Marcus Hutchins Spared Prison Time in Malware Case
British Security Expert Pleaded Guilty to Creating Kronos Trojan
Marcus Hutchins, the British cybersecurity expert who rose to fame by helping to stop the spread of the WannaCry ransomware outbreak in 2017, will be spared federal prison time after pleading guilty earlier this year to creating the Kronos banking malware.
On Friday, U.S. District Judge J. P. Stadtmueller sentenced Hutchins, 25, to time served and one year of supervised release, according to the Associated Press and other media reports. In April, he pleaded guilty to two counts of developing and distributing malicious software aimed at collecting data that would aid in fraudulently compromising bank accounts, and could have been sentenced to 10 years in federal prison along with a $500,000 fine.
Instead, Hutchins, who is also known by his MalwareTech pseudonym, walked out of a federal courthouse in Milwaukee on Friday. He tweeted out his thanks to his supporters soon after the case was closed.
Sentenced to time served! Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally.— MalwareTech (@MalwareTechBlog) July 26, 2019
During the sentencing on Friday, Stadtmueller noted that Hutchins took responsibility for his actions and that his help in finding the "kill switch" for WannaCry, which helped stop the ransomware from spreading further, outweighed the damage from the malware he created several years ago, according to the AP.
Hero and Villain
Hutchins was first proclaimed a hero in May 2017 for his work on stopping WannaCry, but that changed quickly after the FBI arrested him a few months later, charging him with creating the Kronos banking malware and selling it on dark net forums.
Over the course of the investigation, federal authorities revealed that they had been following Hutchins for some time. FBI agents found that he started developing Kronos between 2012 and 2015, and that while Hutchins did the development work, he left it to someone going by the alias "Vinny," also known as "Aurora123" and "VinnyK," to market the malware, according to an indictment.
Over the course of several years, Hutchins and Vinny exchanged online chat messages with several people, some of whom were helping the FBI in its investigation.
On August 2, 2017, Hutchins was arrested before he was set to fly back to the U.K. after attending the Black Hat and Def Con security conferences. Since that time, he has remained in the U.S., working for Los Angeles-based Kryptos Logic, a security consultancy, where he specializes in reversing malware.
At first, Hutchins, who is originally from Devon, England, indicated that he would fight the federal charges against him, but that changed in April, when he pleaded guilty to the two counts of creating and distributing the Trojan (see: WannaCry Stopper Pleads Guilty to Writing Banking Malware).
"Having grown up, I've since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks," Hutchins wrote on his personal website after pleading guilty.
Role in WannaCry
What likely spared Hutchins additional prison time on Friday was his quick thinking in May 2017.
That month, suspected North Korean hackers released WannaCry, a type of ransomware that employed leaked software exploits that had apparently been developed by and then stolen from the U.S. National Security Agency. WannaCry spread rapidly around the world, infecting as many as 200,000 systems and causing billions of dollars in damages (see: After 2 Years, WannaCry Remains a Threat).
WannaCry hampered computers across the world, including ones at the U.K. National Health Service, FedEx, Nissan and Honda. It was Hutchins, however, who discovered the malware might stop spreading if a certain domain was live, which he registered. Triggering that so-called "kill switch" stopped WannaCry from propagating.
Since that time, Hutchins' skills as a cybersecurity expert have been praised, and he received numerous letters of support between the time of his arrest and Friday's court hearing.
During Friday's sentencing, Stadtmueller indicated that Hutchins will likely have to return to the U.K., and it's not clear if authorities would let him re-enter the U.S. if he leaves. In a Twitter post Friday, Hutchins seemed to indicate that he would now have to leave Los Angeles.
Hopefully I can work on finding some way to come back to the US. But until then, back to work!— MalwareTech (@MalwareTechBlog) July 26, 2019