A cybersecurity researcher who helped stop a ransomware attack on thousands of computers in the U.K. and Spain was arrested in Las Vegas, Nevada, Aug. 3 on unrelated charges.
Marcus Hutchins, 23, was arrested at the Las Vegas airport in connection with another attack involving hacking software, according to The New York Times. The charge contends Hutchins and another accomplice created software with the intent to steal login information to gain access to financial data and other sensitive material.
Hutchins is perhaps best known for his role in stopping the WannaCry outbreak of malicious software in the U.K. and Europe. The WannaCry malware outbreak seized thousands of Microsoft Windows computers, demanding Bitcoin currency as payment to unlock the computer. The National Health Service in the U.K. was severely compromised in the attacks.
Hutchins was able to gain access to a "killswitch" in the malware's code, with then triggered the shutdown of the entire WannaCry process. Hutchins admitted after he'd disabled the malware that his true intent was not to destroy the software but rather to track its progress.
The software Hutchins and an accomplice allegedly created and sought to sell, dubbed Kronos, was promoted as having the ability to steal confidential information from ATMs, such as PINs and other sensitive financial data. Kronos first surfaced on an underground Russian website with an asking price of $7,000.
According to Motherboard, Hutchins appeared to be in the custody of the FBI in connection to his arrest. He was originally detained at a nearby facility before being transferred to another. Those close to Hutchins have not been in contact with him and fear for his safety.
"At this point we've been trying to get in contact with Marcus for 18 hours and nobody knows where he's been taken," a friend of Hutchins' said. "We still don't know why Marcus has been arrested and now we have no idea where in the U.S. he's been taken to and we're extremely concerned for his welfare."
A U.S. Marshal source confirmed to Motherboard that Hutchins' arrest was not in connection with its own affairs but rather that of the FBI.
Hutchins is from the U.K. and was visiting Las Vegas for various cybersecurity conferences when he was detained. He serves as a researcher for a Los Angeles-based cybersecurity firm, according to The Times.
"The maximum statutory sentence he could face is decades, roughly 40 years," said Tor Ekeland, a specialized lawyer in cyber crimes, to The Telegraph. "Would he get that? I doubt it, it would be a bizarre outcome. Is it possible? It sure is."