By now you might be aware of Marcus Hutchins, the hero who halted the WannaCry ransomware and was arrested by the FBI at Las Vegas airport when he was about to catch a flight back to London, his hometown.
The reason for the arrest was his alleged involvement in developing and distributing the Kronos banking malware, which stole personal data from users around the world. His surprise arrest shocked the security community, which had hailed him for his service in saving tens of thousands of people from becoming targets of the WannaCry ransomware attack.
Now even more shocking facts have surfaced, revealing that GCHQ (the Government Communications Headquarters), the British intelligence and security agency, knew that the FBI would arrest Hutchins whenever he entered the United States.
It is quite a shocker that a government agency would let a man who was hailed as a hero around the world walk into the trap. However, The Sunday Times reported that there had been several cases in the past where UK-based hackers allegedly hacked targets in the US and the British authorities then denied their extradition. Therefore, Hutchins’s arrest would save the government and intelligence agencies from fighting yet another extradition case.

“Our US partners aren’t impressed that some people who they believe to have cases against [them] for computer-related offenses have managed to avoid extradition. Hutchins’s arrest freed the British government and intelligence agencies from yet another headache of an extradition battle,” Sunday Times reported.
In 2012, Theresa May (Home Secretary at that time and currently the Prime Minister of the United Kingdom) blocked the extradition of 51-year-old Gary McKinnon, the UFO hacker, to the United States since he was diagnosed with Asperger’s syndrome, a type of autism.
In 2016, Lauri Love, another hacker with Asperger’s syndrome accused of hacking targets in the United States, was extradited, and if found guilty he could face 99 years in prison. However, in April this year, he also won the right to appeal against his extradition.
As for Hutchins, he is out on bail and can travel anywhere in the country on the condition that he wears a GPS monitor. Hutchins is only allowed to use the Internet if he makes sure not to access the “KillSwitch” he created to halt the WannaCry ransomware attack.
source: https://www.hackread.com/british-intel-knew-wannacry-hero-would-be-arrested-by-fbi/
US Detains, Indicts UK Hacker Who Stopped WannaCry
Back in May, the ransomware WannaCry began infecting critical infrastructure across Europe and in the United States, rising to 230,000 infected machines in 150 countries within a day of its release. The infection was stopped in its tracks when a cybersecurity researcher with Kryptos Logic, Marcus Hutchins (aka MalwareTech), registered a domain that functioned as a sort of kill switch, turning the malware off before it encrypted user data and locked down the system.
Hutchins apparently traveled to the United States to attend the Defcon 2017 conference, which ran from July 27 to 30 at Caesars Palace in Nevada. He was arrested on Thursday by the FBI. (Initially it was reported he was held by the US Marshals, but this appears to have been inaccurate.) The FBI has filed a formal indictment against Hutchins, alleging that he and an unnamed co-conspirator (whose name has been redacted from the filing) “knowingly conspired and agreed with each other to commit an offense against the United States.”
Hutchins is accused of creating a banking trojan known as Kronos in 2014. His unnamed co-conspirator appears to have been responsible for documenting and marketing the product by posting YouTube videos and offering to sell it via online forums. The malware was designed and marketed as being capable of stealing banking credentials by sending infected individuals to fake websites.
Later, in 2015, the redacted co-conspirator offered “cryptying” [sic, likely “crypting”] services for Kronos. A crypting service takes malware, checks whether current antivirus tools detect it, and then attempts to obfuscate the malware code to evade that detection. If you’ve ever used a service like VirusTotal to see whether an application was malicious, this is the opposite: a crypting service takes an infected file and attempts to ensure it isn’t detected, rather than certifying whether a file is actually clean.
The indictment states the Kronos malware was offered on the recently closed AlphaBay website and notes one sale of the software, for $2,000. According to a 2014 story at Threat Post (via Vice), Kronos was offered for $7,000, when the software was apparently in pre-order. The same post notes that the malware went “a step beyond” and came packaged with a Ring 3 rootkit.
The concept of security protection rings is fundamental to how both Linux and Windows protect data and limit functionality according to what resources an application should have access to. Ring 0 is the kernel, the most privileged and least-restricted level, while Ring 3, where ordinary applications run, is the most tightly restricted. At the time, IBM researchers told Threat Post the following:
“By running as a Ring3 rootkit, other processes, including other Trojans, can’t see the elements this Trojan is using: its directories and files, registry entries, and processes. Some financial Trojans look to remove other Trojans that are already running on the infected machine, to allow the new Trojan to steal the information. After all, cyber criminals compete with each other to gain as much information as possible.”
There’s a common trope in TV and films regarding various sorts of expert black hats who later swap a black hat for a white one, or at least an intermediate shade of gray. Based on Hutchins’ job and work on stopping WannaCry, that seems to have been what he attempted to do. The FBI, however, has other ideas — and the statute of limitations on Kronos hasn’t exactly expired.