What Seems to be Going on with MalwareTech’s New Charges

When I wrote this post on the superseding indictment against Marcus Hutchins (MalwareTech) I deferred assessment of the new charges — a differently charged CFAA, a wire fraud, and a false statements charge — until the lawyers weighed in. Last night, the two sides submitted a status report on the superseding indictment, and it’s clear that the government has fixed some glaring problems with its case. (Along the way the defense has argued they need to tweak all but one of the motions they had fully briefed, adding two months to this process, on top of the extra charges.)

By my read, the government has taken a detrimental ruling — that Hutchins will learn of the informant, Randy’s, identity at least a month before trial, if not before, as well as the fact that Hutchins did not, maybe could not, have admitted what they wanted to in his original interrogation but did admit to some other things, and used those setbacks to fix a number of problems with their case.

By my read (not a lawyer, not a judge, looking at just scraps of evidence), the original indictment against Hutchins was drawn up sloppily only as a means to detain him in this country and quickly — the government believed, because this is how things happen in the U S of A — get him to agree to inform on VinnyK and other online criminals. Indeed, fragments of the original interrogation now make it clear that was the intent.

Chartier: I mean, you know, Marcus, I’ll be honest with you. You’re in a fair bit of trouble.

Hutchins: Mmm-hmm.

Chartier: So I think it’s important that you try to give us the best picture, and if you tell me you haven’t talked to these guys for months, you know, you can’t really help yourself out of this hole. Does that make sense?

Hutchins: Yeah.

Chartier: Now, I’m not trying to tell you to do something you’re not doing, but I know you’re more active than you’re letting on, too. Okay?

Hutchins: I’m really not. I have ceased all criminal activity involving

Chartier: Yeah, but you still have access and information about these guys.

Hutchins: What do you mean? Like, give me a name and I’ll tell you what I know about that.

Chartier: All right, why don’t you start out with this list of nics.

As a result of that sloppiness, the government had just thrown a bunch of crimes — CFAA and wiretapping — into the indictment, with the assumption that it’d be enough to turn the guy who stopped WannaCry into the US government’s latest informant.

While there are no guarantees in criminal cases, I think the defense’s arguments that the government had no proof Hutchins intended to damage the requisite 10 computers in Wisconsin, nor that he had intended to install a device to wiretap, were sound. Indeed, this superseding indictment is largely tacit admission that those arguments may well succeed and blow their original case up. Moreover, I suspect there is and will remain (until this thing goes to trial, if it does) a dispute about how much code someone has to contribute to a piece of malware to be considered its author.

But as I said, now that the government is facing going to trial with their informant, Randy, fully exposed, they’ve turned that into a way to revamp the alleged crimes against Hutchins such that they might be sustainable. That’s because — as I pointed out here — while VinnyK is accused of selling malware, Randy has already told the FBI that he used it, and used it to engage in financial crimes.

  • VinnyK (Individual A), a guy who sold a UPAS kit on July 3, 2012, days after Hutchins turned 18, and then on June 11, 2015, sold Kronos, a piece of malware with no known US victims. Altogether VinnyK made $3,500 for the two sales of malware alleged in this indictment. When this whole thing started, the government charged Hutchins mostly if not entirely to coerce him to provide information on VinnyK (information which he said in a chat in the government’s possession he doesn’t have). He’s the guy they’re supposed to be after, but now they’re after Hutchins exclusively.
  • “Randy” (Individual B), an actual criminal “involved in the various cyber-based criminal enterprises including the unauthorized access of point-of-sale systems and the unauthorized access of ATMs.” At some point, in an attempt to limit or avoid his own criminal exposure, Randy implicated Hutchins.

With that in mind, consider the two new main charges the government has added, and added to the conspiracy, in what I imagine is a bid to sustain the prosecution if the earlier problems with the indictment get parts of the rest of it thrown out. In addition to charging Hutchins with the part of CFAA that makes it a crime to attempt to damage 10 or more protected computers, the government is now charging him with the part of CFAA that makes it a crime to intentionally access a computer to obtain information for the purpose of private financial gain. That is, they’ve added the part of CFAA that makes it a crime to profit from stealing information. They’ve also charged Hutchins with wire fraud for attempting to obtain money by false and fraudulent pretenses. (The defense now agrees the government has venue in EDWI, which I suspect has to do with both the focus on advertising here as opposed to operation of code, as well as the claim that Hutchins’ alleged lies thwarted an investigation in the district.)

