WannaCry Hero Loses Key Motions in Hacking Case

Judge Says 'Terrible Hangover' Didn't Fuzz Suspect's Miranda Rights Clarity

(jeremy_kirk) • February 15, 2019

Marcus Hutchins, pictured on July 26, 2017, while attending the Black Hat conference in Las Vegas. (Photo: NorthSec)

A famed British computer security researcher has lost several key motions in a federal hacking case that stems from his alleged contribution to two types of banking malware.

The rulings mean that statements made by Marcus Hutchins, 24, of Devon, England, during questioning by FBI agents at a Las Vegas airport can be entered into testimony. Hutchins' defense team challenged the validity of the interrogation on the grounds that he was intoxicated and unfamiliar with U.S. legal procedures.

His defense against the charges may now be more difficult. Hutchins was arrested on Aug. 2, 2017, just before he was to fly back to the U.K. after attending the Black Hat and Def Con security conferences. He is accused of developing and distributing Kronos and UPAS Kit, two types of banking malware, between 2012 and 2015.

Agents escorted him from an airport lounge and handcuffed him. Hutchins admitted to developing code for the banking malware, but denied having a larger role. Hutchins also made two phone calls, both of which were recorded, in which he made further incriminating statements.

Image: An excerpt from a phone call Hutchins made following his arrest in August 2017

Hutchins was indicted by a grand jury in July 2017 on 10 counts of computer-related violations. The case is being heard in federal court in Wisconsin.

Before he rose to fame, Hutchins was known in computer security circles for his deep analysis of malware via his Twitter account, MalwareTechBlog. In May 2017, Hutchins used his expertise to defang WannaCry, a ransomware worm that rapidly spread across the world.

Hutchins discovered WannaCry had been coded in such a way that he could effect a "kill switch" that would cause the malware to stop running if a certain domain name was live. He registered the domain, thus stopping additional computers from being infected.

As a result, Hutchins lost his low profile and suddenly became the subject of worldwide media attention, which he appeared to accept reluctantly but with grace. His world flipped again, however, following his arrest (see: WannaCry 'Accidental Hero' Denies FBI Charges).

'Terrible Hangover'

Hutchins' attorneys filed a motion to suppress the statements he made after his arrest. They challenged whether his Miranda rights were clearly presented and whether Hutchins understood those rights.

They also contended Hutchins was intoxicated at the time of questioning. But FBI agents followed Hutchins the day of his arrest to ensure he had not been drinking prior.

U.S. District Court Judge J.P. Stadtmueller found that Hutchins did voluntarily waive his Miranda rights, even if he had come off several days of partying at the security conferences. Although Hutchins was "clearly confused" about the questioning, he knew it had to do with Kronos, Stadtmueller writes.

Image: Judge Stadtmueller's ruling

"There is also no evidence, nor does Hutchins claim, that he was under the influence of drugs that day - only that he was exhausted," Stadtmueller writes. "But a terrible hangover alone does not, as a matter of law, render someone unable to exercise or waive their Miranda rights."

Stadtmueller did note, however, that during questioning, Hutchins appeared to be unaware he'd been indicted, because agents had apparently not told him that during his arrest. He also wasn't immediately provided with the arrest warrant.

"There is no reason why the government could not have told him exactly why he was arrested, as he requested, and as was required of them by Federal Rule of Criminal Procedure 4(c), unless they were concerned that he would not be cooperative with them," the judge writes. "There is certainly an element of deception to this set of events that the court does not endorse."

Even considering Hutchins' tired state, however, "the government has met its burden in proving that the waiver was voluntary," Stadtmueller writes. The judge also denied several other motions that sought to dismiss charges.

Psychological Toll

Hutchins has developed a large and loyal Twitter following. He continues to track botnets, runs the Malware Tech blog and occasionally holds live video workshops showing techniques for reverse-engineering malware. He's also been allowed to continue to work and remains employed by Kryptos Logic in Los Angeles.

Hutchins demonstrates his sharp sense of humor on his Twitter feed, but he occasionally references the psychological toll that's come from the criminal case, which he's been fighting for 18 months.