacy and Civil Liberties Oversight Board

The charges are associated with the June 2015 sale, for $2,000, of a malware named Kronos, a tool used to steal banking credentials that most researchers barely remembered when Hutchins' arrest got announced. Even the US government's press release announcing the arrest describes Kronos as targeting victims outside of the United States: in Canada, Germany, Poland, France, and—most importantly—the UK, where Hutchins is from. The list of non-US victims raises questions why Hutchins would be prosecuted in the US, or even if it such a prosecution is constitutional.

There's a lot about his prosecution that, on first glance, appears to make no sense.

To be sure, there were several aspects of Hutchins' arrest that are quite typical of criminal prosecutions. The United States often arrests alleged foreign criminals, including hackers, when they're in a convenient jurisdiction to make use of extradition treaties or avoid extradition battles altogether. By arresting Hutchins while in Las Vegas, the US avoided the drawn-out extradition process it is still fighting with Lauri Love, a British hacker indicted in three different US jurisdictions starting in 2013.

That seems to be part of the reasoning behind this whole case. British spooks knew Hutchins would get arrested while in the US, according to an anonymous source quoted a Sunday Times story. "Our US partners aren't impressed that some people who they believe to have cases against [them] for computer-related offences have managed to avoid extradition," the source was quoted as saying.

It also avoids (at least for the moment) having to explain why the US should prosecute Hutchins, rather than the UK, where there are known victims of the malware.

By taking Hutchins into custody without warning, the FBI also managed to interview the researcher without an attorney (the circumstances around Hutchins' consent for that interview remain unknown). The government claims that in that interview, Hutchins "admitted that he was the author of the code that became the Kronos malware and admitted that he had sold that code to another." That's not the same as admitting he wrote the Kronos malware, which is what the indictment accuses, but it should make any prosecution easier, if his attorneys can't get the statement thrown out.

Why would the government go after the unwitting hero of the public-private effort to contain WannaCry?

Finally, in his initial bail hearings in Las Vegas, the government attempted to keep Hutchins in custody. Most cynically, in addition to all the standard things the government points to to argue someone might be a flight risk (such as, in Hutchins' case, that he has no ties to the US and the financial wherewithal to flee), they pointed to the fact that Hutchins tweeted about going to "firearms ranges twice and used firearms there," as if shooting guns as a tourist in Las Vegas makes him more dangerous to the US.

Nevada District judge Nancy Koppe appeared as unimpressed with the firearms insinuation as the suggestion Hutchins might skip town, and released him on $30,000 bond. She pointedly asked "why it took two years to indict him" if he is a danger to the community. That is a particularly salient question, given that Hutchins was in Las Vegas for Def Con last year but the government didn't deem his alleged 2015 crimes urgent enough, at that point, to arrest him.

All of which is to say the US government treated Hutchins like they treat most alleged criminals, using the tools available to gain maximal leverage over the defendant which, in the vast majority of cases, leads the defendant to accept a plea deal to avoid the time, expense, and higher criminal penalties associated with a trial. Because he had broad support from his community, including his boss at Kryptos Logic in Los Angeles, Salim Neino, Hutchins managed to get released on bail, which a lot of defendants can't do.

The sheer normalcy of the coercive treatment the government subjected Hutchins to raises the larger question. Why—particularly at a time when the US and UK are prioritizing cooperation on cybersecurity issues with the private sector—would the government go after the unwitting hero of the public-private effort to contain WannaCry in May? Why would the US government poison relations with the security community by responding to an act of accidental heroism with a seemingly petty prosecution?

There are also questions about why this prosecution was prioritized over other potential prosecutions. The prosecution closely followed the government's seizure of AlphaBay, a dark web marketing site that the FBI shut down on July 5, and where, according to Hutchins' indictment, his co-defendant sold the Kronos malware back in June 2015. The FBI's descriptions of the AlphaBay takedown emphasize what a huge marketplace it was, with over 350,000 combined product listings, many of which might yield criminal prosecutions. FBI Special Agent Nicholas Phirippidis described, "Conservatively, several hundred investigations across the globe were being conducted at the same time as a result of AlphaBay's illegal activities." Both the FBI and Europol Executive Director Robert Wainwright describe how much international cooperation the bust took, involving (among other foreign entities) the UK and Europol, meaning authorities where Hutchins lives worked with the US on the shut-down.

