Marcus Hutchins, the researcher hailed for squashing the WannaCry ransomware outbreak in May 2017, pleaded guilty to charges relating to the creation of the Kronos malware.
The 24-year-old researcher filed a plea agreement admitting guilt to two of 10 counts in the Eastern District of Wisconsin on Friday – one charge for distributing Kronos and the other charge for conspiracy.
The agreement comes after Hutchins was indicted in 2017 and charged with writing the Kronos malware, a banking trojan first discovered in 2014 that is capable of stealing credentials and using web injects for banking websites. Hutchins and another individual whose name was redacted from the original indictment, allegedly advertised the malware for sale on a number of internet forums, including the dismantled AlphaBay market.
In a brief public statement posted to his blog on Friday, Hutchins said:
> As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.
After Hutchins was first detained August 2017 in Nevada – a week after attending Black Hat and DEF CON – reaction to his arrest was mixed. The U.K. malware researcher has been hailed by many as the so-called “WannaCry Hero” because he discovered a way to knock down the WannaCry ransomware just as it had started to rapidly spread, infecting at least 200,000 systems and bringing global businesses to a halt.
Hutchins was hailed as a hero during the global WannaCry outbreak in 2017. His analysis of the ransomware uncovered a hardcoded killswitch domain that the malware beaconed out to. Hutchins’ purchased the domain for around $10 and by doing so likely spared the U.S. from suffering significant impact at the hands of WannaCry.
WannaCry is blamed for infecting more than 200,000 endpoints in 150 countries, causing billions of dollars in damages and grinding global business to a halt.
After being freed on bail post-2017 arrest, Hutchins continued living in California on bail while he awaited his court date; then in June 2018, he faced fresh charges for allegedly conspiring – with the same person who advertised Kronos on the Dark Web – to distribute the UPAS Kit malware, a backdoor spybot using to download malicious components.
On the heels of his plea agreement, Hutchins faces up to 10 years in prison and $500,000 in fines, according to court documents; it is not immediately clear when the sentencing will take place.
On his Twitter page, Hutchins said of his statement: “To be clear: this statement wasn’t required by the plea deal, it was my decision to post it.”
> To be clear: this statement wasn't required by the plea deal, it was my decision to post it. > > — MalwareTech (@MalwareTechBlog) April 21, 2019
Hutchin’s attorney, Marcia Hofmann, did not immediately respond to a request for comment from Threatpost.
Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.
A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.