
United States District Court Eastern District of Wisconsin, United States of America v. (REDACTED) and Marcus Hutchins aka "Malwaretech" Indictment, July 11, 2017. Unclassified.

National Security Archive

May 24, 2026 · 10 min read

The 2017 Wisconsin indictment pulls back the curtain on the U.S. government's first major attempt to charge a young security researcher for selling a banking Trojan.

Source: United States District Court Eastern District of Wisconsin, United States of America v. (REDACTED) and Marcus Hutchins aka "Malwaretech" Indictment, July 11, 2017. Unclassified.
Date: Jul 11, 2017
Archive: Justice Department
Collection: Cyber Vault Additions Aug 16, 2017


Editorial Analysis

Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.

A Rare Glimpse into the Early U.S. Cyber‑Criminal Prosecution

The indictment filed on July 11, 2017, in the Eastern District of Wisconsin is one of the first public documents that attempts to fit a traditional criminal case around the sale of a banking Trojan. The target of the grand‑jury indictment is Marcus Hutchins, a British security researcher better known by his online handle “MalwareTech.” Hutchins, who rose to fame a month later for halting the WannaCry ransomware outbreak, was at the time still a teenager operating in the dark‑web underworld. The charge sheet lays out a classic conspiracy narrative: Hutchins and an unnamed co‑defendant allegedly advertised, sold, and updated a piece of malware called “Kronos,” then offered “crypting” services to hide it from antivirus products. The document’s language—referring to “protected computers” and “electronic devices” that facilitate “surreptitious interception”—mirrors the language of the Computer Fraud and Abuse Act (CFAA) and the Wiretap Act, statutes that have been stretched in the past to reach cyber‑criminal activity.

The Context of Mid‑2010s Cyber‑Law Enforcement

Between 2014 and 2015, the FBI and Department of Justice intensified a campaign against underground markets such as AlphaBay, where malicious code could be bought with cryptocurrency. The Kronos Trojan, first identified by security firms in 2014, was a prolific credential‑stealer that targeted banking credentials worldwide. By charging Hutchins, the government signaled a willingness to pursue not only the operators of bot‑nets but also the developers and vendors of the underlying tools. This indictment arrived just weeks before the high‑profile arrest of “Operation Payback” participants and the takedown of the Darkode forum, illustrating a coordinated push to dismantle the supply chain of cybercrime.

What the Indictment Reveals—and What It Conceals

The text explicitly names Hutchins as a “citizen and resident of the United Kingdom” and lists his alias, but it redacts the identity of his alleged co‑conspirator. The omission suggests either a protective order for a cooperating informant or a strategic decision to shield a larger investigation. The charge sheet’s reliance on “overt acts” such as posting a demonstration video on July 13, 2014, and advertising on AlphaBay on April 29, 2015, provides a timeline that aligns with known forum posts captured by security researchers. However, the indictment’s language is deliberately broad: it accuses Hutchins of “creating” Kronos, yet the technical community later argued that his contributions were limited to analysis and reverse‑engineering rather than original code development. This discrepancy highlights the difficulty of parsing intent and authorship in a milieu where code is frequently shared, forked, and repackaged.

Legacy and Continuing Relevance

Although the case against Hutchins ultimately collapsed—he pleaded guilty to a lesser charge of creating a botnet for DDoS attacks in 2019—the indictment remains a touchstone for scholars of cyber‑law. It illustrates the early attempts of U.S. prosecutors to apply decades‑old statutes to a fluid, transnational digital economy. The document also foreshadows later debates over the scope of the CFAA, especially after the controversial 2021 Supreme Court decision in United States v. Van Buren, which narrowed the Act’s reach. Moreover, Hutchins’ later reputation as a white‑hat hero complicates the narrative: the same individual once painted as a malicious vendor became a celebrated defender against ransomware. The indictment, therefore, serves as a reminder that cyber‑crime attribution is often provisional, and that legal responses can lag behind the rapid evolution of threat actors and their tools.

Why It Still Matters

For historians of technology and policy, the sealed indictment is a primary source that captures a moment when law enforcement, academia, and the underground were intersecting in unprecedented ways. It reveals how the U.S. justice system attempted to map the dark‑web’s commercial infrastructure onto existing criminal law, and how those attempts were contested by the very community they sought to prosecute. As cyber‑security threats continue to proliferate, the Hutchins indictment offers a case study in the challenges of drafting legislation that can both deter malicious actors and avoid criminalizing legitimate security research. Its legacy endures in ongoing policy discussions about vulnerability disclosure, bug‑bounty programs, and the thin line between researcher and perpetrator.


Page 1

CLERK'S OFFICE A TRUE COPY JUL 12 2017 Deputy Clerk, U.S. District Court Eastern District of Wisconsin

UNITED STATES DISTRICT COURT EASTERN DISTRICT OF WISCONSIN

SEALED

UNITED STATES OF AMERICA,

Plaintiff,

v.

Case No. 17-CR-124

[Title 18, United States Code, Sections 371, 1030(a)(5)(A), 2511(a)(1), and 2512(1)(a), (b), and (c)(i)]

and MARCUS HUTCHINS, aka "Malwaretech,"

Defendants.

INDICTMENT

COUNT ONE

THE GRAND JURY CHARGES:

  1. At times material to this indictment:

DEFENDANTS

a. Defendant used the online aliases

b. Defendant MARCUS HUTCHINS was a citizen and resident of the United Kingdom. HUTCHINS used various online aliases, including "Malwaretech."

