British cyber security expert who stopped a worldwide computer virus in 2017 before being indicted for prior malware crimes is spared prison
- Marcus Hutchins found the ‘kill switch’ in the WannaCry virus which threatened to infect millions of computers globally with Microsoft Word software installed
- But Hutchins, 25, was already wanted by authorities for trying to sell malware
- He was indicted on 10 charges and spent a few days in jail after being arrested in Las Vegas in 2017, and was required to stay in the U.S. while his case was pending
- For the past two years, Hutchins has performed a poacher-turned-gamekeeper role in California, helping to identify and resolve emerging malware threats
- U.S. District Judge J.P. Stadtmueller said the damage he helped prevent by stopping the virus was far greater than the money he made selling malware
- His attorney said afterward he intended to return to Great Britain
A British cyber security expert who was hailed as a hero for helping stop a worldwide computer virus in 2017, only to later be charged with previously selling malware, will not serve any more time behind bars.
Marcus Hutchins was widely praised for his role in finding the ‘kill switch’ in the WannaCry virus that demanded ransoms off Microsoft Word users around the world.
But the hacker was already on FBI lists for his previous crimes including developing two pieces of malware, conspiring to sell the malware and lying to authorities.
He was indicted on 10 charges and spent a few days in jail after being arrested in Las Vegas in 2017. He was also required to stay in the U.S. while his case was pending.
Marcus Hutchins was widely praised for his role in finding the ‘kill switch’ in the WannaCry virus that threatened to harvest millions of internet users’ bank details globally
For the past two years Hutchins has performed a poacher-turned-gamekeeper role based in California, where he has helped to identify and resolve malware threats.
U.S. District Judge J.P. Stadtmueller said the damage Hutchins helped prevent by stopping the virus was far greater than the money he made selling malware years earlier, before also noting Hutchins’ admission of guilt.
‘Mr. Hutchins turned the corner with regard to the conduct that led to these charges,’ Stadtmueller said.
Hutchins spoke briefly Friday, apologizing to his victims: ‘I deeply regret my conduct and the crimes I was involved in.’
His attorney said afterward he intended to return to Great Britain.
FBI agents had been investigating Hutchins for years before his arrest. Less than two months after his claim to fame, they arrested him and accused him of creating malware to steal banking passwords.
Prosecutors in Milwaukee had made no sentence recommendation, and noted that Hutchins had accepted responsibility for his actions during a plea deal in April.
Hutchins no longer develops malware attacks and works to stop them, but that does not diminish the seriousness of what he did, prosecutors said.
‘Like a man who spent years robbing banks, and then one day came to realize that was wrong, and even worked to design better security systems, he deserves credit for his epiphany. But he still bears responsibility for what he did,’ prosecutors said.
Prosecutors said Hutchins conspired to distribute the malware – UPAS Kit and Kronos – from 2012 to 2015 and that he sold Kronos to someone in Wisconsin.
FBI agents had been investigating Hutchins for years before his arrest. Less than two months after his claim to fame, they arrested him and accused him of creating malware to steal banking passwords (file image)
He also ‘personally delivered’ the software to someone in California, prosecutors said.
Hutchins initially pleaded not guilty to all charges and was scheduled to go on trial this month.
As part of the deal, Hutchins pleaded guilty to two charges for creating Kronos – and an updated version of UPAS – and conspiring to distribute it.
In exchange, prosecutors dismissed the other eight charges.
‘As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,’ Hutchins said in a statement on his website after the plea deal was announced.
‘I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.’
Kronos was ‘used to infect numerous computers around the world and steal banking information,’ prosecutors said, without providing an exact number.
It’s unclear how much Hutchins profited from creating the malware, but in online chats the FBI intercepted on November 2014, Hutchins said he had only made $8,000 from five sales.