Alleged UK hacker Marcus Hutchins was arrested in Las Vegas after attending Black Hat and Defcon this year. Marcus allegedly had developed a Trojan malware that targeted and compromised banking operations, and he sold his wares in 2014-2015. He is also given credit for stopping the recent WannaCry ransomware attacks that affected hundreds of thousands of systems around the world back in May.
So is Marcus a hero or villain? Should he get a pass on his alleged indiscretions two to three years ago since he helped so many this year?
I've been reading the comments of many of my Facebook friends arguing both sides. Passion on both sides. Some are trashing the FBI for arresting Hutchins and violating some perceived truce between the law enforcement community and the hacker community at Black Hat and Defcon. This may come as a shock to some, but there is no truce at Defcon.
While attending Black Hat and Defcon and running the "Meet the Fed" panels there for 12 years, we had clear objectives:
- Gain insight into our adversary (criminals)
- Recruit informants (sources)
- Educate the audience on our progress in investigating cyber crime
- Dissuade folks from going to the dark side (lots of young kids attend)
- Recruit technically savvy people to join our ranks
I have many friends in both communities, and if you research history, the FBI has done this before. This wasn't unique and it's certainly not personal. Law enforcement is just doing their job. It's not surprising that the FBI investigated the allegations, followed leads, and seized the opportunity to arrest an indicted suspect that had voluntarily traveled to their jurisdiction.
This saved government countless time and money and maximized the use of some highly skilled but scarce resources to avoid the extradition process. Good for all of us.
Law enforcement's job is to investigate and arrest, and to do it in the most effective, efficient, and legal way possible to save taxpayer money – not to make judgments about whether Marcus is a good guy or a bad guy. That's what a judge and jury are for.
Maybe the judge can take Marcus’s recent actions into consideration during sentencing if he's convicted. But that's not law enforcement's job.
My personal opinion is that people should be held accountable for their actions. Both positive and negative actions. I wonder how many Facebook friends this will cost me...
Jim Christy is VP of Investigations and Digital Forensics at Cymmetria. Jim retired from the U.S. government in 2013, ending a career investigating computer crimes and running digital forensics labs that began in 1986 at the Air Force Office of Special Investigations.
Jim can be reached by email at firstname.lastname@example.org.
Connect with Jim on Twitter: @jimchristyusdfc