MalwareTech’s FBI-Induced Tour to Milwaukee, WI

On Friday, WannaCry hero Marcus Hutchins (AKA MalwareTech) was granted bail by a Las Vegas judge; he will pay his bail on Monday, then have to travel, without a passport to show TSA, to Milwaukee for a court appearance Tuesday (I’m contemplating hopping the ferry for the hearing).

I’d like to focus on the venue, how it is that a British malware researcher came to be charged in Flyover USA for the crime of making malware.

Thomas Brewster-Fox wrote an important piece on Friday trying to figure out what a lot of people have been asking: what is Kronos, which a lot of researchers never really heard of. He notes that the malware was a bust in the criminal malware market.

The reduced price hints at another truth about Kronos: it was largely a failure amongst serious cybercriminals. There was early anticipation in 2014 it could go big, as prolific and profitable as one of its forbears, the banking malware known as Zeus. In an email to your reporter from RSA’s Daniel Cohen in 2014, he wrote: “Waiting to see whether Kronos turns into something. At this point it’s just a post on a forum, no sample or binary yet. It could be an interesting development if it does, as it would point to more movement away from the Zeus code.”

In the last 24 months, according to IBM global executive security advisor Limor Kessem, the Trojan emerged with a hefty $7,000 price tag in mid-2014, but actual attacks didn’t launch until the third and fourth quarter of 2015, when the company saw some Kronos malware campaigns hitting UK banks. “But after that timeframe, have not seen much more activity from the malware,” Kessem told Forbes.

“The very last time we saw Kronos activity was a small campaign in November 2016, when Kronos infected a very small number of machines mostly in Brazil, the UK, Japan, and Canada. At that particular time, we did not see fraudulent activity from Kronos, but rather, believe it was used a loader for other malware.

Importantly, IBM global executive security advisor Limor Kessem names the few places where the malware has been deployed: Some UK banks in the last two quarters of 2015 and then, in altered form and function, in a “very small number of machines” in Brazil, UK, Japan, and Canada.

So: UK, Brazil, UK, Japan, and Canada.

Not the US, as far as Kessem notes.

And in fact, the most commonly cited victim, the UK, is where Hutchins is from! Yet among the things the British National Cyber Security Centre — the folks who worked closely with Hutchins as he saved a bunch of NHS hospitals from being shut down due to the WannaCry malware — has been really circumspect about since Hutchins’ arrest is what the case is doing over here in the States.

We are aware of the situation. This is a law enforcement matter and it would be inappropriate to comment further.

So why are we seeing this case in the US — in Milwaukee, of all places?!?! — rather than in the UK where some of its few victims are?

The indictment against Hutchins includes just two actions he is alleged to have taken personally.

Defendant MARCUS HUTCHINS created the Kronos malware. (¶4a)

[snip]

In or around February 2015, defendants MARCUS HUTCHINS and [redacted] updated the Kronos malware. (¶4d)

All the other overt actions described in the indictment were done by Hutchins’ as yet unknown (even to him, per reports!) and still at-large co-defendant. That includes this action:

On or about June 11, 2015, defendant [redacted] sold a version of the Kronos malware in exchange for approximately $2,000 in digital currency. [emphasis mine]

Most the other charges — counts three through six — cite that June 11 sale. So it’s that sale, in which Hutchins was not alleged to be involved and the alleged perpetrator of which hasn’t yet been arrested, that seems to be the core of the crime.

This Beeb article, by far the most detailed accounting of Hutchins’ arraignment, provides these details.

Prosecutors told a Las Vegas court on Friday that Mr Hutchins had been caught in a sting operation when undercover officers bought the code.

They claimed the software was sold for $2,000 in digital currency in June 2015.

Dan Cowhig, prosecuting, also told the court that Mr Hutchins had made a confession during a police interview.

“He admitted he was the author of the code of Kronos malware and indicated he sold it,” said Mr Cowhig.

The lawyer claimed there was evidence of chat logs between Mr Hutchins and an unnamed co-defendant – who has yet to be arrested – where the security researcher complained of not receiving a fair share of the money.

From this, it might be safe to assume that some law enforcement officer, possibly working undercover in the Eastern District of WI, bought a bunch of shit off AlphaBay in 2015, including a copy of (a version of) the Kronos malware. The purchase (and the version of code) wasn’t sufficiently interesting last year to arrest Hutchins when (I believe) he came for the Las Vegas cons.

