HideTechdirt is off for the long weekend! Looking for something to read instead? Check out our new Working Futures anthology »
HideTechdirt is off for the long weekend! Looking for something to read instead? Check out our new Working Futures anthology »

Marcus Hutchins -- The Guy Who Stopped Wannacry -- Pleads Guilty To Conspiracy Charges

from the enjoy-your-hollow-victory,-DOJ dept

Almost two years after Marcus Hutchins, a.k.a. MalwareTech, was detained by the FBI at the airport as he left a security conference in Las Vegas, the government finally has finally gotten its man.

Charges were stacked and restacked over the past couple of years, as the government brought pressure to bear on Hutchins, who maintained his innocence right up to the point he signed the plea agreement [PDF]. Faced with possibility of spending several years in jail -- and evidence of his past, somewhat shadier exploits continuing to surface -- the man who saved the world from the Wannacry ransomware has pleaded guilty to two conspiracy charges. This means the government will be dropping the other eight charges against Hutchins, which will hopefully keep the researcher from spending several years in jail.

The defendant voluntarily agrees to plead guilty to Counts One and Two of the superseding indictment.

The defendant acknowledges, understands, and agrees that he is, in fact, guilty of the offenses described in paragraph 4. The parties acknowledge and understand that if this case were to proceed to trial, the government would be able to prove the facts in Attachment A, as well as the facts set forth in Counts One and Two of the superseding indictment, beyond a reasonable doubt. The defendant admits that these facts are true and correct and establish his guilt beyond a reasonable doubt. The information in Attachment A is provided for the purpose of setting forth a factual basis for the plea of guilty. It is not a full recitation of the defendant's knowledge of, or participation in, the offenses.

The agreement says both counts carry a possible five-year sentence each, but it seems unlikely it will ask the judge to depart upward from the guidelines. Marcy Wheeler's back-of-the-envelope math puts this at about six months per charge, given Hutchins' lack of criminal history. It may end up being more than that if the DOJ pitches something longer as some twisted form of payback for Hutchins exercising his right to defend himself against criminal charges. That's not exactly unheard of.

Hutchins has also posted a short message at his personal website, admitting guilt and apologizing for the damage he may have caused.

As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.

Hutchins' plea brings an end to a dubious DOJ prosecution -- one that makes the unproven assertion that creating and selling malware is a criminal act, whether or not Hutchins himself engaged in illegal acts using this malware. And it only further blurs the lines security researchers operate in, increasing the chance that research -- which often includes the creation and deployment of malware -- will be treated as criminal activity.

Filed Under: conspiracy, doj, fbi, guilty plea, malware, malwaretech, marcu hutchins, wannacry


Reader Comments

The First Word

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 24 Apr 2019 @ 3:46pm

    What about the programmers who wrote WannaCry

    Shouldn't the government to prosecute itself for creating malware? I mean, they just prosecuted this guy for creating malware even though it was never proven that he actually used it. Just because the malware was used by other people to cause damage, he's guilty of felonies.

    Seems to me, since the government wrote wanna cry, and some bad actors used it to cause significant harm to many businesses and people within the United States, that the government should prosecuted self for conspiracy.

    reply to this | link to this | view in chronology ]

    • icon
      ECA (profile), 25 Apr 2019 @ 11:42am

      Re: What about the programmers who wrote WannaCry

      Agree'd.
      And what is the Time frame for it to be beyond Punishment..
      There was a Tax on Phones from the LATE 1800's that lasted until recently which added a $1-2 charge to the service and you could only go back 2 years to get it credited..

      Its also the idea of Who is responsible, the GUN MAKER or the GUN USER.. Or the doctor that didnt report the mental condition of the person WITH the gun.. even tho he Stole it and shot up the School for the actions of his teachers 20 years before..That retired 5 days before he did anything.

      then the odds are he will be released after his incarceration from the last 2 years...(where is this persons Lawyer??)

      where is the Judge in this for NOT bringing this to court earlier? The FBI/CIa is taking its time to find NEW information, NOT based on the original complaint. Which I think is against the law.
      They are detaining him from any recourse and release.
      And they have ruined his life from this point on, UNLESS they want to hire him for the NEXT hacking job..

