Hutchins once proclaimed his innocence. Now he admits he created the Kronos bank trojan.
Marcus Hutchins, the security researcher who helped neutralize the virulent WannaCry ransomware worm, has pleaded guilty to federal charges of creating and distributing malware used to break into online bank accounts.
“I regret these actions and accept full responsibility for my mistakes,” Hutchins wrote in a short post. “Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”
Hutchins was changed in August 2017 with creating Kronos, a banking trojan that stole online bank account passwords from infected computers. A superseding indictment filed 10 months later charged him with 10 felony counts that alleged he created a second piece of malware called UPAS Kit. Hutchins, whose online persona MalwareTech attracts more than 143,000 followers on Twitter, had a league of vocal defenders claiming the allegations were false.
In a plea agreement filed in federal court Friday, Hutchins pleaded guilty to two of the 10 counts. One count charged him with distributing Kronos, while the other charged him with conspiracy. Prosecutors agreed to drop the remainder of their case. The agreement, which is signed by Hutchins, includes the following elements:
- The conspiracy as charged existed;
- The defendant knowingly became a member of the conspiracy with the intent to advance the conspiracy;
- And one of the conspirators committed an overt act in an effort to advance the goal of conspiracy.
Hutchins faces 10 years in prison at sentencing. It wasn’t immediately clear when sentencing would take place.
Hutchins became an overnight luminary in security circles in May 2017 after he registered a domain that stopped the spread of WannaCry, a quick-spreading ransomware worm that had been shutting down computers all over the world. Windows exploits developed by, and later stolen from, the National Security Agency caused the worm to spread from computer to computer without requiring any interaction of the part of users.
As WannaCry was spreading, Hutchins noticed an unregistered domain referenced in the code. Without knowing precisely what role the domain played, Hutchins registered it. He quickly discovered that the domain triggered a developer-created kill switch that prevented the worm from spreading. Hutchins continued working to ensure that the kill switch remains activated to prevent WannaCry from spreading again.
Hutchins’ subsequent arrest touched off a debate in security circles about whether the charges were founded. Throughout the case, Hutchins strenuously professed his innocence, describing the charges as “bullshit” when the superseding indictment was filed. KrebsOnSecurity reporter Brian Krebs dug into various online personas that appeared to be tied to the researcher and concluded he did have a criminal past. Defenders continued to say the charges were false.