Security researcher MalwareTech pleads guilty, faces 10 years in prison

• Marcus Hutchins, who goes by the pseudonym MalwareTech, is a popular name in the security community.
• Hutchins was first arrested on August 2, 2017, while returning to the UK after attending the Black Hat and DEFCON conferences.

Security researcher Marcus Hutchins aka “MalwareTech” filed a plea deal on Friday, pleading guilty to creating and distributing malware before his career as a malware researcher.

In 2017, Hutchins became an icon of the security community after playing a critical role in helping stop the WannaCry ransomware outbreak.

In a public statement on his website, Hutchins wrote, “As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

What does this mean?

Hutchins faced a total of 10 charges as per the indictment charged against him by the US government prosecutors. As per the plea deal, Hutchins has pleaded guilty to two counts, while the prosecution is dropping the other eight.

The two charges are for entering a conspiracy to create and distribute malware, and for aiding and abetting its distribution.

Under both the charges, he could be sentenced up to five years in prison, $250,000 in fines, and up to one year of supervised release. Thus, Hutchins could be potentially facing a ten-year prison term.

The prosecutors had charged Hutchins for developing two banking trojans - the Kronos and UPAS-Kit malware strains, and for working with a co-conspirator to advertise and sell the two malware online. Before he became a noted security researcher, Hutchins is believed to have worked on the two malware between July 2012 and September 2015.

Messy case

Due to the controversial situation surrounding his arrest, the case against Hutchins has garnered a lot of attention from the wider community. Hutchins claimed he was interrogated by the authorities while being intoxicated and sleep-deprived. His attorneys also added that the illicit actions in question were committed by Hutchins as a minor and outside the statute of limitations.

Later, the prosecution added charges for creating the UPAS-Kit trojan along with earlier charges for Kronos malware. Additionally, he was charged for lying to the FBI during interrogation.

Presently, Hutchins’ case is slated for a jury trial in Madison, Wisconsin, with no trial date announced yet.

What does the security community think?

After his arrest in 2017, Hutchins got out on a bail and lived in Los Angeles while fighting the charges against him. Due to the ongoing investigation, he was barred from working with his US-based employer Kryptos Logic.

Meanwhile, Hutchins gained popularity as MalwareTech by writing several malware analysis articles and posting tutorial videos on YouTube. This has gained him a reputation as one of the leading security researchers. On Twitter, the infosec community witnessed mixed reactions, with some researchers expressing sadness over the news of his plea deal. Others expressed shock over his admission of creating the two banking trojans.