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Apr 2019 @ 3:49pm

    No good deed goes unpunished.

    reply to this | link to this | view in chronology ]

  • icon
    Ben (profile), 24 Apr 2019 @ 3:52pm

    note to self...

    Although I've never done anything remotely of interest to the DOJ, remember to steer clear of the USA. Just in case.

    reply to this | link to this | view in chronology ]

    • identicon
      alternatives(), 24 Apr 2019 @ 4:26pm

      Re: note to self...

      Given the Library of Congress put up an FAQ in 2012 saying the number of laws in force in the US of A are uncountable don't sell yourself short. There is a law you've broken for the good AG to present to the Grand Jury.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Apr 2019 @ 12:01pm

      Re: note to self...

      As Assange/Dotcom can attest, even that may not be enough....

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Apr 2019 @ 4:08pm

    And it only further blurs the lines security researchers operate in, increasing the chance that research -- which often includes the creation and deployment of malware -- will be treated as criminal activity.

    Actually, the line's been drawn and clear for decades: many legitimate security outfits won't hire someone who has distributed malware, no matter who to, or why.

    Creating Proof of Concept code that performs no malicious action is significantly different from producing software that has the express intent to harm, and distributing it to others.

    Deploying malware on systems you don't fully control is also highly frowned upon.

    Show me a "security researcher" who knowingly distributes malicious software, and I'll show you someone who is likely a criminal, whether they would call themselves one or not.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 24 Apr 2019 @ 4:10pm

      Re:

      [edit] creates and distributes / deploys -- obviously all sorts of people share malware samples that are already in the wild, for the purpose of testing them.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 24 Apr 2019 @ 4:45pm

      Re:

      Actually, the line's been drawn and clear for decades: many legitimate security outfits won't hire someone who has distributed malware, no matter who to, or why.

      The security community may have drawn that line, but why on earth would you expect the DOJ to respect it?

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Apr 2019 @ 7:02am

      Re:

      "Creating Proof of Concept code that performs no malicious action is significantly different from producing software that has the express intent to harm, and distributing it to others."

      This has been done and they were treated poorly anyway. Some simply inform the owner of compromised host are met with accusations.

      One would think the best response would be to quietly fix your stuff.

      reply to this | link to this | view in chronology ]

      • icon
        Uriel-238 (profile), 25 Apr 2019 @ 12:12pm

        Corporate treatment of white-hats

        Yeah, and corporations sue white-hats for successful penetration testing and reporting it.

        When we create a market environment that is hostile to white-hats, those hats or going to start darkening.

        Not that said corporations (such as banks and online resellers) really care all that much when someone steals their (unencrypted) client data and trades it on the black market.

        Hackers are the new witches, and yet it's a good era to be one.

        reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 25 Apr 2019 @ 12:17pm

      That tenacious reminder

      We are all criminals.

      You are a convicted criminal as soon as someone important decides that you're in their way.

      Oh and incidentally the whole playpen thing depended on malicious software and was decided by the courts that the police can do whatever depravity they want so long as the target is despicable enough.

      reply to this | link to this | view in chronology ]

      • identicon
        alternatives(), 25 Apr 2019 @ 12:54pm

        Re: That tenacious reminder

        You can not expect an honest trial or the Judge to follow the law as written.

        Given the cost to defend yourself in the Fed - how can a person who is dancing near the edge of the law as knowable going to be able to afford a defense if they happen to think they are right?

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Apr 2019 @ 1:45pm

      Re:

      "Creating Proof of Concept code that performs no malicious action is significantly different from producing software that has the express intent to harm, and distributing it to others."

