Just as Marcus Hutchins was hailed as a hero for helping stop a worldwide computer virus in May 2017, his criminal past as a malware developer was about to catch up to him.
FBI agents had been investigating the 25-year-old British cybersecurity wunderkind for years. Less than two months after his claim to fame, they arrested him and accused him of creating malware to steal banking passwords — charges for which he will be sentenced Friday.
“It is this darker side of Hutchins’ life that brings him before the Court for sentencing in this case,” prosecutors said in a filing ahead of his sentencing hearing in federal court in Milwaukee. The filing makes no sentencing recommendation, only that it “should be sufficient, though not greater than necessary.” Prosecutors note Hutchins accepted responsibility for his actions during a plea deal in April, and they also gave him credit for his role in finding a “kill switch” to the WannaCry virus .
He faces up to 10 years in prison.
Hutchins no longer develops malware attacks and works to stop them, but that does not diminish the seriousness of what he did, prosecutors said. While his case was pending, prosecutors barred Hutchins from returning home, so he worked as a cybersecurity consultant in California.
“Like a man who spent years robbing banks, and then one day came to realize that was wrong, and even worked to design better security systems, he deserves credit for his epiphany. But he still bears responsibility for what he did,” prosecutors said.
Hutchins, who was arrested in Las Vegas on Aug. 2, 2017 as he was about to board a flight to England, also faces deportation.
Presentencing documents from Hutchins’ attorneys and the U.S. Probation Office are sealed.
Hutchins was indicted on 10 charges for developing two pieces of malware and lying to the FBI. Prosecutors said Hutchins conspired to distribute the malware — UPAS Kit and Kronos — from 2012 to 2015 and that he sold Kronos to someone in Wisconsin. He also “personally delivered” the software to someone in California, prosecutors said.
Hutchins initially pleaded not guilty to all charges and was scheduled to go on trial this month.
As part of the plea deal, Hutchins pleaded guilty to two charges for creating Kronos — and an updated version of UPAS — and conspiring to distribute it. In exchange, prosecutors dismissed the other eight charges.
“As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,” Hutchins said in a statement on his website after the plea deal was announced. “I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”
Kronos was “used to infect numerous computers around the world and steal banking information,” prosecutors said, without providing an exact number. It’s unclear how much Hutchins profited from creating the malware, but in online chats the FBI intercepted on November 2014, Hutchins lamented he had only made $8,000 from five sales. Hutchins said he thought he would be making around $100,000 annually by selling Kronos with one of his conspirators, who is named in the indictment only by his aliases, “Vinny,” ”VinnyK” and “Aurora123.”