The first of these is easy to understand. Even in the fragments of Hutchins’ interrogation publicly available, he admitted to selling code.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

Chartier: And what was the name of that?

Hutchins: Oh, fuck. I really can’t remember. No, I’m drawing a blank. I mean, like, I actually sell the code. I sell it to people and then they do what the fuck they want with it.

They also have a jail transcript of Hutchins telling his boss that he gave Randy malware to pay off a debt. [Note, the defense has taken issue with the accuracy of this transcript.]

Hutchins: Yeah, and there were also some logs that I gave the compiled binary to someone to repay a debt

Salim Neino: You gave a compiled binary to somebody on the chat log?

Hutchins: To repay a debt yeah


Neino: Okay, um was the nature of the debt anything significant?

Hutchins: It was about five grand

Neino: Oh not the amount, but was the nature of the debt significant, like was it related to something else, or just your personal debt?

Hutchins: Um he, no he asked me to hold some Bitcoins for him, and my software fucked up, and I lost some of the money

Neino: Oh so you had to pay him back?

Hutchins: Yeah

So while Hutchins did not himself use malware to steal information for the purpose of financial gain, they arguably have him admitting that he sold code that stole information for financial gain and that he gave code that did the same to someone who stole information for financial gain in order to pay off a $5,000 debt. Now, the government still has some work to do to prove that Hutchins’ code had that intent, but at least for this charge they don’t have to point to 10 computers that he intended to damage.

As for the wire fraud, I’m not sure (and I’m not sure the defense is either) but I think they’re now taking a post Hutchins did, criticizing weaknesses in a piece of malware competing with Kronos, and claiming that the post served to defraud upstanding malware purchasers into believing that Kronos was a better product by comparison.

On or about December 23, 2014, defendant MARCUS HUTCHINS hacked control panels associated with Phase Bot, malware HUTCHINS perceived to be competing with Kronos. In a chat with [Randy], HUTCHINS stated, “well we found exploit (sic) [sic] in this panel just hacked all his customers and posted it on my blog sucks that these [] idiots who cant (sic) [sic] code make money off this :|” HUTCHINS then published an article on his Malwaretech blog titled “Phase Bot — Exploiting C&C Panel” describing the vulnerability.

The government may even be planning on arguing that Hutchins used his research into the competition to update Kronos.

In or around February 2015, MARCUS HUTCHINS and [VinnyK], updated Kronos. On February 9, 2015, in a chat with [Randy], HUTCHINS described the update. [Randy] asked, “[D]id you guys just happen to make a (sic) update?” HUTCHINS responded, “[W]e made a few fixes to both the panel and bot.” [Randy] replied, “ah okay yeah read something that vinny posted was curious on what it was exactly.”

In any case, now that the government knows they’re not going to be able to hide Randy, they can use Hutchins’ interactions with him to try to put Hutchins in a cage, when they’ve decided to spare Randy that same cage or at least limit the time he’ll be there.

If I’m right about this, a lot of it brings us back to the final new charge, false statements. The government has charged Hutchins with lying to the same FBI agents that Hutchins accused (with some basis) of lying on the stand. They claim he lied when he told the FBI that “he did not know his computer code was part of Kronos until he reverse engineered the malware sometime in 2016,” because “as early as November 2014, HUTCHINS made multiple statements to [Randy] in which HUTCHINS acknowledged his role in developing Kronos and his partnership with [VinnyK].”

In yesterday’s status report, the defense said they’re going to “request that the government particularize the alleged false statement of Count Nine.” Presumably, they want to know how it is that AUSA Dan Cowhig, on August 4, 2017, represented to a judge that, “Hutchins admitted that he was the author of the code that became the Kronos malware” but are now claiming that he did not admit that. It may well be the language I’ve cited above, where Hutchins cites the UPAS Kit (which he coded as a minor), but says that was not the form grabber used in Kronos.

That’s the kind of charge that not only will depend on the specific language the government has in mind (which is why the defense may well succeed with a bill of particulars demand where they otherwise might not), but also the understanding of how fragments of code become malware, something on which (if Agent Chartier’s past testimony was any indication) the defense is likely to have a much better grasp than the government.

Understand where that puts us, though.

Probably after rediscovering Hutchins’ access to VinnyK and his friends because he had saved the world from repurposed NSA hacking tools, the government slapped together charges in a bid to turn Marcus Hutchins into an informant. When that didn’t work, when Hutchins had the gall to point out how problematic the charges were, the government then upped the ante, turning Hutchins into the primary target, whereas previously VinnyK had been.

