MalwareTech Loses Bid To Suppress Damning Statements

Then 23-year-old security researcher Marcus Hutchins in his bedroom in Ilfracombe, UK, in July 2017, just weeks before his arrest on malware charges.

Marcus Hutchins, the widely acclaimed security researcher charged with creating malware that sold for thousands of dollars on the Internet, has lost his bid to suppress self-incriminating statements he made following days of heavy partying at the 2017 Defcon hacker convention in Las Vegas.

Hutchins—who, under the moniker MalwareTech, unwittingly helped neutralize the virulent WannaCry ransomware worm—was charged with developing the Kronos banking trojan and an advanced spyware program known as the UPAS Kit. The then-23-year-old UK citizen was arrested in August 2017 at McCarran International Airport as he was about to fly home. He had spent the previous week attending the Black Hat and Defcon conferences. Hutchins has pleaded not guilty to the charges.

According to court documents, federal agents questioned Hutchins in an airport interview room shortly after he was arrested. When asked about his involvement in developing malware, the court records show, Hutchins grew visibly confused about the purpose of the interrogation. Eventually, prosecutors said, Hutchins acknowledged that, when he was younger, he wrote code that ended up in malware, but he denied that he had developed the malware itself. After reviewing some source code produced by the agents, Hutchins asked if the investigators were looking for the developer of Kronos. Hutchins then told the interrogators he didn’t develop Kronos and had “gotten out” of writing code for malware before he turned 18.

Allegedly, Hutchins then said he had feared law enforcement authorities would pursue him instead of the actual developer, because pieces of his code appeared in Kronos and that implicated him in the investigation into its creation. Still, he continued to voice confusion about why he was being detained. Almost 80 minutes into the interrogation, agents finally provided Hutchins with his arrest warrant and told him it had nothing to do with WannaCry. During the remainder of the interview, which lasted for another 20 minutes, Hutchins continued trying to be helpful but again noted he had been “out” of “blackhat” hacking for so long that he didn’t have any useful information.

Jailed

Hutchins was then taken to jail, where he made two phone calls. Despite being informed the calls were subject to monitoring and recording, Hutchins allegedly “made incriminating statements,” court records showed, without elaborating.

In a motion filed in US District Court for the Eastern District of Wisconsin, attorneys for Hutchins moved to suppress the statements and any evidence that may have been obtained as a result of them. Hutchins’s grounds are that he didn’t waive his Miranda rights against self-incrimination and that his intoxication and limited understanding of the US criminal procedural system made it impossible for him to voluntarily waive those rights.

In a ruling issued Monday, US District Judge J.P. Stadtmueller of the Eastern District of Wisconsin denied the motion. The 32-page decision cited Hutchins’s own acknowledgment that he was read his Miranda rights, although the ruling noted there was insufficient evidence to establish if Hutchins received his rights at the beginning of the interrogation. The judge also noted that FBI agents testified under oath that the rights were issued at the beginning of the interrogation.

“In light of Hutchins’s admission that he received his Miranda rights, and in light of the agents’ corroborating testimony that this occurred before the interrogation, as well as the lack of any indication of when else he may have received them, the court finds that Hutchins was sufficiently apprised of his rights before the interrogation,” Judge Stadtmueller wrote.

Hungover? Maybe. Drunk? No.

The judge went on to rule that there were sufficient grounds to find Hutchins’s waiver of rights was voluntary. While intoxication, exhaustion, or physical discomfort can all be reasons a waiver might not be considered voluntary, Stadtmueller said it was unlikely Hutchins’s alleged impairment significantly factored into his ability to give a voluntary waiver or to make him more susceptible to coercive interrogation practices.

The FBI agents, the judge said, monitored Hutchins continually since the beginning of the day of his arrest to ensure he was sober when he was detained. They then walked him to two separate locations inside the airport and engaged him in conversations to assess whether he was intoxicated.

“Hutchins appeared to be alert, engaged, coordinated, and coherent,” Stadtmueller wrote. “There is no evidence in the record to the contrary. There is also no evidence, nor does Hutchins claim, that he was under the influence of drugs that day—only that he was exhausted. But a terrible hangover alone does not, as a matter of law, render someone unable to exercise or waive their Miranda rights. This factor does not weigh in Hutchins’s favor.”

Judge Stadtmueller went on to rule against Hutchins’s claim that he was unable to make a voluntary waiver because of his unfamiliarity with suspect rights in US criminal proceedings. The judge also said Hutchins had failed to meet his burden of presenting “clear and convincing evidence” that FBI agents misled him about the true intentions of the interrogation. Hutchins, the judge said, received his Miranda rights and understood he was under arrest for alleged criminal activity that somehow related to Kronos.

What’s more, Stadtmueller said, even though the FBI agents didn’t present the warrant at the outset, the interrogation lasted another 20 minutes. During that time, Hutchins continued to consent to searches and answer questions.

The judge went on to acknowledge that it wasn’t always clear whether Hutchins understood or remembered the criminal charges against him. “At one point in the interrogation, he made a comment that showed that he did not realize he had even been indicted.” But ultimately, Stadtmueller said the scope of the questions should have put Hutchins on notice about the true purpose of the interview.

FBI agents rebuked but ultimately excused

The judge did go on to rebuke the agents for failing to meet their obligation under the Federal Rules of Criminal Procedure to tell Hutchins precisely why he was arrested.

“There is certainly an element of deception to this set of events that the court does not endorse,” Stadtmueller wrote. The judge continued later:

The court is concerned by the abject failure of the agents to abide by the Federal Rules of Criminal Procedure 4(c), but their obvious interest in Kronos—including providing Hutchins with a string of code related to Kronos—leads the court to conclude that there is not clear and convincing evidence that they acted with intent to deceive.

Under the totality of the circumstances—considering Hutchins’s exhausted state, his unfamiliarity with the American criminal procedure system, his high level of intelligence, and the lack of material deception, there is an insufficient basis for the Court to find that Hutchins’s statements were involuntary. It is wholly improper that he was not provided with a warrant immediately upon arrest. But in light of the record of the post-arrest interrogation, the government has met its burden in proving that the waiver was voluntary.

In the same decision, Stadtmueller denied motions by Hutchins that various counts in a superseding indictment be dismissed for a variety of different reasons.

Monday’s decision is the second time Hutchins’s motions to suppress and dismiss counts have been denied. Magistrate Judge Nancy Joseph, also of the US District Court for the Eastern District of Wisconsin, issued a report earlier that recommended denying all motions on largely the same grounds.

Based on the court ruling, it appears likely the statements and any evidence they produced will now be in force while the case proceeds through the lower court. The denial of the motion to suppress the statements is likely to come as a blow to Hutchins’s supporters. During the days before his arrest, Hutchins’s Twitter account chronicled a life of partying and night clubs that isn’t uncommon for people attending Black Hat and Defcon.

If the Twitter account accurately portrays how Hutchins spent his time in the days leading up to his arrest, it’s not hard to see how the combination of extreme fatigue, unfamiliar surroundings, and youth might have contributed to a costly lapse in judgement that could follow him for years to come.
