A British cybersecurity expert who admitted to writing and selling malware was spared prison time Friday by a judge who said the misconduct was outweighed by his help in stopping a worldwide computer virus in 2017.
Marcus Hutchins was hailed as a hero for his role in stopping the WannaCry virus, a so-called crypto-ransomware that encrypts and makes inaccessible files on a computer until a ransom is paid by an individual or company.
Hutchins was sentenced to time served by U.S. District Judge J.P. Stadtmueller. The judge noted Hutchins had pleaded guilty and accepted responsibility for his work on the malware years earlier.
“Mr. Hutchins turned the corner with regard to the conduct that led to these charges,” Stadtmueller said.
Hutchins, 25, served just a few days in jail after being arrested in Las Vegas in 2017, but had been required to stay in the U.S. while his case was pending.
Hutchins spoke briefly Friday, apologizing to his victims, saying, “I deeply regret my conduct and the crimes I was involved in.” His attorney said afterward he intended to return to Great Britain.
FBI agents had been investigating Hutchins for years before his arrest. Less than two months after his claim to fame, they arrested him and accused him of creating malware to steal banking passwords.
Prosecutors in Milwaukee had made no specific sentence recommendation, and noted that Hutchins had accepted responsibility for his actions during a plea deal in April. They also gave him credit for his role in finding a “kill switch” to the WannaCry virus.
He had faced up to 10 years in prison.
‘He still bears responsibility’
Hutchins no longer develops malware attacks. Instead, he works to stop them. Because prosecutors barred Hutchins from returning home while his case was pending, he worked as a cybersecurity consultant in California.
But prosecutors said that does not diminish the seriousness of what he did.
“Like a man who spent years robbing banks, and then one day came to realize that was wrong, and even worked to design better security systems, he deserves credit for his epiphany,” they explained. “But he still bears responsibility for what he did.”
Hutchins was indicted on 10 charges for developing two pieces of malware and lying to the FBI. Prosecutors said Hutchins conspired to distribute the malware — UPAS Kit and Kronos — from 2012 to 2015 and that he sold Kronos to someone in Wisconsin. He also “personally delivered” the software to someone in California, prosecutors said.
Hutchins initially pleaded not guilty to all charges and was scheduled to go on trial this month.
But as part of the April plea deal, he pleaded guilty to two charges for creating Kronos — and an updated version of UPAS — and conspiring to distribute it. In exchange, prosecutors dismissed the other eight charges.
“As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,” Hutchins said in a statement on his website after the plea deal was announced.
“I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”
Kronos was “used to infect numerous computers around the world and steal banking information,” prosecutors said, without providing an exact number.
It’s unclear how much Hutchins profited from creating the malware, but in online chats the FBI intercepted on November 2014, Hutchins lamented he had only made $8,000 US from five sales. Hutchins said he thought he would be making around $100,000 US annually by selling Kronos with one of his conspirators, who is named in the indictment only by his aliases, “Vinny,” “VinnyK” and “Aurora123.”