Marcus Hutchins will serve his suspended sentence in Blighty BRITISH WANNACRY KILL-SWITCH HERO MARCUS HUTCHINS has avoided a jail sentence over his links to the Kronos banking Trojan. Hutchins, who was arrested in the US in 2017, was on Friday sentenced to one year of supervised release and ordered to pay $100 for each count listed by prosecutors.
Marcus Hutchins will serve his suspended sentence in Blighty
BRITISH WANNACRY KILL-SWITCH HERO MARCUS HUTCHINS has avoided a jail sentence over his links to the Kronos banking Trojan.
Hutchins, who was arrested in the US in 2017, was on Friday sentenced to one year of supervised release and ordered to pay $100 for each count listed by prosecutors. He will be able to serve his probation in the UK, and will be able to fly back as soon as the appropriate arrangements are made.
“He’ll have to be processed in England,” said Judge JP Stadtmueller. “He’ll be subject to probation’s jurisdiction. Nothing in judgement require he stay in US. I’m seeking to avoid him being taken into custody by ICE [US Immigration and Customs Enforcement]. We don’t need any more publicity or another statistic.”
In Milwaukee for @MalwareTechBlog sentencing hearing, that begins in 7 minutes.
Most of the sentencing materials are sealed, but here’s the govt filing. https://t.co/LZdpqGMpbD
— emptywheel (@emptywheel) July 26, 2019
In sentencing, Judge Stadtmueller took into account Hutchins’ role in stopping WannaCry and the fact that he had clearly ceased his involvement in malware development.
“It’s certainly to your credit that without any encouragement, working for the FBI or any security agency in England, that you stepped up to plate without expectation of notoriety,” said Judge Stadtmueller in summary.
He added, though, that it was important to bear in mind his age and maturity at the time of the offences, which would have impaired his ability to “exercise good judgement”.
While the ordeal has lasted almost two years, Hutchins nevertheless got off relatively lightly. Sentencing guidelines indicated imprisonment of between eight and 14 months, followed by one-to-three years of probation and a fine anywhere between $4,000 and $40,000. He could, though, have been imprisoned for up to 10 years.
Hutchins: I do this in hopes i can steer people away from my mistakes. Future reinforces that I have no plan to go back, I’d like to dedicate more time to teaching next generation of security experts. I’d like to apologize to victims, those who learned of my past, my family.
— emptywheel (@emptywheel) July 26, 2019
Hutchins had also been involved in the development of other malware, in addition to Kronos, typically writing the code for clients that he had found online who would deploy the malware. Hutchins had started writing malware as a teenager as he developed his interests in computing.
By the time of WannaCry, Hutchins had become a security researcher investigating malware, rather than writing it.
Indeed, Hutchins had appeared on the radar of US authorities, the prosecutors’ Sentencing Memorandum indicates, well before WannaCry emerged in May 2017, when Hutchins became a global hero by finding and activating a ‘kill switch’ to stop WannaCry in its tracks.
Hutchins provided the following statement to the court: “Your honour, when I was a teenager I made series of bad decisions. I deeply regret my conduct and the harm that resulted. I eventually discontinued, but wish I could go back now [and] work in cyber security, stopping the same kinds of malware…
“I’d like to dedicate more time to teaching the next generation of security experts. I’d like to apologise to the victims, those who learned of my past, and my family.”
Sentenced to time served! Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally.
— MalwareTech (@MalwareTechBlog) July 26, 2019
Hutchins pleaded guilty in April 2019 after the evidence against him – which included an admission of guilt he made on the phone while in custody – mounted up.
He was arrested in August 2017 at Las Vegas’s McCarran International Airport as he was about to board a flight back from the Black Hat and Def Con security conferences. Authorities in the UK, it later emerged, were aware of US authorities’ plan to arrest Hutchins before he even flew to Las Vegas in July. µ