      And what happens when you make a proof of concept that does nothing malicious but is very adept at hiding in systems and evading detection, and someone somehow acquires/steals the code and makes it malicious? Are you then responsible for it?

      reply to this | link to this | view in chronology ]

      • identicon
        alternatives(), 25 Apr 2019 @ 2:18pm

        Re: Re:

        And as this case didn't make it to the appeal process - their will be no guidance on that.

        Perhaps someone who has deep pockets or a high tolerance for risk will allow such a determination to be made.

        reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 24 Apr 2019 @ 4:20pm

    As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret [taking guilty pleas] and accept full responsibility for my mistakes...

    That's how I read it.

    reply to this | link to this | view in chronology ]

    • identicon
      alternatives(), 24 Apr 2019 @ 4:35pm

      Re:

      He was sorrta screwed - when the male FBI agent met him in Vegas he was dressed up wearing border patrol gear. Then Judge Stadtmuler stated the FBI agent was not out of uniform. The 5 different times written and crossed out on the paperwork was also not problematic as far as the Judge was concerned.

      Based on tweets - Marcus blew through $100k to get him to this point and was broke. No way he had money to take it to trial with Federal trials costing over $300k and the appeal which might have costed $1 million.

      With the superseding indictment claiming "lying to the FBI" he'd have that to deal with.

      reply to this | link to this | view in chronology ]

  • identicon
    David, 24 Apr 2019 @ 7:19pm

    Medieval justice

    Confess, or we'll make you suffer for what will feel like an eternity.

    You'll burn anyway but confessions are what we show to the world to justify our onslaught on justice.

    reply to this | link to this | view in chronology ]

  • icon
    NoahVail (profile), 25 Apr 2019 @ 8:31am

    The "War On Redemption" is proceeding apace

    Show me a "security researcher" who knowingly distributes malicious software, and I'll show you someone who is likely a criminal, whether they would call themselves one or not.

    "Distributes" is present tense. What better fits your assertion is:

    Show me a "security researcher" who once distributed malicious software, and I'll show you someone who is likely still a criminal. It's of no consequence that years of benevolent behavior clearly shows otherwise.

    A likely scenario is Hutchins made bad choices years ago and then followed that up with years of ethical behavior, indicating he had reformed himself.

    Someone tell me. What is the actual damn point of anyone, anywhere reforming their bad behavior and becoming a benefit to society if society is going to effectively ignore their reformation and treat them as if their bad behavior is still happening today?

    Years after this legal fiasco is over, Hutchins will continue to be punished (via background records) for the rest of his life. This system of Lifetime Punishment For Every Possible Transgression is an ideal incentive - if the goal is to create as many criminals as possible. Indications are this exactly what the goal is.

    reply to this | link to this | view in chronology ]

    • identicon
      alternatives(), 25 Apr 2019 @ 10:34am

      Re: The "War On Redemption" is proceeding apace

      He will be punished less by not staying in America. The job-market for felons in the US is worse than in other nations.

      reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 25 Apr 2019 @ 12:20pm

      Lifetime punishment

      That's how resistance, terror groups and organized criminal syndicates get recruits...or form in the first place.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Apr 2019 @ 1:51pm

      Re: The "War On Redemption" is proceeding apace

      **"A likely scenario is Hutchins made bad choices years ago and then followed that up with years of ethical behavior, indicating he had reformed himself.

      Someone tell me. What is the actual damn point of anyone, anywhere reforming their bad behavior and becoming a benefit to society if society is going to effectively ignore their reformation and treat them as if their bad behavior is still happening today?"**

      There is absolutely no point. The problem here is the US justice and penal systems do not care about whether or not a person can be reformed or rehabilitated and does not care to try. All they care about is revenge; exacting retribution, even if to do so would inflict more harm than it is worth, such as preventing someone who is contributing meaningfully to society from doing so.

