The He Said, She Said That May Render MalwareTech’s Arresting Agents Useless on the Stand at Trial

Back when Marcus Hutchins (MalwareTech) moved to suppress the statements he made in his first custodial interview after his arrest, I suggested the challenge itself was unlikely to succeed, but that it would “serve as groundwork for a significant attempt to discredit Hutchins’ incriminatory statements at trial.”

While I still generally think the effort is unlikely to succeed (though it may never come to that, as I lay out below), an evidentiary hearing on the issue yesterday may have rendered both his arresting agents largely useless for testimony at trial.

As a reminder, Hutchins originally challenged his statements because:

  • As a Brit, he couldn’t be expected to understand, without specific explanation, that US Miranda works the opposite way from British Miranda
  • He waived his Miranda rights after being arrested after over a week of partying at DefCon, and was exhausted and possibly high
  • The FBI’s own records were sketchy; they hadn’t recorded that he had been asked if he was drunk (but not high) until over four months after his arrest (yesterday we learned that 302 was dated December 8 or 9)

Then, just before the originally scheduled evidentiary hearing on April 19, the government told Hutchins that the multiple crossed out times on his waiver had not been corrected until at least five days after his arrest, something the FBI agent in question, Jamie Butcher, didn’t formally explain anywhere.

Hutchins’ lawyers got a continuance to understand the implications of that; yesterday was the rescheduled opportunity to grill the FBI agents about when he was really Mirandized.

From the get-go, Hutchins’ attorney Brian Klein set a contentious tone for the hearing by suggesting at the outset that they might need to call one or the other of the prosecutors to testify to impeach the agents, something that almost never happens (for mostly good reasons). After some preliminaries in which Judge Nancy Joseph laid out how she’d be assessing the issues, first Lee Chartier and then Butcher took the stand to explain how the post-arrest interview and subsequent paperwork had gone down.

Chartier, almost a stereotypical-looking FBI agent — tall and white, beefy, with a goatee — had more experience than Butcher: he’s been working cyber since 2011 and in 2016 Jim Comey gave him the Director’s Medal of Excellence for being one of the top performing cyber agents. Still, he testified he had only done around 50 interviews, of which 20 were custodial interviews, over those years. Butcher, a short white woman, has been at FBI nine years, moving from an admin position to a staff operations specialist to her current cyber special agent position, where she’s been for three years. When prosecutor Benjamin Proctor walked her through her background, he didn’t ask how many interviews, custodial or no, she had done, which given Chartier’s surprisingly low number, probably means she’s done very few interviews, particularly custodial ones. When Proctor asked about her involvement in this case, he described it as “becom[ing] involved in the investigation that resulted in arrest of Marcus Hutchins,” which suggests a curious agency behind the investigation.

Between them, the agents described how they flew out to Vegas the night before the arrest. Surveilling agents tracked Hutchins as he went to the airport and got through TSA then sat down at a first class lounge. As soon as Hutchins ordered a drink that turned out to be Coke but that the agents worried might be booze, Chartier, wearing business casual civvies, and two CBP agents wearing official jackets pulled Hutchins away from the lounge, placed him under arrest and cuffed him in a stairwell inside the secure area, and walked him to a CBP interview room, where Chartier and Butcher Mirandized him, then interrogated him for 90 to 100 minutes.

Even in telling that story, Chartier and Butcher’s stories conflicted in ways that are significant for determining when Hutchins was Mirandized. He said it took “seconds” to get into the stairwell and then to the interview room. She noted that the “Airport is rather large. Would have taken awhile.” to walk from place to place (it was 36 minutes between the time Hutchins cleared TSA, walked to the lounge, ordered a Coke, and the time Chartier first approached Hutchins). There seems to be a discrepancy on how many CBP agents were where when (that is, whether one or two accompanied Chartier and Hutchins all the way to the interrogation room). Those discrepancies remained in spite of the fact that, as Butcher admitted, they had spoken, “Generally, about the interview, and Miranda, and making sure that we were on, that our facts were the same.”

Chartier described that the CBP recording equipment in the room “wasn’t functional that day,” which is why they relied on Butcher pressing a record button herself, which she didn’t do until (she said) Chartier started asking “substantive” questions, but after the Miranda warning.

It sounds like Chartier did most of the questioning and the dick-wagging, even though Butcher was the lead agent. He offered up the term “Liquid Courage” to describe Hutchins’ description of having to drink to network. He gave Hutchins a list of 80 online monikers, of which Hutchins recognized a handful; “Vinny,” who has shown up in public reporting on Hutchins’ background, was apparently one of those, so he may actually be the co-defendant after all (or the informant the government is hiding). Chartier had Hutchins review a string of code; Hutchins only recognized that it listed Kronos (which is the first he figured out that’s what the interview was about, and which is the basis for the FBI’s claim that he inculpated himself as the coder of Kronos).