Nor was it interesting enough to the UK, where some of Kronos’ few victims are, to prosecute the sale (which, because conspiracy laws are not as broad as they are here in the US, might not have reached Hutchins in any case, and certainly wouldn’t have exposed him to decades of incarceration).

But this year, in the days after the Alpha Bay seizure (and several months after Hutchins helped to shut down WannaCry), prosecutors presented that $2000 sale to a grand jury in ED WI, after which an arrest warrant was sent out to Las Vegas, just in time to arrest Hutchins on his way out of the country, after most the unruly hackers had departed from Las Vegas.

Arresting Hutchins only as he left — and playing whack-a-mole moving him from one detention center to another — gave authorities the opportunity to interview Hutchins without an attorney, where — prosecutor Dan Cowhig claims, Hutchins “made a confession,” — not that he “created the Kronos malware,” which is what the indictment alleges, but instead that he “was the author of the code of Kronos malware.” That “confession” sounds like the kind of thing an overly helpful person might explain if asked to explain this tweet in circumstances where he didn’t have a lawyer.

So here’s what may be going on.

In the aftermath of the AlphaBay seizure, authorities in the US decided to wade through what they could charge from past purchases off the marketplace, and either remembered or stumbled on this remarkably minor sale. Perhaps because of Hutchins’ fame, or perhaps because someone is unhappy about Hutchins’ fame, it was prioritized in a way it otherwise would not have been. And, as always, the US used convenient travel as a way to nab foreign alleged hackers to pull into America’s far more onerous than its allies criminal justice system.

It’s not even clear, however, that that explains the Milwaukee venue. Recall that DOJ first charged Pyotr Levashov (and therefore first deployed its now legally sanctioned Rule 41 warrant) for the Kelihos botnet in Alaska, even though he’ll be tried in CT if he’s ever extradited to the US. The FBI reorganized the way they investigate cyber crimes in 2014 (no longer tying the investigation to the geography of the crime) and with Rule 41 and international crimes, they’ll be able to do so far more in the future. But at least with Levashov, there were victims referenced in the complaint, whereas here, the only act that may have taken place in ED WI is that purchase, if it even did.

All that said, the venue is a far less interesting question than whether the FBI really has evidence tying Hutchins to intending his code to be used for malware, or if they’ve just made a horrible mistake.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

19 replies
  1. Tawnie says:

    I see this as a form of venue cherry picking. Stick an undercover officer in a district that is mostly rural, not tech savvy, and easily scared. You get a grand jury that heard the word hacker and they indict. According to these rural folks hackers are evil because Fox News says so. Thankfully Mr. Hutchins has a great legal team that has seen this bullfuckery before.

    • bmaz says:

      Oh, you do, do you? Fine. Can you relate those facts ahead of Hutchins’ lawyers even effectively doing so?

      Because, I can guarantee you they do not even have the full facts as to jurisdiction and venue (they have barely had a freaking detention hearing), but you magically do?  Can you elaborate?

      And, honestly, you may well end up being right. But your statements, at first blush, look, well, dubious, legally, at this point.

      • Desider says:

        I’m more having fun thinking of Milwaukee (and Madison next door) as “mostly rural, not tech savvy, and easily scared” – yeah buddy, and full of beer & cheese too. Apparently Milwaukee with 1.5million metro population is flyover country and now counts about the same as Cape Girardeau, Missouri. If it ain’t LA or NY, it’s nuttin’.

        More, if they were banking on easy conviction, perhaps having Michael Chmelar as attorney won’t be quite the slam dunk this blogger thinks?

      • Avattoir says:

        Look at the EDW federal court line-up:

        GWB nom CJ Griesbach controlling assignments; a Reagan nom I wouldn’t expect to be involved; underwhelming Lynn Adelman as one of 2 Ds; Pepper the other D likely the most tech qualified of the 4 but relatively easy for Griesbach to avoid; filling out the allotment: a vacancy.

        To the extent ‘venue’ may be a motivating factor, I’d be more inclined to presume the precise opposite to Tawnie. After all, this forum would have been chosen not by Hutchins, but by DoJ.

        • bmaz says:

          Well, yeah.

          To be fair, maybe there is something not seen yet that impacts on this. Often happens.

