19 Apr 19

Marcus “MalwareTech” Hutchins Pleads Guilty to Writing, Selling Banking Malware

Marcus Hutchins, a 24-year-old blogger and malware researcher arrested in 2017 for allegedly authoring and selling malware designed to steal online banking credentials, has pleaded guilty to criminal charges of conspiracy and to making, selling or advertising illegal wiretapping devices.

Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm. Image: twitter.com/malwaretechblog

Hutchins, who authors the popular blog MalwareTech, was virtually unknown to most in the security community until May 2017 when the U.K. media revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before.

In August 2017, Hutchins was arrested by FBI agents in Las Vegas on suspicion of authoring and/or selling “Kronos,” a strain of malware designed to steal online banking credentials. A British citizen, Hutchins has been barred from leaving the United States since his arrest.

Many of Hutchins’ supporters and readers had trouble believing the charges against him, and in response KrebsOnSecurity published a lengthy investigation into activities tied to his various online personas over the years.

As I wrote in summary of that story, the clues suggested “Hutchins began developing and selling malware in his mid-teens — only to later develop a change of heart and earnestly endeavor to leave that part of his life squarely in the rearview mirror.” Nevertheless, there were a number of indications that Hutchins’ alleged malware activity continued into his adulthood.

In a statement posted to his Twitter feed and to malwaretech.com, Hutchins said today he had pleaded guilty to two charges related to writing malware in the years prior to his career in security.

“I regret these actions and accept full responsibility for my mistakes,” Hutchins wrote. “Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Hutchins pleaded guilty to two of the 10 counts for which he was originally accused, including conspiracy charges and violating U.S.C. Title 18, Section 2512, which involves the manufacture, distribution, possession and advertising of devices for intercepting online communications.

Creating malware is a form of protected speech in the United States, but selling it and disseminating it is another matter. University of Southern California law professor Orin Kerr’s 2017 dissection of the government’s charges is worth a read for a deep dive on this sticky legal issue.

According to a copy of Hutchins’ plea agreement, each charge carries a maximum of up to five years in prison, up to a $250,000 fine, and up to one year of supervised release. However, those penalties are likely to be substantially tempered by federal sentencing guidelines, and may take into account time already served in detention. It remains unclear when he will be sentenced.

The plea agreement is here (PDF). “Attachment A” beginning on page 15 outlines the government’s case against Hutchins and an alleged co-conspirator. The government says between July 2012 and Sept. 2015, Hutchins helped create and sell Kronos and a related piece of malware called UPAS Kit.

Despite what many readers here have alleged, I hold no ill will against Hutchins. He and I spoke briefly in a friendly exchange after a chance encounter at last year’s DEF CON security conference in Las Vegas, and I said at the time I was rooting for him to beat the charges. I sincerely hope he is able to keep his nose clean and put this incident behind him soon.

Yours Truly shaking hands with Marcus Hutchins in Las Vegas, August 2018.


63 comments

  1. Mikey Doesn't Like It

    Brian, you’re not only an outstanding reporter, you’re also a class act. Who else would end his article on the positive note you did.

    You’re a better man than me; I don’t know if I could be as kind to someone who did such destructive work. But if everyone deserves a second chance — and something good can come out of his story…

    Still, some degree of punishment is warranted, and if he’ll use his skills for constructive purposes in the future, perhaps it will convince at least some of his (former) “colleagues” to join him in making the cyber world safer for everyone. And I’m okay with that.

    • On the contrary. This miscreant needs to do a full ten in a Federal lockup among the general inmate population. And permanently blacklisted from the industry.

      • Anonymous Coward

        The young man you call “this miscreant” helped to stop an active WannaCry ransomware outbreak in 2017. What are your infosec credentials?

      • Mikey Doesn't Like It

        Actually, eCurmudgeon, if you read the article carefully, Brian mentions several factors that weigh in this guy’s favor. And frankly, sir, I trust Brian’s judgment.

        I don’t want this guy to get a walk (as I said in my original post), but if he does some time followed by carefully supervised release (i.e., requiring him to use his “talents” to help bring down some of the scum still out there), I’d be satisfied.

        My hunch is that this is where it’s heading.

        • Cynthia Kenner-Brower

          I think if your banking was affected you would be touting a different view point.