RELEVANT TERMS

c. A "protected computer" was a computer in or affecting interstate or foreign commerce or communications, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communications of the United States.

Case 2:17-cr-00124-JPS SEALED Filed 07/11/17 Page 1 of 8 Document 1

Page 2

d. "Malware" was a term used to describe malicious computer code installed on protected computers without authorization that allowed unauthorized access to the protected computer.

e. "Kronos" was the name given to a particular type of malware that recorded and exfiltrated user credentials and personal identifying information from protected computers. Kronos malware was commonly referred to as a "banking Trojan."

f. "Crypting" was a term used to describe computer code used to conceal the existence of malware from anti-virus software.

The Conspiracy

  2. Between in or around July 2014 and July 2015, in the state and Eastern District of Wisconsin and elsewhere,

[illegible] and MARCUS HUTCHINS, aka "Malwaretech"

knowingly conspired and agreed with each other to commit an offense against the United States, namely, to knowingly cause the transmission of a program, information, code, and command and as a result of such conduct, intentionally cause damage without authorization, to 10 or more protected computers during a 1-year period, in violation of Title 18, United States Code, Sections 1030(a)(5)(A), (c)(4)(B)(i) and (c)(4)(A)(i)(VI).

Manner and Means of Conspiracy

  3. The manner and means sought to accomplish the object and purpose of the conspiracy included:

a. Advertising the availability of the Kronos malware on internet forums;

b. Selling the Kronos malware;

Page 3

c. Receiving and distributing the proceeds obtained from selling the Kronos malware; and

d. Acts done in furtherance of the conspiracy were concealed and hidden, and caused to be concealed and hidden.

Overt Acts in Furtherance of the Conspiracy

  4. In furtherance of the conspiracy, and to accomplish the object and purpose of the conspiracy, the following overt acts, among others, were committed and were caused to be committed:

a. Defendant MARCUS HUTCHINS created the Kronos malware.

b. On or about July 13, 2014, a video showing the functionality of the “Kronos Banking trojan” was posted to a publically available website. Defendant [illegible] used the video to demonstrate how Kronos worked.

c. In or around August 2014, on an internet forum, defendant [illegible] [illegible] offered to sell the “Kronos Banking trojan” for $3,000.

d. In or around February 2015, defendants MARCUS HUTCHINS and [illegible] [illegible] updated the Kronos malware.

e. On or about April 29, 2015, defendant [illegible], using the name [illegible] advertised the availability of the Kronos malware on the AlphaBay market forum.

f. On or about June 11, 2015, defendant [illegible] sold a version of the Kronos malware in exchange for approximately $2,000 in digital currency.

g. On or about July 17, 2015, defendant [illegible] offered crypting services for Kronos.

All in violation of Title 18, United States Code, Section 371.

Page 4

COUNT TWO

THE GRAND JURY FURTHER CHARGES:

Between in or around July 2014 and August 2014, in the state and Eastern District of Wisconsin and elsewhere,

[illegible] and MARCUS HUTCHINS, aka “Malwaretech”

knowingly disseminated by electronic means an advertisement of any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications, knowing the content of the advertisement and having reason to know that such advertisement will be transported in interstate and foreign commerce.

In violation of Title 18, United States Code, Sections 2512(1)(c)(i), and 2.

Page 5

COUNT THREE

THE GRAND JURY FURTHER CHARGES:

On or about June 11, 2015, in the state and Eastern District of Wisconsin and elsewhere,

and MARCUS HUTCHINS, aka “Malwaretech”

intentionally sent any electronic, mechanical, or other device, in interstate and foreign commerce, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications.

In violation of Title 18, United States Code, Sections 2512(1)(a), and 2.

Page 6

COUNT FOUR

THE GRAND JURY FURTHER CHARGES:

On or about June 11, 2015, in the state and Eastern District of Wisconsin and elsewhere,

[illegible] and MARCUS HUTCHINS, aka “Malwaretech”

intentionally sold any electronic, mechanical, or other device, knowing and having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of electronic communications and that such device and any component thereof was transported in interstate and foreign commerce.

In violation of Title 18, United States Code, Sections 2512(1)(b), and 2.

Page 7

COUNT FIVE

THE GRAND JURY FURTHER CHARGES:

On or about June 11, 2015, in the state and Eastern District of Wisconsin and elsewhere,

[illegible] and MARCUS HUTCHINS, aka “Malwaretech”

knowingly and intentionally endeavored to intercept and procure any other person to intercept certain electronic communications, namely computer keystrokes of others without the knowledge or consent of said others,

In violation of Title 18, United States Code, Sections 2511(1)(a), (4)(a), and 2.

Page 8

COUNT SIX

THE GRAND JURY FURTHER CHARGES:

On or about June 11, 2015, in the state and Eastern District of Wisconsin and elsewhere,

[illegible] and MARCUS HUTCHINS, aka “Malwaretech”

knowingly caused the transmission of a program, information, code, and command and as a result of such conduct, attempted to cause damage without authorization, to 10 or more protected computers during a 1-year period.

In violation of Title 18, United States Code, Sections 1030(a)(5)(A), (c)(4)(B)(i) and (ii), (c)(4)(A)(i)(VI), 1030(b), and 2.

A TRUE BILL:

[illegible] FOREPERSON

Dated: 07/11/2017

GREGORY J. HAANSTAD United States Attorney

Page 9

NATIONAL SECURITY ARCHIVE

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu
