A British cybersecurity researcher best known for halting the spread of the global WannaCry ransomware outbreak two years ago will avoid prison for creating banking malware that surfaced in 2014.
A federal judge in the Eastern District of Wisconsin on Friday sentenced 25-year-old Marcus Hutchins to time served and one year of supervised release. The decision brings to a dramatic close a legal saga that has absorbed the cybersecurity community for years.
Hutchins, also known by the Twitter handle “MalwareTech,” had faced up to a decade in prison after pleading guilty in April to two counts related to writing and distributing the Kronos banking trojan, and another piece of malware known as UPAS Kit. Hutchins created Kronos as a black hat hacker, a life he disavowed before the WannaCry ransomware virus infected more than 200,000 computers in roughly 150 countries in May 2017. Hutchins, working as a security researcher at the time, found a so-called kill switch in the WannaCry code which stopped the malware’s spread.
“It’s going to take the people…with your skills to come up with solutions because that’s the only way we’re going to eliminate this entire subject of the woefully inadequate security protocols,” Judge J.P. Stadtmueller said Friday, as TechCrunch reported from the courtroom.
Sentenced to time served! Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally.
— MalwareTech (@MalwareTechBlog) July 26, 2019
Kronos could steal log-in credentials and other data from online banking sites accessed using popular web browsers. Hutchins wrote the malware while another person, identified by prosecutors as “Vinny,” advertised and sold it on cybercriminal forums, according to the guilty plea. Kronos has been used in attacks on banks in Britain, Canada, and India, according to researchers.
“Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes,” he said in April.
Hutchins’ arrest at a Las Vegas airport in 2017 after the DEF CON hacking conference was a jarring change of fate for a young man who, months earlier, had stopped the WannaCry ransomware from causing more damage by registering a domain that acted as the accidental kill switch. WannaCry, which the U.S. government has blamed on North Korea, infected hospitals, telecommunications companies and other organizations, costing Britain’s National Health Service alone more than $100 million and forcing doctors to turn away patients.
While not recommending a specific sentence, prosecutors argued in a recent filing that the sentence should “provide a measure of deterrence to other malware developers.”
“Like a man who spent years robbing banks, and then one day came to realize that was wrong, and even worked to design better security systems, [Hutchins] deserves credit for his epiphany,” the prosecutors said. “But he still bears responsibility for what he did.”
Hutchins’ case had resonated in the cybersecurity community as some reflected on the extent to which society allows good hacking to cancel out the bad.
“His conviction sends the wrong message about whether or not it pays to mend your ways and, when the moment comes, to do the right thing,” New York Times columnist Sarah Jeong wrote in April, calling for Hutchins to be pardoned.