Briton Marcus Hutchins, 25, has pleaded guilty in the US to charges of creating the notorious Kronos malware as well as other malware known as UPAS Kit, both used to steal online banking credentials, but has been spared a jail sentence.
Since it was created, Kronos is thought to have stolen user credentials associated with banking systems in several countries, including the UK, Canada, Germany, Poland, France and India.
Once hailed as a hero for finding a “kill switch” for the WannaCry ransomware while working with GCHQ to shut down the attack that heavily affected the NHS in 2017, Hutchins was arrested just weeks later at Las Vegas airport as he prepared to return to his home in Ilfracombe, Devon, after attending the Defcon and other security conferences.
After his arrest, it emerged that GCHQ officials knew about the FBI investigation that led to his arrest before Hutchins travelled to the US and that the arrest effectively saved UK authorities from an extradition battle with the US.
US officials tried for several years to extradite Glasgow-born Gary McKinnon to face charges of breaking into and damaging military computers. His extradition to the US was blocked in October 2012, after a 10-year battle, by Theresa May, then home secretary, on human rights grounds after medical reports said McKinnon was very likely to try to kill himself if extradited because of his psychological vulnerability stemming from Asperger’s Syndrome, a form of autism.
Hutchins has remained in the US on bail since his arrest and was facing up to 11 years in prison, but will now be allowed to return to the UK after a US court sentenced him to a one-year supervised release, without any additional jail time or fines. However, Hutchins was ordered to pay $100 for each count, in accordance with victims’ restitution.
According to sentencing guidelines in the plea agreement, the first count against him carries a penalty of up to six years in prison, up to $250,000 in fines, up to one year of supervised release, and a $100 special assessment, while the second count carries a penalty of up to five years in prison, up to $250,000 in fines, up to one year of supervised release, and a $100 special assessment.
The lighter sentence takes into account that although Hutchins, also known as MalwareTech, created Kronos and UPAS Kit between 2012 and 2015, he made a significant contribution to stopping WannaCry, and he is no longer involved in creating malware, having become a security researcher.
In passing sentence in court in Milwaukee, Wisconsin, judge Joseph Stadtmueller praised Hutchins for “turning a corner”, adding that there were “too many positives on the other side of ledger”, tweeted journalist Marcy Wheeler from the courtroom.
Hutchins’ guilty plea came after 20 months of pleading not guilty to all charges relating to the Kronos malware, during which time he said he had matured.
“I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,” he wrote in a blog post. “I regret these actions and accept full responsibility for my mistakes.
“Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”
Communicating via his Twitter feed, Hutchins also encouraged other security researchers to stay away from criminal activity.
“There is a misconception that to be a security expert, you must dabble in the dark side,” he wrote. “It’s not true. You can learn everything you need to know legally. Stick to the good side.”
Hutchins also thanked his supporters for their “kind messages” in the wake of his guilty plea. “I feel undeserving of them, but you really helped me get through today,” he wrote.
In a statement issued after sentencing, Hutchins’ lawyers said they were “thrilled” that judge Stadtmueller had recognised their client’s contributions to keeping people safe and called the judge’s encouragement for Hutchins to apply for a pardon “unprecedented”.