In an analysis done for security company Malwarebytes, researcher hasherezade wrote that Kronos had been first advertised on the black market in 2014 by someone calling themselves VinnyK and communicating in Russian.
This predates Hutchins' claim, made in 2015, that someone had made use of code, that he wrote for a hooking engine, in malware.
Hutchins, who gained the attention of the world when he stopped the spread of the WannaCry ransomware by accident in May, was arrested by the FBI in Las Vegas on 2 August after he had boarded a plane to leave the US.
The chargesheet against him said he had written and helped distribute Kronos along with an unnamed co-conspirator.
It might be worth noting that nothing on my github was invented by me, they are all PoCs of existing methods.— MalwareTech (@MalwareTechBlog) August 18, 2017
After a detailed technical analysis of how Kronos works, hasherezade wrote that the hooking engine used in malware was similar to the engine that Hutchins had described on his blog.
"Looking at the hooking engine of Kronos we can see a big overlap, that made us suspect that this part of Kronos could be indeed based on his ideas," the researcher wrote.
"However, it turned out that this technique was described much earlier (i.e. here, //thanks to @xorsthings for the link ), and both authors learned it from other sources rather than inventing it.
"An overall look at the tricks used by Kronos shows that the author has a prior knowledge in implementing malware solutions. The code is well obfuscated, and also uses various tricks that requires understanding of some low-level workings of the operating system.
"The author not only used interesting tricks, but also connected them together in a logical and fitting way. The level of precision lead us to the hypothesis, that Kronos is the work of a mature developer, rather than an experimenting youngster."