Marcus Hutchins, a self-taught computer-security researcher, stopped the WannaCry cyberattack only to get arrested by the FBI

Marcus Hutchins, the young computer expert who stopped the WannaCry global cyber attack, could face decades in a US prison following accusations that he helped create and sell malicious software that targeted bank accounts.

Hutchins, who had saved the NHS from cyber criminals, could face a maximum sentence of 40 years in prison in the US if he is found guilty of the charges. The self-taught computer-security researcher, who started blogging under the pseudonym MalwareTech when he was a teenager, was arrested Wednesday in Las Vegas, the Justice Department said in a statement.

Hutchins, who was at a hacking conference in Las Vegas when he was arrested by the FBI, faces six counts of helping to create, spread and maintain the banking Trojan Kronos between 2014 and 2015.

A security expert who was staying with Marcus Hutchins at the DefCon hacking conference in Nevada said he had been arrested at Las Vegas’s McCarran International Airport on Wednesday afternoon.

The friend, who also works in the cyber security industry, said: “He was detained at McCarran airport yesterday. He checked into his flight and I think he was sitting in the Virgin upper class lounge.

“He was escorted out of the airport and never made his flight.”

Around 20 hours after he went missing, Hutchins’ parents told the friend he had been arrested.

After his arrest, Hutchins was taken to Henderson Detention Center in Nevada before being moved to the Las Vegas FBI field office. Hutchins was jointly charged with another individual who was not named.

The indictment alleged that Hutchins “created the Kronos malware” and the other person later sold it for $2,000 (£1,500) online.

Court documents unsealed on Thursday show he was indicted in July on several charges of computer misconduct relating to the creation and distribution of the Kronos banking Trojan. Kronos is a malicious program that steals usernames and passwords for banking websites from infected machines.

Hutchins’ arrest came as a shock to the cybersecurity industry, which was coming off its biggest week of the year at the Black Hat and Def Con conferences in Las Vegas, which Hutchins had attended. Among white-hat security researchers, who hack technologies to find ways to fix them, Marcus Hutchins was a hero. They hailed his quick thinking in neutralizing the WannaCry ransomware just hours into a fast-spreading attack in May that threatened not just computer systems but also potentially lives.

WannaCry infected about 300,000 computers in 150 countries, locking users out unless they paid a ransom in bitcoin. Victims included the UK’s National Health Service, whose hospitals were disrupted, as well as FedEx Corp., Nissan Motor Co. and Renault. Hutchins found a clever way to stop the attack by registering an Internet domain that served as a ‘kill switch’ for the malware, a secret that was hidden in its code.

Eva Galperin, director of cybersecurity for the Electronic Frontier Foundation, said Thursday the San Francisco-based legal advocacy group is trying to reach out to Hutchins.

“The maximum statutory sentence he could face is decades, roughly 40 years,” said Tor Ekeland, a US lawyer who specialises in defending alleged cyber criminals. “Would he get that? I doubt it, it would be a bizarre outcome. Is it possible? It sure is.”

Hutchins is due to appear in court later on Friday, when he could plead guilty or not guilty. If he pleads guilty he could be sentenced to a short prison sentence or supervised release. If he pleads not guilty, he will be moved to Wisconsin, where the charges have been brought, to face trial, which could start any time between three months and three years, Ekeland said.

“The main thing to do now is enter a not guilty plea as soon as you can, get him out on bail, and then you’ve got some breathing room,” said Ekeland.

But he added it is “highly likely” Hutchins will be refused bail, because he is a foreign national in the US and could be deemed a flight risk.

Marcus Hutchins stopped the spread of the WannaCry ransomware when he accidentally discovered a “kill switch”. Working on his own from his small bedroom in his parents’ home, Hutchins has been lauded for his computer skills in the wake of the attack.

Hutchins found a way to stop the virus from rapidly spreading. He was given a $10,000 (£7,600) reward for the effort, which he donated to charity.

The ethical hacker, who is largely self-taught and did not go to university, was in the US for the world’s largest annual conventions for security experts, BlackHat and DefCon.

“They’ve sent a really bad message that even if you help the US Government stop a worldwide major malware attack and save people millions of dollars and potentially saved lives, you could be arrested because someone you supposedly associated with supposedly sold malware for $2,000.”

Ekeland added that creating and distributing malicious software is different to using it to commit crimes. “They’re messing with a multi-billion dollar market,” he said. “If I was a certain type of software manufacturer, I would be very concerned about my work right now. I don’t understand why this type of software isn’t legal.”