A young cyber expert who stopped the WannaCry global cyber-attack has been arrested in the US for allegedly conspiring to advertise and sell malicious software that targeted bank accounts.
Marcus Hutchins, 23, who saved the NHS from cyber criminals, was at a hacking conference in Las Vegas when he was arrested by the FBI.
An indictment released by the US Department of Justice revealed that he faces six counts of helping to create, spread and maintain the banking Trojan Kronos between 2014 and 2015.
According to the indictment, the alleged offenses took place between July 2014 and July 2015.
Hutchins was jointly charged with another individual who was not named.
The indictment alleged that Hutchins “created the Kronos malware” and the other person later sold it for $2,000 online.
The Kronos malware was spread through emails with malicious attachments and allowed users to steal money using credentials such as internet banking passwords.
The allegations are unrelated to the WannaCry attack he was credited with halting, according to a US official.
The security expert, from Devon, was hailed a hero in May when he discovered a “kill switch” for the WannaCry ransomware, which spread to hundreds of thousands of computers across 150 countries. Among the victims were dozens of NHS Trusts, which were forced to delay operations and turn people away.
Hutchins, who stopped the attack from his bedroom under the pseudonym MalwareTech, has reportedly helped GCHQ’s National Cyber Security Centre since the incident.
A source said the organization collaborated with many private individuals and was “very much embedded in the community,” of which Hutchins is a part.
On his arrest, an NCSC spokesman said: “We are aware of the situation. This is a law enforcement matter and it would be inappropriate to comment further.”
Janet Hutchins, his mother, told the Telegraph she was trying to find out exactly what had happened to her son but said she had not yet managed to get anything confirmed.
“I think I’m going to be rather busy tonight,” she added.
A security expert who was staying with Hutchins at the DefCon hacking conference in Nevada said he had been arrested at Las Vegas’s McCarran International Airport on Wednesday afternoon.
The friend, who also works in the cyber security industry, said: “He was detained at McCarran airport yesterday. He checked into his flight and I think he was sitting in the Virgin upper-class lounge.
“He was escorted out of the airport and never made his flight.”
Around 20 hours after he went missing, Hutchins’ parents told the friend he had been arrested.
After his arrest, Hutchins was taken to Henderson Detention Center in Nevada before being moved to the Las Vegas FBI field office.
“I had been trying to get in contact with him for the past 20 hours,” the friend told the Telegraph. “I finally located him this morning but they moved him before visiting hours. Now he’s in the wind again.”
A spokesman for the Foreign and Commonwealth Office said: “We are in touch with local authorities in Las Vegas following reports of a British man being arrested.”
The UK’s National Crime Agency said: “We are aware a UK national has been arrested but it’s a matter for the authorities in the US.”
Hutchins stopped the spread of the WannaCry ransomware when he accidentally discovered a “kill switch”. Working on his own from his small bedroom in his parents’ home, Hutchins has been lauded for his computer skills in the wake of the attack.
The WannaCry attack spread to more than 230,000 computers in scores of countries, affecting major organizations including the NHS, Renault, and O2. Using a vulnerability in Microsoft’s Windows operating system discovered by US security agencies, WannaCry locked victims’ computers and demanded a $300 ransom.
Hutchins found a way to stop the virus from rapidly spreading. He was given a $10,000 (£7,600) reward for the effort, which he donated to charity.
The ethical hacker, who is largely self-taught and did not go to university, was in the US for the world’s largest annual conventions for security experts, BlackHat and DefCon.
His arrest comes as more than £100,000 of digital currency Bitcoin that was paid by victims of the WannaCry attack was withdrawn from the hackers’ online wallets.
There is no indication that the two events are connected.
Victims were asked to pay around £230 in Bitcoins to get back control of their systems and monitoring websites showed the wallets holding the payments had been emptied on Thursday.
No one has claimed responsibility for the attack but experts have connected it to Lazarus, a group also linked to the 2014 Sony Pictures hack.