July 29, 2019

Marcus Hutchins, the “accidental hero” who helped arrest the spread of the global WannaCry ransomware outbreak in 2017, will receive no jail time for his admitted role in authoring and selling malware that helped cyberthieves steal online bank account credentials from victims, a federal judge ruled Friday.

Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm. Image: twitter.com/malwaretechblog

The British security enthusiast enjoyed instant fame after the U.K. media revealed he’d registered and sinkholed a domain name that researchers later understood served as a hidden “kill switch” inside WannaCry, a fast-spreading, highly destructive strain of ransomware which propagated through a Microsoft Windows exploit developed by and subsequently stolen from the U.S. National Security Agency.

In August 2017, FBI agents arrested then 23-year-old Hutchins on suspicion of authoring and spreading the “Kronos” banking trojan and a related malware tool called UPAS Kit. Hutchins was released shortly after his arrest, but ordered to remain in the United States pending trial.

Many in the security community leaped to his defense at the time, noting that the FBI’s case appeared flimsy and that Hutchins had worked tirelessly through his blog to expose cybercriminals and their malicious tools. Hundreds of people donated to his legal defense fund.

In September 2017, KrebsOnSecurity published research which strongly suggested Hutchins’ dozens of alter egos online had a fairly lengthy history of developing and selling various malware tools and services. In April 2019, Hutchins pleaded guilty to criminal charges of conspiracy and to making, selling or advertising illegal wiretapping devices.

At his sentencing hearing July 26, U.S. District Judge Joseph Peter Stadtmueller said Hutchins’ action in halting the spread of WannaCry was far more consequential than the two malware strains he admitted authoring, and sentenced him to time served plus one year of supervised release. 

Marcy Wheeler, an independent journalist who live-tweeted and blogged about the sentencing hearing last week, observed that prosecutors failed to show convincing evidence of specific financial losses tied to any banking trojan victims, virtually all of whom were overseas — particularly in Hutchins’ home in the U.K.

“When it comes to matter of loss or gain,” Wheeler wrote, quoting Judge Stadtmeuller. “the most striking is comparison between you passing Kronos and WannaCry, if one looks at loss & numbers of infections, over 8B throughout world w/WannaCry, and >120M in UK.”

“This case should never have been prosecuted in the first place,” Wheeler wrote. “And when Hutchins tried to challenge the details of the case — most notably the one largely ceded today, that the government really doesn’t have evidence that 10 computers were damaged by anything Hutchins did — the government doubled down and issued a superseding indictment that, because of the false statements charge, posed a real risk of conviction.”

Hutchins’ conviction means he will no longer be allowed to stay in or visit the United States, although Judge Stadtmeuller reportedly suggested Hutchins should seek a presidential pardon, which would enable him to return and work here.

“Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally,” Hutchins tweeted immediately after the sentencing. “Once t[h]ings settle down I plan to focus on educational blog posts and livestreams again.”


31 thoughts on “No Jail Time for “WannaCry Hero”

  1. John

    I thought it said “time served” instead of “no jail time.” Does anyone know how much time he had already served?

    I wouldn’t say that he was completely unpunished.

    1. ralph l seifer

      He would have served time in custody from his arrest to his arraignment. At arraignment, he would have been released on his own recognizance, or bail would have been set by the court, and he was released on posting of whatever amount the court had set.

      Not to minimize his incarceration, but it is unlikely he was locked up more than a few days.

    2. Phil

      At the beginning of the article, the year 2017 is claimed for where this story begins. And at the end of the article, is quoted a tweet from Hutchins stating two years went by for him in duress. I would assume that Hutchins has been held in jail since 2017, while waiting for his trial to progress to this point

      The title of the article could have said – ‘No additional jail time’, except that it’s usually technically correct according to law that time served while waiting for trial does not fit the legal description of ‘jail time’

      1. Jeff

        That’s not how arrests work. From the article:

        “Hutchins was released shortly after his arrest.”

        The way it works is you get arrested, you go to jail. Then, if the state decides to prosecute (several processes for this, including grand jury indictments) an arraignment hearing is held where the state presents the crimes levied against you, and you plead guilty or not guilty. This MUST happen within days of your arrest, or the state is in violation of Habeas Corpus, enshrined in the first article of the Constitution, and your Sixth Amendment right to a speedy trial.