We’ve got VinnyK, who used to be considered a big enough criminal to do this to Hutchins, Randy, who the government readily admits stole money from actual Americans, and the guy who saved the world from tools the NSA couldn’t keep safe. You’ve got two FBI agents who have done remarkable work damaging their own credibility (to say nothing of their ability to appear knowledgable about computer code on the stand). And the American taxpayers are going to spend thousands of dollars to try to put Hutchins — and possibly only Hutchins — in prison. That, even though the false statements charges may well come down to a dispute — which both sides have already been arguing — what the definition of malware is.

This is, in many ways, all too typical of how our justice system works; Hutchins is not unique in being targeted this way, nor in having the government double down when he had the nerve to avail himself of the justice system.

But I keep coming back to this: why does the government think that the interests of justice are served for punishing a guy because he achieved renewed notice by doing something good?

29 replies
  1. orionATL says:

    “This is, in many ways, all too typical of how our justice system works; Hutchins is not unique in being targeted this way, nor in having the government double down when he had the nerve to avail himself of the justice system.

    But I keep coming back to this: why does the government think that the interests of justice are served for punishing a guy because he achieved renewed notice by doing something good?”

    this is why it is hard to feel much genuine  sympathy toward the u. s.. department of justice for the way trump has worked them over, even while confident that trump has abused his power” royally” and presented an extremely dangerous precedent for future presidents being investigated for misconduct or criminal activity. this is how we can end up with a generalissimo style of government.

    i have seen cases like this detailed here and elsewhere involving surveillance whistleblowers where the doj case seemed strained, was clearly designed for punishing whistleblowing, not for justice, and where a judge gave the federal prosecutors an edge their arguments simply did not deserve.


    another case close to my heart involved two oregon ranchers, father and son, put away for five years on evidence nearly 15 years old, and on my suspicion that the u. s. fish and wildlife service wanted their ranch as part of a major preserve (a condition of the final order) . this kind of behavior, especially in the west, will come back to bite the doj and our gov in the ass in a big way when it comes down to protecting federal lands belonging to all of us from western state-corporate pouching in the near future. 

    • orionATL says:

      edit is not turned on so i will add here:

      this is why all the caterwauling at the present about “the rule of law” and our justice department rings hollow to me, though trump’s abusive behavior deserves every criticsm directed toward it. the doj has not earned my respect. the bad cases may be, probably are, a tiny number, but a disciplined doj and fbi where fairness and quality were the first order of business on each case would reduce them to nil.

      as i’ve said before, a serious, extensive (in terms of untrammeled public discussion, corporate as well as gov), highly protective law, combined with a respectful and appreciative public attitude toward whistleblowing are sine qua non for changing the structure and morality of our current manner of organizing our society.

  2. earlofhuntingdon says:

    Standard advice to a client, “No good deed ever goes unpunished.”

    I think it goes along with the idea that a prosecutor can get an indictment even of a ham sandwich.  The simplest of acts can be manipulated against the actor.  It’s as if the government has adopted the Trumpitude about weakness.  Just asking for something, even buying it for an exorbitant price, seems uncouth.  Extortion seems to be the preferred method, borrowed from the intel community’s handbook on agent running.

  3. Trip says:

    @Marcy have you seen this?

    Trump campaign data operation had stolen Clinton emails ‘more than a month’ before WikiLeaks

    The company that ran then-candidate Donald Trump’s data operation in 2016 reportedly obtained Hillary Clinton’s stolen emails more than a month before WikiLeaks published them.

    An American lawyer I know told me that he was approached by a Cambridge Analytica employee after the election. They had had the Clinton emails more than a month before they were published by WikiLeaks: ‘What should I do?’ Take this to Mueller, the lawyer replied.

    Spectator via Rawstory:

    • emptywheel says:

      I don’t find Paul Wood reliable generally, and I suspect that factoid derives from him mixing up what he heard in a game of telephone.

        • SpaceLifeForm says:

          Marcy hits the nail. Article is wrong, best possible explanation would be DNC or Podesta emails. No HRC emails out to my recollection.

          • Trip says:

            Yes, the language about the specific emails wasn’t what I was curious about. Wikileaks never got those (deleted, that we know of) emails nor published them, only those which were released via FOIA, (then they organized them with a search engine on the site).  If that’s what he is talking about, then it’s not a scandal unless they had them before the government released them. I thought perhaps he was talking about the Podesta/DNC emails. It seems to be a universal habit of articles not accurately describing what emails have been in the wild, present company excepted. I usually take it to mean that the emails they are talking about are the DNC/Podesta batches.