Chartier’s more dominant role in the questioning is interesting given the dynamic yesterday. Butcher, who was questioned second, seemed to know her multiple fuck-ups on the basic parts of this interview (failing to note the Miranda time, starting the recording late, offering unconvincing claims about what she did when she realized she had entered the time wrong on the consent form) make her an FBI short-timer. I’d honestly be surprised if she were still at FBI by the time this goes to trial, if it does. At times, she seemed not to recognize the dangers of the answers she was giving. Chartier, on the other hand, has his Director’s award career to protect, and perhaps for that reason was openly hostile and seemed ready to throw Butcher under the bus for the fuck-ups that had gotten him sucked in.

Except it was Chartier’s responses that seemed to reflect deceit, and it was Chartier that Brian Klein accused of lying. Chartier seemed to be aware that he had to ensure three details:

  • That he explained to Marcus the circumstances of his arrest, which allegedly happened in the stairwell (I think it shows up in the 302, which Butcher wrote, but she wouldn’t have witnessed it. Also, her response to the judge on how she reconstructed the time of the waiver hinted that there are other sources of time stamps she doesn’t want to reveal — I bet there is surveillance footage from the stairwell).
  • That WannaCry only came up at the end.
  • That Hutchins should have known the interview was about Kronos.

Except even the prosecution made clear that’s not what happened. Prosecutor Michael Chmelar described how Hutchins first realized the case was about Kronos when he was shown the code.

Do you recall certain point Hutchins asked if case was about Kronos, looking for developer. What did you respond. I said I don’t think we’re looking anymore. Our belief that Mr Hutchins was developer of Kronos.

Note, I suspect the full 302 will also show that Chartier had absolutely no reason to make this claim, which is probably why within days of Hutchins’ arrest it became clear the FBI had way oversold their proof from this interview that Hutchins had admitted to contributing to Kronos.

Also at issue is when Hutchins first got to see the arrest warrant, something that Chartier’s testimony appears dodgy on. More importantly, Chartier’s testimony did make it clear Hutchins started asking immediately what the arrest was about, and 30 seconds after the recording started (therefore, after he had just signed the waiver) he asked again. Except it wasn’t until an hour later that Chartier explained that this stop wasn’t about WannaCry, as Klein laid out.

It’s not until 1 hour into the interview that they show him arrest warrant. Here’s what happens. Chartier. What you’ll hear him say, okay, well, here’s the arrest warrant, and just to be honest. If I’m being honest with you this has absolutely nothing to do with WannaCry.

Plus, the arrest warrant apparently did not lay out the charges in the indictment, instead listing “conspiracy to defraud the US” as the crime (good old ConFraudUs!) which is remarkable for reasons I may return to if and when the warrant is docketed.

Effectively, the government explains that the reason they didn’t arrest Hutchins until just before he boarded his plane is because they feared he’d dodge off, open a computer, and shut down the WannaCry sinkhole, re-releasing the global malware. (Yeah, that’s dumb.) Everything they did they did because of WannaCry.

But it wasn’t until an hour into their interrogation of Hutchins that they told him it wasn’t really about WannaCry.

Frankly, I don’t think this thing is going to trial. When Klein asked for more time, given what they discovered yesterday, before arguing the suppression motion, Joseph said she had all the other motions briefed and she wanted to decide them together. As I have laid out, the 5 motions work together, showing (for example) that the CFAA charge is improper, but also showing that the government refuses to point to any computers that were damaged by the Kronos malware Hutchins wrote.

If she’s thinking of all those motions together, then she’s seeing how, together, they show how pointless this prosecution is.

But if not — if this case actually does go to trial — either one of these FBI agents will be very easy to impeach on the stand.

Update: Fixed spelling of Chartier’s last name.

Update, 5/31: Turns out I had Chartier’s last name right the first time, and have now fixed this back.

Update: In talking to a physical surveillance expert who followed the hearing, the stairwell may actually be one place in the secure space that wouldn’t be on surveillance footage, with cameras instead capturing the entry and exit. If that’s right, it would mean the stairwell is all the more curious a place to have some of the key events in this arrest and interrogation go down. h/t DO

24 replies
  1. Beej says:

    I keep having this nagging suspicion that this whole arrest might be about trying to exchange Malwaretech’s return to the UK for the extradition of Laurie Love. If that is the case it didn’t work and now they are stuck with going to trial.

  2. orionATL says:

    “… Butcher, a short white woman, has been at FBI nine years, moving from an admin position to a staff operations specialist to her current cyber special agent position, where she’s been for three years. ..”

    i don’t know how expertise is inculcated at the fbi, but i am dubious of this agent’s degree of cyber expertise. the career track seems to follow typical govt bureau hiring i have observed – going from an admin position, to a staff specialist position, and then to cyber special agent could give one special training, but it seems doubtful to me that extensive knowledge of the sort a cyber agent might need had been gained before hiring.

    the hiring process typically goes like this – a position is posted; it has certain minimal requirements; various candidates are interviewed; a hiring decision is made, sometimes on the basis of high qualification, sometimes out of special knowledge of the candidate, sometimes because no more qualified person had applied.

