British citizen Marcus Hutchins, 23, has been named in an indictment by the US Department of Justice (DoJ) as a suspect linked to the spread of malware between July 2014 and July 2015. Hutchins was arrested this week (2 August) following a Las Vegas hacking conference.
An indictment claimed that Hutchins created and advertised the availability of a banking Trojan known as "Kronos" on internet forums alongside another unnamed defendant. He stands accused of six separate hacking crimes according to the filing, first released by Motherboard.
"Marcus Hutchins, aka MalwareTech, knowingly conspired and agreed [...] to commit an offence against the United States, namely, to [...] intentionally cause damage without authorisation, to 10 or more protected computers during a 1-year period," the indictment reads.
It also stated that on 29 April 2015, one of the defendants (the exact name was redacted) advertised the Kronos banking Trojan on AlphaBay - one of the most popular marketplaces on the dark web at the time.
As previously reported, AlphaBay was recently seized and taken offline by a global cybercrime operation in collaboration with the FBI, Dutch police and Europol. Multiple arrests were made.
As noted by cybersecurity firm Proofpoint last year, the Kronos malware typically spread via email phishing and primarily targeted the United Kingdom and North America. At the time, researchers said it targeted sectors including hospitality, schooling and financial services.
Hutchins was widely credited with stopping a global ransomware attack in May earlier this year. The global outbreak, blamed on a strain known as "WannaCry", spread to more than 300,000 computers in 150 countries and caused damage to the UK health service.
Cybersecurity researcher Kevin Beaumont tweeted that "it looks like the US justice system has made a huge mistake" after the news broke. In an update, he added: "I know Marcus. He has a business which fights against exactly this (bot malware), it's all he does. He feeds that info to US law enforcement."
Motherboard first reported how Hutchins was arrested and initially held at the Henderson Detention Centre in Nevada, but was later moved to another - unknown - facility.
Sources close to Hutchins later claimed he was being held at the FBI field office in Las Vegas.
Based on his Twitter timeline following the Defcon hacking conference it appears Hutchins was arrested in the airport as he was set to fly out of America. One of his last tweets stated: "Priority boarding so you can add to the time you're sat on a plane that is nowhere near ready to fly."
A statement from the UK's National Cyber Security Centre (NCSC), a fork of British intelligence agency GCHQ, read: "We are aware of the situation. This is a law enforcement matter and it would be inappropriate to comment further." The FBI, meanwhile, has not commented.
News of the indictment caused shock across the infosec community. Hutchins was considered a hero after stopping WannaCry. "I refuse to believe the charges against @MalwareTechBlog," tweeted Andrew Mabbitt, a researcher who travelled with Hutchins to Defcon.
This week (3 August) it emerged that more than $140,000 (£106,400) in illicit profit made from the WannaCry virus - captured in a form of digital currency called bitcoin - was being emptied out of online accounts. There is nothing to suggest Hutchins's arrest is linked to these transfers.