Three months ago, just as the WannaCry outbreak was at its height, 23-year-old British security researcher Marcus Hutchins made international headlines after accidentally discovering a hidden “kill switch” that stopped the ransomware from spreading. On Wednesday, as he was about to fly home from Las Vegas after attending the Def Con hacking conference, the FBI arrested the man who had been hailed a hero.

News of his arrest led to some conspiracy theorists claiming Hutchins was somehow linked to WannaCry, which many experts believe came from North Korean hackers The Lazarus Group, but a US Department of Justice indictment shows this isn’t the case. Hutchins, better known as MalwareTech, is accused of helping to create, spread, and maintain the banking Trojan Kronos between 2014 and 2015. "Defendant Marcus Hutchins created the Kronos malware,” it alleges.

Hutchins has been charged alongside another unnamed co-defendant, who’s accused of doing most of the work to spread the malware. The person is also said to have uploaded a YouTube video explaining how Kronos works, something the DoJ seems to consider evidence. The same day the video went up, Hutchins posted a tweet asking for a sample to analyze.

The co-defendant is also accused of selling Kronos on dark web marketplace Alphabay, which authorities closed down several weeks ago. It was sold on the malware forums for prices up to $7000, though the indictment lists prices of $2000 and $3000.

Only one part of the indictment suggests Hutchins worked on Kronos after it was actively being used for criminal purposes. He is accused of helping to update the malware in February 2015, six months after it went on sale.

Cybersecurity experts have expressed skepticism at the indictment. "It’s not a crime to create malware. It’s not a crime to sell malware. It’s a crime to sell malware with the intent to further someone else’s crime." George Washington University law professor Orin Kerr told Wired. "This story alone doesn’t really fit. There's got to be more to it, or it’s going to run into legal problems."

Hutchins became an unintentional saviour when he created a website found in WannaCry’s code that turned out to be a kill switch. The ransomware stopped infected new computers when it detected the URL had been registered.

Whether Hutchins was genuinely just researching Kronos, or if he’s another example of a former black hat hacker who moved on to legitimate security research, is unknown. But whatever the case, the arrest marks a drastic change in fortunes for the man who was so recently praised as a hero.