Government Changes Its Tune about MalwareTech
Marcus Hutchins, AKA MalwareTech, just pleaded not guilty at his arraignment in Milwaukee, WI. After the hearing, his attorney, Marcia Hofmann, called him a “hero” and said he would be fully vindicated.
A dramatic change in the tone of the government suggested that might well be the case. Whereas at Hutchins’ Las Vegas hearing the government used his appearance at a tourist-focused gun range in an attempt to deny him bail, here the government was amenable to lifting many of the restrictions on his release conditions. Hutchins will be able to live in Los Angeles, where his other attorney, Brian Klein, is. He will be able to continue working. He can travel throughout the US, but he cannot leave the country (his defense had tried to get him released to the UK).
About the only major restriction — aside from GPS monitoring and monitoring by pretrial services — is that he can’t touch the WannaCry sinkhole.
The government’s attorney, Michael Chmelar, described Hutchins’ alleged crimes as “historic,” a seeming concession that he’s not currently a threat. That said, while the government had not deemed this a complex crime when they indicted Hutchins back on July 11, Chmelar said he expected they would do so in the coming weeks. The trial is currently scheduled for October, but with a complex designation, that will slide.
Chmelar said that they had turned over, or would turn over today, Hutchins’ FBI interview as well as two other recorded phone calls. The rest of discovery will be delayed until the defense signs a protective order.
Perhaps the funniest part of the hearing came when the lawyers tried to help Magistrate William Duffin understand what a “sinkhole” is.
Update: Fixed spelling of Hofmann’s last name–sorry Marcia!
Update: Forgot to mention — the case was assigned to JP Stadtmueller, a 75-year old Reagan appointee, formerly the Chief Judge of EDWI.
Not sure why this needs to be designated a complex case unless there is a raging shitload of wiretap and digital evidence (which the govt may have, but I would be stunned if they want to put it in play). Absent that, not so much.
Because it is the government, and they have for the longest time tried to go after the accused, to prove them guilty before they are actually found innocent.
*hope you notice my snarky sarcasm, or as I call, snarcasm*.
My guess is they realized that his alleged “confession” isn’t going to prove their case. They need to show that the subset of the code he wrote was still in the malware they bought in 2015. They also have to validate he participated in the IRC chats where he allegedly asked for money. Neither of those is going to be a slam dunk, not with excellent lawyers representing him.
Right. So why is the U.S. Government saying the trial will only take a week?
Is it?
A. They have no case and intend to lose?
B. They have no case and intend to appeal?
C. Both of the above?
EW – Oh, I think that is likely correct, but that does not a “complex case” make.
Excellent news that he pleaded not guilty, which most of us who are following this wouldn’t have expected otherwise. Now there needs to be an official acquittal.
It appears that the government is trying to buy time to put its case together. So, the continuing question is why do this now? Who is the real target if it is not Hutchins? Will the “confession” be thrown out (IIRC Hutchins did not have an attorney, but please correct me) which appears to be the only evidence?
The point about the sources and methods raised by bmaz is a good one, and we have seen in recent cases (like the one from OR where the government was able to spike use of a doc they had faxed their target on legal standing grounds) that the government (even more so under Sessions) would only be too happy to implement a secret Star Chamber to intimidate opposition.
My fundamental problem with the basis for this prosecution is if they want cooperation from the white hats, it doesn’t seem wise to jail them when they help.
So what is going on? Why was he a target in the first place? He seems pretty small fry in the scheme of things, and generally on the white hat side. Do they think they can roll him on someone else?
Still unanswered is why the US is claiming the right to prosecute a UK citizen for things done in the UK. UK laws already cover his accused actions; no reason for the US to be involved.
The ‘killswitch’ is the key. The U.S. Government wanted control of the domain.
As I mentioned earlier, they could have just asked Marcus to give it to them, and almost certainly he would have done so.
Is this entire case just a charade to create cover for something else?
They don’t have that. Hutchins’ company is still running it.
Actually, that is probably not the case at all.
At this point, CloudFlare really has control.
Here is the timeline I see:
Marcus registered the killswitch domain at 2017-05-12.15:08:04 (Zulu time – GMT) thru Namecheap.
The next day, due to traffic load, (I admit, I do not know that Marcus himself did this, but that makes sense based upon his comments), he enabled CloudFlare thru Namecheap, which delegated DNS traffic to CloudFlare. Namecheap is still the registrar, the domain will not expire until 2023-05-12.
Note that Namecheap uses a registration proxy to hide the creator of the domain. So does GoDaddy, which is the registrar for kryptoslogic.com, the company Marcus works for.
Point is: Neither Marcus nor Kryptoslogic really control the domain at this time.
Interestingly, this whole mess may have been a failure in IC. Apparently, Wannacry may have only been intended to attack in a corporate environment, where all the users’ web browser traffic had to go thru an HTTP proxy.
At this time, one should assume that if you are in a corp env, an HTTP proxy is required to access the web, and you still have not patched yet, you just might get attacked.
[Marcus writeup on 2017-05-13]
https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
https://www.whois.com/whois/kryptoslogic.com
https://www.whois.com/whois/iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
http://network-tools.com/nslook/Default.asp?domain=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com&type=1&server=67.222.132.213&class=1&port=53&timeout=5000&go.x=16&go.y=8
[Why proxy?]
https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware/amp/
[Bottom line: We no longer know for certain who is in control of the domain name, but we definitely know that any of the malware traffic will go thru CloudFlare]
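The comment above makes two points a responder can act on: every host that looked up the kill-switch domain was running the malware, and, because the check is not proxy-aware (it opens a direct connection), a host that resolved the name but was denied a direct port-80 connection never got the “exit” outcome. The script below is an added example, not code from the post or from any commenter; it runs that triage over constructed DNS-resolver and firewall log lines. The `key=value` log format, the client addresses and the `203.0.113.10` destination are assumptions made for the example; only the domain name is taken from the thread.

```python
"""Triage constructed DNS and firewall log lines for WannaCry kill-switch outcomes.

Added example for this thread, not code from the post or its commenters.
Assumptions: key=value resolver/firewall log lines, 10.1.1.0/24 client hosts
and a 203.0.113.10 (documentation range) placeholder for the sinkhole address.
"""
import re
from typing import Dict, Iterable

# The kill-switch domain quoted in the thread.
KILLSWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample lines (not real logs). The 2017-05-12 query predates the
# 15:08Z registration, so it gets NXDOMAIN; the others are after sinkholing.
SAMPLE_DNS_LOG = [
    "2017-05-13T10:01:02Z client=10.1.1.20 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NOERROR",
    "2017-05-13T10:01:05Z client=10.1.1.21 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NOERROR",
    "2017-05-13T10:01:09Z client=10.1.1.22 query=www.example.com rcode=NOERROR",
    "2017-05-12T09:30:00Z client=10.1.1.23 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NXDOMAIN",
]
SAMPLE_FW_LOG = [
    "2017-05-13T10:01:03Z src=10.1.1.20 dst=203.0.113.10 dport=80 action=ALLOW",
    "2017-05-13T10:01:06Z src=10.1.1.21 dst=203.0.113.10 dport=80 action=DENY",
    # Traffic to the corporate proxy does not count: the check bypasses the proxy.
    "2017-05-13T10:01:07Z src=10.1.1.21 dst=10.1.0.5 dport=3128 action=ALLOW",
]

DNS_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+) rcode=(?P<rcode>\S+)")
FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)")


def hosts_querying_killswitch(dns_lines: Iterable[str]) -> Dict[str, str]:
    """Return {client_ip: rcode} for every client that looked up the kill-switch domain.

    Any such client was executing the malware, whatever the response code.
    """
    seen: Dict[str, str] = {}
    for line in dns_lines:
        m = DNS_RE.search(line)
        if m and m.group("query").lower().rstrip(".") == KILLSWITCH_DOMAIN:
            seen[m.group("client")] = m.group("rcode")
    return seen


def direct_port80_outcome(fw_lines: Iterable[str]) -> Dict[str, str]:
    """Return {src_ip: action} for direct (non-proxy) outbound port-80 connections."""
    out: Dict[str, str] = {}
    for line in fw_lines:
        m = FW_RE.search(line)
        if m and m.group("dport") == "80":
            out[m.group("src")] = m.group("action")
    return out


def triage(dns_lines: Iterable[str], fw_lines: Iterable[str]) -> Dict[str, str]:
    """Classify each host that touched the kill-switch domain.

    killswitch_fired:   name resolved and the direct port-80 connection was
                        allowed, so the sample got a response and exited.
    killswitch_blocked: name resolved but the direct connection was denied
                        (proxy-only egress); the check failed and the payload ran.
    unregistered:       NXDOMAIN, i.e. a lookup before the domain was sinkholed;
                        the payload ran.
    unconfirmed:        name resolved but no direct port-80 attempt was logged.
    """
    queries = hosts_querying_killswitch(dns_lines)
    direct = direct_port80_outcome(fw_lines)
    result: Dict[str, str] = {}
    for host, rcode in queries.items():
        if rcode != "NOERROR":
            result[host] = "unregistered"
        elif host not in direct:
            result[host] = "unconfirmed"
        elif direct[host] == "ALLOW":
            result[host] = "killswitch_fired"
        else:
            result[host] = "killswitch_blocked"
    return result


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_DNS_LOG, SAMPLE_FW_LOG).items()):
        print(f"{host}: {verdict}")
```

The ordering of checks is deliberate: a `DENY` on the direct connection is the worst case, because the proxy line that follows it in the sample is exactly the traffic the kill-switch check never generates, so an analyst who only looked at proxy logs would see nothing wrong. In a real environment the fix the thread implies is to make the domain resolvable and directly reachable (or served by an internal sinkhole) from every segment, not just via the proxy.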
(IIRC Hutchins did not have an attorney,)
Not necessarily a relevant factor. As a UK resident he is unlikely to be familiar with the details of American criminal law. He may not have asked for a lawyer or he may have waived his right to speak with one; uninformed Americans throw away their rights, so it wouldn’t be even slightly surprising if a UK resident threw his legal rights away the moment he was arrested. In fact, when I first heard he was arrested my gut reaction was that this was the reason why he was arrested in the USA and not the UK: he would be at a significant legal disadvantage here as a foreigner. Thus there is only one of two possible reasons why the government changed its tone: either they found the smoking gun they wanted in Nevada and they can afford to play nice because they have a slam dunk case, OR they now see the quality of lawyering on the other side and hope that the matter will go quietly into the sunset after the media attention has died down. Time will show which of these two scenarios is correct.
Right. The FBI interview was w/o a lawyer. Which is another thing they’ve changed tune on pretty dramatically. Now they at least appear to be claiming they’re going to be reasonable.
There are a third and fourth option. Ah hell. I guess I need to write up what I think has been going on.
Was Hutchins provided “If you are not a United States citizen, you may contact your country’s consulate prior to any questioning” as part of his Miranda? Was he questioned before being put under “arrest”? What lies have the FBI told him? His expert attorneys will have this part of it all in hand. Trying to get someone to lie to the FBI is just so standard operation procedure.
I don’t know what he got in Vegas.
But the judge today gave him both a solid Miranda and the consulate warning. There was no mention WHETHER the consulate was involved, mind you.
Very, very interesting that the judge did that.
Very interesting. From legal perspective.
Wow.
Marcus is in good spirits. His first tweet since arrest:
https://mobile.twitter.com/MalwareTechBlog/status/897180606005694464
Things to do during defcon:
Attend parties
Visit red rock canyon
Go shooting
Be indicted by the FBI
Rent supercars
OT: DOJ steps in deep doodoo.
Seriously bad walking, not paying attention.
Or stepped on *something*.
https://arstechnica.com/tech-policy/2017/08/trump-can-block-people-on-twitter-if-he-wants-administration-says/
[so public discourse with an elected official is not to be public based upon one sides view?
Gee, this is SCOTUS material based upon other recent cases. At some point]
[Maybe Twitter should just ban potus. Bad idea I know, loss of all that intel] [/s]
SyncCrypt coming to a store near you?
Shades of Wannacry. Ransomware.
But does not have to do the ransomware part.
Will have the ‘but spam/phishing’ excuse.
Suspect will go thru RDP via another hole not yet patched.
https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/