A British cyber security expert who was credited with neutralizing the global WannaCry ransomware attack in 2017 has pleaded guilty to US charges of developing malware.
Federal prosecutors in Wisconsin and Marcus Hutchinsâ attorneys said in a joint court filing Friday that the 24-year-old agreed to plead guilty to developing malware called Kronos and conspiring to distribute it from 2012 to 2015.
In exchange for his guilty plea to those charges, prosecutors dismissed eight further charges.
âI regret these actionsâ
âAs you may be aware, Iâve pleaded guilty to two charges related to writing malware in the years prior to my career in security,â Hutchins said in a statement on his website.
âI regret these actions and accept full responsibility for my mistakes. Having grown up, Iâve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.â
Hutchins faces up 10 years in prison but could receive a more lenient sentence for accepting responsibility, the court filing said. Attorneys said Hutchins was aware he could be deported.
He initially pleaded not guilty to all the charges and was scheduled to go on trial in July. A new trial date has not been set.
Hutchins ââknew it was always going to come backâ
Prosecutors said Hutchins made incriminating statements during a two-hour interrogation, and later during a jailhouse phone call that Hutchins was told was being recorded, he told an unidentified person that he âused to write malwareâ years before.
âI knew it was always going to come back,â Hutchins said on the call, but that he didnât âthink it would be so soon.â
Hutchins was arrested in Las Vegas in August 2017, as he was about to board a flight to England.
Just months earlier he had been hailed a hero for finding a âkill switchâ to the WannaCry ransomware attack that crippled computers worldwide.
WannaCry infected hundreds of thousands of computers and caused disruptions at factories, hospitals, shops and schools in more than 150 countries.
Kronos software designed to steal banking data
Prosecutors said in court filings that Hutchins sold the Kronos software to someone in Wisconsin and that he âpersonally deliveredâ the software to someone in California.
The malware was designed âto intercept communications and collect personal information, including usernames, passwords, email addresses, and financial dataâ from computers, prosecutors said.
Kronos was âused to infect numerous computers around the world and steal banking information,â prosecutors said, without providing an exact number.
It is still unclear how much money Hutchins made from creating the malware, but in online chats the FBI intercepted on November 2014, Hutchins lamented the fact that he had only made $8,000 (âĴ7,100) from five sales.
Hutchins said he thought he would be making around $100,000 annually by selling Kronos with one of his conspirators, who was not named in the indictment.