  3. earlofhuntingdon says:

    An odd pair of FBI agents if one of their purposes was to flip Hutchins into being an informant.

  4. Avattoir says:

    Bureaucracy has many drawbacks and shortcomings. But also advantages, some of which are critical to … here I go … meaningful interface with the customer base – like the courts.

    These days (which, in retrospect, I mark as beginning from somewhere in the Nixon admin to somewhere in Reagan’s second term), it seems policy in the context of large government agencies is assumed bloated with ideology. Except, that ignores that official policy on procedure is, beyond merely what’s retained in the minds of longtime career civil servants, where institutional memory is warehoused.

    What Fearless Leader describes here looks awfully like I don’t know how many cases I’ve been involved in, where the investigators never achieved any proper understanding of why it is that policy on recordings – not just note-taking but the full range, -have to be standardized AND those standards adhered to – as if to the operating instructions on any potentially dangerous machine.
    And that’s so ESPECIALLY with those investigators who lack operational experience, including case work-ups and in-court testimony, to gain sufficient understanding and feel for policy rules, to be trusted with deviating from them.

    Instead, what we very often get is something like what’s depicted here: policy rules degraded thru ad hoc deviations and Bizarro World efforts at correction to something that at least superficially looks more systemic, without a useful understanding of why policy on investigative standards exists in the first place.
    And not only do righteous prosecution cases crumble in the court context, we all lose faith in the capacity of government actors to tell the difference between OTOH true bills of indictment and other such charges, and made-up crap produced by dunderheads on the other.

    Fcol, we’re at the point in recording technology where av recording right from first contact is something a typical 10 year old can do with her cellphone. If an official investigation and subsequent charges fails the Your Teen Coulda Done Better test, –>> with no sufficiently plausible explanation for why not <<–, pull the plug.

  5. SpaceLifeForm says:

    Someone in FBI is creating problems for FBI.

    How can they say out of one side of their mouth that it is not about Wannacry, yet the same FBI asked Kryptos Logic (employer of Marcus) to secure the killswitch/sinkhole?

    Note that Kryptos Logic did so, removing any way for Marcus to access the Domain registrar used to grab the domain name, *AND* removing his access to the CloudFlare portal used to front the killswitch/sinkhole.

    This makes no sense to say it is not about Wannacry and at same time secure the killswitch/sinkhole.

    This case actually *must* be about Wannacry.

    It’s just that the FBI is not saying why.

    Suspect case will not be dropped real soon.

    • SpaceLifeForm says:

      As Marcus noted, if it *was* about Kronos, the FBI could have arrested him on *earlier* visits to US.

  6. SpaceLifeForm says:

    Missing SARs.  (Turtles all the way up)

    But, according to the official who leaked the report, these sars were absent from the database maintained by the Treasury Department’s Financial Crimes Enforcement Network, or fincen. The official, who has spent a career in law enforcement, told me, “I have never seen something pulled off the system. . . . That system is a safeguard for the bank. It’s a stockpile of information. When something’s not there that should be, I immediately became concerned.” The official added, “That’s why I came forward.”

    [This is probably why Avenatti says things are ‘Ugly’]

      • SpaceLifeForm says:

        Oh, the money was *found*. By a bank. And it was suspicious, hence the bank or banks that filed the missing SARs (Suspicious Activity Report).

        What is now missing is the players (account info) involved in the transactions that resulted in the SARs being created.

        Someone is trying to hide evidence. For good or bad, we do not know yet.

        Either bad player inside FinCEN, or hidden due to court order.

        That it is being hidden from LE is what makes it interesting.

  7. orionATL says:

    this really, really bothers me:

    “… Chartier described that the CBP recording equipment in the room “wasn’t functional that day,” which is why they relied on Butcher pressing a record button herself, which she didn’t do until (she said) Chartier started asking “substantive” questions, but after the Miranda warning…”

    i recognize it is naive to ask, but why isn’t

    a) the failure of the fbi/cbp team to ensure ahead of time that the critical recording equipment was working properly, and given that failure,

    b) the subsequent failure of the agent team to manually initiate recording at beginning of their interrogation, euphemistically and antiseptically called an “interview”, and given those two failures,

    c) the failure of the doj prosecutorial team to voluntarily refuse to use the only partially recorded, and hence tainted, interrogation

    grounds for a judge to dismiss any evidence the prosecution would put before the court from this interrogation?

    i would think this sort of dismissal would only happen once or twice before the fbi/doj got the message.

    absent such a ruling, there is obvious leniency here that amounts to favoritism toward the prosecution.



