On Wednesday, Aug. 2, someone withdrew roughly $140,000 from three bitcoin wallets linked to the May 2017 WannaCry ransomware attack and transferred the funds into several additional accounts.
On Wednesday, Aug. 2, someone withdrew roughly $140,000 from three bitcoin wallets linked to the May 2017 WannaCry ransomware attack and transferred the funds into several additional accounts.

The FBI on Wednesday arrested U.K. researcher Marcus Hutchins, who was internationally celebrated after disabling WannaCry ransomware with a kill switch he reported discovering. On the same day, separately, the adversaries behind the May 2017 ransomware campaign apparently emptied their bitcoin wallets, after lying low for roughly 12 weeks.

Citing a spokeswoman from the U.S. Marshal's Service, a report from Motherboard states that Hutchins was picked up by authorities in Las Vegas, where he was attending the Black Hat and DEF CON conventions.

According to a federal indictment and corresponding Department of Justice press release, the U.S. has formally charged Hutchins with one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavoring to intercept electronic communications, and one count of attempting to access a computer without authorization.

Specifically, the U.S. is alleging that Hutchins created the Kronos banking trojan and conspired with others in a plot to advertise, sell and profit from the malware between July 2014 and July 2015, in the process causing damage to at least 10 protected computers within a one-year period.

Filed on July 11, 2017 in the Eastern District of Wisconsin, the indictment states that the Kronos malware records and exfiltrates users' banking credentials. It also references a July 2014 video that was published on a publicly accessible website in order demonstrate Kronos' capabilities to potential buyers.

Meanwhile, it was Keith Collins, a tech reporter at Quartz, who disclosed the WannaCry cryptocurrency transactions, after a Twitter bot he set up detected that someone withdrew roughly $140,000 from three bitcoin wallets in multiple installments of roughly $19,000-$27,500.

"The money was likely sent through a bitcoin mixer, a process that obscures its trail from bitcoin to hard currency. The process is a sort of laundering operation for digital currency," explained Collins in a blog post detailing his observations.

"It was thought that there was so much attention to those particular accounts by law enforcement and by other agencies as well that the [bitcoin] stored in those wallets wouldn't have been able to be released. There was just too much heat, as it were," said Carl Leonard, principal security analyst at Forcepoint, in an interview with SC Media. "But... what we're seeing is large chunks of that money are being taken bit by bit through the bitcoin exchange system. The malware authors are now trying to spread those funds around in order to get them outside of the bitcoin platform." Leonard said that monitoring this activity could help investigators in identifying additional abused cryptocurrency accounts and wallets, if not necessarily the perpetrator.

The prevailing theory among experts is that the WannaCry attack was launched by North Korea-sponsored hackers.

However, Orla Cox, director of security response at Symantec, said that it's not entirely certain who emptied the wallets. “There is no way of knowing whether it was the WannaCry attackers, or even law enforcement, that accessed the three bitcoin addresses," she told SC Media, passing along a quote she had previously provided to Bloomberg Technology. Additionally, "These addresses may not represent all of the attackers' earnings as WannaCry can generate unique bitcoin addresses per infection."

The WannaCry attacks shut down endpoints and organizations in more than 150 countries, spreading across networks using a wormable exploit. Its propagation was halted, however, after Hutchins, also known by the handle "MalwareTech," triggered a kill switch mechanism by registering an unclaimed domain that the ransomware was attempting to query.

In a tweet, the Electronic Frontier Foundation digital rights group commented that it is "deeply concerned about security researcher Marcus Hutchins' arrest. We are looking into the matter, and reaching out to Hutchins."