The Marcus Hutchins I knew

IPostYourInfo
Aug 4, 2017


To be completely honest, I didn’t know him as Marcus Hutchins at the time. I knew him only by his IRC and forum nick, Touchme.

I first encountered Touchme during my tracking of a different individual, betamonkey. Betamonkey was the coder of betabot, a piece of malware also known as neurevt. I had encountered betamonkey posting about his still-under-development malware on opensc.ws, a malware development forum, and had grown irritated with his posting manner. I later found his development thread on hackforums.net, where he detailed the ongoing development of his malware. I kept track of it and located the malware as soon as he started testing it in the wild, posting it on a malware tracking blog I was collaborating with at the time. Someone messaged me with an IRC log of betamonkey and his initial closed beta tester reacting to the leak on an IRC server (log pasted into the blog post). As my malware tracking at the time was motivated almost entirely by watching skiddies freak out about my interactions with their botnets, I quickly sought out the server.

The IRC turned out to be irc.voidptr.cz. It was owned and managed by Touchme. I learned that Touchme had tried running IRCs in the past under the name iarkey to gain attention and influence. That had failed, but his latest attempt had obtained some manner of success. Touchme tried to further capitalize on this success by starting a malware/carding forum, malkit.(ws/su). Both were advertised in hackforums user signatures, although only the IRC ever gained any significant traction. Numerous logs from the IRC have been posted on pastebin, easily located with some simple Google searches.

Touchme was a firm supporter of betamonkey, and went so far as to make a post on his new malware blog, touchmymalware.blogspot.com, to defend betamonkey when his malware was correctly identified as banking malware and banned from being sold on hackforums, his primary source of buyers at the time. The post was deleted from his site after he turned it into malwaretech.com, but it can still be seen using the Internet Archive (look halfway down the page). I would have expected him to be involved in selling betabot, not to have the initiative and drive to code his own malware.

Around this time he ran into some issues with malkit. The domain he was using was malkit.ws, and he had come into conflict with another tiny carding forum, 0sec.biz. The first act of the conflict ended in mutual destruction, as both malkit.ws and 0sec.biz were reported to their registrars and suspended. Touchme reacted by registering malkit.su. On voidptr IRC, ryanc (zeekill) made a suggestion based off his recent hacking attack against linode or someone: use basic nginx features to establish a man-in-the-middle phishing site. 0sec’s domain was suspended, so Touchme simply registered 0sec.su, pointed it at 0sec.biz’s IP address and posted it on Trojanforge, where both admins had been making angry posts. 0sec.biz users who had been reading the forum believed that he was the admin posting the new domain and used it to log in. Touchme harvested their credentials using nginx, and discovered that one of them was an admin. He used the admin creds to dump the 0sec.biz databases. This effectively killed off the site. Trojanforge died without a backup shortly after this; however, the 0sec.biz PM database on pastebin can confirm the conflict (ctrl + f for touchme).

Around this time Touchme hosted malkit.su on the same server as one of his IRC servers. This was recorded by VirusTotal passive DNS.

The main issue people seem to have with this is that the Touchme in the IRC logs and 0sec.biz PMs could be anyone, not just Marcus Hutchins. Marcus’s current Twitter handle, malwaretechblog, can be directly linked to touchmymalware, a closely related nick. Some have pointed to a tweet where he states “The “TouchMe” on darkhook isn’t me, please stop sending emails asking me about scriptkiddie stuff, thx.” as evidence that he has never used the nick; however, denying the use of the nick on one specific forum actually strengthens the link. Why would he deny a nick on a specific forum if he didn’t use it in other places? You can even see that it was the author nick he used on his blog when it was still touchmymalware; check the Internet Archive link earlier in the post.

The (now deleted) betabot defense league post on his blog (written by Touchme) should be a clear link to the IRC Touchme, who is a clear friend of betamonkey. Certainly the IRC logs could be faked; however, the pastebin upload timestamps place them four years in the past, making it impossible that they were created to slur Marcus for any of his recent actions.

