NHS cyber attack hero admits to criminal charges
The British computer expert hailed a hero for helping to shut down the WannaCry cyber-attack on the NHS in 2017 has pleaded guilty to creating a malware program used to steal personal banking information.
Marcus Hutchins, 24, from Ilfracombe, Devon – known in the online world as Malwaretech – admitted two charges in the US relating to the Kronos program that was “used to infect numerous computers around the world and steal banking information”.
Eight further charges were dismissed in exchange for his plea.
Hutchins faces up to ten years in prison but could receive a more lenient sentence for accepting responsibility.
The malware was designed “to intercept communications and collect personal information, including usernames, passwords, email addresses, and financial data” from computers.
Prosecutors said Hutchins sold the Kronos software to “someone in Wisconsin” and “personally delivered” the software to someone in California. Kronos was “used to infect numerous computers around the world and steal banking information”, prosecutors said, without providing an exact number.
It is unclear how much Hutchins profited from the malware, but in online chats the FBI intercepted in November 2014, Hutchins said he had made only $8,000 (£6,100) from five sales. Hutchins said he thought he would be making around $100,000 (£76,000) annually by selling Kronos with one of his conspirators, who is not named in the indictment.
Prosecutors in Wisconsin said Hutchins made incriminating statements during a two-hour interrogation. Later, during a prison phone call that Hutchins was told was being recorded, he told an unidentified person that he “used to write malware” years before. “I knew it was always going to come back,” Hutchins said during the call, but didn’t “think it would be so soon”.
In May 2017, Hutchins had discovered a ‘kill-switch’ that slowed the effects of the WannaCry virus that hit more than 300,000 computers in 150 countries. In an interview at the time, he said that he did not consider himself a hero but that he was combating the malware because “it’s the right thing to do”.
Hutchins initially pleaded not guilty to all the charges and was scheduled to go on trial in July. While his case has been pending, prosecutors barred Hutchins from returning home. He has spent the past few years living in California, working as a cybersecurity consultant but is likely to be deported back to the UK after his case.
In a statement on his personal website, Hutchins said: “As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”