With its elegant decor and soft lighting, the ambience in The Club lounge, at Las Vegas International Airport, is usually serene. On August 2, however, passengers waiting to board Virgin Atlantic’s afternoon flight to London Gatwick were disturbed by an extraordinary scene.
Emerging stealthily into the room, plainclothes FBI officers approached a young, scruffily dressed British man, who had been sampling the complimentary refreshments and amusing himself by posting sardonic messages on Twitter.
They were from the agency’s Cyber Crime Unit. They told him he was suspected of various serious offences, arrested him, snapped handcuffs on his wrists, and marched him off to be interrogated.
News-conscious observers of this drama might have recognised the startled prisoner. For three months earlier, Marcus Hutchins, a 23-year-old computer genius employed to fight internet crime, had been hailed a hero after thwarting a devastating virus that had spread to 150 countries and some 300,000 computers.
Operating alone from his gadget-cluttered bedroom, at his parents’ home in the North Devon resort of Ilfracombe, he had stumbled upon a ‘kill switch’ that halted the so-called WannaCry epidemic dead in its tracks.
Since the shadowy hackers who created the virus (thought to be from Russia or North Korea) had demanded a ransom of £460 per infected machine to remove it, they might have raked in millions but for his timely intervention.
Moreover, as dozens of NHS trusts were targeted, forcing them to shut down their IT systems and cancel operations, Hutchins was credited with sparing countless people from suffering, and possibly saving lives.
An unconventional, freewheeling young man, Hutchins was a very reluctant hero.
With commendable modesty, he claimed his noble deed owed more to luck than judgment, and admitted that, by tampering with the virus, he might actually have made it worse.
Nonetheless, among the so-called ‘white hats’ — the hacking fraternity whose mission is to seek and destroy malicious software, or ‘malware’ — he is revered like a rock-star, as he discovered on his 12-day trip to Las Vegas.
Hutchins had travelled there, in late July, to attend the annual DefCon computer security conference, which began 25 years ago, as a low-key gathering for nerdish techies, but has grown into an ultra-cool global happening, a sort of Glastonbury for geeks.
He was among 25,000 people who flocked to this raucous ‘hackers’ summer camp’ staged in the glitzy Caesars Palace casino hotel — all cheering as keynote speakers downed neat alcohol shots and ace hackers demonstrated their ability to break into everything from car locks to Apple watches.
[Photo: The Lamborghini Hutchins rented while on a 12-day trip to Las Vegas]
In the most bizarre and alarming stunt, a computerised voting machine widely used in U.S. elections was hacked into, then reprogrammed to become a glorified jukebox playing the Rick Astley song Never Gonna Give You Up.
As the mop-haired Hutchins sauntered around the conference centre, in his torn jeans and T-shirt, admirers clamoured to have selfies taken with him.
For the young Devonian, however, the conference was something of a sideline.
Having ventured abroad for the first time only last year, he had planned a thrill-packed holiday around the event.
He stayed, with seven friends, in a sumptuous £1,445 a night mansion, just off the famous ‘Strip’, boasting the biggest private swimming pool in Las Vegas.
Hutchins filmed himself reclining in the pool; rented various high-performance cars, including an orange Lamborghini; and regaled his 106,000 Twitter followers with messages about his drunken partying, expensive lobster dinner, and Grand Canyon helicopter tour . . . blithely unaware that his every move was being monitored by the FBI. He also mentioned visiting a shooting range, where he fired a machine gun at a target bearing the face of Osama Bin Laden — something that would come back to haunt him after his arrest.
The events following his detention were Kafka-esque, according to friends. Denied access to a lawyer for 48 hours, he was first taken for questioning at Nevada’s forbidding Henderson Detention Centre.
Then, when friends discovered his whereabouts, he was whisked away again, apparently to an FBI field office.
His father, Desmond Hutchins, a senior social services manager, and mother Janet, a hospital nurse, only realised something was wrong when he failed to arrive at Gatwick.
‘We still don’t really know where they held him, or what went on. It has been a complete nightmare,’ his brother Cameron, 21, told us this week, at the family home — a Victorian townhouse close to Ilfracombe’s historic Tunnels Beaches, where Hutchins liked to wind down after working for hours, alone in his garret.