      • We already have a difficult time getting talented infosec individuals to cooperate with federal agencies because of the mistrust and past betrayals by federal agencies. Locking him up in the general population would further reduce the likelihood of talented individuals cooperating with the feds.
        Permanently blacklisting him? Why? People ask why anyone would be a criminal when it pays so much more to do it on the defensive side. The answer is that no matter your skill, the gatekeepers of the industry will keep you from getting a job. They go “blackhat” because the industry refuses to hire new “whitehats.”

        • No, they go blackhat because there is a crap tonne more money involved. A typical Security Analyst averages, what 60 – 75 grand a year? Assuming some programming knowledge, that same skillset is worth 100’s of thousands on the black market, IIRC.

          • If money is your only motivator, I’m not sure you’re going to make a good Intelligence/Law Enforcement collaborator in the first place.

  2. Clear case of do the crime do the time.

  3. The Sunshine State

    Another young millennial who learned his lesson the hard way, instead of doing the right thing in the first place, which is the only way to live your life.

    But then again, some people are inherently stupid as in the case with this guy.

    • Cool, so this is about millennials now. “Inherently stupid” millennials who write malware reliant on specialized knowledge, who later go on to (by Krebs’s admission) regret their actions.

      tl;dr: Based on your comment, I don’t feel Hutchins likely to be the “inherently stupid” one in this situation.

      • The Sunshine State

        Stupid because he went to Las Vegas for a hacking convention and got himself arrested.

        He doesn’t regret that what he did was illegal, he regrets getting caught for it. He’s just another young narcissistic hacker who got caught and now has to pay the price.

        • “He doesn’t regret that what he did was illegal, he regrets getting caught for it.”

          So, do you have some sort of longitudinal double-blind study to make this sort of determination, or is this just arch-cynical projection?

          Curious.

    • “instead of doing the right thing in the first place, which is the only way to live your life”

      That’s one of the silliest things I’ve ever heard. A famous quote puts it into perspective. I’m not sure who said it, but it goes something like this: If you live your life without ever having made a mistake, you will have learned nothing.

      • ““instead of doing the right thing in the first place, which is the only way to live your life””

        Really? this made me laugh.

  4. Creating malware is a form of protected speech in the U.S.??? What?? And how?

    • Peter S. Shenkin

      Presumably, so you can legally demonstrate a vulnerability in order to submit it to those responsible for it.

    • jamie ploenges

      Americans never cease to amaze me.
      Don’t bother to do some research, e.g. the clearly visible links that give further information about the indictments and circumstances, just mouth off about your ignorance of your country’s legal system. Trump supporter?

      • Just because we don’t know every single law in our country equates us to being Trump supporters? LOL. Oh @jamie ploenges, you dull, dull person, you. Your first sentence was claiming Americans are ignorant… Oh, the irony my friend. Why bring Trump into it? We get it, he’s a moron. It’s getting old. Newsflash: Not everyone is a Trump supporter because they disagreed with you on the internet. Quit being a cranky toddler, go grab your blanky and pacifier, and take a nap, you seem like you need one.

    • Krebs has given you the link: “Orin Kerr’s 2017 dissection of the government’s charges is worth a read for a deep dive on this sticky legal issue”. Click on it and read it.

  5. I wonder if Marcus knows of the ridiculous sentences in the US for computer crime, specifically the CFAA. Ken White (popehat.com) recently said on KCRW that the CFAA can be twisted to do whatever the prosecution wants.

  6. Some people are outraged he has been arrested or would like a token slap on the wrist… what would these same people want if it was their bank accounts drained? Or are these supporters using the bank of mum and dad, so have no concept of working hard for a living to pay bills, which you can’t if someone steals it using purchased software from this guy?

    • +++ No kidding, people work 40+ years saving money to retire to afford food, housing and some medical, only to get robbed and have to live in poverty due to punks like this. It’s not a crime against computers; it’s theft from lots of people. To which the punishment should fit the crime. If some old couple offs some kid that cleaned them out, my pity won’t be for the thief.

      • Well, if you wear a suit and work at a bank… I guess you get nothing, not even a slap on the wrist… reference the 2008 banking crisis…

        So if bankers don’t get anything for draining your assets (illegally), why does this guy who did it pre-18, aka a minor, deserve it?

        so if the fed makes your $ worthless due to endless inflation (another form of draining your bank account, pensions, retirement, etc) why should… never mind. I forgot nothing around us is actually real, including the money in your bank account.

