Marcus Hutchins, the British hacker who stopped one of the most destructive cyberattacks in the world, has taken a plea deal, admitting guilt in the US to unrelated hacking charges.
Hutchins became a minor celebrity in May 2017, when he stopped the spread of WannaCry, a ransomware worm created by North Korea that had spread wildly out of control, hitting the UK’s National Health Service especially hard.
A security researcher who blogged about how to hunt malicious software, Hutchins noticed and activated a kill-switch in WannaCry’s code.
Three months later, as he prepared to fly home after visiting Las Vegas during the DEF CON hacker conference, Hutchins was arrested and charged with crimes relating to the creation and sale of malware programs UPAS Kit and Kronos, programs that help steal people’s banking information, along with two other people. Since then, he’s lived in Los Angeles, unable to leave the US.
Until Friday, he denied the charges.
His arrest prompted an outcry in the cybersecurity community, with many highlighting the relatively harsh sentencing guidelines in the US compared to tamer ones in the UK. The difficulty in extraditing a British national suspected of criminal hacking from the UK to the US was highlighted in February 2018, when a British court decided that Lauri Love, accused of hacking several US government websites in 2013, could not be sent to the US to face trial.
Prior to his plea deal, Hutchins faced a total of 10 charges relating to his alleged involvement in the Kronos and UPAS Kit malware programs.
His plea deal cuts that down to two, each related to conspiracy to commit computer fraud, along with an agreement to accept responsibility. The remaining charges will be dismissed upon sentencing.
He faces up to five years in prison, and up to $250,000 in fines, on each count.
He posted a short statement to his website Friday. “As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes,” he wrote.
“Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks,” he said.