          So far though, not so much. FBI can concentrate and locate their investigations, but it is the USA’s and AUSA’s that file the paper. Yes, wrongfully, or at least dubiously, sometimes. But not that often.

          Cross jurisdictional cases provide easy cover for this, and it is easy enough to legally do. Long before the digital cases, there were the drug cases. Nothing here that new or unique.

    • Desider says:

      Still trying to get my head around Milwaukee with 1.5million metro area known for large factories & Madison as a serious college town a few miles away as “mostly rural, not tech savvy, and easily scared”

  2. DannyD says:

    From the FBI standpoint, I see three possible strategies. Force him to become an informant, force him to assist FBI cyber army efforts, or simply as a test case for expanding the range of prosecutable offenses under the Computer Fraud and Abuse Act. Each of these have documented parallels here on Empty Wheel already. For example, Muslim travelers forced to become informants or to assist FBI sting efforts. And the expansion of CFAA to defendants who did have authorized access, or as in the AT&T case, of simply accessing a public site with no credentials whatsoever.

    Alternately, he could just as easily have been setup by the authors of WannaCry because he cancelled their party…they’ve gotta be pretty pissed that he found the kill-switch…

    Regardless of the evidence, he’s up against the DOJ, which has unlimited resources and will never drop the case…even if they’re wrong. There’s really nothing he can do now, other than cooperate and enlist in the FBI’s cyber army, go to Guantanamo quietly like a good hacker/terrorist, or ‘an hero’ while in custody in a way that might cause some low level field agent to repeat the ‘detainee handling’ class.

    Poor guy, it doesn’t pay to stand out these days.

  3. bmaz says:

    You think FBI is running this as opposed to US Atty’s offices coordinated by DOJ Main? Like FBI just hooked up with D-WI locally to blithely start an international incident?

    • emptywheel says:

      Interesting <a href=”https://www.fbi.gov/news/stories/alphabay-takedown” rel=”nofollow”>details</a> from the AlphaBay takedown announcement:

      AlphaBay reported that it serviced more than 200,000 users and 40,000 vendors. Around the time of takedown, the site had more than 250,000 listings for illegal drugs and toxic chemicals, and more than 100,000 listings for stolen and fraudulent identification documents, counterfeit goods, malware and other computer hacking tools, firearms, and fraudulent services. By comparison, the Silk Road dark market—the largest such enterprise of its kind before it was shut down in 2013—had approximately 14,000 listings.
      The operation to seize AlphaBay’s servers was led by the FBI and involved the cooperative efforts of law enforcement agencies in Thailand, the Netherlands, Lithuania, Canada, the United Kingdom, and France, along with the European law enforcement agency Europol.
      “Conservatively, several hundred investigations across the globe were being conducted at the same time as a result of AlphaBay’s illegal activities,” Phirippidis said. “It really took an all-hands effort among law enforcement worldwide to deconflict and protect those ongoing investigations.”

      So: This malware sale is just one of 100K listings for fraudulent services, including malware, one of several hundred investigations as a result of AlphaBay’s illegal activities.

      Nah, obviously it was deconflicted out of DC, had to have been. And yet one of the first sales out of the 40,000 vendors taken down is this single sale of a low-victim malware.

      Pretty fucking remarkable.

    • emptywheel says:

      Interesting details from the AlphaBay takedown announcement:

      AlphaBay reported that it serviced more than 200,000 users and 40,000 vendors. Around the time of takedown, the site had more than 250,000 listings for illegal drugs and toxic chemicals, and more than 100,000 listings for stolen and fraudulent identification documents, counterfeit goods, malware and other computer hacking tools, firearms, and fraudulent services. By comparison, the Silk Road dark market—the largest such enterprise of its kind before it was shut down in 2013—had approximately 14,000 listings.

      The operation to seize AlphaBay’s servers was led by the FBI and involved the cooperative efforts of law enforcement agencies in Thailand, the Netherlands, Lithuania, Canada, the United Kingdom, and France, along with the European law enforcement agency Europol.

      “Conservatively, several hundred investigations across the globe were being conducted at the same time as a result of AlphaBay’s illegal activities,” Phirippidis said. “It really took an all-hands effort among law enforcement worldwide to deconflict and protect those ongoing investigations.”

