Risk & Repeat: MalwareTech indictment raises questions

The criminal hacking charges against a notable security researcher known as MalwareTech have raised a number of questions that could have implications for the infosec community and its relationship with law enforcement.

Marcus Hutchins, better known as MalwareTech, was arrested by the FBI in Las Vegas following Defcon earlier this month. The 23-year-old, who also works at Los Angeles-based cybersecurity company Kryptos Logic, is accused of creating the Kronos banking Trojan, which was discovered in 2014 and hit financial services firms in the U.K. and India, among other countries. Hutchins, who was charged with six counts of computer fraud and abuse and wiretapping charges, pled not guilty.

Hutchins, who formerly operated anonymously under the MalwareTech name, achieved notoriety recently when he created a sinkhole to limit the spread of WannaCry ransomware. His identity was revealed by the press soon after that. In addition to Hutchins, a second unnamed defendant was also charged and accused of advertising and selling the Kronos banking Trojan on the now-shuttered AlphaBay dark web marketplace.

The government's case against Hutchins presents some pressing questions about the scope of the charges and the investigation. Who is the unnamed co-defendant? Did the AlphaBay takedown lead to charges against Hutchins? Why is a case involving cyberattacks overseas being brought in the U.S.?

In this episode of the Risk & Repeat podcast, SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more on the case against MalwareTech.