        • I can see you at trial for murdering your child: “But judge, doctors do abortions, you sentence people to death, don’t tell me I can or can’t kill.”
          You’re as full of crap as that.

  7. I feel the security community is vested in the outcome of this case, namely the open source community. I think of hardware devices such as the WiFi Pineapple, software “devices” such as Wireshark, both of which could be viewed as a wiretapping devices. If the prosecution is able to successfully prosecute Marcus, this could set the precedent for prosecuting any individual or company that offers/sells software or hardware “devices” capable of intercepting or capturing data. As Gary said, laws such as CFAA and 2512 are easily manipulated and lack the required detail to limit the exposure of an ethical hacker, or provider of Pen Testing hardware/software. In this case, I think it would be best (for Marcus and the InfoSec community) to offer him a slap on the wrist and job with an established company for 5 years to ensure he is on a positive career trajectory.

  8. It’s funny what kind of hypocrite you are, Krebs.

    You write essays a few pages long on cybercriminals, yet you say:

    “and I said at the time I was rooting for him to beat the charges. I sincerely hope he is able to keep his nose clean and put this incident behind him soon.”

    Yes, he’s one of us – so we can leave his crimes behind him.
    It’s very interesting that you are not so kind to Russian cybercriminals who also had infosec careers.

    He’s a damn criminal, which he just admitted by signing a plea agreement. Yet somehow you speak of him nicely, unlike other types that you profile on your blog.

    That dude wrote banking malware, because of which people LOST MONEY. He didn’t write a RAT or any other sort of “light malware”.

    Hypocrite. Just that.

    • Equating Fancy Bear and other actively aggressive hostile groups who are out to materially harm the USA with one guy is an invalid comparison. Brian Krebs made a judgement call and determined there may be some potential good in the future for that young guy.

      I’ll defer to Brian Krebs character judgment since he met the guy and nobody else here has.

      • I think you are not aware that this malware was used by plenty of groups to steal your money – so it’s not a “one guy job”. He was working for cybercrime groups. The cybercrime groups stole likely millions of dollars using this malware (impossible to estimate).

        The APT groups you mentioned are a threat to the country; they won’t steal your money. The malware that this guy wrote and resold is far more dangerous to the average Joe.

        Banking malware is at the top of the FBI’s hunt list in cyberspace, after that credit card fraud.

        The guy essentially wrote something like “Zeus”. I encourage you to read about it – then you will realize that this guy deserves prison time.

        There are plenty of people in Russia who also helped fight cybercrime; Krebs wasn’t so kind to them when they were caught for far less “dangerous” crimes than writing banking malware.

        • Can you provide any actual examples, names perhaps? Otherwise it’s hard to take your comment seriously.

          • Are you oblivious to all the information Krebs has provided/linked this guy to? You don’t even have to google anything to see this former child’s criminal accomplishments; it’s all on his blog. Clearly since “you” didn’t get hit by any of it, you don’t mind. You and MH are the kind of people who watch a murder and shrug their shoulders walking away saying, “Sucks to be you.” Even if it was your own mother.

            • I meant examples of Krebs giving western hackers a free pass while condemning those from Russia unfairly. I’d like to see examples of this, because I haven’t seen it, and if it exists I’ll change my tune, but otherwise without examples, I can only assume the person claiming that Krebs treats Russian hackers unfairly is just trolling.

        • “The cybercrime groups stole likely millions of dollars using this malware (impossible to estimate)”

          It’s impossible to estimate, yet you tried anyway.

          1. Show me reports of the damage / dollar amounts stolen using Kronos.

          2. He was 15, admittedly did something stupid, and has since been living a better life. Cut the kid some slack.

  9. So he did the crimes about 3 years ago… how old was he at the time? Stupidity in a 16-year-old may be forgiven; someone still doing it as an adult deserves jail… why are you so supportive of him? Any connection with your own prior conduct? Just like the parade of Pres. Trump’s co-criminals who get religion after being charged/convicted.

  10. I agreed with some person that (Clear case of do the crime, do the time.) and the $250,000 fine.

  11. Good read.

  12. Good read.

  13. The Koreans, Chinese and Russians are running rings around western security at the moment. Use this guy, set him up with the wherewithal to infiltrate their systems. The Government do it all the time when it suits them.