[Photo: Hutchins at the firing range]
It was only when Hutchins was paraded before a Las Vegas court in a yellow prison jumpsuit embossed with the word ‘detainee’ two days later on August 4, that the reasons behind his detention emerged.
Incredibly, the heroic scourge of the NHS virus, who toils obsessively round the clock to fight cyber-crime on behalf of his Los Angeles-based employer, Kryptos Logic, and is thought to receive a handsome six-figure salary, stood accused of attempting to sell a malevolent virus of his own making.
Marketed under the name Kronos on the dark web, the corner of the internet that can only be accessed by those with special expertise, it infects computer browsers, capturing usernames and passwords without leaving any obvious clues to its presence.
When the unsuspecting user visits a trusted location such as a banking website, their personal details are replicated and sent to the Kronos operator’s machine.
This type of malware is known as a Trojan, because it infiltrates systems disguised as legitimate software, like a digital version of the mythological Trojan horse.
Kronos is said to have been used to attempt to attack banks in Britain, and elsewhere — though internet security experts doubt it was very effective.
Along with an alleged accomplice — who is not named in the indictment — Hutchins, known by his online alias, MalwareTech, is accused of taking part in a conspiracy to create and sell Kronos between July 2014 and July 2015. He faces six charges alleging he invented the virus, advertised it on a notorious dark web marketplace called AlphaBay and sold it for $2,000 in digital currency, all in violation of the U.S. Computer Fraud and Abuse Act.
The trial, scheduled to begin on October 23, will be held in Milwaukee, Wisconsin, where the FBI investigators are based. Curiously, no victims are mentioned in the indictment.
Hutchins is being prosecuted under the same law used against the British hacker Gary McKinnon, who breached the security defences of 97 U.S. military and NASA computers — supposedly while hunting for evidence of UFOs — but successfully fought extradition after it was revealed that he suffered from Asperger’s syndrome. His cause was championed by the Daily Mail.
As McKinnon discovered, the law carries draconian penalties.
If Hutchins is found guilty (and the conviction rate in these cases is about 90 per cent) he could face a maximum of 40 years in prison.
However, it is more likely that he would be jailed for between one and three years.
The FBI claims to have uncovered the plot during a two-year investigation which resulted in AlphaBay being shut down. Prosecutor Dan Cowhig told the Las Vegas court that Hutchins had admitted under questioning being the author of the Kronos code, and also ‘indicated’ that he sold it. His alleged co-conspirator is said to have advertised it by posting a video on the dark net.
Mr Cowhig said Hutchins was heard to complain about the money he had received from the scam during conversations with the mysterious accomplice, records of which the FBI claim to have obtained.
Extraordinarily, the prosecutor argued that Hutchins — who strongly denies the accusations — should remain in custody pending his trial, on the grounds that he was a danger to the public, because he had fired a gun at the aforementioned shooting range.
The judge rejected this argument and granted him bail with a surety of $30,000 which was raised by his supporters.
He is now staying in a luxurious Airbnb apartment, in the Venice Beach area of California, complete with gym, pool, and rooftop barbecue pit. But he is only allowed out of the apartment for four hours a week, and complains that he is bored and lonely.
Last Sunday his mother flew out to bolster his spirits.
‘I’ve spoken to him on the phone and he’s feeling better about things now,’ said his brother.
‘But the whole thing is ridiculous. Is it really likely that someone who has spent his whole life fighting computer crime would do something like this?’
It seems a valid question.
So could this young computer whizz, who has built his reputation on ‘ethical hacking’, really have been leading a shadowy double-life as a ‘black hat’, as criminal hackers are known?
[Photo: Hutchins arrives at US Federal Courthouse in Milwaukee, Wisconsin, on August 14]
Or is he the victim of a gross injustice?
Like Gary McKinnon, and many other freakishly gifted technology experts, Hutchins is certainly an unusual character.
He taught himself computer coding, and was excluded temporarily from his comprehensive school after teachers claimed he hacked into its IT system, causing it to crash — which he denies. It meant he was banned from using the school computer while studying for his IT GCSE, and made to sit the exam using a pen and paper, as a result of which he failed.
Disgruntled with the education system, he decided against going to university.
