from the enjoy-your-hollow-victory,-DOJ dept
Charges were stacked and restacked over the past couple of years, as the government brought pressure to bear on Hutchins, who maintained his innocence right up to the point he signed the plea agreement [PDF]. Faced with the possibility of spending several years in jail — and evidence of his past, somewhat shadier exploits continuing to surface — the man who saved the world from the WannaCry ransomware has pleaded guilty to two conspiracy charges. This means the government will be dropping the other eight charges against Hutchins, which will hopefully keep the researcher from spending several years in jail.
The defendant voluntarily agrees to plead guilty to Counts One and Two of the superseding indictment.
The defendant acknowledges, understands, and agrees that he is, in fact, guilty of the offenses described in paragraph 4. The parties acknowledge and understand that if this case were to proceed to trial, the government would be able to prove the facts in Attachment A, as well as the facts set forth in Counts One and Two of the superseding indictment, beyond a reasonable doubt. The defendant admits that these facts are true and correct and establish his guilt beyond a reasonable doubt. The information in Attachment A is provided for the purpose of setting forth a factual basis for the plea of guilty. It is not a full recitation of the defendant’s knowledge of, or participation in, the offenses.
The agreement says both counts carry a possible five-year sentence each, but it seems unlikely the government will ask the judge to depart upward from the guidelines. Marcy Wheeler’s back-of-the-envelope math puts this at about six months per charge, given Hutchins’ lack of criminal history. It may end up being more than that if the DOJ pitches something longer as some twisted form of payback for Hutchins exercising his right to defend himself against criminal charges. That’s not exactly unheard of.
Hutchins has also posted a short message at his personal website, admitting guilt and apologizing for the damage he may have caused.
As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.
Hutchins’ plea brings an end to a dubious DOJ prosecution — one that makes the unproven assertion that creating and selling malware is a criminal act, whether or not Hutchins himself engaged in illegal acts using this malware. And it only further blurs the lines security researchers operate in, increasing the chance that research — which often includes the creation and deployment of malware — will be treated as criminal activity.