
US Authorities Detain Man Who Stopped WannaCry

United States authorities, reportedly the FBI, have detained Marcus Hutchins, the UK security researcher who stopped WannaCry’s destructive spread by registering a domain name that was featured in the virus’ code. Known online by the handle MalwareTech, Hutchins apparently stopped WannaCry in the course of his duties at cybersecurity firm Kryptos Logic, though it’s reported that he did so by accident. He went on to make a number of appearances at security events, and it was after one such event, Def Con in Las Vegas, that he was reportedly taken into custody. He was verified to have been detained at Henderson Detention Center in Nevada as of early Thursday morning, but close friends who tried to visit him there say that he was gone by the time the detention center opened.

It was originally thought that Hutchins was taken into custody by US Marshals, but they had no record of detaining him, and a US Marshals spokesperson said that colleagues in the area had informed him that the arrest was actually ordered by the FBI. An individual on Twitter by the name of Andrew Mabbitt claims to have located Hutchins at the FBI’s Las Vegas field office, and is working on obtaining legal representation for him as of this writing. There is no official word on the matter thus far from anybody besides the aforementioned US Marshals spokesperson, and the FBI has yet to issue any official comment or reveal to the public why Hutchins was detained. UK authorities have deferred to US law enforcement on the matter, which presumably means that they are cooperating with US authorities in the case.

WannaCry mainly attacked Europe and the UK, but it’s not a huge logical leap to assume that it’s somehow linked to Hutchins’ arrest, since its building blocks, the EternalBlue exploit, were built by the United States’ National Security Agency. According to Hutchins’ account of events on his blog, he noticed reports of WannaCry soon after it began spreading, obtained a sample of the virus, and put it into his analysis environment. When he saw an unregistered web domain in the code, he simply registered it, unaware of its function, which ended up stopping the malware from being able to “phone home”, thus stemming its spread and all but defeating it then and there.