Instead, he worked alone in his bedroom before his expertise came to the attention of internet security company Kryptos Logic, which offered him a job. He took it on condition that he could remain in his beloved Devon.
His Las Vegas trip notwithstanding, Hutchins claims to loathe big cities, and his only other known hobby is surfing.
In his teens, he was a member of Woolacombe Surf Life Saving Club, whose organiser Tracy Lark remembers him as a ‘nice natured guy from a very good family’ and, like others who know him, is convinced of his innocence.
At all events, if Hutchins was a covert criminal, as alleged, he was a very naive one.
If he had masterminded the Kronos virus, surely he would have been aware of the risks of travelling to the United States?
Particularly to a conference widely known as a magnet for law enforcement agents eager to apprise themselves of the latest hacking techniques. As DefCon’s founder, Jeff Moss, once put it: ‘If you’re a criminal, you don’t go where all the feds and good guys are going.’
Then there are the lenient terms of his bail, which hardly suggest he is considered an arch-criminal and a major security threat.
Though his internet access was briefly removed, he is now allowed to use his computer, and is giving his Twitter followers a bleakly humorous running commentary about his plight.
He has blogged about his attempts to learn to cook, and problems such as having no clothes, and no proof of identity.
Amazon has closed his account and wants him to send proof of his address by fax, he says, adding incredulously: ‘In 2017 nobody under the age of 80 uses fax.’
However, as we have discovered, there are more compelling reasons to believe that Hutchins stands wrongly accused.
Our inquiries reveal that the Kronos virus was being marketed on a notorious Russian underground web forum as early as June 10, 2014 — a month before the period covered by the indictment.
Stranger still, on July 13, 2014, as the malware began to appear extensively on hacking sites, Hutchins tweeted: ‘Anyone got a Kronos sample?’
This begs a rather obvious question: why would he be trying to obtain the virus if he was its evil architect?
According to British cyber-security expert Gavin Millard, it just doesn’t add up.
He believes Hutchins might simply have posed as the author of Kronos while researching it to gain intelligence — a tactic frequently used by ‘white-hats’ fighting computer crime.
An alternative explanation could be that Hutchins’ research — which he published to highlight vulnerabilities in internet banking security — was hijacked for criminal purposes, or ‘weaponised’ to use industry jargon. Hutchins has complained about this happening to him in the past.
‘Most of the authors of malware are Russian,’ says Mr Millard. ‘The most successful have made millions of dollars. They are not experienced, respected security agents like Hutchins, with a £100,000-a-year job.’
Quite so. But why might Hutchins, of all people, have been targeted? Supporters suggest U.S. government security agencies might have turned against the 23-year-old Briton because he embarrassed them by stamping out the WannaCry virus after they had lost control of it.
Another twist, drawing the British authorities into this murky story, came this week. The Sunday Times claimed our spy agency GCHQ knew Hutchins was under FBI surveillance before he flew to Las Vegas, yet failed to warn him that he was liable to be arrested.
This was despite the fact that Hutchins had rescued our health service, and had recently been working closely with the UK’s National Cyber Security Centre.
Given the political fall-out from the McKinnon affair, the suspicion is that British authorities abandoned Hutchins to his fate to avoid another protracted extradition battle with the U.S.
True or not, the irony is that his prosecution will seriously hamper the war on internet crime.
For as Tor Ekeland, a U.S. defence lawyer who specialises in computer technology cases, points out, the authorities rely on brilliant young mavericks such as Hutchins to help them root out rogue operators.
But after the man who averted a global internet meltdown has been treated in this manner, he says: ‘who in their right mind would help the government out? All you are going to do is draw attention to yourself.’
‘I think using this really blunt instrument to dive in and get this young computer talent is a terrible exercise of prosecutorial discretion,’ he said, arguing that, even if he had been found to have crossed the boundaries of criminality, his good work ought to have been considered, and he should have been freed with a warning.
Many would agree, among them thousands of grateful NHS patients. We cannot predict the trial’s outcome, of course.
Yet whether or not Marcus Hutchins is proved innocent, the Americans — and the British spymasters who complied with them — might come to regret turning this quirky Devonian from heroic hacker to villain.
- Additional reporting, Hugo Daniel in Los Angeles.