MILWAUKEE (CN) – Weighing his prior crimes against his help in stopping a global computer virus two years ago, a federal judge on Friday sentenced a world-famous British cybersecurity expert to time served and a year of supervised release for his role in a major malware scheme.
U.S. District Judge J.P. Stadtmueller in Milwaukee took into account what he called the “many positives on the ledger” while determining the punishment for 25-year-old Marcus Hutchins, a former hacker who faced up to 10 years in prison and hundreds of thousands of dollars in fines for his role in developing and distributing malware that targeted banks worldwide between July 2014 and July 2015.
Stadtmueller also waived all fines due to the indigency of Hutchins, who the judge repeatedly emphasized had “turned a corner” and is now working on the right side of the law in the cybersecurity field.
The judge noted that it was only the second computer crime of this type he has seen in his decades of experience, the other being almost a generation ago in 1999. He noted that litigating cybersecurity remains “incredibly challenging” despite the fact that “we live in a world today where security is everything.”
The litigation over Hutchins’ crime proved true to that mold, taking two years to work through the courts, partially due to multiple motions to suppress evidence from Hutchins’ counsel.
Hutchins, who operated under the online handle “MalwareTech,” is something of a celebrity in the United Kingdom and in the global cybersecurity community for his role in finding the “kill switch” to the malignant WannaCry ransomware in 2017, which encrypted files on computers around the world and made them inaccessible unless users paid a ransom ranging from $300 to $600. The ransomware attack nearly crippled England’s hospital system and other global institutions before Hutchins’ fix.
Hutchins’ kill switch prevented infections numbering in the billions, according to estimates quoted by Stadtmueller on Friday.
Given this magnanimous conduct, it came as a surprise months later in August 2017 when Hutchins was arrested at McCarran International Airport in Las Vegas before he could board a flight home to Ilfracombe, England. Hutchins had been in Las Vegas for a cybersecurity conference.
The specific malware Hutchins was charged with handling between 2012 and 2015, called Kronos, was designed to target banking channels as a Trojan horse that sneaked onto computers and disseminated individuals’ account information while camouflaging itself in legitimate programs and concealing itself from anti-virus software.
Hutchins and an unnamed accomplice originally pleaded not guilty in August 2017 to six counts including conspiracy to commit computer fraud and lying to the FBI, before agreeing to plead guilty in April of this year, leading prosecutors to drop most of the charges.
Benjamin Taibleson, counsel with the U.S. Department of Justice, noted Friday that it is difficult to quantify monetary losses caused by the Kronos malware, as the distribution trail of any malware can be extremely hard to track.
Taibleson also pointed out that the malware Hutchins helped create and distribute is not gone, stating that “once the genie is out of the bottle, it’s still out there.”
Brian Klein, an attorney with Los Angeles firm Baker Marquart representing Hutchins, took issue with the government’s comparison of his client to someone who robbed banks for years before coming up with renewed security measures, and emphasized that there is a “global community” that supports Hutchins.
Hutchins’ parents and a small group of friends were in attendance Friday and tearfully celebrated his sentence of no prison time.
Hutchins expressed contrition during sentencing, echoing remorse that he has shown for his past criminal activities since his arrest.
“When I was a teenager I made a series of bad decisions,” Hutchins said. “I deeply regret my conduct…I wish I could go back and undo all the damage I caused.”
Hutchins, who has been barred from leaving the U.S. for his home in the United Kingdom since his arrest, said he wants to create educational content that would teach people about malware and steer them away from it in the future.
This was not lost on Stadtmueller, who contrasted Hutchins’ “ignoble conduct” against the backdrop of his saving countless people from the devastating WannaCry attack. The judge noted that Hutchins is someone “who is, by many, considered a hero.”
Stadtmueller emphasized in his concluding statements that it will take individuals like Hutchins to use their skill sets to update what he referred to as the “woefully inadequate” security systems necessary to stop hacking in the evolving metadata landscape of a global populace totally dependent on the internet and its interfaces.
On the steps of the Milwaukee federal courthouse after sentencing, Klein stated that Hutchins’ team was “thrilled” with the outcome and Stadtmueller’s recognition of his contributions to cybersecurity.
Marcia Hofmann, a lawyer also representing Hutchins with San Francisco firm Zeitgeist Law, noted from the courthouse steps that Hutchins, in response to comments from Stadtmueller, will be seeking a pardon for his crimes.
Hutchins and his team indicated that he plans to return home to the United Kingdom as soon as possible, which he is free to do as of Friday.