Prosecutors Cite Osiris in an Attempt to Resuscitate Dead Law against Marcus Hutchins

I’ve been meaning to do an update on a series of filings in the MalwareTech (Marcus Hutchins’) case in which his defense challenged the magistrate’s recommendations, the government responded, and MalwareTech replied. As I’ll get to, those filings reveal a bit more about what the government was really up to in their prosecution of Hutchins.

First, however, I want to look at something the government does in the first paragraph of their response. The paragraph starts with a succinct statement about the case that smooths over a lot of legally suspect moves they make in the case.

Marcus Hutchins is charged with developing and distributing malware capable of accessing and damaging computers without the owners’ knowledge and stealing personal information. See Doc. #86. As set forth in the superseding indictment, he worked with others to sell this malware in online forums. Doc. #86. Hutchins did this to earn money for himself. He essentially admitted his crimes in online “chats” that were later obtained by law enforcement.

Effectively, this statement obscures all the problems with charging Hutchins for writing malware that he never intended to use to damage computers, as damage is understood under the Computer Fraud and Abuse Act, and that doesn’t equate to a device that might amount to wiretapping.

Immediately after having done that, the government points to an entirely different generation of malware than Hutchins wrote — which has since been dubbed Osiris — to suggest Hutchins’ own work has led to damage.

The malware developed and sold by Hutchins and his coconspirators, and variants of that malware, particularly Kronos, have been used to compromise computers around the world for years. See, e.g., “Kronos Reborn,” Proofpoint, July 24, 2018, available at (last visited November 30, 2018) (discussing 2018 campaigns involving Kronos variants).

The link describes a much later version of the underlying malware used in campaigns in Germany, Poland, and Japan.

In April 2018, the first samples of a new variant of the banking Trojan appeared in the wild [2]. The most notable new feature is that the command and control (C&C) mechanism has been refactored to use the Tor anonymizing network. There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded “Osiris” and is being sold on underground markets. In this blog, we present information on the German, Japanese, and Polish campaigns as well as a fourth campaign that looks to be a work in progress and still being tested.

Even if Hutchins’ code formed a key part of this module (I’m sure if this ever gets to trial Hutchins’ team will be able to mock this as a possibility), attacks in three other countries do not justify a prosecution of a British citizen in Milwaukee.

Remember, early on in this case, the government admitted they don’t believe Hutchins continues to engage in criminal activity.

Effectively, Hutchins is on trial for code he wrote years ago, some of it while he was a minor. Because people associated with later generations of that code — with its literal rebirth as a new product — are causing havoc, the government is intent on holding him accountable.

12 replies
  1. Rapier says:

    Why are they doing this? It’s target fixation. A term that comes from driving where there is an unconscious tendency to drive towards where you look. Very large teams are devoted to finding hackers, with very limited success finding ones they can charge. So they found one and drove towards him.

  2. Trip says:

    So, it’s like arresting the caveman who invented the wheel, for a modern day fire hazard in Ford car manufacturing?

  3. Greg Hunter says:

    Thanks for the update as I noticed he had not been posting on his twitter feed. FBI/DOJ seems to be losing credibility with this case, but they cannot give up trying. It has never made sense and it smacks of the Richard Jewell “case”.

  4. pseudonymous in nc says:

    This is ridiculous. Hutchins has decent representation, but I worry that bullshit arguments like “you are personally responsible for the damage done by the umpteenth iteration of a lump of old code” gain traction with judges (and eventually juries) who don’t have sufficient knowledge of the field. Infosec / opsec people are already nervous about their proof-of-concept work even if they don’t have blackhat pasts.

    This is another attempt to get a plea by keeping him in the US and running up his legal bills.

    • emptywheel says:

      Yes. As was the superseding generally. Which is my TL;DR from the most recent round of motions.

    • bmaz says:

      Welcome to how prosecutors work. They may be keeping Hutchins in the US; far more commonly they are keeping your client in jail pre-trial.

  5. Tech Support says:

    The Gov’t has always been super twitchy and weird about this stuff. Goes all the way back to Operation Sundevil, which ultimately was what led to the creation of the Electronic Frontier Foundation back in the day.

    Lots and lots of cynical stuff I could say about the natural inclination to pursue soft targets (DefCon wannabe script kiddies) vs. oh… the Chinese espionage-industrial complex.

  6. I Never Lie And am Always Right says:

    A bit off topic, but also illustrative of how nasty the National Security Machine can be: the recent 9th Circuit opinion in Ibrahim v. DHS, issued this last week. Kudos to the law firm that represented Ibrahim and obtained a fee award under the EAJA. Seriously, go to the 9th Circuit website and read this opinion. It is unfathomable what the government did to Ibrahim.

    • bmaz says:

      Let’s be honest: it has been 14 years that then-Stanford student, now Dr. Rahinah Ibrahim (and her daughter, by the way), has been fighting this case along with the ACLU. Ibrahim has always been on the winning end. What Kim Wardlaw, who stands tall in the waning of the old Carter-school liberal lions in the 9th, did is make sure that the idiocy of the government pays for their idiocy.

  7. puzzled says:

    What I don’t get is the selling part. Even if he wrote the code, and even assuming he can be held accountable for what others have done with that code in terms of hacking, selling is much more than writing. Selling requires an offer and a buyer. Who are they? How much money did he make?
