United States v. Hutchins

• Citation: 361 F.Supp.3d 779
• Decision Date: 11 February 2019
• Docket Number: Case No. 17-CR-124-2-JPS
• Parties: UNITED STATES of America, Plaintiff, v. Marcus HUTCHINS, Defendant.
• Court: U.S. District Court — Eastern District of Wisconsin

361 F.Supp.3d 779

UNITED STATES of America, Plaintiff,

v.Marcus HUTCHINS, Defendant.

Case No. 17-CR-124-2-JPS

United States District Court, E.D. Wisconsin.

Signed February 11, 2019

Benjamin W. Proctor, Michael J. Chmelar, Benjamin P. Taibleson, United States Department of Justice (ED-WI) Office of the US Attorney, Milwaukee, WI, for Plaintiff.

Brian E. Klein, Baker Marquart LLP, Los Angeles, CA, Marcia C. Hofmann, Zeitgeist Law PC, San Francisco, CA, Daniel W. Stiller, D. Stiller LLC, Milwaukee, WI, for Defendant.

ORDER

J.P. Stadtmueller, U.S. District Judge

1. INTRODUCTION

Defendant Marcus Hutchins is a hacker who received considerable attention for disabling a North Korean malware called WannaCry. He has a reputation as a "white hat" hacker, which implies a hacker who works for the benefit of the public. Hutchins has nevertheless been indicted for various crimes related to his activity with two forms of malware, "Kronos" and "UPAS Kit."

On March 30, 2018, Hutchins filed a motion to suppress the statement that he made to Federal Bureau of Investigation ("FBI") agents immediately following his arrest, as well as any evidence the government may have obtained as a result. (Docket # 55). On July 13, 2018, Hutchins also filed three motions to dismiss various counts in the superseding indictment. (Docket # 92, # 95, and # 96).¹ Magistrate Judge Nancy Joseph issued a report and recommendation in which she recommended denying all motions. (Docket # 109). Hutchins timely objected, and each party has fully briefed the issues. The Court will address each of the motions below. In accord with Magistrate Joseph's analyses, all motions will be denied. The Court will overrule Hutchins's objections and adopt Magistrate Joseph's recommendation in large measure.

2. LEGAL STANDARD

When reviewing a magistrate's recommendation, this Court is obliged to analyze de novo "those portions of the report or specified proposed findings or recommendations to which objection is made." 28 U.S.C. § 636(b)(1)(C). The Court can "accept, reject, or modify, in whole or in part, the findings or recommendations made by the magistrate." Id. The Court's review encompasses both the magistrate's legal analysis and factual findings. Id. ; see also Fed. R. Crim. P. 59(b).

3. RELEVANT FACTS

Hutchins, a citizen of the United Kingdom, is a coder and hacker of considerable repute. He is most well-known for finding the kill-switch to a North Korean malware called WannaCry in May 2017. According to the superseding indictment, several years ago, Hutchins developed two types of malware, UPAS Kit and Kronos (a "banking trojan").

The superseding indictment alleges that Hutchins developed UPAS Kit and, in 2012, sold it to Individual A, who then sold it to an individual in the Eastern District of Wisconsin. At some point before July 2014, Hutchins allegedly developed Kronos and provided it to Individual A, intending for Individual A to advertise, promote, and sell it. Hutchins used a YouTube video to demonstrate how Kronos worked, and referred prospective customers to Individual A. In December 2014, Hutchins hacked and analyzed a malware that competed with Kronos, and published a blog post describing the competing malware's vulnerability. In February 2015, Hutchins allegedly updated the Kronos malware, and distributed it to Individual B, who was located in California and was known to be involved in cyber-based criminal activities.

On July 11, 2017, a grand jury indicted Hutchins on various counts related to his activity with the malware. He was charged with conspiracy, fraud, and unlawfully intercepting communications. (Docket # 1). On June 5, 2018, the government filed a superseding indictment with additional charges. (Docket # 86). In Count One, the superseding indictment charges Hutchins with conspiring to violate the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030, and the Electronic Communications Privacy Act ("Wiretap Act"), 18 U.S.C. § 2510 et seq. , in violation of 18 U.S.C. § 371. Counts Two and Three charge Hutchins with disseminating, aiding, and abetting an attempt to advertise the malware, in violation of the Wiretap Act. Counts Four and Five charge Hutchins with aiding and abetting the distribution of the malware, in violation of the Wiretap Act. Count Six charges Hutchins with using, or getting others to use, the malware to intercept communications in violation of the Wiretap Act. Count Seven charges Hutchins with causing, aiding, and abetting the transmission of malware in violation of the CFAA. Count Eight charges Hutchins with aiding and abetting the intentional access and damage to protected computers for the purpose of private financial gain, in violation of the CFAA. Count Nine charges Hutchins with lying to the FBI about whether he knew that his computer code was part of Kronos, in violation of 18 U.S.C. § 1001(a)(2). Finally, Count Ten charges Hutchins with conspiring to commit fraud in connection with his malware activities, in violation of 18 U.S.C. §§ 1343, 1349.

