
The Dark Secrets of a Hacking Hero

In May of 2017, Marcus Hutchins saved the internet. A vicious ransomware attack known as WannaCry had infected computer systems across dozens of countries. It was the worst cyberattack in history at the time, and it seemed unstoppable. But Hutchins, a 23-year-old hacker in Ilfracombe, England, discovered a secret kill switch that stopped the malware from propagating. Hutchins became a celebrity overnight, with the hacker community and the media hailing him as a hero. But all of the newfound attention was not good for him. Three months after defeating the malware, Marcus was arrested by the FBI—not for his involvement in WannaCry, but for a string of past illegal activities that he had kept secret.

This week on Gadget Lab, WIRED senior writer Andy Greenberg joins us to talk about Hutchins' remarkable story. In the second half of the show, Andy gives us an update on the efforts to set up a contact tracing system to monitor the spread of the coronavirus.

Show Notes

Read Andy’s cover story about the hacker who saved the internet here. His story about contact tracing in India is here. Also check out Andy’s book, Sandworm. Read more about the WannaCry ransomware attack here. Follow all of WIRED’s cybersecurity coverage here.


Andy recommends the book The Mastermind by Evan Ratliff. Lauren recommends NPR’s Planet Money podcast. Mike recommends The New York Times Magazine story “What Happened to Val Kilmer? He’s Just Starting to Figure It Out.”

Andy Greenberg can be found on Twitter @a_greenberg. Lauren Goode is @LaurenGoode. Michael Calore is @snackfight. Ring the main hotline at @GadgetLab. The show is produced by Boone Ashworth (@booneashworth). Our executive producer is Alex Kapelman (@alexkapelman). Our theme music is by Solar Keys.

If you have feedback about the show, or just want to enter to win a $50 gift card, take our brief listener survey here.

How to Listen

You can always listen to this week's podcast through the audio player on this page, but if you want to subscribe for free to get every episode, here's how:

If you're on an iPhone or iPad, open the app called Podcasts, or just tap this link. You can also download an app like Overcast or Pocket Casts, and search for Gadget Lab. If you use Android, you can find us in the Google Play Music app just by tapping here. We’re on Spotify too. And in case you really need it, here's the RSS feed.


[Intro theme music]

Lauren Goode: Hi, everyone. Welcome to Gadget Lab. I'm Lauren Goode, a senior writer at WIRED, and I'm joined remotely by my cohost, WIRED senior editor Michael Calore. Hey, Mike.

Michael Calore: Hello. Hello.

LG: Nice to hear from you again. Nice to see you over Zoom, although we can't be in person in studio.

MC: Good to see you too.

LG: And we are joined this week by WIRED senior writer Andy Greenberg, who's also the author of Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. Andy, thanks for joining us.

Andy Greenberg: Hi, guys. Nice to see you, remotely.

LG: Andy, I just learned that it's been a really long time since we've had you on the WIRED podcast, possibly six years or so? We were trying to figure out when, but I'm happy to say that nothing has changed since then. There's no news. The world is not dramatically different since the last time you were on the Gadget Lab podcast.

AG: So, we'll just call this a wrap.

LG: Exactly.

AG: Go ahead, drink some coffee.

LG: We've actually brought Andy on this week to talk about a really compelling story he wrote that published this week on WIRED.com. It's the most popular story on our website right now, and for good reason. It's called "The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet" and it's also WIRED's June cover story.

So back in 2017, Hutchins put a stop to a malware called WannaCry, which some of you might remember. At the time, it was the worst cyberattack in history, but Marcus found a way to neutralize it. Effectively, he found the kill switch. Then just three months later, the FBI arrested him, accusing him of creating a different type of malware years earlier.

Andy, you take us through Marcus' remarkable life, and he's still relatively young. So he's done a lot in a short period of time. You go over some of the mistakes he made and the person he has become. What made Marcus want to tell his story?

