WannaCry 'Hero' Pleads Guilty to Writing Malware in US Court
Marcus Hutchins, also known as MalwareTech, has pleaded guilty in a US court to two counts of creating and spreading malware. The reverse-engineer is well known for his contribution to ending the WannaCry ransomware attacks in May 2017.
According to Wisconsin court documents, Hutchins was charged in "10 counts of a superseding indictment." He pleaded guilty to counts one and two, saying that the US government would be able to prove that "between July 2012 and September 2016, [he] helped create and, in partnership with another, sell malicious computer code, aka malware, known as UPAS-Kit and Kronos."
Arrested in August 2017 at the Las Vegas airport by the FBI, Hutchins was accused of creating and spreading the banking Trojan Kronos, followed by additional charges in June 2018 relating to developing and distributing UPAS Kit, a "modular HTTP bot" designed to install on victims’ machines without alerting AV tools. He denied the former in 2017, making this a complete turnaround on his previous plea.
Kronos targeted banking information and was valued at $7,000 on the dark web.
Hutchins made a public statement in response to reports of his plea: "As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks."
The WannaCry attacks took place in May 2017, with Telefonica being the first victim. The attacks happened worldwide, including the UK's National Health Service (NHS), and impacted more than 150 countries. Hutchins created a kill switch, which helped organizations globally stop the ransomware. He won an award for his contribution, as many cited the impact would have been worse without it.
According to the Wisconsin court documents, Hutchins could face up to six years in prison and a $250,000 fine.
Source: Information Security Magazine