He Won Praise for Halting a Global Cyberattack. Then He Was Arrested

Awadh Jamal (Ajakai)
A British security researcher, who became an internet hero after he was credited with stopping a malicious software attack this year, was arrested at the Las Vegas airport and charged in connection with a separate attack.

Marcus Hutchins, the researcher, was widely praised for identifying a way to disable the WannaCry malicious software, or malware, attack that seized hundreds of thousands of computers this year. Researchers credited Mr. Hutchins’s discovery of a so-called kill switch in the malware for stopping its spread and preventing the attack from infecting millions more computers.

According to an indictment filed in federal court in Milwaukee that was unsealed on Thursday, Mr. Hutchins, 23, and an unidentified accomplice conspired to create and sell malware intended to steal login information and other financial data from online banking sites.

Mr. Hutchins created the software and his accomplice offered to sell the program, known as the Kronos banking Trojan, for $3,000 on an internet forum, the indictment said. The accomplice sold a version of the Kronos malware for $2,000 in June 2015. The indictment did not include details on how widely that malware was used, or much specific evidence of Mr. Hutchins’s involvement.

The Justice Department said in a statement that a federal grand jury returned a six-count indictment against Mr. Hutchins last month after a two-year investigation. It said that the Kronos malware was built to “harvest and transfer” user names and passwords from banking websites from an infected computer. Kronos, according to the Justice Department’s statement, has been configured to strike banking systems in a number of countries, including Canada, Germany, Poland, France and the United Kingdom.



When the Kronos malware was first advertised in underground Russian forums in 2014, the asking price of $7,000 indicated that the selling of malware was a lucrative business. Kronos was promoted as a hacking tool that could retrieve data including user names and passwords, A.T.M. PINs, and personal information useful in cracking security questions.

Earlier on Thursday, Motherboard reported that Mr. Hutchins had been detained at the Las Vegas airport after a week of attending both the Black Hat and Defcon security conferences. He had been scheduled to fly back to his home in the United Kingdom.

The security community reacted with surprise and skepticism over the arrest of one of its well-regarded stars. Some warned that claims against Mr. Hutchins could strain the relationship between “white hat” hackers — researchers who look for software vulnerabilities to spot problems and fix them, rather than to commit a crime or sow chaos — and law enforcement.

Others were unconvinced that Mr. Hutchins would create such software for an attack. In July 2014, he asked on Twitter if anyone had a Kronos sample — a seemingly odd request if he had created the malware.

While the exact circumstances of Mr. Hutchins’s involvement with the Kronos malware were unclear, security researchers have often skirted legal trouble while looking for vulnerabilities in computer code. In recent years, big tech companies have created “bug bounties” to formalize a process for researchers to report problems and to be compensated for their work.

The Defcon conference, a freewheeling gathering of security experts from around the world, has also had a touchy relationship with law enforcement. In 2002, for example, the Federal Bureau of Investigation arrested a Russian encryption expert in his Las Vegas hotel room after he published software officials said could crack the security of some kinds of e-books.

The Electronic Frontier Foundation, a digital rights organization, said in a statement that it was concerned about the arrest of Mr. Hutchins and was looking into the matter.

The WannaCry ransomware infected computers running older versions of Microsoft Windows. Once spread, the software encrypted computers and locked users out of files, folders and drives. If an affected machine was connected to a network, other computers on the network could become infected as well. The attackers demanded that victims pay hundreds of dollars to a Bitcoin address.

Mr. Hutchins was something of an accidental hero. According to an interview with The Guardian in May, Mr. Hutchins said he registered a website domain after discovering that the malicious software was trying to connect to it. By registering the domain for $10.69, he triggered a so-called kill switch that halted the software’s spread. His intention initially was not to stop the attack but to track its spread.

Mr. Hutchins, who works as a researcher for Kryptos Logic, a Los Angeles-based cybersecurity firm, said in the interview that he had skipped going to college and taught himself how to write software. The company did not respond to a request for comment.

Mr. Hutchins tried to remain anonymous, communicating with the media through his handle MalwareTech, but British tabloids revealed his identity. He was celebrated in the cybersecurity community for his achievement, winning a special recognition award at an SC Awards Europe industry event.