AG: Well, Marcus is a really complicated guy, and the story is really complex. I think everyone in the cybersecurity community kind of had their own version of this story in their heads. They saw Marcus as this hero who in May 2017 had stopped WannaCry, which was this $8 billion cyberattack. It's still the second worst cyberattack in history. Other people saw him as this villain, this imposter, a cybercriminal, a kind of wolf in sheep's clothing or something. And so I think in part, Marcus wanted to replace all of those stories that people had in their heads about him with the full kind of definitive warts and all story. It took years of me asking for him to agree to finally tell that story. We had to wait essentially for his entire case to be adjudicated, for him to go through indictments and arraignment and pleading guilty and then being sentenced.

I don't want to spoil the end of the story, but essentially for his case to be over, for him to talk about all of it. I think another big motivation here was that we called this story "The Confessions of Marcus Hutchins," and that is definitely in part what it was. I mean, Marcus is a young guy who has been through a lot and has done a lot of bad things, as well as the good things that made him this kind of hero to many. And he talked about wanting to actually get that stuff out in public. He actually wanted to confess all of this in the middle of his case, and his friends and lawyers persuaded him not to because of course that would be a disaster. That would have probably resulted in him going to prison.

But when Marcus was arrested in August 2017, he was taken up as this kind of cause célèbre, this like martyred hacker hero, who had saved the internet from this cyberattack and then had been treated by the FBI as a villain. And nobody understood why, and a lot of people thought that it was a misunderstanding or at the very least that he was innocent of whatever crimes he was being accused of. And he was going to be railroaded by the US justice system the same way that Chelsea Manning was and Aaron Swartz was, so he became this kind of this person that people rallied to as this misunderstood, innocent hero. And he felt really guilty about the fact that he was not innocent. He had done the things he was accused of, but he couldn't say that. So this finally is Marcus telling the whole story of all of those things that he did, the good things and the bad things. And he was very eager to tell that story when the time was right.

MC: And to be clear when he was picked up by the Feds and arrested, it wasn't necessarily because of his involvement with WannaCry. It was because of his involvement with a previous hacking project from years earlier. Can you tell us a bit about that?

AG: That's right. So the real part of the story that had never been told before is that cybercriminal history, and Marcus was a kind of hacking prodigy and built his own computer at the age of 13. Then was writing malware by the age of 14, was operating botnets like collections of hacked computers, thousands of computers around the world by the age of 15, and ghostwriting professional cybercriminals' malware as a teenager in his parents' home in England. So ultimately what he was charged with was the creation and the maintenance of these two pieces of malware called UPAS Kit and Kronos is the big one. Like the kind of cardinal sin of his whole story is that he built this banking Trojan called Kronos that really did get around the world and at least infected probably hundreds or thousands of computers and was no doubt used to steal people's savings.

But the story that I wanted to tell, that Marcus wanted to tell too, is about how he was kind of slowly seduced into that criminal world and step-by-step in this kind of, I don't know, amoral Lord of the Flies way, just kind of took one step after another into immorality. And before he knew it, was kind of doing things that he knew were wrong and very conflicted about it in some cases.

And part of the story is that he was kind of pulled in by this Lothario figure, Vinny, who is this still unindicted co-conspirator. The Feds, as far as I know, are still looking for Vinny, who was sort of Marcus's partner or boss, and the one who was doing the actual selling of Kronos on black markets on the web. Vinny kind of reeled Marcus in and slowly persuaded him step-by-step and maybe even kind of pressured him or tricked him ultimately into building some elements of Kronos that made it this powerful banking Trojan. So that is the first half of the story. It's this kind of very sad descent into, I don't know, the darkest parts of the web.

LG: You teed up my next question perfectly because I was wondering whether to this day, anyone really knows who Vinny is and not just Vinny, but also Randy, who was another person on the internet who Marcus connected with and ended up sharing personal information with.

AG: Yeah, I don't know the identities of either of those people, Vinny or Randy. Vinny is the real mystery here. Vinny, as I was saying is, was Marcus's kind of partner who was doing kind of the real hardened criminal in this story and the one who kind of represents the worst kind of darkest period of Marcus's life as a cybercriminal teenager. Well, Marcus tells me that he doesn't know Vinny's identity either and it seems like the FBI doesn't know who Vinny is. Part of the reason that they arrested and indicted Marcus, it seems, was that they were trying to flip him and get him to act as a cooperating witness and tell them what he knew about Vinny, which was not that much, it turned out.

Now the other person you mentioned is Randy, who's this other interesting character who Marcus saw as this kind of, he was a friend of Marcus's and Marcus saw him as a kind of Robin Hood figure who was involved in cybercrime too, but he was using his profits for kind of philanthropic things like coding education for kids and they would even video chat. Marcus did know, does know Randy's real identity, would not tell it to me. And ultimately, it was Randy who informed on Marcus and gave the FBI the evidence they needed to arrest and indict him and ultimately convict him in fact.

So, the FBI absolutely knows who Randy is, he is their informant, but I don't. And I guess I'm certainly not interested in his story like this and trying to out an FBI informant and get him potentially killed by all the people that he's informed on. So it wasn't the question that I pressed too hard on.

MC: You know, as Marcus was moving from being a teenager into being an adult, he was sort of, as you mentioned, going through all of these moral and ethical conflicts about the work that he was doing. So he eventually went legit and very quickly found work as a security researcher, primarily tracing botnets, basically mapping their activity around the world. Can you tell us about what that work is and why it's useful to security researchers?

AG: Well, botnets are these collections of sometimes hundreds of thousands or millions of computers infected with malware that are being controlled by some hacker somewhere. And they're used to launch denial of service attacks where all the computers send junk traffic at one target at the same time to knock it offline. Or, they can just kind of be harvested for their own contents. All of these hacked machines can have their banking information stolen.

So it's really important, there are lots of companies that try to act as a kind of alert system to tell you if your company, if you are part of a botnet, you want to know. You don't want to have your computer being used in these kinds of cyberattacks and you don't want to have your data stolen. But what Marcus was particularly talented at, it turned out, was getting a hold of the malware that composes botnets that is installed on a computer to sort of enslave it in one of these zombie botnets and then reverse engineering that malware to figure out how the computers in a botnet spoke to each other, like the kind of protocol that they communicated with. And then he could basically mimic that protocol on his own computer. He would kind of recreate the communications element of the malware and that allowed him to kind of infiltrate the botnet's communications network.

A lot of these botnets, and some of them communicate to like one server that is their command and control server and that's what tells all the computers in the botnet what to do. But a lot of them communicate to each other in this peer to peer system that makes the botnet a lot harder to take down for law enforcement, for instance. But that also means that if you have one node in that botnet, you can listen in to all the commands that they're receiving and even speak to other bots.

So what Marcus was doing eventually for one botnet after another was infiltrating them, becoming a part of them and then listening in, and that would allow him to identify sometimes all the other computers that were infected and part of that botnet. Or in some cases to intercept the commands that were being sent to all those bots and tell in real-time who was being hit with cyberattacks, for instance. And all of this is really helpful, kind of intelligence for people who are both in the botnet or the victim of the attacks. And that got him a very well paid and prestigious job at this company, Kryptos Logic, where he was kind of a rising star. And that was kind of the next phase of his life after he broke free of this cybercriminal past. He became this kind of botnet whisperer.

LG: Andy, the story is really masterfully told. It's got an amazing narrative arc. You see the rise of this young star hacker and then his past catch up with him. The ending is really great. I highly recommend everyone go to WIRED.com or pick up the June issue if you can and check it out because it's that good.

I had one more question for you. During the effort by Marcus and his legal team to clear his name, at a time when they accepted a plea bargain, Marcus tweeted something that suggested that you don't have to dabble in the dark side of the cyber community in order to be a white hat. Do you think that's true in the hacking community?

