Judge sentences Hutchins to one year of 'supervised release' and fines him $100 for each count as restitution for victims of Kronos
Hutchins was sentenced by Judge Joseph Stadtmueller today to one year of supervised release [probation], time served and ordered to pay $100 for each count listed by prosecutors. He will be able to serve his probation in the UK, and will be able to fly back as soon as the appropriate arrangements are made.
"He'll have to be processed in England," said Judge Stadtmueller. "He'll be subject to probation's jurisdiction. Nothing in judgement require he stay in US. I'm seeking to avoid him being taken into custody by ICE [US Immigration and Customs Enforcement]. We don't need any more publicity or another statistic."
In sentencing, Judge Stadtmueller took into account Hutchins' role in stopping WannaCry and the fact that Hutchins had clearly ceased his involvement in malware development.
"It's certainly to your credit that without any encouragement, working for the FBI or any security agency in England, that you stepped up to plate without expectation of notoriety," said Judge Stadtmueller in summing up.
He added, though, that it was important to bear in mind his age and maturity at the time of the offences, which would have impaired his ability to "exercise good judgement".
While the ordeal has lasted almost two years, Hutchins nevertheless got off relatively lightly. Sentencing guidelines indicated imprisonment of between eight and 14 months, followed by one-to-three years of probation and a fine anywhere between $4,000 and $40,000. He could, though, have been imprisoned for up to ten years.
Hutchins: I do this in hopes I can steer people away from my mistakes. Future reinforces that I have no plan to go back, I'd like to dedicate more time to teaching next generation of security experts. I'd like to apologize to victims, those who learned of my past, my family. — emptywheel (@emptywheel) July 26, 2019
Hutchins had also been involved in the development of other malware, in addition to Kronos, typically writing the code for clients that he had found online who would deploy the malware. Hutchins had started writing malware as a teenager as he developed his interests in computing. By the time of WannaCry, Hutchins had become a security researcher investigating malware, rather than writing it.
Indeed, Hutchins had appeared on the radar of US authorities, the prosecutors' Sentencing Memorandum indicates, well before WannaCry emerged in May 2017, when Hutchins became a global hero by finding and activating a 'kill switch' to stop WannaCry in its tracks.
Hutchins provided the following statement to the court: "Your honour, when I was a teenager I made a series of bad decisions. I deeply regret my conduct and the harm that resulted. I eventually discontinued, but wish I could go back now [and] work in cyber security, stopping the same kinds of malware…
"I'd like to dedicate more time to teaching the next generation of security experts. I'd like to apologise to the victims, those who learned of my past, and my family."
Sentenced to time served! Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally. — MalwareTech (@MalwareTechBlog) July 26, 2019
Hutchins pleaded guilty in April 2019 after the evidence against him - which included an admission of guilt he made on the phone while in custody - mounted up.
He was arrested in August 2017 at Las Vegas's McCarran International Airport as he was about to board a flight back from the Black Hat and Def Con security conferences. Authorities in the UK, it later emerged, were aware of US authorities' plan to arrest Hutchins before he even flew to Las Vegas in July.
The case was covered on Twitter by security and civil liberties journalist Marcy Wheeler (@emptywheel).