        If it takes longer than a month or so to reach this point the accused’s lawyer can often get the case dismissed out of hand by a judge. The state requires a very good reason for why the process would be taking so long.

        Once you are arraigned and a trial set, you are either released under your own recognizance until trial, or you released under bail with various other conditions.

        It’s only when you are considered an extreme flight risk or a danger to the community that bail would be denied and you would be detained until the date of your trial. Typically only people accused of very violent crimes, like murder or rape or kidnapping, etc would qualify for detainment. Otherwise they would simply set a very high bail and / or some type of monitoring upon release.

        Hutchins was obviously not a violent criminal, and was not deemed a flight risk, so he was probably given some sort of bail and released within a day or two of his arrest, at most.

        So “time served” really was a slap on the wrist, and that plus the monitoring was about the minimum the judge could assign as far as I can tell.

  2. The Sunshine State

    But still Ross Ulbricht is doing a life sentence while this guy goes free ?

    One word to describe this guy “Snitch” that’s how you don’t go to prison now and days.

    1. Simon

      Ross was involved in selling hard drugs and tried to have people murdered, slightly more serious crimes.

      1. The Sunshine State

        I respectively disagree with you, Marcus Hutchin crimes , even though can’t one hundred proven are just as serious, since damage occurred to millions of computers and or servers.

        Their hasn’t been zero proof that Ross Ulbricht tried to have anyone killed, most of it has been hearsay.

        Ulbricht in my opinion, received a real bad deal from the court system, he should have done about ten years , tops.

        1. Brendan

          The government struggled to prove that Hutchins’ infected more than 10 computers, I don’t know where you’re getting this “millions” number from. Both malware strains Hutchins’ has been tied to are tiny in comparison to most malware operations. I’m not dismissing what he’s done, but you’re massively blowing it out of proportion.

          And look, all you guys can speculate on whether Ulbricht tried to have someone killed all you want, but until he’s charged, tried, and convicted for that, that’s all it is, speculation.

    2. Readership1

      Ulbricht’s case is completely unrelated, but I agree he got a bum rap.

      Hutchins got a fair deal. He admitted guilt, got to see the inside of a jail cell, and hopefully won’t reoffend.

      He should never be allowed to visit here again, though. The judge should have made that part of the deal, because Hutchins will definitely try to come back. He’s an attention seeker.

      1. Ian

        Claiming he admitted guilt is glossing over the fact that he plead not guilty in August 2018 and then only plead guilty in April of 2019 when he realized he was likely going to jail. He didn’t plead guilty for any moral reasons. He plead guilty because his lawyer told him that was the most likely way to avoid jail. Please don’t give him credit for owning up to what he did as he only did that when there was no other choice.

        1. Phil

          Even the innocent are allowed to plead ‘not guilty’ when they do not have equal resources to build a defense vs the state & federally financed prosecutorial offices

          I do not wish to sound as if I am defending Ulbright, it’s my own personal opinion that he did in fact author the illegal posts on his own dark site claiming to offer bitcoin for hits

      2. Hayton

        Of course Marcus will want to be able to return to the US. Have you forgotten the circumstances of his arrest? He had been attending DefCon in Las Vegas, one of the most exciting and informative events in the calendar. For a security researcher – which is what he is now – being there is part of the job spec. And the judge’s comments hinted that something might be arranged to make that possible, although the spectre of the dreaded ICE looms over Marcus for the present :
        “Nothing in the judgement requires he stay in US. I’m seeking to avoid him being taken into custody by ICE. We don’t need any more publicity or another statistic,” [the judge] said.

  3. gigi

    Can he now be prosecuted and/or sued in UK for his part in finacial cyber crimes by the victims and banking institutions? He was a hero here and around the world for one malware but also a villian in UK to milluons fir another that could bring the real pain for him….legal fees alone would be devastating.

    1. Hayton

      “Can he now be prosecuted and/or sued in UK”?

      He could be but I don’t think he will be. I get the distinct impression that some influential company or organisation, quite possibly in the US, wants to make use of Marcus. He’s too useful and talented to waste.

  4. Some Guy

    Lets hope that when he goes back to the UK, he is held to account for his crimes

    1. Ian

      Agree completely. Justice was not served here at all.

    2. Hmm

      That’s your opinion. A lot of others I know would disagree.

      1. Readership1

        A lot of people did business with, and took money from, wealthy financier Jeffrey Epstein, *AFTER* his first conviction.