AG: Yeah. Well, the tweet that you're referring to, I actually think it's like, I fought with my editors about whether it should be in the story because it complicates the story in a way. Like it's easy to tell this story that, "Oh, isn't this interesting, this kid who has this cybercriminal background, that's what made him so knowledgeable and that's how he was able to do this incredible work to track all of these botnets. And then ultimately in the kind of climax of his heroics, that work allowed him to stop WannaCry too and kind of save the whole internet, stop this $8 billion cyberattack." It's kind of a tidy, convenient story to tell. Like, only because he had done these bad things, was he ultimately able to do this good thing.

But this is a complicated story and Marcus doesn't believe that that's true. And I think it's really to his credit, he tweeted out just as he was pleading guilty as you were saying that, "No, you don't need to take this path to do great things in cybersecurity. That you can just stick to the good side and that you should." So to me, I don't know, it was important to me to avoid that kind of easy story to tell and to Marcus too, and to tell like a very real and complex story about the fact that people can just do very bad things and then do very good things and people change and are complex and that there is a big spectrum of morality.

LG: We're going to take a quick break. When we come back, Andy's going to join us again to talk about contact tracing.


LG: Welcome back. Andy, while we have you on the show this week, we wanted to ask you about contact tracing, which is one of the efforts being used to minimize the spread of the coronavirus. Contact tracing is something that you and some of our other colleagues at WIRED have written about. And a few weeks ago there seemed to be some encouraging news that Apple and Google were actually working together to introduce software kits that could help make contact tracing apps a thing here in the United States. But so far, it doesn't seem as though contact tracing is being received in the same way here in the US as it is in other countries. And maybe it won't gain traction in the same way. What's the latest on contact tracing?

AG: Well, Apple and Google have now actually released not just the kind of schematic for what they're offering, which is this actually very conservative, very privacy-preserving Bluetooth-based approach to… They wouldn't even call it contact tracing, they call it exposure notification because they don't want to give any sense that you can trace someone's movements. Or that government contact tracers, who are people, will be able to use this. In fact, all of it is just to inform individuals on their phone if they've been exposed. So that's why it's called exposure notification. But the latest is that they have now also not just released the schematic for this, but the actual code and there's a beta of the API that developers can start to look at to build their own apps. And I personally think that, I don't know, I'm not usually a big cheerleader for tech companies just kind of like in general. But I do believe that Apple and Google's approach is smart here.

The system that they're offering in their operating systems, Android and iOS, to the people who will actually build these apps, the government agencies, who will build the exposure notification apps, does not actually follow people's locations. And it doesn't really collect anything from the vast majority of people's phones. Only people who are diagnosed as COVID-19 positive can choose to alert other people that they've come into contact with, but in a way that if it's done right, if it's implemented correctly, actually no authority will ever be of. Only the people who came into contact with them will receive this notification. So it's a super, it's kind of like the minimalist's approach to this, which I think is smart because you need something like 70% of a country's population for this to work.

So every story that I've written about this has been flooded with comments on Twitter about how, "I'm not going to buy into this Apple, Google panopticon." There's so much skepticism, privacy skepticism about Silicon Valley. This is a massive uphill battle and we need to be able to say to people, "There is almost no privacy risk here or there is minimal privacy risk or there won't be anywhere close to the adoption necessary for this to be meaningful."

I am a fan of Apple and Google's approach and I hope that some countries actually adopt it. It seems like European countries in particular actually want more information than what Apple and Google are offering them. So there's a lot of conflict right now between countries like France and the UK, actually the UK I think now has come around to the Apple and Google protocol. But France has been fighting with Apple and Google because they want more information. They want to be able to learn more than what this Apple and Google system offers them. They want to actually have a centralized database of who's coming into contact with whom, which Apple and Google don't want to give them essentially. So this is the fight and now we're going to have to see what happens in the US.

It seems like as with most things related to COVID-19, the federal government is doing nothing and leaving it to the states to figure this out. So it's going to be this piecemeal thing where we have to look at every state's or regional approach and see how they implement this system or some other system, whether they're trying to just like collect people's location data, which can be very dangerous, or whether they're taking this very privacy-preserving approach instead.

