Marcus Hutchins, the British security researcher who authors the popular blog MalwareTech, has pleaded guilty today to writing malware in the years prior to his prodigious career as a malware researcher.
Marcus posted a statement on his website and on his Twitter feed: “I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”
Statement About My Legal Case https://t.co/XLp82vedLk
— MalwareTech (@MalwareTechBlog) April 19, 2019
Marcus was virtually unknown to most in the security community until May 2017 when the UK media revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before.
In August 2017, Hutchins was arrested by FBI agents in Las Vegas on suspicion of authoring and/or selling “Kronos,” a strain of malware designed to steal online banking credentials. Hutchins has been barred from leaving the United States since he was arrested.
Hutchins’ plea agreement is here. “Attachment A” on page 15 outlines the case against Hutchins and an alleged co-conspirator. It states that between July 2012 and Sept. 2015, Hutchins helped create and sell Kronos and a related piece of malware called UPAS Kit.
Many of Hutchins’ supporters and readers had trouble believing the charges against him, and in response KrebsOnSecurity published a detailed investigation into activities tied to his various online personas over the years.
According to the report, the clues suggested Hutchins began developing and selling malware in his mid-teens, only to later have a change of heart and earnestly endeavor to leave that part of his life squarely in the rearview mirror. Nevertheless, there were a number of indications that Hutchins’ alleged malware activity continued into his adulthood.
Up to 10 years in prison
According to court documents obtained by ZDNet, Hutchins pleaded guilty to two counts, and the government agreed to drop the other eight. He pleaded guilty to entering a conspiracy to create and distribute malware, and to aiding and abetting its distribution. For each count, Hutchins will face up to five years in prison, $250,000 in fines, and one year of supervised release.
According to ZDNet, Marcus was charged with working with a co-conspirator, identified as “Vinny,” “VinnyK,” and “Aurora123,” to advertise and sell the two malware strains online. This occurred sometime between July 2012 and September 2015, before Hutchins was recognized as a talented security researcher.
ZDNet further explains that creating malware is a form of protected speech in the United States, but selling and disseminating it is another matter. Orin Kerr, a law professor at the University of Southern California, gives a detailed explanation in a 2017 dissection of the government’s charges on the Washington Post website.
The charges against Marcus are likely to be tempered by federal sentencing guidelines, and may take into account the detention time already served. It remains unclear when he will be sentenced. After the arrest, Hutchins was released on bail and has been living in Los Angeles awaiting trial. He started sharing his malware analysis skills with the information security (infosec) community when he was prohibited from working for his employer. Hutchins is considered one of the most talented security researchers, and this news comes as a huge loss for the infosec community.
Hear! Hear! – Marcus has taught me a great deal during my journey with #emotet. I am still amazed that he has worked with me and the @Cryptolaemus1 team to help us with our battle. Without his help, we would still be in the stone age fighting this botnet!
— Joseph Roosen (@JRoosen) April 19, 2019
Update on 26th July from ZDNet
ZDNet reported on Friday that the US legal case against Marcus Hutchins, who helped stop the WannaCry ransomware outbreak, has come to an end. He was sentenced in the US to time served and one year of supervised release.
The UK-born malware analyst avoids prison time in a case that the judge described as having “too many positives on other side of ledger” — referring to Hutchins’ role in the WannaCry ransomware outbreak and his work as a malware analyst.
Read the full story in the ZDNet blog post.