    • pseudonymous in nc says:

      “Recorder done broke” should be classed with “my bad, I forgot this once to turn on the body cam” — it’s just too fucking convenient.

  8. Dev Null says:

    Off-thread, but not seeing a more recent / relevant post to, uh, post this comment at. Apologies in advance.

    “The stakes are so high that the FBI has been working over the past two weeks to mitigate the potential damage if the source’s identity is revealed… The bureau is taking steps to protect other live investigations that the person has worked on, and trying to lessen any danger to associates if the informant’s identity becomes known.”

    At the WaPost via PoliticalWire:


    As the first commenter (at PW) says, if the GOP is going all in on this, ya gotta wonder if they took dirty Russian money.

  9. yogarhythms says:

    Dev N, FBI places informants in 60’s Antiwar, 70’santiwar/antinuc(Sandanista/ElSalvador/AbaloneAlliance, 80’s antiwar “Counter Culture/Protest” movements. FBI infiltration is a given in 90’s 2000’s 2010’s for more cyber/terrorist movements. FBI is the sole investigative law enforcement mandated to investigate POTUS. Is it surprising given the extensive legal foray involving multiple legal jurisdictions Palace resident’s exercised the FBI would want to closely monitor?

  10. Dev Null says:

    @yogarhythms: What is it about trolls, that they cannot write comprehensible English? I’m thinking “non-native English speaker”, because a native English speaker would never write such clotted prose. Whatever you’re being paid to write this crap, comrade, it’s more than you deserve.

    Only a moral ninny (or a disinformation specialist, but I repeat myself) would argue that LE agencies should not be subject to oversight. Likewise, only a moral ninny (or a disinformation specialist, but I repeat myself) would argue that exposing the identity of an undercover agent involved in a sensitive criminal investigation is appropriate in the absence of specific / relevant evidence of wrong-doing on the part of the agency.

    Shoo, troll.

    PS: WTF is going on with the “reply” button?!? I spent 5 minutes trying various tricks – tricks that have worked in the past – in hope of replying directly to the troll … no joy.

  11. Dev Null says:

    @yogarhythms: yet you responded. ~dryly~

    I’ve read your last sentence (“is it surprising”) a dozen times. Not only does the sentence not parse, I can’t for the life of me guess what you thought you were saying. Lots of English words strung together, seemingly at random, do not an English-language sentence make.

    Go ahead, re-write your point in comprehensible English. (It’s a gimme… if you’re not a troll, you should be able to write English. If you *are* a troll, then surely there’s *someone* in your shop who can write colloquial English.)

    Have a nice day.

  12. SpaceLifeForm says:

    When one is insane and has completely lost their moral and legal focus in life.

    To Rudy, a subpoena for docs is different than one to testify. Don’t worry Rudy, Mueller does not need or want to talk to Trump anyway.

    Rudy, just keep telling Trump that he is doing great, that you are working hard, and you may still be around for another month. Oh, and Rudy, just keep going on tv media shows and running your mouth. It really helps.

    Giuliani then attacked Cuomo for regularly inviting “ambulance chaser” Michael Avenatti onto his show, to which Cuomo replied, “What does that have to do with this?”

  13. SpaceLifeForm says:

    Jeffrey Yohai cut a deal

    Andrew Brown, a federal prosecutor in Los Angeles, had been overseeing an investigation into Yohai’s real estate and bank dealings in California and New York several months before Mueller was appointed to his post in May 2017.

    [Note:  Before Mueller appointed. Note: LA]

    • Dev Null says:

      The calendar will be lost on those whose salary depends on ignoring the calendar. (w/apologies to Upton Sinclair…)

    • Dev Null says:

      IANAL, as is evident from my postings, but why not the same explanation that ArsT gives for Ultima Thune?

      Stephen Spaulding, the chief of strategy at advocacy group Common Cause and a former special counsel at the FEC, told Ars that he guessed that listing was because of a pending legal complaint brought to the FEC.

      “The reason they would be listed in a bankruptcy would be that this pending legal action might leave them exposed legally and maybe that’s why it has to be disclosed,” he said. “Why they’re listed as a creditor would be a question for a bankruptcy lawyer.”

      PS: Apologies for Ultima Thune. I am ashamed of myself.

    • earlofhuntingdon says:

      Marketing exercise of the kind Erik Prince often used.  When one legal entity becomes a pariah, change the name to protect the guilty.

      Only the CA name and legal entity will pass.  The people, the data, the money, the business model – and the customers – will realign under other names in other jurisdictions.  Too many opportunities out there.

      • Ken Muldrew says:

        Especially the customers! Can there be any better advertising than to say, and not entirely without justification, that they got the United States of America to elect a malicious idiot for their president. Emerdata will be able to name any price and customers will still be lined up around the block.
