The British IT expert hailed a hero for foiling ‘the biggest ransomware offensive in history’ has appeared in a US court over allegations that he confessed to creating an illegal computer code to harvest people’s bank details.
23-year-old Marcus Hutchins won global fame in May, after working from a room in the house he shares with his parents in Devon to defeat the WannaCry ransomware attack, which had crippled the NHS and spread to computers in 150 countries.
But on Friday, he was led into a Las Vegas courtroom wearing a prison-issue jumpsuit to hear claims he created another form of malware called Kronos, and then conspired between July 2014 and July 2015 to advertise and sell it on internet forums.
If convicted, he could face up to 40 years in a US jail.
Alleging that Hutchins had confessed during a police interview, prosecutor Dan Cowhig told the court: “He admitted he was the author of the code of Kronos malware, and indicated he sold it.”
Mr Cowhig claimed that Hutchins – known in cybersecurity circles as MalwareTech – and his unnamed co-defendant, thought to be still at large, were found out in a sting operation involving undercover officers buying the code.
Prosecutors claim the software was sold for 2,000 dollars (£1,522) in digital currency in June 2015.
Other evidence came from chat logs where Hutchins complained to the co-defendant that he did not receive a fair share of the money, Mr Cowhig said.
Hutchins, however, is expected to deny all six charges against him.
He retains widespread support among the cybersecurity and IT community, some of whom have expressed serious concerns about what is thought to have been a two-year FBI operation against him.
Speaking outside court, computer law expert Tor Ekeland said: “This is a very, very problematic prosecution, and I think it’s bizarre that the United States government has chosen to prosecute somebody who’s arguably their hero in the WannaCry malware attack, and who’s potentially saved lives and thousands, hundreds of thousands, if not millions, of dollars over the sale of alleged malware.”
Claiming the prosecution had only offered flimsy evidence so far, Mr Ekeland said he found it striking that the indictment didn’t allege any financial loss to any victims – or in any way identify them.
“The only money mentioned in this indictment is ... for the sale of the software,” he said.
His concerns were echoed by Kurt Opsahl, deputy executive director of digital civil liberties group the Electronic Frontier Foundation, which is helping Hutchins with his defence case.
Mr Opsahl said outside court: “Security researchers are vital to protecting the computers we rely upon every day. Mr Hutchins’ arrest has unfortunately deepened the divide between the research community and the government.”
Hutchins was arrested on Wednesday as he prepared to return home from Las Vegas, after attending the Def Con convention for computer security professionals.
He smiled to the press packing the public gallery as he was led into the court on Friday, dressed in bright orange Crocs shoes and a yellow jumpsuit with the word “detainee” stamped on the back.
He spoke softly as he answered procedural questions and confirmed his identity.
District Judge Nancy Koppe ordered his release on bail, saying he has no criminal history and the allegations date back two years.
She was also impressed by letters from cybersecurity colleagues.
Despite being granted bail, Hutchins will not be released until Monday because his supporters and family were unable to raise the 30,000 dollars (£23,000) bond money in the brief period between the hearing ending and the court closing on Friday afternoon.
The conditions of his bail are that he cannot access the internet, must be monitored by GPS, surrender his passport and only reside in Clark County, Nevada, or within the Eastern District of Wisconsin where he will appear in court on Tuesday.
Hutchins, who works for Los Angeles-based computer security firm Kryptos Logic, is expected to formally enter his pleas at Tuesday’s hearing.
After Friday’s court appearance, Hutchins’ lawyer Adrian Lobo said her client was innocent.
“He has dedicated his life to researching malware, not trying to harm people,” she said. “What he has done is use the internet for good.
“He was completely shocked [by his arrest]. He came here for a work-related conference. He was fully anticipating to go back home and had no reason to be fearful of coming or going from the US.”
Hutchins’ mother Janet has said she was “outraged” by the arrest, stressing that it was “hugely unlikely” her son was involved because he spends much of his time combating malware attacks.
Hutchins has also been backed by his local MP. Peter Heaton-Jones, the Conservative MP for North Devon, has written to Foreign Office minister Sir Alan Duncan to seek assurance that Hutchins is receiving adequate consular assistance.
He acknowledged the UK cannot interfere with the American proceedings and said he has made no judgement about the guilt of Hutchins, but added: “People who know him in Ilfracombe, and in the wider cyber-community, are astounded at the allegations against him.
“This is particularly so given his role in helping to protect the NHS, and many other institutions, from what could have been a devastating cyber-attack just a few months ago.”
Join our new commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies