WannaCry Stopper Pleads Guilty to Writing Banking MalwareMarcus Hutchins, aka MalwareTech, Says He Regrets Coding, Distributing 'Kronos'
Marcus Hutchins, the British computer security expert who helped halt the massive WannaCry ransomware outbreak in mid-2017, has pleaded guilty to developing banking malware.
See Also: The Global State of Online Digital Trust
Hutchins, 24, of Devon, England, had previously maintained he would fight U.S. charges that he developed the Kronos malware, also known as UPAS Kit. But on Friday, in a statement posted to his website, Hutchins says he has decided to plead guilty.
"I regret these actions and accept full responsibility for my mistakes," Hutchins writes. "Having grown up, I've since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks."
Hutchins, a British national, was arrested by the FBI in the U.S. and charged on Aug. 2, 2017, just before he was set to fly back to the U.K. after attending the Black Hat and Def Con security conferences. He has remained in the U.S. since then, continuing to work for Los Angeles-based Kryptos Logic, a security consultancy, where he specializes in reversing malware.
Hutchins' guilty plea was filed Friday in federal court in Wisconsin. Hutchins pleaded guilty to two counts of developing and distributing malicious software aimed at collecting data that would aid in fraudulently compromising bank accounts.
Each count carries a maximum penalty of five years in prison, a $250,000 fine and one year of supervised release. Hutchins could also be subject to a restitution order.
As a result of his guilty plea, prosecutors have agreed to drop eight other counts against him that were lodged in a superseding indictment.
Nearly 90 percent of federal prosecutions end in a guilty verdict, says Tor Ekeland, a Brooklyn-based attorney who has worked on high-profile hacking cases. Many defendants - even innocent ones - take guilty pleas to avoid the risk and expense of a trial.
But Hutchins' plea means that a problematic legal theory won't be tested: that it's illegal to write code that can be used illegally. Almost any software could potentially be used for an illegal purpose, Ekeland says. Hutchins was not accused of either selling or actually using Kronos.
"This prosecution is chilling because it presents no clear boundaries as to what is illegal and legal in terms of writing code," Ekeland says. "Because of the plea, there'll be no legal ruling on these critical issues."
Feds Watched Hutchins
The government has not yet made its sentencing recommendation to the judge presiding over Hutchins' case. But the defendant's case for leniency should be strong, due to his quick action in May 2017.
In that month, suspected North Korean hackers released WannaCry, a type of ransomware that employed leaked software exploits that had apparently been developed by and then stolen from the National Security Agency. WannaCry spread rapidly around the world, infecting as many as 200,000 systems, causing billions of dollars in damages and underscoring the fragility of global computer systems (see: Is WannaCry the First Nation-State Ransomware?).
WannaCry hampered computers at the U.K. National Health Service and a host of top-tier companies around the world, including FedEx, Nissan and Honda. But Hutchins discovered the malware might stop spreading if a certain domain was live, which he registered. Triggering that "kill switch" stopped WannaCry from propagating.
Although Hutchins had long been known by his MalwareTech pseudonym, his actual identity became known fairly quickly after he disarmed WannaCry. But what Hutchins didn't know is that he'd already been in the sights of U.S. federal agents.
Kronos Gig: $100,000 a Year
The indictment against Hutchins accused him of developing Kronos between 2012 and 2015. Authorities allege he did the development work and left it to someone going by the alias "Vinny," also known as "Aurora123" and "VinnyK," to market the malware.
Vinny sold Kronos on well-known forums, including exploit[dot]in, Darkode forum and the AlphaBay market. Vinny and Hutchins allegedly had an agreement by which Vinny would share the proceeds from sales. Hutchins allegedly told an FBI source that he expected to make $100,000 per year, according to the plea agreement.
But neither Vinny nor Hutchins were apparently aware that both were communicating in online chats with two people who began working with the FBI and had been furnishing chat logs to the bureau going back as far as 2012.
The plea agreement reveals some of the interplay between Vinny and Hutchins, who likely never met in person. In a chat, Hutchins allegedly told one of the FBI's confidential sources that "he wondered if Vinny was misrepresenting sales and profits in order to keep more money for himself."
Hutchins also allegedly told that source that he'd developed a virtual network control feature for Kronos. But Hutchins wrote that he was holding it back until he was sure Vinny was upholding his side of the bargain. Hutchins told an FBI source he wasn't interested in directly selling malware because it was too "risky," according to the document.
Once the case against Hutchins was revealed and he was detained, the suspect faced several apparent obstacles.
First, Hutchins made incriminating statements to agents following his arrest, and he also made a phone call that FBI agents recorded. In the call, Hutchins said: "I used to write malware."
In January, a federal judge denied motions that sought to suppress his post-arrest statements to agents and the phone call. His attorneys challenged whether his Miranda rights were clearly presented and whether he understood those rights (see: WannaCry Hero Loses Key Motions in Hacking Case).
They also contended that Hutchins was intoxicated when questioned. But the judge determined there wasn't a basis for that, and he said that a "terrible hangover" doesn't constitute a condition whereby someone can't exercise their Miranda rights.
Next Up: Sentencing
A felony conviction will likely imperil Hutchins' ability to live in the U.S.. It might also complicate efforts to attend U.S.-based conferences, such as Black Hat in Las Vegas.
Of course, it's also unclear how much prison time Hutchins might face. Some countries emphasize rapid rehabilitation for young computer crime offenders. But in the U.S., prosecutors often push for the maximum possible period of incarceration for computer crime defendants, citing the need to deter future criminals. Whether such sentences have this effect is unclear (see: The Myth of Cybercrime Deterrence).
Hutchins, however, helped stop WannaCry. That heroic turn could weigh in his favor, together with his stated acceptance of responsibility. He was also a minor during part of the period authorities allege he was active with Kronos.
I have nothing but infinite gratitude for those who have shared kind messages today. I feel undeserving of them, but you really helped me get through today. Thank you— MalwareTech (@MalwareTechBlog) April 20, 2019
After he published the guilty plea on his website, Hutchins received many messages of support. As the case was progressing, Hutchins often commented about the mental toll it was taking on him.
"I have nothing but infinite gratitude for those who have shared kind messages today," Hutchins writes. "I feel undeserving of them, but you really helped me get through today. Thank you."
Executive Editor Mathew Schwartz also contributed to this story.