Hutchins arrest stokes fears among those sharing sensitive threat intel

The arrest of security researcher Marcus Hutchins is troubling members of multiple threat information sharing groups who once counted Hutchins as an ally, but now worry that he could have recorded and shared their sensitive work.

CyberScoop viewed several conversations among threat intel groups that played out in closed chatrooms and email threads. The concern voiced by members of several groups is that Hutchins — who was arrested by the FBI last week and charged with allegedly creating a banking trojan that was sold on dark web marketplace AlphaBay — could have sent sensitive information from the groups to people associated with the cybercrime underground.

“This is bad. We need to assume for the period he was among us, any and all traffic was compromised and could be, along with our names etc. in the hands of various adversaries,” one member wrote in an email.

Additionally, the communications include the opinions of various industry insiders, offering a window into the controversy surrounding the case. Several prominent security researchers believe the FBI’s case is fundamentally flawed due to a misunderstanding regarding Hutchins’ professional work. Others have been quick to blame Hutchins after the indictment was released by the Justice Department.

While also working with GCHQ’s National Cyber Security Centre (NCSC), Hutchins was a member of at least three cyberthreat information sharing groups, each of which was established to circulate data that would be helpful to stop malicious hackers. One such group that Hutchins was involved with focused on the WannaCry ransomware variant; another was interested in tracking popular variants of crimeware. These groups were run by private sector professionals but included participation from government and law enforcement officials.

The NCSC did not respond to a request for comment.

It’s not uncommon for private sector cybersecurity professionals to share data about hackers with government authorities to assist in stopping cybercrime.
Embed from Getty Images

At the moment, CyberScoop is unaware of evidence proving Hutchins acted improperly or leaked content that was shared inside these groups. Nonetheless, forum moderators have already suspended Hutchins’ online accounts; thereby prohibiting him from viewing new posts shared inside the community.

An indictment filed against Hutchins claims he knowingly developed malware that would be used to break into online banking accounts. Hutchins’ legal case is in the early stages; he was scheduled to be arraigned Tuesday, but that has been postponed until August 14. He is pleading not guilty.

Paul Vixie, CEO of Farsight Security and a moderator for a private security group that Hutchins joined in recent months, told CyberScoop that upon hearing news of the case, he instituted “a new policy on the spot: If you are indicted, your membership will be suspended pending the outcome of the trial.”

Experts believe the current legal proceeding against Hutchins could open the door for a bevy of new prosecutions against other information security professionals that reverse engineer malware.

Hutchins rose to prominence earlier this year for his role in curbing the spread of the WannaCry ransomware outbreak.

The charges against Hutchins date back to between 2014 and 2015.

Shaun Waterman contributed to this report