Marcus Hutchins is on his way home to England after a judge spared him a stretch behind bars in America for developing the Kronos banking trojan.
Hutchins, the British malware reverse-engineer who shot to fame in May 2017 for thwarting a global WannaCry epidemic by discovering and activating its kill switch, was facing up to 10 years in the clink – after admitting he crafted the online-bank-account-raiding software nasty Kronos years ago as a teenager.
Today, however, Judge Joseph Stadtmueller, in a Wisconsin federal district court, sentenced Hutchins, 25, to one year of supervised release, and time served, plus ordered him to cough up $100 for each count as restitution to victims of his code. This effectively spared the Brit prison in the US, a country he has been forced to live in while awaiting trial since his dramatic arrest by the FBI in Las Vegas in August 2017.
“We see all sides of the human existence, both young, old, career criminals, those who strayed,” Judge Stadtmueller said, investigative journalist Marcy Wheeler reported from the courtroom. “I appreciate the fact that one might view ignoble conduct against backdrop as work a hero, a true hero. That is, at the end of the day, what gives this case its uniqueness.”
Wheeler noted separately that, according to Uncle Sam's prosecutors, virtually all the victims of Hutchins' malware were outside America, making this whole US trial thing pretty odd.
Turned a corner
The judge acknowledged that Hutchins had already turned from the dark side of malware development during his teenage years to become a respected professional white-hat infosec researcher, well before the Feds collared him. Hutchins, the judge said, was now using his intimate knowledge of malware and related skills to study and kill off software nasties, rather than creating more of them. Such skills are sorely needed, the judge noted before passing sentence, to help society tackle its woeful state of cyber-security.
"It's certainly to your credit that without any encouragement ... you stepped up to plate without expectation of notoriety," Judge Stadtmueller added. "It is important to keep in mind the relative age of a young person who may not have matured to the point of being able, at end of day, to exercise good judgment."
It is understood Hutchins is keen to return to the UK as soon as possible after spending the past two years in the US without his passport awaiting his fate. Judge Stadtmueller said nothing in today's judgment forces him to remain in the States, and he is thus free to leave and carry out his year of probation abroad. The judge warned Hutchins that his criminal conviction may well preclude the Brit from ever visiting the US again once he leaves. Stadtmueller even suggested Hutchins consider seeking a pardon or some kind of waiver in order to return – a comment Hutchins' legal team called "unprecedented."
Hutchins became a computer security celebrity when he discovered WannaCry was checking for the existence of a particular domain name, and by registering it, he activated a kill switch in the ransomware worm that stopped it from spreading further. The malicious code had trashed computers in more than 70 countries, and had crippled large chunks of the UK’s National Health Service. By triggering the kill switch, he halted what could have been a terrible global epidemic.
Later that year, he was invited to the DEF CON conference in Las Vegas, USA, and spent the week hobnobbing with fellow hackers and doing the usual tourist stuff. When he was about to board a flight home, the FBI swooped and arrested him.
Unbeknownst to Hutchins, the g-men had been investigating him, and suspected he had played a role in the creation of two pieces of malware: the Kronos bank-account-draining trojan, and the UPAS Kit malware. The agents had obtained chat logs showing Hutchins had developed part of the code as a teenager, and had sold copies of it to crooks for a few thousand quid.
While Hutchins initially denied the accusations, he later pleaded guilty. That admission, the fact he built the code when he was a teenager, and his subsequent work fighting malware and educating others on how to thwart software nasties, before he was even aware the Feds had him in their sights, counted heavily toward today’s verdict.
“Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally,” Hutchins, aka MalwareTechBlog, tweeted after the verdict.
"Hopefully I can work on finding some way to come back to the US. But until then, back to work!"
Meanwhile, his lawyers tweeted:
.@MalwareTechBlog is going home a free man. @brianeklein and I are thrilled that Judge Stadtmueller recognized Marcus’ important contributions to society and sentenced him to time served, even suggesting Marcus should seek a pardon.— Marcia Hofmann (@marciahofmann) July 26, 2019
Hutchins’ tearful mother was in court to see her son freed. He will now return to Los Angeles, where he has been staying, to pick up his stuff, before heading back to Blighty. Right now, though, he's, very understandably, celebrating with pals...
Today’s verdict is a rare sign of sense from an American legal system that all too often seems more focused on hard punishment than perspicacity. There is little sense in locking away a talented researcher, who has much to offer the world, over youthful indiscretions. ®
PS: The judge was keen to allow Hutchins to smoothly return to the UK, via LA to pick up his belongings, without him being intercepted by America's feisty border cops, ICE, who have no tolerance for criminal immigrants. "Nothing in the judgment requires he stay in US. I'm seeking to avoid him being taken into custody by ICE. We don't need any more publicity or another statistic," he said.