Hacker News
by wepple 3243 days ago
You are suggesting he spent time and energy to build a proof of concept whose explicit task was to demonstrate banking theft from browsers, and he chose to never release it but keep it secret, and a friend decided to sell it on the dark web?

And as a malware researcher when he became aware that his proof of concept was indeed being used to conduct fraud, he turned a blind eye?

1 comments

None of that sounds particularly implausible, to be honest. People build proof-of-concepts for their own amusement. If there's no unique vulnerability to be patched, there's no value to releasing it. People share things with their friends, who are sometimes unscrupulous. And if I found out that software I wrote was being used maliciously, I'm not so sure that my first email would be to the FBI either - especially after this.

The least plausible part of this chain of events is that Kronos, from what I can see, is not a very interesting piece of software - more a tedious exercise in plumbing than an interesting proof-of-concept.