Security researcher Marcus Hutchins pleaded guilty Wednesday to writing malware and helping to distribute it together with a partner.
Hutchins is best known for his key role in stopping the spread of WannaCry around the world and for his online persona MalwareTech, through which he interacts with the information security community, helping those who enter the field, disseminating information about new threats, and publishing tutorials on how to analyze malware.
Hutchins was arrested at the Las Vegas airport on Aug. 2, 2017, on his way home to the UK after attending the Black Hat and DEF CON security conferences as a security researcher.
Possible prison time and significant fines
Filed on Friday, the guilty plea agreement covers Count One and Count Two of a total of 10 charges brought in a superseding indictment by US prosecutors.
The two counts concern the development of malware (the UPAS-Kit and Kronos banking trojans) and help with its distribution in partnership with a co-conspirator known as "Vinny", "VinnyK", "Aurora 123", "And the Wind Took", "Cocaine," and "Jack of All Trades." These activities occurred between July 2012 and September 2015, according to court documents.
Each of the two charges carries a maximum sentence of five years in prison, up to $250,000 in fines, a year of supervised release, and a special assessment of $100. In total, Hutchins is at risk of 10 years in prison and $500,000 in fines. After this agreement, the remaining counts will be judged in court after sentencing.
It should be noted that, irrespective of the outcome of this agreement, Hutchins is not exempt from other civil or administrative actions by US or local governments.
In a public statement on his blog, the researcher says he regrets his actions from before his career in cyber security and takes full responsibility for his mistakes.
"Having grown up, I have since used the same skills that I have been using wrong for several years for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks."
Support is still strong
Although they do not always openly admit it, and for good reason, many security researchers have engaged in cybercrime activity. Often, there is a drop of black hat in every professional wearing a white hat. This is particularly true of the older generations of security experts, who did not have today's information resources; in addition, they did this at a time when laws on cyber incidents were too vague or nonexistent.
Today's internet, however, offers enough learning opportunities to reach expert level without having to break the law, and even for free. Hutchins agrees:
There is a misconception that, to be a security expert, you should get involved on the dark side. It is not true. You can learn everything you need to know legally. Stay on the bright side.
– MalwareTech (@MalwareTechBlog) April 20, 2019
After his arrest, many researchers came together to help him. Even his local Conservative MP, Peter Heaton-Jones, and a dozen more sent letters of support on his behalf. Hutchins has relied on crowdfunding to cover his legal fees.
Even now, Hutchins has a large crowd in his corner. A quick look at the responses he received after tweeting his statement about the latest development in the case shows mostly positive comments; you would have to look further to find a negative response.
Stay strong, you will come back from this.
– x0rz (@x0rz) April 19, 2019
Hoping for the best.
– Moose (@LitMoose) April 19, 2019
It sucks honestly, you deserve to be back home.
– DEY! (@ronindey) April 19, 2019
I think many of us recognize that this case has always been a misuse of the discretion of the Public Prosecutor's Office. Right and wrong have always been a very different standard from legal and illegal. Hope to see you back in the good fight soon man.
– Jacob Riggs (@Riggsbit) April 19, 2019
Still in your corner, boy. And I mean it tenderly not in a decreasing way. Just get home. This is what I want for you. And for your family to be able to hug and see you. All my love and support. I will always believe you.
– BlackRoomSec (@blackroomsec) April 19, 2019
Looking closer, it is clear that most of them work in computer security: trainers, malware researchers, penetration testers, reverse engineers, security consultants, nerds.
After giving up the criminal life, Hutchins devoted his skills to fighting malware threats and applied for a position at the British intelligence agency, Government Communications Headquarters (GCHQ), but got a better deal with the US cyber security company Kryptos Logic, which recruited him after seeing his analysis of the Kelihos botnet.
Even before he joined the company, Hutchins published technical articles that showed his reverse engineering skills, often revealing the tricks used in various strains of malware and their components, and offering details on how to fight them.
In a 2013 post on the imminent leak of the source code for the Carberp banking malware, Hutchins wrote the following:
"Nothing good comes from leaks like this. AV companies get a huge wave of infected users and spin-off bots are usually created. […] I think we can only hope that leading anti-virus vendors can upgrade their software to deal with this threat before more damage is done. In addition, the first 5 people asking me where to get the source will receive a virtual slap (all expenses paid) and my eternal disapproval."
Even after he was arrested, he continued to contribute to the fight against cybercrime: identifying and understanding command and control server topology (Emotet), tracking botnets (Hide and Seek), reviewing a reverse engineering tool (NSA GHIDRA), and analyzing security vulnerabilities.
All this effort resulted in a community of supporters who not only offered words of comfort, but also came together to pay his legal fees (after his arrest he was barred from working for his employer).
This, together with the time already served, may also count when the court hands down the sentence, for which no date has been scheduled at this time.