Marcus Hutchins, the British security researcher known as MalwareTech, has been hit with new charges, prosecutors said in a court filing first made public on Wednesday.
According to the government, Hutchins created a second piece of malware, known as “UPAS Kit,” and also lied to the FBI while being questioned last year in Las Vegas.
The superseding indictment describes UPAS Kit as being designed to facilitate “the unauthorized exfiltration of information form protected computers. UPAS Kit used a form grabber and web injects to intercept and collect personal information from a protected computer.”
Hutchins is accused of creating UPAS Kit and selling it to someone who went by the name VinnyK (aka “Aurora123”), who in turn distributed the software to another person in Wisconsin in 2012. (This is seemingly why the case was brought in federal court in Milwaukee.)
On Wednesday, he asked his supporters for financial donations to support his legal defense.
Spend months and $100k+ fighting this case, then they go and reset the clock by adding even more bullshit charges like “lying to the FBI”.
We require more minerals.
— MalwareTech (@MalwareTechBlog) June 6, 2018
As Ars has previously reported, the 24-year-old security professional who accidentally stopped the spread of the virulent WCry ransomware worm in May 2017 was indicted in August 2017 of being part of a conspiracy that created and distributed Kronos. He pleaded not guilty at a court hearing on August 14, 2017 in Milwaukee.
Hutchins now faces four additional criminal charges, for a total of 10.
The British national was arrested after leaving the Black Hat and DEF CON security conferences in August. He has been unable to leave the US since that time due to his pending criminal charges, and now lives in Los Angeles.
Recently, he appeared at an evidentiary hearing on May 16.
One of his lawyers, Brian Klein, said Wednesday on Twitter that the new allegations against Hutchins were “meritless.”
@marciahofmann and I are disappointed the govt has filed this superseding indictment, which is meritless. It only serves to highlight the prosecution’s serious flaws. We expect @MalwareTechBlog to be vindicated and then he can return to keeping us all safe from malicious software https://t.co/E1M0qod3CN
— Brian Klein (@brianeklein) June 6, 2018