[uiri]

What if it turns out that his "co-conspirator" stole and sold his PoC malware? We're talking about thieves and fraudster after all so this doesn't seem like it is outside of the realm of possibility. The only proof to the contrary would be if Hutchins profited from the sale of the malware.

Writing malware should not, in and of itself, be a crime. Security researchers need to create proof of concept programs in order to do their jobs. I don't think that he should get off scott free because someone else handled the actual marketing, sales, etc but if he didn't gain anything from those sales, or fraud perpetrated in connection with the malware, then - having been arrested and indicted and such - he is just as much a victim as those who were infected.

To use your bank analogy, he found a hole in the bank's security. Someone took knowledge of that hole and sold it to some bank robbers who went on to rob the bank. The seller of that information says that he got it from Hutchins. Unless Hutchins got a cut of the sale, did he do anything illegal? Is there anything really connecting him to the robbery other than evidence that he knew about the hole first and the word of the hole seller?

[tptacek]

Then he'll have an extremely strong defense at trial, and the DOJ will be wasting its time. Which is why it's a little bit unlikely that that's what happened.

[wepple]

There's evidence he knew of Kronos in the wild on his twitter feed. Why wouldn't he alert someone that his research proof of concept had been leaked? Provided the source code to LEA.