WannaCry Hero Marcus Hutchins Pleads Guilty To Creating Banking Malware

This article is more than 4 years old.

ASSOCIATED PRESS

Marcus Hutchins, perhaps best known by his MalwareTech alias, has pleaded guilty to two criminal charges related to creating and distributing malware. In May 2017, Hutchins was hailed as a hero after playing a pivotal role in stopping the global spread of the WannaCry ransomware attack.

That heroic status was tarnished when, as he travelled home following the Black Hat and Def Con security conferences, Hutchins was arrested by the FBI at the Las Vegas McCarran International Airport. The charge shocked most everyone in the information security industry: that of creating the Kronos malware that stole the passwords of online banking customers. Hutchins was further charged, some ten months later, with creating another piece of malware known as UPAS Kit and working with a co-conspirator to market and sell both of them on the dark market.

Court documents obtained by ZDNet writer Catalin Cimpanu reveal that Hutchins could face ten years in prison having pleaded guilty to two of the ten counts against him: distributing Kronos and conspiracy to create and distribute malware.

In a short public statement posted online at his MalwareTech site, Hutchins says that "I've pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes."

Hutchins also says that "Having grown up, I've since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks." This is something that will resonate with many in the security industry, and no doubt polarize opinion as well. The employment of former "black hat" hackers to help protect networks and data is seen by some as an obvious positive, the poacher turned gamekeeper experience argument, while others maintain that those guilty of criminal hacking cannot be trusted in a "white hat" role.

I am firmly in the former camp, as many of us have done things in our younger years that we wouldn't do now, and Hutchins has spent his time while awaiting trial in Los Angeles teaching others how to analyze malware. His actions during the WannaCry attack, when he spotted an unregistered domain in the ransomware code and registered it himself, turning it into a kill switch, without doubt saved many organizations from being infected. I'm not saying that he should not atone for his crimes, but I am equally certain that his actions as one of the world's most talented security researchers should be balanced against the mistakes he made earlier in life.
