The hacker community received a shock on Thursday morning when Marcus Hutchins, a 22-year-old credited with stopping a global wave of ransomware attacks known as WannaCry, was arrested in the Las Vegas airport.
The FBI initially announced no details about the arrest, leading some to fear Hutchins had been targeted over his WannaCry research. But by mid-afternoon, court papers emerged that show Hutchins had been charged with creating and selling a form of malware known as Kronos.
Other hackers, many of whom were in Las Vegas to attend the Defcon convention, worked to get Hutchins—who uses the Twitter handle MalwareTechBlog—a lawyer.
Finally located @MalwareTechBlog, he's in the Las Vegas FBI field office. Can anyone provide legal representation?
— Andrew Mabbitt (@MabbsSec) August 3, 2017
I'm working on getting a lawyer for @MalwareTechBlog as he has no legal representation and no visitors. I'll be crowdfunding legal fees soon
— Andrew Mabbitt (@MabbsSec) August 3, 2017
Kronos is a type of software designed to steal credit card numbers and other banking information, and cyber criminals often use attachments in fake email messages to trick people into installing it.
In an 8-page indictment filed in Wisconsin, a U.S. Attorney accuses Hutchins and at least one unnamed other person of conspiring to sell the app on AlphaBay, an underground website that was seized by law enforcement in early July. As you can in this screenshot, prosecutors redacted the names of the other person or people involved:
The indictment also charges Hutchins and the co-defendant(s) with using a device to intercept communications in violation of the Wire Tap Act. It does not specify the nature of the device, but recent court cases suggest “device” can also refer to software and apps.
My initial thought was this was a clumsy way to write a charge for making/selling a keylogger.
— Ansel Halliburton (@anseljh) August 3, 2017
The documents also accuse Hutchins of violating an anti-hacking law called the Computer Fraud and Abuse Act.
Hutchins is set to be arraigned at 3pm PT:
In Vegas today? You can go to @MalwareTechBlog’s arraignment 3pm PT @ 333 Las Vegas Blvd. South, before Mag. Koppe. https://t.co/lchraHqQv1
— Cyrus Farivar // @cfarivar@journa.host (@cfarivar) August 3, 2017
These developments are a jaw-dropping reversal of fortune for Hutchins who—despite attempts to keep a low profile—was recently lauded by media across the world for stopping WannaCry. He did so by activating a website that served as a “kill switch” and stopped the ransomware, which infected businesses and hospitals across the world.
Get Data Sheet, Fortune’s daily technology newsletter.
The activities described in the indictment took place in 2014 and 2015, so it’s unclear—if the allegations are true—whether Hutchins is still engaged in criminal activity.
Another mystery revolves around the identity of the other person or people named in the indictment, and why the FBI chose to redact their names. One possibility is the unnamed co-defendant(s) is cooperating with the FBI following the shut-down of the Alpha Bay website, but it’s too soon to say for certain.