            At any rate, Marcy is credible, and if she sees the author as being unreliable, in general, I take her word. I therefore dismiss any importance to this ‘news’.

  4. Rusharuse says:

    Today, I want to discuss Melania’s coat . . No!
    Not today! Today (the longest day), I just want to enjoy my ride on the planet earth, zooming around the sun and out on across the universe. Today, I want to gaze at some clouds, listen for birds, feel a warm breeze. Today, I want to be amazed “to be living in the middle of something that I’ll never really understand”. Today, the Trump(s) can get fucked!

  5. SpaceLifeForm says:

    Something seriously fishy with the jail phone call transcript. Really fucking fishy.

    Note size of redactions. Two on other end.
    Lets call one LR for Long Redaction, and the other SR for Short Redaction.

    Note that SR says he got tipped by FBI that MH was detained. (why is another question. And what was time of call?)

    But then SR *ASKS* if MH is detained?

    Why would SR ask if SR already knew?

    This is complete fucking bullshit.

    Maybe he was not taling with whom he thought,

    • SpaceLifeForm says:

      Yes, this is complete fucking bullshit.

      It is obvious that MH was tired and hungover.

      But, the questions he was asked are super suspicious.

      Yes, he, not being a US citizen, yeah, he may not have understood what was happening.

      But, LR and SR *KNEW* the conversation was being recorded.

      You don’t even have to be a lawyer to know not to talk about the case!

      This is is flat out crap.

      LR and SR say they will get him a lawyer. MH tells them he is at Hudson.

      Fine. That is exactly what you fucking say, end the fucking call.

      Next day, someone bails you out.

      Proceed from there.

      This is all setup crap, like JS.

  6. DMM says:

    “…nor in having the government double down when he had the nerve to avail himself of the justice system.”

    a la Stephen Heymann in the persecution of Aaron Swartz.

  7. Trip says:

    It’s Friday, so who will be indicted, raided, or fired? Any picks on the roulette wheel? What will be today’s self-made clown crisis?  What dotard drama awaits?

  8. SpaceLifeForm says:

    Reading again the phone log, I do not believe MH understood his Miranda Rights at all. That is assuming they ever read him his Miranda Rights.

    But it smells like they asked him a lot of questions at Airport *before* doing the reading of Miranda Rights.

    If that is true, the Judge shoud dismiss the case.

    This is definitely the reason there will be a Franks motion.

    Years ago, arresting officers would be truthful in their report, and if it was obvious to the Judge that questions were asked before Miranda reading, the Judge would toss right away.

  9. SpaceLifeForm says:

    Twisting a crap case.

    Smells that DOJ is using things that MH said in the recorded phone call *against* him. Which, if he understood his Miranda Rights, he would *not* have said.

    ‘Anything you say, can, and will be used against you’

  10. SpaceLifeForm says:

    And now twitter is down/blocked. Maybe a DNS issue? Maybe BGP issue?

    What is a potus to do?

      • SpaceLifeForm says:

        Pretty certain potus on verizon, not att.

        Something must have occurred (being Friday), and would not surprise this is intentional block.

        (later, they will say otherwise)

        • SpaceLifeForm says:

          Did something happen in past hour or so that someone does not want potus tweet-storming about?

          • Rayne says:

            Can you describe what’s going on? Based on your comments I can’t tell what the problem is with regard to Twitter.

            • SpaceLifeForm says:

              Could not reach site normally. Via Verizon, was basically dead. Via other network routes, intermittent outages.

              Defintely looked like a DDOS on east coast.

              Back to normal now.

      • Rayne says:

        Look, I asked a while ago for clarification. You didn’t explain what the problem was you’ve mentioned here in comments several times. You’re now merely DDOS-ing this thread with chatter not relevant to the post. Focus on the topic or find something else to do.

  11. greengiant says:

    Is that captured chat between MH and Randy floating on the net for real?

    Secondly for the pajama boys try to snatch my ISP account for the last 48 hours have at it. Spoofing phone numbers? You all have baby dicks.

  12. melior says:

    Here’s a fresh Friday document release, a Motion in limine To Exclude:

    ” (T)he government requests that the Court enter an order precluding Manafort’s arguing or presenting evidence at trial concerning alleged selective or vindictive prosecution, the motive and mandate of the Department of Justice office leading this prosecution, and the supposed outcome of any government investigation into Manafort that preceded the Special Counsel’s appointment.”

    (via DailyKos)

Comments are closed.