author photo
By Chris Roberts
Tue | Aug 15, 2017 | 3:25 AM PDT

After the FBI accused Marcus Hutchins (the hero of WannaCry) of creating and distributing the Kronos banking Trojan, we asked Chris Roberts, a threat intelligence researcher, if he thought the FBI was confusing legitimate research with criminal activity. Here is an article he wrote for SecureWorld on the matter, preluded with some background information on his viewpoint.


  1. I know of Marcus’s work, and have followed it like many for several years. His research and his knowledge of how things have unfolded in several examples have helped this industry enormously, AND that’s before we even talk about the WannaCry stuff.
  1. I know people who’ve worked with him, talked with him, and spent time researching with him. They are equally experienced and well thought of in this community we have.
  1. As a researcher I’m obviously watching this closely like many in our industry, although most of the work these days goes via a third party (HackerOne or BugBounty) or direct to the offending company, that in itself can be problematic, but not as much as headache as dealing with some of the agencies. It’s worth noting that the various CERT teams are also good at communicating with when it comes to issues).
  2. Having had a little dealing with the wonderful FBI once or twice, I’m probably not the best to answer much given I think the Police Academy and Naked Gun movies are an accurate depiction of many local FBI offices.


As researchers, and pretty much any of us in this industry who hold other titles, our background, roles and jobs make us interested in how something works, why it works, and what could we do differently.

The origin of hacking is simply that of understanding to improve, improvise, or simply the knowledge of what makes something tick. That extends to programs, code, and all things digital.

I know of a number of folks that have TB of malware, exploits and code that they just look at, they’ve captured, exchanged, bought/traded with people, or simply “found” on the various layers of the Internets.

A number of people out there also communicate, live in, and generally have a lot of experience in the various forums, sites, and channels where the less scrupulous individuals are trading malware, exploits, and time on their/others botnets in exchange for financial or other gain… it’s how we learn, it’s how we do research into what’s coming next, what exploits we need to be aware of, which players are teaming up, and whose code is going to arrive on our end-users' computers next.

Without this, as a society we’d be in a lot worse shape than we already are. There’s teams of people at F500 companies and inside the billion dollar information security industry who spend their days on these forums working hard to get access to the next generation of attack code. For them, I am truly grateful.

Oh, and as a matter of record, none of us use our real identities or even anything close to them, we’ve taken time to craft other ID’s over years, other handles, systems, and mail servers to better conceal and protect and yes, we’ve also purchased stuff to become “legitimate” in the eyes of those we are investigating.

However, according to interpretation of the charges a lot of that could be illegal, against the best interest of the federal government and all who protect it.

The simple fact that we’ve spent the time to find out who’s actually trying to attack us by blending in AS them is now threatened. In this light we need to arrest Mother Nature for coming up with camouflage, most of the CIA for having the audacity to blend in as spies and while we’re at it, we might as well arrest the armed forces whenever they wear camouflage for trying to blend in and become the shrubbery… it’s that stupid.

The electronic realm is no different than any other these days—heck, the military considers it a totally separate “theater” of operations akin to land, sea, and air.

So they understand how to camouflage, use deceptive techniques, and sometimes, yes, you have to lie to be believed and trusted so you CAN work out which weapon is about to be unleashed on the ICS/SCADA community next. Sorry, but that’s our job, same as the military person next to you, they lie, they become the shrubbery so they can protect us and save the rest of us from being shot. Simple as that.

Yet the FBI, and I’m not sure if it’s the field office mentality or if it’s HQ who are leading this one, have taken it upon themselves to charge a researcher with basically being the camouflage that protects us, and in my opinion that’s what I hope comes out at trial.

I hope that the case is one of simply doofuses at the office seized upon being able to correlate a false identity with Marcus [Hutchins] and have taken 6 illogical steps to charge him as opposed to actually asking him to come in and talk with them OR even asking NSA or someone to handle it (thankfully they have a better way of dealing with things!).

I hope this is the case. There is logic in that and there doesn’t seem to be enough of the jigsaw to put the Marcus we know in the position of causing harm. It’s not a side of him any of us saw over the years and I don’t believe it’s the case he’s been suppressing it.

So, what I hope for is the money we’ve all donated to the legal fund does nothing more than bring the truth to light and have Marcus back helping us protect the squishy useless things that sit between the chair and keyboard who simply click everything that comes past them. We need people like him a lot more than we realize.