The British man charged in the U.S. with developing the “Kronos” banking malware has been indicted under a new set of criminal accusations that say he developed and sold the “UPAS Kit” spybot virus.
The new indictment also charges the man, Marcus Hutchins, with lying to the FBI about knowing his code was a part of Kronos.
Hutchins, who has repeatedly denied any illegal activity and is now living in California on bail, responded quickly on Twitter, saying “these [expletive]nuggets just won’t give up.” He quickly deleted that tweet.
Hutchins’ defense team has been continuously battling federal prosecutors over evidence used in the case. While the court continues to consider the defense’s arguments about the original charges, prosecutors brought a new indictment this week.
The charges of lying come from an exchange that Hutchins’ defense team is disputing and hoping to see dismissed. It was an Aug. 2, 2017, discussion — while Hutchins was in federal custody — in which prosecutors say Hutchins “knowingly and willfully made a materially false, fictitious, and fraudulent statement … that he did not know his computer code was part of Kronos” until 2016 when he reverse-engineered the malware.
As journalist Marcy Wheeler noted, however, prosecutor Dan Cowhig told a judge just two days later that Hutchins “admitted that he was the author of the code that became the Kronos malware and admitted that he sold that code to another.”
Hutchins’ team is trying to have the exchange dismissed because, they assert, the FBI agents who arrested him intentionally misled him about why he had been arrested and did not properly inform him of his rights as a suspect in the United States. All of that happened after Hutchins was “exhausted at the tail-end of a week-long partying binge [at the Def Con cybersecurity conference], about which the agents were on notice,” the defense lawyers told the court.
A related piece of evidence the defendant is looking to have dismissed is the transcript of a phone call from jail, on the grounds that Hutchins was “sleep-deprived and intoxicated.”
“I used to write malware, they picked me up on some old [expletive],” Hutchins told an unidentified person, according to the phone transcript. “I wrote code for a guy a while back who then incorporated it into a banking malware.”
UPAS Kit is described by prosecutors as a bot that “allowed for the unauthorized exfiltration of information from protected computers” that “used a form grabber and web injects to intercept and collect personal information.”
The malware was advertised to “install silently and not alert antivirus engines.” Prices ranged above $1,000, according to advertisements dating back to 2012.