Slayer of WCry worm detained after attending Defcon

Hutchins in his office. Frank Augstein / AP

Marcus Hutchins, the 23-year-old security professional who accidentally stopped the spread of the virulent WCry ransomware worm[3] in May, was detained by law-enforcement authorities after attending the Defcon security convention last weekend, according to a close personal friend. Hutchins was booked into the Henderson Detention Center in Nevada on Wednesday afternoon, according to a screenshot the friend captured of the facility website. When the friend visited the detention center on Thursday morning, he was told Hutchins was no longer there.

The website mention of Hutchins was also gone. PJ Thomas, an administrator at the US Marshals office that the website referenced, said the agency has no record of Hutchins. The friend, citing privacy concerns, asked not to be identified by name in this article.

Screenshot showing Hutchins’ detention.

Hutchins spent the past week in Las Vegas as it hosted both the Black Hat and Defcon security gatherings.

Late Wednesday morning, Hutchins and his friend parted ways as Hutchins left for the airport, where, his Twitter account shows[5], he tweeted over several hours. Then the account went silent, which the friend found odd, since Hutchins typically uses a plane’s Wi-Fi service to stay in contact during flights. The first indication something was seriously wrong came when the friend heard from Hutchins’ mother early Thursday morning; she said Hutchins didn’t arrive in the UK as planned.

“He’s literally off the radar,” the friend said. “I’m very concerned about that. I’ve known Marcus for years. I know everything about him, and I have no idea why he would be arrested.”

Hutchins is a researcher at security firm Kryptos Logic. On the morning of May 12, just as the WCry worm was starting to shut down computers around the globe[6], Hutchins started analyzing the code that made the self-replicating attack work. When he noticed that the code referenced an unregistered Internet domain, he impulsively registered it.

He later learned that the Internet address acted as a kill switch that prevented ransomware infections on computers hit by the worm. Kryptos Logic estimates as many as 727,000 computers may have been hit by the worm[7]. The registration prevented the number from being much greater.

Ars has asked the FBI if Hutchins is in the bureau’s custody, but officials haven’t responded yet.

This is a breaking story that will be updated as more information becomes available.

References

  1. ^ Enlarge (cdn.arstechnica.net)
  2. ^ 11 posters participating (arstechnica.com)
  3. ^ accidentally stopped the spread of the virulent WCry ransomware worm (arstechnica.com)
  4. ^ Enlarge (cdn.arstechnica.net)
  5. ^ Twitter account shows (twitter.com)
  6. ^ WCry worm was starting to shut down computers around the globe (arstechnica.com)
  7. ^ as many as 727,000 computers may have been hit by the worm (blog.kryptoslogic.com)
