The FBI arrested the WannaCry “kill-switch hero,” Marcus Hutchins, on Wednesday as he attempted to board a plane from Las Vegas to London.
It was originally not clear what the charges were, per the initial report by Motherboard’s Joseph Cox. However, according to an indictment released by the Department of Justice on Thursday, the 23-year-old United Kingdom security researcher has been accused of creating, distributing and updating the Kronos malware, a banking Trojan spread through email attachments to harvest credentials and credit card data.
Hutchins is known on Twitter as @MalwareTechBlog and was instrumental in stopping the ransomware that infected hospitals, telecommunications companies and nearly 75,000 computers worldwide in May. He discovered and registered a domain that disabled WannaCry from infecting new targets.
However, his alleged activities between July 2014 and July 2015 alongside an unnamed co-defendent are what resulted in his arrest, according to the indictment filed in the eastern division district court of Wisconsin.
Hutchins is in the United States having attended two annual hacking conferences — Black Hat and Def Con — before taking a week of vacation.
Before boarding the flight home, Hutchins was taken by the FBI for reasons initially unknown. An anonymous friend told Motherboard that, after 18 hours of unsuccessfully contacting Hutchins, they tried to contact the United States Marshals, but was told that “they have no record of Marcus being in the system … nobody knows where he’s been taken. We still don’t know why Marcus has been arrested and now we have no idea where in the US he’s been taken to and we’re extremely concerned for his welfare.”
His friend, Andrew Mabbitt, took to Twitter and confirmed the arrest. He tweeted that he is “working on getting a lawyer for @MalwareTechBlog” since he lacks legal representation and visitors and would soon be starting a crowdfund for any legal fees.
Both the FBI and the UK’s National Crime Agency declined to comment on any charges or suspicions or where he has been held, but it was reported that he was at one point at the Henderson Detention Center in Nevada and then the FBI’s Las Vegas field office.