GCHQ knew FBI was planning to arrest WannaCry’s ‘accidental hero’ before he travelled to the USA

Extradition is a real hassle.

GCHQ knew FBI was planning to arrest WannaCry's 'accidental hero' before he travelled to the USA

The Sunday Times reported this weekend:

GCHQ was aware that a British IT expert who stopped a cyber-attack against the NHS was under investigation by the FBI before he travelled to America and was arrested for alleged cyber-offences, The Sunday Times can reveal.

Officials at the intelligence agency knew that Marcus Hutchins, from Devon, who was hailed as a hero for helping the NHS, would be walking into a trap when he flew to the US in July for a cyber-conference.

Malware researcher Hutchins was arrested as he attempted to fly home to the UK, following the DEF CON conference in Las Vegas. He has pleaded not guilty to charges related to the Kronos banking malware, and is currently stuck in the United States awaiting trial.

It’s ironic that GCHQ knew about the US intelligence agency’s interest in Hutchins, as just a few months ago it was widely reported that he was actually helping GCHQ’s National Cyber Security Centre to combat further attacks.

Sign up to our free newsletter.
Security news, advice, and tips.

Should we be stunned that GCHQ didn’t tip Hutchins (aka MalwareTech) off that the FBI considered a person of considerable interest? No, of course not. I wouldn’t expect them to act any differently.

Anyone familiar with the cases of Gary McKinnon and Lauri Love will know that the United States has had faced enormous difficulty extraditing suspected hackers from the UK in the past.

Recent history has proven that attempts to extradite suspected malicious hackers from the UK are not guaranteed to succeed, and can go on for years.

With that in mind, it may be no wonder that the FBI chose to wait until Hutchins was on American soil before arresting him.

All of which raises the question of – why did they allow him to spend a week attending security conferences in Las Vegas?

Was it because, out of the goodness of their heart, the FBI felt Marcus Hutchins deserved some party time?

Or was it because they thought it sensible to wait until most of the information security/hacking community had left Las Vegas before apprehending someone many consider a hero?

One thing is clear. The US authorities saved themselves an awful lot of paperwork and legal expense arresting their suspect on their own soil rather than trying to extradite him from the UK.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

4 comments on “GCHQ knew FBI was planning to arrest WannaCry’s ‘accidental hero’ before he travelled to the USA”

  1. IanH

    …and GCHQ's ideal is to be able to say "we complied fully with the law" while finding (indeed generating via complacent and malleable politicians) loopholes to enable them to do exactly what they want. Law is, for GCHQ, an irritating challenge to be circumvented. GCHQ have only done what their US masters require.

    1. M. Sirell · in reply to IanH

      @IanH
      It's not necessary that the US be GCHQ's "master" for these events to be accurate. Having been told that the FBI intended to nick him, they *obviously* couldn't tip him off, for reasons that a couple of seconds' thought will make obvious.

      1. IanH · in reply to M. Sirell

        That's true – you're right
        Then again, they would not have tipped off GCHQ unless they could trust GCHQ to do what was convenient for the US rather than what would have been just for an untried British citizen not afforded due UK-US extradition proceedings, farcically asymmetric as these are when it comes to protection of UK citizens.
        US masters.

  2. Watisoni

    Or maybe the FBI thought Hutchins would be tempted to get into some cyber related mischieves or otherwise, to help their case.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.