A security researcher who stopped an outbreak of theearlier this has been arrested and detained after attending the Def Con cybersecurity conference in Las Vegas.
Marcus Hutchins, 22, a British national, was arrested at the Las Vegas airport on Wednesday.
A Justice Department spokesperson confirmed that his arrest is in relation to his alleged role "in creating and distributing the Kronos banking Trojan," a hack dating back to 2014 that was used to steal money from online banks.
"The charges against Hutchins, and for which he was arrested, relate to alleged conduct that occurred between in or around July 2014 and July 2015," said the spokesperson.
The indictment was dated July 11, about two weeks before he flew to the U.S. to attend the annual security conference.
The Department of Justice says Hutchins is charged with one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavoring to intercept electronic communications and one count of attempting to access a computer without authorization.
A friend told ZDNet that Hutchins was "was pulled by Marshals at the lounge" after clearing security.
He was briefly detained in a federal facility in Nevada until he was moved. "We went to see him this morning and he had already been moved," said the friend.
Hutchins is now understood to be in custody at an FBI field office in the state.
Hutchins, also known as @MalwareTechBlog, stormed to fame in May after he found a kill switch in the malware known as , amid a global epidemic of ransomware. Hutchins registered a domain name that stemmed the infection.
He was hailed as a hero for stopping the attack, which gripped U.K. hospitals and other major industries around the world.
The charges are not related to WannaCry, said the Justice Department spokesperson.
The Justice Department has been after those involved with the notorious Kronos malware for more than two years. The indictment accuses another unnamed defendant in the case of advertising and selling the malware on the now-defunct dark web marketplace AlphaBay. Its founder and operator, Alexandre Cazes, was found dead last month.
The Kronos malware can steal credentials, and uses web injections for every major browser to modify legitimate banking websites. Kronos is able to evade some antivirus detection and sandbox environments.
"Cybercrime remains a top priority for the FBI," said Special Agent in Charge Justin Tolomeo. "Cybercriminals cost our economy billions in loses each year. The FBI will continue to work with our partners, both domestic and international, to bring offenders to justice."
A message to the UK consulate in Los Angeles -- which is reportedly assisting Hutchins, according to a friend -- was unreturned at the time of writing. The UK consulate in New York is "in touch with local authorities in Las Vegas" following Hutchin's arrest.
The UK's National Cyber Security Center said it was "aware" of the situation but would not comment on a matter of law enforcement.