      It's not to say bad people who have reformed themselves should not be punished if their crimes come to light, but the US justice system does not accurately weigh how best those people will serve their society and what punishment would be the best in the interest of society. Sentencing guidelines are never decided based on the best interests of society but rather are about inflicting maximum damage in the form of vengeance.

      reply to this | link to this | view in chronology ]

      • icon
        Uriel-238 (profile), 25 Apr 2019 @ 2:22pm

        All [the state] cares about is revenge

        Which is diametrically contrary to the point of having a state justice system, which is to appoint blame with clarity and precision, and address social conflicts with a utilitarian intervention.

        Hammurabi's code (such as An eye for an eye) was to denote the upper limit of retaliation. Before this, the people were happy to shank each other dead for trivial slights and let such reprisals escalate to family feuds spanning over many generations.

        ...and with the state justice system subverted, evidently they still are.

        reply to this | link to this | view in chronology ]

      • identicon
        alternatives(), 25 Apr 2019 @ 2:22pm

        Re: Re: The "War On Redemption" is proceeding apace

        preventing someone who is contributing meaningfully to society from doing so.

        Marcus screwed up on this. He could have been spending time from 2017 doing the education thing he re-started in late 2018 VS the self-pity gaming thing he was doing up until he ran outta cash. Would have helped on pitching to the Judge that he was not the same person the case claims he was. Tweets to him made the 'put your head down and work the education/research' pitch back in 2017.

        reply to this | link to this | view in chronology ]

      • identicon
        Rekrul, 25 Apr 2019 @ 6:07pm

        Re: Re: The "War On Redemption" is proceeding apace

        AC - I couldn't help noticing that you put double asterisks before and after the text you quoted. Unfortunately, that doesn't work if there's more than one paragraph. You have to put them at the start and end of every paragraph, or they'll just show up in the text.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Apr 2019 @ 8:40am

    The Corruption will continue until the Corruption is complete

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Apr 2019 @ 9:51am

    Just goes to show. Once again, the best thing to do is when you find a vulnerability. Don't inform anyone and if possible just protect yourself from it. Did he actually even write the Kronos Malware though? And if so, was the US even affected by the Kronos Malware.

    reply to this | link to this | view in chronology ]

    • identicon
      alternatives(), 25 Apr 2019 @ 10:45am

      Re:

      Some of the paperwork makes the claim he had the source code for Kronos and makes it sound like that code was modified upas.

      If he'd not been the wannacry shutdown domain name guy it is possible he'd not gotten the urge to get to DefCon. The government's position sure seems to be he was the author of Kronos and like bitcoin-beard-guy Gal Vallerius Marcus might have gotten invites in some other way to get him to the US of A once the UK wasn't that willing to ship him over.

      Lessons:

      1) Don't talk to the FBI. Or anyone in authority in the US of A.
      2) Coming to the US of A is a gamble. The conspiracy charges could show up in your life via giving someone a rainbow table the way the laws are written.

      reply to this | link to this | view in chronology ]

  • identicon
    bobob, 25 Apr 2019 @ 12:25pm

    Yet another example of how threatening to lock someone up for decades will produce confessions to what would otherwise be an amazingly lenient sentence if the original charges were an accurate reflection of the facts. It works even better if the person is from another country.

    Would anyone here not agree to a sentence of a year or so in another country or even here, if the alternative was going to trial with a possible sentence of decades in spite of knowing you haven't done anything wrong? The DOJ has a 95%+ conviction rate for reasons other than all of the defendants' guilt.

    reply to this | link to this | view in chronology ]

    • identicon
      alternatives(), 25 Apr 2019 @ 2:24pm

      Re:

      The federal government claims a less than 90% rate. Others claim 99.7% conviction rate.

      Who's got the actual numbers and methods being used?

      reply to this | link to this | view in chronology ]

  • identicon
    Smartassicus the Roman, 25 Apr 2019 @ 8:31pm

    Justa Felony I Thunk

    10 Format c: /y

    There. I've written malware. You'll never get me, coppers!

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.