Maxim_Kazmin - Fotolia
Security researcher Marcus Hutchins, who was integral in stopping the WannaCry ransomware outbreak, has pleaded guilty to creating and distributing malware and now faces as many as 10 years in prison.
Hutchins, better known as MalwareTech, was charged with 10 counts related to the creation and distribution of the Kronos banking Trojan. The plea deal ended with eight counts being dropped -- according to court documents -- while Hutchins pleaded guilty to two counts of entering a conspiracy to create and distribute the malware.
"I regret these actions and accept full responsibility for my mistakes. Having grown up, I've since been using the same skills that I misused several years ago for constructive purposes," Hutchins wrote in a public statement. "I will continue to devote my time to keeping people safe from malware attacks."
The two guilty pleas in Hutchins' case each bring potential penalties of up to $250,000 in fines and up to five years in prison with as much as one year of supervised release. It is unclear how time served may impact these penalties as Hutchins spent time under house arrest after his arrest in August 2017.
Hutchins was notably arrested in Las Vegas on Aug. 3, 2017, after he had attended the Def Con 25 security conference. He was later placed under house arrest in Milwaukee before being released on bail and relocating to Los Angeles. The original indictment in the case included six charges and another four charges were added in June 2018.
Operating anonymously under the name "MalwareTech," Hutchins successfully sinkholed a domain used by the WannaCry ransomware during its outbreak in the spring of 2017. MalwareTech became an infosec media star after being credited with stopping the spread of the notorious ransomware; Hutchins' identity was later revealed by two separate media reports.
The MalwareTech case has been a source of debate in the infosec community because of the prominence Hutchins achieved for helping find a hardcoded kill switch that limited the damage caused by WannaCry.
Kevin Beaumont, a security architect based in the U.K., expressed support on Twitter, saying, "I stand by [MalwareTech] (not that he needs it). He's been integral to the fight against real world cybersecurity threats like Emotet while an adult."
Daniel Miessler, cybersecurity expert and formerly a project leader at the OWASP Foundation, also stood behind Hutchins on Twitter.
My non-expert take on @MalwareTechBlog's arrest:— ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ (@DanielMiessler) April 19, 2019
1. He used to make malware.
2. He grew out of it in 2013/2014.
3. He used his skills for good to stop WannaCry.
4. That spotlight exposed his distant past.
5. Now he's being punished for it.
Additionally, some worried that the charges would have a chilling effect on others trying to break into cybersecurity research. The illegal activities for which Hutchins was charged occurred between July 2012 and September 2015, before Hutchins began working for Kryptos Logic, a cybersecurity company based in Hermosa Beach, Calif.