Marcus Hutchins, who saved thousands of users from the notorious WannaCry ransomware, is not going to serve jail time
British malware researcher Marcus Hutchins, also known by his online name MalwareTech, was sentenced to time served and one year of supervised release. The sentence was announced on Friday, July 26th, when United States District Judge J. P. Stadtmueller read the verdict in Milwaukee County Court.
Now a security expert known for his heroic deed of saving thousands of users by creating the WannaCry kill switch, Hutchins was accused of developing and selling the banking credential-stealing malware Kronos when he was merely 22 years old. After his arrest, he faced six federal charges related to his hacking activities.
MalwareTech was extremely happy with the outcome, as he initially faced up to 10 years in jail and a $500,000 fine. After the sentencing on Friday, he tweeted:
Sentenced to time served! Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally.
Additionally, the now-free man thanked his lawyers, who provided him with “pro bono” help, adding that he will be forever in their debt.
The WannaCry kill switch and a successful career in the security field
Marcus Hutchins was born in Devon, UK, in 1994. The world first heard about him in 2017, when the notorious ransomware WannaCry attacked high-profile organizations and governmental institutions, stopping the work of major organizations such as the NHS and Nissan Motor Manufacturing in the UK.
At that time, Hutchins was working for Los Angeles-based cybersecurity firm Kryptos Logic, and, while trying to understand how the ransomware managed to infect over 700,000 devices in such a short period of time, he registered a domain. As it turned out, the domain worked as a kill switch that stopped WannaCry from spreading further. The malware is believed to be the work of the North Korean state hacking group Lazarus, and the registered domain was actively targeted by DDoS attacks that the group initiated to continue the ransomware's spread. Luckily, the second outbreak never happened, although the virus is still a threat to thousands of unpatched systems that are vulnerable to the EternalBlue exploit.
However, stopping the deadly ransomware was not the only heroic deed that Marcus was involved in. After the “kill switch” was created, he also actively participated in the cybersecurity community, reverse-engineering various malware and teaching others about his findings.
Hutchins initially denied being involved in hacking activities
MalwareTech was coming back from the Def Con security conference in August 2017 when he was arrested by the authorities in Las Vegas. The then 23-year-old was accused of developing and selling two strains of data-stealing malware – Kronos and UPAS Kit. He was later released on bail for $30,000 and has since resided in Las Vegas, awaiting his trial in July 2019.
Initially, Hutchins denied all the charges but was later presented with evidence of his involvement in the malware's development and distribution. After this, he pleaded guilty to two primary charges, while the other eight were dropped.
In his public statement, Hutchins said he deeply regretted his actions, also citing his young age as one of the primary reasons for his misconduct:
As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.
MalwareTech was widely praised by the security community and his fans for the achievements in his field, and many news outlets even asked for his freedom, claiming that “Society owes this security researcher a very big favor.”
Judge Stadtmueller looked positively at Marcus' turnaround prior to the arrest, called the 25-year-old a “talented but youthful” offender, and spared him jail time, saying:
It’s going to take the people like [Hutchins] with your skills to come up with solutions because that’s the only way we’re going to eliminate this entire subject of the woefully inadequate security protocols