[dTal]

None of that sounds particularly implausible, to be honest. People build proof-of-concepts for their own amusement. If there's no unique vulnerability to be patched, there's no value to releasing it. People share things with their friends, who are sometimes unscrupulous. And if I found out that software I wrote was being used maliciously, I'm not so sure that my first email would be to the FBI either - especially after this.

The least plausible part of this chain of events is that Kronos, from what I can see, is not a very interesting piece of software - more a tedious exercise in plumbing than an interesting proof-of-concept.