Posted by Geraldine Hunt on Thu, May 2nd, 2019
In pure James Bond fashion, Marcus Hutchins found a kill switch that stopped the WannaCry ransomware from spreading further across the world in May of 2017. That was the month that the infamous malware attack made its way across the world, inflicting damage on over 200,000 victims in over 150 countries by encrypting whatever file storage it came across.
The WannaCry ransomware attack was based on a hacking toolset developed by the National Security Agency that was accidentally leaked. The attack brought down hospitals, government institutions, and some of the largest corporations in the world. As Hutchins watched the attack take shape, he analyzed the malware strain involved and discovered that registering a domain name found within the code itself could act as a kill switch that could completely disable the threat. As a result of his quick actions, further damage was averted and the culprits behind the attack were only able to cash in $143,000.
As a result, he became an international hero who perhaps saved the digital world from mass devastation. While some referred to him as an accidental hero, Hutchins was the cybersecurity protagonist of the year. It was a good moment for Marcus Hutchins, the cybersecurity industry, and enterprises everywhere. Unfortunately, that moment was short-lived.
The Mastermind Behind the Kronos Banking Trojan
Just three months later, the 23-year-old was arrested by FBI agents in Las Vegas while attending the Black Hat and Def Con security events. The British national was then charged with helping create the Kronos banking Trojan years earlier. The banking Trojan was discovered in 2014 and was adept at stealing credentials from banking websites.
The FBI also charged Hutchins with selling the malware the following year in a popular forum and marketplace on the Dark Net. Apparently, selling and distributing malware is considered a greater crime than generating the code involved in the first place. The banking Trojan was highly prevalent throughout Canada, Germany, Poland, France, and the United Kingdom before falling off the map in 2016, only to emerge once more a year later. Hutchins was indicted on one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavoring to intercept electronic communications, and one count of attempting to access a computer without authorization.
The result was an aftershock felt throughout the cybersecurity community. Not only did Hutchins have the notoriety of single-handedly stopping one of the most devastating malware attacks, but he was also known for his contributions on a cybersecurity blog known as MalwareTech. Upon hearing the news of the arrest, many of his blog readers and followers were stunned and assumed that the government had made a mistake. In fact, 226 of his supporters even donated a total of $14,000 for his defense fund. Unfortunately, though, as the investigation progressed and evidence began to be released, it became clear that they indeed had the right man.
Hutchins Pleads Guilty
Last week the talented cyber researcher pleaded guilty to two counts of writing malware, which could potentially get him 10 years in prison and a $250,000 fine. Eight other charges were dropped by federal prosecutors. He firmly expressed regret concerning his actions and accepted full responsibility for his mistakes. In a public statement on his website, Hutchins wrote:
"Having grown up, I've since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks."
And that is the conundrum. Hutchins has done a lot of good, including contributing to the malware-reversing field and openly demonstrating his knowledge and findings so that others can learn from him. Hutchins' fall from grace is a good example of how few people are as good or as bad as they are thought to be.