MC: You know, I think that that friction is really interesting. The one that you speak of where there are a lot of people who are unwilling to turn over the kinds of information that these apps collect. When in reality, the types of information that these apps collect are pretty benign and there's not really a lot of identifying information that is being transmitted.

In contrast, of course every day, when you walk around with a cell phone, or when you spend time on the internet, you're being tracked by Ad Tech companies which are the systems that hoover up all of the information that they can use to sell you targeted advertising. So, how do we communicate that to people? That like, if you're unwilling to participate in a large scale data collection project for the good of public health, you should also know that you're already participating in a large scale data collection system for the commercial gain of advertising companies.

AG: Well, that is such a complicated message to give to people like, "Listen, buy into this Google and Apple system because this one is actually fairly private." Let's set aside the fact that Google in particular is tracking you in ways that are vastly more centralized and invasive all the time. As well as of course your carriers, in particular your phone carriers, are, I would say in some ways even more dangerous; they have all of the cell tower data about where you are at all times. You probably have location services turned on and there are features of Google Maps that people opt into that follow them everywhere they go constantly. I mean, as you were saying, Mike, there are Ad Tech companies that are following your movements inside of stores and things.

So at some point when someone is diagnosed with COVID-19 positive, they have to tell the server that so that everybody they've been in contact with can be notified. Now that should be done anonymously but if the app maker implements this incorrectly, they might tie that to the person's IP address and be able to learn who is sick. And that could be bad, but I guess that many people, many governments in fact, already have databases of everyone who is sick and they want to have that information. So, the risks are not negligible and they are particularly sensitive in some ways because they're about health. They're about a very serious disease, but at the same time, as you were saying, Mike, we all open our private lives, our digital lives to these companies in so many other ways that people just neglect to think about all the time.

So this is a case where the trade-offs are pretty real. Like you could actually help in some maybe marginal, but maybe real, way, to allow people to get back to normal life by installing this app.

LG: Andy, what do we think will happen next with contact tracing apps in the US?

AG: I think we're going to see probably a state-by-state rollout, if anything. I mean, it could be that the US just decides not to even try this, which I think would be a shame, but there's been so much skepticism in the media, which I think often doesn't understand how these things work and overplays the privacy risks. Or, simply the kind of techlash and inherent privacy skepticism of the people who would use these apps could simply kill it here in the US, and I wouldn't be surprised if we don't see it at all. But if we do, I think it will be on a state-by-state basis, and some of the apps will use Google and Apple's system. Some will probably use their own, like, home-rolled, Genki problematic systems, and I think that we're going to have to kind of watch them one by one to see who is doing this right and who is doing it wrong. And the ones that do it wrong, it could be very dangerous.

I wrote a story just this past week about India, where they have implemented—they built their own system. They've made it mandatory for millions and millions of people; 90 million people have installed their contact tracing app. And then it turns out that you can essentially, at least in some less-densely populated areas, identify sick people just as, not as the government, but any hacker can reverse engineer the app and send requests to the server and figure out where sick people are down to a few meters, perhaps. So the pitfalls here are real if you do this wrong.

LG: Thank you for that update. We're going to take one more quick break. And when we come back, we're going to do recommendations, and Andy is going to join us.


LG: All right, Andy, what's your recommendation this week?

AG: Well, it's not like a "this week" recommendation, particularly, except that I guess it sort of is relevant in some ways to the Marcus Hutchins story. I loved Evan Ratliff's book The Mastermind, which published, I don't know, when was that, last year at this point? Evan Ratliff is a former WIRED writer, and the story he tells is about this young cryptogeek kid, Paul LaRue, who just begins to dabble in crime, kind of cybercrime. He builds some encryption tools, but then he eventually kind of leaves behind these nerdy crimes and just takes one step after another into evil and becomes this global criminal mastermind kingpin who is involved in everything from North Korean methamphetamine production to trying to stage a coup in Somalia.

