Why it matters: "Gray hat" hackers like Hutchins are arguably among the most valuable people in the security field, even if their history is often complicated and loaded with mistakes. Now that the British researcher has earned back his freedom, he wants to dedicate himself to protecting people from malware attacks, setting a good example for others like him.
The British security researcher known as the "accidental hero" who stopped the WannaCry ransomware hack in 2017 has managed to dodge a potential 10-year prison sentence for creating and selling banking malware.
For those of you who haven't followed his story, the 25-year-old who's been sentenced to supervised release actually has a dark past. Before he managed to single-handedly stop a dangerous piece of ransomware by registering a domain as a kill switch, Hutchins was already under scrutiny for a couple of banking trojans he had been coding between July 2012 and September 2015.
Soon after becoming an internet sensation for stopping the spread of WannaCry, his fortunes changed when the FBI arrested him in Las Vegas on charges that he had developed and sold malware called Kronos. He didn't admit to it at the time, but federal prosecutors had enough phone evidence to force him into a plea deal. And sure enough, in April this year he came clean about his role in developing the malware, which also earned him a free pass on eight other charges.
Sentenced to time served! Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally. -- MalwareTech (@MalwareTechBlog), July 26, 2019
The two banking trojans Hutchins developed are UPAS Kit and Kronos, the latter essentially a more potent version of the former. Both could steal data from online forms, and could also give an attacker the ability to remotely control the infected PC.
J.P. Stadtmueller, the presiding judge on the case, gave him credit for turning his life around and noted that people like Hutchins are essential because of their ability to "come up with solutions because that's the only way we're going to eliminate this entire subject of the woefully inadequate security protocols."
Still, the British malware researcher might not be able to return to the U.S., but that doesn't seem to bother him in the slightest. He's now looking to continue his contributions to security research, which is a happy ending to all his legal troubles.