Marcus Hutchins, the man who was hailed this past May as a hero for stopping the spread of WannaCry ransomware, will be in a Las Vegas courtroom on Friday afternoon, facing Department of Justice (DOJ) charges. Hutchins stands accused of being a co-conspirator in the creation of another malware system aimed at hacking bank accounts, which the DOJ alleges occurred for a year, between July of 2014 and 2015.
He was arrested in Las Vegas on Wednesday at McCarran International Airport by FBI agents, as he waited to head back home to Britain after attending two global security conferences that ran in late July.
The 23-year-old is being charged with six counts, all relating to his alleged role in the creation and propagation of the Kronos Trojan, a software program that was aimed at bank accounts. The malware is capable of stealing banking logins and other financial information.
Hutchins was charged along with another as-yet unnamed person, whom the Justice Department accuses of uploading and selling the malware. But at least one cybercrime defense attorney doesn’t think the DOJ has a very compelling case.
Talking to the UK’s Telegraph, American attorney Tor Ekeland described the situation this way:
“By [arresting Hutchins], they’ve made the internet less safe because nobody in their right mind is likely to help the US Government stop attacks now. They’ve sent a really bad message that even if you help … stop a … major malware attack and save people millions of dollars … you could be arrested because someone you supposedly associated with supposedly sold malware for $2,000.”
Ekeland added that while Hutchins could face as much as 40 years in prison for his actions, he doesn’t think it’s likely.
“I doubt it, it would be a bizarre outcome. Is it possible? It sure is,” he noted to the Telegraph.
Shock at Arrest
Hutchins was in the US attending the Black Hat and Def Con conferences, two conventions for people interested in computer security. Seminars highlight any and all issues of interest to security and surveillance professionals, including, of course, cyber hacking, which has become the modern-day equivalent of the 18th century’s highwaymen.
Word of Hutchins’ arrest went viral and most who know him by his Twitter handle of @MalwareTechBlog were shocked, posting their disbelief via their own tweets on the social media site.
Andrew Mabbitt, founder of cyber firm Fidus Information Security, said on Twitter that he and others were trying to find him a lawyer and would be starting an online crowdfunding account.
“I refuse to believe the charges against @MalwareTechBlog,” Mabbitt said. “He spent his career stopping malware, not writing it.”
But a DOJ presser on the matter described a two-year investigation that had gathered evidence against Hutchins, including a tweet that he put out on July 13, 2014 soliciting others for a copy of the Kronos virus.
The indictment charges him with six counts, including one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavoring to intercept electronic communications, and one count of attempting to access a computer without authorization.
Depending on Hutchins’ plea on Friday, he could remain in Las Vegas or be transferred to Wisconsin, where the DOJ brought the charges, according to Ekeland. If the latter, the attorney (who is not representing Hutchins as we go to press) says it could take anywhere from a few months to as long as three years to come to trial. He adds that he doubts Hutchins will be allowed to post bail, given his foreign national status and the potential for flight risk.