Marcus Hutchins, the British security researcher who assisted in stopping the WannaCry ransomware attack, was sentenced today in the United States to time served and one year of supervised release on charges of creating and selling the Kronos banking malware.
The researcher, also known by the handle MalwareTech, became a hero in the information security community when he found a “kill switch” that curbed the global spread of the WannaCry ransomware.
In April 2019, Hutchins pleaded guilty to two charges associated with the creation of the Kronos banking trojan. Prosecutors agreed to drop the other eight charges.
In August 2017, Hutchins was taken into custody by the Federal Bureau of Investigation (FBI) at the Las Vegas international airport as he was attempting to return home to the United Kingdom after attending the Black Hat and DEF CON security conferences. Prosecutors accused MalwareTech of creating and distributing the Kronos banking malware when he was a teenager.
The arrest of Hutchins fascinated the information security industry and occasionally stirred debate within it, with some people perplexed as to why prosecutors were pursuing Hutchins for crimes committed many years ago.
Hutchins’ legal case has been contentious. He contended that he was detained and questioned while sleep-deprived and inebriated, and that FBI agents misled him about the real intentions of the interrogation.
MalwareTech spent some time under house arrest in Milwaukee. He tweeted about the challenges of adapting to a new life and the disappointments of living with legal uncertainty.
Hutchins has also expressed remorse for his past involvement in illicit activities. In a statement on his public blog earlier this year, he said that he accepted full responsibility for his actions.
“I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks,” Hutchins stated.
The two charges Hutchins pleaded guilty to each carried a maximum sentence of five years in jail, $250,000 in fines, and up to one year of supervised release. In total, Hutchins faced up to 10 years in jail and a maximum $500,000 fine.
In giving Hutchins a reduced sentence, Judge J. P. Stadtmueller weighed Marcus Hutchins’s role in stopping WannaCry and the prosecutor’s failure to show how much damage Kronos actually caused.
With his sentence of time served, MalwareTech will not need to spend any time in jail. Since being taken into custody, Hutchins has spent most of his time in Los Angeles with an ankle monitor.