The most direct evidence I have saved for the end. Shortly after betabot-related content started being posted on exposedbotnets.com, someone posted some alleged dox of betamonkey (possibly not him, but looking up the guy on LinkedIn the skillsets seem to match), and another comment claimed it was all fake. In response, someone called the second commenter out: “Hi Iarkey (Marcus Hutchins) lololollol”. The Blogger timestamps are clear: the comment identifying Marcus Hutchins as iarkey/Touchme was posted in 2013. A simple Google search finds hackforums posts indicating that iarkey and touchme were linked nicks.

voidptr IRC logs: https://pastebin.com/qZJ5v5M4

https://pastebin.com/DUNq5VYp <- some great content in this one

[18:11] <+TouchMe> 2 more btc’s are all mine
[18:11] <+TouchMe> :3
[18:13] <TheCurator> TouchMe: You hording?
[18:14] <+TouchMe> sort of
[18:14] <+TouchMe> some is for buying coke rest is for hoarding
[18:14] <TheCurator> Nice ;)
[18:15] <TheCurator> Anyone here a fan of basshunter?
[18:16] <+TouchMe> used to like his music
[18:16] <Batmayne> maybe my next big project should just be a crypting service
[18:16] <Batmayne> i feel like that could almost be more worth it
[18:17] <TheCurator> Batmayne: more worth it than what?
[18:17] <vapor> people would pay a lot for a crypter that is great for betabot, and who can provide that better than the coder itself :P
[18:18] <Batmayne> than bot
[18:18] <Batmayne> not exactly monetary wise either
[18:18] <Batmayne> i mean like
[18:18] <Batmayne> it’s virtually zero-risk
[18:18] <Batmayne> and still a lot of cash
[18:18] <TheCurator> That’s a good point
[18:19] <Batmayne> bot brings in more money but crypt service is much better in terms of safety
[18:19] <TheCurator> Bot is very dangerous
[18:20] <TheCurator> You can get arrested for just selling a bot not even using it
[18:20] <Batmayne> if you knowingly do anything to support a crime that is still a crime itself
[18:20] <vapor> technically he never sold the bot
[18:20] <Batmayne> at least in the US
[18:21] <TheCurator> For a crypting service you just cover your ass in the TOS
[18:21] <Batmayne> so technicalllllllllllly anyone who has provided help towards say, carberp, knowing it was going to be sold to commit fraud, could all be wrapped up under a RICO charge in the US
[18:21] <Batmayne> yeah i guess
[18:21] <TheCurator> Selling a bot is like selling a nuke
[18:21] <Batmayne> in the end basically, it comes down to how well you can prove that you didn’t know what they were doing
[18:21] <vapor> couldnt you say that betabot is for educational purposes only
[18:21] <Batmayne> if there is a single log of you acknowledging their activities
[18:21] <Batmayne> thats it
[18:21] <Batmayne> no
[18:21] <Batmayne> you can’t do that vapor
[18:21] <vapor> oh
[18:21] <Batmayne> you can, but it doesn’t make shit of a difference
[18:21] <bake> lmfao
[18:22] <TheCurator> reguardless of TOS they will try and arrest you for selling a bot
[18:22] <TheCurator> They hate bot makers
[18:22] <Batmayne> vapor: in the end they really just have to convince a jury (in US), so even if you try and go by technicalities it isn’t always so easy
[18:22] <bake> curator,
[18:22] <bake> they hate fraud
[18:22] <vapor> true
[18:22] <TheCurator> bake: That too.
[18:23] <Batmayne> whenever you take peoples money you move to the top of the priorities list
[18:23] <Batmayne> the top things always include things that are gaining media traction, and things that are costing <someone> a lot of money
[18:23] <TheCurator> Money is the ultimate trap
[18:23] <vapor> is it illegal to sell a crypter
[18:23] <Batmayne> usually targeting businesses and banks will get an investigation rolling easily
[18:24] <TheCurator> vapor: Not really
[18:24] <Batmayne> like using ZeuS to lift 200,000 out of a business account would probably get its own investigation right away
[18:24] <Batmayne> and later merged into a larger one if you are doing that to more than one
[18:24] <TheCurator> Vapor: Depends on how you sell it
[18:24] <+TouchMe> lul
[18:25] <+TouchMe> crypter based work is the most boring shit ever
[18:25] <vapor> BetaCrypt
[18:25] <TheCurator> All aboard the BetaCrypt train!
[18:25] <Batmayne> instead of ‘betafed’
[18:25] <Batmayne> it could be
[18:25] <Batmayne> BetaFUD
[18:26] <vapor> well that can be false advertisement if it ever gets unfud
[18:26] <vapor> then bitches be complaining
[18:26] <TheCurator> Lol <(x.x)<
[18:26] <+TouchMe> damn now someone has reminded me of basshunter i have to do lsd
[18:26] <+TouchMe> i would love basshunter on lsd o.O

If only Touchme had read the scrollback.

If other people have voidptr IRC logs, dump them. Skidlist, if you still have all yours let me know.
