In 2017, Marcus Hutchins went from being a relatively unknown 23-year-old to being a worldwide hero to facing criminal charges, all in the span of a few months. After he shut down the rapidly spreading WannaCry malware by finding a killswitch domain in the software, UK tabloids exposed his real name. Then in August of that year, just as he was about to leave Las Vegas after the Defcon event there, US authorities arrested Hutchins, claiming he'd played a part in creating a different type of malware, Kronos, years earlier.
Today he pleaded guilty to a pair of charges related to the malware, for which he faces up to ten years in prison. In a statement posted on his personal website, he said:
As you may be aware, I've pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I've since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.
As described in court documents published by ZDNet, the government's case was that Hutchins developed the malware, known both as UPAS Kit and Kronos, to collect information, particularly banking information. He worked with partners to distribute and sell the malware to others who made use of the tools.
At the time of his arrest, Engadget columnist Violet Blue described the chilling effect this prosecution could have on security research. Gaining the experience needed to shut down malware that threatens computers worldwide can involve a career with some steps outside the lines, and prosecutions like this one may make fighting for legitimacy even tougher.