A British cybersecurity expert who admitted writing and selling malware was spared prison Friday by a judge who said the misconduct was outweighed by his help in stopping a worldwide computer virus in 2017.
Marcus Hutchins, who was hailed as a hero for his role in stopping the “WannaCry” virus, was sentenced to time served by U.S. District Judge J.P. Stadtmueller. The judge noted Hutchins had pleaded guilty in May and accepted responsibility for his past actions.
“Mr. Hutchins turned the corner with regard to the conduct that led to these charges,” Stadtmueller said.
Hutchins, 25, served just a few days in jail after being arrested in Las Vegas in 2017, but had been required to stay in the U.S. while his case was pending.
Hutchins spoke briefly Friday, apologizing to his victims.
“I deeply regret my conduct and the crimes in which I was involved.” Later in his statement he said: “My plan is to continue my work in security but if possible I would like to dedicate more time to teaching the next generation of security experts.”
His attorney said afterward he intended to return to Great Britain. But during the hearing, Stadtmueller reminded him that his conviction in the case would make it difficult to return to the U.S., unless he gets a waiver or a pardon, because the crimes he pleaded guilty to are deportable offenses. His attorneys say they’ll pursue a pardon from the federal government.
In a tweet after the hearing, Hutchins said he hopes he’s able to return to the U.S. someday.
FBI agents had been investigating Hutchins for years before his arrest. Less than two months after his claim to fame, they arrested him and accused him of creating malware to steal banking passwords.
But Stadtmueller said the crimes Hutchins committed paled to the damage the WannaCry virus did by infecting billions of computers worldwide. He praised Hutchins’ “foresight and ability to put in place in a matter of hours a kill switch” to stop the virus.
“It makes the facts of the case that’s before the court today virtually pale in comparison,” the judge said.
Hutchins was indicted on 10 charges for developing two pieces of malware and lying to the FBI. Prosecutors said Hutchins conspired to distribute the malware — UPAS Kit and Kronos — from 2012 to 2015 and that he sold Kronos to someone in Wisconsin. He also “personally delivered” the software to someone in California, prosecutors said.
Prosecutors in Milwaukee had made no specific sentence recommendation. They also credited Hutchins for his role in stopping the WannaCry virus and for accepting responsibility for his actions during a plea deal in April , but said he still deserved to be punished.
The fact that Hutchins now works to stop malware attacks should not diminish the seriousness of what he did, prosecutors insisted.
“Like a man who spent years robbing banks, and then one day came to realize that was wrong, and even worked to design better security systems, he deserves credit for his epiphany. But he still bears responsibility for what he did,” prosecutors said.
While his case was pending, prosecutors barred Hutchins from returning home, so he worked as a cybersecurity consultant in California.
He had faced up to 10 years in prison, but presentencing documents from the U.S. Probation Office recommended he serve 14 months at most.
Hutchins initially pleaded not guilty to all charges and was scheduled to go on trial this month. As part of the deal, Hutchins pleaded guilty to two charges for creating Kronos — and an updated version of UPAS — and conspiring to distribute it. In exchange, prosecutors dismissed the other eight charges.
Kronos was “used to infect numerous computers around the world and steal banking information,” prosecutors said. But they couldn’t provide an exact number of victims, they said, partly because the malware was designed to be undetectable on computers.
However, prosecutors said in their presentencing memo that the impact of the malware Hutchins created are still being felt, noting that “international cyber security firms have reported hundreds of Kronos alerts over the years.”
One firm detected Kronos more than 600 times between 2014 and 2019 around the world, prosecutors said.
It’s unclear how much Hutchins profited from creating the malware, but in online chats the FBI intercepted on November 2014, Hutchins lamented he had only made $8,000 from five sales. Hutchins said he thought he would be making around $100,000 annually by selling Kronos with one of his conspirators, who was named in the indictment only by his aliases, “Vinny,” ”VinnyK” and “Aurora123.”