      So: This malware sale is just one of 100K listings for fraudulent services, including malware, one of several hundred investigations as a result of AlphaBay’s illegal activities.

      Nah, obviously it was deconflicted out of DC, had to have been. And yet one of the first sales out of the 40,000 vendors taken down is this single sale of a low-victim malware.

      Pretty fucking remarkable.

    • emptywheel says:

      Nah. Here are some details from the AlphaBay takedown announcement:

      AlphaBay reported that it serviced more than 200,000 users and 40,000 vendors. Around the time of takedown, the site had more than 250,000 listings for illegal drugs and toxic chemicals, and more than 100,000 listings for stolen and fraudulent identification documents, counterfeit goods, malware and other computer hacking tools, firearms, and fraudulent services. By comparison, the Silk Road dark market—the largest such enterprise of its kind before it was shut down in 2013—had approximately 14,000 listings.

      The operation to seize AlphaBay’s servers was led by the FBI and involved the cooperative efforts of law enforcement agencies in Thailand, the Netherlands, Lithuania, Canada, the United Kingdom, and France, along with the European law enforcement agency Europol.

      “Conservatively, several hundred investigations across the globe were being conducted at the same time as a result of AlphaBay’s illegal activities,” Phirippidis said. “It really took an all-hands effort among law enforcement worldwide to deconflict and protect those ongoing investigations.”

      So clearly deconflicted out of DC.

      Still, of all those hundreds of investigations to have only this little purchase, one out of 40K vendors, is pretty fucking remarkable.

    • emptywheel says:

      From the AlphaBay takedown announcement:

      AlphaBay reported that it serviced more than 200,000 users and 40,000 vendors. Around the time of takedown, the site had more than 250,000 listings for illegal drugs and toxic chemicals, and more than 100,000 listings for stolen and fraudulent identification documents, counterfeit goods, malware and other computer hacking tools, firearms, and fraudulent services. By comparison, the Silk Road dark market—the largest such enterprise of its kind before it was shut down in 2013—had approximately 14,000 listings.

      The operation to seize AlphaBay’s servers was led by the FBI and involved the cooperative efforts of law enforcement agencies in Thailand, the Netherlands, Lithuania, Canada, the United Kingdom, and France, along with the European law enforcement agency Europol.

      “Conservatively, several hundred investigations across the globe were being conducted at the same time as a result of AlphaBay’s illegal activities,” Phirippidis said. “It really took an all-hands effort among law enforcement worldwide to deconflict and protect those ongoing investigations.”

      So, no. I’m sure it was deconflicted out of DC. But that’s part of my comparison to Levashov: for some reason someone (DOJ) wanted the Rule 41 to go through AK, not CT. It may be the venue here does come from a purchase some Agent made 2 years ago. But FBI, which reports to DOJ, has made it a lot easier to put venue where is most convenient in reorganizing where it investigates things.

      • emptywheel says:

        Adding: those numbers on other vendors taken down provide some scope on how remarkable it is that DOJ is prosecuting this one little malware purchase.

  4. Rapier says:

    In driving there is a thing called target fixation. That means you tend to steer where your looking. (It isn’t too large a problem with car drivers but it is a huge problem in motorcycling especially with novice riders.) The same thing is the universal dynamic of law enforcement including policing.  With the stipulation that where to look is always at the behest of the top.

  5. SpaceLifeForm says:

    There is this smell I smell that says Kronos is tied to ShadowBrokers. Same group. Not saying Russian.

    Zeus, Kronos, Bitcoin, BTC-e, SB-speak, Kaspersky, Malware Leaks, Carberp, Gameover

    [2013-06-26]
    http://www.ehackingnews.com/2013/06/carberp-trojan-source-code-leaked.html

    “By this leaks, malware will change drastically, we can expect a new merge lmalicious function, more sophisticate botnet, and unpredicted or unexpected vector of attack coming after this, like new variant of APT adopting these codes, or cred.stealer from Asia, or else..” MalwareMustDie Team told EHN.

    [2014-07-11]
    http://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/

    Note that the following descriptions of Kronos are based solely on entries in the underground forum; Trusteer, an IBM company, has not yet analyzed a malware sample in order to validate the seller’s claims.
    [Did Hutchins want a sample for this reason?]

