British security researcher Marcus Hutchins is urging security researchers to stay on the right side of the law after pleading guilty to two charges relating to developing and distributing password-stealing malware Kronos between July 2014 and July 2015.
Kronos was designed to steal online banking credentials to enable those behind the malware to drain victims’ bank accounts. Since it was created, Kronos is thought to have stolen user credentials associated with banking systems in several countries, including the UK, Canada, Germany, Poland, France and India.
Once hailed a hero for finding a “kill switch” for the WannaCry ransomware, Hutchins was arrested just weeks later at Las Vegas airport in August 2017 as he prepared to return to his home in Ilfracombe, Devon, after attending Defcon and other security conferences.
The change in plea comes after 20 months of pleading “not guilty” to all charges relating to the Kronos malware, during which time the 24-year-old said he has matured.
“I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes.
“Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks,” he wrote in a blog post.
Communicating via his Twitter feed, Hutchins also encouraged other security researchers to stay away from criminal activity.
“There’s a misconception that to be a security expert you must dabble in the dark side. It’s not true. You can learn everything you need to know legally. Stick to the good side,” he tweeted.
Hutchins also thanked his supporters for their “kind messages” in the wake of his guilty plea. “I feel undeserving of them, but you really helped me get through today.”
According to sentencing guidelines in the plea agreement, the first count carries a penalty of up to six years in prison, up to $250,000 in fines, up to one year of supervised release, and a $100 special assessment, while the second count carries a penalty of up to five years in prison, up to $250,000 in fines, up to one year of supervised release, and a $100 special assessment.
However, the document notes that: “The defendant acknowledges and understands that the sentencing guidelines recommendations contained in this agreement do not create any right to be sentenced within any particular sentence range, and that the court may impose a reasonable sentence above or below the guideline range.”
A court date for sentencing has not been set. This means Hutchins faces yet another period of waiting to find out if he faces more or less than 11 years in prison.