  14. Thanks for providing nuance, Brian.

    I too hope he is able to KEEP HIS NOSE CLEAN and come out of this to do more work in a positive role.

    Have some of these commentators noticed that part of your reporting?

    • Measure for Measure

      *Exactly* Nobby. The man has stepped up and pleaded guilty. The law considers both mitigating and aggravating factors during sentencing. As it should.

  15. I won’t say I’m for or against the young man getting hard time, but history has shown that people tend to go back to their roots. People don’t change. Can we really trust this kid enough to let him work in the Security field? That’s already enabling him to bypass the first layer(s) of defense.

  16. The conviction of yet another white, violently autistic, straight-haired menace should give social justice warriors some peace. Finally, they got Marcus Hutchins, the scowling Russian hacker who broke an election.

    /sarcasm/

  17. Lotta hate in here. Disappointing to see it from thinking people. I expect it from the great unwashed, but I hold K.O.S. readers to a higher standard.

    • There is no rule to keep the unwashed away from here. Racists and leftists. One and the same. They like to find something nice, and then destroy it. Par for the course.

  18. The guy admitted most of what he did he did in his mid teens. And has since had a change of heart. And has proven this as well by action.

    Give the kid a break.

    I hope he gets the minimum sentence.

    • He admitted it after it was proven he was the author. Until that time he vehemently denied having anything to do with it. Please don’t chalk his admission of guilt up to morals or conscience. He only eventually owned up to his creation of a banking trojan as part of his plea deal. Without evidence to convict him he never would have admitted to what he did. He was trying to save his own butt, not being a good person.

      • Ian, does this harsh judgment mean that you have immediately admitted every mistake or wrong that you have committed whether or not you were in danger of getting caught?

        If so, you are the most honest person I have ever met in my life.

        Let he who has not sinned cast the first stone . . .

  19. Kronos, and other banking trojans like Zeus, terrified small business people for years. Small business people are not tech savvy and are generally struggling to keep their businesses going. Too many small business people were wiped out by phishing and drive-by downloads that installed stuff like Kronos.

    Over the years, the small business people who weren’t hit kept hearing horror stories of their colleagues who were hit hard. It was bad times until only a couple years ago.

    Info-sec people might be willing to give Hutchins a break, but I know that many small business people would rather see him spit-roasted and his head publicly displayed as a warning to other malware writers.

    • I don’t often agree with you, but I do here.

      Hutchins’ “public statement” makes no expression of remorse for the terror his adolescent actions caused his victims… or explain why he denied his past for so many years.

      Does Hutchins really feel badly or is he just sorry he was caught as an adult, long after his supposed transformation to white hat?

      It’s troubling that he led a double-life, as an adult.

      It’s more troubling that despite pleading guilty, he still hasn’t acknowledged publicly what his malware did to real people.

  20. I hope he serves his time (or equivalent), learns from it and goes on to have a fantastic career in cyber security. Not many people would have become productive members of society without some form of a second chance. Myself included.

  21. So I love the no-rehabilitation aspect of a lot of these comments.

    You were all young once. Cast the first stone.

    Give him a second chance. We need people like him on the white hat side. I work in cybersecurity and have met a couple of these folks. As long as he keeps his nose clean from this point, I welcome him.

    • He pretended to be changed and a white hat, while still being involved in crimes, long after becoming an adult, according to the timing of the charges and guilty plea.

      His vague public statement didn’t indicate any remorse. He “regrets” his behavior, but gave no apologies to anyone he hurt.

      Second chances are for people capable of integrity and empathy. He had plenty of chances already and blew it.

  22. So if you’re charmed by someone you’re their fan. You have no proof he no longer was involved with or working on malicious projects but you’re rooting for him?!

  23. Just another guy

    Oh TouchMe, I always knew you were developing malware, despite always being a “security researcher”.


  25. So, now the question is: is he really guilty, or is this another case of the US “justice” system intimidating someone into a guilty plea, as is so common these days?

  26. The comment section just cracks me up. Every time some young naive kid gets busted and Krebs reports on it, a bunch of keyboard warriors come out from the woodwork and start rambling about how the sentence wasn’t long enough, how vigilante justice should be brought back and other ridiculous revenge porn.
