Marcus Hutchins, better known as MalwareTech, has been sentenced to “time served” and one year of supervised release for developing and selling the Kronos banking malware.
Yes, Hutchins will not go to prison, United States District Judge J.P. Stadtmueller ruled today in Milwaukee County Court, after describing his good work as “too many positives on the other side of the ledger.”
In response to today’s sentencing, Hutchins said: “Sentenced to time served! Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally.”
Marcus Hutchins, 25, is the same British malware analyst who gained notoriety in cybersecurity circles for “accidentally” helping to stop the WannaCry ransomware outbreak in 2017 that wreaked havoc in over 150 countries and brought down companies across all industries.
Hutchins was arrested by the FBI in August 2017 at Las Vegas International Airport, as he was heading home to England after attending the DefCon hacking conference in Las Vegas, for his alleged role in creating and distributing Kronos between 2014 and 2015.
Kronos is a banking trojan that Hutchins created, which he described today in court as one of some “bad decisions” he made when he was a teenager, saying he “deeply regret[s]” his conduct and the harm that was caused.
The Kronos malware was designed to steal banking credentials and personal information from victims' compromised computers, and was sold for $7,000 on Russian online forums.
Last year, a revised superseding indictment was unsealed in Wisconsin accusing Hutchins and another yet-unidentified co-conspirator of not just creating and promoting Kronos but also selling another piece of malware, called UPAS Kit, on the dark web.
UPAS Kit is a Spybot virus that intercepts, collects and exfiltrates personal information, including credit card details, from infected computers without authorization, using a form grabber and web injects. It was advertised at prices ranging above $1,000 back in 2012.
Hutchins initially pleaded not guilty at a court hearing in August 2017 in Milwaukee and was released on $30,000 bail while awaiting trial.
However, in April this year, Hutchins pleaded guilty to two counts of creating and distributing the malware, which, in total, carry a maximum sentence of 10 years in prison, $250,000 in fines, and up to one year of supervised release.
At that time, Hutchins said: “having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”
Now, today in court, though Hutchins accepted his role in creating the malware, the prosecutor failed to show how much damage Kronos actually caused.
Also, citing his role in stopping WannaCry and his contribution to keeping people safe, the judge ended up giving Hutchins a lower sentence.
The sentencing doesn’t include jail time, as the judge said Hutchins has already served his time being arrested in Los Angeles and can go home under one year of supervised release.