Hutchins was indicted on July 11, less than a week after authorities seized AlphaBay servers around the world. Nothing identified to date in the case suggests evidence from seized servers was necessary to the indictment.

Out of the "several hundred" investigations cited by Phirippidis, other publicly known active US prosecutions arising out of AlphaBay sales involve clear American victims and perpetrators: a person in California suspected of paying an Israeli teenager to phone and email bomb threats to Jewish Community Centers around the country; a group that fulfilled over 78,000 marijuana orders over the last two years making them largest vendor on AlphaBay; a transaction that led to the fentanyl overdose death of an 18-year old girl in Oregon; another transaction that led to a fentanyl overdose death, this time of a 24-year old Orlando woman; a fentanyl vendor suspected of making over $120,000 in profits who is tied to a non-lethal overdose; an investigation out of Atlanta into a still unidentified American who worked for AlphaBay. Other, earlier prosecutions, include the sales of heroin, fentanyl, and marijuana laid out in the indictment of AlphaBay's head, Alexandre Cazes.

One AlphaBay vendor pled guilty in 2016 to selling hacked banking credentials; while those charges are the most similar to Hutchins', the indictment not only names the bank—Atlanta's SunTrust—but identifies five known victims.

Given the government's silence about any American victims, it may be that Hutchins got indicted in Milwaukee because the law enforcement agents who purchased the malware (identified as such in Hutchins's Las Vegas hearing) were in the district. That's why Cazes was indicted in Fresno: the 12 purchases used to substantiate the indictment against him were all made in the Eastern District of California. Like Hutchins, Cazes (who died in an apparent suicide after being arrested in Thailand) was neither a US citizen nor in the US at the time he was indicted.

"It is unusual for someone accused of the type of computer crimes Mr. Hutchins has been accused of to have unconditional access to his computer"

One other detail about Hutchins's case raises questions. After aggressively seeking to deny Hutchins bail in Las Vegas, the government willingly acceded to lifting a number of his bail restrictions at a hearing in Milwaukee on August 14. The same Wisconsin-based team that dug up Hutchins's tweets about trips to gun ranges in Las Vegas in an attempt to paint him as a physical threat agreed, without contest, at Hutchins' arraignment to let him await trial in Los Angeles. They also didn't contest a provision that allows him to access computers and the internet for both work and personal usage (though after agreeing at his arraignment that Hutchins might eventually be taken off GPS monitoring, the government has since objected to a change in his bail conditions to let him travel freely during the day.)

Defendants accused of computer-related crimes are rarely permitted to use computers and access the Internet. "While pre-trial release conditions vary according to the jurisdiction and judge," US computer law attorney Tor Ekeland told me, "it is unusual for someone accused of the type of computer crimes Mr. Hutchins has been accused of to have unconditional access to his computer while trial is pending." At the arraignment, Prosecutor Michael Chmelar explained his willingness to alter bail conditions because Hutchins's alleged crimes were "historic," meaning that the government is not alleging he is still engaged in criminal activity and doesn't consider him a threat to the public.

The government's sole restriction on that computer access—something his defense attorneys, Marcia Hofmann and Brian Klein, themselves readily agreed to—is that he not touch the WannaCry sinkhole he set up back in May. Hutchins' lawyers would not comment for this article.

The government is not worried that Hutchins will start hacking (or helping others hack) banking credentials on the Internet. It is worried that something might happen to the WannaCry sinkhole, which suggests his arrest in 2017 (after not arresting him in 2016) has as much to do with the WannaCry outbreak as it does a little-used piece of malware.

