LOS ANGELES _ A widely celebrated cybersecurity researcher was indicted on charges of developing software that has stolen banking credentials from an untold number of people, prosecutors said Thursday.
Marcus Hutchins, 22, who works for the Los Angeles security firm Kryptos Logic, received praise in May for his role in slowing the spread of a ransomware attack called WannaCry that was locking files on computers around the world.
But federal prosecutors say that Hutchins, at least at one point in his career, had malicious intent. In a July 12 indictment unsealed this week, Hutchins is described as having created, maintained and helped market the Kronos banking Trojan between July 2014 and July 2015.
The program _ often distributed through phishing emails _ monitored consumer's online browsing and led them to fraudulent websites designed to look like legitimate banking services. Kronos then would harvest usernames, passwords and other information from unsuspecting consumers.
Hutchins faces six counts related to the malware distribution, including conspiracy to commit computer fraud and abuse and endeavoring to intercept electronic communications.
The allegations from a two-year FBI investigation point to one of the cybersecurity sector's most distinctive traits: the revolving door between those trying to stop attacks and those launching them.
People often transition between hacking with malicious intent and working as well-meaning investigators. The mischievous work of the past can be an asset to companies and law enforcement agencies looking to get an edge on new waves of criminals. But it also can mar the reputation of the burgeoning industry.
In an interview with the Los Angeles Times in June, Kryptos Logic Chief Executive Salim Neino said he hired Hutchins in 2016 after discovering the surfer and computer hobbyist's blog. Since 2013, Hutchins has written a couple of times almost every month about new viruses and attacks.
Neino called Hutchins' skill and ethics impressive and put him in charge of a division at the small firm. Kryptos Logic acknowledged a request to comment Thursday but didn't provide a statement.
Hutchins, who lives in England, was on vacation in May when WannaCry, a self-replicating worm, sped across the internet, hijacking Windows machines. It locked files and demanded between $300 and $600 for their release.
But Hutchins jumped online and by chance, he has said, found a way to effectively throw Kryptos Logic's servers into the path of the oncoming attack. The tactic acted like a temporary kill switch, giving computer technicians enough time to inoculate their systems from becoming infected.
Hutchins' effort led to collaboration with British authorities and others in the cybersecurity research community. Though a prominent blogger, his identity hadn't been widely known until British tabloids revealed his name during the WannaCry incident.
His move drew praise and a bounty from the security industry, and Hutchins said he would donate his financial reward to charities.
Hutchins was in Las Vegas this week at Defcon, one of the computer security industry's biggest conferences, when the FBI quietly arrested him Wednesday. Friends began worrying about his whereabouts Thursday. The Justice Department released details of the case later in the day.
The indictment _ handed down by a grand jury in the Eastern District of Wisconsin _ redacts the name of a second defendant, who is accused of helping market, sell and update the Kronos malware. The undisclosed defendant posted a video explaining how hackers could infect computers with Kronos and also offered to sell the program for $3,000 on hacking forums, according to court documents.
Kronos was first made available online in early 2014, including on AlphaBay, a secret marketplace for buying drugs and other illicit items. Last month, the Justice Department seized AlphaBay, which could be accessed only through a special Internet browser that scrambles traffic.
Hutchins may have been unmasked during the AlphaBay investigation. When federal agents took down the service, they came into possession of its electronic records and may have been able to trace who was behind Kronos' creation. The founder of AlphaBay was taken into custody in Thailand last month, but later died.
In a June 13, 2014, Twitter post, Hutchins asked followers whether "anyone got a Kronos sample?" A sample refers to a copy or traces of malware.
Three days earlier, the undisclosed defendant had sold a copy of Kronos for $2,000 worth of digital currency, prosecutors say.
Kronos went on to affect consumers in Canada, Germany, Poland, France and the United Kingdom, among other countries, the Justice Department said.