In the summer of 2017, Hutchins spent a week in Las Vegas to attend "Defcon," which is a conference for hackers. On August 2, 2017, Hutchins was about to embark on his journey back to the U.K. Hutchins was waiting in a lounge at the Las Vegas airport when a federal agent and two Customs and Border Patrol ("CBP") officials approached him. Unbeknownst to him, FBI Special Agents Lee Chartier ("Chartier") and Jamie Butcher ("Butcher") had been monitoring Hutchins's whereabouts all morning, and had followed him to the airport, through security, and to his lounge. Although the FBI had originally planned to arrest Hutchins as he boarded the flight, they opted to arrest him earlier in order to ensure that he did not consume any alcoholic beverages that might affect his ability to answer questions in an interrogation. Indeed, Hutchins had spent much of the week partying, which included ingesting various intoxicating substances. He had had very little sleep the night before. There are no allegations, however, that Hutchins was intoxicated whilst at the airport—only exhausted and, it can be assumed, terribly hungover.

Thus, at approximately 1:17 p.m., Hutchins was approached in the airport lounge by two CBP officers and a plainclothes FBI agent, Chartier. These officials escorted Hutchins to a stairwell, whereupon he was handcuffed. Chartier informed Hutchins that he was under arrest pursuant to a federal warrant. The officials then led Hutchins to an interview room, where Butcher was waiting. The agents observed Hutchins to be alert, engaged, and not visibly intoxicated or disoriented. Hutchins verbally confirmed that he was able to answer questions and was not drunk. Hutchins received his Miranda rights orally. He was also given an advisement of rights form. He listened to his rights and signed the advisement form in the presence of both agents. There is a dispute as to what time he signed it, but the Court does not find this to be material for reasons that will be explained below.

Hutchins then proceeded to respond to the questions asked by the agents, and gave consent for them to search his phones, laptops, backpacks, and USB drives. He did not request a lawyer or invoke his right to remain silent, although he did ask "what this is all about." The agents told him they would explain eventually, but continued questioning him. In total, Hutchins was questioned for approximately 105 minutes. He was offered food, an opportunity to use the restroom, and—eventually—allowed to contact his mother. He was not shown a copy of the arrest warrant until over an hour into the interrogation.²

Hutchins showed every indication of being voluntarily cooperative with the agents, but was also clearly confused about the nature of the interrogation. The interrogation began with broad questions about his career and his online activities, but about ten minutes in, the questions focused on Hutchins's involvement with malware. Hutchins acknowledged that when he was younger, he had written some code that ultimately ended up in malware, but denied that he developed malware. About eleven minutes into the interrogation, after looking at a string of code, Hutchins asked if they were looking for the developer of Kronos. Hutchins stated that he did not develop Kronos, and he had "gotten out" of writing code for malware before he was eighteen. Thirteen minutes in, he said that he had feared that law enforcement authorities would come after him, instead of the actual developer, because pieces of his code appeared in Kronos. Thus, Hutchins was aware that the criminal investigation was, at least in part, about Kronos, and that he was implicated in the investigation, although he expressed confusion about why he was being detained throughout the interrogation. Almost eighty minutes into the recorded interrogation, the agents finally provided him with the warrant, and told him that it had "nothing to do with WannaCry." The interrogation continued for about twenty minutes after that. Throughout the remainder of the interrogation, Hutchins tried to be helpful but noted that he had been "out" of so-called "black hat" hacking for so long that he did not have any helpful connections.

Hutchins was taken to a jail, where he proceeded to make two phone calls, which were recorded. Prior to making the phone calls, Hutchins was informed that the phone calls were subject to monitoring and recording. In the calls, Hutchins also made incriminating statements.

4. ANALYSIS

4.1 Motion to Suppress

Hutchins seeks to suppress his post-arrest statements and any evidence that may have been obtained as a result of his statements. He argues that he did not waive his Miranda rights, (Docket # 55 at 6–9), and submits that the government has not met its burden in rebutting the presumption against waiver, (Docket # 111 at 13). Hutchins calls into question whether (1) he received notice of his rights at all; and (2) whether he was able to voluntarily waive his rights...