In a surprising twist to what was until now a positive story, the security researcher who stopped the WannaCry ransomware attack earlier this year has been arrested for his involvement with a banking “trojan” virus.

British national Marcus Hutchins (pictured), 23, was arrested at the Las Vegas airport on Wednesday by U.S. Marshals on an indictment relating to his alleged role in the creation and distribution of Kronos. That’s a banking trojan that was designed to steal financial and other personal details from a victim. It first appeared for sale in 2014 on the darknet, the shady part of the Internet requiring special software to reach.

According to the indictment:

“An unnamed co-defendant and Marcus Hutchins knowingly conspired and agreed with each other to commit an offense against the United States, namely, to knowingly cause the transmission of a program, information, code, and command and as a result of such conduct, intentionally cause damage without authorization, to 10 or more protected computers during a 1-year period in violation of Title 18, United States Code, stated in the court document.”

Hutchins came to public attention in May, when he “saved the world” from the rapidly spreading WannaCry ransomware when he “accidentally” discovered a kill switch that could slow the distribution of the malware. The fix was remarkably simple. Hutchins discovered that the code tested for the existence of an unregistered nonsensical domain name, which he subsequently registered, resulting in WannaCry infections that were pinging the domain name ceasing operation.

There are some open questions on the charges, particularly with the unnamed co-defendant who also stands accused of the distribution of Kronos. The majority of the evidence presented so far relates to the co-defendant, who is accused of having provided instructions for using the malware on YouTube and listed it on various darknet marketplaces. By contrast, the indictment ties Hutchins to distribution, but the only evidence points solely to his involvement in the creation of the malware.

That a security researcher could be involved in the creation of malware is not beyond the realm of possibility, but the case does seem strange. That’s particularly so given that according to his Twitter account Hutchins was at one stage looking to investigate the Kronos malware. He even went so far as asking someone to send him a copy, a standard request from a security researcher.

The obvious question is: Why would Hutchins ask for a copy of malware he is alleged to have written? Or was this a ploy at the time to defer any suspicion?

Hutchins remains in FBI custody awaiting his first court appearance.

Photo: Marcus Hutchins/Facebook