A British cyber researcher, who made international headlines after stopping the WannaCry malware attack in May, was indicted by a U.S. grand jury on allegations that he created and sold a separate cyber attack that targeted banks, according to the Justice Department. The Federal Bureau of Investigation arrested the cyber security researcher on Thursday in Las Vegas, according to Vice’s Motherboard.

Marcus Hutchins, a researcher for cyber security company Kryptos Logic, is credited for finding the kill switch for the WannaCry malware attack in May and preventing the malicious software from spreading further, according to Motherboard. In one day, WannaCry infected computers in 150 countries and crippled hundreds of businesses, hospitals, and governments, according to a report by the U.S. Congress. The cyber security community praised Hutchins, who inadvertently stopped the attack from spreading while he was tracking the malware and trying to understand it, Hutchins told The Guardian and outlined on his blog. But now, Hutchins faces allegations that he created the Kronos Banking Trojan malware, the Justice Department announced.

According to the indictment, which was filed in federal court in Wisconsin in July and unsealed on Thursday, Hutchins allegedly created the Kronos Banking trojan malware in 2014, a malicious program that targeted banks and swiped users bank account login credentials. The indictment alleges that Hutchins, and an unidentified accomplice, advertised and sold the malware on AlphaBay, the dark web marketplace that was recently shut down by US Department of Justice and Europol. The indictment says the malware was sold for $3,000 a piece, but the indictment did not say how many customers bought the exploit. The indictment includes six counts of charges from a federal grand jury against Hutchins and his accomplice.

Motherboard first reported on Hutchins’ arrest and indictment. According to a statement released by the Department of Justice, the federal grand jury indictment was the result of a two-year investigation on the malware that targeted banking customers in Canada, the United Kingdom, France, Germany, and Poland.

The Justice Department says Kronos steals banking login credentials by sending targets to a fake version of their bank’s websites.

Hutchins was arrested at the Las Vegas airport after attending the hacker conference Def Con, Motherboard reported. Kryptos did not return a request for comment.