        There were plenty of supporters who said, in court filings supporting his limited sentence, that he had the capacity to be good.

        They’ve all run away from him since his recent arrest.

        Whatever support Hutchins has will vanish when he does this crime again.

        Stopping Wannacry doesn’t mean he’s not the sort of person who wouldn’t cut open a puppy to see how its heart beats.

        Or unleash another round of trouble on the world.

  5. Notme

    “It’s not whether you are guilty or innocent. It’s what they can prove.”

  6. Ash

    I’ve often seen it repeated that the domain name that he registered was a ‘kill switch’, but wasn’t it just a test to see if it was running in a VM environment to thwart attempts to analyze it? I don’t think that the author intended to use it as a ‘kill switch’.

    I’m not much of a computer guy, so apologies if I don’t know what I’m talking about. Just wondering if calling it a ‘kill switch’ is accurate.

    1. beej

      From what I understand the code in WannaCry “looked” for the URL and if it existed it stopped running. Hutchins registered the URL and the infections stopped. In order to get to the point of finding the URL Hutchins needed to know how to reverse the compter code and examine WannaCry at a level that the average computer user is not going to be able to do. So his expertise is what stopped the malware.

      1. Ash

        Yes, but my point is, did the Wannacry programmer put the URL check in there so that he could register the domain if he wanted to stop it (a ‘kill switch’), or was it intended to check to see if the malware was running in a VM environment? It’s my understanding that it was the latter.

        1. Phil

          Your question could be viewed as: ‘was Hutchins so incompetent in his chosen profession, that he would have made such a huge mistake as intending to run code in an isolated environment yet ‘accidentally’ let the code access the world wide web

      2. Yam

        As far as I am aware the issue is that at the point he registered the domain it wasn’t known what the domain actually did. It could just as easily have been a switch that made the malware delete everything on any PCs that had been infected.

        Luckily for him (especially lucky since it got him off some jail time) it turned out to be a good thing but he took a big gamble with a lot of peoples data when he registered the domain.

  7. Kevin Johnson

    It really feels like the Prosecutor drop the ball on this one. Ideally as he exits the plane in UK the authorities meet to collect him and start proceedings there.
    The judicial systems need to put mandatory sentencing in place for these type of crimes if proven guilty.
    We just saw another hacker with CapitalOne this morning that exposed over 100M personal data records they were selling on the web.
    These companies need to be held accountable and to PAY ALL the persons a monitory amount $1-2K USD when these breaches occur. One year of credit monitoring doesn’t mitigate your personal data that was already sold on the web as this could have future consequences to unknow lengths.
    The mentality of Cost vs Risk that these companies have with OUR personal data is complete BS. They need to maintain and have external security audits on a yearly basis to keep these breached from happening. And there needs to be stiff monetary consequences when they fail to do so. And all need to give us an OPT OUT process and confirm destruction this type of personal data when we request an “Opt Out”.
    Just as we saw with facebook and Cambridge Analytica… Personal/Consumer DATA is the new Big Business to be sorted and sold.

    1. C Parker

      Respectfully disagree.

      He has spent time albeit short in Jail, and has since been under house arrest, without a passport and throughout the two years unable to leave the US. Initially he was also denied access to his electronic tools and equipment too.

      He ultimately conducted this v. low impact crime as a 17yr old and as was demonstrated throughout this write up and in court, the damage done vs. the positive impact he has with Wannacry but more importantly other anti-malware research and engagement with UK law enforcement bodies, via his US based employer, this sentence seems entirely appropriate.

      He wasn’t innocent but he has, in the passing of time shown that actually the financial and other gains he sought out were via valid, rather than criminal endeavours.

      You’d also struggle to find anyone in the UK who could demonstrate any impact from the malware he is accountable for creating / distributing.

    2. M Parkes

      Where has it been stated that the capitol one data was being sold on the dark web? Everything i have read is stating that while it was stolen it had not been released for sale and that this was the saving grace of this incident, a lot of people on here seem to be assuming and making judgement without facts.

  8. Kevin Jones

    He did nothing to deserve any major punishment. You fools are like the Waffen SS, having a burning desire to throw someone into a concentration camp because they looked at you funny.

  9. huj knur

    thats good ! why he should be in jail ? nice guy 🙂 cheers

  10. Mub Tuc

    I think 40 years would be more appropriate. This cavalier attitude by the security community is wrong.

Comments are closed.