British Cyber Expert to be Sentenced for Creating Malware

Just as Marcus Hutchins was hailed as a hero for helping stop a worldwide computer virus in May 2017, his criminal past as a malware developer was about to catch up to him.

FBI agents had been investigating the 25-year-old British cybersecurity wunderkind for years. Less than two months after his claim to fame, they arrested him and accused him of creating malware to steal banking passwords — charges for which he will be sentenced Friday.

“It is this darker side of Hutchins’ life that brings him before the Court for sentencing in this case,” prosecutors said in a filing ahead of his sentencing hearing in federal court in Milwaukee. The filing makes no sentencing recommendation, saying only that the sentence “should be sufficient, though not greater than necessary.” Prosecutors note Hutchins accepted responsibility for his actions during a plea deal in April, and they also gave him credit for his role in finding a “kill switch” to the WannaCry virus.

He faces up to 10 years in prison.

Hutchins no longer develops malware and now works to stop such attacks, but that does not diminish the seriousness of what he did, prosecutors said. While his case was pending, prosecutors barred Hutchins from returning home, so he worked as a cybersecurity consultant in California.

“Like a man who spent years robbing banks, and then one day came to realize that was wrong, and even worked to design better security systems, he deserves credit for his epiphany. But he still bears responsibility for what he did,” prosecutors said.

Hutchins, who was arrested in Las Vegas on Aug. 2, 2017, as he was about to board a flight to England, also faces deportation.

Presentencing documents from Hutchins’ attorneys and the U.S. Probation Office are sealed.

Hutchins was indicted on 10 charges for developing two pieces of malware and lying to the FBI. Prosecutors said Hutchins conspired to distribute the malware — UPAS Kit and Kronos — from 2012 to 2015 and that he sold Kronos to someone in Wisconsin. He also “personally delivered” the software to someone in California, prosecutors said.

Hutchins initially pleaded not guilty to all charges and was scheduled to go on trial this month.

As part of the plea deal, Hutchins pleaded guilty to two charges for creating Kronos — and an updated version of UPAS — and conspiring to distribute it. In exchange, prosecutors dismissed the other eight charges.

“As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,” Hutchins said in a statement on his website after the plea deal was announced. “I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Kronos was “used to infect numerous computers around the world and steal banking information,” prosecutors said, without providing an exact number. It’s unclear how much Hutchins profited from creating the malware, but in online chats the FBI intercepted in November 2014, Hutchins lamented he had only made $8,000 from five sales. Hutchins said he thought he would be making around $100,000 annually by selling Kronos with one of his conspirators, who is named in the indictment only by his aliases, “Vinny,” “VinnyK” and “Aurora123.”
