Vancouver Sun

CYBER HERO AWAITS U.S. SENTENCING

Hacker who stopped WannaCry virus convicted of earlier crimes

- CARA MCGOOGAN

On May 14, 2017, one of the worst cyber attacks in history raged. It was a Friday morning when computers around the world froze and outdated Windows home screens were replaced with WannaCry’s ransom note demanding US$300 in return for access. Before long, 300,000 computers in 150 countries from Colombia to China were locked, causing millions of dollars worth of damage.

NHS England declared a “major incident” with 34 trusts and 595 GP practices hit. Ambulances had to be rerouted and 7,000 appointments were cancelled. It was remarkable no one died; the bill came to $127 million.

The world’s top cyber experts raced to halt the virus, but were left confounded. Then, at 7 p.m., 22-year-old security researcher Marcus Hutchins did what they couldn’t and stopped the attack from his bedroom at his parents’ home in Ilfracombe, United Kingdom. He registered a domain connected to the malicious software that activated a “kill switch.” The world exhaled.

Yet, two years later, the “WannaCry hero” is unable to breathe easily — Hutchins, now 24, is on bail in the U.S., waiting to be sentenced on July 26 for computer crimes he committed as a teenager. The FBI arrested him, three months after the WannaCry attack, at the Las Vegas McCarran International Airport, as he travelled home from Def Con, the world’s largest hacker convention. He was accused of writing the malicious software Kronos, designed to steal money from banks, and selling it to a fraudster for a few thousand pounds when he was 17 — though there is no accusation that he used it to steal money himself.

Hutchins’s journey from WannaCry hero to FBI’s most wanted started at age 12, when he taught himself to code. In 2013, he launched a blog called MalwareTech — also his online pseudonym — and by the time he was 18, U.S. security company Kryptos Logic had offered him a job working remotely for a six-figure salary.

But he lived a quiet life in Devon, at home with his parents, until WannaCry thrust him on to the front pages. He decided to celebrate at Def Con, renting a lavish Airbnb and a Lamborghini. He knew the tabloids were watching him — he didn’t know the FBI was, too.

“I liked the connections and the power,” Hutchins has said previously. “Now, I’m not sure it was worth it ... The FBI took everything: my job, my girlfriend, my bitcoin.”

On April 19, more than 18 months after his arrest, Hutchins accepted “full responsibility for my mistakes” and pleaded guilty in a Wisconsin court to two of 10 charges, related to writing Kronos. Each count carries a maximum sentence of five years and a US$250,000 fine — although his lawyer, Brian Klein, hopes Hutchins will avoid jail.

“What Marcus did to stop WannaCry was truly heroic and the judge will undoubtedly consider that,” says Klein. “It is undisputed, including by the prosecutors, that Marcus has only been using his immense talents for good for many years now.”

The last two years have been an emotional roller-coaster for Hutchins and his parents, Janet and Des, who have made trips to the U.S. Hutchins is currently living in Los Angeles, renting an apartment using his savings and documenting his life on Twitter, interspersing security research with updates that belie a sense of unease. He has posted about being unable to sleep, feeling stressed and having depression.

He has spent more than US$100,000 fighting his case. He has also had support from crowdfunding — one stranger posted his US$30,000 bail.

After I messaged him to ask how he had been passing the time, he wrote on Twitter: “A journalist asked me about what I’ve done since WannaCry, and I realized literally nothing of value. … Went from stopping 3+ major cyber attacks in a year to spending all my time pretending I’m fine and that becoming a drug addict or alcoholic isn’t inevitable.”

Jake Williams, founder of U.S. security company Rendition Infosec, says Hutchins is “uniquely talented.” He adds: “(The attacks he prevented) were a ridiculously bigger threat than what he allegedly created. … If he made mistakes when he was 17, the work he’s been doing since more than makes up for the past. He’s not a bad guy.”

The case has drawn criticism from lawyers and campaigners, who have described it as “aggressive.”

The Foreign Office has done little to contest Hutchins’s detention in the U.S., which levies higher punishments for computer crimes, even though he was in England at the time of the alleged incident. When asked for comment, it said staff were “providing advice and support to (Hutchins’s) family.”

Tor Ekeland, a U.S. criminal lawyer who supported British hacker Lauri Love’s fight against extradition, says the charges are akin to “holding a gun manufacturer liable for murder.” He adds: “It’s reprehensible that Marcus’s reward for stopping WannaCry is a prison sentence. I would counsel anyone not to help with something like WannaCry, because they could end up in jail.”

Hutchins’s case has had a “chilling effect” on the relationship between experts and the authorities, at a time when the U.K. is scrambling to catch up with hackers (the government recently launched local cybercrime units in all police forces, which use YouTube to research hacking techniques). British “white hat” (or ethical) hackers are opting not to tell the police and security services their findings.

Prior to his arrest, Hutchins would share information with the U.K.’s Government Communications Headquarters. Reports say GCHQ knew the FBI was going to arrest Hutchins, but didn’t alert him. Many in the security world believe reformed criminal hackers are vital in preventing attacks. Mustafa Al-Bassam is one example: he was given a 20-month suspended sentence and 500 hours of community service in 2013 for hacking Sony, Fox and the FBI. Now, he is finishing a PhD at University College London and has sold a blockchain company to Facebook.

“If you’ve been on the wrong side in the past and are now on the good, that’s a great thing and should be encouraged,” says Al-Bassam. It’s not that crimes should go unpunished, he adds, but that they should be dealt with proportionately.

After Hutchins entered his guilty plea, he contemplated his future.

“I kept my blog all these years because it acts as a place for people to learn about malware and hacking, away from shady forums of criminals,” he wrote.