    Read a translation of the original text from Russian underground forum
    I present you a new banking Trojan

    Compatible with 64 and 32bit rootkit Trojan is equipped with the tools to give you successful banking actions.Formgrabber: Works on Chrome, IE, FF in latest versions. Works on the majority of older versions as well. Steals logs from each website Webinjects: Works on latest Chrome, IE, FF, latest and majority of older versions. Injections are in Zeus config format, so it’s easy to transfer the config from one another.32 and 64bit Ring3 rootkit: The Trojan also has a ring 3 rootkit that defends it from other Trojans.

    Proactive Bypass: The Trojan uses an undetected injection method to work in a secure process and bypass proactive anti-virus protections. Encrypted Communication: Connection between bot and panel is encrypted to protect against sniffers. Usermode Sandbox and rootkit bypass: The Trojan is able to bypass any hook in usermode functions which bypasses rootkits or sandboxes which use these hooks.

    1000$ a week of testing. The server will be hosted only for you. You need just a domain or a payment including the domain fee. You’ll have full access to the C&C, without any limits or restrictions during test mode.7000$ Lifetime product license, free updates and bug removals. New modules will not be free , and you will need to pay additionally. We accept Perfect Money, Bitcoin, WMZ, BTC-E.com Currently the Trojan is written in its fullest. Next week we will have tests and bug fixing, then release. Pre-ordering the Trojan will give you a discount.

    [Almost more modern SB-speak]

    [2014-07-14]
    http://www.csoonline.com/article/2453634/data-protection/new-banking-malware-kronos-advertised-on-underground-forums.html

    The premium price suggests that Kronos is aimed to be a replacement for former commercial crimeware toolkits like Zeus, Carberp and SpyEye, whose development has been discontinued or whose source code has been leaked in recent years.
    [Sound familiar? Malware leaks]

    According to researchers from Kaspersky Lab, who have also seen the Kronos advertisements on several underground forums last week, the new online banking threat appears to be based on the source code of Carberp.

    [2014-07-14]
    http://www.pcworld.com/article/2453631/the-game-isn-t-over-yet-for-gameover-malware.html

    The new messages are scrambled using the algorithm and string table that has been the same since the original Zeus source code was leaked in 2011.

  6. Evangelista says:

    The tipping point may have been the “confession” in the cited tweet, “Just found the hooking engine I made for my blog in a malware sample.”

    If the “malware sample” was one of the many manufactured by the USA’s NSA mal-factory, the tweet would indicate a stolen component’s owner’s discovery of the U.S. Government’s theft.

    The U.S. Government would then want to bring its “law enforcement” muscle to bear, and to bring its “justice” system into action to coerce the property owner to change his tune, to “concede” it was he who “borrowed” from the gangster-owners (I mean the U.S. Government), and so has no ownership interest in the component, which is not in ‘malware’, really, but in [redacted] built in there by its “legitimate” owners for official (or O-FICA-L) [CLASSIFIED] use.

    That is how governments and agencies like the USA and its array of alphabet-agencies and agents, with their own owned (or pwned) “legal” systems work.

    Their shift-and-shuffle to keep the victim (“perp”) off-balance, confused and in Kafka-state, for malleability and more successful manipulation techniques are aided imeasurably by the U.S. State system, where lawyers are licensed by state: The faster and farther the government, with all of its available resources can shuffle and shift the matter from venue to venue, location jurisdiction to location jurisdiction, filing one thing here, another there, the more difficult it becomes, and more expensive, for a victim to keep up, having to hire new lawyers each place, who have to catch up to events for each event, and struggle with correlations and continuities.

    If you have any experience in the U.S. legal system, in cases where the U.S. Government, or agencies of it, or of states, have interests (meaning here interests, beyond procedural-form-responsibility), especially interests in outcomes, or even only animosities toward parties, or who or what parties might represent, you may be able to recognize the above suggestion only a natural progression from the old fashioned techniques of mis-sending documents, ultra-short deadlining, last-second discovery deliveries and other manipulatings of proceedings and procedures, which are, and have been for some decades now, common tilting-the-field techniques to ‘clear the courts and dockets of time-wasting, ‘nuisance’ and ‘frivolous’ proceedings’.

    The short term is Criminal Corruption, but by itself that phrase doesn’t really convey what U.S. “law enforcement” and “justice” really is, has become, and continues to rot toward…

Comments are closed.