Hutchins, 23, was attending the DEFCON security conference last week when he was taken into custody, according to the Telegraph.
The arrest was confirmed by British law enforcement and security agencies. US authorities allege that Hutchins created a banking trojan called Kronos between July 2014 and July 2015 and helped to distribute the malware.
Hutchins has been working with the GCHQ's National Cyber Security Centre since he came to prominence after the WannaCry episode.
Finally located @MalwareTechBlog, he's in the Las Vegas FBI field office. Can anyone provide legal representation?— Andrew Mabbitt (@MabbsSec) 3 August 2017
He reasoned that this could be a command and control server and promptly registered the domain which appeared to be a random name, comprising letters from the top two rows of a keyboard. It cost him just US$10.69.
This was in order to create a sinkhole so he could examine the malware further.
But his action unwittingly stopped the malware from spreading as it had been programmed to check this domain, and continue spreading if it could not access the domain. Once he registered the domain, it was accessible, and when this happened the attacks gradually slowed down.
His mother, Janet, told the Telegraph that she was trying to find out details about the arrest of her son.
A security expert who was at DEFCON said: "I finally located him but they moved him 10 minutes before visitinghours and now he's in the wind again."
Britain's National Crime Agency said: "We are aware a UK national has been arrested but it's a matter for the authorities in the US."