A Different Take on the Krebs on Security Article about Marcus Hutchins' Past (aka @malwaretechblog the accidental hero who stopped Wannacry)
Most people who spend any time online know about the Wannacry ransomware incident that happened in May of this year. Less know how the global spread of WannaCry was serendipitously stopped by a British whitehat security researcher known at the time by his twitter handle @malwaretechblog. Journalists would later determine that his name was Marcus Hutchins. Although as I found and show below, he was doxxed all the way back in 2015.
Fast forward to August of this year when FBI agents in Las Vegas arrested 23-year-old Marcus Hutchins and charged him with authoring and potentially selling “Kronos,” a strain of malware designed to steal online banking credentials. This decision to arrest Marcus apparently stemmed from the takedown of AlphaBay, the dark web marketplace that was recently seized by federal law enforcement in July of this year.
Since this arrest, there has been much discussion about Marcus Hutchins within the infosec community and whether he might be innocent or guilty of the charges. Much has already been uncovered which would point to his innocence of these federal charges as I mention at the end of this post. Although I caution much is still not known and much of what the FBI has will eventually come out in court.
But not much of Marcus' past, his teenage years, had been discussed up until yesterday when Brian Krebs of Krebs on Security, an investigative blog on cybersecurity issues posted the article "Who is Marcus Hutchins".
Brian Krebs' article does a good job of connecting the dots and multiple aliases allegedly belonging to Marcus going all that way back to 2009. And it is clear from Brian's article that Marcus was probably not a saint in his teens. Where the allegations start to break down, for me at least, are around the alias "ElementProducts". This part of Krebs' story documents some of the more serious blackhat activities. It is also where the attempts to connect the dots to Marcus Hutchins start to become very fuzzy. Bear in mind that all of what Brian Krebs alleges that Marcus may have done occurs 5-8 years ago and are based on posts in hacker forums and domain name registrations. There is no evidence provided that point to financial dealings or gains that Marcus might have made from these activities. There is also no direct proof that any harm came directly from these activities while he was a teenager. Also none of these activities documented in Brian Krebs' article have any direct relationship to the federal charges Marcus Hutchins is currently facing.
After reading the Krebs' article I decided to do a little investigative research as well and based on what I found I present a slightly different look at Marcus' more recent past below. Some of what I found also illustrates that Marcus' not guilty pleas to the current federal charges may in fact be quite sincere.
First off, in my limited experience, underaged hackers (actually most hackers) are BIG talkers. You don't have to read more than one IRC chat log to come to this conclusion. I also always go under the assumption that everyone on the internet lies. So anything I read in a chat forum or IRC has the potential to be 50% true and 50% false. So with that said, when one hacker on a forum or IRC chat says something about someone else, it could be true or it could be a lie and there could be all kinds of ulterior motives. The stuff Brian Krebs documented in the "Gh0sthosting" section of his article occurred while Marcus was a minor and was prior to 2011. On the surface the connected dots seem fairly strong but again most of what Brian is alleging is based on the idea that a change in an alias can be determined to be the same person because of how the Hackforums functioned.
Everything builds off of this assumption so it would have been nice to see Brian demonstrate a known example of one of his past aliases on Hackforums within a thread and then the changed alias. I honestly don't know how the database at Hackforums functions, whether it can be manipulated, how the deletion of an account is handled by the database and whether someone else could have logged in under Marcus' account. Brian does state that the credentials of Hackforum users were hacked and dumped back in 2012. Given that the databreach at Hackforums probably included at least one of @malwaretechblog 's passwords there is also no way of knowing whether someone else logged in and posted as him. It also isn't clear that the connections to the various domain name registrations prove a connection to Marcus. Many of these domains fail to get renewed and are picked up by other hackers. Thus Michael Chanata could really be a completely different persona from that of Marcus Hutchins.
As Brian Krebs well knows hackers can get very creative when attempting to take someone down. Back in 2013 hacker(s) attempted to frame Brian Krebs by anonymously mailing him heroin. Brian has also admitted that a number of hackers have posed as himself on IRC chat logs, presumably to try and discredit him.
Since at least 2013 there have been one and possible multiple hackers that have had in for @malwaretechblog going by the following aliases of LOLzzzzzz, LOLz, Randy, Xehanort and RealDude.
Looking at Pastebin dumps, @malwaretechblog was doxxed all the way back in 2015, August 12th, 2015 to be exact (https://pastebin.com/myuYBdAt). I would note that this anonymous person posted "Larkey" as an alias and Brian Krebs says it is "Iarkey". I am assuming that was a typo by the person doing the pastebin dump.
After reading more IRC chat logs than I had really planned on doing, one hypothesis that started to form was that someone or some group had it out for @malwaretechblog and believed he somehow contributed to the darkode bust. From another pastebin dump I found the following conversations occurred in October of 2016.
It is also clear in this IRC chat log and a couple others I found that <RealDude> attempted to hire @malwareblogtech to write a banking malware and @malwaretechblog said no.
This came up eariler in the chat along with accusations of previous collaborations by <RealDude>. Again and again @malwaretechblog essentially calls him unhinged and denies the allegations.
Prior to this chat log conversation I found another one in a Pastebin dump that was uploaded in early January 2016 and the conversation appears to be from late December 2015 around Christmas. Essentially the same conversation occurs. Just replace <RealDude> with <LOLzzzzzz>.
And then later in the IRC chat log <LOLzzzzz> logs back in as <Randy>. Here is where Marcus says <Randy> has been trolling him and giving him grief for over three years. All the way back to 2013.
And then there are the timestamped tweets from @malwaretechblog back in 2014 bemoaning that someone stole a block of his code that was incorporated into Kronos.
What would be interesting to find out is whether Brendan Johnston in Brian Krebs piece is the alias Randy / Xehanort and if he had it out for Marcus Hutchins. That would quickly kick out one leg of the allegations made by Brian Krebs, at least within the attempt to connect the alias ElementProducts to Marcus.
Brian Krebs also said Element Scanner was later incorporated as the default scanning application for the “Blackshades" trojan and this is what Brendan Johnston was arrested for. So I actually see more evidence linking the alias ElementProducts to Brendan Johnston and not Marcus Hutchins.
Don't get me wrong this blog post is not meant to defend what Marcus Hutchins may or may not have done. It is also not meant to disprove Brian Krebs' article. He has done good research into Marcus' past and as a minor I am sure there were transgressions. However, I agree with others in the infosec community that Marcus deserves a fair defense and that the case against him seems rather hyperbolic and weak. It is also not based on anything he did as a minor. Nothing I have found or anything Brian Krebs has found would indicate that their is any validity to the current federal charges against him. Rather, much of the IRC logs, malware samples and prior occurrences of Kronos all point to Marcus Hutchins' innocence in this case. Time will tell.