Which brings us back to the FBI's routine practice of checking its databases, including electronic surveillance, when it gets new leads in a case. The federated repositories FBI routinely searches to assess leads include information from foreign intelligence reports and from FBI's own case files (presumably including the ones on that 2015 purchase of Kronos malware, though many of the AlphaBay prosecutions have started with a purchase made by a Homeland Security Investigator), according to the 2015 FISA Court hearing. Since January, the FBI has also been permitted to ask NSA for raw data the spy agency collects overseas, authorized by Executive Order 12333. The FBI declined to comment for this article.

In addition to the evidence presented in the indictment, the government has described the other evidence it will present that, it claims, proves Hutchins has a role in the Kronos malware.

First, there are chat logs: "Among the evidence that the Government will present at his trial," explained Daniel Cowhig, the prosecutor who argued against granting Hutchins bail in Las Vegas, "will be that there are chat logs in which Mr. Hutchins discusses with an associate the sale of the Kronos banking trojan." Cowhig went on to describe the chat logs showing Hutchins agreeing to split the proceeds of the Kronos trojan, but complaining about the amount of money that he received for the sale of it. The chat logs also refer to a key allegation in the indictment — that the associate asked Hutchins to update the Kronos banking trojan. At a status conference, the government described Jabber chats involving Hutchins—apparently collected by the Wisconsin district—as well as statements to him "from another internet forum seized by the government in another District."

The FBI is seeing a picture of Hutchins that is vastly different than the public

The latter detail is key. It suggests Hutchins' name shows up in chats obtained in an investigation in some other district. Just one alias for Hutchins—his widely known "MalwareTech"—is mentioned in the indictment. None of the four or more aliases Hutchins may have used, mostly while still a minor, was included in the indictment, as those aliases likely would have been if the case in chief relied upon evidence under that alias.

Presuming the government's collection of both sets of chat logs predates the WannaCry outbreak, if the FBI searched on Hutchins after he sinkholed the ransomware, both sets of chat logs would come up. Indeed, so would any other chat logs or—for example—email communications collected under Section 702 from providers like Yahoo, Google, and Apple, business records from which are included in the discovery to be provided in Hutchins' case in FBI's possession at that time. Indeed, such data would come up even if they showed no evidence of guilt on the part of Hutchins, but which might interest or alarm FBI investigators.

There is another known investigation that might elicit real concern (or interest) at the FBI if Hutchins's name showed up in its internal Google search: the investigation into the Kelihos botnet, for which the government obtained a Rule 41 hacking warrant in Alaska on April 10 and announced the indictment of Russian Pyotr Levashov in Connecticut on April 21. Eleven lines describing the investigation in the affidavit for the hacking warrant remain redacted. In both its announcement of his arrest and in the complaint against Levashov for operating the Kelihos botnet, the government describes the Kelihos botnet loading "a malicious Word document designed to infect the computer with the Kronos banking Trojan."

Hutchins has tracked the Kelihos botnet for years—he even attributes his job to that effort. Before his arrest and for a period that extended after Levashov's arrest, Hutchins ran a Kelihos tracker, though it has gone dead since his arrest. In other words, the government believes a later version of the malware it accuses Hutchins of having a hand in writing was, up until the months before the WannaCry outbreak—being deployed by a botnet he closely tracked.

There are a number of other online discussions Hutchins might have participated in that would come up in an FBI search (again, even putting aside more dated activity from when he was a teenager). Notably, the attack on two separate fundraisers for his legal defense by credit card fraudsters suggests that corner of the criminal world doesn't want Hutchins to mount an aggressive defense.

All of which is to say that the FBI is seeing a picture of Hutchins that is vastly different than the public is seeing from either just the indictment and known facts about Kronos, or even open source investigations into Hutchins' past activity online. The FBI has a collection of data—all collected by targeting specific suspected criminals or intelligence targets, and therefore removed from any context, including that of a malware researcher—in its coffers. And it would have been routine for the Bureau to consult that collection in May when it tried to figure out what role Hutchins had in the WannaCry outbreak.

Update: An earlier version of this story stated that Hutchins had "accidentally" set up a sinkhole for WannaCry. In reality, what was accidental was that sinkholing the domain was enough to halt the malware.

Get six of our favorite Motherboard stories every day by signing up for our newsletter.