I mean, the story is just so amazing. And so the Marcus Hutchins story that I was trying to tell in some ways is about this kid, similarly, who just descends into online immorality but then kind of miraculously rescues himself and rehabilitates and becomes this hero. The Mastermind, to me, is this, I mean, in some ways even more interesting story of what happens when that kid just goes deeper and deeper and deeper, to a degree of just absolute deplorable behavior that is just, it's hard to even fathom. And it's just an epic book. I think Evan spent five years writing it, and it's a great read.

LG: Mike, what's your recommendation?

MC: Well, I mean, we should also note that Andy wrote a book called, Sandworm, last year which is excellent. You should also read that one after you finish Evan's book.

AG: Very kind of you, Mike. Thank you.

MC: So my recommendation for this week is a profile of Val Kilmer that ran in The New York Times Magazine last week. It's written by Taffy Brodesser-Akner, and if you're familiar with her work then you know that it's very in-depth and beautifully written and a lot of fun. It's a crazy journey. Val Kilmer, of course, the matinee idol of the '80s and '90s. He was in Top Gun. He played Jim Morrison in The Doors. He played Doc Holliday in the film Tombstone. And then about six or seven years ago, he just kind of disappeared. So what happened to Val Kilmer? She meets with him and hangs out with him and tells you exactly what happened to him. It also traces his career. It's just a fantastic profile. So there's two ways to get into it. One is you can read it in The New York Times Magazine on The New York Times website, but I would also recommend that you listen to it.

So last year, at some point, The New York Times bought a company called AUDM, A-U-D-M, which does spoken editions of long stories on the internet. They do some stories for WIRED, and they do a lot of The New York Times long-form stuff. And you can listen to it in their app, but also The New York Times has been publishing its long-form, like weekly reads, on The Daily podcast feed. So if you subscribe to The Daily podcast then you probably saw this pop up last Sunday. I think the episode was titled "Ice Man in Winter," of course referencing Val Kilmer's character name from Top Gun. So if you can listen to it, it's really extra special, but you can also just read it. So that's my recommendation: "What Happened to Val Kilmer?" by Taffy Brodesser-Akner.

LG: I feel like Taffy could write a profile of a box of crackers and I would read it. She's just, she's really so talented, incredibly talented. And I will say I know it is against her ethics—I know it is against all of our ethics—to accept any gifts that are given to us from sources, but I hope she does get to keep the painting for a while. It seemed meaningful to her, which you will understand if you go read this profile.

MC: True. Lauren, what's your recommendation?

LG: My recommendation this week is Planet Money from NPR. It's a podcast. It's not a new podcast. It's been around for a while, but I think they're doing a particularly good job during this time of economic uncertainty. The most recent episode was about the restaurant from the future and the ways in which the industry is rethinking restaurants.

There was a really good episode back on May 1 called "About that Hazard Pay," where they spent the morning at a grocery store and talked to an essential worker and heard directly from that worker and talked about it. And basically this grocery store worker would make more money if she were laid off at this point and could collect unemployment because of the additional unemployment benefits that are being given to workers. But she kind of feels like it's her duty to continue to work at this grocery store, and she's putting herself at risk every day by doing so.

It was a really compelling episode. Their episodes about buybacks and bailouts, episodes about the price of a barrel of oil in the United States and what's going on there. It's just very good. They do a fantastic job. They're not super-long episodes. They're usually somewhere between 15 and 20 minutes. So I highly recommend that you give Planet Money a listen.

MC: Solid.

LG: All right. That's our show for this week. Thanks very much to Andy Greenberg for joining us.

AG: Thank you guys for having me on. It was fun.

LG: And thanks to all of you for listening. If you have feedback, you can find all of us on Twitter. Just check the show notes. This show is produced by Boone Ashworth. Our executive producer is Alex Kapelman, we'll be back next week and, until then, be well.

[Outro theme music]
