WannaCry hero Marcus Hutchins spared jail in the US over links to Kronos banking Trojan

Marcus Hutchins may want to celebrate tonight following his relatively light sentence in a Wisconsin court today


Judge sentences Hutchins to one year of 'supervised release' and fines him $100 for each count as restitution for victims of Kronos

Marcus Hutchins, the British WannaCry kill-switch hero arrested in the US in 2017 over his links to the Kronos banking Trojan, will be able to fly home soon following his sentencing today.

Judge Joseph Stadtmueller today sentenced Hutchins to time served and one year of supervised release [probation], and ordered him to pay $100 for each count listed by prosecutors. He will be able to serve his probation in the UK, and will be able to fly back as soon as the appropriate arrangements are made.

"He'll have to be processed in England," said Judge Stadtmueller. "He'll be subject to probation's jurisdiction. Nothing in judgement require he stay in US. I'm seeking to avoid him being taken into custody by ICE [US Immigration and Customs Enforcement]. We don't need any more publicity or another statistic."

In sentencing, Judge Stadtmueller took into account Hutchins' role in stopping WannaCry and the fact that Hutchins had clearly ceased his involvement in malware development.

"It's certainly to your credit that without any encouragement, working for the FBI or any security agency in England, that you stepped up to plate without expectation of notoriety," said Judge Stadtmueller in summing up.

He added, though, that it was important to bear in mind Hutchins' age and maturity at the time of the offences, which would have impaired his ability to "exercise good judgement".

While the ordeal has lasted almost two years, Hutchins nevertheless got off relatively lightly. Sentencing guidelines indicated imprisonment of between eight and 14 months, followed by one-to-three years of probation and a fine anywhere between $4,000 and $40,000. He could, though, have been imprisoned for up to ten years.

Hutchins had also been involved in the development of other malware, in addition to Kronos, typically writing the code for clients that he had found online who would deploy the malware. Hutchins had started writing malware as a teenager as he developed his interests in computing. By the time of WannaCry, Hutchins had become a security researcher investigating malware, rather than writing it.

Indeed, Hutchins had appeared on the radar of US authorities, the prosecutors' Sentencing Memorandum indicates, well before WannaCry emerged in May 2017, when Hutchins became a global hero by finding and activating a 'kill switch' to stop WannaCry in its tracks.

Hutchins provided the following statement to the court: "Your honour, when I was a teenager I made series of bad decisions. I deeply regret my conduct and the harm that resulted. I eventually discontinued, but wish I could go back now [and] work in cyber security, stopping the same kinds of malware…

"I'd like to dedicate more time to teaching the next generation of security experts. I'd like to apologise to the victims, those who learned of my past, and my family."

Hutchins pleaded guilty in April 2019 after the evidence against him - which included an admission of guilt he made on the phone while in custody - mounted up.

He was arrested in August 2017 at Las Vegas's McCarran International Airport as he was about to board a flight back from the Black Hat and Def Con security conferences. Authorities in the UK, it later emerged, were aware of US authorities' plan to arrest Hutchins before he even flew to Las Vegas in July.

The case was covered on Twitter by security and civil liberties journalist Marcy Wheeler (@emptywheel).
