Marcus Hutchins, the malware researcher who became known as an “accidental hero” for stopping the WannaCry ransomware attack in 2017, has been sentenced to supervised release for one year on charges of making and selling the Kronos banking malware.
Presiding Judge J. P. Stadtmueller described Hutchins, 25, as a “talented” but “youthful offender” in remarks in federal court in Milwaukee Friday.
The judge said Hutchins’ time had been served and that he will face no time in jail.
“It’s going to take the people like [Hutchins] with your skills to come up with solutions because that’s the only way we’re going to eliminate this entire subject of the woefully inadequate security protocols,” said Stadmueller.
The judge said he took into account Hutchins’ age at the time of the offenses, and gave him credit for “turning a corner” in his life before charges were brought.
Stadtmueller said his sentence is likely, however, to bar him from re-entering the United States.
Hutchins told the court he made some “bad decisions” as a teenager. “I deeply regret my conduct and the harm that was caused,” he said.
Brian Klein, a partner at Baker Marquart and one of Hutchins’ attorneys, told TechCrunch in a statement after the sentencing: “We are thrilled that the judge recognized Marcus’ very important contributions to keeping the world safe and let him go home a free man today.”
“Without precedent but more than appropriately, the judge encouraged Marcus to seek a pardon,” he added. “We plan to explore those opportunities.”
“Marcus appreciates the support he’s received from around the world the past two years,” said Klein.
Hutchins, a British citizen who goes by the online handle @MalwareTech, was arrested in Las Vegas by federal marshals in August 2017 while boarding a flight back to the U.K. following the Def Con security conference. The government alleged in an indictment that he developed Kronos, a malware that steals banking credentials from the browsers of infected computers. The indictment also accused him of developing another malware known as the UPAS Kit. Hutchins was bailed on a $30,000 bond.
Since his indictment he has been living in Los Angeles.
Hutchins initially denied creating the malware. But after prosecutors filed a superseding indictment, he later pleaded guilty to the two primary counts of creating and selling the malware. Eight remaining charges were dropped following his change in plea.
Prosecutors said Hutchins faced up to 10 years in prison and a maximum $500,000 fine.
In a statement following his guilty plea, he said he regretted his actions and accepted “full responsibility for my mistakes.”
Prosecutors said although Hutchins and an accomplice had generated only a few thousand dollars from selling the malware, Kronos allowed others to financially benefit from using the malware.
Hutchins’ indictment came four months after he was hailed as a hero for registering a domain name that stopped the spread of the WannaCry cyberattack, which knocked tens of thousands of computers offline with ransomware in a few hours.
The ransomware attack, later blamed on North Korean hackers, spread across Ukraine, Europe and the U.K., encrypting systems and knocking businesses and government departments offline. The U.K.’s National Health Service was one of the biggest organizations hit, forcing doctors to turn patients away and emergency rooms to close. Hutchins, who at the time of the attack worked for Los Angeles-based Kryptos Logic from his home in the south of England, registered the domain in an effort to understand why the ransomware was spreading. It later transpired the domain acts as a “kill switch” and stopped WannaCry dead in its tracks.
In the week after, the kill switch became the target of powerful botnets hoping to knock the domain offline and spark another outbreak.
Hutchins told TechCrunch last month that the WannaCry attack was one of the most stressful and exhausting moments in his life.
Since the attack, however, Hutchins received additional acclaim for his malware research on new infections and botnet activities. He has been praised for live-streaming his work so others can learn how to reverse-engineer malware. Many in the security community — and further afield — have called on the court to grant Hutchins clemency for his recent concerted efforts to protect users from security threats.
Prosecutors acknowledged Hutchins’ reformed character in a sentencing memo filed this week, saying Hutchins has “since made a good decision to turn his talents toward more positive ends.”
When reached, a Justice Department spokesperson deferred comment to the U.S. Attorney’s Office for the Eastern District of Wisconsin, which did not immediately comment.
Updated to correct the spelling of the firm Baker Marquart