Judge sets $30K bail for researcher in malware case
LAS VEGAS (AP) — A Las Vegas federal judge set bail of $30,000 on Friday for a celebrated young British cybersecurity researcher accused by U.S. prosecutors of creating and distributing malicious software designed to steal banking passwords.
The attorney for Marcus Hutchins, who has broad support in the information-security community, said the 23-year-old hacker would contest the charges. She said he would not be released until Monday because there wasn’t enough time to post bail after Friday’s afternoon ruling.
Hutchins is due in federal court in Milwaukee on Tuesday.
The U.K. resident gained overnight fame with quick thinking in May when he helped curb the spread of the WannaCry ransomware attack that had crippled thousands of computers worldwide.
Much of the cybersecurity community rallied around Hutchins after his arrest Wednesday, calling him a principled, ethical hacker.
The conditions of his release came as a relief for his supporters.
“This is excellent news,” said Nicholas Weaver, a computer scientist at the University of California at Berkeley. “The indictment is remarkably shallow even by indictment standards, which is disappointing because it adds considerable uncertainty and fosters distrust with the general security community.”
Las Vegas-based attorney Adrian Lobo said money for Hutchins’ bond would come from a variety of supporters and family in the U.S. and abroad. The Electronic Frontier Foundation, a digital leading civil liberties non-profit, said it helped arrange Hutchins counsel and was working to find him an attorney to provide “the best possible defence.”
“Security researchers are vital to protecting the computers we rely upon every day,” EFF general counsel Kurt Opsahl said via email. “Mr. Hutchins’ arrest has unfortunately deepened the divide between the research community and the government.”
Weaver said federal prosecutors and the FBI were making a mistake by not providing more details about the crimes it alleges Hutchins committed. “Having more information would act to reassure the larger security community,” he said.
At the hearing, assistant U.S. attorney Dan Cowhig said Hutchins admitted to authorities in an interview following his arrest that he was the author of the malware code and sold it. He said the government has evidence of chat logs in which Hutchins discussed with an associate the sale of the Kronos banking Trojan.
Magistrate Judge Nancy Koppe said Hutchins is not a danger to the community and has sufficient community support to not be a flight risk.
She ordered him to surrender his passport and said he could fly to Wisconsin, where he was indicted last month, without identification.
“The most recent charge in the indictment is in July of 2015. That’s two years ago that the defendant has been free to roam the world during that period of time,” she said.
Hutchins did not enter a plea at Friday’s hearing. He was arrested while preparing to return home from the Def Con convention for computer security professionals.
He stands accused of creating and distributing malware known as the Kronos banking Trojan. Such malware infects web browsers, then captures usernames and passwords when an unsuspecting user visits a bank or other trusted location, enabling cybertheft.
Computer law expert Tor Ekeland described the evidence so in the case far as flimsy.
“This is a very, very problematic prosecution to my mind, and I think it’s bizarre that the United States government has chosen to prosecute somebody who’s arguably their hero in the WannaCry malware attack and potentially saved lives and thousands, hundreds of thousands, if not millions, of dollars over the sale of alleged malware,” Ekeland said.